packages: package bare-metal node-installer

This adds a second node-installer package, suited for a bare-metal deployment. It's now possible to specify a deployment platform in the justfile via `default_platform=...` to decide which node-installer should be built / pushed.
edgelesssys · Jun 27, 2024 · 9a54072 · 9a54072
1 parent c41df6c
commit 9a54072
Show file tree

Hide file tree

Showing 4 changed files with 123 additions and 7 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -240,7 +240,7 @@ jobs:
       - name: Push containers with release tag
         run: |
           coordinatorImg=$(nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator")
-          nodeInstallerImg=$(nix run .#containers.push-node-installer -- "$container_registry/contrast/node-installer")
+          nodeInstallerImg=$(nix run .#containers.push-node-installer-microsoft -- "$container_registry/contrast/node-installer-microsoft")
           initializerImg=$(nix run .#containers.push-initializer -- "$container_registry/contrast/initializer")
           serviceMeshImg=$(nix run .#containers.push-service-mesh-proxy -- "$container_registry/contrast/service-mesh-proxy")
           echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_ENV"
@@ -263,7 +263,7 @@ jobs:
           echo "ghcr.io/edgelesssys/contrast/coordinator:latest=$coordinatorImgTagged" > image-replacements.txt
           echo "ghcr.io/edgelesssys/contrast/initializer:latest=$initializerImgTagged" >> image-replacements.txt
           echo "ghcr.io/edgelesssys/contrast/service-mesh-proxy:latest=$serviceMeshImgTagged" >> image-replacements.txt
-          echo "ghcr.io/edgelesssys/contrast/node-installer:latest=$nodeInstallerImgTagged" >> image-replacements.txt
+          echo "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest=$nodeInstallerImgTagged" >> image-replacements.txt
       - name: Upload image replacements file (for main branch PR)
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:

diff --git a/justfile b/justfile
@@ -1,5 +1,5 @@
 # Undeploy, rebuild, deploy.
-default target=default_deploy_target cli=default_cli: soft-clean coordinator initializer openssl port-forwarder service-mesh-proxy node-installer runtime (apply "runtime") (deploy target cli) set verify (wait-for-workload target)
+default target=default_deploy_target platform=default_platform cli=default_cli: soft-clean coordinator initializer openssl port-forwarder service-mesh-proxy (node-installer platform) (runtime platform) (apply "runtime") (deploy target cli) set verify (wait-for-workload target)
 
 # Build and push a container image.
 push target:
@@ -21,13 +21,27 @@ service-mesh-proxy: (push "service-mesh-proxy")
 # Build the initializer, containerize and push it.
 initializer: (push "initializer")
 
-# Build the node-installer, containerize and push it.
-node-installer: (push "node-installer")
-
 default_cli := "contrast.cli"
 default_deploy_target := "openssl"
+default_platform := "AKS-CLH-SNP"
 workspace_dir := "workspace"
 
+# Build the node-installer, containerize and push it.
+node-installer platform=default_platform:
+    #!/usr/bin/env bash
+    case {{ platform }} in
+        "AKS-CLH-SNP")
+            just push "node-installer-microsoft"
+        ;;
+        "K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
+            just push "node-installer-kata"
+        ;;
+        *)
+            echo "Unsupported platform: {{ platform }}"
+            exit 1
+        ;;
+    esac
+
 e2e target=default_deploy_target: coordinator initializer openssl port-forwarder service-mesh-proxy node-installer
     #!/usr/bin/env bash
     set -euo pipefail

diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix
@@ -0,0 +1,101 @@
+# Copyright 2024 Edgeless Systems GmbH
+# SPDX-License-Identifier: AGPL-3.0-only
+
+{ lib
+, ociLayerTar
+, ociImageManifest
+, ociImageLayout
+, contrast-node-installer
+, kata
+, pkgsStatic
+, writers
+}:
+
+let
+  node-installer = ociLayerTar {
+    files = [
+      { source = lib.getExe contrast-node-installer; destination = "/bin/node-installer"; }
+      { source = "${pkgsStatic.util-linux}/bin/nsenter"; destination = "/bin/nsenter"; }
+    ];
+  };
+
+  launch-digest = lib.removeSuffix "\n" (builtins.readFile "${kata.runtime-class-files}/launch-digest.hex");
+  runtime-handler = lib.removeSuffix "\n" (builtins.readFile "${kata.runtime-class-files}/runtime-handler");
+
+  installer-config = ociLayerTar {
+    files = [
+      {
+        source = writers.writeJSON "contrast-node-install.json" {
+          files = [
+            { url = "file:///opt/edgeless/share/kata-containers.img"; path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img"; }
+            { url = "file:///opt/edgeless/share/kata-kernel"; path = "/opt/edgeless/${runtime-handler}/share/kata-kernel"; }
+            { url = "file:///opt/edgeless/bin/qemu-system-x86_64"; path = "/opt/edgeless/${runtime-handler}/bin/qemu-system-x86_64"; }
+            { url = "file:///opt/edgeless/share/OVMF_CODE.fd"; path = "/opt/edgeless/${runtime-handler}/share/OVMF_CODE.fd"; }
+            { url = "file:///opt/edgeless/share/OVMF_VARS.fd"; path = "/opt/edgeless/${runtime-handler}/share/OVMF_VARS.fd"; }
+            { url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2"; path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2"; }
+          ];
+          runtimeHandlerName = runtime-handler;
+          inherit (kata.runtime-class-files) debugRuntime;
+        };
+        destination = "/config/contrast-node-install.json";
+      }
+    ];
+  };
+
+  kata-container-img = ociLayerTar {
+    files = [
+      { source = kata.runtime-class-files.image; destination = "/opt/edgeless/share/kata-containers.img"; }
+      { source = kata.runtime-class-files.kernel; destination = "/opt/edgeless/share/kata-kernel"; }
+    ];
+  };
+
+  ovmf = ociLayerTar {
+    files = [
+      { source = kata.runtime-class-files.ovmf-code; destination = "/opt/edgeless/share/OVMF_CODE.fd"; }
+      { source = kata.runtime-class-files.ovmf-vars; destination = "/opt/edgeless/share/OVMF_VARS.fd"; }
+    ];
+  };
+
+  qemu = ociLayerTar {
+    files = [
+      { source = kata.runtime-class-files.qemu-bin; destination = "/opt/edgeless/bin/qemu-system-x86_64"; }
+    ];
+  };
+
+  containerd-shim = ociLayerTar {
+    files = [{ source = kata.runtime-class-files.containerd-shim-contrast-cc-v2; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; }];
+  };
+
+  manifest = ociImageManifest
+    {
+      layers = [
+        node-installer
+        installer-config
+        kata-container-img
+        ovmf
+        qemu
+        containerd-shim
+      ];
+      extraConfig = {
+        "config" = {
+          "Env" = [
+            "PATH=/bin:/usr/bin"
+            "CONFIG_DIR=/config"
+            "HOST_MOUNT=/host"
+          ];
+          "Entrypoint" = [ "/bin/node-installer" ];
+        };
+      };
+      extraManifest = {
+        "annotations" = {
+          "org.opencontainers.image.title" = "contrast-node-installer-kata";
+          "org.opencontainers.image.description" = "Contrast Node Installer (Kata)";
+          "systems.edgeless.contrast.snp-launch-digest" = launch-digest;
+        };
+      };
+    };
+in
+
+ociImageLayout {
+  manifests = [ manifest ];
+}
diff --git a/packages/containers.nix b/packages/containers.nix
@@ -93,7 +93,8 @@ let
   };
 in
 containers // {
-  push-node-installer = pushOCIDir "push-node-installer-microsoft" pkgs.microsoft.contrast-node-installer-image "v${pkgs.contrast.version}";
+  push-node-installer-microsoft = pushOCIDir "push-node-installer-microsoft" pkgs.microsoft.contrast-node-installer-image "v${pkgs.contrast.version}";
+  push-node-installer-kata = pushOCIDir "push-node-installer-kata" pkgs.kata.contrast-node-installer-image "v${pkgs.contrast.version}";
 } // (
   lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers
 )