chore: NODE-1242 - Remove SEV-SNP from ic-os
khushboo-dfn authored and marko-k0 committed Feb 12, 2024
1 parent 75c4492 commit 11a3ded
Showing 30 changed files with 8 additions and 749 deletions.
39 changes: 0 additions & 39 deletions gitlab-ci/config/base-images-build.yml
@@ -65,17 +65,6 @@ build-guestos-base-dev:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev")
- *build-base-image

build-guestos-base-dev-sev:
extends:
- .build-base-image-job
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs"
IMAGE: "guestos-base-dev-sev"
REF_FILE: "ic-os/guestos/rootfs/docker-base.dev-sev"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev")
- *build-base-image

build-boundaryos-base:
extends:
- .build-base-image-job
@@ -114,17 +103,6 @@ build-hostos-base-dev:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev")
- *build-base-image

build-hostos-base-dev-sev:
extends:
- .build-base-image-job
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs"
IMAGE: "hostos-base-dev-sev"
REF_FILE: "ic-os/hostos/rootfs/docker-base.dev-sev"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev")
- *build-base-image

build-setupos-base:
extends:
- .build-base-image-job
@@ -144,44 +122,27 @@ build-setupos-base-dev:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev")
- *build-base-image

build-setupos-base-dev-sev:
extends:
- .build-base-image-job
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs"
IMAGE: "setupos-base-dev-sev"
REF_FILE: "ic-os/setupos/rootfs/docker-base.dev-sev"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev")
- *build-base-image

build-base-images-ref-update:
extends:
- .rules-build-base-images
needs:
- build-guestos-base
- build-guestos-base-dev
- build-guestos-base-dev-sev
- build-boundaryos-base
- build-boundaryos-base-snp
- build-hostos-base
- build-hostos-base-dev
- build-hostos-base-dev-sev
- build-setupos-base
- build-setupos-base-dev
- build-setupos-base-dev-sev
dependencies:
- build-guestos-base
- build-guestos-base-dev
- build-guestos-base-dev-sev
- build-boundaryos-base
- build-boundaryos-base-snp
- build-hostos-base
- build-hostos-base-dev
- build-hostos-base-dev-sev
- build-setupos-base
- build-setupos-base-dev
- build-setupos-base-dev-sev
script:
- |
set -euo pipefail
150 changes: 0 additions & 150 deletions gitlab-ci/config/zz-generated-gitlab-ci.yaml
@@ -1555,29 +1555,23 @@ build-base-images-ref-update:
dependencies:
- build-guestos-base
- build-guestos-base-dev
- build-guestos-base-dev-sev
- build-boundaryos-base
- build-boundaryos-base-snp
- build-hostos-base
- build-hostos-base-dev
- build-hostos-base-dev-sev
- build-setupos-base
- build-setupos-base-dev
- build-setupos-base-dev-sev
extends:
- ".rules-build-base-images"
needs:
- build-guestos-base
- build-guestos-base-dev
- build-guestos-base-dev-sev
- build-boundaryos-base
- build-boundaryos-base-snp
- build-hostos-base
- build-hostos-base-dev
- build-hostos-base-dev-sev
- build-setupos-base
- build-setupos-base-dev
- build-setupos-base-dev-sev
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images"
- allow_failure: true
@@ -1881,54 +1875,6 @@ build-guestos-base-dev:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs"
IMAGE: guestos-base-dev
REF_FILE: ic-os/guestos/rootfs/docker-base.dev
build-guestos-base-dev-sev:
artifacts:
paths:
- digestfile*
extends:
- ".build-base-image-job"
needs: []
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images"
- allow_failure: true
if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master"
when: manual
- changes:
- gitlab-ci/config/base-images-build.yml
- ic-os/boundary-guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/packages.common
- ic-os/guestos/rootfs/packages.dev
- ic-os/hostos/rootfs/Dockerfile.base
- ic-os/hostos/rootfs/packages.common
- ic-os/hostos/rootfs/packages.dev
- ic-os/setupos/rootfs/Dockerfile.base
- ic-os/setupos/rootfs/packages.common
- ic-os/setupos/rootfs/packages.dev
if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev")
- |
set -euo pipefail
TAG=$(date '+%Y-%m-%d-%H%M')
echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build"
pushd "$CONTEXT"
podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base .
popd
echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K"
if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then
podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io
podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile
echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}"
echo "$REF_FILE" >> "digestfile-${IMAGE}"
rm -f digestfile
fi
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs"
IMAGE: guestos-base-dev-sev
REF_FILE: ic-os/guestos/rootfs/docker-base.dev-sev
build-hostos-base:
artifacts:
paths:
@@ -2024,54 +1970,6 @@ build-hostos-base-dev:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs"
IMAGE: hostos-base-dev
REF_FILE: ic-os/hostos/rootfs/docker-base.dev
build-hostos-base-dev-sev:
artifacts:
paths:
- digestfile*
extends:
- ".build-base-image-job"
needs: []
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images"
- allow_failure: true
if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master"
when: manual
- changes:
- gitlab-ci/config/base-images-build.yml
- ic-os/boundary-guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/packages.common
- ic-os/guestos/rootfs/packages.dev
- ic-os/hostos/rootfs/Dockerfile.base
- ic-os/hostos/rootfs/packages.common
- ic-os/hostos/rootfs/packages.dev
- ic-os/setupos/rootfs/Dockerfile.base
- ic-os/setupos/rootfs/packages.common
- ic-os/setupos/rootfs/packages.dev
if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev")
- |
set -euo pipefail
TAG=$(date '+%Y-%m-%d-%H%M')
echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build"
pushd "$CONTEXT"
podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base .
popd
echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K"
if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then
podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io
podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile
echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}"
echo "$REF_FILE" >> "digestfile-${IMAGE}"
rm -f digestfile
fi
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs"
IMAGE: hostos-base-dev-sev
REF_FILE: ic-os/hostos/rootfs/docker-base.dev-sev
build-ic:
artifacts:
paths:
@@ -2302,54 +2200,6 @@ build-setupos-base-dev:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs"
IMAGE: setupos-base-dev
REF_FILE: ic-os/setupos/rootfs/docker-base.dev
build-setupos-base-dev-sev:
artifacts:
paths:
- digestfile*
extends:
- ".build-base-image-job"
needs: []
rules:
- if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images"
- allow_failure: true
if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master"
when: manual
- changes:
- gitlab-ci/config/base-images-build.yml
- ic-os/boundary-guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/Dockerfile.base
- ic-os/guestos/rootfs/packages.common
- ic-os/guestos/rootfs/packages.dev
- ic-os/hostos/rootfs/Dockerfile.base
- ic-os/hostos/rootfs/packages.common
- ic-os/hostos/rootfs/packages.dev
- ic-os/setupos/rootfs/Dockerfile.base
- ic-os/setupos/rootfs/packages.common
- ic-os/setupos/rootfs/packages.dev
if: $CI_PIPELINE_SOURCE == "merge_request_event"
script:
- BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev")
- |
set -euo pipefail
TAG=$(date '+%Y-%m-%d-%H%M')
echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build"
pushd "$CONTEXT"
podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base .
popd
echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K"
if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then
podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io
podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile
echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}"
echo "$REF_FILE" >> "digestfile-${IMAGE}"
rm -f digestfile
fi
variables:
CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs"
IMAGE: setupos-base-dev-sev
REF_FILE: ic-os/setupos/rootfs/docker-base.dev-sev
cargo-build-release-linux:
extends:
- ".rules-master-pipeline-and-merge-request"
36 changes: 3 additions & 33 deletions ic-os/README.adoc
@@ -27,9 +27,9 @@ As an alternative, the following script can be used to build the images in a con

Each image has its own build targets, which are variations of the image:

* SetupOS: `prod`, `dev`, `dev-sev`
* HostOS: `prod`, `dev`, `dev-sev`
* GuestOS: `prod`, `dev`, `dev-malicious`, `dev-sev`
* SetupOS: `prod`, `dev`
* HostOS: `prod`, `dev`
* GuestOS: `prod`, `dev`, `dev-malicious`
* BoundaryGuestOS: `prod`, `prod-sev`, `dev`, `dev-sev`

The difference between production and development images is that the console can be accessed on `dev` images, but not on `prod` images.
@@ -99,33 +99,3 @@ To add a new package to an IC-OS image you need to:

* *rootfs/*: Each rootfs subdirectory contains everything required to build a bootable Ubuntu system. Various template directories (e.g., /opt) are used, which are copied verbatim to the target system. You can add files to these directories to include them in the image.
** For instructions on how to make changes to the OS, refer to the link:docs/Rootfs.adoc#[rootfs documentation]

== SEV testing

=== Preparing DEV machine

Follow instructions link:docs/SEVSnpTest.adoc#[here] to prepare the dev machine.

==== Storing the SEV Certificates on the host (e.g. for test/farm machines)

Note: we are storing the PEM files instead of the DER files.

```bash
% snptool get-certs
% sev-host-set-cert-chain -r ark.pem -s ask.pem -v vcek.pem
```

=== Running SEV-SNP VM with virsh

### Preparing image

* cd to the root of the source tree
* build the image: bazel build //ic-os/boundary-guestos/envs/dev-sev/...
* ic-os/scripts/bn-virsh/prepare-for-virsh.sh

### Create, login, destroy

* ```$ virsh create ./bn_sev_vm.xml```
* ```$ virsh console boundary_nodes_sev_snp-$USER```
** Note: control-] to exit
* ```$ virsh destroy boundary_nodes_sev_snp-$USER```
2 changes: 0 additions & 2 deletions ic-os/defs.bzl
@@ -399,8 +399,6 @@ def icos_build(
upload_suffix = ""
if mode == "dev":
upload_suffix = "-dev"
elif mode == "dev-sev":
upload_suffix = "-dev-sev"
if malicious:
upload_suffix += "-malicious"

