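#!/usr/bin/env bash
#
# Copyright (c) 2024 Microsoft Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Build the UVM guest rootfs and image for the cbl-mariner distro: a pre-built
# kata-agent binary and its systemd units are injected into the rootfs, the
# tarfs kernel module is built and installed into it, and the result is
# packaged either as a dm-verity protected image with IGVM/measurement files
# (CONF_PODS=yes) or as a plain image.
#
# Environment (optional unless stated):
#   AGENT_POLICY_FILE  policy file under src/kata-opa used when CONF_PODS=yes
#                      (default: allow-set-policy.rego)
#   CONF_PODS          "yes" selects the confidential (measured) build
#                      (default: no)
#   IGVM_SVN           value passed as IGVM_SVN to the igvm target (default: 0)
#   UVM_BUILD_MODE     "release" selects IMG_FILE_NAME, anything else selects
#                      IMG_DBG_FILE_NAME (default: release)
#   DEBUG              non-empty enables command tracing (set -x)
#
# Also read, expected to come from common.sh / set_uvm_kernel_vars or the
# caller's environment (TODO confirm against common.sh): AGENT_INSTALL_DIR,
# OS_VERSION, IMG_FILE_NAME, IMG_DBG_FILE_NAME, UVM_KERNEL_HEADER_DIR,
# UVM_KERNEL_VERSION.
#
# Several steps run under sudo because packages are dnf-installed into the
# rootfs and files are copied into it as root.

set -o errexit
set -o pipefail
set -o errtrace
if [[ -n "${DEBUG:-}" ]]; then
  set -x
fi

AGENT_POLICY_FILE="${AGENT_POLICY_FILE:-allow-set-policy.rego}"
CONF_PODS="${CONF_PODS:-no}"
IGVM_SVN="${IGVM_SVN:-0}"
UVM_BUILD_MODE="${UVM_BUILD_MODE:-release}"

script_dir="$(dirname "$(readlink -f "$0")")"
repo_dir="${script_dir}/../../../../"
agent_policy_file_abs="${repo_dir}/src/kata-opa/${AGENT_POLICY_FILE}"
agent_policy_allow_all="${repo_dir}/src/kata-opa/allow-all.rego"

# Resolve common.sh relative to this script instead of relying on bash's
# PATH/cwd lookup for a bare filename, so the helpers always come from the repo.
common_file="${script_dir}/common.sh"
# shellcheck source=/dev/null
source "${common_file}"

# Arguments for the rootfs make target, kept as an array so paths with
# spaces survive. AGENT_SOURCE_BIN makes osbuilder inject the pre-built agent
# binary into the rootfs instead of building it.
rootfs_make_flags=(
  "AGENT_SOURCE_BIN=${AGENT_INSTALL_DIR}/usr/bin/kata-agent"
  "OS_VERSION=${OS_VERSION}"
)
if [[ "${CONF_PODS}" == "yes" ]]; then
  rootfs_make_flags+=(
    "CONF_GUEST=yes"
    "AGENT_POLICY=yes"
    "AGENT_POLICY_FILE=${agent_policy_file_abs}"
  )
else
  # Non-confidential pods get the permissive allow-all policy.
  rootfs_make_flags+=(
    "AGENT_POLICY=yes"
    "AGENT_POLICY_FILE=${agent_policy_allow_all}"
  )
fi

set_uvm_kernel_vars
# The tarfs module build needs the guest kernel headers; fail early and
# loudly instead of letting `make KDIR=` fail later.
if [[ -z "${UVM_KERNEL_HEADER_DIR:-}" ]]; then
  echo "UVM_KERNEL_HEADER_DIR is not set after set_uvm_kernel_vars; aborting" >&2
  exit 1
fi

#######################################
# Remove a previous rootfs build so the next build (e.g. a debug image)
# starts from a clean state with its own set of packages.
# Globals:   PATH (read)
# Outputs:   progress message on stdout
#######################################
clean_rootfs() {
  echo "Cleaning rootfs build"
  pushd tools/osbuilder
  sudo -E PATH="${PATH}" make DISTRO=cbl-mariner clean-rootfs
  popd
}

#######################################
# Build the rootfs with the pre-built agent and the selected policy.
# Globals:   rootfs_make_flags, UVM_BUILD_MODE (read); ROOTFS_PATH (written,
#            absolute path of the built rootfs)
# Outputs:   progress message on stdout
#######################################
build_rootfs() {
  echo "Building ${UVM_BUILD_MODE} rootfs and including pre-built agent binary"
  pushd tools/osbuilder
  # sudo is required because packages are dnf-installed into the rootfs; the
  # later steps (and make clean) need it for the same reason.
  sudo -E PATH="${PATH}" UVM_BUILD_MODE="${UVM_BUILD_MODE}" \
    make "${rootfs_make_flags[@]}" -B DISTRO=cbl-mariner rootfs
  ROOTFS_PATH="$(readlink -f ./cbl-mariner_rootfs)"
  popd
}

#######################################
# Copy the agent's systemd target and service units into the rootfs.
# Globals:   AGENT_INSTALL_DIR, ROOTFS_PATH (read)
# Outputs:   progress message on stdout
#######################################
install_agent_units() {
  local unit_src="${AGENT_INSTALL_DIR}/usr/lib/systemd/system"
  local unit_dst="${ROOTFS_PATH}/usr/lib/systemd/system"
  echo "Installing agent service files into rootfs"
  sudo cp -- "${unit_src}/kata-containers.target" "${unit_dst}/kata-containers.target"
  sudo cp -- "${unit_src}/kata-agent.service" "${unit_dst}/kata-agent.service"
}

#######################################
# Build the tarfs kernel module against the UVM kernel headers and install it
# into the rootfs.
# Globals:   UVM_KERNEL_HEADER_DIR, UVM_KERNEL_VERSION, ROOTFS_PATH (read)
# Outputs:   progress message on stdout
#######################################
build_tarfs_module() {
  echo "Building tarfs kernel driver and installing into rootfs"
  pushd src/tarfs
  make KDIR="${UVM_KERNEL_HEADER_DIR}"
  sudo make KDIR="${UVM_KERNEL_HEADER_DIR}" KVER="${UVM_KERNEL_VERSION}" \
    INSTALL_MOD_PATH="${ROOTFS_PATH}" install
  popd
}

#######################################
# Build a dm-verity protected (measured) image from the rootfs, then the IGVM
# and UVM measurement files.
# Globals:   LOCAL_IMAGE_NAME, IGVM_SVN, UVM_BUILD_MODE, PATH (read)
# Outputs:   progress messages on stdout
#######################################
build_measured_image() {
  echo "Building dm-verity protected image based on rootfs"
  pushd tools/osbuilder
  sudo -E PATH="${PATH}" IMAGE_NAME="${LOCAL_IMAGE_NAME}" \
    make DISTRO=cbl-mariner MEASURED_ROOTFS=yes DM_VERITY_FORMAT=kernelinit image
  popd

  echo "Building IGVM and UVM measurement files"
  pushd tools/osbuilder
  # root_hash.txt is produced by the image step above (as root); it is made
  # world-readable, presumably for non-root consumers of the hash -- confirm.
  sudo chmod o+r root_hash.txt
  sudo make igvm DISTRO=cbl-mariner IMAGE_NAME="${LOCAL_IMAGE_NAME}" \
    IGVM_SVN="${IGVM_SVN}" UVM_BUILD_MODE="${UVM_BUILD_MODE}"
  popd
}

#######################################
# Build a plain (non-measured) image from the rootfs.
# Globals:   LOCAL_IMAGE_NAME, PATH (read)
# Outputs:   progress message on stdout
#######################################
build_plain_image() {
  echo "Building image based on rootfs"
  pushd tools/osbuilder
  sudo -E PATH="${PATH}" IMAGE_NAME="${LOCAL_IMAGE_NAME}" make DISTRO=cbl-mariner image
  popd
}

#######################################
# Run the full UVM build from the repository root.
# Globals:   repo_dir, UVM_BUILD_MODE, CONF_PODS, IMG_FILE_NAME,
#            IMG_DBG_FILE_NAME (read); LOCAL_IMAGE_NAME (written)
#######################################
main() {
  pushd "${repo_dir}"

  if [[ "${UVM_BUILD_MODE}" == "release" ]]; then
    LOCAL_IMAGE_NAME="${IMG_FILE_NAME}"
  else
    LOCAL_IMAGE_NAME="${IMG_DBG_FILE_NAME}"
  fi

  clean_rootfs
  build_rootfs
  install_agent_units
  build_tarfs_module

  if [[ "${CONF_PODS}" == "yes" ]]; then
    build_measured_image
  else
    build_plain_image
  fi

  popd
}

main "$@"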