packaging: Don't always build the kata-agent #8916
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
katacontainersbot
added
size/large
fidencio
force-pushed
the
topic/packaging-reuse-already-built-agent
branch
3 times, most recently
from
f855b01
to
5f9f531
Compare
This has been missed during reviews and will become a problem when the tools start to be built in different architectures. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This has been missed during reviews and is already a problem as we're trying to build the agent outside of the rootfs for other architectures than x86_64. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
stevenhorsman
approved these changes
Jan 25, 2024
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
Outdated
Show resolved
Hide resolved
fidencio
force-pushed
the
topic/packaging-reuse-already-built-agent
branch
4 times, most recently
from
cfa4a01
to
a22b50b
Compare
We're moving away from alpine and using ubuntu in order to be able to build the agent for all the architectures we need. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This env var will serve us to pass the agent tarball to the rootfs builder, which will then just unpack the content into the rootfs instead of building the agent again. AGENT_TARBALL and AGENT_SOURCE_BIN should never be used together. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we'll be untarring the agent tarball (and any other component that may be part of the rootfs) into the rootfs, we have to have xz installed. For debian and ubuntu the package is called xz-utils; for centos, alpine and cbl-mariner the package is called xz. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's always do this, regardless of where the agent is coming from. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
It just means the component is not cached, and that it must be built in the usual way. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's start relying on the already cached agent to be deployed inside the rootfs. By doing this we save a lot of time in our CI, and we have a better way, for developers, to play with changes in the agent. Fixes: kata-containers#8915 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/packaging-reuse-already-built-agent
branch
from
a22b50b
to
dd49479
Compare
|
/test |
|
A lot of goodness here - thanks @fidencio ! |
danmihai1
approved these changes
Jan 25, 2024
| @@ -693,6 +692,8 @@ EOF | |||
| tar xvJpf ${AGENT_TARBALL} -C ${ROOTFS_DIR} | |||
| fi | |||
|
|
|||
| ${stripping_tool} ${ROOTFS_DIR}/usr/bin/kata-agent | |||
There was a problem hiding this comment.
We can do this later, but perhaps we should have a way to bypass this new behavior.
There was a problem hiding this comment.
I'd prefer doing this later, but just to confirm.
The idea here is that we can bypass the behaviour and actually not have the component installed, correct?
If so, I think we can enforce this for the attestation-agent / confiential-data-hub / opa, are those are extra components. The kata agent itself must always be there, though.
There was a problem hiding this comment.
Never mind. Yesterday I thought this rootfs.sh change was a significant change in symbol strip behavior - but I see now that it's consistent with the previous behavior.
Otherwise building as root will not work, as demonstrated by the arm64 CI. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
|
/test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There's absolutely no need to always build the Kata Containers agent when building the rootfs. We already have the agent being built / packaged on every PR, and we can rely on that to simply be unpacked into the rootfs, unless there's a change in the agent.
Please, see each commit for more info.