diff --git a/gitlab-ci/config/base-images-build.yml b/gitlab-ci/config/base-images-build.yml index d2905846aa4..112905f57f2 100644 --- a/gitlab-ci/config/base-images-build.yml +++ b/gitlab-ci/config/base-images-build.yml @@ -65,17 +65,6 @@ build-guestos-base-dev: - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev") - *build-base-image -build-guestos-base-dev-sev: - extends: - - .build-base-image-job - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs" - IMAGE: "guestos-base-dev-sev" - REF_FILE: "ic-os/guestos/rootfs/docker-base.dev-sev" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev") - - *build-base-image - build-boundaryos-base: extends: - .build-base-image-job @@ -114,17 +103,6 @@ build-hostos-base-dev: - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev") - *build-base-image -build-hostos-base-dev-sev: - extends: - - .build-base-image-job - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs" - IMAGE: "hostos-base-dev-sev" - REF_FILE: "ic-os/hostos/rootfs/docker-base.dev-sev" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev") - - *build-base-image - build-setupos-base: extends: - .build-base-image-job 
@@ -144,44 +122,27 @@ build-setupos-base-dev: - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev") - *build-base-image -build-setupos-base-dev-sev: - extends: - - .build-base-image-job - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs" - IMAGE: "setupos-base-dev-sev" - REF_FILE: "ic-os/setupos/rootfs/docker-base.dev-sev" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev") - - *build-base-image - build-base-images-ref-update: extends: - .rules-build-base-images needs: - build-guestos-base - build-guestos-base-dev - - build-guestos-base-dev-sev - build-boundaryos-base - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - - build-hostos-base-dev-sev - build-setupos-base - build-setupos-base-dev - - build-setupos-base-dev-sev dependencies: - build-guestos-base - build-guestos-base-dev - - build-guestos-base-dev-sev - build-boundaryos-base - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - - build-hostos-base-dev-sev - build-setupos-base - build-setupos-base-dev - - build-setupos-base-dev-sev script: - | set -euo pipefail diff --git a/gitlab-ci/config/zz-generated-gitlab-ci.yaml b/gitlab-ci/config/zz-generated-gitlab-ci.yaml index 52d666f6124..b75b1355438 100644 --- a/gitlab-ci/config/zz-generated-gitlab-ci.yaml +++ b/gitlab-ci/config/zz-generated-gitlab-ci.yaml 
@@ -1555,29 +1555,23 @@ build-base-images-ref-update: dependencies: - build-guestos-base - build-guestos-base-dev - - build-guestos-base-dev-sev - build-boundaryos-base - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - - build-hostos-base-dev-sev - build-setupos-base - build-setupos-base-dev - - build-setupos-base-dev-sev extends: - ".rules-build-base-images" needs: - build-guestos-base - build-guestos-base-dev - - build-guestos-base-dev-sev - build-boundaryos-base - build-boundaryos-base-snp - build-hostos-base - build-hostos-base-dev - - build-hostos-base-dev-sev - build-setupos-base - build-setupos-base-dev - - build-setupos-base-dev-sev rules: - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images" - allow_failure: true 
@@ -1881,54 +1875,6 @@ build-guestos-base-dev: CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs" IMAGE: guestos-base-dev REF_FILE: ic-os/guestos/rootfs/docker-base.dev -build-guestos-base-dev-sev: - artifacts: - paths: - - digestfile* - extends: - - ".build-base-image-job" - needs: [] - rules: - - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images" - - allow_failure: true - if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master" - when: manual - - changes: - - gitlab-ci/config/base-images-build.yml - - ic-os/boundary-guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/packages.common - - ic-os/guestos/rootfs/packages.dev - - ic-os/hostos/rootfs/Dockerfile.base - - ic-os/hostos/rootfs/packages.common - - ic-os/hostos/rootfs/packages.dev - - ic-os/setupos/rootfs/Dockerfile.base - - ic-os/setupos/rootfs/packages.common - - ic-os/setupos/rootfs/packages.dev - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev") - - | - set -euo pipefail - - TAG=$(date '+%Y-%m-%d-%H%M') - echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build" - pushd "$CONTEXT" - podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base . 
- popd - echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K" - - if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then - podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io - podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile - echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}" - echo "$REF_FILE" >> "digestfile-${IMAGE}" - rm -f digestfile - fi - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/guestos/rootfs" - IMAGE: guestos-base-dev-sev - REF_FILE: ic-os/guestos/rootfs/docker-base.dev-sev build-hostos-base: artifacts: paths: 
@@ -2024,54 +1970,6 @@ build-hostos-base-dev: CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs" IMAGE: hostos-base-dev REF_FILE: ic-os/hostos/rootfs/docker-base.dev -build-hostos-base-dev-sev: - artifacts: - paths: - - digestfile* - extends: - - ".build-base-image-job" - needs: [] - rules: - - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images" - - allow_failure: true - if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master" - when: manual - - changes: - - gitlab-ci/config/base-images-build.yml - - ic-os/boundary-guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/packages.common - - ic-os/guestos/rootfs/packages.dev - - ic-os/hostos/rootfs/Dockerfile.base - - ic-os/hostos/rootfs/packages.common - - ic-os/hostos/rootfs/packages.dev - - ic-os/setupos/rootfs/Dockerfile.base - - ic-os/setupos/rootfs/packages.common - - ic-os/setupos/rootfs/packages.dev - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev" --build-arg "CPU_SUPPORT=sev") - - | - set -euo pipefail - - TAG=$(date '+%Y-%m-%d-%H%M') - echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build" - pushd "$CONTEXT" - podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base . 
- popd - echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K" - - if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then - podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io - podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile - echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}" - echo "$REF_FILE" >> "digestfile-${IMAGE}" - rm -f digestfile - fi - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/hostos/rootfs" - IMAGE: hostos-base-dev-sev - REF_FILE: ic-os/hostos/rootfs/docker-base.dev-sev build-ic: artifacts: paths: 
@@ -2302,54 +2200,6 @@ build-setupos-base-dev: CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs" IMAGE: setupos-base-dev REF_FILE: ic-os/setupos/rootfs/docker-base.dev -build-setupos-base-dev-sev: - artifacts: - paths: - - digestfile* - extends: - - ".build-base-image-job" - needs: [] - rules: - - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "build-push-base-images" - - allow_failure: true - if: $CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_NAME == "run-all-master" - when: manual - - changes: - - gitlab-ci/config/base-images-build.yml - - ic-os/boundary-guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/Dockerfile.base - - ic-os/guestos/rootfs/packages.common - - ic-os/guestos/rootfs/packages.dev - - ic-os/hostos/rootfs/Dockerfile.base - - ic-os/hostos/rootfs/packages.common - - ic-os/hostos/rootfs/packages.dev - - ic-os/setupos/rootfs/Dockerfile.base - - ic-os/setupos/rootfs/packages.common - - ic-os/setupos/rootfs/packages.dev - if: $CI_PIPELINE_SOURCE == "merge_request_event" - script: - - BUILD_ARGS=(--build-arg "PACKAGE_FILES=packages.common packages.dev") - - | - set -euo pipefail - - TAG=$(date '+%Y-%m-%d-%H%M') - echo -e "\e[0Ksection_start:$(date +%s):${IMAGE}[collapsed=true]\r\e[0KClick here to see the ${IMAGE} build" - pushd "$CONTEXT" - podman build "${BUILD_ARGS[@]}" --squash-all --no-cache -t "docker.io/dfinity/${IMAGE}:${TAG}" -f Dockerfile.base . 
- popd - echo -e "\e[0Ksection_end:$(date +%s):${IMAGE}\r\e[0K" - - if [ "${CI_COMMIT_REF_NAME:-}" == "master" ]; then - podman login -u "$DOCKER_HUB_USER" -p "$DOCKER_HUB_PASSWORD" docker.io - podman push "dfinity/${IMAGE}:${TAG}" --digestfile digestfile - echo "dfinity/${IMAGE}@$(cat digestfile)" > "digestfile-${IMAGE}" - echo "$REF_FILE" >> "digestfile-${IMAGE}" - rm -f digestfile - fi - variables: - CONTEXT: "${CI_PROJECT_DIR}/ic-os/setupos/rootfs" - IMAGE: setupos-base-dev-sev - REF_FILE: ic-os/setupos/rootfs/docker-base.dev-sev cargo-build-release-linux: extends: - ".rules-master-pipeline-and-merge-request" diff --git a/ic-os/README.adoc b/ic-os/README.adoc index a8d4f2abe8c..dffe58b7107 100644 --- a/ic-os/README.adoc +++ b/ic-os/README.adoc @@ -27,9 +27,9 @@ As an alternative, the following script can be used to build the images in a con Each image has its own build targets, which are variations of the image: -* SetupOS: `prod`, `dev`, `dev-sev` -* HostOS: `prod`, `dev`, `dev-sev` -* GuestOS: `prod`, `dev`, `dev-malicious`, `dev-sev` +* SetupOS: `prod`, `dev` +* HostOS: `prod`, `dev` +* GuestOS: `prod`, `dev`, `dev-malicious` * BoundaryGuestOS: `prod`, `prod-sev`, `dev`, `dev-sev` The difference between production and development images is that the console can be accessed on `dev` images, but not on `prod` images. 
@@ -99,33 +99,3 @@ To add a new package to an IC-OS image you need to: * *rootfs/*: Each rootfs subdirectory contains everything required to build a bootable Ubuntu system. Various template directories (e.g., /opt) are used, which are copied verbatim to the target system. You can add files to these directories to include them in the image. ** For instructions on how to make changes to the OS, refer to the link:docs/Rootfs.adoc#[rootfs documentation] - -== SEV testing - -=== Preparing DEV machine - -Follow instructions link:docs/SEVSnpTest.adoc#[here] to prepare the dev machine. - -==== Storing the SEV Certificates on the host (e.g. for test/farm machines) - -Note: we are storing the PEM files instead of the DER files. - -```bash -% snptool get-certs -% sev-host-set-cert-chain -r ark.pem -s ask.pem -v vcek.pem -``` - -=== Running SEV-SNP VM with virsh - -### Preparing image - -* cd to the root of the source tree -* build the image: bazel build //ic-os/boundary-guestos/envs/dev-sev/... -* ic-os/scripts/bn-virsh/prepare-for-virsh.sh - -### Create, login, destroy - -* ```$ virsh create ./bn_sev_vm.xml``` -* ```$ virsh console boundary_nodes_sev_snp-$USER``` -** Note: control-] to exit -* ```$ virsh destroy boundary_nodes_sev_snp-$USER``` diff --git a/ic-os/defs.bzl b/ic-os/defs.bzl index e4f59364479..bafc77744ac 100644 --- a/ic-os/defs.bzl +++ b/ic-os/defs.bzl @@ -399,8 +399,6 @@ def icos_build( upload_suffix = "" if mode == "dev": upload_suffix = "-dev" - elif mode == "dev-sev": - upload_suffix = "-dev-sev" if malicious: upload_suffix += "-malicious" diff --git a/ic-os/docs/SEVSnpTest.adoc b/ic-os/docs/SEVSnpTest.adoc deleted file mode 100644 index 6b0544f41c1..00000000000 --- a/ic-os/docs/SEVSnpTest.adoc +++ /dev/null 
@@ -1,104 +0,0 @@ -= SEV SNP Validation - -This doc explains how to validate a Host machine for SEV-SNP. Steps explain how to setup a SEV-SNP enabled host and prepare an Ubuntu image to be launched as SEV-SNP guest. - -== Prepare Host -* In the BIOS, these settings are required to be set. Please consult https://wiki.internetcomputer.org/wiki/IC_OS_Installation_Runbook#6._UEFI_Setup_and_Boot_Menu[NP wikis] for the particular vendor: -``` -SMEE = [Enable] -SEV ASID space limit Control = Manual -SEV-ES ASID space limit = 100 -SNP Memory Coverage = [Enabled] -SEV-SNP = [Enabled] -``` -* Download the https://github.com/dfinity/AMDSEV/releases[latest snp release] tar file from the DFINITY Github and untar it: -``` -$ wget https://github.com/dfinity/AMDSEV/releases/download/snp-release-/snp-release-.tar.gz -$ tar xvf snp-release-.tar.gz -``` - -* Install the linux kernel by running the install script in the release directory: -``` -$ cd snp-release- -$ sudo ./install.sh -``` -* Reboot the machine and (if needed) choose the SNP host kernel from the grub menu -* Run the following commands to verify that the SNP is enabled on the host: -``` -$ uname -r -6.1.0-rc4-snp-host-93fa8c5918a4 -# command will output the SNP host kernel you downloaded - -$ sudo dmesg | grep -i -e sev -e ccp -e rmp -[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 root=/dev/mapper/vgroot-lvroot ro mem_encrypt=on kvm_amd.sev=1 amd_iommu=on -[ 0.520036] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.14.0-rc2-snp-host-6d4469b86f90 root=/dev/mapper/vgroot-lvroot ro mem_encrypt=on kvm_amd.sev=1 amd_iommu=on -[ 1.768903] SEV-SNP: RMP table physical address 0x0000007fef500000 - 0x000000806fcfffff -[ 2.767472] [Hardware Error]: event severity: fatal -[ 8.328990] ccp 0000:22:00.1: enabling device (0000 -> 0002) -[ 8.330886] ccp 0000:22:00.1: no command queues available -[ 8.331699] ccp 0000:22:00.1: sev enabled -[ 8.331702] ccp 0000:22:00.1: psp enabled -[ 8.331973] ccp 
0000:a6:00.1: enabling device (0000 -> 0002) -[ 8.333711] ccp 0000:a6:00.1: no command queues available -[ 8.382289] ccp 0000:22:00.1: SEV firmware update successful -[ 17.253755] ccp 0000:22:00.1: SEV-SNP API:1.51 build:3 -[ 17.267208] SEV supported: 410 ASIDs -[ 17.267209] SEV-ES and SEV-SNP supported: 99 ASIDs - -$ cat /sys/module/kvm_amd/parameters/sev -Y - -$ cat /sys/module/kvm_amd/parameters/sev_es -Y - -$ cat /sys/module/kvm_amd/parameters/sev_snp -Y -``` -== Prepare Guest -* Install these utils: -``` -$ sudo apt install -y libvirt-daemon-system virtinst qemu-utils cloud-image-utils libsnappy-dev -``` -* Get an ubuntu image: -``` -$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img -``` -* Create QCOW2 image: -``` -$ sudo qemu-img create -b focal-server-cloudimg-amd64.img -f qcow2 -F qcow2 sev-guest.qcow2 100G -``` -* Create a cloud-init config file that sets a default password: -``` -$ cat >cloud-config <] # bazel build //ic-os/guestos/envs/dev/... -# bazel build //ic-os/guestos/envs/dev-sev/... # # check //ic-os/defs.bzl for the full list of targets. diff --git a/ic-os/guestos/defs.bzl b/ic-os/guestos/defs.bzl index f2f7760230a..8eea522d8b4 100644 --- a/ic-os/guestos/defs.bzl +++ b/ic-os/guestos/defs.bzl @@ -12,7 +12,7 @@ def image_deps(mode, malicious = False): Define all GuestOS inputs. Args: - mode: Variant to be built, dev, dev-sev or prod. + mode: Variant to be built, dev or prod. malicious: if True, bundle the `malicious_replica` Returns: A dict containing inputs to build this image. 
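Review bot: The new docstring line `mode: Variant to be built, dev or prod.` appears to understate the accepted values: the mode-keyed mapping in the following hunk still carries a `dev-malicious` entry (the `dev-sev` entry was removed from that same mapping), and the README hunk lists `dev-malicious` as a GuestOS target, so a reader of the docstring would not learn that value is valid. Suggest `mode: Variant to be built, dev, dev-malicious or prod.`, or a short clause pointing at the mode-keyed mappings below as the source of truth for accepted keys, so the docstring stays in step with the code. The body of image_deps continues outside this hunk.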
@@ -77,9 +77,6 @@ def image_deps(mode, malicious = False): "dev-malicious": { "build_container_filesystem_config_file": "//ic-os/guestos/envs/dev-malicious:build_container_filesystem_config.txt", }, - "dev-sev": { - "build_container_filesystem_config_file": "//ic-os/guestos/envs/dev-sev:build_container_filesystem_config.txt", - }, "prod": { "build_container_filesystem_config_file": "//ic-os/guestos/envs/prod:build_container_filesystem_config.txt", }, @@ -92,9 +89,6 @@ def image_deps(mode, malicious = False): "dev": { "//ic-os/guestos:rootfs/allow_console_root": "/etc/allow_console_root:0644", }, - "dev-sev": { - "//ic-os/guestos:rootfs/allow_console_root": "/etc/allow_console_root:0644", - }, } deps["rootfs"].update(extra_rootfs_deps.get(mode, {})) diff --git a/ic-os/guestos/envs/dev-sev/BUILD.bazel b/ic-os/guestos/envs/dev-sev/BUILD.bazel deleted file mode 100644 index 67de04e4c67..00000000000 --- a/ic-os/guestos/envs/dev-sev/BUILD.bazel +++ /dev/null @@ -1,16 +0,0 @@ -load("//ic-os:defs.bzl", "icos_build") -load("//ic-os/guestos:defs.bzl", "image_deps") - -exports_files(["build_container_filesystem_config.txt"]) - -# The macro contains several targets. -# Check -# //ic-os/guestos/BUILD.bazel for examples -# or //ic-os/defs.bzl for the full list of targets. -icos_build( - name = "dev-sev", - ic_version = "//bazel:rc_only_version.txt", - image_deps_func = image_deps, - upload_prefix = "guest-os", - visibility = ["//visibility:public"], -) diff --git a/ic-os/guestos/envs/dev-sev/build_container_filesystem_config.txt b/ic-os/guestos/envs/dev-sev/build_container_filesystem_config.txt deleted file mode 100644 index 4cba3ea86f3..00000000000 --- a/ic-os/guestos/envs/dev-sev/build_container_filesystem_config.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -# Config file for build_container_filesystem_tar.py -# CLI args will override these values -# For more info: `build_container_filesystem_tar.py --help` -dockerfile=Dockerfile -build-arg:["BUILD_TYPE=dev","ROOT_PASSWORD=root"] -file-build-arg="BASE_IMAGE=docker-base.dev-sev" diff --git a/ic-os/guestos/rootfs/Dockerfile b/ic-os/guestos/rootfs/Dockerfile index 66a11001c4b..23f214e9ecf 100644 --- a/ic-os/guestos/rootfs/Dockerfile +++ b/ic-os/guestos/rootfs/Dockerfile @@ -251,11 +251,6 @@ COPY dev-certs/canister_http_test_ca.cert /usr/local/share/ca-certificates/dev-r RUN chmod 0644 /usr/local/share/ca-certificates/dev-root-ca.crt RUN update-ca-certificates -# The above steps are also used for dev-sev image -FROM output_dev as output_dev-sev - -RUN echo "UNUSED DOCKERFILE LAYER. This line must exist to not fail." - FROM output_${BUILD_TYPE} USER root:root diff --git a/ic-os/guestos/rootfs/Dockerfile.base b/ic-os/guestos/rootfs/Dockerfile.base index f3daa3a3bbe..a2186351320 100644 --- a/ic-os/guestos/rootfs/Dockerfile.base +++ b/ic-os/guestos/rootfs/Dockerfile.base @@ -5,8 +5,6 @@ # - `docker push/pull dfinity/guestos-base:` # - `docker build -t dfinity/guestos-base-dev: --build-arg PACKAGE_FILES="packages.common packages.dev" -f Dockerfile.base .` # - `docker push/pull dfinity/guestos-base-dev:` -# - `docker build -t dfinity/guestos-base-dev-sev: --build-arg PACKAGE_FILES="packages.common packages.dev" --build-arg CPU_SUPPORT="sev" -f Dockerfile.base .` -# - `docker push/pull dfinity/guestos-base-dev-sev:` # # NOTE! If you edit this file, you will need to perform the following # operations to get your changes deployed. @@ -16,10 +14,6 @@ # 3. Note the sha256 and update the sha256 reference in the neighboring Dockerfiles. # -# The default will be a non_sev build -# For a SEV-SNP build, set CPU_SUPPORT build arg to "sev" -ARG CPU_SUPPORT=non_sev - # # First build stage: # - Download 3rd party tools 
@@ -47,17 +41,6 @@ RUN cd /tmp/ && \ echo "68f3802c2dd3980667e4ba65ea2e1fb03f4a4ba026cca375f15a0390ff850949 node_exporter-1.3.1.linux-amd64.tar.gz" > node_exporter.sha256 && \ shasum -c node_exporter.sha256 -# Download and verify SEV-SNP binaries -RUN cd /tmp/ && \ - curl -L -O https://github.com/dfinity/AMDSEV/releases/download/snp-release-2023-05-24/snp-release-2023-05-24.tar.gz && \ - echo "94d3fc86498261767cdaef7261232bf1315a7b06a981b14cb628487aa3d793e8 snp-release-2023-05-24.tar.gz" > snp-release.sha256 && \ - shasum -c snp-release.sha256 - -# Download and verify SEV-guest binaries -RUN cd /tmp/ && \ - curl -L -O https://github.com/dfinity/sev-guest/releases/download/sev-guest-2023-08-15/sev-guest.tar.gz && \ - echo "db0c996be7c0132d30fe446b76bd3ab8d3b4a0eb058205aaae7225ea98361c6f sev-guest.tar.gz" > sev-guest.sha256 && \ - shasum -c sev-guest.sha256 # # Second build stage: @@ -69,7 +52,6 @@ FROM ubuntu:20.04 USER root:root -ARG CPU_SUPPORT ENV SOURCE_DATE_EPOCH=0 ENV TZ=UTC 
@@ -99,31 +81,3 @@ RUN cd /tmp/ && \ mkdir -p /etc/node_exporter && \ tar --strip-components=1 -C /usr/local/bin/ -zvxf node_exporter-1.3.1.linux-amd64.tar.gz node_exporter-1.3.1.linux-amd64/node_exporter && \ rm /tmp/node_exporter-1.3.1.linux-amd64.tar.gz - -# If CPU_SUPPORT is "sev", install the guest kernel -# TODO: Generate SEV build conditionally -COPY --from=download /tmp/snp-release-2023-05-24.tar.gz /tmp/snp-release-2023-05-24.tar.gz -COPY --from=download /tmp/sev-guest.tar.gz /tmp/sev-guest.tar.gz -ARG sev_snp_guest_kernel_version=6.1.0-rc4-snp-guest-93fa8c5918a4 -RUN \ - echo "CPU_SUPPORT: ${CPU_SUPPORT}" && \ - if [ "${CPU_SUPPORT}" = "sev" ] ; then \ - cd /tmp/ && \ - tar xf snp-release-2023-05-24.tar.gz && \ - cd snp-release-2023-05-24 && \ - dpkg -i linux/guest/linux-image-*.deb && \ - ln -sf vmlinuz-${sev_snp_guest_kernel_version} /boot/vmlinuz && \ - ln -sf initrd.img-${sev_snp_guest_kernel_version} /boot/initrd.img && \ - find /boot -name "*.old" | xargs -L 1 unlink && \ - find /boot -name "*generic" | xargs rm && \ - find /usr/lib/modules -maxdepth 1 -type d -name "*generic" | xargs rm -rf && \ - - # Install sev-guest tools - mkdir -p /var/lib/sev-guest && \ - tar --strip-components=1 -C /var/lib/sev-guest -zvxf /tmp/sev-guest.tar.gz && \ - rm -rf /tmp/snp-release-2023-05-24 ; \ - fi - -# Cleanup -RUN rm /tmp/snp-release-2023-05-24.tar.gz -RUN rm /tmp/sev-guest.tar.gz diff --git a/ic-os/guestos/rootfs/docker-base.dev-sev b/ic-os/guestos/rootfs/docker-base.dev-sev deleted file mode 100644 index 611fdccf86a..00000000000 --- a/ic-os/guestos/rootfs/docker-base.dev-sev +++ /dev/null @@ -1 +0,0 @@ -docker.io/dfinity/guestos-base-dev-sev@sha256:b4c4ccb5afe7b50e9c5e15efef85916bfa1323b59d7e76f5efd154fabfafb8b5 diff --git a/ic-os/guestos/rootfs/etc/initramfs-tools/modules b/ic-os/guestos/rootfs/etc/initramfs-tools/modules index 89203db7e89..badf49b7475 100644 --- a/ic-os/guestos/rootfs/etc/initramfs-tools/modules 
+++ b/ic-os/guestos/rootfs/etc/initramfs-tools/modules @@ -1,3 +1,2 @@ virtio_blk dm_verity -sev_guest diff --git a/ic-os/guestos/rootfs/etc/udev/rules.d/20-sev-guest.rules b/ic-os/guestos/rootfs/etc/udev/rules.d/20-sev-guest.rules deleted file mode 100644 index cc9c790d27f..00000000000 --- a/ic-os/guestos/rootfs/etc/udev/rules.d/20-sev-guest.rules +++ /dev/null @@ -1 +0,0 @@ -ACTION=="add", KERNEL=="sev-guest", MODE="0777" diff --git a/ic-os/hostos/BUILD.bazel b/ic-os/hostos/BUILD.bazel index 76efc0ac136..6bac5bae00c 100644 --- a/ic-os/hostos/BUILD.bazel +++ b/ic-os/hostos/BUILD.bazel @@ -7,7 +7,6 @@ exports_files([ "volumes.csv", "grub.cfg", "rootfs/docker-base.dev", - "rootfs/docker-base.dev-sev", "rootfs/extra_boot_args", "rootfs/docker-base.prod", ]) @@ -30,6 +29,5 @@ ext4_image( # # bazel run //ic-os/hostos/envs/prod:upload_disk-img [--s3_endpoint=] # bazel build //ic-os/hostos/envs/dev/... -# bazel build //ic-os/hostos/envs/dev-sev/... # # check //ic-os/defs.bzl for the full list of targets. diff --git a/ic-os/hostos/defs.bzl b/ic-os/hostos/defs.bzl index 5f0326eaca3..397e57ee049 100644 --- a/ic-os/hostos/defs.bzl +++ b/ic-os/hostos/defs.bzl @@ -14,7 +14,7 @@ def image_deps(mode, _malicious = False): Define all HostOS inputs. Args: - mode: Variant to be built, dev, dev-sev or prod. + mode: Variant to be built, dev or prod. _malicious: Unused, but currently needed to fit generic build structure. Returns: A dict containing inputs to build this image. @@ -57,9 +57,6 @@ def image_deps(mode, _malicious = False): "dev": { "build_container_filesystem_config_file": "//ic-os/hostos/envs/dev:build_container_filesystem_config.txt", }, - "dev-sev": { - "build_container_filesystem_config_file": "//ic-os/hostos/envs/dev-sev:build_container_filesystem_config.txt", - }, "prod": { "build_container_filesystem_config_file": "//ic-os/hostos/envs/prod:build_container_filesystem_config.txt", }, 
diff --git a/ic-os/hostos/envs/dev-sev/BUILD.bazel b/ic-os/hostos/envs/dev-sev/BUILD.bazel deleted file mode 100644 index ae5de9779b3..00000000000 --- a/ic-os/hostos/envs/dev-sev/BUILD.bazel +++ /dev/null @@ -1,17 +0,0 @@ -load("//ic-os:defs.bzl", "icos_build") -load("//ic-os/hostos:defs.bzl", "image_deps") - -exports_files(["build_container_filesystem_config.txt"]) - -# The macro contains several targets. -# Check -# //ic-os/hostos/BUILD.bazel for examples -# or //ic-os/defs.bzl for the full list of targets. -icos_build( - name = "dev-sev", - ic_version = "//bazel:rc_only_version.txt", - image_deps_func = image_deps, - upload_prefix = "host-os", - visibility = ["//visibility:public"], - vuln_scan = False, -) diff --git a/ic-os/hostos/envs/dev-sev/build_container_filesystem_config.txt b/ic-os/hostos/envs/dev-sev/build_container_filesystem_config.txt deleted file mode 100644 index 4cba3ea86f3..00000000000 --- a/ic-os/hostos/envs/dev-sev/build_container_filesystem_config.txt +++ /dev/null @@ -1,6 +0,0 @@ -# Config file for build_container_filesystem_tar.py -# CLI args will override these values -# For more info: `build_container_filesystem_tar.py --help` -dockerfile=Dockerfile -build-arg:["BUILD_TYPE=dev","ROOT_PASSWORD=root"] -file-build-arg="BASE_IMAGE=docker-base.dev-sev" diff --git a/ic-os/hostos/rootfs/Dockerfile.base b/ic-os/hostos/rootfs/Dockerfile.base index 0ab2ed6909c..df2b943b9df 100644 --- a/ic-os/hostos/rootfs/Dockerfile.base +++ b/ic-os/hostos/rootfs/Dockerfile.base 
@@ -5,8 +5,6 @@ # - `docker push/pull dfinity/hostos-base:` # - `docker build -t dfinity/hostos-base-dev: --build-arg PACKAGE_FILES="packages.common packages.dev" -f Dockerfile.base .` # - `docker push/pull dfinity/hostos-base-dev:` -# - `docker build -t dfinity/hostos-base-dev-sev: --build-arg PACKAGE_FILES="packages.common packages.dev" --build-arg CPU_SUPPORT="sev" -f Dockerfile.base .` -# - `docker push/pull dfinity/hostos-base-dev-sev:` # # NOTE: # If you edit this file, you will need to perform the following operations @@ -18,10 +16,6 @@ # Dockerfiles # -# The default will be a non_sev build -# For a SEV-SNP build, set CPU_SUPPORT build arg to "sev" -ARG CPU_SUPPORT=non_sev - # # First build stage: # - Download 3rd party tools @@ -49,11 +43,6 @@ RUN cd /tmp/ && \ echo "68f3802c2dd3980667e4ba65ea2e1fb03f4a4ba026cca375f15a0390ff850949 node_exporter-1.3.1.linux-amd64.tar.gz" > node_exporter.sha256 && \ shasum -c node_exporter.sha256 -# Download and verify SEV-SNP binaries -RUN cd /tmp/ && \ - curl -L -O https://github.com/dfinity/AMDSEV/releases/download/snp-release-2023-05-24/snp-release-2023-05-24.tar.gz && \ - echo "dae30357ee68cbe1347d8bdf84f8b4f883c999be snp-release-2023-05-24.tar.gz" > snp-release.sha256 && \ - shasum -c snp-release.sha256 # # Second build stage: 
@@ -124,34 +113,3 @@ RUN cd /tmp/ && \ mkdir -p /etc/node_exporter && \ tar --strip-components=1 -C /usr/local/bin/ -zvxf node_exporter-1.3.1.linux-amd64.tar.gz node_exporter-1.3.1.linux-amd64/node_exporter && \ rm /tmp/node_exporter-1.3.1.linux-amd64.tar.gz - -# If CPU_SUPPORT is "sev", install the patched qemu and the host kernel -# The file `/opt/ic/share/SEV` is used as a build-time flag to indicate that -# the SEV path shoud be taken at runtime. -# QEMU installed previously will be over-written by the patched QEMU (7.2.0) -# Installing libsnappy package only for "sev" configuration -# TODO: Generate SEV build conditionally so that QEMU 6.2 is not built unnecessarily -COPY --from=download /tmp/snp-release-2023-05-24.tar.gz /tmp/snp-release-2023-05-24.tar.gz -ARG sev_snp_host_kernel_version=6.1.0-rc4-snp-host-93fa8c5918a4 -RUN \ - echo "CPU_SUPPORT: ${CPU_SUPPORT}" && \ - if [ "${CPU_SUPPORT}" = "sev" ] ; then \ - cd /tmp/ && \ - apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommends install libsnappy-dev && \ - tar xf snp-release-2023-05-24.tar.gz && \ - cd snp-release-2023-05-24 && \ - cp usr/local/bin/qemu-system-x86_64 /usr/local/bin && \ - cp -r usr/local/share/qemu /usr/local/share && \ - dpkg -i linux/host/linux-image-*.deb && \ - cp kvm.conf /etc/modprobe.d/ && \ - ln -sf vmlinuz-${sev_snp_host_kernel_version} /boot/vmlinuz && \ - ln -sf initrd.img-${sev_snp_host_kernel_version} /boot/initrd.img && \ - find /boot -name "*.old" | xargs -L 1 unlink && \ - find /boot -name "*generic" | xargs rm && \ - find /usr/lib/modules -maxdepth 1 -type d -name "*generic" | xargs rm -rf && \ - mkdir -p /opt/ic/share && touch /opt/ic/share/SEV && \ - rm -rf /tmp/snp-release-2023-05-24 ; \ - fi - -# Cleanup -RUN rm /tmp/snp-release-2023-05-24.tar.gz diff --git a/ic-os/hostos/rootfs/docker-base.dev-sev b/ic-os/hostos/rootfs/docker-base.dev-sev deleted file mode 100644 index 9faee635fed..00000000000 
--- a/ic-os/hostos/rootfs/docker-base.dev-sev
+++ /dev/null
@@ -1 +0,0 @@
-docker.io/dfinity/hostos-base-dev-sev@sha256:6565c80504641ea7c5926dd7bab942a8c531a277e15830b7a195a22dd1fb0285
diff --git a/ic-os/hostos/rootfs/etc/systemd/system/sev-guestos.service b/ic-os/hostos/rootfs/etc/systemd/system/sev-guestos.service
deleted file mode 100644
index 14ca451150f..00000000000
--- a/ic-os/hostos/rootfs/etc/systemd/system/sev-guestos.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Manage SEV GuestOS virtual machine
-Requires=generate-guestos-config.service
-After=generate-guestos-config.service
-ConditionPathExists=/opt/ic/share/SEV
-
-[Service]
-Type=simple
-ExecStartPre=/opt/ic/bin/detect-first-boot.sh
-ExecStart=/var/lib/sev_guestos.sh start
-ExecStartPost=/opt/ic/bin/manageboot.sh confirm
-ExecStopPost=/var/lib/sev_guestos.sh stop
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh b/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh
index fcc57db1d06..d72baf421ff 100755
--- a/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh
+++ b/ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh
@@ -156,90 +156,12 @@ function generate_guestos_config() { fi } -TMP_MOUNT_DIR="/tmp/sev-guest-mount" -BOOT_COMPONENTS_DIR="/tmp/sev-guest-boot-components" -LOOP_DEVICE="/dev/loop0" -GUESTOS_LOCATION="/dev/mapper/hostlvm-guestos" -SEV_SNP_FILE="/opt/ic/share/SEV" - -# Set up loop device and mount. Get the boot components -mount_guestos_image_and_copy_files() { - mkdir -p "$TMP_MOUNT_DIR" - losetup -P "$LOOP_DEVICE" /dev/mapper/hostlvm-guestos - mount "${LOOP_DEVICE}p4" "$TMP_MOUNT_DIR" - mkdir -p "$BOOT_COMPONENTS_DIR" - cp "$TMP_MOUNT_DIR"/vmlinuz "$BOOT_COMPONENTS_DIR" - cp "$TMP_MOUNT_DIR"/initrd.img "$BOOT_COMPONENTS_DIR" - cp "$TMP_MOUNT_DIR"/extra_boot_args "$BOOT_COMPONENTS_DIR" -} - -# Clean up loop device and mount -unmount_guestos_image() { - umount -q "$TMP_MOUNT_DIR" - rmdir "$TMP_MOUNT_DIR" - losetup -d "$LOOP_DEVICE" -} - -# Generate config for SEV GuestOS -# Use the qemu script template and mount the guestos image. -# Derive kernel, initrd and the cmdline and populate the qemu script. -function generate_sev_guestos_config() { - INPUT="/opt/ic/share/sev_guestos.sh.template" - OUTPUT="/var/lib/sev_guestos.sh" - RESOURCES_MEMORY=$(/opt/ic/bin/fetch-property.sh --key=.resources.memory --metric=hostos_resources_memory --config=${DEPLOYMENT}) - MAC_ADDRESS=$(/opt/ic/bin/hostos_tool generate-mac-address --node-type GuestOS) - mount_guestos_image_and_copy_files - unmount_guestos_image - - KERNEL="$BOOT_COMPONENTS_DIR/vmlinuz" - INITRD="$BOOT_COMPONENTS_DIR/initrd.img" - source "$BOOT_COMPONENTS_DIR"/extra_boot_args - if [ ! 
-f "${OUTPUT}" ]; then - mkdir -p "$(dirname "$OUTPUT")" - sed -e "s@{{ resources_memory }}@${RESOURCES_MEMORY}@" \ - -e "s@{{ mac_address }}@${MAC_ADDRESS}@" \ - -e "s@{{ kernel }}@${KERNEL}@" \ - -e "s@{{ initrd }}@${INITRD}@" \ - -e "s@{{ extra_boot_args }}@${EXTRA_BOOT_ARGS}@" \ - "${INPUT}" >"${OUTPUT}" - chmod ug+x "${OUTPUT}" - restorecon -R "$(dirname "$OUTPUT")" - write_log "Generating SEV GuestOS configuration file: ${OUTPUT}" - write_metric "hostos_generate_sev_guestos_config" \ - "1" \ - "HostOS generate SEV GuestOS config" \ - "gauge" - else - write_log "SEV GuestOS configuration file already exists: ${OUTPUT}" - write_metric "hostos_generate_sev_guestos_config" \ - "0" \ - "HostOS generate SEV GuestOS config" \ - "gauge" - fi -} - -# Check if SEV-SNP if enabled on host -function is_sev_snp_enabled() { - if [ -f "$SEV_SNP_FILE" ]; then - return 0 - fi - - return 1 -} - function main() { # Establish run order validate_arguments read_variables assemble_config_media - if is_sev_snp_enabled; then - # TODO: Also, fetch and load the SEV certs. - # snptool get-certs - # sev-host-set-cert-chain -r ark.pem -s ask.pem -v vcek.pem - generate_sev_guestos_config - else - generate_guestos_config - fi + generate_guestos_config } main diff --git a/ic-os/hostos/rootfs/opt/ic/share/sev_guestos.sh.template b/ic-os/hostos/rootfs/opt/ic/share/sev_guestos.sh.template deleted file mode 100644 index 854f58c9575..00000000000 --- a/ic-os/hostos/rootfs/opt/ic/share/sev_guestos.sh.template +++ /dev/null 
@@ -1,101 +0,0 @@
-#!/bin/sh
-
-set -e
-
-SCRIPT="$(basename $0)[$$]"
-
-write_log() {
- local message=$1
-
- if [ -t 1 ]; then
- echo "${SCRIPT} ${message}" >/dev/stdout
- fi
-
- logger -t ${SCRIPT} "${message}"
-}
-
-# Setup tap device
-# TODO: This should be done in network service.
-# Currently here to keep all SEV changes to one place.
-TAP_INTERFACE="tap0"
-BRIDGE_INTERFACE="br6"
-
-# Create a tap interface and connect it to bridge interface
-setup() {
- ip tuntap add dev $TAP_INTERFACE mode tap
- ip link set dev $TAP_INTERFACE up
- ip link set $TAP_INTERFACE master $BRIDGE_INTERFACE
-
- write_log "SEV GuestOS setup tap interface"
-
-}
-
-# Cleanup resources
-cleanup() {
- # Delete the tap interface
- ip link set dev $TAP_INTERFACE down
- ip tuntap del dev $TAP_INTERFACE mode tap
-
- write_log "Cleanup sev guestos resources"
-}
-
-# Launch QEMU to setup the SEV-SNP GuestOS
-start_qemu() {
- write_log "Starting SEV GuestOS"
-
- /usr/local/bin/qemu-system-x86_64 \
- -name guest=guestos,debug-threads=on \
- -uuid 7c0cfb2b-2304-4e5c-8caf-564de0efd92f \
- -enable-kvm \
- -machine pc-q35-6.2,usb=off,dump-guest-core=off \
- -cpu EPYC-v4,topoext=on,l3-cache=off \
- -m {{ resources_memory }}G \
- -overcommit mem-lock=off \
- -smp 2,sockets=1,dies=1,cores=2,threads=1 \
- -drive if=pflash,format=raw,unit=0,file=/usr/local/share/qemu/OVMF_CODE.fd,readonly=on \
- -drive file=/dev/hostlvm/guestos,if=none,id=disk0,format=raw \
- -drive file=/run/ic-node/config.img,if=none,id=disk1,format=raw \
- -kernel {{ kernel }} \
- -initrd {{ initrd }} \
- -append "BOOT_IMAGE=/vmlinuz root=/dev/vda5 console=ttyS0 dfinity.system=A dfinity.boot_state=stable {{ extra_boot_args }}" \
- -device usb-ehci,id=ehci \
- -device usb-storage,bus=ehci.0,drive=disk1,removable=on,port=1 \
- -device virtio-blk,drive=disk0,id=virtblk0,bus=pcie.0,addr=0x7,disable-legacy=on,iommu_platform=on,bootindex=4 \
- -device pcie-root-port,port=0x8,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x4 \
- -device pcie-root-port,port=0x9,chassis=2,id=pci.2,bus=pcie.0,addr=0x4.0x1 \
- -device pcie-root-port,port=0xa,chassis=3,id=pci.3,bus=pcie.0,addr=0x4.0x2 \
- -device pcie-root-port,port=0xb,chassis=4,id=pci.4,bus=pcie.0,addr=0x4.0x3 \
- -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 \
- -netdev tap,id=net0,ifname=$TAP_INTERFACE,vhost=on,script=no,downscript=no \
- -device virtio-net-pci,netdev=net0,id=hostnet0,mac={{ mac_address }},bus=pci.1,addr=0x0 \
- -object rng-random,id=objrng0,filename=/dev/urandom \
- -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.4,addr=0x0 \
- -device vhost-vsock-pci,id=vsock0,guest-cid=3,bus=pci.2,addr=0x0 \
- -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown \
- -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on \
- -machine memory-encryption=sev0,vmport=off \
- -object memory-backend-memfd-private,id=ram1,size=2048M,share=true \
- -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,discard=none \
- -machine memory-backend=ram1,kvm-type=protected \
- -nographic \
- -msg timestamp=on
-}
-
-# Determine action based on the passed argument
-# - 'start': Sets up the environment, starts QEMU
-# - 'stop': Cleans up resources related to the SEV-SNP GuestOS
-case "$1" in
- start)
- setup
- start_qemu
- ;;
- stop)
- cleanup
- ;;
- *)
- echo "Usage: $0 {start|stop}"
- exit 1
- ;;
-esac
-
-exit 0
diff --git a/ic-os/setupos/BUILD.bazel b/ic-os/setupos/BUILD.bazel
index b534df9d6be..18923e55a19 100644
--- a/ic-os/setupos/BUILD.bazel
+++ b/ic-os/setupos/BUILD.bazel
@@ -6,7 +6,6 @@ exports_files([
 "rootfs/docker-base.dev",
 "rootfs/extra_boot_args",
 "rootfs/docker-base.prod",
- "rootfs/docker-base.sev",
 "config/config.ini",
 "config/ssh_authorized_keys/admin",
 "config/node_operator_private_key.pem",
@@ -24,6 +23,5 @@ filegroup(
 #
 # bazel run //ic-os/setupos/envs/prod:upload_disk-img [--s3_endpoint=]
 # bazel build //ic-os/setupos/envs/dev/...
-# bazel build //ic-os/setupos/envs/dev-sev/...
 #
 # check //ic-os/defs.bzl for the full list of targets.
diff --git a/ic-os/setupos/defs.bzl b/ic-os/setupos/defs.bzl
index 9e72737b721..45b74836c01 100644
--- a/ic-os/setupos/defs.bzl
+++ b/ic-os/setupos/defs.bzl
@@ -51,9 +51,6 @@ def image_deps(mode, _malicious = False):
 "dev": {
 "build_container_filesystem_config_file": "//ic-os/setupos/envs/dev:build_container_filesystem_config.txt",
 },
- "dev-sev": {
- "build_container_filesystem_config_file": "//ic-os/setupos/envs/dev-sev:build_container_filesystem_config.txt",
- },
 "prod": {
 "build_container_filesystem_config_file": "//ic-os/setupos/envs/prod:build_container_filesystem_config.txt",
 },
@@ -63,17 +60,13 @@ def image_deps(mode, _malicious = False):
 return deps
 
-# Inject a step building a data partition that contains either dev, dev-sev or prod
+# Inject a step building a data partition that contains either dev or prod
 # child images, depending on this build variant.
 def _custom_partitions(mode):
 if mode == "dev":
 guest_image = Label("//ic-os/guestos/envs/dev:disk-img.tar.zst")
 host_image = Label("//ic-os/hostos/envs/dev:disk-img.tar.zst")
 nns_url = "https://dfinity.org"
- elif mode == "dev-sev":
- guest_image = Label("//ic-os/guestos/envs/dev-sev:disk-img.tar.zst")
- host_image = Label("//ic-os/hostos/envs/dev-sev:disk-img.tar.zst")
- nns_url = "https://dfinity.org"
 else:
 guest_image = Label("//ic-os/guestos/envs/prod:disk-img.tar.zst")
 host_image = Label("//ic-os/hostos/envs/prod:disk-img.tar.zst")
@@ -98,7 +91,7 @@ def _custom_partitions(mode):
 Label("//ic-os/setupos:config/ssh_authorized_keys/admin"): "ssh_authorized_keys/admin",
 }
 
- if mode == "dev" or mode == "dev-sev":
+ if mode == "dev":
 config_dict[Label("//ic-os/setupos:config/node_operator_private_key.pem")] = "node_operator_private_key.pem"
 
 pkg_tar(
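Review bot: The entry dropped from `exports_files` in the `ic-os/setupos/BUILD.bazel` hunk is `rootfs/docker-base.sev`, but the file this commit deletes is `rootfs/docker-base.dev-sev` (the name the removed `build_container_filesystem_config.txt` also referenced); the two names do not match. Either `docker-base.sev` was a stale export for a file that no longer exists, or a `rootfs/docker-base.sev` file is still in the tree and now merely unexported — the diff does not show which. If it still exists it belongs in the same change, so that no pinned SEV base-image digest lingers in the repository after the build path that consumed it is gone. The `exports_files([` call itself begins before the hunk.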
diff --git a/ic-os/setupos/envs/dev-sev/BUILD.bazel b/ic-os/setupos/envs/dev-sev/BUILD.bazel
deleted file mode 100644
index d4efe6bd304..00000000000
--- a/ic-os/setupos/envs/dev-sev/BUILD.bazel
+++ /dev/null
@@ -1,23 +0,0 @@
-load("//ic-os:defs.bzl", "icos_build")
-load("//ic-os/setupos:defs.bzl", "image_deps")
-load("//ic-os/utils/bare_metal_deployment:tools.bzl", "launch_bare_metal")
-
-exports_files(["build_container_filesystem_config.txt"])
-
-# The macro contains several targets.
-# Check
-# //ic-os/setupos/BUILD.bazel for examples
-# or //ic-os/defs.bzl for the full list of targets.
-icos_build(
- name = "dev-sev",
- ic_version = "//bazel:rc_only_version.txt",
- image_deps_func = image_deps,
- upgrades = False,
- upload_prefix = "setup-os",
- vuln_scan = False,
-)
-
-launch_bare_metal(
- name = "launch_bare_metal",
- image_zst_file = ":disk-img.tar.zst",
-)
diff --git a/ic-os/setupos/envs/dev-sev/build_container_filesystem_config.txt b/ic-os/setupos/envs/dev-sev/build_container_filesystem_config.txt
deleted file mode 100644
index 254f1cb806a..00000000000
--- a/ic-os/setupos/envs/dev-sev/build_container_filesystem_config.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-# Config file for build_container_filesystem_tar.py
-# CLI args will override these values
-# For more info: `build_container_filesystem_tar.py --help`
-dockerfile=Dockerfile
-build-arg="BUILD_TYPE=dev-sev"
-file-build-arg="BASE_IMAGE=docker-base.dev-sev"
diff --git a/ic-os/setupos/rootfs/Dockerfile.base b/ic-os/setupos/rootfs/Dockerfile.base
index b24c80c097e..b7467e308b4 100644
--- a/ic-os/setupos/rootfs/Dockerfile.base
+++ b/ic-os/setupos/rootfs/Dockerfile.base
@@ -5,8 +5,6 @@
 # - `docker push/pull dfinity/setupos-base:`
 # - `docker build -t dfinity/setupos-base-dev: --build-arg PACKAGE_FILES="packages.common packages.dev" -f Dockerfile.base .`
 # - `docker push/pull dfinity/setupos-base-dev:`
-# - `docker build -t dfinity/setupos-base-dev-sev: --build-arg PACKAGE_FILES="packages.common packages.dev" -f Dockerfile.base .`
-# - `docker push/pull dfinity/setupos-base-dev-sev:`
 #
 # First build stage:
 # - Download and cache minimal Ubuntu Server 20.04 LTS Docker image
@@ -36,22 +34,3 @@ RUN apt-get -y update && \
 apt-get -y upgrade && \
 apt-get -y --no-install-recommends install $(for P in ${PACKAGE_FILES}; do cat /tmp/$P | sed -e "s/#.*//" ; done) && \
 rm /tmp/packages.*
-
-# Install kernel modified to support sev-snp. Link the resulting kernel as the default.
-# Then clean up old kernel to save space
-# In the future this will change. Either:
-# - the mainline kernel will get SEV-SNP or
-# - AMDSEV repo might get built as part of this dockerfile
-ARG MODIFIED_KERNEL_DEB="linux-image-6.1.0-rc4-snp-host-93fa8c5918a4_6.1.0-rc4-snp-host-93fa8c5918a4-1_amd64.deb"
-RUN curl -LsSf --remote-name https://github.com/dfinity/AMDSEV/releases/download/snp-release-2023-05-24/${MODIFIED_KERNEL_DEB} \
- && dpkg -i ${MODIFIED_KERNEL_DEB} \
- && rm ${MODIFIED_KERNEL_DEB} \
- && ln -sf vmlinuz-6.1.0-rc4-snp-host-93fa8c5918a4 /boot/vmlinuz \
- && ln -sf initrd.img-6.1.0-rc4-snp-host-93fa8c5918a4 /boot/initrd.img \
- && find /boot -name "*.old" | xargs -L 1 unlink \
- && find /boot -name "initrd*generic" \
- -o -name "vmlinuz*generic" \
- -o -name "config*generic" \
- -o -name "System*generic" \
- | xargs rm \
- && find /usr/lib/modules -maxdepth 1 -type d -name "*generic" | xargs rm -rf
diff --git a/ic-os/setupos/rootfs/docker-base.dev-sev b/ic-os/setupos/rootfs/docker-base.dev-sev
deleted file mode 100644
index 9fb4670b79e..00000000000
--- a/ic-os/setupos/rootfs/docker-base.dev-sev
+++ /dev/null
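Review bot: Dropping the modified-kernel stage in the second `Dockerfile.base` hunk also drops the explicit `ln -sf … /boot/vmlinuz` and `/boot/initrd.img` links, so the image now relies on the distribution kernel package to provide those paths; Ubuntu's kernel packages normally maintain them, but the hunk gives no evidence that the setupos image build still finds what it expects, so this is worth confirming with a build. A short comment after the package `RUN` would also stop the next reader from wondering whether a kernel step went missing, e.g. `# No custom kernel is installed in this base image; the distribution kernel is used as-is.` The `RUN apt-get -y update` command begins on the hunk-header line, outside the hunk.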
@@ -1 +0,0 @@
-docker.io/dfinity/setupos-base-dev-sev@sha256:f087cea42d8f2a3f604eaa615f6c511fdd90e5111b54bf58cf6af917275cf4e0