Merge branch 'choi' into s390x-verifier-dev-img
Qi Feng Huo committed May 27, 2024
2 parents 0deabc5 + 367a0de commit 97857c4
Showing 16 changed files with 336 additions and 61 deletions.
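--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -0,0 +1,4 @@
+self-hosted-runner:
+# Labels of self-hosted runner in array of string
+labels:
+- s390x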
74 changes: 72 additions & 2 deletions .github/workflows/as-build-and-push.yaml
Expand Up @@ -7,10 +7,18 @@ on:

jobs:
build_and_push:
runs-on: ubuntu-latest
permissions:
packages: write
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
- s390x
tag:
- coco-as-grpc
- coco-as-restful
- rvps
include:
- docker_file: attestation-service/Dockerfile.as-grpc
tag: coco-as-grpc
Expand All @@ -21,8 +29,17 @@ jobs:
- docker_file: attestation-service/rvps/Dockerfile
tag: rvps
name: RVPS
runs-on: ${{ matrix.instance }}

steps:
- name: Take a pre-action for self-hosted runner
run: |
# NOTE: Use file checking instead triggering a step based on a runner type
# to avoid updating the step for each new self-hosted runner.
if [ -f "${HOME}/script/pre_action.sh" ]; then
"${HOME}/script/pre_action.sh" cc-trustee
fi
- name: Checkout code
uses: actions/checkout@v4

Expand All @@ -39,4 +56,57 @@ jobs:
- name: Build ${{ matrix.name }} Container Image
run: |
commit_sha=${{ github.sha }}
DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest . -f ${{ matrix.docker_file }} --push
arch=$(uname -m)
DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push --build-arg ARCH=${arch} \
-t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \
-t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} .
- name: Take a post-action for self-hosted runner
if: always()
run: |
# Please check out the note in the pre-action step for the reason of using file checking
if [ -f "${HOME}/script/post_action.sh" ]; then
"${HOME}/script/post_action.sh" cc-trustee
fi
publish_multi_arch_image:
needs: build_and_push
permissions:
packages: write
strategy:
fail-fast: false
matrix:
tag:
- coco-as-grpc
- coco-as-restful
- rvps
include:
- tag: coco-as-grpc
name: gRPC CoCo-AS
- tag: coco-as-restful
name: RESTful CoCo-AS
- tag: rvps
name: RVPS
runs-on: ubuntu-latest
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Publish Multi-arch Image for ${{ matrix.name }}
run: |
commit_sha=${{ github.sha }}
docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64
docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}
docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64
docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest
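Review bot: The s390x leg of build_and_push runs with `packages: write` and a GHCR login on a self-hosted runner, and the pre/post-action steps execute `${HOME}/script/pre_action.sh` and `post_action.sh` whenever those files exist, so anything able to write to that runner's home (an earlier job, or a fork pull request if the `on:` triggers above the hunk include `pull_request`) gets code executed ahead of checkout in the same job context the later login step uses. Gate the self-hosted leg on trusted events and record the assumption next to the step, e.g. `# NOTE: s390x is a persistent self-hosted runner — run only on push to protected branches; hook scripts must not be writable by the runner user`. Separately, the `:latest` manifest at the end of publish_multi_arch_image is assembled from the mutable `latest-s390x`/`latest-x86_64` tags, so a partially failed earlier run can produce an index that mixes two commits; building it from `${commit_sha}-s390x` and `${commit_sha}-x86_64` (the same references the first `docker manifest create` uses) avoids that.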
79 changes: 74 additions & 5 deletions .github/workflows/kbs-build-and-push.yaml
Expand Up @@ -7,9 +7,37 @@ on:

jobs:
build_and_push:
runs-on: ubuntu-latest
permissions:
packages: write
strategy:
fail-fast: false
matrix:
instance:
- ubuntu-latest
- s390x
tag:
- kbs
- kbs-grpc-as
include:
- tag: kbs
docker_file: kbs/docker/Dockerfile
https_crypto: openssl
name: build-in AS
- tag: kbs-grpc-as
docker_file: kbs/docker/Dockerfile.coco-as-grpc
https_crypto: rustls
name: gRPC AS
runs-on: ${{ matrix.instance }}

steps:
- name: Take a pre-action for self-hosted runner
run: |
# NOTE: Use file checking instead triggering a step based on a runner type
# to avoid updating the step for each new self-hosted runner.
if [ -f "${HOME}/script/pre_action.sh" ]; then
"${HOME}/script/pre_action.sh" cc-trustee
fi
- name: Checkout code
uses: actions/checkout@v4

Expand All @@ -23,12 +51,53 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build Container Image KBS (built-in AS)
- name: Build Container Image KBS (${{ matrix.name }})
run: |
commit_sha=${{ github.sha }}
DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs:latest --build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa . -f kbs/docker/Dockerfile --push
arch=$(uname -m)
https_crypto=${{ matrix.https_crypto }}
[ "${arch}" = "s390x" ] && https_crypto=openssl
DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push \
-t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \
-t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} \
--build-arg ARCH=${arch} --build-arg HTTPS_CRYPTO=${https_crypto} .
- name: Take a post-action for self-hosted runner
if: always()
run: |
# Please check out the note in the pre-action step for the reason of using file checking
if [ -f "${HOME}/script/post_action.sh" ]; then
"${HOME}/script/post_action.sh" cc-trustee
fi
publish_multi_arch_image:
needs: build_and_push
strategy:
fail-fast: false
matrix:
image:
- kbs
- kbs-grpc-as
permissions:
packages: write
runs-on: ubuntu-latest

steps:
- name: Login to GHCR Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build Container Image KBS (gRPC AS)
- name: Publish Multi-Arch ${{ matrix.image }} image
run: |
commit_sha=${{ github.sha }}
DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:${commit_sha} -t ghcr.io/confidential-containers/staged-images/kbs-grpc-as:latest . -f kbs/docker/Dockerfile.coco-as-grpc --push
docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha} \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-x86_64 \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}-s390x
docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:${commit_sha}
docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-x86_64 \
--amend ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest-s390x
docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.image }}:latest
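Review bot: The line `[ "${arch}" = "s390x" ] && https_crypto=openssl` silently replaces the matrix's `https_crypto: rustls` for kbs-grpc-as on s390x, so the two architectures published under one manifest tag are built with different TLS stacks and the reason is recorded nowhere. Make the override explicit and documented: `if [ "${arch}" = "s390x" ]; then` / `  https_crypto=openssl  # rustls is not used for s390x builds — TODO record why` / `fi`. The old kbs build also passed `--build-arg KBS_FEATURES=coco-as-builtin,openssl,resource,opa`, which the new command drops in favour of `HTTPS_CRYPTO`; the kbs Dockerfiles are not shown on this page, so confirm they derive the full feature list from that argument rather than falling back to a default that omits `resource`/`opa`.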
33 changes: 28 additions & 5 deletions .github/workflows/kbs-client-build-and-push.yaml
Expand Up @@ -7,14 +7,28 @@ on:

jobs:
build_and_push:
strategy:
fail-fast: false
matrix:
arch:
- x86_64
- s390x
env:
RUSTC_VERSION: 1.76.0
runs-on: ubuntu-22.04
runs-on: ${{ matrix.arch == 'x86_64' && 'ubuntu-22.04' || 's390x' }}
permissions:
contents: read
packages: write

steps:
- name: Take a pre-action for self-hosted runner
run: |
# NOTE: Use file checking instead triggering a step based on a runner type
# to avoid updating the step for each new self-hosted runner.
if [ -f "${HOME}/script/pre_action.sh" ]; then
"${HOME}/script/pre_action.sh" cc-trustee
fi
- name: Check out code
uses: actions/checkout@v4
- name: Install rust toolchain
Expand All @@ -29,14 +43,23 @@ jobs:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build a statically linked kbs-client for x86_64 linux
- name: Build a statically linked kbs-client for ${{ matrix.arch }} linux
working-directory: kbs
run: |
make cli-static-x86_64-linux
make cli-static-linux
- name: Push to ghcr.io
working-directory: target/x86_64-unknown-linux-gnu/release
working-directory: target/${{ matrix.arch }}-unknown-linux-gnu/release
run: |
commit_sha=${{ github.sha }}
oras push \
ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-x86_64-linux-gnu-${commit_sha},latest \
ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-${{ matrix.arch }}-linux-gnu-${commit_sha},latest-${{ matrix.arch }} \
kbs-client
[ "$(uname -m)" = "x86_64" ] && oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client || true
- name: Take a post-action for self-hosted runner
if: always()
run: |
# Please check out the note in the pre-action step for the reason of using file checking
if [ -f "${HOME}/script/post_action.sh" ]; then
"${HOME}/script/post_action.sh" cc-trustee
fi
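Review bot: `[ "$(uname -m)" = "x86_64" ] && oras push … :latest kbs-client || true` masks a failed push of the `latest` tag on x86_64, because `|| true` swallows the exit status of `oras push` as well as that of the architecture test, so the step reports success while `latest` stays stale. Use an explicit conditional so only the test is non-fatal: `if [ "$(uname -m)" = "x86_64" ]; then oras push ghcr.io/confidential-containers/staged-images/kbs-client:latest kbs-client; fi`. A comment above it would also help, since `latest` here is an oras artifact holding the x86_64 binary only while the previous line pushes the per-architecture `latest-<arch>` tags: `# latest is the x86_64 binary, not a multi-arch index; use latest-<arch> for other targets`.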
17 changes: 10 additions & 7 deletions attestation-service/Dockerfile.as-grpc
Expand Up @@ -3,44 +3,47 @@
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest as builder
ARG ARCH=x86_64

WORKDIR /usr/src/attestation-service
COPY . .

# Install golang
RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz

ENV PATH="/usr/local/go/bin:${PATH}"

# Install TPM Build Dependencies
RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev

# Install TDX Build Dependencies
RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev
apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi

# Build and Install gRPC attestation-service
RUN cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked


FROM ubuntu:22.04
ARG ARCH=x86_64

LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service"

# Install TDX Runtime Dependencies
RUN apt-get update && apt-get install curl gnupg openssl -y && \
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*

RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
apt-get update && \
apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi

# Copy TPM Runtime Dependencies
COPY --from=builder /usr/lib/x86_64-linux-gnu/libtss* /usr/lib/x86_64-linux-gnu
COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu

COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as

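Review bot: The Go toolchain is now fetched per architecture from go.dev with no integrity check — the `wget`/`tar` pair at the top of the builder stage trusts whatever the CDN returns — so the grpc-as binary, which relying parties treat as the verifier, is built with an unverified compiler. Pin the published SHA-256 per GOARCH and check it before extracting, e.g. `echo "${GO_SHA256}  go1.20.1.linux-${GOARCH}.tar.gz" | sha256sum -c - && \` between the `wget` and `tar` lines, with `GO_SHA256` selected in the same `if`/`else` that picks `GOARCH`, using the values listed on go.dev/dl. The same stage still uses the deprecated `apt-key add` for the Intel SGX key and leaves `intel-sgx-deb.key` behind in both stages; a `signed-by=` keyring is the current form, though that part is pre-existing. The remainder of the Dockerfile is below the hunk.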
17 changes: 10 additions & 7 deletions attestation-service/Dockerfile.as-restful
Expand Up @@ -3,43 +3,46 @@
# SPDX-License-Identifier: Apache-2.0

FROM rust:latest as builder
ARG ARCH=x86_64

WORKDIR /usr/src/attestation-service
COPY . .

# Install golang
RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz && \
tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz

ENV PATH="/usr/local/go/bin:${PATH}"

# Install TPM Build Dependencies
RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev

# Install TDX Build Dependencies
RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev
apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi

# Build and Install RESTful attestation-service
RUN cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked

FROM ubuntu:22.04
ARG ARCH=x86_64

LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service"

# Install TDX Runtime Dependencies
RUN apt-get update && apt-get install curl gnupg openssl -y && \
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*

RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
apt-get update && \
apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi

# Copy TPM Runtime Dependencies
COPY --from=builder /usr/lib/x86_64-linux-gnu/libtss* /usr/lib/x86_64-linux-gnu
COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu

COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as

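Review bot: `else GOARCH="${ARCH}"` only maps correctly where Go's architecture name equals `uname -m` (s390x, ppc64le); an `ARCH=aarch64` build — the value the workflows derive from `uname -m` and that the `/usr/lib/${ARCH}-linux-gnu` copy below expects — would request `go1.20.1.linux-aarch64.tar.gz`, which Go does not publish (it uses `arm64`), so the build fails at `wget`. A `case` keeps the mapping in one place: `case "${ARCH}" in x86_64) GOARCH=amd64 ;; aarch64) GOARCH=arm64 ;; *) GOARCH="${ARCH}" ;; esac`. Note also that on non-x86_64 the TDX/SGX build dependencies are skipped while `cargo install … --features restful-bin` is unchanged, so this relies on the crate building its verifiers without libsgx-dcap on those targets; record that next to the guard, e.g. `# TDX/SGX verifiers are only built on x86_64; other arches depend on the crate's non-x86 defaults (TODO confirm)`.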