gha: Enable KBS images for s390x

This commit introduces a job matrix to allow a s390x self-hosted runner to run alongside the existing x86_64 one. Additionally, two new steps (e.g., {pre,post} action) are introduced to manage the self-hosted runner since it is not provisioned instantly for CI. To run the build steps `kbs` and `kbs-grpc-as` in parallel, the build step is generalized into one step and the relevant configuration values are parameterized into the job matrix. Signed-off-by: Hyounggyu Choi <[email protected]>
confidential-containers · May 8, 2024 · 4890f58 · 4890f58
1 parent c458aa8
commit 4890f58
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 24 deletions.
diff --git a/.github/workflows/kbs-build-and-push.yaml b/.github/workflows/kbs-build-and-push.yaml
@@ -7,9 +7,37 @@ on:
 
 jobs:
   build_and_push:
-    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        instance:
+          - ubuntu-latest
+          - s390x
+        tag:
+          - kbs
+          - kbs-grpc-as
+        include:
+          - tag: kbs
+            docker_file: kbs/docker/Dockerfile
+            https_crypto: openssl
+            name: build-in AS
+          - tag: kbs-grpc-as
+            docker_file: kbs/docker/Dockerfile.coco-as-grpc
+            https_crypto: rustls
+            name: gRPC AS
+    runs-on: ${{ matrix.instance }}
 
     steps:
+    - name: Take a pre-action for self-hosted runner
+      run: |
+        # NOTE: Use file checking instead triggering a step based on a runner type
+        # to avoid updating the step for each new self-hosted runner.
+        if [ -f "${HOME}/script/pre_action.sh" ]; then
+          "${HOME}/script/pre_action.sh" cc-trustee
+        fi
+
     - name: Checkout code
       uses: actions/checkout@v4
 
@@ -23,12 +51,53 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Build Container Image KBS (built-in AS)
+    - name: Build Container Image KBS (${{ matrix.name }})
       run: |
         commit_sha=${{ github.sha }}
-        DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile --push
+        arch=$(uname -m)
+        https_crypto=${{ matrix.https_crypto }}
+        [ "${arch}" = "s390x" ] && https_crypto=openssl
+        DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push \
+          -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \
+          -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} \
+          --build-arg ARCH=${arch} --build-arg HTTPS_CRYPTO=${https_crypto} .
+
+    - name: Take a post-action for self-hosted runner
+      if: always()
+      run: |
+        # Please check out the note in the pre-action step for the reason of using file checking
+        if [ -f "${HOME}/script/post_action.sh" ]; then
+          "${HOME}/script/post_action.sh" cc-trustee
+        fi
+
+  publish_multi_arch_image:
+    needs: build_and_push
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          - kbs
+          - kbs-grpc-as
+    permissions:
+      packages: write
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Login to GHCR Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Build Container Image KBS (gRPC AS)
+    - name: Publish Multi-Arch ${{ matrix.image }} image
       run: |
         commit_sha=${{ github.sha }}
-        DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:latest . -f kbs/docker/Dockerfile.coco-as-grpc --push
+        docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha} \
+          --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64 \
+          --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x
+        docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}
+        docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest \
+          --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64 \
+          --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x
+        docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest
diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
@@ -1,4 +1,6 @@
 FROM rust:slim as builder
+ARG ARCH=x86_64
+ARG HTTPS_CRYPTO=rustls
 
 ENV DEBIAN_FRONTEND noninteractive
 
@@ -9,10 +11,10 @@ RUN apt-get update && \
     gnupg-agent \
     git
 
-RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
     gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
     echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | \
-    tee /etc/apt/sources.list.d/intel-sgx.list && \
+    tee /etc/apt/sources.list.d/intel-sgx.list; fi && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
     libclang-dev \
@@ -25,22 +27,24 @@ RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.k
     wget \
     clang \
     cmake \
-    libtss2-dev \
+    libtss2-dev && \
+    if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends \
     libsgx-dcap-quote-verify-dev \
-    libtdx-attest-dev
+    libtdx-attest-dev; fi
 
-RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
-RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
+RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
+    wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
+    tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz
 ENV PATH="/usr/local/go/bin:${PATH}"
 
 # Build and Install KBS
 WORKDIR /usr/src/kbs
 COPY . .
 
-ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa
-RUN cargo install --locked --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES}
+RUN cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO}
 
 FROM ubuntu:22.04
+ARG ARCH=x86_64
 
 RUN apt-get update && \
     apt-get install -y \
@@ -49,14 +53,14 @@ RUN apt-get update && \
     gnupg-agent
 
 # Install TDX Runtime Dependencies
-RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
-    gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
-RUN echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
+    gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg; fi
+RUN if [ "${ARCH}" = "x86_64" ]; then echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list; fi
 RUN apt-get update
-RUN apt-get install -y --no-install-recommends \
+RUN if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends \
     libsgx-dcap-default-qpl \
     libsgx-dcap-quote-verify \
-    tpm2-tools
+    tpm2-tools; fi
 
 # Intel PCCS URL Configurations
 # If you want the AS in KBS to connect to your customized PCCS for Intel TDX/SGX evidence verification,
@@ -66,7 +70,7 @@ ENV INTEL_PCCS_URL "https://localhost:8081/sgx/certification/v4/"
 ENV INTEL_PCCS_USE_SECURE_CERT false
 
 # Setup Intel PCCS URL
-RUN sed -i "s|\"pccs_url\":.*$|\"pccs_url\":$INTEL_PCCS_URL,|" /etc/sgx_default_qcnl.conf; \
-    sed -i "s/\"use_secure_cert\":.*$/\"use_secure_cert\":$INTEL_PCCS_USE_SECURE_CERT,/" /etc/sgx_default_qcnl.conf
+RUN if [ "${ARCH}" = "x86_64" ]; then sed -i "s|\"pccs_url\":.*$|\"pccs_url\":$INTEL_PCCS_URL,|" /etc/sgx_default_qcnl.conf; \
+    sed -i "s/\"use_secure_cert\":.*$/\"use_secure_cert\":$INTEL_PCCS_USE_SECURE_CERT,/" /etc/sgx_default_qcnl.conf; fi
 
 COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs
diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/Dockerfile.coco-as-grpc
@@ -1,17 +1,19 @@
 FROM rust:latest as builder
+ARG ARCH=x86_64
+ARG HTTPS_CRYPTO=rustls
 
 WORKDIR /usr/src/kbs
 COPY . .
 
 RUN apt-get update && apt install -y protobuf-compiler wget git
 
-RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz
-RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
+RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
+wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
+tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz
 ENV PATH="/usr/local/go/bin:${PATH}"
 
 # Build and Install KBS
-RUN cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,rustls
-
+RUN cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO}
 
 FROM ubuntu:22.04