From 5199e5783669eef0159bd7e7f609c8cf15c378b4 Mon Sep 17 00:00:00 2001 From: Magnus Kulke Date: Thu, 13 Jun 2024 13:07:42 +0200 Subject: [PATCH] guest-components: Bump guest-components dependency There has been a change in build flags in the way attestation-agent is built. cc_kbc is now always enabled as part of the `coco-as` and `kbs` features. A new `ATTESTER` Makefile flag has been introduced to pick the attesters that should be included in the attestation-agent build. By default all attesters are being built, which won't build ootb, since it's missing dependencies (e.g. SGX libraries). For peerpods only a limited set of attesters actually make sense and usually you'd want to define it at build time for a given TEE architecture (e.g. Azure vTPM or IBM SE attester modules), so we default to `ATTESTER=sample` in most cases. The `AA_KBC` param is now only used for templating the `aa-kbc-params` value in the podvm's static kata-agent config. Signed-off-by: Magnus Kulke --- .github/workflows/azure-podvm-image-build.yml | 2 +- .github/workflows/podvm_binaries.yaml | 2 +- src/cloud-api-adaptor/Makefile | 3 ++- src/cloud-api-adaptor/azure/build-image.md | 2 +- src/cloud-api-adaptor/docker/image/Makefile | 4 ++-- src/cloud-api-adaptor/libvirt/kcli_cluster.sh | 2 +- src/cloud-api-adaptor/podvm-mkosi/Makefile | 8 ++++---- src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries | 6 ++++-- .../podvm/Dockerfile.podvm_binaries.fedora | 6 ++++-- .../podvm/Dockerfile.podvm_binaries.rhel | 6 ++++-- src/cloud-api-adaptor/podvm/Makefile.inc | 5 +++-- src/cloud-api-adaptor/test/e2e/README.md | 4 ++-- src/cloud-api-adaptor/test/e2e/common.go | 5 +++++ src/cloud-api-adaptor/test/e2e/common_suite.go | 7 ++++--- src/cloud-api-adaptor/versions.yaml | 2 +- 15 files changed, 39 insertions(+), 25 deletions(-) diff --git a/.github/workflows/azure-podvm-image-build.yml b/.github/workflows/azure-podvm-image-build.yml index 51c706a4e..48a714676 100644 
--- a/.github/workflows/azure-podvm-image-build.yml +++ b/.github/workflows/azure-podvm-image-build.yml @@ -108,7 +108,7 @@ jobs: - name: Build binaries run: make binaries \ - AA_KBC="cc_kbc_az_snp_vtpm,cc_kbc_az_tdx_vtpm" \ + ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester" \ LIBC=gnu - uses: azure/login@v1 diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml index fad4a927f..fe2000eea 100644 --- a/.github/workflows/podvm_binaries.yaml +++ b/.github/workflows/podvm_binaries.yaml @@ -71,7 +71,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - run: AA_KBC=cc_kbc make podvm-binaries + run: make podvm-binaries env: PUSH: true REGISTRY: ${{ inputs.registry }} diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile index d7ab442c9..73a5004b4 100644 --- a/src/cloud-api-adaptor/Makefile +++ b/src/cloud-api-adaptor/Makefile @@ -18,6 +18,7 @@ BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data SOURCEDIRS := ./cmd ./pkg PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS))) SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print) +ATTESTER ?= none # End-to-end tests overall run timeout. TEST_E2E_TIMEOUT ?= 60m @@ -193,7 +194,7 @@ podvm-binaries: --build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \ --build-arg PODVM_DISTRO=$(PODVM_DISTRO) \ --build-arg ARCH=$(ARCH) \ - --build-arg AA_KBC=$(AA_KBC) \ + --build-arg ATTESTER=$(ATTESTER) \ $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \ $(DOCKER_OPTS) . rm -rf .git diff --git a/src/cloud-api-adaptor/azure/build-image.md b/src/cloud-api-adaptor/azure/build-image.md index 354019b75..ed1b975af 100644 --- a/src/cloud-api-adaptor/azure/build-image.md +++ b/src/cloud-api-adaptor/azure/build-image.md 
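Review bot: The attester list `ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester"` added here uses underscores, while the same setting in azure/build-image.md in this commit is spelled `az-snp-vtpm-attester,az-tdx-vtpm-attester`; both spellings cannot be valid feature names for the attestation-agent build, so one of the two will not enable the vTPM attesters it names. Cargo feature names are conventionally hyphenated, so the workflow value is the more likely one to be wrong, but this should be confirmed against the attestation-agent Makefile in the bumped guest-components revision and the two places aligned. An image built with the wrong attester set still boots and is only caught when remote attestation fails at e2e time, so a wrong value here is easy to miss.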
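Review bot: The new default `ATTESTER ?= none` disagrees with the commit description, which says the build defaults to `ATTESTER=sample`; the same `none` default is repeated in docker/image/Makefile, podvm-mkosi/Makefile, the three podvm/Dockerfile.podvm_binaries* files and podvm/Makefile.inc. Whether `none` is a value the attestation-agent Makefile accepts is not visible here; if it is not, the default build fails, and if it is, the agent ships without any attester, which podvm_binaries.yaml now inherits since its `run: make podvm-binaries` no longer sets anything. Either the description or the defaults should be corrected, and a comment next to the variable such as `# attestation-agent attester features to compile in (comma-separated); none = no attester, suitable only for non-TEE/test images` would make the security impact of the default explicit.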
@@ -110,7 +110,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1" export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy export PKR_VAR_sku=22_04-lts-cvm -export AA_KBC="cc_kbc_az_snp_vtpm" +export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester" export LIBC=gnu export CLOUD_PROVIDER=azure PODVM_DISTRO=ubuntu make image diff --git a/src/cloud-api-adaptor/docker/image/Makefile b/src/cloud-api-adaptor/docker/image/Makefile index 80a4ccae4..fe8b0123f 100644 --- a/src/cloud-api-adaptor/docker/image/Makefile +++ b/src/cloud-api-adaptor/docker/image/Makefile @@ -1,8 +1,8 @@ -AA_KBC ?= offline_fs_kbc ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) BUILDER = ubuntu-binaries-builder-$(ARCH) PODVM_IMG ?= quay.io/confidential-containers/podvm-docker-image AGENT_POLICY = no +ATTESTER ?= none .DEFAULT_GOAL := all .PHONY: all @@ -35,7 +35,7 @@ binaries: cp -rf ../../../../.git ../../../.git docker buildx build \ --build-arg BUILDER_IMG=$(BUILDER) \ - --build-arg AA_KBC=$(AA_KBC) \ + --build-arg ATTESTER=$(ATTESTER) \ $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \ -o type=local,dest="./resources/binaries-tree" \ -f ../../podvm/Dockerfile.podvm_binaries ../../../ diff --git a/src/cloud-api-adaptor/libvirt/kcli_cluster.sh b/src/cloud-api-adaptor/libvirt/kcli_cluster.sh index d6f5b74ad..360fb682b 100755 --- a/src/cloud-api-adaptor/libvirt/kcli_cluster.sh +++ b/src/cloud-api-adaptor/libvirt/kcli_cluster.sh @@ -64,7 +64,7 @@ create () { fi echo "Download $CLUSTER_IMAGE ${TARGET_ARCH} image" # kcli support download image with archs: 'x86_64', 'aarch64', 'ppc64le', 's390x' - kcli download image $CLUSTER_IMAGE -a ${ARCH} + kcli download image $CLUSTER_IMAGE -P arch=${ARCH} kcli create kube generic $parameters "$CLUSTER_NAME" diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile index 4fddc5eb4..b5fc3f0d3 100644 --- a/src/cloud-api-adaptor/podvm-mkosi/Makefile 
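Review bot: The replacement line `kcli download image $CLUSTER_IMAGE -P arch=${ARCH}` leaves both expansions unquoted, while the neighbouring `kcli create kube generic $parameters "$CLUSTER_NAME"` quotes its name argument; `kcli download image "$CLUSTER_IMAGE" -P arch="${ARCH}"` keeps word splitting and globbing out of the argument list. This kcli flag change is also unrelated to the guest-components bump and is not mentioned in the commit description, so it deserves a sentence there or a separate commit. The enclosing `create ()` function starts and ends outside the hunk.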
+++ b/src/cloud-api-adaptor/podvm-mkosi/Makefile @@ -1,8 +1,8 @@ include ../Makefile.defaults -AA_KBC ?= cc_kbc -ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) -BUILDER = fedora-binaries-builder-$(ARCH) +ATTESTER ?= none +ARCH ?= $(subst x86_64,amd64,$(shell uname -m)) +BUILDER = fedora-binaries-builder-$(ARCH) REGISTRY ?= quay.io/confidential-containers PODVM_DISTRO ?= fedora @@ -43,7 +43,7 @@ binaries: cp -rf ../../../.git ../../.git docker buildx build \ --build-arg BUILDER_IMG=$(BUILDER) \ - --build-arg AA_KBC=$(AA_KBC) \ + --build-arg ATTESTER=$(ATTESTER) \ $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \ -o type=local,dest="./resources/binaries-tree" \ -f ../podvm/Dockerfile.podvm_binaries.fedora ../../ diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries index 0432bfa96..158cfad6c 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER ARG PODVM_DISTRO=ubuntu ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO -ARG AA_KBC="cc_kbc" +# By default AA will be built with the `all-attesters` feature, +# which doesn't compile ootb on ubuntu. +ARG ATTESTER=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER} ENV PODVM_DISTRO ${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO} -ENV AA_KBC ${AA_KBC} +ENV ATTESTER ${ATTESTER} ENV ARCH ${ARCH} ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora index 15ffe85cb..09c02f039 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora 
+++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora @@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER ARG PODVM_DISTRO=rhel ARG GUEST_COMPONENTS_VERSION ARG GUEST_COMPONENTS_REPO -ARG AA_KBC="cc_kbc" +# By default AA will be built with the `all-attesters` feature, +# which doesn't compile on fedora. +ARG ATTESTER=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER} ENV PODVM_DISTRO ${PODVM_DISTRO} ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION} ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO} -ENV AA_KBC ${AA_KBC} +ENV ATTESTER ${ATTESTER} ENV ARCH ${ARCH} ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel index 2ead5ea5f..3c8285cfc 100644 --- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel +++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel @@ -9,7 +9,9 @@ ARG BUILDER_IMG FROM ${BUILDER_IMG} AS podvm_builder ARG PODVM_DISTRO=rhel -ARG AA_KBC="cc_kbc" +# By default AA will be built with the `all-attesters` feature, +# which doesn't compile ootb on RHEL. +ARG ATTESTER=none # If not provided, uses system architecture ARG ARCH #This is the name of the policy file under @@ -17,7 +19,7 @@ ARG ARCH ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego ENV PODVM_DISTRO ${PODVM_DISTRO} -ENV AA_KBC ${AA_KBC} +ENV ATTESTER ${ATTESTER} ENV ARCH ${ARCH} ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE} diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc index 5773fa8b9..12ec831b6 100644 --- a/src/cloud-api-adaptor/podvm/Makefile.inc +++ b/src/cloud-api-adaptor/podvm/Makefile.inc 
@@ -23,12 +23,13 @@ ARCH := $(or $(ARCH),$(HOST_ARCH)) # Normalise x86_64 / amd64 for input ARCH ARCH := $(subst amd64,x86_64,$(ARCH)) DEB_ARCH := $(subst x86_64,amd64,$(ARCH)) -AA_KBC ?= cc_kbc +AA_KBC ?= offline_fs_kbc KBC_URI ?= null LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl) RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH)) RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC) +ATTESTER ?= none CDH_RESOURCE_PROVIDER ?= kbs SEALED_SECRET ?= yes @@ -169,7 +170,7 @@ $(GUEST_COMPONENTS_SRC): $(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION)) $(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC) - cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) KBC="$(AA_KBC)" ttrpc=true LIBC="$(LIBC)" + cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)" mkdir -p "$(@D)" install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@" diff --git a/src/cloud-api-adaptor/test/e2e/README.md b/src/cloud-api-adaptor/test/e2e/README.md index d5d4c45fe..4cdf07b27 100644 --- a/src/cloud-api-adaptor/test/e2e/README.md +++ b/src/cloud-api-adaptor/test/e2e/README.md @@ -64,10 +64,10 @@ popd popd ``` -We need build and use the PodVM image with `AA_KBC=cc_kbc` enabled, for example: +We need build and use the PodVM image: ``` pushd ${cloud-api-adaptor} -AA_KBC=cc_kbc make podvm-builder podvm-binaries podvm-image +make podvm-builder podvm-binaries podvm-image popd ``` Then extract the PodVM image and use it following [extracting-the-qcow2-image](../../podvm/README.md#extracting-the-qcow2-image) diff --git a/src/cloud-api-adaptor/test/e2e/common.go b/src/cloud-api-adaptor/test/e2e/common.go index 0465b63ff..d899885d5 100644 --- a/src/cloud-api-adaptor/test/e2e/common.go +++ b/src/cloud-api-adaptor/test/e2e/common.go 
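Review bot: In the `$(ATTESTATION_AGENT)` recipe the new argument `ATTESTER=$(ATTESTER)` is unquoted, whereas the adjacent `LIBC="$(LIBC)"` and the removed `KBC="$(AA_KBC)"` are quoted; since the value is a user-supplied, comma-separated list, `ATTESTER="$(ATTESTER)"` keeps the recipe consistent and prevents a value containing whitespace from being split into extra arguments to the sub-make. The first hunk of this file also changes the `AA_KBC` default to `offline_fs_kbc` without a comment; given the description says the variable now only feeds the `aa-kbc-params` template, a comment such as `# only used to render aa-kbc-params in the kata-agent config; attesters are selected via ATTESTER` next to it would stop readers from expecting it to affect the attestation-agent build.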
@@ -23,6 +23,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +const CURL_IMAGE = "quay.io/curl/curl:latest" const BUSYBOX_IMAGE = "quay.io/prometheus/busybox:latest" const WAIT_DEPLOYMENT_AVAILABLE_TIMEOUT = time.Second * 180 const DEFAULT_AUTH_SECRET = "auth-json-secret-default" @@ -140,6 +141,10 @@ func NewBusyboxPod(namespace string) *corev1.Pod { return NewBusyboxPodWithName(namespace, "busybox") } +func NewCurlPodWithName(namespace, podName string) *corev1.Pod { + return NewPod(namespace, podName, "curl", CURL_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"})) +} + func NewBusyboxPodWithName(namespace, podName string) *corev1.Pod { return NewPod(namespace, podName, "busybox", BUSYBOX_IMAGE, WithCommand([]string{"/bin/sh", "-c", "sleep 3600"})) } diff --git a/src/cloud-api-adaptor/test/e2e/common_suite.go b/src/cloud-api-adaptor/test/e2e/common_suite.go index 2e18d8be4..ca70ed83a 100644 --- a/src/cloud-api-adaptor/test/e2e/common_suite.go +++ b/src/cloud-api-adaptor/test/e2e/common_suite.go @@ -595,13 +595,14 @@ func DoTestKbsKeyRelease(t *testing.T, e env.Environment, assert CloudAssert) { func DoTestKbsKeyReleaseForFailure(t *testing.T, e env.Environment, assert CloudAssert) { log.Info("Do test kbs key release failure case") - pod := NewBusyboxPodWithName(E2eNamespace, "busybox-wget-failure") + pod := NewCurlPodWithName(E2eNamespace, "curl-failure") testCommands := []TestCommand{ { - Command: []string{"wget", "-q", "-O-", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"}, + Command: []string{"curl", "-s", "http://127.0.0.1:8006/cdh/resource/reponame/workload_key/key.bin"}, ContainerName: pod.Spec.Containers[0].Name, TestCommandStdoutFn: func(stdout bytes.Buffer) bool { - if strings.Contains(stdout.String(), "request unautorized") { + body := stdout.String() + if strings.Contains(strings.ToLower(body), "error") { log.Infof("Pass failure case as: %s", stdout.String()) return true } else { 
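Review bot: `NewCurlPodWithName` is exported but carries no doc comment; `// NewCurlPodWithName returns a pod named podName running CURL_IMAGE that sleeps for an hour, so test commands can be exec'd into its "curl" container.` describes what the visible body does. `CURL_IMAGE = "quay.io/curl/curl:latest"` follows the mutable-tag pattern of the existing `BUSYBOX_IMAGE`; pinning the test image by digest would make e2e runs reproducible and less exposed to upstream image changes, though that is a pre-existing pattern rather than something introduced here.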
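Review bot: The new predicate `strings.Contains(strings.ToLower(body), "error")` is much broader than the `"request unautorized"` check it replaces: any error text returned by the CDH — a missing resource, an unreachable KBS, a TLS failure — now satisfies the negative test, so it no longer demonstrates that the key release was refused by the attestation/authorization policy rather than by an unrelated fault. Matching the specific denial message emitted by the bumped guest-components revision (the removed string suggests the server reports an unauthorized request; confirm the exact wording) would keep the test meaningful, e.g. `if strings.Contains(strings.ToLower(body), "unauthorized") {`, optionally combined with a check that the body is not key material. The enclosing function and the `TestCommandStdoutFn` closure continue outside the hunk.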
diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml
index 14f62e1cc..7692b8bd2 100644
--- a/src/cloud-api-adaptor/versions.yaml
+++ b/src/cloud-api-adaptor/versions.yaml
@@ -28,7 +28,7 @@ tools:
 git:
 guest-components:
 url: https://github.com/confidential-containers/guest-components
-reference: 277617af60c32661819c1132ffbf3db8dc6e1b9f
+reference: 9bcc7c1addcbad1e249a6d870d9df68f2824254b
 kata-containers:
 url: https://github.com/kata-containers/kata-containers
 reference: 59ff40f05484da2a462fa44f18fe95e7c8484546