AS: Replace dockerfile generation logic
We have two needs when building an AS docker image:

1. Use specific verifier suites.
2. Install a specific verifier software stack, depending on the verifier.

This patch accomplishes this by using a Makefile env `VERIFIER`. By specifying the `VERIFIER`, a proper Dockerfile will be generated. To align with the needs, the cargo feature of AS is also modified. By default the verifier is set to none in Rust code, while `all-verifier` is set for the Makefile. We add target platform detecting logic to the KBS crate cargo toml to determine the built-in AS features. Also, the CI pipeline of CoCoAS is updated.

Signed-off-by: Xynnn007 <[email protected]>
Showing 14 changed files with 198 additions and 115 deletions.
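Added example, not part of this commit or of the trustee repository: a POSIX sh renderer for the same placeholder-driven Dockerfile templating the commit introduces, with the check a reviewer would want in front of it, namely that `VERIFIER` is exactly one of the four feature names the script branches on before it is interpolated into `cargo install --features`. The placeholder tokens and verifier names are the ones the commit uses; the template, the shortened install snippets and the function names (`validate_verifier`, `render_template`, `render_example`) are constructed for illustration and are not the project's own.

```shell
#!/bin/sh
# Added example (not the project's generate-dockerfile.sh): render a Dockerfile
# template from a VERIFIER value, refusing values outside an allow-list and
# substituting placeholders literally (no sed delimiter or '&' surprises).
set -eu

# Verifier feature names the rendered Dockerfile may enable. These mirror the
# names the commit's script branches on; anything else is rejected before it
# can reach `cargo install --features`.
ALLOWED_VERIFIERS="all-verifier tdx-verifier az-snp-vtpm-verifier az-tdx-vtpm-verifier"

# validate_verifier NAME: succeed only if NAME is exactly one of the allowed names.
validate_verifier() {
    for v in $ALLOWED_VERIFIERS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Which software stacks a verifier needs (same mapping as the commit's script).
needs_tdx_stack() { case "$1" in all-verifier|tdx-verifier) return 0 ;; *) return 1 ;; esac; }
needs_tpm_stack() { case "$1" in all-verifier|az-snp-vtpm-verifier|az-tdx-vtpm-verifier) return 0 ;; *) return 1 ;; esac; }

# render_template VERIFIER < template > dockerfile
# The install snippets below are shortened, constructed stand-ins for the real ones.
render_template() {
    verifier="$1"
    if ! validate_verifier "$verifier"; then
        echo "render_template: unknown VERIFIER '$verifier'" >&2
        return 2
    fi
    TDX_INSTALL='RUN apt-get update && apt-get install -y libsgx-dcap-quote-verify'
    TPM_INSTALL='RUN apt-get update && apt-get install -y libtss2-dev'
    TPM_COPY='COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu/'
    needs_tdx_stack "$verifier" || TDX_INSTALL=""
    needs_tpm_stack "$verifier" || { TPM_INSTALL=""; TPM_COPY=""; }
    VERIFIER_VALUE="$verifier"
    export TDX_INSTALL TPM_INSTALL TPM_COPY VERIFIER_VALUE
    # Replacement text is read from the environment so awk neither processes
    # backslashes (as -v would) nor treats '&' as "the matched text" (as gsub would).
    awk '
        function lit_sub(s, pat, rep,    i, out) {
            out = ""
            while ((i = index(s, pat)) > 0) {
                out = out substr(s, 1, i - 1) rep
                s = substr(s, i + length(pat))
            }
            return out s
        }
        {
            $0 = lit_sub($0, "@INSTALL_TDX_DEPENDENCIES@", ENVIRON["TDX_INSTALL"])
            $0 = lit_sub($0, "@INSTALL_TPM_DEPENDENCIES@", ENVIRON["TPM_INSTALL"])
            $0 = lit_sub($0, "@COPY_TPM_DEPENDENCIES@", ENVIRON["TPM_COPY"])
            $0 = lit_sub($0, "@VERIFIER@", ENVIRON["VERIFIER_VALUE"])
            print
        }'
}

# Constructed minimal template carrying the same placeholders as the commit's templates.
TEMPLATE='FROM rust:1.76 AS builder
@INSTALL_TPM_DEPENDENCIES@
@INSTALL_TDX_DEPENDENCIES@
RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,@VERIFIER@ --locked
FROM ubuntu:22.04
ARG ARCH=x86_64
@COPY_TPM_DEPENDENCIES@
COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as'

# render_example VERIFIER: render TEMPLATE for VERIFIER and print the Dockerfile.
render_example() { printf '%s\n' "$TEMPLATE" | render_template "$1"; }

# Usage: sh render.sh <verifier>
if [ "${1:-}" != "" ]; then
    render_example "$1"
fi
```

Run as `sh render.sh tdx-verifier` to print the rendered Dockerfile for one verifier; `sh render.sh tdx-verifer` (typo) exits with status 2 instead of producing a Dockerfile whose `cargo install --features` only fails minutes into the image build. The awk `index`/`substr` loop does a literal replacement, so snippets containing `/`, `#`, `&` or `${ARCH}` need no escaping, which is where the `\&\&` and delimiter juggling in a sed-based renderer comes from.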
@@ -0,0 +1,35 @@ | ||
# Copyright (c) 2023 by Alibaba. | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
FROM rust:latest AS builder | ||
|
||
WORKDIR /usr/src/attestation-service | ||
COPY . . | ||
|
||
# Install Build Dependencies | ||
RUN apt-get update && apt-get install -y protobuf-compiler clang | ||
|
||
@INSTALL_TPM_DEPENDENCIES@ | ||
|
||
@INSTALL_TDX_DEPENDENCIES@ | ||
|
||
# Build and Install gRPC attestation-service | ||
RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,@VERIFIER@ --locked | ||
|
||
FROM ubuntu:22.04 | ||
ARG ARCH=x86_64 | ||
|
||
LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service" | ||
|
||
@INSTALL_TDX_DEPENDENCIES@ | ||
|
||
@COPY_TPM_DEPENDENCIES@ | ||
|
||
COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as | ||
|
||
VOLUME /opt/confidential-containers/attestation-service | ||
|
||
CMD ["grpc-as", "--socket", "0.0.0.0:50004"] | ||
|
||
EXPOSE 50004 |
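Review bot: `FROM rust:latest AS builder` makes the image build non-reproducible and lets the toolchain drift underneath a `--locked` Cargo build; pin a tag or digest that matches the crate's supported Rust version. In the runtime stage the `@INSTALL_TDX_DEPENDENCIES@` placeholder expands to the same snippet as in the builder, so the final `ubuntu:22.04` image gets `libsgx-dcap-quote-verify-dev` plus `curl gnupg` rather than just the shared library; a runtime-only snippet (non-dev package, tooling removed) would keep the AS image smaller. Minor: the `LABEL org.opencontainers.image.source` value is a repository subdirectory path, not a URL to the source repository, which is what that annotation is defined to carry.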
@@ -0,0 +1,39 @@ | ||
# Copyright (c) 2023 by Alibaba. | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
FROM rust:latest AS builder | ||
|
||
WORKDIR /usr/src/attestation-service | ||
COPY . . | ||
|
||
# Install Build Dependencies | ||
RUN apt-get update && apt-get install -y protobuf-compiler clang | ||
|
||
@INSTALL_TPM_DEPENDENCIES@ | ||
|
||
@INSTALL_TDX_DEPENDENCIES@ | ||
|
||
# Build and Install RESTful attestation-service | ||
RUN cargo install --path attestation-service --bin restful-as --features restful-bin,@VERIFIER@ --locked | ||
|
||
FROM ubuntu:22.04 | ||
ARG ARCH=x86_64 | ||
|
||
LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service" | ||
|
||
@INSTALL_TDX_DEPENDENCIES@ | ||
|
||
@COPY_TPM_DEPENDENCIES@ | ||
|
||
# Copy TPM Runtime Dependencies | ||
|
||
COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as | ||
|
||
COPY ./attestation-service/config.json /etc/config.json | ||
|
||
VOLUME /opt/confidential-containers/attestation-service | ||
|
||
CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"] | ||
|
||
EXPOSE 8080 |
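Review bot: the `# Copy TPM Runtime Dependencies` comment is placed below the `@COPY_TPM_DEPENDENCIES@` placeholder with nothing under it, and it survives in every rendered Dockerfile, including the ones where the TPM verifier is not selected and the placeholder is replaced with an empty string. Either move the comment into the `COPY_TSS` snippet that the generator substitutes, or drop it; the gRPC template does without it.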
@@ -0,0 +1,47 @@ | ||
#!/bin/bash | ||
|
||
# Copyright (c) 2024 by Alibaba. | ||
# Licensed under the Apache License, Version 2.0, see LICENSE for details. | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
# Usage: | ||
# VERIFIER=<verifier-parameter> generate-dockerfile.sh <template_file> <target_file> | ||
|
||
set -euo pipefail | ||
|
||
VERIFIER=${VERIFIER:-all-verifier} | ||
|
||
template_file=$1 | ||
target_file=$2 | ||
|
||
cp "${template_file}" "${target_file}" | ||
|
||
# TDX stacks | ||
INSTALL_DCAP=" | ||
RUN apt-get update \&\& apt-get install -y curl gnupg \&\& \ | ||
curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - \&\& \ | ||
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list \&\& \ | ||
apt-get update \&\& apt-get install -y libsgx-dcap-quote-verify-dev \&\& \ | ||
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* \ | ||
" | ||
|
||
if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ]; then | ||
sed -i "s#@INSTALL_TDX_DEPENDENCIES@#${INSTALL_DCAP//$'\n'/\\n}#g" "${target_file}" | ||
else | ||
sed -i "s/@INSTALL_TDX_DEPENDENCIES@//g" "${target_file}" | ||
fi | ||
|
||
# vTPM TSS stacks | ||
INSTALL_TSS="RUN apt-get install libtss2-dev -y" | ||
|
||
COPY_TSS="COPY --from=builder /usr/lib/\${ARCH}-linux-gnu/libtss* /usr/lib/\${ARCH}-linux-gnu" | ||
|
||
if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "az-snp-vtpm-verifier" ] || [ "${VERIFIER}" = "az-tdx-vtpm-verifier" ]; then | ||
sed -i "s#@INSTALL_TPM_DEPENDENCIES@#${INSTALL_TSS//$'\n'/\\n}#g" "${target_file}" | ||
sed -i "s#@COPY_TPM_DEPENDENCIES@#${COPY_TSS//$'\n'/\\n}#g" "${target_file}" | ||
else | ||
sed -i "s/@INSTALL_TPM_DEPENDENCIES@//g" "${target_file}" | ||
sed -i "s/@COPY_TPM_DEPENDENCIES@//g" "${target_file}" | ||
fi | ||
|
||
sed -i "s/@VERIFIER@/${VERIFIER}/g" "${target_file}" |
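Review bot: `VERIFIER` is interpolated verbatim into the Dockerfile by the final `sed -i "s/@VERIFIER@/${VERIFIER}/g"` without any validation, so a typo such as `tdx-verifer` falls through both `else` branches (no TDX or TPM stack installed), renders a Dockerfile, and only fails later inside `cargo install --features`, while a value containing `/` breaks the sed expression itself. Reject anything outside the four names the script already branches on before doing any substitution, e.g. `case "${VERIFIER}" in all-verifier|tdx-verifier|az-snp-vtpm-verifier|az-tdx-vtpm-verifier) ;; *) echo "unknown VERIFIER" >&2; exit 1 ;; esac`. Two further points in `INSTALL_DCAP`: `apt-key add -` is deprecated on jammy (store the key under `/etc/apt/keyrings` and reference it with `signed-by=` in the sources entry), and `tee intel-sgx-deb.key` leaves the key file lying in the image's working directory. Finally, `COPY_TSS` copies `libtss*` built for the Debian-based `rust:latest` builder into an `ubuntu:22.04` runtime; installing the libtss2 runtime packages from Ubuntu's own repository in the runtime stage avoids mixing distribution builds of the library.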