CC | dependency error on kata-agent for s390x #5582
Comments
UPDATE
Investigation and test results
The
Conclusion
I look forward to feedback from @uweigand. Thanks @Xynnn007 and @huoqifeng for the discussion
@fidencio mentioned that td-shim has replaced ring with sha2 https://github.com/confidential-containers/td-shim/pull/428/files, so I wonder if that would be helpful, but would involve getting
@stevenhorsman Thanks for the idea. I've gone through how cc: @hbrueckner
Yep - that makes sense and not unexpected, we just thought we'd throw in the idea. 🤞 we can get the ring PR merged soon.
BTW - This PR is working to add RustCrypto support, which can get rid of
Hi @BbolroC @stevenhorsman ,
Also looked into ring usage in
Thanks for sharing. And looking at the commit, they indeed replace a couple of crypto operations with the rustCrypto ones (e.g. similar to the mentioned
This is just to keep the support for s390x without the cosign verification while looking for a solution for kata-containers#5582. Fixes: kata-containers#5599 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Looks like @briansmith is working on briansmith/ring#1555, when the issue is finished, maybe
While we wait for the fix in the ring crate to be progressed and completed we're going to attempt a workaround conditionally compiling image-rs without the sigstore-rs crate and without support for cosign signing when it's compiled for s390x: confidential-containers/guest-components#80.
Exclude the image-rs cosign feature when the build target is the s390x architecture. Fixes: kata-containers#5582 Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
Exclude the image-rs cosign feature when the build target is the s390x architecture. Change Cargo to use workspace resolver 2 so that conditional include for the image-rs crate is resolved correctly for different targets. Fixes: kata-containers#5582 Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
Exclude the image-rs cosign feature when the build target is the s390x architecture. Change Cargo to use workspace resolver 2 so that conditional include for the image-rs crate is resolved correctly for different targets. Update cargo lock. Fixes: kata-containers#5582 Signed-off-by: Matthew Arnold <mattarno@uk.ibm.com>
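The workaround described in the commit messages above, sketched as an added Cargo manifest example (not the kata-containers or image-rs manifests themselves). The feature names `cosign` and `other-features`, the `agent` member path and the `<pinned-rev>` placeholder are assumptions.

```toml
# --- workspace root Cargo.toml ---
[workspace]
members = ["agent"]   # assumed member path

# Resolver 2 does not enable features requested by target-specific
# dependencies for targets that are not being built. With resolver 1 the
# features of both image-rs entries below are unified, so `cosign` (and
# with it sigstore-rs -> openidconnect -> ring) would still be enabled
# when building for s390x.
resolver = "2"

# --- agent/Cargo.toml ---
# Every architecture except s390x: image-rs with cosign verification.
# "cosign" and "other-features" are assumed feature names.
[target.'cfg(not(target_arch = "s390x"))'.dependencies]
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "<pinned-rev>", default-features = false, features = ["cosign", "other-features"] }

# s390x: same crate and revision, with the cosign feature left out so that
# ring never enters the dependency graph for this target.
[target.'cfg(target_arch = "s390x")'.dependencies]
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "<pinned-rev>", default-features = false, features = ["other-features"] }
```

To check the result, `cargo tree --target s390x-unknown-linux-gnu -i ring` should find no `ring` package in the graph. An agent built this way for s390x does not verify cosign signatures on images.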
@stevenhorsman I was wondering if this issue could be closed.
I don't think we should close it, but maybe it needs updating, or possibly moving to image-rs? AFAIK we didn't get ring working on s390x, so cosign support doesn't work (which we'd like, hence keeping this open), we are just avoiding the problem by not building the co-sign feature on s390x.
True. Then I will make an update on what is going on for this issue this week. Thanks for your opinion. ❤️
FYI, recently
@Xynnn007 - thanks for the update and for testing it out. I thought Gerry mentioned that the latest
Description of problem
Since #5542 was merged on `CCv0`, CI jobs (e.g. http://jenkins.katacontainers.io/job/kata-containers-CCv0-ubuntu-20.04-s390x-PR/229/consoleText) for s390x have been failing due to the following build error on `agent`:

On the `image-rs` side, confidential-containers/guest-components#47 made a difference for `s390x`, which introduced the `sigstore-rs` → `openidconnect` → `ring` dependency chain (https://github.com/sigstore/sigstore-rs/blob/main/Cargo.toml#L25).

A conversation for the `s390x` support on `ring` started with a PR (briansmith/ring#1297) last year, but it is not yet merged. We need to fix this issue on `image-rs` or `sigstore-rs` like what has been made for `kata-ctl` (https://github.com/kata-containers/kata-containers/blob/main/src/tools/kata-ctl/Cargo.toml#L23) while we are waiting for having the PR for `ring` merged.

cc: @stevenhorsman, @arronwy, @hbrueckner