From b4b83b86fe04f017b0cf2f78a31bd60a0a245670 Mon Sep 17 00:00:00 2001 From: Lei Li Date: Thu, 30 May 2024 11:48:13 +0800 Subject: [PATCH] ready for merge Signed-off-by: Lei Li --- .../as-build-and-push-cross-compilation.yaml | 100 ------------------ .github/workflows/as-build-and-push.yaml | 69 ++---------- .github/workflows/kbs-build-and-push.yaml | 37 ++----- attestation-service/Dockerfile.as-grpc | 18 ++-- attestation-service/Dockerfile.as-restful | 14 ++- attestation-service/rvps/Dockerfile | 9 +- kbs/docker/Dockerfile | 11 +- kbs/docker/Dockerfile.coco-as-grpc | 13 ++- 8 files changed, 59 insertions(+), 212 deletions(-) delete mode 100644 .github/workflows/as-build-and-push-cross-compilation.yaml diff --git a/.github/workflows/as-build-and-push-cross-compilation.yaml b/.github/workflows/as-build-and-push-cross-compilation.yaml deleted file mode 100644 index 24bb3c3f00..0000000000 --- a/.github/workflows/as-build-and-push-cross-compilation.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -name: Build and Push CoCoAS / RVPS Image with cross-compilation supports - -on: - push: - branches: - - main - workflow_dispatch: - -jobs: - build_and_push: - permissions: - packages: write - strategy: - fail-fast: false - matrix: - instance: - - ubuntu-latest - platform: - - linux/amd64 - - linux/s390x - tag: - - coco-as-grpc - - coco-as-restful - - rvps - include: - - docker_file: attestation-service/Dockerfile.as-grpc - tag: coco-as-grpc - name: gRPC CoCo-AS - - docker_file: attestation-service/Dockerfile.as-restful - tag: coco-as-restful - name: RESTful CoCo-AS - - docker_file: attestation-service/rvps/Dockerfile - tag: rvps - name: RVPS - runs-on: ${{ matrix.instance }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build ${{ matrix.name }} Container Image - run: | - commit_sha=${{ github.sha }} - arch=$(uname -m) - docker buildx build -f ${{ matrix.docker_file }} --load --build-arg ARCH=${arch} \ - --platform ${{ matrix.platform }} \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} . 
- - publish_multi_arch_image: - needs: build_and_push - permissions: - packages: write - strategy: - fail-fast: false - matrix: - tag: - - coco-as-grpc - - coco-as-restful - - rvps - include: - - tag: coco-as-grpc - name: gRPC CoCo-AS - - tag: coco-as-restful - name: RESTful CoCo-AS - - tag: rvps - name: RVPS - runs-on: ubuntu-latest - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Multi-arch Image for ${{ matrix.name }} - run: | - commit_sha=${{ github.sha }} - docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64 - docker manifest inspect ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} - docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64 - docker manifest inspect ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest diff --git a/.github/workflows/as-build-and-push.yaml b/.github/workflows/as-build-and-push.yaml index 50f1925ec8..32196c577b 100644 --- a/.github/workflows/as-build-and-push.yaml +++ b/.github/workflows/as-build-and-push.yaml @@ -4,6 +4,7 @@ on: push: branches: - main + workflow_dispatch: jobs: build_and_push: @@ -14,7 +15,8 @@ jobs: matrix: instance: - ubuntu-latest - - s390x + platforms: + - linux/amd64,linux/s390x tag: - coco-as-grpc - coco-as-restful 
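Review bot: Adding `workflow_dispatch:` lets anyone with write access run this job from any branch or tag, and since the build step (outside this hunk) pushes `:latest` under `packages: write`, a manual run from a feature branch silently replaces the staged `latest` images that `main` produced. Consider guarding the mutable tag with a ref check, e.g. `if: github.ref == 'refs/heads/main'` on the build step, or only adding the `latest` `-t` when that condition holds, so a dispatch from another ref publishes the commit-sha tag alone. The matrix change in the next hunk collapses both platforms onto a single `ubuntu-latest` runner; whether that runner has the buildx container driver and QEMU/binfmt needed for the s390x final stage is set up outside this hunk and is not visible here.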
@@ -32,14 +34,6 @@ jobs: runs-on: ${{ matrix.instance }} steps: - - name: Take a pre-action for self-hosted runner - run: | - # NOTE: Use file checking instead triggering a step based on a runner type - # to avoid updating the step for each new self-hosted runner. - if [ -f "${HOME}/script/pre_action.sh" ]; then - "${HOME}/script/pre_action.sh" cc-trustee - fi - - name: Checkout code uses: actions/checkout@v4 
@@ -57,56 +51,7 @@ jobs: run: | commit_sha=${{ github.sha }} arch=$(uname -m) - DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push --build-arg ARCH=${arch} \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} . - - - name: Take a post-action for self-hosted runner - if: always() - run: | - # Please check out the note in the pre-action step for the reason of using file checking - if [ -f "${HOME}/script/post_action.sh" ]; then - "${HOME}/script/post_action.sh" cc-trustee - fi - - publish_multi_arch_image: - needs: build_and_push - permissions: - packages: write - strategy: - fail-fast: false - matrix: - tag: - - coco-as-grpc - - coco-as-restful - - rvps - include: - - tag: coco-as-grpc - name: gRPC CoCo-AS - - tag: coco-as-restful - name: RESTful CoCo-AS - - tag: rvps - name: RVPS - runs-on: ubuntu-latest - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Multi-arch Image for ${{ matrix.name }} - run: | - commit_sha=${{ github.sha }} - docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64 - docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} - docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x \ - --amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64 - docker 
manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest + docker buildx build -f ${{ matrix.docker_file }} --push --build-arg ARCH=${arch} \ + --platform ${{ matrix.platforms }} \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest . \ No newline at end of file diff --git a/.github/workflows/kbs-build-and-push.yaml b/.github/workflows/kbs-build-and-push.yaml index 40077d8c11..98f81a2028 100644 --- a/.github/workflows/kbs-build-and-push.yaml +++ b/.github/workflows/kbs-build-and-push.yaml @@ -1,6 +1,9 @@ name: Build and Push kbs Image on: + push: + branches: + - main workflow_dispatch: jobs: @@ -12,9 +15,8 @@ jobs: matrix: instance: - ubuntu-latest - platform: - - linux/amd64 - - linux/s390x + platforms: + - linux/amd64,linux/s390x tag: - kbs - kbs-grpc-as @@ -30,14 +32,6 @@ jobs: runs-on: ${{ matrix.instance }} steps: - - name: Take a pre-action for self-hosted runner - run: | - # NOTE: Use file checking instead triggering a step based on a runner type - # to avoid updating the step for each new self-hosted runner. - if [ -f "${HOME}/script/pre_action.sh" ]; then - "${HOME}/script/pre_action.sh" cc-trustee - fi - - name: Checkout code uses: actions/checkout@v4 
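Review bot: `--build-arg ARCH=${arch}` with `arch=$(uname -m)` now feeds the runner's own architecture (x86_64 on `ubuntu-latest`) to both platforms of the multi-platform build, so the s390x variant of each image resolves `${ARCH}-linux-gnu` to the x86_64 path in the Dockerfiles' `COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss*` step. Drop the `arch` variable and the `--build-arg ARCH` argument and let each Dockerfile derive the multiarch triplet from BuildKit's per-platform `TARGETARCH`; a host value must never be passed into a multi-platform build. Pushing straight with `--push` also leaves nothing local to scan or sign; capturing the digest with `--metadata-file` would let downstream consumers reference the staged image by digest rather than the mutable `:latest`. The multi-platform build presumably depends on the buildx setup step above this hunk, which is not visible here.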
@@ -54,18 +48,9 @@ jobs: - name: Build Container Image KBS (${{ matrix.name }}) run: | commit_sha=${{ github.sha }} - https_crypto=openssl - docker buildx build -f ${{ matrix.docker_file }} --load \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \ - -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} \ - --platform ${{ matrix.platform }} --build-arg HTTPS_CRYPTO=${https_crypto} . - - - name: Take a post-action for self-hosted runner - if: always() - run: | - # Please check out the note in the pre-action step for the reason of using file checking - if [ -f "${HOME}/script/post_action.sh" ]; then - "${HOME}/script/post_action.sh" cc-trustee - fi - - + https_crypto=${{ matrix.https_crypto }} + docker buildx build -f ${{ matrix.docker_file }} --push \ + --platform ${{ matrix.platforms }} \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \ + -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest \ + --build-arg HTTPS_CRYPTO=${https_crypto} . diff --git a/attestation-service/Dockerfile.as-grpc b/attestation-service/Dockerfile.as-grpc index a77df473d7..f9bd5cd7b7 100644 --- a/attestation-service/Dockerfile.as-grpc +++ b/attestation-service/Dockerfile.as-grpc @@ -3,6 +3,7 @@ # SPDX-License-Identifier: Apache-2.0 FROM --platform=${BUILDPLATFORM} rust:latest as builder +# predefined variables supported by BuildKit ARG TARGETARCH ARG BUILDARCH 
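Review bot: `https_crypto=${{ matrix.https_crypto }}` reads a matrix key that none of the visible matrix entries define; the `include:` block that would carry it sits outside this hunk. If it is not set there, the expression expands to an empty string, `HTTPS_CRYPTO` reaches the Dockerfile empty, and the feature list becomes `coco-as-builtin,resource,opa,` with a trailing comma, so the build either fails or compiles KBS without the intended TLS backend depending on how the crate defines its features. Please confirm the `include:` entries for `kbs` and `kbs-grpc-as` set `https_crypto`, or fail fast before the build with `test -n "${https_crypto}" || { echo "matrix.https_crypto is unset" >&2; exit 1; }`. The build arg is also the only record of which TLS stack a published image was built with; passing it through as an OCI label would make that auditable from the registry.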
@@ -23,7 +24,7 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then curl -L https://download.01.org/intel echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi -# To support cross-compiling +# To support cross-compilation RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends \ gcc-"${TARGETARCH}"-linux-gnu \ libc6-dev-"${TARGETARCH}"-cross && \ @@ -33,16 +34,16 @@ RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-inst # Build and Install gRPC attestation-service RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \ RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" CGO_ENABLED=1 GOARCH="${TARGETARCH}" \ - cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked --target "${TARGETARCH}-unknown-linux-gnu"; \ + cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked \ + --target "${TARGETARCH}-unknown-linux-gnu"; \ else \ - cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked; \ + cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked; \ fi -RUN ls -l /usr/lib/ - FROM --platform=${TARGETPLATFORM} ubuntu:22.04 -ARG ARCH +ARG ARCH=x86_64 ARG TARGETARCH +ARG BUILDARCH LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" 
@@ -56,6 +57,9 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then curl -L https://download.01.org/intel apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi +# Install TPM Dependencies for cross-complication +RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends libtss2-dev; fi + # Copy TPM Runtime Dependencies COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu @@ -65,4 +69,4 @@ VOLUME /opt/confidential-containers/attestation-service CMD ["grpc-as", "--socket", "0.0.0.0:50004"] -EXPOSE 50004 +EXPOSE 50004 \ No newline at end of file diff --git a/attestation-service/Dockerfile.as-restful b/attestation-service/Dockerfile.as-restful index dc8a3f58e0..eeab5784fb 100644 --- a/attestation-service/Dockerfile.as-restful +++ b/attestation-service/Dockerfile.as-restful @@ -24,7 +24,7 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then curl -L https://download.01.org/intel echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \ apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi -# to support cross-compiling +# To support cross-compilation RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends \ gcc-"${TARGETARCH}"-linux-gnu \ libc6-dev-"${TARGETARCH}"-cross && \ 
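Review bot: The new `apt-get install -y --no-install-recommends libtss2-dev` runs without an `apt-get update` in the same layer, and the only prior apt call visible in this stage is the amd64-only Intel SGX block, which is skipped entirely for s390x, so on a fresh `ubuntu:22.04` the package lists are empty and the install fails unless a line outside this hunk already updated them. It also installs a `-dev` package into a runtime image and leaves the apt lists behind; at minimum make it `RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get update && apt-get install -y --no-install-recommends libtss2-dev && rm -rf /var/lib/apt/lists/*; fi`, and prefer the runtime `libtss2-*` library packages over the `-dev` meta package once the exact names are confirmed. The `COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss*` on the following line still executes in the cross case with `ARCH` defaulting to `x86_64`, so the builder's amd64 shared objects land in `/usr/lib/x86_64-linux-gnu` of the s390x image — unused but unaudited binaries in an attestation-service image; key that path off `TARGETARCH` or stage the libraries in the builder so only the target's copies are copied. The comment reads `cross-complication`; it should say `cross-compilation`.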
@@ -34,13 +34,16 @@ RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-inst # Build and Install RESTful attestation-service RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \ RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" CGO_ENABLED=1 GOARCH="${TARGETARCH}" \ - cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked --target "${TARGETARCH}-unknown-linux-gnu"; \ + cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked \ + --target "${TARGETARCH}-unknown-linux-gnu"; \ else \ - cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked; \ + cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked; \ fi FROM --platform=${TARGETPLATFORM} ubuntu:22.04 ARG ARCH=x86_64 +ARG TARGETARCH +ARG BUILDARCH LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service" @@ -54,6 +57,9 @@ RUN if [ "${TARGETARCH}" = "amd64" ]; then curl -L https://download.01.org/intel apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \ rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi +# Install TPM Dependencies for cross-complication +RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends libtss2-dev; fi + # Copy TPM Runtime Dependencies COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu @@ -65,4 +71,4 @@ VOLUME /opt/confidential-containers/attestation-service CMD ["restful-as", "--socket", "0.0.0.0:8080", "--config-file", "/etc/config.json"] -EXPOSE 8080 +EXPOSE 8080 \ No newline at end of file diff --git a/attestation-service/rvps/Dockerfile b/attestation-service/rvps/Dockerfile index 74a7fd6946..040e3cb97e 100644 --- a/attestation-service/rvps/Dockerfile +++ b/attestation-service/rvps/Dockerfile 
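Review bot: In the `-54,6 +57,9` hunk the cross-compilation `apt-get install -y --no-install-recommends libtss2-dev` has no `apt-get update` in its layer and no list cleanup afterwards, while the preceding amd64-only SGX block — the only visible update in this stage — does not run for s390x at all, so the install can only succeed if an earlier line outside this hunk refreshed the lists. Write it as `RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get update && apt-get install -y --no-install-recommends libtss2-dev && rm -rf /var/lib/apt/lists/*; fi` so the layer is self-contained and does not ship stale package indexes. The `COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss*` that follows is unconditional and `ARCH` defaults to `x86_64`, so the s390x RESTful image also receives the builder's amd64 `libtss*` objects; consider deriving the triplet from `TARGETARCH` instead. The comment typo `cross-complication` should be `cross-compilation`.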
@@ -13,7 +13,7 @@ COPY . . RUN apt-get update && apt-get install protobuf-compiler -y -# to support cross-compiling +# To support cross-compilation RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends \ gcc-"${TARGETARCH}"-linux-gnu \ libc6-dev-"${TARGETARCH}"-cross && \ @@ -21,9 +21,10 @@ RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-inst RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \ RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" \ - cargo install --bin rvps --path attestation-service/rvps --target "${TARGETARCH}-unknown-linux-gnu"; \ + cargo install --bin rvps --path attestation-service/rvps \ + --target "${TARGETARCH}-unknown-linux-gnu"; \ else \ - cargo install --bin rvps --path attestation-service/rvps; \ + cargo install --bin rvps --path attestation-service/rvps; \ fi FROM --platform=${TARGETPLATFORM} debian @@ -36,4 +37,4 @@ CMD ["rvps"] VOLUME /opt/confidential-containers/attestation-service/reference_values/ -EXPOSE 50003 +EXPOSE 50003 \ No newline at end of file diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile index fdadefb8c8..f295611b4e 100644 --- a/kbs/docker/Dockerfile +++ b/kbs/docker/Dockerfile @@ -38,7 +38,7 @@ RUN wget https://go.dev/dl/go1.20.1.linux-${BUILDARCH}.tar.gz && \ tar -C /usr/local -xzf go1.20.1.linux-${BUILDARCH}.tar.gz ENV PATH="/usr/local/go/bin:${PATH}" -# to support cross-compiling +# To support cross-compilation RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends \ gcc-"${TARGETARCH}"-linux-gnu \ libc6-dev-"${TARGETARCH}"-cross && \ 
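Review bot: Both rewritten `cargo install --bin rvps --path attestation-service/rvps` invocations still omit `--locked`, unlike the `cargo install --locked` used by `kbs/docker/Dockerfile` in this same patch, so the RVPS image is built from a freshly resolved dependency graph rather than the committed `Cargo.lock`; for the component that supplies reference values to the attestation path, that makes the published image unreproducible and lets a newer crate version enter without review. Add `--locked` to both branches, e.g. `cargo install --locked --bin rvps --path attestation-service/rvps --target "${TARGETARCH}-unknown-linux-gnu"; \` and the matching native line. The final stage's `FROM --platform=${TARGETPLATFORM} debian` (context line) is a floating tag; pinning to a versioned tag or digest would close the same reproducibility gap.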
@@ -49,11 +49,14 @@ RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-inst
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \
+RUN https_crypto_feature="${HTTPS_CRYPTO}" && \
+ if [ "${TARGETARCH}" = "s390x" ]; then https_crypto_feature="openssl"; fi && \
+ if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \
 RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" CGO_ENABLED=1 GOARCH="${TARGETARCH}" \
- cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO} --target "${TARGETARCH}-unknown-linux-gnu"; \
+ cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${https_crypto_feature} \
+ --target "${TARGETARCH}-unknown-linux-gnu"; \
 else \
- cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${HTTPS_CRYPTO}; \
+ cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa,${https_crypto_feature}; \
 fi
 
 FROM --platform=${TARGETPLATFORM} ubuntu:22.04
diff --git a/kbs/docker/Dockerfile.coco-as-grpc b/kbs/docker/Dockerfile.coco-as-grpc
index f128ba6150..97350d596d 100644
--- a/kbs/docker/Dockerfile.coco-as-grpc
+++ b/kbs/docker/Dockerfile.coco-as-grpc
@@ -18,7 +18,7 @@ RUN wget https://go.dev/dl/go1.20.1.linux-${BUILDARCH}.tar.gz && \
 tar -C /usr/local -xzf go1.20.1.linux-${BUILDARCH}.tar.gz
 ENV PATH="/usr/local/go/bin:${PATH}"
 
-# to support cross-compiling
+# To support cross-compilation
 RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-install-recommends \
 gcc-"${TARGETARCH}"-linux-gnu \
 libc6-dev-"${TARGETARCH}"-cross && \
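Review bot: The new `if [ "${TARGETARCH}" = "s390x" ]; then https_crypto_feature="openssl"; fi` silently discards whatever the caller passed in `HTTPS_CRYPTO` for s390x, so a build requested with a different TLS backend produces an openssl-linked KBS with no trace in the build log or image metadata. Make the override visible and conditional on an actual mismatch, e.g. `if [ "${TARGETARCH}" = "s390x" ] && [ "${https_crypto_feature}" != "openssl" ]; then echo "NOTE: HTTPS_CRYPTO=${https_crypto_feature} not supported on s390x, using openssl" >&2; https_crypto_feature="openssl"; fi && \`, and add a one-line comment above the `RUN` stating why s390x is pinned to openssl, since the patch does not say. An empty `HTTPS_CRYPTO` on amd64 still yields `--features coco-as-builtin,resource,opa,` with a trailing comma; a `test -n "${https_crypto_feature}"` guard at the top of the `RUN` would turn that into a clear build error instead of whatever cargo makes of it.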
@@ -26,11 +26,14 @@ RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then apt-get install -y --no-inst
 go env -w CC="${TARGETARCH}"-linux-gnu-gcc; fi
 
 # Build and Install KBS
-RUN if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \
- RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" CGO_ENABLED=1 GOARCH="${TARGETARCH}" \
- cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO} --target "${TARGETARCH}-unknown-linux-gnu"; \
+RUN https_crypto_feature="${HTTPS_CRYPTO}" && \
+ if [ "${TARGETARCH}" = "s390x" ]; then https_crypto_feature="openssl"; fi && \
+ if [ "${BUILDARCH}" != "${TARGETARCH}" ]; then \
+ RUSTFLAGS=" -C linker=${TARGETARCH}-linux-gnu-gcc" CGO_ENABLED=1 GOARCH="${TARGETARCH}" \
+ cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${https_crypto_feature} \
+ --target "${TARGETARCH}-unknown-linux-gnu"; \
 else \
- cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${HTTPS_CRYPTO}; \
+ cargo install --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${https_crypto_feature}; \
 fi
 
 FROM --platform=${TARGETPLATFORM} ubuntu:22.04
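Review bot: The rewritten `cargo install --path kbs/src/kbs ...` lines in both branches still omit `--locked`, while `kbs/docker/Dockerfile` in this same patch builds the same crate with `cargo install --locked`; the gRPC-AS variant of KBS therefore resolves its dependency tree at build time instead of from the committed `Cargo.lock`, so two builds of the same commit can ship different crate versions. Add `--locked` to both invocations, e.g. `cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-grpc,resource,opa,${https_crypto_feature} \` and the matching native line. The s390x override of `https_crypto_feature` is the same silent substitution as in `kbs/docker/Dockerfile`; an `echo ... >&2` when the requested value differs from `openssl` would at least leave a trace in the build log, and a short comment above the `RUN` should say why s390x is pinned to openssl.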