

AS: Replace dockerfile generation logic
We have two needs to build an AS docker image.
1. Use specific verifier suites
2. Install specific verifier software stack due to verifier

This patch accomplishes this by using a Makefile variable `VERIFIER`. By
specifying the `VERIFIER`, a proper dockerfile will be generated. To
align with the needs, the cargo feature of AS is also modified. By
default the verifier is set to none in rust code, while the
`all-verifier` is set for Makefile.

We add target platform detecting logic to the KBS crate cargo toml to
determine the built-in AS features.

Also, the CI pipeline of CoCoAS is updated.

Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 committed Nov 11, 2024
1 parent c3f1e75 commit 9a2e2d6
Showing 14 changed files with 198 additions and 115 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/as-docker-build.yml
Expand Up @@ -26,6 +26,10 @@ jobs:
- name: Code checkout
uses: actions/checkout@v4

- name: Generate Dockerfiles
run: |
cd attestation-service && make dockerfile
- name: Build gRPC AS Container Image
run: |
DOCKER_BUILDKIT=1 docker build -t attestation-service:latest . -f attestation-service/docker/as-grpc/Dockerfile
4 changes: 4 additions & 0 deletions .github/workflows/kbs-docker-e2e.yml
Expand Up @@ -33,6 +33,10 @@ jobs:
openssl genpkey -algorithm ed25519 > kbs/config/private.key
openssl pkey -in kbs/config/private.key -pubout -out kbs/config/public.pub
- name: Generate Dockerfiles
run: |
cd attestation-service && make dockerfile
- name: Build KBS Cluster
run: docker compose build

28 changes: 28 additions & 0 deletions .github/workflows/push-as-image-to-ghcr.yml
Expand Up @@ -19,22 +19,50 @@ jobs:
- coco-as-grpc
- coco-as-restful
- rvps
verifier:
- all-verifier
- se-verifier
include:
- docker_file: attestation-service/docker/as-grpc/Dockerfile
tag: coco-as-grpc
name: gRPC CoCo-AS
verifier: all-verifier
instance: ubuntu-latest
- docker_file: attestation-service/docker/as-grpc/Dockerfile
tag: coco-as-grpc
name: gRPC CoCo-AS (IBM SE)
verifier: se-verifier
instance: s390x
- docker_file: attestation-service/docker/as-restful/Dockerfile
tag: coco-as-restful
name: RESTful CoCo-AS
verifier: all-verifier
instance: ubuntu-latest
- docker_file: attestation-service/docker/as-restful/Dockerfile
tag: coco-as-restful
name: RESTful CoCo-AS (IBM SE)
verifier: se-verifier
instance: s390x
- docker_file: rvps/docker/Dockerfile
tag: rvps
name: RVPS
verifier: all-verifier
instance: ubuntu-latest
- docker_file: rvps/docker/Dockerfile
tag: rvps
name: RVPS
verifier: se-verifier
instance: s390x
runs-on: ${{ matrix.instance }}

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Generate Dockerfiles
run: |
cd attestation-service && make dockerfile VERIFIER=${{ matrix.verifier }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

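Review bot: The matrix rows that share `tag: coco-as-grpc` (and likewise `coco-as-restful` and `rvps`) differ only in `verifier` and `instance`, so the `all-verifier` x86_64 image and the `se-verifier` s390x image are told apart by architecture alone; if the tag/push steps further down (outside this hunk) key on `matrix.tag` only, both builds push to the same tag and the last one to finish wins, unless a multi-arch manifest step that is not visible here merges them. Because the compiled-in verifier set decides which TEE evidence the service will accept, it belongs in the published identity, e.g. `tag: coco-as-grpc-se` on the IBM SE rows or a verifier-derived suffix in the push step. The `rvps` rows also carry a `verifier` value although `rvps/docker/Dockerfile` presumably does not consume the attestation-service templates, so the `make dockerfile VERIFIER=…` step is a no-op for them; a one-line comment on those rows (`# verifier is irrelevant to RVPS; kept so the include matches the matrix`) would stop someone "fixing" it later.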
3 changes: 3 additions & 0 deletions attestation-service/.gitignore
Expand Up @@ -7,3 +7,6 @@ tests/e2e/restful-request.json

# Output files generated by unit test
tests/tmp/

# Generated Dockerfile
docker/**/Dockerfile
7 changes: 1 addition & 6 deletions attestation-service/Cargo.toml
Expand Up @@ -4,7 +4,7 @@ version = "0.1.0"
edition = "2021"

[features]
default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ]
default = ["restful-bin", "rvps-grpc", "rvps-builtin"]
all-verifier = [ "verifier/all-verifier" ]
tdx-verifier = [ "verifier/tdx-verifier" ]
sgx-verifier = [ "verifier/sgx-verifier" ]
Expand Down Expand Up @@ -64,13 +64,8 @@ thiserror = { workspace = true, optional = true }
tokio.workspace = true
tonic = { workspace = true, optional = true }
uuid = { version = "1.1.2", features = ["v4"] }

[target.'cfg(not(target_arch = "s390x"))'.dependencies]
verifier = { path = "../deps/verifier", default-features = false }

[target.'cfg(target_arch = "s390x")'.dependencies]
verifier = { path = "../deps/verifier", default-features = false, features = ["se-verifier"] }

[build-dependencies]
shadow-rs.workspace = true
tonic-build.workspace = true
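Review bot: With `all-verifier` dropped from the new `default = ["restful-bin", "rvps-grpc", "rvps-builtin"]` line, a plain `cargo build` or `cargo install --path attestation-service` now yields an attestation service with no verifier compiled in, and nothing in this file says so; the only hint lives in the commit message. A comment above that line would spare the next person a confusing runtime failure, e.g. `# No verifier is enabled by default: pass --features all-verifier (or a specific <tee>-verifier); the Makefile's VERIFIER knob and docker/generate-dockerfile.sh must agree on the choice because the runtime deps (DCAP, TSS) are selected from it.` The same hunk removes the per-target `verifier` dependency tables, including the s390x table that forced `se-verifier`, so an s390x build that forgets `--features se-verifier` is now a silent no-verifier build; the commit message says the arch detection moved to the KBS crate, which is not in this view, so worth confirming the AS CI path still passes the feature explicitly.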
30 changes: 19 additions & 11 deletions attestation-service/Makefile
Expand Up @@ -8,15 +8,14 @@ BIN_NAMES := grpc-as restful-as
DEBUG ?=
DESTDIR ?= $(PREFIX)/bin

FEATURES ?=
VERIFIER ?= all-verifier

ifdef FEATURES
OPTIONAL_FEATURES := ,$(FEATURES)
default-features := --no-default-features
else
OPTIONAL_FEATURES :=
default-features :=
endif
GRPC_AS_DOCKERFILE_TEMPLATE := docker/as-grpc/Dockerfile.template
GRPC_AS_DOCKERFILE := docker/as-grpc/Dockerfile
RESTFUL_AS_DOCKERFILE_TEMPLATE := docker/as-restful/Dockerfile.template
RESTFUL_AS_DOCKERFILE := docker/as-restful/Dockerfile

DOCKERFILE_GENERATOR := docker/generate-dockerfile.sh

ifdef DEBUG
release :=
Expand All @@ -29,15 +28,24 @@ endif
build: grpc-as restful-as

grpc-as:
cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin$(OPTIONAL_FEATURES)
cargo build --bin grpc-as $(release) $(default-features) --features grpc-bin,$(VERIFIER)

restful-as:
cargo build --bin restful-as $(release) $(default-features) --features restful-bin$(OPTIONAL_FEATURES)
cargo build --bin restful-as $(release) $(default-features) --features restful-bin,$(VERIFIER)

install:
for bin_name in $(BIN_NAMES); do \
install -D -m0755 $(TARGET_DIR)/$$bin_name $(DESTDIR); \
done

$(GRPC_AS_DOCKERFILE): $(GRPC_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR)
@$(DOCKERFILE_GENERATOR) $(GRPC_AS_DOCKERFILE_TEMPLATE) $(GRPC_AS_DOCKERFILE) VERIFIER=$(VERIFIER)

$(RESTFUL_AS_DOCKERFILE): $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $(DOCKERFILE_GENERATOR)
@$(DOCKERFILE_GENERATOR) $(RESTFUL_AS_DOCKERFILE_TEMPLATE) $(RESTFUL_AS_DOCKERFILE) VERIFIER=$(VERIFIER)

dockerfile: $(GRPC_AS_DOCKERFILE) $(RESTFUL_AS_DOCKERFILE)

clean:
cargo clean
cargo clean && \
rm -rf $(GRPC_AS_DOCKERFILE) $(RESTFUL_AS_DOCKERFILE)
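Review bot: On the two `@$(DOCKERFILE_GENERATOR) … VERIFIER=$(VERIFIER)` recipe lines the trailing `VERIFIER=…` is a third positional argument, but `generate-dockerfile.sh` reads only `$1`, `$2` and the `VERIFIER` environment variable, and make exports `VERIFIER` only when it came from the command line or environment, so the in-file default `VERIFIER ?= all-verifier` (or any value set inside the Makefile) never reaches the script and things work today only because the script's own fallback happens to be `all-verifier`. Pass it through the environment instead: `@VERIFIER=$(VERIFIER) $(DOCKERFILE_GENERATOR) $(GRPC_AS_DOCKERFILE_TEMPLATE) $(GRPC_AS_DOCKERFILE)`, and the same for the RESTful rule. The generated Dockerfiles also depend only on the template and the script, not on the value of `VERIFIER`, so `make dockerfile VERIFIER=se-verifier` after an earlier `make dockerfile` is a silent no-op and the image gets built with the previously requested verifier set; either make the two file targets depend on a stamp that records the last `VERIFIER`, or mark them phony so they are always regenerated. `dockerfile` should be declared phony alongside `build`/`clean`/`install` if the file declares those, and `$(default-features)` on the two `cargo build` lines now refers to a variable whose definition this hunk deletes (it expands to empty, so default features are always on), so either drop it or define it again.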
47 changes: 0 additions & 47 deletions attestation-service/docker/as-grpc/Dockerfile

This file was deleted.

35 changes: 35 additions & 0 deletions attestation-service/docker/as-grpc/Dockerfile.template
@@ -0,0 +1,35 @@
# Copyright (c) 2023 by Alibaba.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest AS builder

WORKDIR /usr/src/attestation-service
COPY . .

# Install Build Dependencies
RUN apt-get update && apt-get install -y protobuf-compiler clang

@INSTALL_TPM_DEPENDENCIES@

@INSTALL_TDX_DEPENDENCIES@

# Build and Install gRPC attestation-service
RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin,@VERIFIER@ --locked

FROM ubuntu:22.04
ARG ARCH=x86_64

LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service"

@INSTALL_TDX_DEPENDENCIES@

@COPY_TPM_DEPENDENCIES@

COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as

VOLUME /opt/confidential-containers/attestation-service

CMD ["grpc-as", "--socket", "0.0.0.0:50004"]

EXPOSE 50004
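Review bot: Nothing in `Dockerfile.template` says it is a template and the generated `Dockerfile` carries no marker either, so a reader of either file cannot tell that `@VERIFIER@`, `@INSTALL_TPM_DEPENDENCIES@`, `@INSTALL_TDX_DEPENDENCIES@` and `@COPY_TPM_DEPENDENCIES@` are filled in by `docker/generate-dockerfile.sh`, or that edits to the gitignored output are lost on the next `make dockerfile`. A header after the SPDX line such as `# Template for docker/as-grpc/Dockerfile. Do not build this file directly: run 'make dockerfile [VERIFIER=<feature>]' in attestation-service/, which expands the @...@ placeholders via docker/generate-dockerfile.sh.` covers the first, and having the generator prepend `# GENERATED FILE - edit Dockerfile.template instead` covers the second. Separately, the builder stage is `FROM rust:latest` while the cargo step is `--locked`; pinning the base image by tag or digest would make the verifier binaries reproducible, which matters for an attestation service whose image digest is what relying parties end up trusting.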
48 changes: 0 additions & 48 deletions attestation-service/docker/as-restful/Dockerfile

This file was deleted.

39 changes: 39 additions & 0 deletions attestation-service/docker/as-restful/Dockerfile.template
@@ -0,0 +1,39 @@
# Copyright (c) 2023 by Alibaba.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest AS builder

WORKDIR /usr/src/attestation-service
COPY . .

# Install Build Dependencies
RUN apt-get update && apt-get install -y protobuf-compiler clang

@INSTALL_TPM_DEPENDENCIES@

@INSTALL_TDX_DEPENDENCIES@

# Build and Install RESTful attestation-service
RUN cargo install --path attestation-service --bin restful-as --features restful-bin,@VERIFIER@ --locked

FROM ubuntu:22.04
ARG ARCH=x86_64

LABEL org.opencontainers.image.source="https://github.com/confidential-containers/trustee/attestation-service"

@INSTALL_TDX_DEPENDENCIES@

@COPY_TPM_DEPENDENCIES@

# Copy TPM Runtime Dependencies

COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as

COPY ./attestation-service/config.json /etc/config.json

VOLUME /opt/confidential-containers/attestation-service

CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"]

EXPOSE 8080
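Review bot: The `# Copy TPM Runtime Dependencies` comment on the line after `@COPY_TPM_DEPENDENCIES@` survives in every generated Dockerfile, including the non-vTPM variants where the placeholder expands to nothing, so the output shows a heading with no command under it; it also sits after the placeholder rather than above it. Either drop the line or fold it into the generator's `COPY_TSS` string so it is emitted only together with the COPY. A header stating that this is a template expanded by `docker/generate-dockerfile.sh` (`make dockerfile [VERIFIER=<feature>]` in attestation-service/) and that `docker/as-restful/Dockerfile` is generated and gitignored would also help, since neither file currently says so.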
47 changes: 47 additions & 0 deletions attestation-service/docker/generate-dockerfile.sh
@@ -0,0 +1,47 @@
#!/bin/bash

# Copyright (c) 2024 by Alibaba.
# Licensed under the Apache License, Version 2.0, see LICENSE for details.
# SPDX-License-Identifier: Apache-2.0

# Usage:
# VERIFIER=<verifier-parameter> generate-dockerfile.sh <template_file> <target_file>

set -euo pipefail

VERIFIER=${VERIFIER:-all-verifier}

template_file=$1
target_file=$2

cp "${template_file}" "${target_file}"

# TDX stacks
INSTALL_DCAP="
RUN apt-get update \&\& apt-get install -y curl gnupg \&\& \
curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - \&\& \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list \&\& \
apt-get update \&\& apt-get install -y libsgx-dcap-quote-verify-dev \&\& \
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/* \
"

if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ]; then
sed -i "s#@INSTALL_TDX_DEPENDENCIES@#${INSTALL_DCAP//$'\n'/\\n}#g" "${target_file}"
else
sed -i "s/@INSTALL_TDX_DEPENDENCIES@//g" "${target_file}"
fi

# vTPM TSS stacks
INSTALL_TSS="RUN apt-get install libtss2-dev -y"

COPY_TSS="COPY --from=builder /usr/lib/\${ARCH}-linux-gnu/libtss* /usr/lib/\${ARCH}-linux-gnu"

if [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "az-snp-vtpm-verifier" ] || [ "${VERIFIER}" = "az-tdx-vtpm-verifier" ]; then
sed -i "s#@INSTALL_TPM_DEPENDENCIES@#${INSTALL_TSS//$'\n'/\\n}#g" "${target_file}"
sed -i "s#@COPY_TPM_DEPENDENCIES@#${COPY_TSS//$'\n'/\\n}#g" "${target_file}"
else
sed -i "s/@INSTALL_TPM_DEPENDENCIES@//g" "${target_file}"
sed -i "s/@COPY_TPM_DEPENDENCIES@//g" "${target_file}"
fi

sed -i "s/@VERIFIER@/${VERIFIER}/g" "${target_file}"
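Review bot: `VERIFIER` is spliced into the final `s/@VERIFIER@/${VERIFIER}/g` sed expression and from there into the generated `RUN cargo install … --features …` line without validation, and the `else` branches happily emit a Dockerfile for any string, so a typo such as `all-verifiers` is only caught after the whole dependency install when cargo rejects the feature, and a value containing `/`, `&` or shell metacharacters corrupts the sed expression or the RUN command. The two `if` chains also compare the whole value with `=`, so a comma-separated feature list, which cargo and the Makefile's `--features grpc-bin,$(VERIFIER)` accept, such as `VERIFIER=tdx-verifier,sgx-verifier`, silently gets no DCAP stack. A syntax check before the substitutions plus per-feature matching fixes both; unknown but well-formed names still fail at cargo time, which is acceptable.
```shell
# Reject anything that is not a comma-separated list of feature names before
# it is spliced into sed expressions and into the generated RUN line.
if ! [[ "${VERIFIER}" =~ ^[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$ ]]; then
    echo "generate-dockerfile.sh: invalid VERIFIER '${VERIFIER}'" >&2
    exit 1
fi

# Match individual features so combined lists (VERIFIER=a-verifier,b-verifier)
# still pull in the runtime stack each one needs.
needs_feature() {
    case ",${VERIFIER}," in
        *,"$1",*) return 0 ;;
    esac
    return 1
}

# … unchanged: INSTALL_DCAP definition …
if needs_feature all-verifier || needs_feature tdx-verifier; then
# … unchanged: TDX sed substitution and else branch …
if needs_feature all-verifier || needs_feature az-snp-vtpm-verifier || needs_feature az-tdx-vtpm-verifier; then
# … unchanged: TPM sed substitutions, else branch and @VERIFIER@ substitution …
```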
5 changes: 4 additions & 1 deletion attestation-service/docs/grpc-as.md
Expand Up @@ -77,7 +77,9 @@ Build and install binary
git clone https://github.com/confidential-containers/trustee
cd trustee/attestation-service
WORKDIR=$(pwd)
make && make install
make ATTESTER=all-attester && make install

# You can use different attester by changing the value of ATTESTER
```

- For help information, run:
Expand Down Expand Up @@ -106,6 +108,7 @@ Build and run container image
```shell
git clone https://github.com/confidential-containers/trustee
cd trustee
cd attestation-service && make dockerfile && cd ..
docker build -t coco-as:grpc -f attestation-service/docker/as-grpc/Dockerfile .
```

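Review bot: `make ATTESTER=all-attester && make install` and the comment `# You can use different attester by changing the value of ATTESTER` refer to a variable this commit does not introduce — the Makefile knob added here is `VERIFIER` (default `all-verifier`), so the command works only because the unused `ATTESTER` assignment is ignored and the default applies, and a reader following the comment to select a different verifier silently gets `all-verifier`. Change the two lines to `make VERIFIER=all-verifier && make install` and `# Select the compiled-in verifier set by changing VERIFIER, e.g. VERIFIER=tdx-verifier`. The container section below could also mention that `make dockerfile` takes the same `VERIFIER=` argument, since the generated Dockerfile bakes the choice into the image.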
