rootfs: Make OPA build working in docker for s390x and pp… #9489

Merged
merged 1 commit into from
Apr 17, 2024

Member

@BbolroC BbolroC commented Apr 16, 2024

The PR is to make the OPA build from source working in a docker builder ubuntu-rootfs-osbuilder.
To achieve the goal, the configuration is changed as follows:

  • Switch the make target to ci-build-linux-static not triggering docker-in-docker build
  • Install go in the builder image for s390x and ppc64le

Fixes: #9466

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

@BbolroC BbolroC changed the title rootfs: Make OPA build from source working in docker for s390x and pp… rootfs: Make OPA build working in docker for s390x and pp… Apr 16, 2024
@katacontainersbot katacontainersbot added the size/small Small and simple task label Apr 16, 2024
@BbolroC BbolroC requested a review from Amulyam24 April 16, 2024 10:06
@BbolroC BbolroC requested a review from wainersm April 16, 2024 12:44
Member

@stevenhorsman stevenhorsman left a comment

The code looks okay, but my brain can't fully validate that Dockerfile templating line, so I've added the ok-to-test and will check the agent-opa job for s390x and ppc64le before I approve :)

@stevenhorsman
Member

stevenhorsman commented Apr 16, 2024

@BbolroC

The changes are failing for the amd64 confidential rootfs image:

#6 ERROR: process "/bin/bash -o pipefail -c apt-get update &&     DEBIAN_FRONTEND=noninteractive     apt-get --no-install-recommends -y install     ca-certificates     curl     g++     $(gcc_arch=\"x86_64\" && [ \"$(uname -m)\" != \"$gcc_arch\" ] && (          libc_arch=\"$gcc_arch\" &&          [ \"$gcc_arch\" = aarch64 ] && libc_arch=arm64;          [ \"$gcc_arch\" = ppc64le ] && gcc_arch=powerpc64le && libc_arch=ppc64el;          [ \"$gcc_arch\" = s390x ] && gcc_arch=s390x && libc_arch=s390x;          [ \"$gcc_arch\" = x86_64 ] && gcc_arch=x86-64 && libc_arch=amd64;          echo \"gcc-$gcc_arch-linux-gnu libc6-dev-$libc_arch-cross\"))     git     gnupg2     make     makedev     multistrap     musl-tools     protobuf-compiler     xz-utils &&     ( go_version=\"@GOVERSION@\" && [ \"${go_version}\" = \"\" ] || (     echo \"Installing go \" && curl -sSL \"https://golang.org/dl/go.linux-x86_64.tar.gz\" | tar -xz -C /usr/local ))" did not complete successfully: exit code: 2
------
 > [3/6] RUN apt-get update &&     DEBIAN_FRONTEND=noninteractive     apt-get --no-install-recommends -y install     ca-certificates     curl     g++     $(gcc_arch="x86_64" && [ "$(uname -m)" != "$gcc_arch" ] && (          libc_arch="$gcc_arch" &&          [ "$gcc_arch" = aarch64 ] && libc_arch=arm64;          [ "$gcc_arch" = ppc64le ] && gcc_arch=powerpc64le && libc_arch=ppc64el;          [ "$gcc_arch" = s390x ] && gcc_arch=s390x && libc_arch=s390x;          [ "$gcc_arch" = x86_64 ] && gcc_arch=x86-64 && libc_arch=amd64;          echo "gcc-$gcc_arch-linux-gnu libc6-dev-$libc_arch-cross"))     git     gnupg2     make     makedev     multistrap     musl-tools     protobuf-compiler     xz-utils &&     ( go_version="@GOVERSION@" && [ "${go_version}" = "" ] || (     echo "Installing go " && curl -sSL "https://golang.org/dl/go.linux-x86_64.tar.gz" | tar -xz -C /usr/local )):
17.29 Processing triggers for ca-certificates (20230311ubuntu0.20.04.1) ...
17.30 Updating certificates in /etc/ssl/certs...
17.76 0 added, 0 removed; done.
17.76 Running hooks in /etc/ca-certificates/update.d...
17.76 done.
17.80 Installing go 
17.96 
17.96 gzip: stdin: not in gzip format
17.96 tar: Child returned status 1
17.96 tar: Error is not recoverable: exiting now
------
Dockerfile:13
--------------------
  12 |     # hadolint ignore=DL3009,SC2046
  13 | >>> RUN apt-get update && \
  14 | >>>     DEBIAN_FRONTEND=noninteractive \
  15 | >>>     apt-get --no-install-recommends -y install \
  16 | >>>     ca-certificates \
  17 | >>>     curl \
  18 | >>>     g++ \
  19 | >>>     $(gcc_arch="x86_64" && [ "$(uname -m)" != "$gcc_arch" ] && ( \
  20 | >>>          libc_arch="$gcc_arch" && \
  21 | >>>          [ "$gcc_arch" = aarch64 ] && libc_arch=arm64; \
  22 | >>>          [ "$gcc_arch" = ppc64le ] && gcc_arch=powerpc64le && libc_arch=ppc64el; \
  23 | >>>          [ "$gcc_arch" = s390x ] && gcc_arch=s390x && libc_arch=s390x; \
  24 | >>>          [ "$gcc_arch" = x86_64 ] && gcc_arch=x86-64 && libc_arch=amd64; \
  25 | >>>          echo "gcc-$gcc_arch-linux-gnu libc6-dev-$libc_arch-cross")) \
  26 | >>>     git \
  27 | >>>     gnupg2 \
  28 | >>>     make \
  29 | >>>     makedev \
  30 | >>>     multistrap \
  31 | >>>     musl-tools \
  32 | >>>     protobuf-compiler \
  33 | >>>     xz-utils && \
  34 | >>>     ( go_version="@GOVERSION@" && [ "${go_version}" = "" ] || ( \
  35 | >>>     echo "Installing go " && curl -sSL "https://golang.org/dl/go.linux-x86_64.tar.gz" | tar -xz -C /usr/local ))
  36 |     # aarch64 requires this name -- link for all

The commit is to make the OPA build from source working in `ubuntu-rootfs-osbuilder`.
To achieve the goal, the configuration is changed as follows:

- Switch the make target to `ci-build-linux-static` not triggering docker-in-docker build
- Install go in the builder image for s390x and ppc64le

Fixes: kata-containers#9466

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC
Member Author

BbolroC commented Apr 16, 2024

> The changes are failing for the amd64 confidential rootfs image:

Ah, I missed an underscore between GO and VERSION. Thanks!
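
The failing build log above shows the literal `@GOVERSION@` reaching the shell, which is what a misspelled template placeholder looks like after rendering. As an added example (not code from this PR or from kata-containers), the check below rejects rendered text that still contains `@NAME@` tokens; `render`, the two sample templates and the sed-based substitution of `@GO_VERSION@` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: catch @NAME@ tokens that survive template rendering.
# render(), the sample templates and the sed-based substitution are
# assumptions made for illustration, not the project's build code.

# Constructed template with the placeholder typo (GOVERSION, no underscore).
template_typo='( go_version="@GOVERSION@" && [ "${go_version}" = "" ] || (
  curl -sSL "https://golang.org/dl/go@GO_VERSION@.linux-x86_64.tar.gz" | tar -xz -C /usr/local ))'

# Same template with the placeholder spelled the way the renderer expects.
template_fixed='( go_version="@GO_VERSION@" && [ "${go_version}" = "" ] || (
  curl -sSL "https://golang.org/dl/go@GO_VERSION@.linux-x86_64.tar.gz" | tar -xz -C /usr/local ))'

# render TEMPLATE VERSION: substitute only the token the renderer knows about.
render() {
    printf '%s\n' "$1" | sed -e "s|@GO_VERSION@|$2|g"
}

# Read rendered text on stdin, print each leftover @NAME@ token once.
leftover_placeholders() {
    { grep -oE '@[A-Z][A-Z0-9_]*@' || true; } | sort -u
}

# check_rendered TEXT: return 0 when clean, 1 when a token was left behind.
check_rendered() {
    leftovers="$(printf '%s\n' "$1" | leftover_placeholders)"
    if [ -n "${leftovers}" ]; then
        echo "unsubstituted placeholders: ${leftovers}" >&2
        return 1
    fi
    return 0
}

# With an empty version (as in the failing log) the fixed template skips the
# download, while the typo leaves a non-empty literal that triggers it.
check_rendered "$(render "${template_typo}" "")" || echo "typo template rejected before docker build"
check_rendered "$(render "${template_fixed}" "")" && echo "fixed template is clean"
```

Run against the rendered Dockerfile before `docker build`, a check like this turns the misleading `gzip: stdin: not in gzip format` failure into an error that names the offending token.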

@stevenhorsman
Member

/test

Member

@stevenhorsman stevenhorsman left a comment

The agent-opa and confidential images jobs are passing now, so looks good to me. Thanks

@BbolroC
Member Author

BbolroC commented Apr 16, 2024

For reviewers: rootfs-image-confidential and rootfs-initrd-confidential were successfully built on an s390x runner at https://github.com/BbolroC/kata-containers/actions/runs/8708635945

@@ -384,6 +389,11 @@ install_initrd() {
if [ "${variant}" == "confidential" ]; then
export COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
export PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
# GO_VERSION should be exported to install the package in ubuntu-rootfs-osbuilder
# This is necessary for installing opa from the source for s390x and ppc64le
if [ "${AGENT_POLICY}" == "yes" ] && [ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]; then
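Review bot: The architecture test on the last line, `[ "${ARCH}" == "s390x" -o "${ARCH}" == "ppc64le" ]`, relies on `-o` inside a single `[ ]`, which POSIX marks as obsolescent and ShellCheck reports as SC2166 because its parsing is not well defined. Splitting it into grouped tests, `{ [ "${ARCH}" == "s390x" ] || [ "${ARCH}" == "ppc64le" ]; }`, keeps the same logic. The two comment lines could also state that this applies only to the confidential variant, since the check sits inside the `"${variant}" == "confidential"` branch.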
Contributor

@wainersm wainersm Apr 16, 2024

Hi @BbolroC ! I've some doubts that I won't be able to study more today. However, one thing that I can ask now before going offline:

Is this if block in the path of s390x builds? I figured that variant==confidential when you build the rootfs-image-confidential asset. The .github/workflows/build-kata-static-tarball-s390x.yaml workflow seems to build both rootfs-image and rootfs-initrd only.

Member Author

Yes, you are right. The mentioned code block is not reached by the current workflow. The PR is tested (see https://github.com/BbolroC/kata-containers/actions/runs/8711566342/job/23908856311) and raised based on an assumption that a follow-up PR #9494 uses the change of this PR (it includes building 3 new confidential artifacts). Thanks!

Contributor

Cool! thanks for the info!

Contributor

@Amulyam24 Amulyam24 left a comment

LGTM, Thanks @BbolroC!

@BbolroC BbolroC added do-not-merge PR has problems or depends on another and removed ok-to-test labels Apr 17, 2024
@BbolroC
Member Author

BbolroC commented Apr 17, 2024

Please do not merge this until the review from @wainersm is finished. Thanks!

Contributor

@wainersm wainersm left a comment

Hi @BbolroC ! Sorry for holding this for too long. LGTM!

@wainersm wainersm added ok-to-test and removed do-not-merge PR has problems or depends on another labels Apr 17, 2024
@BbolroC BbolroC merged commit cc22dc3 into kata-containers:main Apr 17, 2024
966 of 1058 checks passed
@BbolroC BbolroC deleted the install-opa-in-docker branch April 17, 2024 22:26
Labels
ok-to-test size/small Small and simple task
Successfully merging this pull request may close these issues.

Failed to build OPA from source in docker
5 participants