diff --git a/.github/actions/nix_tmpfs/action.yml b/.github/actions/nix_tmpfs/action.yml
new file mode 100644
index 0000000000..9c52ae1840
--- /dev/null
+++ b/.github/actions/nix_tmpfs/action.yml
@@ -0,0 +1,13 @@
+name: create tmpfs for nix builds
+description: Create a tmpfs for Nix builds that don't work in the runner-provisioned ext2/ext3 filesystem
+
+runs:
+  using: "composite"
+  steps:
+    - name: create tmpfs
+      shell: bash
+      run: |
+        sudo mkdir -p /etc/systemd/system/nix-daemon.service.d
+        echo -e "[Service]\nEnvironment=TMPDIR=/dev/shm" | sudo tee /etc/systemd/system/nix-daemon.service.d/tmpfs.conf
+        sudo systemctl daemon-reload
+        sudo systemctl restart nix-daemon
diff --git a/.github/workflows/e2e_openssl.yml b/.github/workflows/e2e_openssl.yml
index 11185a7e5b..13f4e266e4 100644
--- a/.github/workflows/e2e_openssl.yml
+++ b/.github/workflows/e2e_openssl.yml
@@ -57,6 +57,7 @@ jobs:
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer openssl port-forwarder node-installer
diff --git a/.github/workflows/e2e_policy.yml b/.github/workflows/e2e_policy.yml
index 3461331dd0..ed0fff850b 100644
--- a/.github/workflows/e2e_policy.yml
+++ b/.github/workflows/e2e_policy.yml
@@ -57,6 +57,7 @@ jobs:
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer openssl port-forwarder node-installer
diff --git a/.github/workflows/e2e_regression.yml b/.github/workflows/e2e_regression.yml
index 741537dd2b..3716522f9a 100644
--- a/.github/workflows/e2e_regression.yml
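Review bot: The action does not create a tmpfs; it points the nix-daemon's TMPDIR at the pre-existing, RAM-backed /dev/shm, so the `name:` and `description:` on the first two lines overstate what happens and hide the trade-off that build scratch space now competes with runner memory. Suggest `description: Point nix-daemon's TMPDIR at /dev/shm (RAM-backed tmpfs) for builds that fail on the runner's ext filesystem` and a comment above the `run:` block such as `# /dev/shm is RAM-backed; large builds are bounded by runner memory, not disk`. Writing the drop-in unconditionally on every run is fine since its content is fixed, but the daemon restart affects every later nix invocation in the job, not only the kata-image build, which is worth stating in the description.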
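Review bot: The inserted step `- uses: ./.github/actions/nix_tmpfs` carries no `name:`, so the job log labels it only by its path; the same unnamed insertion appears in e2e_policy, e2e_regression and e2e_servicemesh. Suggest `- name: Move nix-daemon TMPDIR to tmpfs` above the `uses:` line in all four workflows. The action only affects builds started after the daemon restart, so any nix build triggered by an earlier step (the `just get-credentials` step precedes it in e2e_regression and e2e_servicemesh) still runs on the original filesystem; whether those recipes invoke nix is not visible here.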
+++ b/.github/workflows/e2e_regression.yml
@@ -58,6 +58,7 @@ jobs:
       - name: Get credentials for CI cluster
         run: |
           just get-credentials
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just node-installer
diff --git a/.github/workflows/e2e_servicemesh.yml b/.github/workflows/e2e_servicemesh.yml
index 01f5f8e7e7..3bcc58756f 100644
--- a/.github/workflows/e2e_servicemesh.yml
+++ b/.github/workflows/e2e_servicemesh.yml
@@ -51,12 +51,13 @@ jobs:
       - name: Get credentials for CI cluster
         run: |
           just get-credentials
-      - name: Set sync environemnt
+      - name: Set sync environment
         run: |
           sync_ip=$(kubectl get svc sync -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
           echo "SYNC_ENDPOINT=http://$sync_ip:8080" | tee -a "$GITHUB_ENV"
           sync_uuid=$(kubectl get configmap sync-server-fifo -o jsonpath='{.data.uuid}')
           echo "SYNC_FIFO_UUID=$sync_uuid" | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/nix_tmpfs
       - name: Build and prepare deployments
         run: |
           just coordinator initializer port-forwarder service-mesh-proxy node-installer
diff --git a/justfile b/justfile
index f6ad42787a..1d2400c082 100644
--- a/justfile
+++ b/justfile
@@ -6,7 +6,7 @@ push target:
     #!/usr/bin/env bash
     set -euo pipefail
     mkdir -p {{ workspace_dir }}
-    pushedImg=$(nix run .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
+    pushedImg=$(nix run -L .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
     printf "ghcr.io/edgelesssys/contrast/%s:latest=%s\n" "{{ target }}" "$pushedImg" >> {{ workspace_dir }}/just.containerlookup
 
 # Build the coordinator, containerize and push it.
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index f2b3caeb1c..617726c62a 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -119,8 +119,6 @@ buildGoModule rec {
     "-w"
     "-X github.com/edgelesssys/contrast/cli/constants.Version=${version}"
     "-X github.com/edgelesssys/contrast/cli/constants.GenpolicyVersion=${genpolicy.version}"
-    "-X github.com/edgelesssys/contrast/internal/manifest.TrustedMeasurement=${launchDigest}"
-    "-X github.com/edgelesssys/contrast/internal/kuberesource.runtimeHandler=${runtimeHandler}"
   ];
 
   preCheck = ''
diff --git a/packages/by-name/kata/kata-image/package.nix b/packages/by-name/kata/kata-image/package.nix
index 6df8337cd1..2eee559013 100644
--- a/packages/by-name/kata/kata-image/package.nix
+++ b/packages/by-name/kata/kata-image/package.nix
@@ -22,6 +22,7 @@
   cryptsetup,
   closureInfo,
   erofs-utils,
+  strace,
 }:
 
 let
@@ -139,6 +140,7 @@ stdenv.mkDerivation rec {
     util-linux
     tdnf
     buildimage
+    strace
   ];
 
   sourceRoot = "${src.name}/tools/osbuilder/rootfs-builder";
@@ -146,6 +148,21 @@ stdenv.mkDerivation rec {
   buildPhase = ''
     runHook preBuild
 
+    # Check if filesystem is ext.*
+    fstype=$(stat -f -c %T .)
+    if [[ $fstye == "ext4" || $fstype == "ext2/ext3" ]]; then
+      echo "Due to a bug in libfakeroot, kata-image can unfortunately not be built on $fstype filesystems."
+      echo "As a workaround, you can build the derivation on a different filesystem with the following:"
+      echo "systemctl edit nix-daemon"
+      echo "Then, when editing the unit, enter:"
+      echo "[Service]"
+      echo 'Environment=TMPDIR=/some-non-ext*-filesystem'
+      echo "Then restart the nix-daemon with:"
+      echo "systemctl restart nix-daemon"
+      echo "Then rebuild the derivation."
+      exit 1
+    fi
+
     # use a fakeroot environment to build the rootfs as a tar
     # this is required to create files with the correct ownership and permissions
     # including suid
diff --git a/packages/by-name/microsoft/runtime-class-files/package.nix b/packages/by-name/microsoft/runtime-class-files/package.nix
index 19aa1a9b4d..98303f1a9a 100644
--- a/packages/by-name/microsoft/runtime-class-files/package.nix
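Review bot: Removing the two `-X` ldflags drops the build-time embedding of `internal/manifest.TrustedMeasurement` and `internal/kuberesource.runtimeHandler`, but nothing in this hunk shows where the CLI now obtains the trusted launch digest and runtime handler; the `buildGoModule rec {` set starts outside the hunk, so `launchDigest` and `runtimeHandler` may now be unused inputs there. Because the trusted measurement is the reference value the CLI checks attestation evidence against, its replacement source should be pinned at least as tightly as the old build-time constant was. Suggest a comment in the ldflags list such as `# TrustedMeasurement and runtimeHandler are no longer baked in at build time; they are sourced from <PLACEHOLDER: new source>` once that is confirmed, and if the two inputs are indeed unused, dropping them from the function arguments in the same change.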
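Review bot: The condition `if [[ $fstye == "ext4" || $fstype == "ext2/ext3" ]]; then` misspells the variable in the first comparison, so the `ext4` branch never matches (or, if the build shell runs with nounset, aborts every build regardless of filesystem); change it to `if [[ $fstype == "ext4" || $fstype == "ext2/ext3" ]]; then`. GNU stat reports ext4 volumes with the same `ext2/ext3` string because they share a superblock magic, so the second comparison is the one doing the work today, and the message's `on $fstype filesystems` stays accurate either way. `strace` is added to the inputs and nativeBuildInputs in the two preceding hunks but is not referenced on any visible line; if it was a debugging aid it should be dropped before merge, otherwise its use deserves a comment. The buildPhase continues outside the hunk.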
+++ b/packages/by-name/microsoft/runtime-class-files/package.nix
@@ -24,8 +24,7 @@ stdenvNoCC.mkDerivation {
   buildPhase = ''
     mkdir -p $out
     igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
-    echo -n "contrast-cc-" > $out/runtime-handler
-    cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler
+    printf "contrast-cc-%s" "$(cat $out/launch-digest.hex | head -c 32)" > $out/runtime-handler
   '';
 
   passthru = {
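Review bot: `cat $out/launch-digest.hex | head -c 32` is a useless use of cat; `printf "contrast-cc-%s" "$(head -c 32 $out/launch-digest.hex)" > $out/runtime-handler` reads the file directly. More importantly, if `igvmmeasure` emits fewer than 32 hex characters (or nothing, which an upstream pipeline failure can yield if the build shell runs without pipefail), the handler silently degrades to `contrast-cc-` plus a short suffix, and that name is what later binds workloads to this runtime class; a check such as `[[ $(head -c 32 $out/launch-digest.hex | wc -c) -eq 32 ]]` before the printf would turn that into a build failure. The `stdenvNoCC.mkDerivation {` set starts outside the hunk.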