From cb71a167db4e16fb454316f97591b5027267728b Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Tue, 16 Apr 2024 13:57:30 +0200
Subject: [PATCH] node-installer: package as container image
---
 justfile | 3 +
 .../contrast-node-installer-image/package.nix | 80 +++++++++++++++++++
 .../by-name/runtime-class-files/package.nix | 43 ++++++++++
 packages/containers.nix | 15 +++-
 4 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 packages/by-name/contrast-node-installer-image/package.nix
 create mode 100644 packages/by-name/runtime-class-files/package.nix
diff --git a/justfile b/justfile
index d775ae50d..dd2b3e24c 100644
--- a/justfile
+++ b/justfile
@@ -21,6 +21,9 @@ service-mesh-proxy: (push "service-mesh-proxy")
 # Build the initializer, containerize and push it.
 initializer: (push "initializer")
 
+# Build the node-installer, containerize and push it.
+node-installer: (push "node-installer")
+
 default_cli := "contrast.cli"
 default_deploy_target := "simple"
 workspace_dir := "workspace"
diff --git a/packages/by-name/contrast-node-installer-image/package.nix b/packages/by-name/contrast-node-installer-image/package.nix
new file mode 100644
index 000000000..45bfce6b3
--- /dev/null
+++ b/packages/by-name/contrast-node-installer-image/package.nix
@@ -0,0 +1,80 @@
+{ lib
+, ociLayerTar
+, ociImageManifest
+, ociImageLayout
+, contrast-node-installer
+, runtime-class-files
+, pkgsStatic
+, writers
+}:
+let
+  node-installer = ociLayerTar {
+    files = [
+      { source = lib.getExe contrast-node-installer; destination = "/bin/node-installer"; }
+      { source = "${pkgsStatic.util-linux}/bin/nsenter"; destination = "/bin/nsenter"; }
+    ];
+  };
+  launch-digest = lib.removeSuffix "\n" (builtins.readFile "${runtime-class-files}/launch-digest.hex");
+  runtime-handler = lib.removeSuffix "\n" (builtins.readFile "${runtime-class-files}/runtime-handler");
+  installer-config = ociLayerTar {
+    files = [
+      {
+        source = writers.writeJSON "contrast-node-install.json" {
+          files = [
+            { url = "file:///opt/edgeless/share/kata-containers.img"; path = "/opt/edgeless/${runtime-handler}/share/kata-containers.img"; }
+            { url = "file:///opt/edgeless/share/kata-containers-igvm.img"; path = "/opt/edgeless/${runtime-handler}/share/kata-containers-igvm.img"; }
+            { url = "file:///opt/edgeless/bin/cloud-hypervisor-snp"; path = "/opt/edgeless/${runtime-handler}/bin/cloud-hypervisor-snp"; }
+            { url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2"; path = "/opt/edgeless/${runtime-handler}/bin/containerd-shim-contrast-cc-v2"; }
+          ];
+          runtimeHandlerName = runtime-handler;
+        };
+        destination = "/config/contrast-node-install.json";
+      }
+    ];
+  };
+  kata-container-img = ociLayerTar {
+    files = [
+      { source = runtime-class-files.rootfs; destination = "/opt/edgeless/share/kata-containers.img"; }
+      { source = runtime-class-files.igvm; destination = "/opt/edgeless/share/kata-containers-igvm.img"; }
+    ];
+  };
+  cloud-hypervisor = ociLayerTar {
+    files = [
+      { source = runtime-class-files.cloud-hypervisor-bin; destination = "/opt/edgeless/bin/cloud-hypervisor-snp"; }
+    ];
+  };
+  containerd-shim = ociLayerTar {
+    files = [{ source = runtime-class-files.containerd-shim-contrast-cc-v2; destination = "/opt/edgeless/bin/containerd-shim-contrast-cc-v2"; }];
+  };
+  manifest = ociImageManifest
+    {
+      layers = [
+        node-installer
+        installer-config
+        kata-container-img
+        cloud-hypervisor
+        containerd-shim
+      ];
+      extraConfig = {
+        "config" = {
+          "Env" = [
+            "PATH=/bin:/usr/bin"
+            "CONFIG_DIR=/config"
+            "HOST_MOUNT=/host"
+          ];
+          "Entrypoint" = [ "/bin/node-installer" ];
+        };
+      };
+      extraManifest = {
+        "annotations" = {
+          "org.opencontainers.image.title" = "contrast-node-installer";
+          "org.opencontainers.image.description" = "Contrast Node Installer";
+          "systems.edgeless.contrast.snp-launch-digest" = launch-digest;
+        };
+      };
+    };
+
+in
+ociImageLayout {
+  manifests = [ manifest ];
+}
diff --git a/packages/by-name/runtime-class-files/package.nix b/packages/by-name/runtime-class-files/package.nix
new file mode 100644
index 000000000..244f33225
--- /dev/null
+++ b/packages/by-name/runtime-class-files/package.nix
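Review bot: The `launch-digest` and `runtime-handler` bindings read files out of `${runtime-class-files}` with `builtins.readFile`, which is import-from-derivation: merely evaluating this attribute (any eval of the package set, not just a build) forces a build of runtime-class-files including its igvmmeasure run, and fails outright where `allow-import-from-derivation` is disabled. If that trade-off is intended, say so above the two bindings, e.g. `# IFD: forces runtime-class-files to build at eval time so the handler name and launch digest can be baked into paths and the manifest annotation.`; otherwise the config layer could be produced by a build-time derivation that substitutes the two values into the JSON. The file also lacks a header comment; one stating that this image ships the node-installer plus the kata rootfs, IGVM, cloud-hypervisor and shim as separate layers, with the install map at `/config/contrast-node-install.json`, would help a reader. The static `nsenter` and `HOST_MOUNT=/host` suggest the installer is expected to run with host mount access; if the intended deployment privileges are known, the header comment should state them.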
@@ -0,0 +1,43 @@
+{ fetchurl
+, stdenvNoCC
+, igvmmeasure
+}:
+let
+  # Currently, those are files extracted from the CoCo AKS node image (AKSCBLMariner-V2katagen2).
+  # In the future, those will be generated by us.
+  rootfs = fetchurl {
+    url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers.img";
+    hash = "sha256-EdFywKAU+xD0BXmmfbjV4cB6Gqbq9R9AnMWoZFCM3A0=";
+  };
+  igvm = fetchurl {
+    url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/kata-containers-igvm.img";
+    hash = "sha256-E9Ttx6f9QYwKlQonO/fl1bF2MNBoU4XG3/HHvt9Zv30=";
+  };
+  cloud-hypervisor-bin = fetchurl {
+    url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/cloud-hypervisor-cvm";
+    hash = "sha256-coTHzd5/QLjlPQfrp9d2TJTIXKNuANTN7aNmpa8PRXo=";
+  };
+  containerd-shim-contrast-cc-v2 = fetchurl {
+    url = "https://cdn.confidential.cloud/contrast/node-components/2024-03-13/containerd-shim-kata-cc-v2";
+    hash = "sha256-yhk3ZearqQVz1X1p67OFPCSHbF0P66E7KknpO/JGzZg=";
+  };
+in
+stdenvNoCC.mkDerivation {
+  name = "runtime-class-files";
+  version = "2024-03-13";
+
+  dontUnpack = true;
+
+  buildInputs = [ igvmmeasure ];
+
+  buildPhase = ''
+    mkdir -p $out
+    igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
+    echo -n "contrast-cc-" > $out/runtime-handler
+    cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler
+  '';
+
+  passthru = {
+    inherit rootfs igvm cloud-hypervisor-bin containerd-shim-contrast-cc-v2;
+  };
+}
diff --git a/packages/containers.nix b/packages/containers.nix
index a82ab312d..e6f68a5d9 100644
--- a/packages/containers.nix
+++ b/packages/containers.nix
@@ -15,6 +15,15 @@ let
     '';
   };
 
+  pushOCIDir = name: dir: tag: writeShellApplication {
+    name = "push-${name}";
+    runtimeInputs = [ crane ];
+    text = ''
+      imageName="$1"
+      crane push "${dir}" "$imageName:${tag}"
+    '';
+  };
+
   containers = {
     coordinator = dockerTools.buildImage {
       name = "coordinator";
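Review bot: `igvmmeasure` is executed during `buildPhase`, so it belongs in `nativeBuildInputs = [ igvmmeasure ];` rather than `buildInputs`; under cross-compilation the current placement would select a package built for the target platform instead of the build host. In the same phase, `cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler` can be `head -c 32 $out/launch-digest.hex >> $out/runtime-handler`, and because both outputs come from pipelines it is worth confirming that stdenv's `pipefail` is in effect here, since otherwise a failing igvmmeasure would leave an empty digest and a bare `contrast-cc-` handler name without failing the build. Also, because `name` is given explicitly, mkDerivation does not append `version` to the store path; `pname = "runtime-class-files";` keeps the 2024-03-13 date visible in the output name.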
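Review bot: `pushOCIDir` prefixes its `name` argument with `push-`, but the call site in the second hunk of this file (`push-node-installer = pushOCIDir "push-node-installer" ...`) already passes the prefixed name, so the generated script is called `push-push-node-installer` while the attribute is `push-node-installer`. Either pass `"node-installer"` there or change this hunk to `name = name;` so the two agree. The `push` recipe in the justfile and `pushContainer` are outside these hunks, so I cannot confirm which of the two names is resolved; the attribute name is presumably the one `nix run` uses, in which case only the script's own name is wrong.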
@@ -71,4 +80,8 @@ let
     };
   };
 in
-containers // (lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers)
+containers // {
+  push-node-installer = pushOCIDir "push-node-installer" contrast-node-installer-image "v${contrast.version}";
+} // (
+  lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers
+)