From 36e52c6c67cfc3504a49fedd6a9888ca701c2991 Mon Sep 17 00:00:00 2001 From: Seunguk Shin Date: Fri, 20 Dec 2024 14:10:48 +0000 Subject: [PATCH] ci: Push AS, RVPS, KBS and KBS Client for arm64 Support cross-compiled build for as, rvps, kbs and kbs client on arm64 architecture Signed-off-by: Seunguk Shin Reviewed-by: Nick Connolly --- .github/workflows/build-as-image.yml | 28 ++++++++++----- .github/workflows/build-kbs-image.yml | 34 ++++++++++++++----- .github/workflows/push-as-image-to-ghcr.yml | 2 ++ .github/workflows/push-kbs-client-to-ghcr.yml | 27 ++++++++------- .github/workflows/push-kbs-image-to-ghcr.yml | 4 ++- kbs/Cargo.toml | 7 +++- kbs/Makefile | 2 +- kbs/docker/kbs-client/Dockerfile | 15 ++++++++ 8 files changed, 86 insertions(+), 33 deletions(-) create mode 100644 kbs/docker/kbs-client/Dockerfile diff --git a/.github/workflows/build-as-image.yml b/.github/workflows/build-as-image.yml index 948527e41..97d97f04b 100644 --- a/.github/workflows/build-as-image.yml +++ b/.github/workflows/build-as-image.yml @@ -13,9 +13,10 @@ jobs: strategy: fail-fast: false matrix: - instance: - - ubuntu-latest + target_arch: + - x86_64 - s390x + - aarch64 name: - RESTful CoCo-AS - gRPC CoCo-AS @@ -31,11 +32,19 @@ jobs: - name: RVPS docker_file: rvps/docker/Dockerfile tag: rvps - # add verifier flag to arch - - instance: ubuntu-latest + # add instance and verifier flag to target + - target_arch: x86_64 + target_platform: linux/amd64 + instance: ubuntu-latest verifier: all-verifier - - instance: s390x + - target_arch: s390x + target_platform: linux/s390x + instance: s390x verifier: se-verifier + - target_arch: aarch64 + target_platform: linux/arm64 + instance: ubuntu-latest + verifier: cca-verifier runs-on: ${{ matrix.instance }} steps: 
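Review bot: The new `target_arch: aarch64` include pairs `target_platform: linux/arm64` with `instance: ubuntu-latest`, an x86_64 runner, so unless the Dockerfiles pin their build stage with `FROM --platform=$BUILDPLATFORM` the entire build, including the Rust compile behind `cca-verifier`, runs under QEMU emulation, which is not the cross-compilation the subject line describes. The steps list is outside this hunk, so I cannot see whether binfmt handlers are registered before the build step. Recording the runner choice on the include stops it being read as a mistake later: `# arm64 is built on an x86_64 runner under emulation (needs QEMU binfmt); no native arm64 runner yet`. The same pairing appears in the build-kbs-image.yml matrix and in the `runs-on` expression of push-kbs-client-to-ghcr.yml.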
@@ -55,8 +64,9 @@ jobs: - name: Build ${{ matrix.name }} Container Image run: | commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} --build-arg ARCH="${arch}" \ + docker buildx build --platform "${{ matrix.target_platform }}" \ + -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + --build-arg ARCH="${{ matrix.target_arch }}" \ --build-arg VERIFIER="${{ matrix.verifier }}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" . + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" . diff --git a/.github/workflows/build-kbs-image.yml b/.github/workflows/build-kbs-image.yml index 5727e8262..562f4b3ee 100644 --- a/.github/workflows/build-kbs-image.yml +++ b/.github/workflows/build-kbs-image.yml @@ -13,20 +13,26 @@ jobs: strategy: fail-fast: false matrix: - instance: - - ubuntu-latest + target_arch: + - x86_64 - s390x + - aarch64 tag: - kbs - kbs-grpc-as - kbs-ita-as - rhel-ubi exclude: - - instance: s390x + - target_arch: s390x tag: kbs-ita-as - - instance: s390x + - target_arch: s390x + tag: rhel-ubi + - target_arch: aarch64 + tag: kbs-ita-as + - target_arch: aarch64 tag: rhel-ubi include: + # add docker_file + name to each tag - tag: kbs docker_file: kbs/docker/Dockerfile name: build-in AS @@ -39,6 +45,16 @@ jobs: - tag: rhel-ubi docker_file: kbs/docker/rhel-ubi/Dockerfile name: RHEL UBI AS + # add instance flag to target + - target_arch: x86_64 + target_platform: linux/amd64 + instance: ubuntu-latest + - target_arch: s390x + target_platform: linux/s390x + instance: s390x + - target_arch: aarch64 + target_platform: linux/arm64 + instance: ubuntu-latest runs-on: ${{ matrix.instance }} 
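Review bot: The rewritten build command calls `docker buildx build` with neither `--load` nor `--push`, so if the job's builder is a docker-container instance (what `docker/setup-buildx-action` creates by default) the two `-t` tags never reach the local image store and a later `docker push` of `…:${commit_sha}-${{ matrix.target_arch }}` fails with an unknown tag; with the default `docker` driver the image is loaded implicitly. The step list is outside this hunk, so I cannot tell which driver is in use; adding `--load` on the `--platform "${{ matrix.target_platform }}" \` line makes the intent explicit either way. The same applies to the build step of build-kbs-image.yml in the `@@ -59,8 +75,8 @@` hunk.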
@@ -59,8 +75,8 @@ jobs: - name: Build Container Image KBS (${{ matrix.name }}) run: | commit_sha=${{ github.sha }} - arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \ - -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \ - --build-arg ARCH="${arch}" . + docker buildx build --platform "${{ matrix.target_platform }}" \ + -f "${{ matrix.docker_file }}" ${{ inputs.build_option }} \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${{ matrix.target_arch }}" \ + -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${{ matrix.target_arch }}" \ + --build-arg ARCH="${{ matrix.target_arch }}" . diff --git a/.github/workflows/push-as-image-to-ghcr.yml b/.github/workflows/push-as-image-to-ghcr.yml index 3a5f4e780..44a94ad8f 100644 --- a/.github/workflows/push-as-image-to-ghcr.yml +++ b/.github/workflows/push-as-image-to-ghcr.yml 
@@ -49,9 +49,11 @@ jobs: commit_sha=${{ github.sha }} docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}" docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest" diff --git a/.github/workflows/push-kbs-client-to-ghcr.yml b/.github/workflows/push-kbs-client-to-ghcr.yml index 22d5c28d1..76355c595 100644 --- a/.github/workflows/push-kbs-client-to-ghcr.yml +++ b/.github/workflows/push-kbs-client-to-ghcr.yml @@ -13,9 +13,15 @@ jobs: arch: - x86_64 - s390x - env: - RUSTC_VERSION: 1.76.0 - runs-on: ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 's390x' }} + - aarch64 + include: + - arch: x86_64 + platform: linux/amd64 + - arch: s390x + platform: linux/s390x + - arch: aarch64 + platform: linux/arm64 + runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }} permissions: contents: read packages: write 
@@ -24,11 +30,8 @@ jobs: - name: Check out code uses: actions/checkout@v4 - - name: Install Rust toolchain (${{ env.RUSTC_VERSION }}) - uses: actions-rust-lang/setup-rust-toolchain@v1 - with: - toolchain: ${{ env.RUSTC_VERSION }} - components: rustfmt, clippy + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Log in to ghcr.io uses: docker/login-action@v3 @@ -38,17 +41,17 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build a statically linked kbs-client for ${{ matrix.arch }} linux - working-directory: kbs run: | - make cli-static-linux + docker buildx build --platform "${{ matrix.platform }}" \ + -f kbs/docker/kbs-client/Dockerfile \ + --build-arg ARCH="${{ matrix.arch }}" --output ./ . - name: Push to ghcr.io - working-directory: target/${{ matrix.arch }}-unknown-linux-gnu/release run: | commit_sha=${{ github.sha }} oras push \ ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${{ matrix.arch }}-linux-gnu-${commit_sha},latest-${{ matrix.arch }} \ kbs-client - if [ "$(uname -m)" = "x86_64" ]; then + if [ "${{ matrix.arch }}" = "x86_64" ]; then oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client fi diff --git a/.github/workflows/push-kbs-image-to-ghcr.yml b/.github/workflows/push-kbs-image-to-ghcr.yml index 47bb6882b..7360204bc 100644 --- a/.github/workflows/push-kbs-image-to-ghcr.yml +++ b/.github/workflows/push-kbs-image-to-ghcr.yml 
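Review bot: The Buildx setup step is added without a matching `docker/setup-qemu-action` step, while the `aarch64` matrix entry from the previous hunk runs on `ubuntu-22.04`; a `--platform linux/arm64` build there executes the builder stage's `RUN` lines through binfmt_misc emulation and fails with an exec-format error on a runner where the handlers are not registered (I cannot confirm the runner image's defaults from here). If emulation is the intended path, add `- name: Set up QEMU` / `uses: docker/setup-qemu-action@v3` ahead of the Buildx step. The remaining steps of this job continue outside the hunk.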
@@ -39,9 +39,11 @@ jobs: commit_sha=${{ github.sha }} docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x" docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}" docker manifest create "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64" \ + --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-aarch64" \ --amend "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x" - docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" \ No newline at end of file + docker manifest push "ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest" diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml index a25994d11..3209f89d1 100644 --- a/kbs/Cargo.toml +++ b/kbs/Cargo.toml @@ -72,7 +72,7 @@ openssl = "0.10.55" az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true } derivative = "2.2.0" -[target.'cfg(not(target_arch = "s390x"))'.dependencies] +[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies] attestation-service = { path = "../attestation-service", default-features = false, features = [ "all-verifier", ], optional = true } 
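Review bot: The widened `cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))` guard in kbs/Cargo.toml ties the set of verifiers compiled into the KBS to the CPU it is built for, so an arm64 KBS (limited to `cca-verifier` by the following `@@ -82,6 +82,11 @@` hunk) cannot verify evidence from any other TEE type a client may present, even though the KBS itself has no hardware dependency on the TEE it verifies; `all-verifier` remains x86_64-only. That may be deliberate, for example if some verifier crates do not build on arm64, but the constraint is not recorded anywhere. A comment above the new table would prevent it being read as an oversight: `# verifier set is selected by build target; non-x86_64 builds ship only the verifier for their own TEE`.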
@@ -82,6 +82,11 @@ attestation-service = { path = "../attestation-service", default-features = fals "se-verifier", ], optional = true } +[target.'cfg(target_arch = "aarch64")'.dependencies] +attestation-service = { path = "../attestation-service", default-features = false, features = [ + "cca-verifier", +], optional = true } + [dev-dependencies] tempfile.workspace = true diff --git a/kbs/Makefile b/kbs/Makefile index b6f4d8804..cc7c8dab5 100644 --- a/kbs/Makefile +++ b/kbs/Makefile @@ -3,7 +3,7 @@ ALIYUN ?= false ARCH := $(shell uname -m) # Check if ARCH is supported, otehrwise return error -ifeq ($(filter $(ARCH),x86_64 s390x),) +ifeq ($(filter $(ARCH),x86_64 s390x aarch64),) $(error "Unsupported architecture: $(ARCH)") endif diff --git a/kbs/docker/kbs-client/Dockerfile b/kbs/docker/kbs-client/Dockerfile new file mode 100644 index 000000000..626261274 --- /dev/null +++ b/kbs/docker/kbs-client/Dockerfile @@ -0,0 +1,15 @@ +FROM rust:1.76.0 AS builder +ARG ARCH=x86_64 + +WORKDIR /usr/src/kbs +COPY . . + +RUN apt-get update && apt install -y pkg-config libssl-dev git sudo + +# Build KBS Client +RUN cd kbs && make ARCH=${ARCH} cli-static-linux && \ + cp ../target/${ARCH}-unknown-linux-gnu/release/kbs-client / + +# Export view.txt +FROM scratch AS export +COPY --from=builder /kbs-client .
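Review bot: The `# Export view.txt` comment in the new kbs/docker/kbs-client/Dockerfile is stale: the export stage copies `/kbs-client`, not a `view.txt`, so it should read `# Export the kbs-client binary as the only content of the scratch image`. The package line mixes `apt-get update` with `apt install`, whose command-line interface is not stable for scripts and prints a warning; `RUN apt-get update && apt-get install -y --no-install-recommends pkg-config libssl-dev git` is the usual form, and `sudo` has no obvious role inside a build stage unless the Makefile invokes it. With `--platform linux/arm64` supplied by the callers, `FROM rust:1.76.0` pulls an arm64 base and `make … cli-static-linux` runs emulated; a `FROM --platform=$BUILDPLATFORM rust:1.76.0` builder with a Rust `--target` would make this a true cross-compile, though I cannot see whether the Makefile target supports that.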