From 6cc2efd8a98b500c513d2ce7827317f30f8fb064 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Fri, 4 Oct 2024 10:30:44 +0200 Subject: [PATCH 01/31] [CI] Remove support for Ubuntu 20.04 Our CI runners used to use EPID developer key, and those are EOL. As of this writing, IAS answers 401 to our key. See also: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/sgx-ias-using-epid-eol-timeline.html Signed-off-by: Wojtek Porczyk --- .ci/linux-direct-sanitizers.jenkinsfile | 23 +------------- ...x-direct-ubuntu20.04-gcc-debug.jenkinsfile | 20 +----------- ...direct-ubuntu20.04-gcc-release.jenkinsfile | 20 +----------- .ci/linux-sgx-edmm.jenkinsfile | 31 +------------------ .ci/linux-sgx-sanitizers.jenkinsfile | 26 +--------------- ...x-ubuntu20.04-gcc-release-apps.jenkinsfile | 22 +------------ ...ux-sgx-ubuntu20.04-gcc-release.jenkinsfile | 31 +++++++------------ .ci/linux-sgx-ubuntu20.04-musl.jenkinsfile | 23 +------------- 8 files changed, 19 insertions(+), 177 deletions(-) mode change 100644 => 120000 .ci/linux-direct-sanitizers.jenkinsfile mode change 100644 => 120000 .ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile mode change 100644 => 120000 .ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile mode change 100644 => 120000 .ci/linux-sgx-edmm.jenkinsfile mode change 100644 => 120000 .ci/linux-sgx-sanitizers.jenkinsfile mode change 100644 => 120000 .ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile mode change 100644 => 120000 .ci/linux-sgx-ubuntu20.04-musl.jenkinsfile diff --git a/.ci/linux-direct-sanitizers.jenkinsfile b/.ci/linux-direct-sanitizers.jenkinsfile deleted file mode 100644 index 7457d4d5f8..0000000000 --- a/.ci/linux-direct-sanitizers.jenkinsfile +++ /dev/null 
@@ -1,22 +0,0 @@
-node('nonsgx_slave && aesni') {
- checkout scm
-
- load '.ci/lib/config-docker.jenkinsfile'
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_mar_2021.json") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-clang.jenkinsfile'
- load '.ci/lib/config-debug.jenkinsfile'
- load '.ci/lib/config-ubsan.jenkinsfile'
- load '.ci/lib/config-asan.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-nosgx.jenkinsfile'
- load '.ci/lib/stage-test.jenkinsfile'
- load '.ci/lib/stage-test-direct.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-direct-sanitizers.jenkinsfile b/.ci/linux-direct-sanitizers.jenkinsfile
new file mode 120000
index 0000000000..cf533c4673
--- /dev/null
+++ b/.ci/linux-direct-sanitizers.jenkinsfile
@@ -0,0 +1 @@
+linux-sgx-ubuntu20.04-gcc-release.jenkinsfile
\ No newline at end of file
diff --git a/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile b/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile
deleted file mode 100644
index f6cb2492f5..0000000000
--- a/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile
+++ /dev/null
@@ -1,19 +0,0 @@
-node('nonsgx_slave && aesni') {
- checkout scm
-
- load '.ci/lib/config-docker.jenkinsfile'
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_mar_2021.json") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-debug.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-nosgx.jenkinsfile'
- load '.ci/lib/stage-test.jenkinsfile'
- load '.ci/lib/stage-test-direct.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile b/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile
new file mode 120000
index 0000000000..cf533c4673
--- /dev/null
+++ b/.ci/linux-direct-ubuntu20.04-gcc-debug.jenkinsfile
@@ -0,0 +1 @@
+linux-sgx-ubuntu20.04-gcc-release.jenkinsfile
\ No newline at end of file
diff --git a/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile b/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile
deleted file mode 100644
index badad2a020..0000000000
--- a/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile
+++ /dev/null
@@ -1,19 +0,0 @@
-node('nonsgx_slave && aesni') {
- checkout scm
-
- load '.ci/lib/config-docker.jenkinsfile'
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_mar_2021.json") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-release.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-nosgx.jenkinsfile'
- load '.ci/lib/stage-test.jenkinsfile'
- load '.ci/lib/stage-test-direct.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile b/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile
new file mode 120000
index 0000000000..cf533c4673
--- /dev/null
+++ b/.ci/linux-direct-ubuntu20.04-gcc-release.jenkinsfile
@@ -0,0 +1 @@
+linux-sgx-ubuntu20.04-gcc-release.jenkinsfile
\ No newline at end of file
diff --git a/.ci/linux-sgx-edmm.jenkinsfile b/.ci/linux-sgx-edmm.jenkinsfile
deleted file mode 100644
index 5e1ca3087b..0000000000
--- a/.ci/linux-sgx-edmm.jenkinsfile
+++ /dev/null
@@ -1,30 +0,0 @@
-node('sgx-edmm && aesni') {
- checkout scm
-
- env.AVX = '1' // EDMM-capable machines in our CI always have AVX
- env.SGX = '1'
- env.EDMM = '1'
- env.RA_TYPE = 'dcap'
-
- load '.ci/lib/config-docker.jenkinsfile'
-
- env.DOCKER_ARGS_SGX += '''
- --volume=/usr/include/x86_64-linux-gnu/asm/sgx.h:/usr/include/asm/sgx.h:ro
- --add-host host.docker.internal:host-gateway
- '''
-
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-release.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-sgx.jenkinsfile'
- load '.ci/lib/stage-test.jenkinsfile'
- load '.ci/lib/stage-test-sgx.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-sgx-edmm.jenkinsfile b/.ci/linux-sgx-edmm.jenkinsfile
new file mode 120000
index 0000000000..cf533c4673
--- /dev/null
+++ b/.ci/linux-sgx-edmm.jenkinsfile
@@ -0,0 +1 @@
+linux-sgx-ubuntu20.04-gcc-release.jenkinsfile
\ No newline at end of file
diff --git a/.ci/linux-sgx-sanitizers.jenkinsfile b/.ci/linux-sgx-sanitizers.jenkinsfile
deleted file mode 100644
index 7e8d852563..0000000000
--- a/.ci/linux-sgx-sanitizers.jenkinsfile
+++ /dev/null
@@ -1,25 +0,0 @@
-node('sgx_slave_2.6 && aesni') {
- checkout scm
-
- env.SGX = '1'
- env.SGX_DRIVER = 'oot'
-
- load '.ci/lib/config-docker.jenkinsfile'
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-clang.jenkinsfile'
- load '.ci/lib/config-debug.jenkinsfile'
- load '.ci/lib/config-ubsan.jenkinsfile'
- load '.ci/lib/config-asan.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-sgx.jenkinsfile'
- load '.ci/lib/stage-test.jenkinsfile'
- load '.ci/lib/stage-test-sgx.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-sgx-sanitizers.jenkinsfile b/.ci/linux-sgx-sanitizers.jenkinsfile
new file mode 120000
index 0000000000..cf533c4673
--- /dev/null
+++ b/.ci/linux-sgx-sanitizers.jenkinsfile
@@ -0,0 +1 @@
+linux-sgx-ubuntu20.04-gcc-release.jenkinsfile
\ No newline at end of file
diff --git a/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile b/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile
deleted file mode 100644
index 80063dd7f7..0000000000
--- a/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile
+++ /dev/null
@@ -1,21 +0,0 @@
-node('sgx_slave_2.6 && aesni') {
- checkout scm
-
- env.SGX = '1'
- env.SGX_DRIVER = 'oot'
-
- load '.ci/lib/config-docker.jenkinsfile'
- docker.build(
- "local:${env.BUILD_TAG}",
- '-f .ci/ubuntu20.04.dockerfile .'
- ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
- load '.ci/lib/config.jenkinsfile'
- load '.ci/lib/config-release.jenkinsfile'
-
- load '.ci/lib/stage-lint.jenkinsfile'
- load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
- load '.ci/lib/stage-build-sgx.jenkinsfile'
- load '.ci/lib/stage-test-sgx.jenkinsfile'
- load '.ci/lib/stage-clean-check.jenkinsfile'
- }
-}
diff --git a/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile b/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile new file mode 120000 index 0000000000..cf533c4673 --- /dev/null +++ b/.ci/linux-sgx-ubuntu20.04-gcc-release-apps.jenkinsfile @@ -0,0 +1 @@ +linux-sgx-ubuntu20.04-gcc-release.jenkinsfile \ No newline at end of file diff --git a/.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile b/.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile index 5346964ad0..d2b9a12d77 100644 --- a/.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile +++ b/.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile @@ -1,21 +1,14 @@ -node('sgx_slave_2.6 && aesni') { - checkout scm - - env.SGX = '1' - env.SGX_DRIVER = 'oot' - - load '.ci/lib/config-docker.jenkinsfile' - docker.build( - "local:${env.BUILD_TAG}", - '-f .ci/ubuntu20.04.dockerfile .' - ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { - load '.ci/lib/config.jenkinsfile' - load '.ci/lib/config-release.jenkinsfile' - - load '.ci/lib/stage-lint.jenkinsfile' - load '.ci/lib/stage-clean-check-prepare.jenkinsfile' - load '.ci/lib/stage-build-sgx.jenkinsfile' - load '.ci/lib/stage-test.jenkinsfile' - load '.ci/lib/stage-clean-check.jenkinsfile' +pipeline { + agent any + stages { + stage('info') { + steps { + echo ''' + EPID was deprecated on 1.10.2024, and our key is no longer valid. See + https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/resources/sgx-ias-using-epid-eol-timeline.html + for more info. + ''' + } + } } } diff --git a/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile b/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile deleted file mode 100644 index 23dfd7091a..0000000000 --- a/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile +++ /dev/null 
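Review bot: The replacement pipeline in `.ci/linux-sgx-ubuntu20.04-gcc-release.jenkinsfile` only echoes a message and then finishes, so this job and the seven jobs symlinked to it will presumably report success while running no lint, build or test stage. That covers the ASan/UBSan jobs, the three `linux-direct-*` jobs that ran on `nonsgx_slave` nodes, and `linux-sgx-edmm`, which already set `env.RA_TYPE = 'dcap'` in the removed file. Consider ending the `steps` block with a step that makes the status visibly not green, for example `unstable('Ubuntu 20.04 CI disabled: EPID key is EOL')`, so the lost coverage is not read as a pass.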
@@ -1,22 +0,0 @@ -node('sgx_slave_2.6 && aesni') { - checkout scm - - env.SGX = '1' - env.SGX_DRIVER = 'oot' - env.GRAMINE_MUSL = '1' - - load '.ci/lib/config-docker.jenkinsfile' - docker.build( - "local:${env.BUILD_TAG}", - '-f .ci/ubuntu20.04.dockerfile .' - ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") { - load '.ci/lib/config.jenkinsfile' - load '.ci/lib/config-release.jenkinsfile' - - load '.ci/lib/stage-lint.jenkinsfile' - load '.ci/lib/stage-clean-check-prepare.jenkinsfile' - load '.ci/lib/stage-build-sgx.jenkinsfile' - load '.ci/lib/stage-test.jenkinsfile' - load '.ci/lib/stage-clean-check.jenkinsfile' - } -} diff --git a/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile b/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile new file mode 120000 index 0000000000..cf533c4673 --- /dev/null +++ b/.ci/linux-sgx-ubuntu20.04-musl.jenkinsfile @@ -0,0 +1 @@ +linux-sgx-ubuntu20.04-gcc-release.jenkinsfile \ No newline at end of file From e55aec8d74d49dbfc63465213a5fdceb2ba3ee3a Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Wed, 2 Oct 2024 14:36:41 +0200 Subject: [PATCH 02/31] [CI] Fix installation of libraries into non-standard paths Signed-off-by: Wojtek Porczyk --- .ci/lib/stage-build-nosgx.jenkinsfile | 1 + .ci/lib/stage-build-sgx-vm.jenkinsfile | 1 + .ci/lib/stage-build-sgx.jenkinsfile | 1 + 3 files changed, 3 insertions(+) diff --git a/.ci/lib/stage-build-nosgx.jenkinsfile b/.ci/lib/stage-build-nosgx.jenkinsfile index 141efccef8..a1f6ed8479 100644 --- a/.ci/lib/stage-build-nosgx.jenkinsfile +++ b/.ci/lib/stage-build-nosgx.jenkinsfile @@ -52,6 +52,7 @@ stage('build') { // In CI we install to non-standard --prefix (see above). This makes sure the libraries are // available anyway. + env.LD_LIBRARY_PATH = libdir env.PKG_CONFIG_PATH = libdir + '/pkgconfig' // prevent cheating and testing from repo diff --git a/.ci/lib/stage-build-sgx-vm.jenkinsfile b/.ci/lib/stage-build-sgx-vm.jenkinsfile index bed7701eac..d328690bc9 100644 
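Review bot: `env.LD_LIBRARY_PATH = libdir` in `stage-build-nosgx.jenkinsfile` replaces any value already present instead of extending it, and because it is set on `env` it applies to every later step of the pipeline, not only to the Gramine tools that need the non-standard prefix. Every dynamically linked program run afterwards will search the freshly built install directory first, so a library there that shadows a system one changes what the test tooling loads. If an inherited value should survive, `env.LD_LIBRARY_PATH = libdir + (env.LD_LIBRARY_PATH ? ':' + env.LD_LIBRARY_PATH : '')` keeps it; the same line is added in `stage-build-sgx-vm.jenkinsfile` and `stage-build-sgx.jenkinsfile`. The `stage('build')` block starts and ends outside the hunk.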
--- a/.ci/lib/stage-build-sgx-vm.jenkinsfile +++ b/.ci/lib/stage-build-sgx-vm.jenkinsfile @@ -90,6 +90,7 @@ stage('build') { // In CI we install to non-standard --prefix (see above). This makes sure the libraries are // available anyway (e.g. gramine-sgx-pf-crypt needs libsgx_util.so). + env.LD_LIBRARY_PATH = libdir env.PKG_CONFIG_PATH = libdir + '/pkgconfig' // prevent cheating and testing from repo diff --git a/.ci/lib/stage-build-sgx.jenkinsfile b/.ci/lib/stage-build-sgx.jenkinsfile index 18979e1d59..381748e8ff 100644 --- a/.ci/lib/stage-build-sgx.jenkinsfile +++ b/.ci/lib/stage-build-sgx.jenkinsfile @@ -73,6 +73,7 @@ stage('build') { // In CI we install to non-standard --prefix (see above). This makes sure the libraries are // available anyway. + env.LD_LIBRARY_PATH = libdir env.PKG_CONFIG_PATH = libdir + '/pkgconfig' // prevent cheating and testing from repo From eb726b5c71b0063698809168bd22382cc1e0864b Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Sat, 14 Sep 2024 00:17:32 +0200 Subject: [PATCH 03/31] [CI] Make 'dcap' the default RA_TYPE This is a leftover from changing the default driver to upstream. Fixes: 12e5d9a0d885 ("[CI] Change default SGX driver to upstream") Signed-off-by: Wojtek Porczyk --- .ci/lib/config.jenkinsfile | 4 ++++ .ci/lib/stage-test-sgx.jenkinsfile | 4 ---- .ci/lib/stage-test.jenkinsfile | 4 ---- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.ci/lib/config.jenkinsfile b/.ci/lib/config.jenkinsfile index 2d0ccd0aac..e002b1a991 100644 --- a/.ci/lib/config.jenkinsfile +++ b/.ci/lib/config.jenkinsfile @@ -12,5 +12,9 @@ env.RA_TLS_ALLOW_HW_CONFIG_NEEDED = '1' env.RA_TLS_ALLOW_SW_HARDENING_NEEDED = '1' env.RA_TLS_ALLOW_DEBUG_ENCLAVE_INSECURE = '1' +if (env.RA_TYPE == null) { + env.RA_TYPE = 'dcap' +} + env.LC_ALL = 'C.UTF-8' env.LANG = env.LC_ALL diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile index 24c31ac54f..fdd74a5d20 100644 --- a/.ci/lib/stage-test-sgx.jenkinsfile 
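Review bot: The new default in `config.jenkinsfile` carries no comment saying why `dcap` is chosen or that a pipeline wanting another type must set `env.RA_TYPE` before loading this file. With the fallbacks removed from `stage-test.jenkinsfile` and `stage-test-sgx.jenkinsfile`, any pipeline that loads those stages without `config.jenkinsfile` would now run with `RA_TYPE` unset; the pipelines visible in this series load the config first, but that ordering has become a requirement. A one-line comment above the `if`, such as `// Default attestation type; override by setting env.RA_TYPE before loading this file.`, would record it.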
+++ b/.ci/lib/stage-test-sgx.jenkinsfile @@ -14,10 +14,6 @@ stage('test-sgx') { fi ''' - if (env.RA_TYPE == null) { - env.RA_TYPE = 'epid' - } - timeout(time: 5, unit: 'MINUTES') { sh ''' cd CI-Examples/helloworld diff --git a/.ci/lib/stage-test.jenkinsfile b/.ci/lib/stage-test.jenkinsfile index a09db4ad2d..c533338fa4 100644 --- a/.ci/lib/stage-test.jenkinsfile +++ b/.ci/lib/stage-test.jenkinsfile @@ -1,8 +1,4 @@ stage('test') { - if (env.RA_TYPE == null) { - env.RA_TYPE = 'epid' - } - timeout(time: 15, unit: 'MINUTES') { try { sh ''' From 96a4637c8db218ad24a45ca7a55cfd20e1304eea Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Wed, 18 Sep 2024 10:55:47 +0200 Subject: [PATCH 04/31] [CI-Examples] busybox: Use system busybox Signed-off-by: Wojtek Porczyk --- .ci/ubuntu20.04.dockerfile | 1 + .ci/ubuntu22.04.dockerfile | 2 + .ci/ubuntu24.04.dockerfile | 2 + CI-Examples/busybox/Makefile | 38 +++---------------- CI-Examples/busybox/busybox.manifest.template | 4 +- 5 files changed, 12 insertions(+), 35 deletions(-) diff --git a/.ci/ubuntu20.04.dockerfile b/.ci/ubuntu20.04.dockerfile index 8c79823ddb..41df60f883 100644 --- a/.ci/ubuntu20.04.dockerfile +++ b/.ci/ubuntu20.04.dockerfile @@ -5,6 +5,7 @@ RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y \ bc \ bison \ build-essential \ + busybox \ cargo \ clang \ cmake \ diff --git a/.ci/ubuntu22.04.dockerfile b/.ci/ubuntu22.04.dockerfile index 0c265be1b0..375468f7ed 100644 --- a/.ci/ubuntu22.04.dockerfile +++ b/.ci/ubuntu22.04.dockerfile @@ -43,7 +43,9 @@ RUN apt-get update && apt-get satisfy -y \ # jq: used in jenkinsfiles # cpio dwarves gcc/g++-12 kmod qemu-kvm: for building kernel modules and running VMs # wget: scripts/download +# busybox: CI-Examples/busybox RUN apt-get update && apt-get install -y \ + busybox \ cargo \ clang \ cmake \ diff --git a/.ci/ubuntu24.04.dockerfile b/.ci/ubuntu24.04.dockerfile index 5fe84ea2ed..8f999216cc 100644 --- a/.ci/ubuntu24.04.dockerfile 
+++ b/.ci/ubuntu24.04.dockerfile @@ -39,7 +39,9 @@ RUN apt-get update && apt-get satisfy -y \ # libunwind8: libos/test/regression/bootstrap_cpp.manifest.template # nginx: CI-Examples/ra-tls-nginx # shellcheck: .ci/run-shellcheck +# busybox: CI-Examples/busybox RUN apt-get update && apt-get install -y \ + busybox \ cmake \ git \ libunwind8 \ diff --git a/CI-Examples/busybox/Makefile b/CI-Examples/busybox/Makefile index 865df78386..d920e8ece6 100644 --- a/CI-Examples/busybox/Makefile +++ b/CI-Examples/busybox/Makefile @@ -1,14 +1,7 @@ # Copyright (C) 2023 Gramine contributors # SPDX-License-Identifier: BSD-3-Clause -ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine) - -SRCDIR = src -BUSYBOX_SHA256 ?= c35d87f1d04b2b153d33c275c2632e40d388a88f19a9e71727e0bbbff51fe689 -BUSYBOX_SRC ?= busybox-1.32.0.tar.bz2 -BUSYBOX_MIRRORS ?= \ - https://busybox.net/downloads \ - https://packages.gramineproject.io/distfiles +BUSYBOX ?= $(shell sh -c 'command -v busybox') ifeq ($(DEBUG),1) GRAMINE_LOG_LEVEL = debug 
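Review bot: `BUSYBOX ?= $(shell sh -c 'command -v busybox')` is used without checking that the lookup found anything, so on a machine without busybox the value is empty and `-Dbusybox=` passes an empty path to the template's `file:{{ busybox }}` entries in `fs.mounts` and `sgx.trusted_files`. The same hunk removes the tarball pinned by `BUSYBOX_SHA256`, so the binary that ends up trusted is now whichever `busybox` is first on `PATH` at build time. A guard right after the assignment makes the failure explicit: `ifeq ($(BUSYBOX),)`, `$(error busybox not found in PATH; set BUSYBOX=/path/to/busybox)`, `endif`.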
@@ -21,31 +14,15 @@ RA_CLIENT_SPID ?= RA_CLIENT_LINKABLE ?= 0 .PHONY: all -all: busybox busybox.manifest +all: busybox.manifest ifeq ($(SGX),1) all: busybox.manifest.sgx busybox.sig endif -$(SRCDIR)/Makefile: - ../common_tools/download --output busybox.tar.bz2 --sha256 $(BUSYBOX_SHA256) \ - $(foreach mirror,$(BUSYBOX_MIRRORS),--url $(mirror)/$(BUSYBOX_SRC)) - mkdir $(SRCDIR) - tar -C $(SRCDIR) --strip-components=1 -xf busybox.tar.bz2 - -$(SRCDIR)/.config: $(SRCDIR)/Makefile - $(MAKE) -C $(SRCDIR) clean - $(MAKE) -C $(SRCDIR) defconfig - # Enable usage of Busybox's built-in applets - sed -e 's/.*CONFIG_FEATURE_SH_STANDALONE.*/CONFIG_FEATURE_SH_STANDALONE=y/' \ - -i $(SRCDIR)/.config - -$(SRCDIR)/busybox: $(SRCDIR)/.config - $(MAKE) -C $(SRCDIR) - -busybox.manifest: busybox.manifest.template busybox +busybox.manifest: busybox.manifest.template gramine-manifest \ + -Dbusybox=$(BUSYBOX) \ -Dlog_level=$(GRAMINE_LOG_LEVEL) \ - -Darch_libdir=$(ARCH_LIBDIR) \ -Dra_type=$(RA_TYPE) \ -Dra_client_spid=$(RA_CLIENT_SPID) \ -Dra_client_linkable=$(RA_CLIENT_LINKABLE) \ @@ -62,10 +39,6 @@ sgx_sign: busybox.manifest --manifest $< \ --output $<.sgx -# Copy Busybox binary to our root directory for simplicity. -busybox: $(SRCDIR)/busybox - cp $(SRCDIR)/busybox busybox - ifeq ($(SGX),) GRAMINE = gramine-direct else @@ -80,8 +53,7 @@ check: all .PHONY: clean clean: - $(RM) *.token *.sig *.manifest.sgx *.manifest busybox OUTPUT + $(RM) *.token *.sig *.manifest.sgx *.manifest OUTPUT .PHONY: distclean distclean: clean - $(RM) -r $(SRCDIR) busybox.tar.bz2 diff --git a/CI-Examples/busybox/busybox.manifest.template b/CI-Examples/busybox/busybox.manifest.template index 2f2ba14c3c..3063fb8c5a 100644 --- a/CI-Examples/busybox/busybox.manifest.template +++ b/CI-Examples/busybox/busybox.manifest.template 
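Review bot: The `busybox.manifest` rule no longer lists the binary as a prerequisite, so nothing in this Makefile is rebuilt when the system busybox changes, for example after a package upgrade. `sgx_sign` depends only on `busybox.manifest`, so an already signed `busybox.manifest.sgx` would presumably keep the hash of the old binary and the enclave would reject the new one until `make clean`. Adding the resolved path restores the dependency: `busybox.manifest: busybox.manifest.template $(BUSYBOX)`.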
@@ -12,7 +12,7 @@ loader.env.LD_LIBRARY_PATH = "/lib" loader.insecure__use_cmdline_argv = true fs.mounts = [ - { path = "/busybox", uri = "file:busybox" }, + { path = "/busybox", uri = "file:{{ busybox }}" }, { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, # hardcoded mappings of local hostnames to IP addresses, required by e.g. `hostname` applet @@ -30,6 +30,6 @@ sgx.ra_client_spid = "{{ ra_client_spid }}" sgx.ra_client_linkable = {{ 'true' if ra_client_linkable == '1' else 'false' }} sgx.trusted_files = [ - "file:busybox", + "file:{{ busybox }}", "file:{{ gramine.runtimedir() }}/", ] From e066b54196cabd4741ca8e85049f4489c88f5e63 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Wed, 25 Sep 2024 11:03:40 +0200 Subject: [PATCH 05/31] [LibOS/tests,CI-Examples] Increase sgx.max_threads to 8 Dmitrii Kuvaiskii explained it this way: 3 threads is nothing, given that: - There is one main app thread - There is one IPC helper thread - There is one Async helper thread - When a pipe is created, another helper thread is created for a brief moment [...] technically 4 is a tight bound. There can't be more than that (at least in the current state of Gramine, until we add more helper threads). 
Signed-off-by: Wojtek Porczyk --- CI-Examples/bash/manifest.template | 2 +- CI-Examples/lighttpd/lighttpd.manifest.template | 2 +- CI-Examples/ra-tls-nginx/nginx.manifest.template | 1 + libos/test/regression/argv_from_file.manifest.template | 1 + libos/test/regression/argv_from_manifest.manifest.template | 1 + libos/test/regression/attestation.manifest.template | 1 + libos/test/regression/debug_log_file.manifest.template | 1 + libos/test/regression/debug_log_inline.manifest.template | 1 + libos/test/regression/device_ioctl.manifest.template | 1 + libos/test/regression/device_ioctl_fail.manifest.template | 1 + libos/test/regression/device_ioctl_parse_fail.manifest.template | 1 + libos/test/regression/device_passthrough.manifest.template | 1 + libos/test/regression/env_from_file.manifest.template | 1 + libos/test/regression/env_from_host.manifest.template | 1 + libos/test/regression/env_passthrough.manifest.template | 1 + libos/test/regression/eventfd_fork.manifest.template | 1 + .../regression/eventfd_fork_allowed_failing.manifest.template | 1 + libos/test/regression/fcntl_lock_child_only.manifest.template | 1 + .../file_check_policy_allow_all_but_log.manifest.template | 1 + .../test/regression/file_check_policy_strict.manifest.template | 1 + libos/test/regression/fork_disallowed.manifest.template | 1 + libos/test/regression/host_root_fs.manifest.template | 1 + .../regression/hostname_extra_runtime_conf.manifest.template | 1 + libos/test/regression/init_fail.manifest.template | 1 + libos/test/regression/init_fail2.manifest.template | 1 + libos/test/regression/large_mmap.manifest.template | 1 + libos/test/regression/mock_syscalls.manifest.template | 1 + libos/test/regression/shadow_pseudo_fs.manifest.template | 1 + libos/test/regression/shm.manifest.template | 1 + libos/test/regression/sysfs_common.manifest.template | 1 + libos/test/regression/toml_parsing.manifest.template | 1 + libos/test/regression/uid_gid.manifest.template | 1 + 32 files changed, 32 
insertions(+), 2 deletions(-) diff --git a/CI-Examples/bash/manifest.template b/CI-Examples/bash/manifest.template index 11ebd8b15b..e4c6fed530 100644 --- a/CI-Examples/bash/manifest.template +++ b/CI-Examples/bash/manifest.template @@ -23,7 +23,7 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enclave_size = "512M" -sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '4' }} +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.trusted_files = [ "file:{{ execdir }}/", diff --git a/CI-Examples/lighttpd/lighttpd.manifest.template b/CI-Examples/lighttpd/lighttpd.manifest.template index 481f0fe429..3022274ebe 100644 --- a/CI-Examples/lighttpd/lighttpd.manifest.template +++ b/CI-Examples/lighttpd/lighttpd.manifest.template @@ -24,7 +24,7 @@ fs.mounts = [ sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} sgx.enclave_size = "256M" -sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '3' }} +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.trusted_files = [ "file:{{ gramine.runtimedir() }}/", diff --git a/CI-Examples/ra-tls-nginx/nginx.manifest.template b/CI-Examples/ra-tls-nginx/nginx.manifest.template index c496b5e597..183c2a2bbf 100644 --- a/CI-Examples/ra-tls-nginx/nginx.manifest.template +++ b/CI-Examples/ra-tls-nginx/nginx.manifest.template @@ -47,6 +47,7 @@ sgx.ra_client_linkable = {{ 'true' if ra_client_linkable else 'false' }} sgx.edmm_enable = {{ "true" if env.get("EDMM", "0") | int > 0 else "false" }} sys.enable_sigterm_injection = true +sgx.max_threads = {{ 1 if env.get("EDMM", "0") | int > 0 else 8 }} sgx.debug = true sgx.trusted_files = [ diff --git a/libos/test/regression/argv_from_file.manifest.template b/libos/test/regression/argv_from_file.manifest.template index bc086bd4ec..9739bdde5b 100644 --- a/libos/test/regression/argv_from_file.manifest.template 
+++ b/libos/test/regression/argv_from_file.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/argv_from_manifest.manifest.template b/libos/test/regression/argv_from_manifest.manifest.template index 147ba14946..81a2107f2c 100644 --- a/libos/test/regression/argv_from_manifest.manifest.template +++ b/libos/test/regression/argv_from_manifest.manifest.template @@ -17,6 +17,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/attestation.manifest.template b/libos/test/regression/attestation.manifest.template index 54c86c1ef3..8c950b332d 100644 --- a/libos/test/regression/attestation.manifest.template +++ b/libos/test/regression/attestation.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/debug_log_file.manifest.template b/libos/test/regression/debug_log_file.manifest.template index af4976c2ed..5ede40df3c 100644 --- a/libos/test/regression/debug_log_file.manifest.template +++ b/libos/test/regression/debug_log_file.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 
diff --git a/libos/test/regression/debug_log_inline.manifest.template b/libos/test/regression/debug_log_inline.manifest.template index 44ed734dc9..e91976b61d 100644 --- a/libos/test/regression/debug_log_inline.manifest.template +++ b/libos/test/regression/debug_log_inline.manifest.template @@ -11,6 +11,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/device_ioctl.manifest.template b/libos/test/regression/device_ioctl.manifest.template index e37dc43d74..f6a79efb33 100644 --- a/libos/test/regression/device_ioctl.manifest.template +++ b/libos/test/regression/device_ioctl.manifest.template @@ -8,6 +8,7 @@ fs.mounts = [ { path = "/dev/gramine_test_dev", uri = "dev:/dev/gramine_test_dev" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.trusted_files = [ diff --git a/libos/test/regression/device_ioctl_fail.manifest.template b/libos/test/regression/device_ioctl_fail.manifest.template index 4da8cb9863..4aae2c3a9d 100644 --- a/libos/test/regression/device_ioctl_fail.manifest.template +++ b/libos/test/regression/device_ioctl_fail.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { path = "/dev/gramine_test_dev", uri = "dev:/dev/gramine_test_dev" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.trusted_files = [ diff --git a/libos/test/regression/device_ioctl_parse_fail.manifest.template b/libos/test/regression/device_ioctl_parse_fail.manifest.template index 906f657664..60037bbc4f 100644 --- a/libos/test/regression/device_ioctl_parse_fail.manifest.template +++ b/libos/test/regression/device_ioctl_parse_fail.manifest.template 
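Review bot: In `device_ioctl.manifest.template` the added `sgx.max_threads` line drops to `1` when `EDMM=1`, but the context after it goes from `sgx.debug = true` straight to `sgx.trusted_files`, without the `sgx.edmm_enable` line that follows `sgx.debug` in the other templates of this patch. If this manifest does not enable EDMM somewhere outside the hunk, an `EDMM=1` run would build a non-EDMM enclave limited to one thread, fewer than the four the commit message calls a tight bound. The same applies to the `device_ioctl_fail` and `device_ioctl_parse_fail` hunks; a plain `sgx.max_threads = 8` would be safer there unless `sgx.edmm_enable` is set in lines not shown.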
@@ -8,6 +8,7 @@ fs.mounts = [ { path = "/dev/gramine_test_dev", uri = "dev:/dev/gramine_test_dev" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.trusted_files = [ diff --git a/libos/test/regression/device_passthrough.manifest.template b/libos/test/regression/device_passthrough.manifest.template index 2c056bccac..50bbe276b9 100644 --- a/libos/test/regression/device_passthrough.manifest.template +++ b/libos/test/regression/device_passthrough.manifest.template @@ -8,6 +8,7 @@ fs.mounts = [ { path = "/dev/host-zero", uri = "dev:/dev/zero" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/env_from_file.manifest.template b/libos/test/regression/env_from_file.manifest.template index dbb9eb3da7..66c624225d 100644 --- a/libos/test/regression/env_from_file.manifest.template +++ b/libos/test/regression/env_from_file.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/env_from_host.manifest.template b/libos/test/regression/env_from_host.manifest.template index ba450019af..5020055c70 100644 --- a/libos/test/regression/env_from_host.manifest.template +++ b/libos/test/regression/env_from_host.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 
diff --git a/libos/test/regression/env_passthrough.manifest.template b/libos/test/regression/env_passthrough.manifest.template index 95d054f186..29d9df8051 100644 --- a/libos/test/regression/env_passthrough.manifest.template +++ b/libos/test/regression/env_passthrough.manifest.template @@ -15,6 +15,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/eventfd_fork.manifest.template b/libos/test/regression/eventfd_fork.manifest.template index 6c9887e436..da5dbd81fb 100644 --- a/libos/test/regression/eventfd_fork.manifest.template +++ b/libos/test/regression/eventfd_fork.manifest.template @@ -9,6 +9,7 @@ fs.mounts = [ sys.insecure__allow_eventfd = true +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/eventfd_fork_allowed_failing.manifest.template b/libos/test/regression/eventfd_fork_allowed_failing.manifest.template index ba50648401..d4886916cf 100644 --- a/libos/test/regression/eventfd_fork_allowed_failing.manifest.template +++ b/libos/test/regression/eventfd_fork_allowed_failing.manifest.template @@ -15,6 +15,7 @@ fs.mounts = [ # because eventfd is in a secure single-process mode (due to commented-out line) #sys.insecure__allow_eventfd = true +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/fcntl_lock_child_only.manifest.template b/libos/test/regression/fcntl_lock_child_only.manifest.template index 202bfe59ed..da56373055 100644 --- a/libos/test/regression/fcntl_lock_child_only.manifest.template 
+++ b/libos/test/regression/fcntl_lock_child_only.manifest.template @@ -11,6 +11,7 @@ fs.mounts = [ fs.insecure__keys.default = "ffeeddccbbaa99887766554433221100" +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template index c2639b80e7..c569c2b26d 100644 --- a/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template +++ b/libos/test/regression/file_check_policy_allow_all_but_log.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/file_check_policy_strict.manifest.template b/libos/test/regression/file_check_policy_strict.manifest.template index 927c148671..04907cae76 100644 --- a/libos/test/regression/file_check_policy_strict.manifest.template +++ b/libos/test/regression/file_check_policy_strict.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/fork_disallowed.manifest.template b/libos/test/regression/fork_disallowed.manifest.template index 6cdb30edb3..2408e58606 100644 --- a/libos/test/regression/fork_disallowed.manifest.template +++ b/libos/test/regression/fork_disallowed.manifest.template 
@@ -13,6 +13,7 @@ fs.mounts = [ # must print a warning: "The app tried to create a subprocess, but this is disabled" sys.disallow_subprocesses = true +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/host_root_fs.manifest.template b/libos/test/regression/host_root_fs.manifest.template index 12f4f9442f..3e2c0e6956 100644 --- a/libos/test/regression/host_root_fs.manifest.template +++ b/libos/test/regression/host_root_fs.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { type = "tmpfs", path = "/etc" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/hostname_extra_runtime_conf.manifest.template b/libos/test/regression/hostname_extra_runtime_conf.manifest.template index 2cdb1c9aa4..8b9eb66514 100644 --- a/libos/test/regression/hostname_extra_runtime_conf.manifest.template +++ b/libos/test/regression/hostname_extra_runtime_conf.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ sys.enable_extra_runtime_domain_names_conf = true +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/init_fail.manifest.template b/libos/test/regression/init_fail.manifest.template index 755f8b1c0a..f58d8f38bc 100644 --- a/libos/test/regression/init_fail.manifest.template +++ b/libos/test/regression/init_fail.manifest.template @@ -9,6 +9,7 @@ fs.mounts = [ { path = "/test", uri = "file:I_DONT_EXIST" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 
diff --git a/libos/test/regression/init_fail2.manifest.template b/libos/test/regression/init_fail2.manifest.template index 2222af6dbd..a225a2dba0 100644 --- a/libos/test/regression/init_fail2.manifest.template +++ b/libos/test/regression/init_fail2.manifest.template @@ -9,6 +9,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/large_mmap.manifest.template b/libos/test/regression/large_mmap.manifest.template index 324b5a0097..28641fc504 100644 --- a/libos/test/regression/large_mmap.manifest.template +++ b/libos/test/regression/large_mmap.manifest.template @@ -12,6 +12,7 @@ fs.mounts = [ ] sgx.enclave_size = "8G" +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/mock_syscalls.manifest.template b/libos/test/regression/mock_syscalls.manifest.template index a6b042f19d..08edf98ec9 100644 --- a/libos/test/regression/mock_syscalls.manifest.template +++ b/libos/test/regression/mock_syscalls.manifest.template @@ -31,6 +31,7 @@ sys.debug__mock_syscalls = [ { name = "clone3", return = -38 }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/shadow_pseudo_fs.manifest.template b/libos/test/regression/shadow_pseudo_fs.manifest.template index b0ab21ac02..a501166c3f 100644 --- a/libos/test/regression/shadow_pseudo_fs.manifest.template +++ b/libos/test/regression/shadow_pseudo_fs.manifest.template 
@@ -13,6 +13,7 @@ fs.mounts = [ { path = "/proc/test/nested/dirs/exec", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/shm.manifest.template b/libos/test/regression/shm.manifest.template index 0d980681d0..11dcea23cc 100644 --- a/libos/test/regression/shm.manifest.template +++ b/libos/test/regression/shm.manifest.template @@ -8,6 +8,7 @@ fs.mounts = [ { type = "untrusted_shm", path = "/dev/shm", uri = "dev:/dev/shm" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/sysfs_common.manifest.template b/libos/test/regression/sysfs_common.manifest.template index 6850246587..bfd1e2c835 100644 --- a/libos/test/regression/sysfs_common.manifest.template +++ b/libos/test/regression/sysfs_common.manifest.template @@ -7,6 +7,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} diff --git a/libos/test/regression/toml_parsing.manifest.template b/libos/test/regression/toml_parsing.manifest.template index a8d99e77d2..c63440736e 100644 --- a/libos/test/regression/toml_parsing.manifest.template +++ b/libos/test/regression/toml_parsing.manifest.template @@ -17,6 +17,7 @@ fs.mounts = [ # the manifest option below added only so that this feature has any test coverage libos.check_invalid_pointers = false +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} 
diff --git a/libos/test/regression/uid_gid.manifest.template b/libos/test/regression/uid_gid.manifest.template index be1afc1a00..e1c48f34e5 100644 --- a/libos/test/regression/uid_gid.manifest.template +++ b/libos/test/regression/uid_gid.manifest.template @@ -10,6 +10,7 @@ fs.mounts = [ { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, ] +sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '8' }} sgx.debug = true sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} From b1101d31ae67e85391e154a2767beb916c34bb5f Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 24 Sep 2024 11:51:37 +0200 Subject: [PATCH 06/31] [CI-Examples] Rework benchmark-http.sh for less external dependencies - Make wrk2 dependency optional. The wrk2 tool adds -R option to wrk tool, however, wrk2 is not packaged for Debian/Ubuntu, but wrk is. If wrk2 is not available, then we can just use vanilla wrk tool. - Convert bc arithmetic to python3 -c. This removes bc dependency in favour of python3, which is always available, because it's a dependency of both Gramine tooling and build system. (POSIX shell arithmetic substitution does not support decimal, so it's not suitable). Signed-off-by: Wojtek Porczyk --- .ci/ubuntu20.04.dockerfile | 2 ++ .ci/ubuntu22.04.dockerfile | 11 ++++++++++ CI-Examples/common_tools/benchmark-http.sh | 25 +++++++++++----------- 3 files changed, 26 insertions(+), 12 deletions(-) diff --git a/.ci/ubuntu20.04.dockerfile b/.ci/ubuntu20.04.dockerfile index 41df60f883..ab6062a0aa 100644 --- a/.ci/ubuntu20.04.dockerfile +++ b/.ci/ubuntu20.04.dockerfile @@ -97,6 +97,8 @@ RUN git clone https://github.com/giltene/wrk2.git \ && cd .. \ && rm -rf wrk2 +ENV REQUESTS=10000 + # NOTE about meson version: we support "0.56 or newer", so in CI we pin to latest patch version of # the earliest supported minor version (pip implicitly installs latest version satisfying the # specification) 
diff --git a/.ci/ubuntu22.04.dockerfile b/.ci/ubuntu22.04.dockerfile index 375468f7ed..955c90d092 100644 --- a/.ci/ubuntu22.04.dockerfile +++ b/.ci/ubuntu22.04.dockerfile @@ -69,4 +69,15 @@ RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 10 && \ update-alternatives --set gcc /usr/bin/gcc-12 && \ update-alternatives --set g++ /usr/bin/g++-12 +# Install wrk2 benchmark. This benchmark is used in `benchmark-http.sh`. +RUN git clone https://github.com/giltene/wrk2.git \ + && cd wrk2 \ + && git checkout 44a94c17d8e6a0bac8559b53da76848e430cb7a7 \ + && make \ + && cp wrk /usr/local/bin \ + && cd .. \ + && rm -rf wrk2 + +ENV REQUESTS=10000 + CMD ["bash"] diff --git a/CI-Examples/common_tools/benchmark-http.sh b/CI-Examples/common_tools/benchmark-http.sh index d5ab90250b..eb2c2d23a3 100755 --- a/CI-Examples/common_tools/benchmark-http.sh +++ b/CI-Examples/common_tools/benchmark-http.sh @@ -3,8 +3,6 @@ # Copyright (C) 2023 Gramine contributors # SPDX-License-Identifier: BSD-3-Clause -# On Ubuntu, this script requires wrk2 tool installed for the wrk binary. -# # Run like: ./benchmark-http.sh host:port # # It also works with HTTPS, e.g., ./benchmark-http.sh https://localhost:8443 @@ -15,11 +13,13 @@ LOOP=${LOOP:-1} DOWNLOAD_HOST=$1 DOWNLOAD_FILE=${DOWNLOAD_FILE:-random/10K.1.html} CONNECTIONS=${CONNECTIONS:-300} -REQUESTS=${REQUESTS:-10000} DURATION=${DURATION:-30} CONCURRENCY_LIST=${CONCURRENCY_LIST:-"1 2 4 8 16 32 64 128 256"} RESULT=result-$(date +%y%m%d-%H%M%S) +# This parameter requires wrk2 tool installed for the wrk binary. +REQUESTS_OPT="${REQUESTS:+-R"$REQUESTS"}" + touch "$RESULT" convert_throughput() { local THROUGHPUT_VAL=0 
@@ -32,11 +32,11 @@ convert_throughput() { if [ -z "$THROUGHPUT_UNIT" ]; then THROUGHPUT=$THROUGHPUT_VAL elif [ "$THROUGHPUT_UNIT" = "k" ]; then - THROUGHPUT=$(bc <<< "$THROUGHPUT_VAL*1000") + THROUGHPUT=$(python3 -c "print($THROUGHPUT_VAL * 1000)") elif [ "$THROUGHPUT_UNIT" = "M" ]; then - THROUGHPUT=$(bc <<< "$THROUGHPUT_VAL*1000000") + THROUGHPUT=$(python3 -c "print($THROUGHPUT_VAL * 1000000)") elif [ "$THROUGHPUT_UNIT" = "G" ]; then - THROUGHPUT=$(bc <<< "$THROUGHPUT_VAL*1000000000") + THROUGHPUT=$(python3 -c "print($THROUGHPUT_VAL * 1000000000)") else THROUGHPUT=0 fi @@ -55,13 +55,13 @@ latency_in_milliseconds() { if [ -z "$LATENCY_UNIT" ] || [ "$LATENCY_UNIT" = "ms" ]; then LATENCY=$LATENCY_VAL elif [ "$LATENCY_UNIT" = "us" ]; then - LATENCY=$(bc <<< "scale=3; $LATENCY_VAL/1000") + LATENCY=$(python3 -c "print($LATENCY_VAL / 1000)") elif [ "$LATENCY_UNIT" = "s" ]; then - LATENCY=$(bc <<< "$LATENCY_VAL*1000") + LATENCY=$(python3 -c "print($LATENCY_VAL * 1000)") elif [ "$LATENCY_UNIT" = "m" ]; then - LATENCY=$(bc <<< "$LATENCY_VAL*1000*60") + LATENCY=$(python3 -c "print($LATENCY_VAL * 1000 * 60)") elif [ "$LATENCY_UNIT" = "h" ]; then - LATENCY=$(bc <<< "$LATENCY_VAL*1000*3600") + LATENCY=$(python3 -c "print($LATENCY_VAL * 1000 * 3600)") else LATENCY=0 fi @@ -75,8 +75,9 @@ do for CONCURRENCY in $CONCURRENCY_LIST do rm -f OUTPUT - echo "wrk -c $CONNECTIONS -d $DURATION -t $CONCURRENCY -R $REQUESTS $DOWNLOAD_HOST/$DOWNLOAD_FILE" - wrk -c "$CONNECTIONS" -d "$DURATION" -t "$CONCURRENCY" -R "$REQUESTS" "$DOWNLOAD_HOST/$DOWNLOAD_FILE" > OUTPUT || exit $? + echo "wrk -c $CONNECTIONS -d $DURATION -t $CONCURRENCY $REQUESTS_OPT $DOWNLOAD_HOST/$DOWNLOAD_FILE" + # shellcheck disable=SC2086 + wrk -c "$CONNECTIONS" -d "$DURATION" -t "$CONCURRENCY" $REQUESTS_OPT "$DOWNLOAD_HOST/$DOWNLOAD_FILE" > OUTPUT || exit $? THROUGHPUT_STR=$(grep -m1 "Req/Sec" OUTPUT | awk '{ print $2 }') THROUGHPUT=$(convert_throughput "$THROUGHPUT_STR") 
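Review bot: In `convert_throughput()` the new lines splice `$THROUGHPUT_VAL` into the Python source text, so whatever the earlier parsing pulled out of the wrk output is evaluated as code instead of being treated as a number. The `latency_in_milliseconds()` hunk does the same with `$LATENCY_VAL`. Passing the value as an argument keeps it data and fails cleanly on a non-numeric string: `THROUGHPUT=$(python3 -c 'import sys; print(float(sys.argv[1]) * 1000)' "$THROUGHPUT_VAL")`. The `us` branch also drops the old `scale=3`, so very small latencies may now print in exponent notation; `print(round(float(sys.argv[1]) / 1000, 3))` would keep a fixed shape. Both function bodies are only partly visible in these hunks, so how the values are extracted cannot be checked here.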
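Review bot: The `# shellcheck disable=SC2086` before the `wrk` call can probably be avoided. With `$REQUESTS_OPT` expanded unquoted, a `REQUESTS` value containing whitespace or glob characters is split or expanded into extra `wrk` arguments. Expanding the option in place keeps its value quoted: `wrk -c "$CONNECTIONS" -d "$DURATION" -t "$CONCURRENCY" ${REQUESTS:+-R "$REQUESTS"} "$DOWNLOAD_HOST/$DOWNLOAD_FILE" > OUTPUT || exit $?`, with the `echo` line changed the same way. That also makes the `REQUESTS_OPT` variable from the first hunk of this file unnecessary. The enclosing loops start outside this hunk.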
From 4286ffc0d773dd633189ba548a7013b02ddaff7e Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 11 Jun 2024 15:23:29 +0200 Subject: [PATCH 07/31] [Meson,CI] Fix check-python-platlib for Python 3.12 And add bookworm (Debian 12) and noble (Ubuntu 24.04 LTS) to check-python-platlib. Signed-off-by: Wojtek Porczyk --- .ci/check-python-platlib-debian12.dockerfile | 11 ++++++++ ...heck-python-platlib-ubuntu24.04.dockerfile | 10 +++++++ .ci/check-python-platlib.jenkinsfile | 2 ++ scripts/get-python-platlib.py | 28 +++++++++++++------ 4 files changed, 42 insertions(+), 9 deletions(-) create mode 100644 .ci/check-python-platlib-debian12.dockerfile create mode 100644 .ci/check-python-platlib-ubuntu24.04.dockerfile diff --git a/.ci/check-python-platlib-debian12.dockerfile b/.ci/check-python-platlib-debian12.dockerfile new file mode 100644 index 0000000000..2b85dd2d34 --- /dev/null +++ b/.ci/check-python-platlib-debian12.dockerfile @@ -0,0 +1,11 @@ +FROM debian:bookworm + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && apt-get install -y \ + python3 \ + python3-distutils \ + python3-setuptools + +COPY scripts/get-python-platlib.py /get-python-platlib.py +RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" diff --git a/.ci/check-python-platlib-ubuntu24.04.dockerfile b/.ci/check-python-platlib-ubuntu24.04.dockerfile new file mode 100644 index 0000000000..9301690ab1 --- /dev/null +++ b/.ci/check-python-platlib-ubuntu24.04.dockerfile @@ -0,0 +1,10 @@ +FROM ubuntu:24.04 + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && apt-get install -y \ + python3 \ + python3-setuptools + +COPY scripts/get-python-platlib.py /get-python-platlib.py +RUN mkdir -p "$(python3 /get-python-platlib.py /usr/local)" diff --git a/.ci/check-python-platlib.jenkinsfile b/.ci/check-python-platlib.jenkinsfile index d7a52a6a44..e648508425 100644 --- a/.ci/check-python-platlib.jenkinsfile +++ b/.ci/check-python-platlib.jenkinsfile 
@@ -2,7 +2,9 @@ node() { checkout scm [ + 'debian12', 'debian11', + 'ubuntu24.04', 'ubuntu22.04', 'ubuntu20.04', 'almalinux9', diff --git a/scripts/get-python-platlib.py b/scripts/get-python-platlib.py index 66b7890a32..c7dba4786e 100755 --- a/scripts/get-python-platlib.py +++ b/scripts/get-python-platlib.py @@ -40,7 +40,8 @@ sure to ``mkdir -p`` all suspected paths; that's also why we can't ``assert`` that result is in ``sys.path``. - PEP-632 deprecates ``distutils`` package (3.10-3.11 ``DeprecationWarning``, - not installed in 3.12). + not installed in 3.12). UPDATE 26.09.2024: Ubuntu 24.04 has Python 3.12 with + no ``distutils``, but setuptools ships vendored copy for now. References ========== 
@@ -53,37 +54,46 @@ ''' import argparse -import distutils.command.install -import distutils.sysconfig -import distutils.util import pathlib import sys import sysconfig +try: + import distutils.command.install as distutils_command_install + import distutils.sysconfig as distutils_sysconfig + import distutils.util as distutils_util +except ImportError: + import setuptools._distutils.command.install as distutils_command_install + import setuptools._distutils.sysconfig as distutils_sysconfig + import setuptools._distutils.util as distutils_util def get_platlib(prefix): is_debian = ( 'deb_system' in sysconfig.get_scheme_names() or - 'deb_system' in distutils.command.install.INSTALL_SCHEMES) + 'deb_system' in distutils_command_install.INSTALL_SCHEMES) # this takes care of `/` at the end, though not `/usr/../usr/local` is_usr_local = pathlib.PurePosixPath(prefix).as_posix() == '/usr/local' if is_debian and is_usr_local: # 1) try sysconfig; it works on bookworm and jammy - platlib1 = sysconfig.get_path('platlib') + try: + platlib1 = sysconfig.get_path('platlib', 'deb_system') + except KeyError: + platlib1 = None + if platlib1 in sys.path: return platlib1 # 2) if system is too old for sysconfig, then distutils should work - return distutils.util.subst_vars( - distutils.command.install.INSTALL_SCHEMES['unix_local']['platlib'], + return distutils_util.subst_vars( + distutils_command_install.INSTALL_SCHEMES['unix_local']['platlib'], { 'platbase': '/usr', 'py_version_short': '.'.join(map(str, sys.version_info[:2])), }) - return distutils.sysconfig.get_python_lib(plat_specific=True, prefix=prefix) + return distutils_sysconfig.get_python_lib(plat_specific=True, prefix=prefix) argparser = argparse.ArgumentParser() From 8d55c81309678a737eb4059ff89d786f0d6b4e62 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Fri, 14 Jun 2024 22:58:31 +0200 Subject: [PATCH 08/31] [CI] Add missing dependencies to ubuntu24.04.dockerfile 
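Review bot: Step 1 of `get_platlib()` now requests the `deb_system` scheme explicitly (`sysconfig.get_path('platlib', 'deb_system')`), where the removed line used the interpreter's default scheme. If `deb_system` describes the distribution-owned dist-packages directory (as the name suggests; not confirmable from this hunk), the `platlib1 in sys.path` test would pass and a `/usr/local` prefix would resolve to a path outside `/usr/local`. The dockerfiles added in this patch only `mkdir -p` the result, so they would not catch that; a prefix check such as `case "$(python3 /get-python-platlib.py /usr/local)" in /usr/local/*) ;; *) exit 1 ;; esac` would. Separately, the `setuptools._distutils` fallback is a private module path and deserves a comment on the `except ImportError:` branch, e.g. `# private setuptools API, may disappear; revisit when the vendored copy is dropped`.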
Signed-off-by: Wojtek Porczyk --- .ci/sgx_default_qcnl.conf | 10 ++++++++ .ci/ubuntu24.04.dockerfile | 51 +++++++++++++++++++++++++++++++++++++- 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 .ci/sgx_default_qcnl.conf diff --git a/.ci/sgx_default_qcnl.conf b/.ci/sgx_default_qcnl.conf new file mode 100644 index 0000000000..ff0827e65d --- /dev/null +++ b/.ci/sgx_default_qcnl.conf @@ -0,0 +1,10 @@ +{ + "local_cache_only": true, + "pccs_url": "https://frackles.telenet.unc.edu:8081/sgx/certification/v4/", + "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/", + "pck_cache_expire_hours": 168, + "retry_delay": 10, + "retry_times": 6, + "use_secure_cert": false, + "verify_collateral_cache_expire_hours": 168 +} diff --git a/.ci/ubuntu24.04.dockerfile b/.ci/ubuntu24.04.dockerfile index 8f999216cc..d6cf927939 100644 --- a/.ci/ubuntu24.04.dockerfile +++ b/.ci/ubuntu24.04.dockerfile 
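Review bot: `"use_secure_cert": false` in the new `.ci/sgx_default_qcnl.conf` makes the quote provider accept a PCCS TLS certificate it cannot validate, and `pccs_url` names one specific external host, so the file is only appropriate for the CI images. JSON cannot carry that rationale, so it belongs above the `COPY .ci/sgx_default_qcnl.conf /etc/sgx_default_qcnl.conf` line in the dockerfiles, for example `# CI-only QCNL config: PCCS certificate is not verified (use_secure_cert=false); do not reuse outside CI`. If that PCCS presents a certificate chaining to a CA the image trusts, `"use_secure_cert": true` would be the safer setting. The commit message could also say why certificate checking is off.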
@@ -37,16 +37,65 @@ RUN apt-get update && apt-get satisfy -y \ # dependencies for various tests, CI-Examples, etc. # git: scripts/gitignore-test (among others) # libunwind8: libos/test/regression/bootstrap_cpp.manifest.template +# musl-tools: for compilation with musl (not done in deb/rpm) # nginx: CI-Examples/ra-tls-nginx # shellcheck: .ci/run-shellcheck # busybox: CI-Examples/busybox +# cargo: CI-Examples/rust +# clang: asan and ubsan builds +# jq: used in jenkinsfiles +# cpio dwarves kmod qemu-kvm: for building kernel modules and running VMs +# wget: scripts/download +# python3-pytest: for running tests +# python3-pytest-xdist: for pytest -n option, to run in parallel +# python3-numpy python3-scipy: imported by script in CI-Examples/python +# gdb: tested in libos suite +# ncat: used in scripts/wait_for_server +# linux-libc-dev: among others, needed to compile busybox (CI-Examples/busybox) +# libomp-dev: needed for libos/test/regression/openmp.c +# libevent-dev: CI-Examples/memcached +# libmemcached-tools: CI-Examples/memcache +# zlib1g-dev: CI-Examples/lighttpd +# wrk: used by CI-Examples/common_tools/benchmark-http.sh +# libssl-dev: CI-Examples/nginx +# sqlite3: CI-Examples/sqlite +# libsgx-*: CI-Examples/ra-tls-* +# curl: CI-Examples/ra-tls-secret-prov RUN apt-get update && apt-get install -y \ busybox \ + cargo \ + clang \ cmake \ + cpio \ + curl \ + dwarves \ + gdb \ git \ + jq \ + kmod \ + libevent-dev \ + libmemcached-tools \ + libomp-dev \ + libsgx-dcap-default-qpl \ + libsgx-dcap-quote-verify-dev \ + libsgx-urts \ + libssl-dev \ libunwind8 \ + linux-libc-dev \ + musl-tools \ + ncat \ nginx \ + python3-numpy \ python3-pytest \ - shellcheck + python3-pytest-xdist \ + python3-scipy \ + qemu-kvm \ + shellcheck \ + sqlite3 \ + wget \ + wrk \ + zlib1g-dev + +COPY .ci/sgx_default_qcnl.conf /etc/sgx_default_qcnl.conf CMD ["bash"] From dd42580f01ad89492782445cfdc0444f3cb51635 Mon Sep 17 00:00:00 2001 
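Review bot: The added comment `# libmemcached-tools: CI-Examples/memcache` names a different directory than the `# libevent-dev: CI-Examples/memcached` line just above it; one of the two is misspelled, presumably the former. The same pair of lines appears in the `.ci/ubuntu22.04.dockerfile` hunk of patch 09. Since these comments are the only record of why each package is installed, I would make both read `# libmemcached-tools: CI-Examples/memcached`.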
From: Wojtek Porczyk Date: Thu, 26 Sep 2024 12:05:03 +0200 Subject: [PATCH 09/31] [CI] Add missing dependencies to ubuntu22.04.dockerfile Signed-off-by: Wojtek Porczyk --- .ci/ubuntu22.04.dockerfile | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/.ci/ubuntu22.04.dockerfile b/.ci/ubuntu22.04.dockerfile index 955c90d092..dd800a7c28 100644 --- a/.ci/ubuntu22.04.dockerfile +++ b/.ci/ubuntu22.04.dockerfile 
@@ -36,32 +36,64 @@ RUN apt-get update && apt-get satisfy -y \ # dependencies for various tests, CI-Examples, etc. # git: scripts/gitignore-test (among others) # libunwind8: libos/test/regression/bootstrap_cpp.manifest.template +# musl-tools: for compilation with musl (not done in deb/rpm) # nginx: CI-Examples/ra-tls-nginx # shellcheck: .ci/run-shellcheck +# busybox: CI-Examples/busybox # cargo: CI-Examples/rust # clang: asan and ubsan builds # jq: used in jenkinsfiles # cpio dwarves gcc/g++-12 kmod qemu-kvm: for building kernel modules and running VMs # wget: scripts/download -# busybox: CI-Examples/busybox +# python3-pytest: for running tests +# python3-pytest-xdist: for pytest -n option, to run in parallel +# python3-numpy python3-scipy: imported by script in CI-Examples/python +# gdb: tested in libos suite +# ncat: used in scripts/wait_for_server +# linux-libc-dev: among others, needed to compile busybox (CI-Examples/busybox) +# libomp-dev: needed for libos/test/regression/openmp.c +# libevent-dev: CI-Examples/memcached +# libmemcached-tools: CI-Examples/memcache +# zlib1g-dev: CI-Examples/lighttpd +# libssl-dev: CI-Examples/nginx +# sqlite3: CI-Examples/sqlite +# libsgx-*: CI-Examples/ra-tls-* +# curl: CI-Examples/ra-tls-secret-prov RUN apt-get update && apt-get install -y \ busybox \ cargo \ clang \ cmake \ cpio \ + curl \ dwarves \ g++-12 \ gcc-12 \ + gdb \ git \ jq \ kmod \ + libevent-dev \ + libmemcached-tools \ + libomp-dev \ + libsgx-dcap-default-qpl \ + libsgx-dcap-quote-verify-dev \ + libsgx-urts \ + libssl-dev \ libunwind8 \ + linux-libc-dev \ + musl-tools \ + ncat \ nginx \ + python3-numpy \ python3-pytest \ + python3-pytest-xdist \ + python3-scipy \ qemu-kvm \ shellcheck \ - wget + sqlite3 \ + wget \ + zlib1g-dev # Kernel on the host machine is built with GCC-12, so we need to set it as default in Docker RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 10 && \ 
@@ -80,4 +112,6 @@ RUN git clone https://github.com/giltene/wrk2.git \ ENV REQUESTS=10000 +COPY .ci/sgx_default_qcnl.conf /etc/sgx_default_qcnl.conf + CMD ["bash"] From 5ebbed37fedcc647836e92286f9ee7ef7b865800 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Fri, 14 Jun 2024 23:05:03 +0200 Subject: [PATCH 10/31] [CI] Increase CI-Examples/python (SGX) timeout to 10 min Signed-off-by: Wojtek Porczyk --- .ci/lib/stage-test-sgx.jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile index fdd74a5d20..a706e3ea9b 100644 --- a/.ci/lib/stage-test-sgx.jenkinsfile +++ b/.ci/lib/stage-test-sgx.jenkinsfile @@ -21,7 +21,7 @@ stage('test-sgx') { make ${MAKEOPTS} check ''' } - timeout(time: 5, unit: 'MINUTES') { + timeout(time: 10, unit: 'MINUTES') { sh ''' cd CI-Examples/python make ${MAKEOPTS} RA_TYPE=$RA_TYPE RA_CLIENT_SPID=${ra_client_spid} From ca2f8746b5df16079c56e3ab732e229190de3638 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Mon, 30 Sep 2024 17:49:25 +0200 Subject: [PATCH 11/31] [LibOS/tests] Fix openmp manifest to add shm tmpfs Based on this suggestion by Dmitrii Kuvaiskii: https://github.com/gramineproject/gramine/discussions/1780#discussioncomment-8589083 Signed-off-by: Wojtek Porczyk --- libos/test/regression/openmp.manifest.template | 1 + 1 file changed, 1 insertion(+) diff --git a/libos/test/regression/openmp.manifest.template b/libos/test/regression/openmp.manifest.template index cfcc63bb41..a723a31f56 100644 --- a/libos/test/regression/openmp.manifest.template +++ b/libos/test/regression/openmp.manifest.template 
@@ -19,6 +19,7 @@ fs.mounts = [ { path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, { path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, { path = "/usr/{{ arch_libdir }}", uri = "file:/usr/{{ arch_libdir }}" }, + { path = "/dev/shm", type = "tmpfs" }, ] sgx.max_threads = {{ '1' if env.get('EDMM', '0') == '1' else '32' }} From edebdf0970c524d19334faa53eac003f32cff7fa Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Mon, 23 Sep 2024 15:15:33 +0200 Subject: [PATCH 12/31] [LibOS/tests] Fix timing issues on certain LTP tests - epoll01: 300 s -> skip - pipe: 30 s -> 60 s - clock_gettime04: disable test 1 Signed-off-by: Wojtek Porczyk --- libos/test/ltp/ltp.cfg | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libos/test/ltp/ltp.cfg b/libos/test/ltp/ltp.cfg index 353bd9c94b..268a2231d4 100644 --- a/libos/test/ltp/ltp.cfg +++ b/libos/test/ltp/ltp.cfg @@ -157,6 +157,16 @@ skip = yes [clock_gettime03] skip = yes +# test #1 calls __vdso__clock_gettime(CLOCK_REALTIME) and checks if the +# difference is <= 5 ms, which it might not be on a VM +[clock_gettime04] +must-pass = + 2 + 3 + 4 + 5 + 6 + # test 10: EOPNOTSUPP expected on CLOCK_THREAD_CPUTIME_ID [clock_nanosleep01] timeout = 40 @@ -247,9 +257,9 @@ skip = yes [dirtyc0w] skip = yes -# very long test, does thousands of forks +# very long test, does thousands of forks, unreliable [epoll01] -timeout = 600 +skip = yes # tries to open /proc/1/stat, which is not implemented in Gramine [epoll_pwait01] @@ -1373,6 +1383,9 @@ skip = yes [pipe03] skip = yes +[pipe04] +timeout = 60 + [pipe07] skip = yes From eaeed2fe03cd517150b34633acd2fda0aa3ab114 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Wed, 2 Oct 2024 17:01:39 +0200 Subject: [PATCH 13/31] [LibOS/tests] Fix ASAN tests on Ubuntu 22.04 Signed-off-by: Wojtek Porczyk --- libos/test/regression/test_libos.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libos/test/regression/test_libos.py b/libos/test/regression/test_libos.py index 73a5f5f300..8a624f1cfa 100644 --- a/libos/test/regression/test_libos.py +++ b/libos/test/regression/test_libos.py @@ -63,7 +63,7 @@ def test_023_asan_stack(self): def _test_asan(self, case, desc): expected_list = [f'asan: {desc}'] if self.has_debug(): - expected_list.append(f'asan: location: run_test_asan_{case} at libos_call.c') + expected_list.append(f'asan: location: run_test_asan_{case} at ') self._test_abort(f'asan_{case}', expected_list) def _test_abort(self, test_name, expected_list): From 0359d62aa750eb4816695746d9dab6a35eeb5dd4 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 8 Oct 2024 11:50:07 +0200 Subject: [PATCH 14/31] [LibOS/tests] Skip certain GDB tests on known buggy GDB Signed-off-by: Wojtek Porczyk --- libos/test/regression/test_libos.py | 9 +++++++++ python/graminelibos/regression.py | 6 ++++++ 2 files changed, 15 insertions(+) diff --git a/libos/test/regression/test_libos.py b/libos/test/regression/test_libos.py index 8a624f1cfa..84a14f9ce3 100644 --- a/libos/test/regression/test_libos.py +++ b/libos/test/regression/test_libos.py @@ -10,6 +10,7 @@ import tomli from graminelibos.regression import ( + GDB_VERSION, HAS_AVX, HAS_EDMM, HAS_SGX, 
@@ -1458,6 +1459,14 @@ def test_010_regs_x86_64(self): xmm0_result = self.find('XMM0 result', stdout) self.assertEqual(xmm0_result, '$4 = 0x4000400040004000') + # There's a bug in gdb introduced somewhere between versions 12 and 13 (and + # still present in 15.x at the time of this writing): When using set + # detach-on-fork off and set schedule-multiple on (which our gramine.gdb + # uses) non-main threads in the parent process get stuck in "tracing stop" + # state after vfork+execve. This test uses gdb and unfortunately triggers + # the bug. + @unittest.skipUnless(GDB_VERSION is not None and GDB_VERSION < (13,), + f'missing or known buggy GDB ({GDB_VERSION=})') def test_020_gdb_fork_and_access_file_bug(self): # To run this test manually, use: # GDB=1 GDB_SCRIPT=fork_and_access_file.gdb gramine-sgx fork_and_access_file diff --git a/python/graminelibos/regression.py b/python/graminelibos/regression.py index 5a966dbd6b..65b3c832a9 100644 --- a/python/graminelibos/regression.py +++ b/python/graminelibos/regression.py @@ -22,6 +22,12 @@ IS_VM = os.environ.get('IS_VM') == '1' ON_X86 = os.uname().machine in ['x86_64'] USES_MUSL = os.environ.get('GRAMINE_MUSL') == '1' +try: + GDB_VERSION = tuple(int(i) if i.isdigit() else i for i in subprocess.check_output( + ['gdb', '-q', '-ex', 'python print(gdb.VERSION)', '-ex', 'q'] + ).strip().decode('ascii').split('.')) +except (subprocess.SubprocessError, OSError): + GDB_VERSION = None def expectedFailureIf(predicate): if predicate: From 2f70b77d67933906b88a77fabc6f25c9d37d5b43 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Wed, 18 Sep 2024 22:24:38 +0200 Subject: [PATCH 15/31] [CI] Fix memcached test harness For some reason memcached-tool sometimes outputs more than 2 lines, which I guess is fine, it means that there is data in the server, so it's working. Signed-off-by: Wojtek Porczyk --- .ci/lib/stage-test-direct.jenkinsfile | 2 +- .ci/lib/stage-test-sgx.jenkinsfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
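Review bot: In the `python/graminelibos/regression.py` hunk, `GDB_VERSION` can end up as a tuple whose first element is a string. If gdb exits successfully but prints nothing on stdout (for example a build without Python scripting, an assumption not visible here), `''.split('.')` yields `('',)`, and the decorator expression `GDB_VERSION < (13,)` in `test_libos.py` then raises `TypeError` while the class body is evaluated. That would make the whole test module fail to import instead of skipping one test. A non-ASCII byte in the output would raise `UnicodeDecodeError`, which the `except` tuple does not cover. Keeping only the leading numeric components and mapping an empty result to `None` avoids both problems, as sketched below.

```python
try:
    _gdb_version_str = subprocess.check_output(
        ['gdb', '-q', '-ex', 'python print(gdb.VERSION)', '-ex', 'q'],
        stdin=subprocess.DEVNULL,
    ).decode('ascii', errors='replace').strip()
    # Keep only the leading all-numeric components, so GDB_VERSION is either a
    # tuple of ints (comparable with (13,)) or None, never a mix of int and str.
    _gdb_version = []
    for _part in _gdb_version_str.split('.'):
        if not _part.isdigit():
            break
        _gdb_version.append(int(_part))
    GDB_VERSION = tuple(_gdb_version) or None
except (subprocess.SubprocessError, OSError):
    GDB_VERSION = None
```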
diff --git a/.ci/lib/stage-test-direct.jenkinsfile b/.ci/lib/stage-test-direct.jenkinsfile index 36a56c4f38..d705d6c18b 100644 --- a/.ci/lib/stage-test-direct.jenkinsfile +++ b/.ci/lib/stage-test-direct.jenkinsfile @@ -60,7 +60,7 @@ stage('test-direct') { # memcslap populates server but doesn't report errors, use # memcached-tool for this (must return two lines of stats) memcslap --servers=127.0.0.1 --concurrency=8 - src/scripts/memcached-tool 127.0.0.1 | wc -l | grep -w "2" + test "$(src/scripts/memcached-tool 127.0.0.1 | wc -l)" -ge 2 ''' } timeout(time: 10, unit: 'MINUTES') { diff --git a/.ci/lib/stage-test-sgx.jenkinsfile b/.ci/lib/stage-test-sgx.jenkinsfile index a706e3ea9b..4154a637cf 100644 --- a/.ci/lib/stage-test-sgx.jenkinsfile +++ b/.ci/lib/stage-test-sgx.jenkinsfile @@ -51,7 +51,7 @@ stage('test-sgx') { # memcslap populates server but doesn't report errors, use # memcached-tool for this (must return two lines of stats) memcslap --servers=127.0.0.1 --concurrency=8 - src/scripts/memcached-tool 127.0.0.1 | wc -l | grep -w "2" + test "$(src/scripts/memcached-tool 127.0.0.1 | wc -l)" -ge 2 ''' } timeout(time: 15, unit: 'MINUTES') { From 66f768259d21d2cda9688c3d4619710dd90f4183 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 1 Oct 2024 14:59:55 +0200 Subject: [PATCH 16/31] [CI-Examples] ra-tls-mbedtls: `tee` the OUTPUT Signed-off-by: Wojtek Porczyk --- CI-Examples/ra-tls-mbedtls/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CI-Examples/ra-tls-mbedtls/Makefile b/CI-Examples/ra-tls-mbedtls/Makefile index db7b7f5d2b..d5f0d0b22f 100644 --- a/CI-Examples/ra-tls-mbedtls/Makefile +++ b/CI-Examples/ra-tls-mbedtls/Makefile 
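Review bot: The context comment directly above the changed line still says `(must return two lines of stats)`, but the new `test "$(src/scripts/memcached-tool 127.0.0.1 | wc -l)" -ge 2` accepts any count of two or more. This applies to both the `stage-test-direct.jenkinsfile` and `stage-test-sgx.jenkinsfile` hunks. I would update the comment in both to `# memcached-tool for this (must return at least two lines of stats)` so the stated pass criterion matches the check.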
@@ -116,8 +116,8 @@ sgx_sign_client_epid: client_epid.manifest check_epid: app epid gramine-sgx server & SERVER_ID=$$!; \ ../../scripts/wait_for_server 60 127.0.0.1 4433; \ - ./client epid > OUTPUT; \ - ./client epid 0 0 0 0 >> OUTPUT; \ + ./client epid | tee OUTPUT; \ + ./client epid 0 0 0 0 | tee -a OUTPUT; \ kill -9 $$SERVER_ID @grep -q "using default SGX-measurement verification callback" OUTPUT && echo "[ Success 1/4 ]" @grep -q "using our own SGX-measurement verification callback" OUTPUT && echo "[ Success 2/4 ]" @@ -136,8 +136,8 @@ check_epid_fail: app epid check_dcap: app dcap gramine-sgx server >/dev/null & SERVER_ID=$$!; \ ../../scripts/wait_for_server 60 127.0.0.1 4433; \ - ./client dcap > OUTPUT; \ - ./client dcap 0 0 0 0 >> OUTPUT; \ + ./client dcap | tee OUTPUT; \ + ./client dcap 0 0 0 0 | tee -a OUTPUT; \ kill -9 $$SERVER_ID @grep -q "using default SGX-measurement verification callback" OUTPUT && echo "[ Success 1/4 ]" @grep -q "using our own SGX-measurement verification callback" OUTPUT && echo "[ Success 2/4 ]" From efc93307acf53db7fcf7005935d0dedec8645192 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Thu, 26 Sep 2024 11:47:11 +0200 Subject: [PATCH 17/31] [CI] Pin old noble and jammy pipelines to correct nodes Fixes: 03a42b0e4d0b ("[CI] Add pipeline for noble (Ubuntu 24.04 LTS)") Fixes: 9d53dde514c8 ("[CI] Add pipeline for jammy (Ubuntu 22.04 LTS)") Signed-off-by: Wojtek Porczyk --- .ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile | 2 +- .ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile b/.ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile index d231533de4..b80f01fee5 100644 --- a/.ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile +++ b/.ci/linux-sgx-ubuntu22.04-gcc-release.jenkinsfile @@ -1,4 +1,4 @@ -node('sgx') { +node('sgx && jammy') { checkout scm env.SGX = '1' 
diff --git a/.ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile b/.ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile index c8a821633c..da291548c4 100644 --- a/.ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile +++ b/.ci/linux-sgx-ubuntu24.04-gcc-release.jenkinsfile @@ -1,4 +1,4 @@ -node('sgx') { +node('sgx && noble') { checkout scm env.SGX = '1' From 4ba3633134a6670a412a427bad4c9aa85b003ca0 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 11 Jun 2024 12:20:27 +0200 Subject: [PATCH 18/31] [CI] Add linux-direct-ubuntu24.04-gcc-debug.jenkinsfile Signed-off-by: Wojtek Porczyk --- ...x-direct-ubuntu24.04-gcc-debug.jenkinsfile | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .ci/linux-direct-ubuntu24.04-gcc-debug.jenkinsfile diff --git a/.ci/linux-direct-ubuntu24.04-gcc-debug.jenkinsfile b/.ci/linux-direct-ubuntu24.04-gcc-debug.jenkinsfile new file mode 100644 index 0000000000..ce9af13597 --- /dev/null +++ b/.ci/linux-direct-ubuntu24.04-gcc-debug.jenkinsfile @@ -0,0 +1,19 @@ +node('plain && noble') { + checkout scm + + load '.ci/lib/config-docker.jenkinsfile' + docker.build( + "local:${env.BUILD_TAG}", + '-f .ci/ubuntu24.04.dockerfile .' + ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") { + load '.ci/lib/config.jenkinsfile' + load '.ci/lib/config-debug.jenkinsfile' + + load '.ci/lib/stage-lint.jenkinsfile' + load '.ci/lib/stage-clean-check-prepare.jenkinsfile' + load '.ci/lib/stage-build-nosgx.jenkinsfile' + load '.ci/lib/stage-test.jenkinsfile' + load '.ci/lib/stage-test-direct.jenkinsfile' + load '.ci/lib/stage-clean-check.jenkinsfile' + } +} From fc6d5d10bbb704d7e0c6f1bf0cc7fcad8ac551f4 Mon Sep 17 00:00:00 2001 From: Wojtek Porczyk Date: Tue, 11 Jun 2024 12:21:03 +0200 Subject: [PATCH 19/31] [CI] Add linux-direct-ubuntu24.04-gcc-release.jenkinsfile 
Signed-off-by: Wojtek Porczyk
---
...direct-ubuntu24.04-gcc-release.jenkinsfile | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .ci/linux-direct-ubuntu24.04-gcc-release.jenkinsfile
diff --git a/.ci/linux-direct-ubuntu24.04-gcc-release.jenkinsfile b/.ci/linux-direct-ubuntu24.04-gcc-release.jenkinsfile
new file mode 100644
index 0000000000..cba634cdbe
--- /dev/null
+++ b/.ci/linux-direct-ubuntu24.04-gcc-release.jenkinsfile
@@ -0,0 +1,19 @@
+node('plain && noble') {
+ checkout scm
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-nosgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-direct.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 00571db0c4af9612029de8f91c2af990a40505b2 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Tue, 11 Jun 2024 12:24:22 +0200
Subject: [PATCH 20/31] [CI] Add linux-sgx-ubuntu24.04-edmm.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
.ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile | 24 ++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile b/.ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile
new file mode 100644
index 0000000000..8b0475b50d
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu24.04-edmm.jenkinsfile
@@ -0,0 +1,24 @@
+node('sgx-edmm && aesni') {
+ checkout scm
+
+ env.AVX = '1' // EDMM-capable machines in our CI always have AVX
+ env.SGX = '1'
+ env.EDMM = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 76f0ed21558f80dd29500f2f1ddd3137afb73714 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Tue, 11 Jun 2024 12:24:24 +0200
Subject: [PATCH 21/31] [CI] Add linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...x-ubuntu24.04-gcc-release-apps.jenkinsfile | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile b/.ci/linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile
new file mode 100644
index 0000000000..c8485976b2
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu24.04-gcc-release-apps.jenkinsfile
@@ -0,0 +1,20 @@
+node('sgx && noble') {
+ checkout scm
+
+ env.SGX = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
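Review bot: `node('sgx-edmm && aesni')` in `linux-sgx-ubuntu24.04-edmm.jenkinsfile` has no `noble` label, while the other 24.04 jobs in this series select on one (`'sgx && noble'`, `'plain && noble'`). The job can therefore be scheduled on any EDMM-capable agent, whatever its host release. The earlier hunk for `linux-sgx-ubuntu24.04-gcc-release.jenkinsfile` changes `node('sgx')` to `node('sgx && noble')`, which suggests the host release matters for SGX jobs; if it does, this line should probably read `node('sgx-edmm && aesni && noble')`. If EDMM agents are deliberately release-agnostic, a short comment on the `node(` line saying so would avoid the question. `linux-sgx-ubuntu22.04-edmm.jenkinsfile` later in the series uses the same label expression and differs only in the dockerfile name.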
From ce6d949f63dde5db3ebf51fd2d1cadee22fedcfa Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Tue, 11 Jun 2024 12:24:25 +0200
Subject: [PATCH 22/31] [CI] Add linux-sgx-ubuntu24.04-musl.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
.ci/linux-sgx-ubuntu24.04-musl.jenkinsfile | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu24.04-musl.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu24.04-musl.jenkinsfile b/.ci/linux-sgx-ubuntu24.04-musl.jenkinsfile
new file mode 100644
index 0000000000..7a2294a4c5
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu24.04-musl.jenkinsfile
@@ -0,0 +1,21 @@
+node('sgx && noble') {
+ checkout scm
+
+ env.SGX = '1'
+ env.GRAMINE_MUSL = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From aa56b6d676d900a7c8ad50f82804ca6f44d068cc Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Tue, 11 Jun 2024 12:24:03 +0200
Subject: [PATCH 23/31] [CI] Add linux-direct-ubuntu24.04-sanitizers.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...-direct-ubuntu24.04-sanitizers.jenkinsfile | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .ci/linux-direct-ubuntu24.04-sanitizers.jenkinsfile
diff --git a/.ci/linux-direct-ubuntu24.04-sanitizers.jenkinsfile b/.ci/linux-direct-ubuntu24.04-sanitizers.jenkinsfile
new file mode 100644
index 0000000000..0cd78fb83b
--- /dev/null
+++ b/.ci/linux-direct-ubuntu24.04-sanitizers.jenkinsfile
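Review bot: `linux-sgx-ubuntu24.04-musl.jenkinsfile` sets `env.SGX = '1'` and loads `stage-build-sgx.jenkinsfile`, yet it loads only `stage-test.jenkinsfile` and never `stage-test-sgx.jenkinsfile`, which the SGX sanitizers and EDMM jobs in this series do load. Nothing in the file says whether that is intended for musl builds, so a reader cannot tell a deliberate exclusion from an omission, and a stage that silently does not run is test coverage nobody notices is missing. A comment next to the `load` lines would settle it, for example `// stage-test-sgx is skipped on purpose for musl: <reason>`. The 22.04 musl job has the same list, and the two `gcc-release-apps` jobs make the opposite choice: they load `stage-test-sgx` but not `stage-test`.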
@@ -0,0 +1,22 @@
+node('plain && noble') {
+ checkout scm
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-clang.jenkinsfile'
+ load '.ci/lib/config-debug.jenkinsfile'
+ load '.ci/lib/config-ubsan.jenkinsfile'
+ load '.ci/lib/config-asan.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-nosgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-direct.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 00a0c3a645e7d9720880aec60612ddaa2fb1dff9 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Tue, 11 Jun 2024 12:24:26 +0200
Subject: [PATCH 24/31] [CI] Add linux-sgx-ubuntu24.04-sanitizers.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...nux-sgx-ubuntu24.04-sanitizers.jenkinsfile | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu24.04-sanitizers.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu24.04-sanitizers.jenkinsfile b/.ci/linux-sgx-ubuntu24.04-sanitizers.jenkinsfile
new file mode 100644
index 0000000000..19280db022
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu24.04-sanitizers.jenkinsfile
@@ -0,0 +1,24 @@
+node('sgx && noble') {
+ checkout scm
+
+ env.SGX = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu24.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-clang.jenkinsfile'
+ load '.ci/lib/config-debug.jenkinsfile'
+ load '.ci/lib/config-ubsan.jenkinsfile'
+ load '.ci/lib/config-asan.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From b27033a9f22904eabdd1c98c29f9c86d4afb37bd Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:13:19 +0200
Subject: [PATCH 25/31] [CI] Add linux-direct-ubuntu22.04-gcc-debug.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...x-direct-ubuntu22.04-gcc-debug.jenkinsfile | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .ci/linux-direct-ubuntu22.04-gcc-debug.jenkinsfile
diff --git a/.ci/linux-direct-ubuntu22.04-gcc-debug.jenkinsfile b/.ci/linux-direct-ubuntu22.04-gcc-debug.jenkinsfile
new file mode 100644
index 0000000000..54539f5c2b
--- /dev/null
+++ b/.ci/linux-direct-ubuntu22.04-gcc-debug.jenkinsfile
@@ -0,0 +1,19 @@
+node('plain && jammy') {
+ checkout scm
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-debug.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-nosgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-direct.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 2f21b89af0acc67be982e4c5f7f60cb372e6c38d Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:13:55 +0200
Subject: [PATCH 26/31] [CI] Add linux-direct-ubuntu22.04-gcc-release.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...direct-ubuntu22.04-gcc-release.jenkinsfile | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .ci/linux-direct-ubuntu22.04-gcc-release.jenkinsfile
diff --git a/.ci/linux-direct-ubuntu22.04-gcc-release.jenkinsfile b/.ci/linux-direct-ubuntu22.04-gcc-release.jenkinsfile
new file mode 100644
index 0000000000..df3ba680af
--- /dev/null
+++ b/.ci/linux-direct-ubuntu22.04-gcc-release.jenkinsfile
@@ -0,0 +1,19 @@
+node('plain && jammy') {
+ checkout scm
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-nosgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-direct.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
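Review bot: Apart from the `jammy` label and `ubuntu22.04.dockerfile`, `linux-direct-ubuntu22.04-gcc-debug.jenkinsfile` repeats `linux-direct-ubuntu24.04-gcc-debug.jenkinsfile` line for line, and the same is true of the other 22.04/24.04 pairs in this series. Any later change to the container arguments, such as the seccomp profile name in `.inside(...)`, then has to be made in every copy, and a missed copy leaves one job running under different settings without a visible failure. If the `load` mechanism used here allows it, keep the two distro-specific values at the top of each file and move the common body into one file under `.ci/lib/`. Otherwise a header comment naming the sibling file, for example `// keep in sync with linux-direct-ubuntu24.04-gcc-debug.jenkinsfile`, would at least make the coupling explicit.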
From 56c5eda7601e1b650fa80508bd5b7d8e4a0e4a34 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:19:25 +0200
Subject: [PATCH 27/31] [CI] Add linux-sgx-ubuntu22.04-edmm.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
.ci/linux-sgx-ubuntu22.04-edmm.jenkinsfile | 24 ++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu22.04-edmm.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu22.04-edmm.jenkinsfile b/.ci/linux-sgx-ubuntu22.04-edmm.jenkinsfile
new file mode 100644
index 0000000000..4920e46124
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu22.04-edmm.jenkinsfile
@@ -0,0 +1,24 @@
+node('sgx-edmm && aesni') {
+ checkout scm
+
+ env.AVX = '1' // EDMM-capable machines in our CI always have AVX
+ env.SGX = '1'
+ env.EDMM = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 082008f180e85cdeab1cd11bf94699d138cce412 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:19:50 +0200
Subject: [PATCH 28/31] [CI] Add linux-sgx-ubuntu22.04-gcc-release-apps.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...x-ubuntu22.04-gcc-release-apps.jenkinsfile | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu22.04-gcc-release-apps.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu22.04-gcc-release-apps.jenkinsfile b/.ci/linux-sgx-ubuntu22.04-gcc-release-apps.jenkinsfile
new file mode 100644
index 0000000000..eb33f693b5
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu22.04-gcc-release-apps.jenkinsfile
@@ -0,0 +1,20 @@
+node('sgx && jammy') {
+ checkout scm
+
+ env.SGX = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From a80418b2fe851995bdcb793dcd744ca0c034ee51 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:20:17 +0200
Subject: [PATCH 29/31] [CI] Add linux-sgx-ubuntu22.04-musl.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
.ci/linux-sgx-ubuntu22.04-musl.jenkinsfile | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu22.04-musl.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu22.04-musl.jenkinsfile b/.ci/linux-sgx-ubuntu22.04-musl.jenkinsfile
new file mode 100644
index 0000000000..42bac382f4
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu22.04-musl.jenkinsfile
@@ -0,0 +1,21 @@
+node('sgx && jammy') {
+ checkout scm
+
+ env.SGX = '1'
+ env.GRAMINE_MUSL = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-release.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From 9fc739a36cbe2124ea93c350f38ef3c4f5803b3a Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:20:52 +0200
Subject: [PATCH 30/31] [CI] Add linux-direct-ubuntu22.04-sanitizers.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...-direct-ubuntu22.04-sanitizers.jenkinsfile | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .ci/linux-direct-ubuntu22.04-sanitizers.jenkinsfile
diff --git a/.ci/linux-direct-ubuntu22.04-sanitizers.jenkinsfile b/.ci/linux-direct-ubuntu22.04-sanitizers.jenkinsfile
new file mode 100644
index 0000000000..a9f0dc3aa4
--- /dev/null
+++ b/.ci/linux-direct-ubuntu22.04-sanitizers.jenkinsfile
@@ -0,0 +1,22 @@
+node('plain && jammy') {
+ checkout scm
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-clang.jenkinsfile'
+ load '.ci/lib/config-debug.jenkinsfile'
+ load '.ci/lib/config-ubsan.jenkinsfile'
+ load '.ci/lib/config-asan.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-nosgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-direct.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}
From cbce3f51e91369b1f9f701881cbe5a106ac72de3 Mon Sep 17 00:00:00 2001
From: Wojtek Porczyk
Date: Thu, 26 Sep 2024 12:21:14 +0200
Subject: [PATCH 31/31] [CI] Add linux-sgx-ubuntu22.04-sanitizers.jenkinsfile
Signed-off-by: Wojtek Porczyk
---
...nux-sgx-ubuntu22.04-sanitizers.jenkinsfile | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .ci/linux-sgx-ubuntu22.04-sanitizers.jenkinsfile
diff --git a/.ci/linux-sgx-ubuntu22.04-sanitizers.jenkinsfile b/.ci/linux-sgx-ubuntu22.04-sanitizers.jenkinsfile
new file mode 100644
index 0000000000..70955f0357
--- /dev/null
+++ b/.ci/linux-sgx-ubuntu22.04-sanitizers.jenkinsfile
@@ -0,0 +1,24 @@
+node('sgx && jammy') {
+ checkout scm
+
+ env.SGX = '1'
+
+ load '.ci/lib/config-docker.jenkinsfile'
+ docker.build(
+ "local:${env.BUILD_TAG}",
+ '-f .ci/ubuntu22.04.dockerfile .'
+ ).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
+ load '.ci/lib/config.jenkinsfile'
+ load '.ci/lib/config-clang.jenkinsfile'
+ load '.ci/lib/config-debug.jenkinsfile'
+ load '.ci/lib/config-ubsan.jenkinsfile'
+ load '.ci/lib/config-asan.jenkinsfile'
+
+ load '.ci/lib/stage-lint.jenkinsfile'
+ load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
+ load '.ci/lib/stage-build-sgx.jenkinsfile'
+ load '.ci/lib/stage-test.jenkinsfile'
+ load '.ci/lib/stage-test-sgx.jenkinsfile'
+ load '.ci/lib/stage-clean-check.jenkinsfile'
+ }
+}