microsoft · jslobodzian · Feb 2, 2024 · Jan 17, 2024 · Jan 17, 2024 · Jan 17, 2024
@@ -65,6 +65,7 @@
 /SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime
 /SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers
 /SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers
+/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
 
 /SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization
 /SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-clean-stage-check:
     name: Spec %clean stage check

@@ -12,6 +12,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   check:
     name: Spec Entanglement Mismatch Check

@@ -16,6 +16,8 @@ on:
     paths:
       - 'SPECS/kernel*/config*'
 
+permissions: read-all
+
 jobs:
   check:
     name: Kernel configs check
@@ -25,7 +27,7 @@ jobs:
       # Checkout the branch of our repo that triggered this action
       - name: Workflow trigger checkout
         uses: actions/checkout@v4
-        
+
       - name: Get base commit for PRs
         if: ${{ github.event_name == 'pull_request' }}
         run: |

@@ -11,6 +11,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   check:
     name: Spec License Map Check

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [2.0, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Livepatches check
@@ -51,7 +53,7 @@ jobs:
           #################### CHECK FAILURE ####################
           Livepatch specs need to be updated!
           Run the following command to perform the update:
-          
+
               toolkit/scripts/livepatching/update_livepatches.sh
 
           #################### CHECK FAILURE ####################

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   build:
     name: Check Manifests

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
 
   build:

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Spec files check

@@ -10,6 +10,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-check:
     name: Static glibc version check

@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 env:
   EXPECTED_GO_VERSION: "1.20"
 

@@ -13,6 +13,8 @@ on:
       - '**.spec'
     branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
 
+permissions: read-all
+
 jobs:
   spec-lint:
     name: Spec Linting

@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "0 15 * * *"
 
+permissions: read-all
+
 jobs:
   get_input-srpms:
     runs-on: ubuntu-latest

@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "0 15 * * *"
 
+permissions: read-all
+
 jobs:
   get_input-srpms:
     runs-on: ubuntu-latest

@@ -0,0 +1,19 @@
+ARG RPMS_TO_INSTALL \
+\
+RUN --mount=type=bind,source=./Stage/,target=/dockerStage/ \\\
+    RPMS_PATH="/dockerStage/RPMS"; \\\
+    LOCAL_REPO_PATH="/localrepo"; \\\
+    mkdir -p $LOCAL_REPO_PATH; \\\
+    tdnf install -y createrepo; \\\
+    cp -r ${RPMS_PATH} ${LOCAL_REPO_PATH}; \\\
+    cat /dockerStage/marinerLocalRepo.repo >> /etc/yum.repos.d/local.repo; \\\
+    createrepo --database ${LOCAL_REPO_PATH} --workers 10; tdnf makecache \&\& tdnf makecache; \\\
+    tdnf autoremove -y createrepo; \\\
+    for rpm in "${RPMS_TO_INSTALL[@]}"; do \\\
+       echo "RPM: $rpm"; \\\
+       tdnf install -y $rpm; \\\
+    done; \\\
+    tdnf clean all; \\\
+    rm -f /etc/yum.repos.d/local.repo; \\\
+    rm -rf /var/cache/tdnf; \\\
+    rm -rf ${LOCAL_REPO_PATH};
@@ -0,0 +1,14 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# basic smoke test
+RUN az version
+
+# set default command for the container
+CMD ["bash"]
@@ -0,0 +1 @@
+azure-cli
@@ -0,0 +1,32 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE AS BASE
+
+ARG MARINER_VERSION=2.0
+ARG USERNAME=nonroot
+ARG USER_UID=65532
+ARG USER_GID=$USER_UID
+ARG SET_USER=$USERNAME
+
+RUN mkdir -p /staging/etc \
+    && tdnf install -y --releasever=$MARINER_VERSION shadow-utils \
+    && groupadd --gid $USER_GID $USERNAME \
+    && useradd --gid $USER_GID -g $USERNAME $USERNAME -u $USER_UID \
+    && tdnf clean all \
+    # Copy user/group info to staging
+    && cp /etc/passwd /staging/etc/passwd \
+    && cp /etc/group /staging/etc/group
+
+FROM $BASE_IMAGE AS FINAL
+
+ARG USER_UID=65532
+ARG SET_USER=$USER_UID
+
+COPY --from=BASE /staging/ /
+
+USER $SET_USER
+
+CMD [ "bash" ]
@@ -0,0 +1,12 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG EULA=@EULA_FILE@
+
+COPY $EULA .
+
+CMD [ "bash" ]
@@ -0,0 +1,41 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE AS BASE
+
+ARG MARINER_VERSION=2.0
+
+# Install busybox, glibc, and their dependencies into a staging location.
+# Staging directory is copied into the final scratch image.
+RUN mkdir /staging \
+    && tdnf install -y --releasever=$MARINER_VERSION --installroot /staging \
+    busybox glibc \
+    && tdnf clean all \
+    && pushd /staging \
+    && rm -rf boot media mnt opt run \
+    && rm -rf usr/lib/sysimage \
+    && rm -rf var/cache \
+    && rm -rf var/lib/rpm; \
+	ln -vL /staging/usr/sbin/busybox /staging/bin/; \
+	chroot /staging /bin/busybox --install -s /bin
+
+# Smoke Tests
+# Test and make sure it works
+RUN chroot /staging /usr/bin/env sh -xec 'true'
+
+# Ensure correct timezone (UTC)
+RUN [ "$(chroot /staging date +%Z)" = 'UTC' ]
+
+# Test and make sure DNS works too
+RUN cp -L /etc/resolv.conf /staging/etc/; \
+	chroot /staging /bin/sh -xec 'nslookup microsoft.com'; \
+	rm /staging/etc/resolv.conf
+
+FROM scratch
+
+# Copy dependencies into the scratch image.
+COPY --from=BASE /staging/ .
+
+CMD [ "sh" ]
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-apiserver ] && mv -f /usr/bin/virt-cdi-apiserver /usr/bin/cdi-apiserver
+
+#simple smoke test
+RUN ls /usr/bin/cdi-apiserver
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-apiserver", "-alsologtostderr" ]
@@ -0,0 +1,20 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+#simple smoke test
+RUN ls /usr/bin/cdi-cloner
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cloner_startup.sh" ]
@@ -0,0 +1,23 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-controller ] && mv -f /usr/bin/virt-cdi-controller /usr/bin/cdi-controller
+
+#simple smoke test
+RUN ls /usr/bin/cdi-controller
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-controller", "-alsologtostderr" ]
@@ -0,0 +1,29 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# Workaround till proper binaries are built as part of the cdi rpm & renames are removed
+# https://github.com/microsoft/CBL-Mariner/pull/5708/files#
+COPY cdi-containerimage-server /usr/bin/cdi-containerimage-server
+COPY cdi-image-size-detection /usr/bin/cdi-image-size-detection
+COPY cdi-source-update-poller /usr/bin/cdi-source-update-poller
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-importer ] && mv -f /usr/bin/virt-cdi-importer /usr/bin/cdi-importer
+
+#simple smoke test
+RUN ls /usr/bin/cdi-importer
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-importer", "-alsologtostderr" ]
@@ -0,0 +1,27 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+ARG BASE_IMAGE
+
+FROM $BASE_IMAGE
+
+ARG BINARY_NAME
+ARG USER
+
+@INCLUDE_MAIN_RUN_INSTRUCTION@
+
+# Workaround till proper binaries are built as part of the cdi rpm & renames are removed
+# https://github.com/microsoft/CBL-Mariner/pull/5708/files#
+COPY csv-generator /usr/bin/csv-generator
+
+# workaround till binaries rename is merged
+RUN [ -f /usr/bin/virt-cdi-operator ] && mv -f /usr/bin/virt-cdi-operator /usr/bin/cdi-operator
+
+#simple smoke test
+RUN ls /usr/bin/cdi-operator
+
+# If the user specified for this image is not root (0), create a new user in the root (0) group
+RUN if [[ $USER != 0 ]]; then adduser -u $USER --gid 0 --create-home -s /bin/bash $BINARY_NAME ; fi
+USER $USER
+
+ENTRYPOINT [ "/usr/bin/cdi-operator" ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,8 @@ on: @@
       pull_request:
         branches: [main, dev, 1.0*, 2.0*, fasttrack/*]
+    permissions: read-all
     jobs:
       build:
@@ Expand Down @@