New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tests: Add IBM SE to the basic confidential test #8914
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code LGTM and I can see that is passed in the daily run:
ok 1 Test unencrypted confidential container launch success and verify that we are running in a secure enclave.
Do you know if there are any plans for Marist to have an LPAR with SE available, or any other options for us to add an SE self-hosted runner in the future?
I have to ask the Marist team on their plans. For other options, I will contact you offline and then let's circle back if there are options. cc: @magowan |
0923f78
to
a9f5c91
Compare
/test |
The existing confidential basic test titled `Test unencrypted confidential container launch success and verify that we are running in a secure enclave` has been updated to incorporate IBM Secure Execution (`qemu-se`). Previously, a secure image was absent from kata-deploy, hindering the inclusion of IBM SE in the test. Thanks to the kata-containers#6755 update, it is now possible to test the TEE. This modification extends the existing test by introducing `qemu-se`. The specific changes are outlined below: - Add an additional test `cc-se-e2e-tests` to s390x nightly - Expansion of `REMOTE_COMMAND_PER_HYPERVISOR` for `qemu-se` - Temporary exclusion of two test cases currently incompatible with IBM SE (`cpu-ns` is a common issue across all TEEs, while `inotify` will be addressed in a subsequent pull request). Fixes: kata-containers#8913 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
a9f5c91
to
ab462a4
Compare
/test |
The CI jobs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks @BbolroC !
The existing confidential basic test titled
Test unencrypted confidential container launch success and verify that we are running in a secure enclave
has been updated to incorporate IBM Secure Execution (qemu-se
).Previously, a secure image was absent from kata-deploy, hindering the inclusion of IBM SE in the test.
Thanks to the #6755 update, it is now possible to test the TEE.
This modification extends the existing test by introducing
qemu-se
. The specific changes are outlined below:cc-se-e2e-tests
to s390x nightlyREMOTE_COMMAND_PER_HYPERVISOR
forqemu-se
cpu-ns
is a common issue across all TEEs, whileinotify
will be addressed in a subsequent pull request for Pod stuck inStartError
for k8s-inotify.bats on IBM Z16 LPAR #8906).Reviewers, please note that the test has already been verified on Jenkins at http://jenkins.katacontainers.io/job/kata-containers-CCv0-ubuntu-20.04-s390x-SE-daily/374/. It can only be verified internally due to limitations in computing resources (SE capable). To address this, the test is triggered by the nightly GHA workflow. The test log fetched during the workflow will be the same as the one verified on Jenkins.
Fixes: #8913
Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com