test

edgelesssys · Jul 25, 2024 · e3443d2 · e3443d2
1 parent 4128cab
commit e3443d2
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 6 deletions.
diff --git a/.github/actions/nix_tmpfs/action.yml b/.github/actions/nix_tmpfs/action.yml
@@ -0,0 +1,13 @@
+name: create tmpfs for nix builds
+description: Create a tmpfs for Nix builds that don't work in the runner-provisioned ext2/ext3 filesystem
+
+runs:
+  using: "composite"
+  steps:
+    - name: create tmpfs
+      shell: bash
+      run: |
+        sudo mkdir -p /etc/systemd/system/nix-daemon.service.d
+        echo -e "[Service]\nEnvironment=TMPDIR=/dev/shm" | sudo tee /etc/systemd/system/nix-daemon.service.d/tmpfs.conf
+        sudo systemctl daemon-reload
+        sudo systemctl restart nix-daemon
diff --git a/.github/workflows/e2e_openssl.yml b/.github/workflows/e2e_openssl.yml
@@ -57,6 +57,7 @@ jobs:
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer openssl port-forwarder node-installer

diff --git a/.github/workflows/e2e_policy.yml b/.github/workflows/e2e_policy.yml
@@ -57,6 +57,7 @@ jobs:
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer openssl port-forwarder node-installer

diff --git a/.github/workflows/e2e_regression.yml b/.github/workflows/e2e_regression.yml
@@ -58,6 +58,7 @@ jobs:
       - name: Get credentials for CI cluster
         run: |
           just get-credentials
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just node-installer

diff --git a/.github/workflows/e2e_servicemesh.yml b/.github/workflows/e2e_servicemesh.yml
@@ -51,12 +51,13 @@ jobs:
       - name: Get credentials for CI cluster
         run: |
           just get-credentials
-      - name: Set sync environemnt
+      - name: Set sync environment
         run: |
           sync_ip=$(kubectl get svc sync -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer port-forwarder service-mesh-proxy node-installer

diff --git a/justfile b/justfile
@@ -6,7 +6,7 @@ push target:
     #!/usr/bin/env bash
     set -euo pipefail
     mkdir -p {{ workspace_dir }}
-    pushedImg=$(nix run .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
+    pushedImg=$(nix run -L .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
     printf "ghcr.io/edgelesssys/contrast/%s:latest=%s\n" "{{ target }}" "$pushedImg" >> {{ workspace_dir }}/just.containerlookup
 
 # Build the coordinator, containerize and push it.

diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
@@ -119,8 +119,6 @@ buildGoModule rec {
     "-w"
     "-X github.com/edgelesssys/contrast/cli/constants.Version=${version}"
     "-X github.com/edgelesssys/contrast/cli/constants.GenpolicyVersion=${genpolicy.version}"
-    "-X github.com/edgelesssys/contrast/internal/manifest.TrustedMeasurement=${launchDigest}"
-    "-X github.com/edgelesssys/contrast/internal/kuberesource.runtimeHandler=${runtimeHandler}"
   ];
 
   preCheck = ''

diff --git a/packages/by-name/kata/kata-image/package.nix b/packages/by-name/kata/kata-image/package.nix
@@ -22,6 +22,7 @@
   cryptsetup,
   closureInfo,
   erofs-utils,
+  strace,
 }:
 
 let
@@ -139,13 +140,29 @@ stdenv.mkDerivation rec {
     util-linux
     tdnf
     buildimage
+    strace
   ];
 
   sourceRoot = "${src.name}/tools/osbuilder/rootfs-builder";
 
   buildPhase = ''
     runHook preBuild
 
+    # Check if filesystem is ext.*
+    fstype=$(stat -f -c %T .)
+    if [[ $fstye == "ext4" || $fstype == "ext2/ext3" ]]; then
+      echo "Due to a bug in libfakeroot, kata-image can unfortunately not be built on $fstype filesystems."
+      echo "As a workaround, you can build the derivation on a different filesystem with the following:"
+      echo "systemctl edit nix-daemon"
+      echo "Then, when editing the unit, enter:"
+      echo "[Service]"
+      echo 'Environment=TMPDIR=/some-non-ext*-filesystem'
+      echo "Then restart the nix-daemon with:"
+      echo "systemctl restart nix-daemon"
+      echo "Then rebuild the derivation."
+      exit 1
+    fi
+
     # use a fakeroot environment to build the rootfs as a tar
     # this is required to create files with the correct ownership and permissions
     # including suid

diff --git a/packages/by-name/microsoft/runtime-class-files/package.nix b/packages/by-name/microsoft/runtime-class-files/package.nix
@@ -24,8 +24,7 @@ stdenvNoCC.mkDerivation {
   buildPhase = ''
     mkdir -p $out
     igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
-    echo -n "contrast-cc-" > $out/runtime-handler
-    cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler
+    printf "contrast-cc-%s" "$(cat $out/launch-digest.hex | head -c 32)" > $out/runtime-handler
   '';
 
   passthru = {