packaging/osbuilder: allow to pull and unpack pause image #9031
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
9572c2e
to
3fbe68c
Compare
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
3fbe68c
to
65d65d2
Compare
fidencio
reviewed
Feb 6, 2024
| @@ -44,6 +44,7 @@ jobs: | |||
| - nydus | |||
| - ovmf | |||
| - ovmf-sev | |||
| - pause | |||
| @@ -30,6 +30,7 @@ jobs: | |||
| - agent | |||
| - coco-guest-components | |||
| - kernel | |||
| - pause | |||
| @@ -176,6 +177,12 @@ KERNEL_MODULES_DIR Path to a directory containing kernel modules to include in | |||
| LIBC libc the agent is built against (gnu or musl). | |||
| Default value: ${LIBC} (varies with architecture) | |||
|
|
|||
| PAUSE_IMAGE_TARBALL Path to the kata-pause-image.tar.xz tarball to be unpacked inside the | |||
There was a problem hiding this comment.
kata-pause-image.tar.xz -> kata-static-pause-image.tar.xz
Comment on lines
+11
to
+14
| ca-certificates \ | ||
| curl \ | ||
| umoci \ | ||
| skopeo |
| echo "pull pause image from remote" | ||
|
|
||
| skopeo copy "${pause_image_repo}":"${pause_image_version}" oci:pause:"${pause_image_version}" | ||
| umoci unpack --image pause:"${pause_image_version}" "${DESTDIR}/pause_bundle" |
There was a problem hiding this comment.
When taking a look at the resulting tarball, I see:
⋊> kata-containers on guest-pull-rootfs ≡ tar tf build/kata-static-pause-image.tar.xz
./
./pause_bundle/
./pause_bundle/rootfs/
./pause_bundle/rootfs/pause
./pause_bundle/config.json
./pause_bundle/sha256_b42c514302e917881d20666a5990795df507ec14b2d79fdb1e41a619e66b77b6.mtree
./pause_bundle/umoci.jsonI assume the /pause_bundle/umoci.json file comes from the umoci unpack command. Is it the case? If so, is it okay to remove the file?
There was a problem hiding this comment.
Very good point, @fidencio. I have removed umoci.json in pause_bundle. Thank you!
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
3 times, most recently
from
351f567
to
124aaa7
Compare
stevenhorsman
approved these changes
Feb 7, 2024
| @@ -847,6 +849,23 @@ install_coco_guest_components() { | |||
| DESTDIR="${destdir}" "${coco_guest_components_builder}" | |||
| } | |||
|
|
|||
| install_pause_image() { | |||
| latest_artefact="$(get_from_kata_deps "externals.pause.version")" | |||
There was a problem hiding this comment.
I wonder if we should include the container image name, just in case we ever change it in this? ie:
latest_artefact="$(get_from_kata_deps "externals.pause.repo")-$(get_from_kata_deps "externals.pause.version")"
?
There was a problem hiding this comment.
Yeah, I agree. :-)
Thanks @stevenhorsman
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
124aaa7
to
b10f5ba
Compare
|
/test |
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
b10f5ba
to
9699a00
Compare
|
/test |
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
9699a00
to
548b62d
Compare
For Confidential containers stack, the pause image is managed by host side, then it may configure a malicious pause image, we need package a pause image inside the rootfs and don't the pause image from host. But the installation of skopeo is not included in 20.04 release, so we can not directly install skopeo in rootfs and pull pause image. So I plan to let the task as a static build stuff, which would not be influenced by the system version in rootfs. And the pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers usecase. This commit enables the component to be built both locally and in our CI environment with the command: make pause-image-tarball. Fixes: kata-containers#9032 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com> Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Co-authored-by: Wang, Arron <arron.wang@intel.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
Enable to build pause image static tarball for confidential containers casesi in ci environment. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
3 times, most recently
from
df155e1
to
931641c
Compare
This env ver will serve us to pass the pause image tarball to the rootfs builder, which will then just unpack the content into the rootfs. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com> Co-authored-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Co-authored-by: Wang, Arron <arron.wang@intel.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com>
|
/test |
Install the pause image into the confidential rootfs image and initrd. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6
force-pushed
the
guest-pull-rootfs
branch
from
931641c
to
a43edd0
Compare
|
/test |
|
@fidencio @stevenhorsman I don’t think the failures are caused by the PR, but I’m not sure what the reason is. Do you have any suggestions? 😥 |
Unfortunately my first attempt is normally to re-run the failed tests, so I'll try that now and see if things improve. Leave it to us and don't worry about it yourself for now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For Confidential containers stack, the pause image is managed by host side, then it may configure a malicious pause image, we need package a pause image inside the rootfs and don't the pause image from host. So the pause image will be part of the Kata Containers rootfs that's used by the Confidential Containers usecase.
Fixes: #9032