From 4890f58c036da0555928e3e5b27082197600c593 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Tue, 7 May 2024 09:59:08 +0200 Subject: [PATCH] gha: Enable KBS images for s390x This commit introduces a job matrix to allow a s390x self-hosted runner to run alongside the existing x86_64 one. Additionally, two new steps (e.g., {pre,post} action) are introduced to manage the self-hosted runner since it is not provisioned instantly for CI. To run the build steps `kbs` and `kbs-grpc-as` in parallel, the build step is generalized into one step and the relevant configuration values are parameterized into the job matrix. Signed-off-by: Hyounggyu Choi --- .github/workflows/kbs-build-and-push.yaml | 79 +++++++++++++++++++++-- kbs/docker/Dockerfile | 34 +++++----- kbs/docker/Dockerfile.coco-as-grpc | 10 +-- 3 files changed, 99 insertions(+), 24 deletions(-) diff --git a/.github/workflows/kbs-build-and-push.yaml b/.github/workflows/kbs-build-and-push.yaml index 7cba6312ea..af2ababc04 100644 --- a/.github/workflows/kbs-build-and-push.yaml +++ b/.github/workflows/kbs-build-and-push.yaml @@ -7,9 +7,37 @@ on: jobs: build_and_push: - runs-on: ubuntu-latest + permissions: + packages: write + strategy: + fail-fast: false + matrix: + instance: + - ubuntu-latest + - s390x + tag: + - kbs + - kbs-grpc-as + include: + - tag: kbs + docker_file: kbs/docker/Dockerfile + https_crypto: openssl + name: build-in AS + - tag: kbs-grpc-as + docker_file: kbs/docker/Dockerfile.coco-as-grpc + https_crypto: rustls + name: gRPC AS + runs-on: ${{ matrix.instance }} steps: + - name: Take a pre-action for self-hosted runner + run: | + # NOTE: Use file checking instead triggering a step based on a runner type + # to avoid updating the step for each new self-hosted runner. + if [ -f "${HOME}/script/pre_action.sh" ]; then + "${HOME}/script/pre_action.sh" cc-trustee + fi + - name: Checkout code uses: actions/checkout@v4 
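Review bot: The job-level `permissions:` block lists only `packages: write`, which sets every unlisted scope, including `contents`, to none, yet the `actions/checkout@v4` step later in this hunk relies on `contents: read`; add it explicitly (`permissions:` / `  contents: read` / `  packages: write`) rather than depend on the repository being public. The new pre-action step executes `${HOME}/script/pre_action.sh` on the self-hosted runner, and the `on:` trigger is outside the hunk, so confirm the workflow never runs for pull_request events from forks, where the s390x runner would build untrusted code. A one-line comment above `runs-on: ${{ matrix.instance }}` naming where the `s390x` label is provisioned would help readers who cannot see the runner configuration.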
@@ -23,12 +51,53 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Build Container Image KBS (built-in AS) + - name: Build Container Image KBS (${{ matrix.name }}) run: | commit_sha=${{ github.sha }} - DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile --push + arch=$(uname -m) + https_crypto=${{ matrix.https_crypto }} + [ "${arch}" = "s390x" ] && https_crypto=openssl + DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} \ + --build-arg ARCH=${arch} --build-arg HTTPS_CRYPTO=${https_crypto} . + + - name: Take a post-action for self-hosted runner + if: always() + run: | + # Please check out the note in the pre-action step for the reason of using file checking + if [ -f "${HOME}/script/post_action.sh" ]; then + "${HOME}/script/post_action.sh" cc-trustee + fi + + publish_multi_arch_image: + needs: build_and_push + strategy: + fail-fast: false + matrix: + image: + - kbs + - kbs-grpc-as + permissions: + packages: write + runs-on: ubuntu-latest + + steps: + - name: Login to GHCR Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} - - name: Build Container Image KBS (gRPC AS) + - name: Publish Multi-Arch ${{ matrix.image }} image run: | commit_sha=${{ github.sha }} - DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:latest . 
-f kbs/docker/Dockerfile.coco-as-grpc --push + docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha} \ + --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64 \ + --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x + docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha} + docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest \ + --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64 \ + --amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x + docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index 0d2795412f..2367920953 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -1,4 +1,6 @@ FROM rust:slim as builder +ARG ARCH=x86_64 +ARG HTTPS_CRYPTO=rustls ENV DEBIAN_FRONTEND noninteractive @@ -9,10 +11,10 @@ RUN apt-get update && \ gnupg-agent \ git -RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \ +RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \ gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \ echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | \ - tee /etc/apt/sources.list.d/intel-sgx.list && \ + tee /etc/apt/sources.list.d/intel-sgx.list; fi && \ apt-get update && \ apt-get install -y --no-install-recommends \ libclang-dev \ 
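Review bot: `[ "${arch}" = "s390x" ] && https_crypto=openssl` silently discards the `kbs-grpc-as` matrix entry's `https_crypto: rustls` on the s390x runner, so the matrix value is only honored on x86_64; make the override explicit and state the reason, e.g. `# s390x builds use openssl regardless of the matrix value (TODO: state why)` followed by `if [ "${arch}" = "s390x" ]; then https_crypto=openssl; fi`. The `publish_multi_arch_image` step hard-codes the `-x86_64` and `-s390x` suffixes that `build_and_push` derives from `uname -m`, so the two jobs drift if an `instance` is added or renamed; a comment next to `instance:` pointing at the `docker manifest create` lines would make that coupling visible. Because `needs: build_and_push` only runs when every matrix leg succeeds, a failed s390x build leaves both multi-arch manifests unpublished while the `:latest-x86_64` tags have already been pushed; that partial state is worth a sentence in the job description.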
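Review bot: The `ARCH` guard placed around the Intel SGX repository setup compares only against `x86_64`, and `ARG ARCH=x86_64` in the previous hunk accepts any value, so a typo or an unsupported architecture silently takes the non-Intel path instead of failing the build; validate it once right after the `ARG`, e.g. `RUN case "${ARCH}" in x86_64|s390x) ;; *) echo "unsupported ARCH=${ARCH}" >&2; exit 1;; esac`. The same guard recurs in the three later hunks of this file (`@@ -25,22`, `@@ -49,14`, `@@ -66,7`), so a one-line comment above the first `ARG ARCH` such as `# SGX/TDX verification support is installed only for x86_64` would explain the pattern once. Inside the `if` body the pipeline status is still that of `gpg`, unchanged from before, so a failed key download is only noticed when `gpg` also fails; the guard does not change that, but keep it in mind when extending the chain.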
@@ -25,22 +27,24 @@ RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.k wget \ clang \ cmake \ - libtss2-dev \ + libtss2-dev && \ + if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends \ libsgx-dcap-quote-verify-dev \ - libtdx-attest-dev + libtdx-attest-dev; fi -RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz -RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz +RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \ + wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \ + tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz ENV PATH="/usr/local/go/bin:${PATH}" # Build and Install KBS WORKDIR /usr/src/kbs COPY . . -ARG KBS_FEATURES=coco-as-builtin,rustls,resource,opa -RUN cargo install --locked --path kbs/src/kbs --no-default-features --features ${KBS_FEATURES} +RUN cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} FROM ubuntu:22.04 +ARG ARCH=x86_64 RUN apt-get update && \ apt-get install -y \ 
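Review bot: `ARG KBS_FEATURES` is removed and the feature list is hard-coded on the `cargo install` line, so any caller still passing `--build-arg KBS_FEATURES=...` (documentation or scripts outside this diff) gets only a "build-arg not consumed" warning and a different feature set; either keep `ARG KBS_FEATURES=coco-as-builtin,resource,opa,${HTTPS_CRYPTO}` with `--features ${KBS_FEATURES}`, or call the removal out in the commit message. The mapping `if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi` only holds where Go's name equals `uname -m` (s390x, ppc64le); for aarch64 Go publishes `linux-arm64`, so the `wget` would fail with a 404, and a comment saying the else branch is meant for s390x only (or a `case` mapping) would prevent a later surprise. The tarball is still fetched without checksum verification, as before, but since the line is being rewritten it is a cheap moment to add `sha256sum -c` against the per-architecture digest published on go.dev/dl.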
@@ -49,14 +53,14 @@ RUN apt-get update && \ gnupg-agent # Install TDX Runtime Dependencies -RUN curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \ - gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg -RUN echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list +RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \ + gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg; fi +RUN if [ "${ARCH}" = "x86_64" ]; then echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list; fi RUN apt-get update -RUN apt-get install -y --no-install-recommends \ +RUN if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends \ libsgx-dcap-default-qpl \ libsgx-dcap-quote-verify \ - tpm2-tools + tpm2-tools; fi # Intel PCCS URL Configurations # If you want the AS in KBS to connect to your customized PCCS for Intel TDX/SGX evidence verification, @@ -66,7 +70,7 @@ ENV INTEL_PCCS_URL "https://localhost:8081/sgx/certification/v4/" ENV INTEL_PCCS_USE_SECURE_CERT false # Setup Intel PCCS URL -RUN sed -i "s|\"pccs_url\":.*$|\"pccs_url\":$INTEL_PCCS_URL,|" /etc/sgx_default_qcnl.conf; \ - sed -i "s/\"use_secure_cert\":.*$/\"use_secure_cert\":$INTEL_PCCS_USE_SECURE_CERT,/" /etc/sgx_default_qcnl.conf +RUN if [ "${ARCH}" = "x86_64" ]; then sed -i "s|\"pccs_url\":.*$|\"pccs_url\":$INTEL_PCCS_URL,|" /etc/sgx_default_qcnl.conf; \ + sed -i "s/\"use_secure_cert\":.*$/\"use_secure_cert\":$INTEL_PCCS_USE_SECURE_CERT,/" /etc/sgx_default_qcnl.conf; fi COPY --from=builder /usr/local/cargo/bin/kbs /usr/local/bin/kbs diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/Dockerfile.coco-as-grpc index 9022d5c9d0..1506741dce 100644 
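Review bot: `tpm2-tools` moves inside the `x86_64` guard together with the SGX packages, so the runtime image on s390x no longer contains it even though the builder stage still installs `libtss2-dev` unconditionally in the previous hunk; if the TPM path is meant to work on s390x, install it outside the `if`, e.g. `RUN if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends libsgx-dcap-default-qpl libsgx-dcap-quote-verify; fi && apt-get install -y --no-install-recommends tpm2-tools`, otherwise add a comment stating it is intentionally x86_64-only. The two single-purpose `RUN if ... fi` lines for the key download and the sources entry could be one `RUN` so the keyring and the list entry land in the same layer and cannot be cached separately. The `@@ -66,7` hunk is consistent with this one: the `sed` on `/etc/sgx_default_qcnl.conf` now runs only when `libsgx-dcap-default-qpl`, which presumably ships that file, was installed, so no separate note there.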
--- a/kbs/docker/Dockerfile.coco-as-grpc +++ b/kbs/docker/Dockerfile.coco-as-grpc @@ -1,17 +1,19 @@ FROM rust:latest as builder +ARG ARCH=x86_64 +ARG HTTPS_CRYPTO=rustls WORKDIR /usr/src/kbs COPY . . RUN apt-get update && apt install -y protobuf-compiler wget git -RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz -RUN tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz +RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \ +wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \ +tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz ENV PATH="/usr/local/go/bin:${PATH}" # Build and Install KBS -RUN cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,rustls - +RUN cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} FROM ubuntu:22.04