-
Notifications
You must be signed in to change notification settings - Fork 40
138 lines (120 loc) · 6.35 KB
/
e2e.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: enclave-cc e2e test
on:
push:
branches:
- main
pull_request:
branches:
- main
env:
CONTAINERD_VERSION: 1.6.8.1
permissions:
contents: read
jobs:
e2e:
strategy:
fail-fast: false
matrix:
include:
- runner: sgx-ecc
sgx_mode: HW
kbc: cc-kbc
- runner: ubuntu-22.04
sgx_mode: SIM
kbc: sample-kbc
name: SGX_MODE=${{ matrix.sgx_mode }} KBC=${{ matrix.kbc }}
runs-on: ${{ matrix.runner }}
env:
SGX_MODE: ${{ matrix.sgx_mode }}
KBC: ${{ matrix.kbc }}
PAYLOAD_ARTIFACTS: ${{ github.workspace }}/coco
steps:
- uses: actions/checkout@v4
with:
path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
- uses: actions/setup-go@v4
with:
check-latest: true
go-version-file: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.mod
cache-dependency-path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.sum
- name: Install confidential-containers/containerd
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
curl -fsSL https://github.com/confidential-containers/containerd/releases/download/v$CONTAINERD_VERSION/cri-containerd-cni-$CONTAINERD_VERSION-linux-amd64.tar.gz | sudo tar zx -C /
- name: Configure and start containerd
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
sudo mkdir /run/containerd-test
/usr/local/bin/containerd config default | sed -e 's:\(/[a-z]*/containerd\):\1-test:'| tee $PWD/containerd-test.toml
cat <<EOF | tee -a $PWD/containerd-test.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.enclavecc]
cri_handler = "cc"
runtime_type = "io.containerd.rune.v2"
EOF
echo "runtime-endpoint: unix:///run/containerd-test/containerd.sock" | sudo tee /etc/crictl.yaml
sudo /usr/local/bin/containerd -c $PWD/containerd-test.toml -l debug &
sleep 5
- name: Test containerd is running
run: |
sudo crictl info
test $(sudo crictl info | jq '.config.containerd.runtimes.enclavecc|length') != 0
- name: Install io.containerd.rune.v2
run: |
make binaries
sudo ln -sf $PWD/bin/containerd-shim-rune-v2 /usr/local/bin/containerd-shim-rune-v2
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim
- name: Configure io.containerd.rune.v2
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
sudo mkdir /etc/enclave-cc
sed -e 's#\(.*container_instance = "\)\(.*\)$#\1'$PAYLOAD_ARTIFACTS'\2#g' config/config.toml | sudo tee /etc/enclave-cc/config.toml
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim
- name: Build agent-enclave bundle
run: |
mkdir $PAYLOAD_ARTIFACTS
docker build . -f tools/packaging/build/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance:build
docker export $(docker create agent-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
- name: Install config.json for agent-enclave bundle
run: |
jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/tools/packaging/build/agent-enclave-bundle
- name: Build boot-instance bundle
run: |
docker build . -f tools/packaging/build/boot-instance-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t boot-instance:build
docker export $(docker create boot-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/boot-instance.tar
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
- name: Install enclave-cc bundles
run: |
mkdir -p opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
sudo tar -xf agent-instance.tar -C opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
cp config.json opt/confidential-containers/share/enclave-cc-agent-instance/
mkdir -p opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
sudo tar -xf boot-instance.tar -C opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
working-directory: ${{env.PAYLOAD_ARTIFACTS}}
- name: Install decrypt_config.conf and ocicrypt.conf for agent-enclave bundle
run: |
sudo install -D -t $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs ocicrypt.conf
sudo install decrypt_config-$SGX_MODE-$KBC.conf $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e
- name: Test image pull and unpack
if: ${{ matrix.sgx_mode == 'SIM' }}
run: |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json)
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-unencrypted-$SGX_MODE.json sandbox.json)
sudo crictl start $CONTAINER_ID
sleep 5
sudo crictl logs $CONTAINER_ID
sudo crictl -t 10s stopp $SANDBOX_ID || true
sudo crictl -t 10s rmp $SANDBOX_ID || true
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e
- name: Test image decryption
run: |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json)
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-encrypted-$SGX_MODE-$KBC.json sandbox.json)
sudo crictl start $CONTAINER_ID
sleep 5
sudo crictl logs $CONTAINER_ID
sudo crictl -t 10s stopp $SANDBOX_ID || true
sudo crictl -t 10s rmp $SANDBOX_ID || true
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e