podvm: retrieve guest-components via ORAS #2074
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
I'll re-review once the guest-component caching is merged and working, but on initial review this looks great and supercedes #2033 nicely. Thanks!
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
9fa68ad to
e9edce4
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
2 times, most recently
from
123a30b to
6e53c66
Compare
|
The required PRs were merged but oras images aren't published yet (https://github.com/confidential-containers/guest-components/actions/workflows/publish-artifacts.yml) due a bug on setup-oras action (oras-project/setup-oras#57); so I could not test this yet. |
wainersm
reviewed
Oct 7, 2024
wainersm
reviewed
Oct 7, 2024
mkulke
force-pushed
the
mkulke/oras-caching
branch
5 times, most recently
from
c81bfa5 to
12fb47c
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
7 times, most recently
from
b59d8d6 to
3123f42
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
2 times, most recently
from
d0b43e1 to
d2f4929
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
d2f4929 to
f391a00
Compare
stevenhorsman
approved these changes
Oct 14, 2024
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
f391a00 to
fe19ee1
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
fe19ee1 to
239c49a
Compare
The artifacts are being retrieved from guest-component's ORAS now. Hence the rust build infrastructure can be removed with this change. The Rust build infra hasn't been fully removed yet, this should be done in a follow-up PR (otherwise the e2e test suite will fail, since those run on main). There are some notable changes: - guest-component exposed the TEE_PLATFORM param on its top level build script, which we use to pull the correct artifact. Since we don't build attestation-agent directly anymore the ATTESTER param has been removed from the project's build scripts - in versions.yaml kata and guest-components have been moved from the "git" section to the "oci" section, however since the tag is dynamic, we also provide a "reference" field in those entries. - bumped guest-components to a commit that is available as artifact in OCI Signed-off-by: Magnus Kulke <[email protected]>
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
239c49a to
0587993
Compare
mkulke
force-pushed
the
mkulke/oras-caching
branch
2 times, most recently
from
633d8ea to
2da61f2
Compare
The GC and agent artifacts attestations are being verified, so far this is only toggled on for mkosi on fedora images. Signed-off-by: Magnus Kulke <[email protected]>
mkulke
force-pushed
the
mkulke/oras-caching
branch
from
2da61f2 to
b4e9f9a
Compare
stevenhorsman
added a commit
to stevenhorsman/cloud-api-adaptor
that referenced
this pull request
Oct 22, 2024
In github.com/confidential-containers/pull/2074 we removed the RUST_VERSION env, but we still use it in The `Install rust toolchain` step which it needed to build the kbs client. I plan to remove this need very sooner by using the cached kbs client, but can't test those changes due to this error. Signed-off-by: stevenhorsman <[email protected]>
stevenhorsman
added a commit
that referenced
this pull request
Oct 22, 2024
In github.com//pull/2074 we removed the RUST_VERSION env, but we still use it in The `Install rust toolchain` step which it needed to build the kbs client. I plan to remove this need very sooner by using the cached kbs client, but can't test those changes due to this error. Signed-off-by: stevenhorsman <[email protected]>
This was referenced Dec 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: draft until GC 731 and #2064 have been mergedIn this change the artifacts are being retrieved from guest-component's ORAS now. Hence the rust build infrastructure can be removed with this change.
There is an option to verify the provenance of the guest component artifacts that we download as part of the build. It is opt-in, you have to set
VERIFY_PROVENANCE=yeswhen building a podvm. There are respective build flags on thesrc/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedoraand thesrc/cloud-api-adaptor/podvm-mkosi/Makefile. Currently only the azure-podvm-image-build ci workflow has the provenance checks enabled.There are some notable changes: