diff --git a/justfile b/justfile
index d775ae50d6..e97ed5a5cb 100644
--- a/justfile
+++ b/justfile
@@ -21,6 +21,10 @@ service-mesh-proxy: (push "service-mesh-proxy")
 # Build the initializer, containerize and push it.
 initializer: (push "initializer")
 
+# Build the node-installer, containerize and push it.
+node-installer:
+ nix run .#containers.push-node-installer -- "$container_registry/contrast/node-installer" >&2
+
 default_cli := "contrast.cli"
 default_deploy_target := "simple"
 workspace_dir := "workspace"
diff --git a/packages/by-name/contrast-node-installer-image/package.nix b/packages/by-name/contrast-node-installer-image/package.nix
new file mode 100644
index 0000000000..2ff333af47
--- /dev/null
+++ b/packages/by-name/contrast-node-installer-image/package.nix
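Review bot: The new `node-installer` recipe inlines a `nix run .#containers.push-node-installer` call where the neighbouring recipes delegate to the `push` recipe (`initializer: (push "initializer")`), and nothing in the hunk says why the shared recipe is bypassed. If `push` cannot serve here because the node-installer is pushed through a different helper than the dockerTools images, a one-line comment on the recipe would spare the next reader the detour, e.g. `# Pushed directly: the node-installer image is an OCI layout, not a dockerTools image, so the push recipe does not apply.` The definition of `push` is outside this hunk, so that reading of the difference is inferred from the sibling recipes. The `>&2` redirect also deserves a word if its purpose is to keep the recipe's stdout clean for callers.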
@@ -0,0 +1,96 @@
+{ lib
+, ociLayerTar
+, ociImageManifest
+, ociImageLayout
+, contrast-node-installer
+, runtime-class-files
+, pkgsStatic
+, writers
+}:
+let
+ node-installer = ociLayerTar {
+ files = [
+ {
+ source = lib.getExe contrast-node-installer;
+ destination = "/bin/node-installer";
+ }
+ {
+ source = "${pkgsStatic.util-linux}/bin/nsenter";
+ destination = "/bin/nsenter";
+ }
+ ];
+ };
+ launch-digest = lib.removeSuffix "\n" (builtins.readFile "${runtime-class-files}/launch-digest.hex");
+ runtime-handler = lib.removeSuffix "\n" (builtins.readFile "${runtime-class-files}/runtime-handler");
+ installer-config = ociLayerTar {
+ files = [
+ {
+ source = writers.writeJSON "contrast-node-install.json" {
+ files = [
+ {
+ url = "file:///opt/edgeless/share/kata-containers.img";
+ path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img";
+ }
+ {
+ url = "file:///opt/edgeless/share/kata-containers-igvm.img";
+ path = "/opt/edgeless/${runtime-handler}/share/kata-containers-igvm.img";
+ }
+ {
+ url = "file:///opt/edgeless/bin/cloud-hypervisor-snp";
+ path = "/opt/edgeless/${runtime-handler}/bin/cloud-hypervisor-snp";
+ }
+ {
+ url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
+ path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2";
+ }
+ ];
+ runtimeHandlerName = runtime-handler;
+ };
+ destination = "/config/contrast-node-install.json";
+ }
+ ];
+ };
+ kata-container-img = ociLayerTar {
+ files = [
+ { source = runtime-class-files.rootfs; destination = "/opt/edgeless/share/kata-containers.img"; }
+ { source = runtime-class-files.igvm; destination = "/opt/edgeless/share/kata-containers-igvm.img"; }
+ ];
+ };
+ cloud-hypervisor = ociLayerTar {
+ files = [{ source = runtime-class-files.cloud-hypervisor-bin; destination = "/opt/edgeless/bin/cloud-hypervisor-snp"; }];
+ };
+ containerd-shim = ociLayerTar {
+ files = [{ source = runtime-class-files.containerd-shim-contrast-cc-v2; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; }];
+ };
+ manifest = ociImageManifest
+ {
+ layers = [
+ node-installer
+ installer-config
+ kata-container-img
+ cloud-hypervisor
+ containerd-shim
+ ];
+ extraConfig = {
+ "config" = {
+ "Env" = [
+ "PATH=/bin:/usr/bin"
+ "CONFIG_DIR=/config"
+ "HOST_MOUNT=/host"
+ ];
+ "Entrypoint" = [ "/bin/node-installer" ];
+ };
+ };
+ extraManifest = {
+ "annotations" = {
+ "org.opencontainers.image.title" = "contrast-node-installer";
+ "org.opencontainers.image.description" = "Contrast Node Installer";
+ "systems.edgeless.contrast.snp-launch-digest" = launch-digest;
+ };
+ };
+ };
+
+in
+ociImageLayout {
+ manifests = [ manifest ];
+}
diff --git a/packages/by-name/runtime-class-files/package.nix b/packages/by-name/runtime-class-files/package.nix
new file mode 100644
index 0000000000..e86b7271cc
--- /dev/null
+++ b/packages/by-name/runtime-class-files/package.nix
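Review bot: `launch-digest` and `runtime-handler` are obtained with `builtins.readFile` on the output of `runtime-class-files`, which turns this package into an import-from-derivation: merely evaluating it (including any flake listing that touches it) has to build `runtime-class-files`, i.e. fetch the IGVM image and run `igvmmeasure`, and evaluation fails outright where `allow-import-from-derivation` is disabled. If that cost is intended, say so at the two `readFile` lines, e.g. `# IFD: handler name and launch digest come from the measured IGVM and are needed at eval time for the config paths and the manifest annotation.`; otherwise the `${runtime-handler}` paths and the annotation could be filled in by a build step that reads `runtime-handler` from the store path at build time. Independently, the file documents none of its layers; a one-line comment on the `nsenter` entry and on the `systems.edgeless.contrast.snp-launch-digest` annotation naming what consumes each would make the image's contract with the installer, and with whatever checks the digest, explicit rather than implied by the key names.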
@@ -0,0 +1,41 @@
+{ fetchurl
+, stdenvNoCC
+, igvmmeasure
+}:
+let
+ rootfs = fetchurl {
+ url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers.img";
+ hash = "sha256-EdFywKAU+xD0BXmmfbjV4cB6Gqbq9R9AnMWoZFCM3A0=";
+ };
+ igvm = fetchurl {
+ url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers-igvm.img";
+ hash = "sha256-E9Ttx6f9QYwKlQonO/fl1bF2MNBoU4XG3/HHvt9Zv30=";
+ };
+ cloud-hypervisor-bin = fetchurl {
+ url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/cloud-hypervisor-cvm";
+ hash = "sha256-coTHzd5/QLjlPQfrp9d2TJTIXKNuANTN7aNmpa8PRXo=";
+ };
+ containerd-shim-contrast-cc-v2 = fetchurl {
+ url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/containerd-shim-kata-cc-v2";
+ hash = "sha256-yhk3ZearqQVz1X1p67OFPCSHbF0P66E7KknpO/JGzZg=";
+ };
+in
+stdenvNoCC.mkDerivation {
+ name = "runtime-class-files";
+ version = "2024-03-13";
+
+ dontUnpack = true;
+
+ buildInputs = [ igvmmeasure ];
+
+ buildPhase = ''
+ mkdir -p $out
+ igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
+ echo -n "contrast-cc-" > $out/runtime-handler
+ cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler
+ '';
+
+ passthru = {
+ inherit rootfs igvm cloud-hypervisor-bin containerd-shim-contrast-cc-v2;
+ };
+}
diff --git a/packages/containers.nix b/packages/containers.nix
index a82ab312dc..adcdbbbd23 100644
--- a/packages/containers.nix
+++ b/packages/containers.nix
@@ -15,6 +15,15 @@ let
 '';
 };
 
+ pushOCIDir = name: dir: tag: writeShellApplication {
+ name = "push-${name}";
+ runtimeInputs = [ crane ];
+ text = ''
+ imageName="$1"
+ crane push "${dir}" "$imageName:${tag}"
+ '';
+ };
+
 containers = {
 coordinator = dockerTools.buildImage {
 name = "coordinator";
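Review bot: `buildPhase` derives the runtime handler name from the first 32 characters of `launch-digest.hex` without checking that `igvmmeasure` actually produced a digest: stdenv's `pipefail` catches a failing command, but an empty or differently formatted successful output would silently yield a handler named just `contrast-cc-` (or suffixed with whatever the tool printed), and that name is what ties the installed runtime files to a measurement. A guard after the `dd` line, `grep -Eqx '[0-9a-f]{32,}' $out/launch-digest.hex || { echo "unexpected launch digest in $out/launch-digest.hex" >&2; exit 1; }`, fails the build instead. Since `igvmmeasure` runs at build time it also belongs in `nativeBuildInputs = [ igvmmeasure ];` rather than `buildInputs`, which matters as soon as the package is cross-compiled, and `cat $out/launch-digest.hex | head -c 32` can simply be `head -c 32 $out/launch-digest.hex`.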
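Review bot: `pushOCIDir` prefixes its `name` argument with `push-`, but its only call site, in the `@@ -71,4 +80,4 @@` hunk below, already passes `"push-node-installer"`, so the resulting script and store path are named `push-push-node-installer` while the attribute it lives under is `push-node-installer`; `nix run .#containers.push-node-installer` most likely still works, but the name is misleading in store and log output and inconsistent with how `pushContainer` names its scripts. Either pass the bare image name at the call site, `push-node-installer = pushOCIDir "node-installer" contrast-node-installer-image "v${contrast.version}";`, or drop the prefix in the helper. A short comment on the helper would also help, e.g. `# Push an OCI image layout directory (as produced by ociImageLayout) to "$1:<tag>" with crane.`; where `crane` and `writeShellApplication` come into scope is outside the hunk, presumably the file's function header.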
@@ -71,4 +80,4 @@ let
 };
 };
 in
-containers // (lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers)
+containers // { push-node-installer = pushOCIDir "push-node-installer" contrast-node-installer-image "v${contrast.version}"; } // (lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers)