packaging/osbuilder: allow to pull and unpack pause image #9031
Conversation
9572c2e to 3fbe68c
3fbe68c to 65d65d2
@ChengyuZhu6, I've left a few comments.
Thanks!
@@ -44,6 +44,7 @@ jobs: | |||
- nydus | |||
- ovmf | |||
- ovmf-sev | |||
- pause |
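Review bot: the added matrix entry reads pause, but the component this PR introduces is named pause-image everywhere else (the build target is make pause-image-tarball), so this matrix value would not line up with the target the workflow is meant to build; rename the entry to pause-image.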
This must be pause-image
Fixed.
@@ -30,6 +30,7 @@ jobs: | |||
- agent | |||
- coco-guest-components | |||
- kernel | |||
- pause |
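Review bot: same naming mismatch as in the other workflow: the added entry is pause while the component and its build target are called pause-image; fix both workflows in the same commit so the two matrices stay consistent and neither CI path ends up pointing at a target that does not exist.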
This must be pause-image.
Fixed.
@@ -176,6 +177,12 @@ KERNEL_MODULES_DIR Path to a directory containing kernel modules to include in | |||
LIBC libc the agent is built against (gnu or musl). | |||
Default value: ${LIBC} (varies with architecture) | |||
|
|||
PAUSE_IMAGE_TARBALL Path to the kata-pause-image.tar.xz tarball to be unpacked inside the |
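Review bot: the tarball name given in the PAUSE_IMAGE_TARBALL help entry, kata-pause-image.tar.xz, does not match the artefact the build produces, kata-static-pause-image.tar.xz (the name visible in the tar listing later in this review), so a user following the help text would pass a path that never exists. The neighbouring LIBC entry also documents its default value; this entry should state its default (or that it is unset) in the same form.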
kata-pause-image.tar.xz -> kata-static-pause-image.tar.xz
Fixed.
ca-certificates \ | ||
curl \ | ||
umoci \ | ||
skopeo |
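Review bot: as the reviewer notes, the continuation lines for ca-certificates, curl, umoci and skopeo are not indented consistently with the package entries above them; align them with the existing list so the install command stays readable and a later change does not have to touch every line. Keeping ca-certificates in the list is correct: skopeo copy reaches the registry over TLS, and without a CA bundle in the builder image the pull fails certificate verification.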
Please indent those correctly.
Fixed.
echo "pull pause image from remote" | ||
|
||
skopeo copy "${pause_image_repo}":"${pause_image_version}" oci:pause:"${pause_image_version}" | ||
umoci unpack --image pause:"${pause_image_version}" "${DESTDIR}/pause_bundle" |
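Review bot: the skopeo copy line pulls the image by tag (${pause_image_repo}:${pause_image_version}), so what ends up in the rootfs depends on where that tag points at build time; since the whole reason for bundling the pause image is to stop a host-controlled image from being used in the confidential guest, pin the source by digest (repo@sha256:<digest>, with the digest recorded alongside externals.pause.version) so the tarball is reproducible and the measured rootfs corresponds to a known image. Two smaller points: skopeo requires a transport prefix on the source reference (for example docker://), so this only works if pause_image_repo already carries it; and umoci unpack writes umoci.json and a sha256_<digest>.mtree manifest into the bundle directory, both of which are umoci bookkeeping rather than OCI bundle content and should be removed before the bundle is tarred.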
When taking a look at the resulting tarball, I see:
⋊> kata-containers on guest-pull-rootfs ≡ tar tf build/kata-static-pause-image.tar.xz
./
./pause_bundle/
./pause_bundle/rootfs/
./pause_bundle/rootfs/pause
./pause_bundle/config.json
./pause_bundle/sha256_b42c514302e917881d20666a5990795df507ec14b2d79fdb1e41a619e66b77b6.mtree
./pause_bundle/umoci.json
I assume the /pause_bundle/umoci.json file comes from the umoci unpack command. Is it the case? If so, is it okay to remove the file?
Very good point, @fidencio. I have removed umoci.json in pause_bundle. Thank you!
351f567 to 124aaa7
lgtm, thanks @ChengyuZhu6!
One query here, but otherwise it looks good to me
@@ -847,6 +849,23 @@ install_coco_guest_components() { | |||
DESTDIR="${destdir}" "${coco_guest_components_builder}" | |||
} | |||
|
|||
install_pause_image() { | |||
latest_artefact="$(get_from_kata_deps "externals.pause.version")" |
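Review bot: latest_artefact is derived from externals.pause.version alone, so two builds that pull the same tag from different repositories, or the same tag after it has been re-pushed, produce the same artefact identifier and one can be served from cache in place of the other; include the repository, as suggested below, and preferably the image digest, so the identifier changes whenever the bytes it describes change.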
I wonder if we should include the container image name, just in case we ever change it in this? i.e.:
latest_artefact="$(get_from_kata_deps "externals.pause.repo")-$(get_from_kata_deps "externals.pause.version")"
?
Yeah, I agree. :-)
Thanks @stevenhorsman
Fixed.
124aaa7 to b10f5ba
/test
b10f5ba to 9699a00
/test
9699a00 to 548b62d
For the Confidential Containers stack, the pause image is managed by the host side, so it may configure a malicious pause image; we need to package a pause image inside the rootfs and not use the pause image from the host. But the installation of skopeo is not included in the 20.04 release, so we can not directly install skopeo in the rootfs and pull the pause image. So I plan to make this task a static build step, which would not be influenced by the system version in the rootfs. And the pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers use case. This commit enables the component to be built both locally and in our CI environment with the command: make pause-image-tarball.
Fixes: kata-containers#9032
Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
Enable building the pause image static tarball for Confidential Containers cases in the CI environment.
Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
df155e1 to 931641c
This env var will let us pass the pause image tarball to the rootfs builder, which will then just unpack the content into the rootfs.
Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Co-authored-by: Wang, Arron <arron.wang@intel.com>
Co-authored-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
/test
Install the pause image into the confidential rootfs image and initrd.
Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
931641c to a43edd0
/test
@fidencio @stevenhorsman I don’t think the failures are caused by the PR, but I’m not sure what the reason is. Do you have any suggestions? 😥
Unfortunately my first attempt is normally to re-run the failed tests, so I'll try that now and see if things improve. Leave it to us and don't worry about it yourself for now.
For the Confidential Containers stack, the pause image is managed by the host side, so it may configure a malicious pause image; we need to package a pause image inside the rootfs and not use the pause image from the host. So the pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers use case.
Fixes: #9032
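The pull-and-unpack step that the commit message and the PR description motivate, written out as an added example; this is not kata-containers code and not the script under review. It applies the two points raised in the discussion: the pause image is pinned by digest instead of a tag, so a moved tag cannot change what lands in the confidential rootfs, and the bookkeeping files that umoci unpack leaves in the bundle (umoci.json and the sha256_*.mtree manifest) are stripped and then checked for before the bundle is tarred. PAUSE_IMAGE_REPO, PAUSE_IMAGE_DIGEST and DESTDIR are assumed variable names, and the repository and digest values are placeholders, not the project's real settings.

```shell
#!/bin/sh
# Added example for this PR discussion; not kata-containers code.
# Hardened pull-and-unpack of the pause image: pinned by digest, with
# umoci's bookkeeping files removed before the bundle is tarred.
# PAUSE_IMAGE_REPO / PAUSE_IMAGE_DIGEST / DESTDIR are assumed names and the
# default values below are placeholders.
set -eu

# Accept only a full sha256 image digest ("sha256:" followed by 64 hex digits).
valid_sha256_digest() {
    printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Compose the skopeo source reference docker://<repo>@<digest>.
# Pulling by digest ties the build to known image bytes, not to a tag that
# the registry owner (or anyone with push rights) can move later.
pause_image_source() {
    repo="$1"; digest="$2"
    if ! valid_sha256_digest "$digest"; then
        echo "refusing to pull ${repo}: '${digest}' is not a sha256 digest" >&2
        return 1
    fi
    printf 'docker://%s@%s\n' "$repo" "$digest"
}

# Remove the files umoci writes for its own use; they are not part of the
# OCI runtime bundle and have no business in the guest rootfs.
strip_umoci_metadata() {
    bundle="$1"
    rm -f "$bundle/umoci.json"
    for f in "$bundle"/sha256_*.mtree; do
        if [ -e "$f" ]; then rm -f "$f"; fi
    done
}

# Check a bundle before it is tarred: the runtime config and the pause
# binary must exist, and no umoci bookkeeping may be left behind.
check_pause_bundle() {
    bundle="$1"
    [ -f "$bundle/config.json" ]  || { echo "missing config.json" >&2; return 1; }
    [ -x "$bundle/rootfs/pause" ] || { echo "missing rootfs/pause" >&2; return 1; }
    [ ! -e "$bundle/umoci.json" ] || { echo "umoci.json left in bundle" >&2; return 1; }
    for f in "$bundle"/sha256_*.mtree; do
        if [ -e "$f" ]; then echo "mtree manifest left in bundle" >&2; return 1; fi
    done
    return 0
}

# Network-facing step: needs skopeo and umoci on PATH, so it only runs when
# the script is invoked as "build".
pull_and_unpack_pause_image() {
    repo="$1"; digest="$2"; destdir="$3"
    src="$(pause_image_source "$repo" "$digest")"
    skopeo copy "$src" "oci:pause:pinned"
    umoci unpack --image pause:pinned "${destdir}/pause_bundle"
    strip_umoci_metadata "${destdir}/pause_bundle"
    check_pause_bundle "${destdir}/pause_bundle"
}

if [ "${1:-}" = "build" ]; then
    # Placeholder repository and digest; take the real ones from the kata deps file.
    pull_and_unpack_pause_image \
        "${PAUSE_IMAGE_REPO:-example.test/pause}" \
        "${PAUSE_IMAGE_DIGEST:-sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef}" \
        "${DESTDIR:-./out}"
fi
```

Run it as sh pause-image.sh build with the three variables set; check_pause_bundle is the part worth wiring into CI on its own, run over the unpacked bundle right before tar, since it catches exactly the stray umoci.json that was only noticed here by listing the finished tarball by hand.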