Enable artifacts for s390x #383
Conversation
BbolroC
force-pushed
the
enable-s390x-images
branch
3 times, most recently
from
763914b to
7d80038
Compare
|
For reviewers, this PR does not cover the full enablement for s390x. Makefiles for |
There was a problem hiding this comment.
Looks pretty good.
You might want to check the release helper script and make sure that it will account for the multiarch images you are addding.
| - instance: ubuntu-22.04 | ||
| arch: x86_64 | ||
| - instance: s390x | ||
| arch: s390x |
There was a problem hiding this comment.
Fundamentally we only have two cases here. Maybe we could just have a matrix with the two arches and then put a condition down in the runs-on step to select the instance based on the arch?
I think there is also support for nested arrays in a matrix which might allow you to specify the two pairs directly.
I guess it's fairly common to use this include syntax, but I'm not a huge fan.
There was a problem hiding this comment.
Yep, what you are suggesting seems like:
jobs:
build_and_push:
strategy:
matrix:
arch:
- x86_64
- s390x
env:
RUSTC_VERSION: 1.76.0
runs-on: ${{ matrix.arch == 'x86_64' ? 'ubuntu-22.04' : 's390x' }}
It looks more concise and cleaner. Thanks for the suggestion.
| - name: Take a pre-action for self-hosted runner | ||
| run: | | ||
| if [ -f "${HOME}/script/pre_action.sh" ]; then | ||
| "${HOME}/script/pre_action.sh" cc-trustee |
There was a problem hiding this comment.
Is this script tracked anywhere?
There was a problem hiding this comment.
I got the same question for kata containers at kata-containers/kata-containers#8649 (review). The script is managed internally, but set -x could be set for tracking what it does.
| @@ -2,6 +2,8 @@ AS_TYPE ?= coco-as | |||
| HTTPS_CRYPTO ?= rustls | |||
| POLICY_ENGINE ?= | |||
|
|
|||
| ARCH := $(shell uname -m) | |||
There was a problem hiding this comment.
Should we have a check in case it is something other than the two we support?
There was a problem hiding this comment.
It sounds good. I will bring the check. Thanks!
| libsgx-dcap-quote-verify-dev \ | ||
| libtdx-attest-dev | ||
| libtdx-attest-dev; fi |
There was a problem hiding this comment.
I think this is fine, but really it might make more sense to connect all this TDX-specific stuff to a TDX-related flag rather than the arch. TDX could always be set to false for s390x
There was a problem hiding this comment.
Yes, we could introduce a TDX variable in the build script and then set it to true/false based on the arch, even we could have more fine-grained control over different boolean variables for TEE types. But as discussed in Slack, this could be handled in a follow-up PR. wdyt, @Xynnn007 ?
There was a problem hiding this comment.
reasonable. In future, we need to add all plugin flags and by default set them all to true.
| @@ -4,7 +4,7 @@ version = "0.1.0" | |||
| edition = "2021" | |||
|
|
|||
| [features] | |||
| default = [ "restful-bin", "rvps-grpc", "rvps-builtin", "all-verifier" ] | |||
| default = [ "restful-bin", "rvps-grpc", "rvps-builtin" ] | |||
There was a problem hiding this comment.
I'm on the fence about this. Maybe it would be better for us to add a dummy s390x feature or merge @huoqifeng's PR. wdyt @Xynnn007?
There was a problem hiding this comment.
nvm i think this is fine. hadn't read the bottom part yet.
| verifier = { path = "../verifier", default-features = false, features = ["all-verifier"] } | ||
|
|
||
| [target.'cfg(target_arch = "s390x")'.dependencies] | ||
| verifier = { path = "../verifier", default-features = false, features = ["csv-verifier"] } |
There was a problem hiding this comment.
So once the s390x verifier is in, will that only be able to be built (and run) on an s390x machine? Will we be able to support validating s390x evidence on x86?
There was a problem hiding this comment.
Yes, once the s390x verifier comes in, if it is included in all-verifier, we could see x86 support validating s390x evidence, but not vice versa.
|
|
||
| WORKDIR /usr/src/attestation-service | ||
| COPY . . | ||
|
|
||
| # Install golang | ||
| RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz && \ | ||
| tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz | ||
| RUN [ "${ARCH}" = "x86_64" ] && GOARCH="amd64" || GOARCH="${ARCH}" && \ |
There was a problem hiding this comment.
why we need [ "${ARCH}" = "x86_64" ] && GOARCH="amd64" here?
There was a problem hiding this comment.
Yeah, this could be confusing to those who are not familiar with bash. I will make it clearer with if else fi. Thanks!
| libsgx-dcap-quote-verify-dev \ | ||
| libtdx-attest-dev | ||
| libtdx-attest-dev; fi |
There was a problem hiding this comment.
reasonable. In future, we need to add all plugin flags and by default set them all to true.
@Xynnn007 might a circle dependency here, the remain work in #345 requires we can build on s390x because of the IBM SE crate. What about we merge #345 and then this PR and then add the IBM SE crate? |
Thanks for the comment. I also discussed it with @Xynnn007. We ended up with waiting until #345 is merged and updating |
It seems that container images will not be affected by this PR, but an oras artifact |
BbolroC
force-pushed
the
enable-s390x-images
branch
from
7d80038 to
4890f58
Compare
|
Here are the verification result for the last update:
The last verification will be fulfilled again when the verifier is updated by #345. |
BbolroC
force-pushed
the
enable-s390x-images
branch
from
4890f58 to
367a0de
Compare
Now, I got your point. I was only considering whether the multi-arch images hurt the release helper script or not. But you wanted me to enable the script to publish the multi-arch release images. I have updated the PR. Please take a look. 😉 |
| docker manifest create ${ghcr_repo}/${release_pkg_name}:${release_tag_full} \ | ||
| --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-x86_64 \ | ||
| --amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-s390x | ||
| docker manifest push ${ghcr_repo}/${release_pkg_name}:${release_tag_full} |
There was a problem hiding this comment.
Thanks for handling this release-helper.sh change with this PR! I wonder if there was a minor bug in the earlier script, though: It never added a latest tag to the new release. If you want, maybe add something like that here:
docker manifest create ${ghcr_repo}/${release_pkg_name}:${latest} \
--amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-x86_64 \
--amend ${ghcr_repo}/${release_pkg_name}:${release_tag_full}-s390x
docker manifest push ${ghcr_repo}/${release_pkg_name}:${latest}
|
Are we waiting on #345 for this? |
Yep! |
|
@BbolroC , I'm trying to build s390x kbs images based on this PR in our internal pipeline. The problem is we don't have s390x node in the pipeline. So I have to build s390x image on x86 platform. First, I tried docker buildx with It works and we don't need more changes on your PR. But the performance is very low. It takes hours to build the rust in this way. So I also tried to use rust cross-compile support, like: It also works, but requires some changes based on your PR. I think we did similar works in guest-components: I will try those changes in my fork based on your fork, and raise PR after this PR is merged. |
|
@genjuro214 thanks for your work. I think the best resolution would be not using the self-hosted runner in terms of capability and maintenance. Why don't you create a new PR based on this for the best resolution and merge it instead of this one? Or you could give me a patch and I could apply it here. 😉 |
BbolroC
force-pushed
the
enable-s390x-images
branch
2 times, most recently
from
1d351ce to
b4b83b8
Compare
BbolroC
force-pushed
the
enable-s390x-images
branch
3 times, most recently
from
c6a00bb to
0902814
Compare
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option for attestor is not configured here, but a new attester for s390x will be added by confidential-containers#492.
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option for attestor is not configured here, but a new attester for s390x will be added by confidential-containers#492. Signed-off-by: Hyounggyu Choi <[email protected]>
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option is configured to use `se-attester`. Signed-off-by: Hyounggyu Choi <[email protected]>
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option is configured to use `se-attester`. Signed-off-by: Hyounggyu Choi <[email protected]>
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option is configured to use `se-attester`. Signed-off-by: Hyounggyu Choi <[email protected]>
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option is configured to use `se-attester`. Signed-off-by: Hyounggyu Choi <[email protected]>
We are encountering an issue on s390x when compiling AS with `all-verifier`. The error message is as follows: ``` error: failed to run custom build command for `tss-esapi-sys v0.5.0` ``` A platform-specific verifier (e.g., `se-verifier`) is used here. (confidential-containers#345) Although we can easily configure the verifier using `--features`, this approach lacks flexibility when the crate is selectively called from outside (e.g., kbs) based on `target_arch`. The optimal solution would be to open up room for configuring the verifier at a `dependencies` level rather than a `features` level. This commit aims to remove `all-verifier` from the default feature set and configure it differently for s390x. Signed-off-by: Hyounggyu Choi <[email protected]>
`.github/actionlint.yaml` is required to make a label `s390x` tolerant against actionlint. Signed-off-by: Hyounggyu Choi <[email protected]>
This commit introduces a job matrix to allow a s390x self-hosted runner
to run alongside the existing x86_64 one.
Additionally, two new steps (e.g., {pre,post} action) are introduced to
manage the self-hosted runner since it is not provisioned instantly for
CI.
The make target `cli-static-x86_64-linux` is renamed to `cli-static-linux`
for platform independence.
Signed-off-by: Hyounggyu Choi <[email protected]>
BbolroC
force-pushed
the
enable-s390x-images
branch
2 times, most recently
from
bf99277 to
001d905
Compare
This commit introduces a job matrix to allow a s390x self-hosted runner
to run alongside the existing x86_64 one.
Additionally, two new steps (e.g., {pre,post} action) are introduced to
manage the self-hosted runner since it is not provisioned instantly for
CI.
To make the published images support multiple architecture, a new job
`publish_multi_arch_image` is also introduced.
Signed-off-by: Hyounggyu Choi <[email protected]>
This commit introduces a job matrix to allow a s390x self-hosted runner
to run alongside the existing x86_64 one.
Additionally, two new steps (e.g., {pre,post} action) are introduced to
manage the self-hosted runner since it is not provisioned instantly for
CI.
To run the build steps `kbs` and `kbs-grpc-as` in parallel, the build step
is generalized into one step and the relevant configuration values are
parameterized into the job matrix.
Signed-off-by: Hyounggyu Choi <[email protected]>
We need to update the release helper script accordingly to publish multi-arch images. Signed-off-by: Hyounggyu Choi <[email protected]>
BbolroC
force-pushed
the
enable-s390x-images
branch
from
001d905 to
f6947f3
Compare
This commit make the existing build/test for attestation agent running on s390x. We will enable `cargo test` after an image for kbs is ready. (confidential-containers/trustee#383) The build option is configured to use `se-attester`. Signed-off-by: Hyounggyu Choi <[email protected]>
This PR enables all artifacts (container images and binaries) for
s390xalongsidex86_64. The self-hosted runner to build them is already registered ass390x-runner-01to the organisation.The change was verified with a private runner as follows:
AS: https://github.com/BbolroC/trustee/actions/runs/8982469105
KBS: https://github.com/BbolroC/trustee/actions/runs/8982469108
KBS-client: https://github.com/BbolroC/trustee/actions/runs/8982469107
The artifacts are available at:
Fixes: #364
Signed-off-by: Hyounggyu Choi [email protected]