Add
buildah mkcw
, add --cw
to buildah commit
and buildah build
Add a --cw option to `buildah build` and `buildah commit`, which takes a comma-separated list of arguments and produces an image laid out for use as a confidential workload: type: sev or snp attestation_url: location of a key broker server encryption_passphrase: for encrypting the disk image cpus: expected number of virtual CPUs to run with memory: expected megabytes of memory to run with workload_id: a distinguishing identifier for the key broker server ignore_chain_retrieval_errors: ignore errors from "sevctl export -f" ignore_attestation_errors: ignore errors from the key broker server slop: extra space to allocate for the disk image At least one of attestation_url and encryption_passphrase must be specified in order for the encrypted disk image to be decryptable at run-time. Other arguments can be omitted. Add an `mkcw` top-level command, for converting directly from an image to a confidential workload. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Showing
76 changed files
with
8,857 additions
and
17 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
package main | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
|
||
"github.com/containers/buildah" | ||
"github.com/containers/buildah/define" | ||
"github.com/containers/buildah/pkg/parse" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
func mkcwCmd(c *cobra.Command, args []string, options buildah.CWConvertImageOptions) error { | ||
ctx := getContext() | ||
|
||
systemContext, err := parse.SystemContextFromOptions(c) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
if options.AttestationURL == "" && options.DiskEncryptionPassphrase == "" { | ||
return fmt.Errorf("neither --attestation-url nor --encryption-passphrase flags provided, disk would not be decryptable") | ||
} | ||
|
||
store, err := getStore(c) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
options.InputImage = args[0] | ||
options.Tag = args[1] | ||
options.ReportWriter = os.Stderr | ||
imageID, _, _, err := buildah.CWConvertImage(ctx, systemContext, store, options) | ||
if err == nil { | ||
fmt.Printf("%s\n", imageID) | ||
} | ||
return err | ||
} | ||
|
||
func init() { | ||
var teeType string | ||
var options buildah.CWConvertImageOptions | ||
mkcwDescription := `Convert a conventional image to a confidential workload image.` | ||
mkcwCommand := &cobra.Command{ | ||
Use: "mkcw", | ||
Short: "Convert a conventional image to a confidential workload image", | ||
Long: mkcwDescription, | ||
RunE: func(cmd *cobra.Command, args []string) error { | ||
options.TeeType = define.TeeType(teeType) | ||
return mkcwCmd(cmd, args, options) | ||
}, | ||
Example: `buildah mkcw localhost/repository:typical localhost/repository:cw`, | ||
Args: cobra.ExactArgs(2), | ||
} | ||
mkcwCommand.SetUsageTemplate(UsageTemplate()) | ||
rootCmd.AddCommand(mkcwCommand) | ||
flags := mkcwCommand.Flags() | ||
flags.SetInterspersed(false) | ||
|
||
flags.StringVarP(&teeType, "type", "t", "", "TEE type") | ||
flags.StringVarP(&options.AttestationURL, "attestation-url", "u", "", "attestation server URL") | ||
flags.StringVarP(&options.AttestationURL, "attestation_url", "", "", "attestation server URL (alternate flag spelling)") | ||
if err := flags.MarkHidden("attestation_url"); err != nil { | ||
panic("error marking attestation_url as hidden") | ||
} | ||
flags.StringVarP(&options.BaseImage, "base-image", "b", "", "alternate base image (default: scratch)") | ||
flags.StringVarP(&options.BaseImage, "base_image", "", "", "alternate base image (default: scratch) (alternate flag spelling)") | ||
if err := flags.MarkHidden("base_image"); err != nil { | ||
panic("error marking base_image as hidden") | ||
} | ||
flags.StringVarP(&options.DiskEncryptionPassphrase, "encryption-passphrase", "p", "", "disk encryption passphrase") | ||
flags.StringVarP(&options.DiskEncryptionPassphrase, "encryption_passphrase", "", "", "disk encryption passphrase (alternate flag spelling)") | ||
if err := flags.MarkHidden("encryption_passphrase"); err != nil { | ||
panic("error marking encryption_passphrase as hidden") | ||
} | ||
flags.IntVarP(&options.CPUs, "cpus", "c", 0, "number of CPUs to expect") | ||
flags.IntVarP(&options.Memory, "memory", "m", 0, "amount of memory to expect (MB)") | ||
flags.StringVarP(&options.WorkloadID, "workload-id", "w", "", "workload ID") | ||
flags.StringVarP(&options.WorkloadID, "workload_id", "", "", "workload ID (alternate flag spelling)") | ||
if err := flags.MarkHidden("workload_id"); err != nil { | ||
panic("error marking workload_id as hidden") | ||
} | ||
flags.StringVarP(&options.Slop, "slop", "s", "25%", "extra space needed for converting a container rootfs to a disk image") | ||
flags.StringVarP(&options.FirmwareLibrary, "firmware-library", "f", "", "location of libkrunfw-sev.so") | ||
flags.StringVarP(&options.FirmwareLibrary, "firmware_library", "", "", "location of libkrunfw-sev.so (alternate flag spelling)") | ||
if err := flags.MarkHidden("firmware_library"); err != nil { | ||
panic("error marking firmware_library as hidden") | ||
} | ||
flags.BoolVarP(&options.IgnoreAttestationErrors, "ignore-attestation-errors", "", false, "ignore attestation errors") | ||
flags.BoolVarP(&options.IgnoreAttestationErrors, "ignore_attestation_errors", "", false, "ignore attestation errors (alternate flag spelling)") | ||
if err := flags.MarkHidden("ignore_attestation_errors"); err != nil { | ||
panic("error marking ignore_attestation_errors as hidden") | ||
} | ||
flags.BoolVarP(&options.IgnoreChainRetrievalErrors, "ignore-chain-retrieval-errors", "", false, "ignore errors retrieving the certificate chain") | ||
flags.BoolVarP(&options.IgnoreChainRetrievalErrors, "ignore_chain_retrieval_errors", "", false, "ignore errors retrieving the certificate chain (alternate flag spelling)") | ||
if err := flags.MarkHidden("ignore_chain_retrieval_errors"); err != nil { | ||
panic("error marking ignore_chain_retrieval_errors as hidden") | ||
} | ||
|
||
flags.String("signature-policy", "", "`pathname` of signature policy file (not usually used)") | ||
if err := flags.MarkHidden("signature-policy"); err != nil { | ||
panic(fmt.Sprintf("error marking signature-policy as hidden: %v", err)) | ||
} | ||
} |
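Review bot: The `--encryption-passphrase` / `-p` flag takes the disk-encryption secret as a command-line argument, so it is visible to every local user via the process listing (`/proc/<pid>/cmdline`) and is recorded in shell history; for a tool whose whole purpose is confidentiality, the command should also accept the passphrase from a file (or stdin) so the inline flag can be avoided. The sketch below adds `--encryption-passphrase-file`, rejects combining it with the inline flag, and strips a trailing newline before handing it to `mkcwCmd` (it needs a `strings` import added to the file). The `encryption_passphrase=` argument of the `--cw` option described in the commit message presumably has the same exposure, but that code is outside this section. Separately, the help text for `--ignore-attestation-errors` and `--ignore-chain-retrieval-errors` should say what the operator is giving up, since per the commit message they suppress errors from the key broker and from `sevctl export`, e.g. `"ignore attestation errors (the key may not be registered with the broker and the image may not be decryptable at run-time)"`.
```go
var passphraseFile string
// … unchanged: teeType, options, mkcwDescription …
	RunE: func(cmd *cobra.Command, args []string) error {
		options.TeeType = define.TeeType(teeType)
		if passphraseFile != "" {
			if options.DiskEncryptionPassphrase != "" {
				return fmt.Errorf("--encryption-passphrase and --encryption-passphrase-file are mutually exclusive")
			}
			b, err := os.ReadFile(passphraseFile)
			if err != nil {
				return fmt.Errorf("reading passphrase file %q: %w", passphraseFile, err)
			}
			// Keep the secret out of argv: read it from a file and drop the trailing newline editors add.
			options.DiskEncryptionPassphrase = strings.TrimRight(string(b), "\r\n")
		}
		return mkcwCmd(cmd, args, options)
	},
// … unchanged: command registration and other flag declarations …
flags.StringVar(&passphraseFile, "encryption-passphrase-file", "", "file containing the disk encryption passphrase (preferred over --encryption-passphrase, which is visible in process listings)")
```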