Commit Graph

24 Commits

Author SHA1 Message Date
Nalin Dahyabhai b6098a2c5c internal/mkcw/embed: cross-compile using Go
Use the Go toolchain to cross-compile the "This image is designed to be
run as a confidential workload using libkrun." entrypoint that we add to
confidential workload images.  It's bigger than it was before, but
easier to port and can be built from source every time when desired.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-11-06 10:46:23 -05:00
Nalin Dahyabhai 16680a4dfd modernize: use strings.CutPrefix/SplitSeq/FieldsSeq
Use the CutPrefix(), SplitSeq(), and FieldsSeq() functions from the
strings package when chopping up or iterating over parts of strings, per
golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-09-10 13:11:00 -04:00
Jan Kaluza a0a9ac6380 Switch common, storage and image to monorepo.
Signed-off-by: Jan Kaluza <jkaluza@redhat.com>
2025-08-29 15:04:28 +02:00
Patrick Stoeckle 9f809a88ff chore(typos): fix typos
Signed-off-by: Patrick Stoeckle <patrick.stoeckle@siemens.com>
2025-06-30 15:45:47 +02:00
Kir Kolyshkin 195c6b0c9e internal/mkcw: disable ST1003 warnings
Disable warnings like this one:

> internal/mkcw/workload.go:34:2: ST1003: should not use ALL_CAPS in Go names; use CamelCase instead (staticcheck)
> 	SEV_NO_ES = types.SEV_NO_ES //revive:disable-line:var-naming
> 	^

(

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2025-04-07 13:01:56 -07:00
Nalin Dahyabhai 264f557dbe internal/mkcw.Archive(): use github.com/containers/storage/pkg/ioutils
Use the AtomicWriteFile() from github.com/containers/storage/pkg/ioutils
instead of the one from github.com/docker/docker/pkg/ioutils.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2025-03-05 10:54:36 -05:00
flouthoc aadfc5cf30 unit_test: use Parallel test where possible
Add `t.Parallel()` to unit tests wherever it's possible without a race.

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
2025-02-04 11:07:15 -08:00
Daniel J Walsh adf54cde0e Add support for --security-opt mask and unmask
Fixes: https://github.com/containers/buildah/issues/5881

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-01-07 08:46:48 -05:00
Nalin Dahyabhai fdf1c75cd3 linters: unused arguments shouldn't have names
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-08-07 10:10:35 -04:00
Giuseppe Scrivano 8bdd6a66d4 internal: use fileutils.(Le|E)xists
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2024-04-12 09:58:14 +02:00
Nalin Dahyabhai 89f50af211 internal/mkcw.Archive(): handle extra image content
When we have extra files to add to the image, handle them by adding them
to the upper overlay layer before creating the plaintext filesystem
image.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2024-01-15 09:51:13 -05:00
openshift-merge-bot[bot] b535c90832 Merge pull request #5228 from rhatdan/compress
manifest: addCompression use default from containers.conf
2023-12-18 15:27:03 +00:00
Aditya R 4a9dba6472 manifest: addCompression use default from containers.conf
Replaces: https://github.com/containers/buildah/pull/5014

Signed-off-by: Aditya R <arajan@redhat.com>
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-12-16 06:50:38 -05:00
Nalin Dahyabhai 81435aadcb mkcw: populate the rootfs using an overlay
When using the working container's rootfs to populate a plaintext disk
image with mkfs, instead of writing .krun_config.json to the rootfs and
then removing it afterward (since we don't want it to show up if the
same working container is later committed to a non-confidential-workload
image), mount an overlay filesystem using a temporary directory as the
upper and the rootfs as the lower, create the .krun_config.json file in
the overlay filesystem, and use the overlay filesystem as the source
directory for mkfs.

Add the necessary stubs to allow pkg/overlay to at least compile on
non-Linux systems.  Change the naming scheme for a test so that the path
names it uses for temporary directories don't include "," or "=", which
can confuse the kernel.

Creating confidential workload images will now only be possible on Linux
systems, but we exec'd out to sevctl to read platform certificates, and
that requires kernel support with vendor firmware, so I don't know that
anyone will actually be impacted by the change.

Teach pkg/overlay.MountWithOptions() to accept `nil` as a pointer to a
struct parameter that is otherwise optional.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-12-13 14:06:59 -05:00
Daniel J Walsh 471460018b Ignore errors if label.Relabel returns ENOSUP
This is a common mistake by users and is ignored in some places
but not everywhere. This change will help this to be ignored everywhere.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-11-29 06:54:21 -05:00
Nalin Dahyabhai 3b795dd4bc internal/mkcw/embed/entrypoint.gz: rename to include the arch
Include the arch in the name of the static entrypoint binary, in case we
find ourselves needing to support other architectures in the same area
in the future.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-11-28 16:43:44 -05:00
Aditya R bbb55b8b81 buildah: add heredoc support for RUN, COPY and ADD
The following PR is an attempt to add `Heredoc` support to buildah.

Once this PR is merged, buildah is supposed to honor heredoc syntax while
processing containerfiles.

Expected syntax to work:

```Dockerfile
FROM docker.io/library/python:latest
RUN <<EOF
echo "Hello" >> /hello
echo "World!" >> /hello
EOF

RUN python3 <<EOF
with open("/hello", "w") as f:
    print("Hello", file=f)
    print("Something", file=f)
EOF

RUN ls -a
RUN cat hello
```

Signed-off-by: Aditya R <arajan@redhat.com>
2023-11-17 21:17:52 +05:30
Daniel J Walsh 8f86c5784f Update cirrus and version of golang
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-11-09 14:12:30 -06:00
Daniel J Walsh 3b96b1cafb Use mask definitions from containers/common
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-10-27 13:10:18 -04:00
Valentin Rothberg 02f781b354 container.conf: support attributed string slices
All `[]string`s in containers.conf have now been migrated to attributed
string slices which require some adjustments in Buildah and Podman.

[NO NEW TESTS NEEDED]

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-10-26 15:34:23 +02:00
Valentin Rothberg c536048cac vendor c/common: appendable containers.conf strings, Part 1
This change is the first step of integrating appendable string arrays
into containers.conf and starts with enabling the `Env`, `Mounts`, and
`Volumes` fields in the `[Containers]` table.

Both Buildah and Podman read (and sometimes write) the fields of the
`Config` struct at various places, so I decided to migrate the fields
step-by-step.  The ones in this change are the most critical ones for
customers.  Once all string slices/arrays are migrated, the docs of
containers.conf will be updated.  The current changes are entirely
transparent to users.

[NO NEW TESTS NEEDED]

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2023-10-24 17:00:38 +02:00
Aditya R 9c57af8d14 mkcw: remove entrypoint binaries
Remove generated binaries

[NO NEW TESTS NEEDED]

Signed-off-by: Aditya R <arajan@redhat.com>
2023-10-06 13:19:34 +05:30
Nalin Dahyabhai 5bfc7d9a40 Update some comments related to confidential workload
Add siena and turin to the list of generations in a comment.
Drop a double-whitespace in the middle of a comment sentence.

[NO NEW TESTS NEEDED]

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-10-04 17:04:33 -04:00
Nalin Dahyabhai e89fac6c9b Add `buildah mkcw`, add `--cw` to `buildah commit` and `buildah build`
Add a --cw option to `buildah build` and `buildah commit`, which takes a
comma-separated list of arguments and produces an image laid out for use
as a confidential workload:
  type: sev or snp
  attestation_url: location of a key broker server
  cpus: expected number of virtual CPUs to run with
  memory: expected megabytes of memory to run with
  workload_id: a distinguishing identifier for the key broker server
  ignore_attestation_errors: ignore errors registering the workload
  passphrase: for encrypting the disk image
  slop: extra space to allocate for the disk image

At least one of attestation_url and passphrase must be specified in
order for the encrypted disk image to be decryptable at run-time.  Other
arguments can be omitted.  ignore_attestation_errors is intentionally
undocumented, as it's mainly used to permit some amount of testing on
systems which don't have the required hardware.

Add an `mkcw` top-level command, for converting directly from an image
to a confidential workload.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
2023-09-07 14:05:10 -04:00