kata artifacts file permission fix (#8)

kumara1-intel · web-flow · commit a8d87b97e0d4 · 2025-04-14T21:12:12.000+05:30
* fix kata artifact file permission and ownership

Signed-off-by: Kumar, Anand &lt;anand.kumar@intel.com&gt;
diff --git a/.github/workflows/post-merge-kata-deploy.yaml b/.github/workflows/post-merge-kata-deploy.yaml
@@ -18,7 +18,7 @@ jobs:
     uses: open-edge-platform/orch-ci/.github/workflows/post-merge.yml@main
     with:
       run_security_scans: true
-      run_version_check: true
+      run_version_check: false
       run_build: true
       run_docker_build: true
       run_docker_push: true
diff --git a/REUSE.toml b/REUSE.toml
@@ -35,7 +35,8 @@ path = [
     "venv/**",
     "**.zip",
     ".gitattributes",
-    "**.tar.gz"
+    "**.tar.gz",
+    "**/kata_keeplist.txt"
 ]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2025 Intel Corporation"
diff --git a/helm/trustagent/values.yaml b/helm/trustagent/values.yaml
@@ -75,7 +75,7 @@ config:
     # /opt/kata/bin/qemu-system-x86_64
     # /opt/kata/libexec/virtiofsd
     # /opt/kata/share/defaults/kata-containers/configuration-qemu.toml
-    # /opt/kata/share/kata-containers/vmlinuz-6.12.19-1.emt3
+    # /opt/kata/share/kata-containers/vmlinuz-6.12.20-1.emt3
     # /opt/kata/share/kata-containers/trusted-vm.img
     # /opt/kata/share/kata-qemu/qemu/bios-256k.bin
     # /opt/kata/share/kata-qemu/qemu/efi-virtio.rom
diff --git a/trusted-workload/kata-deploy/Makefile b/trusted-workload/kata-deploy/Makefile
@@ -15,7 +15,7 @@ all: build lint test
 build:
 	@# Help: Runs build stage in all subprojects
 	@echo "---MAKEFILE BUILD---"
-	bash build-kata-deploy-image.sh
+	sudo -E bash build-kata-deploy-image.sh
 	@echo "---END MAKEFILE Build---"
 
 clean:
diff --git a/trusted-workload/kata-deploy/build-kata-deploy-image.sh b/trusted-workload/kata-deploy/build-kata-deploy-image.sh
@@ -33,17 +33,7 @@ KATA_ARTIFACT_NEW_NAME="kata-static.tar.xz"
 KATA_PATCH_DIR="patch/${KATA_CONTAINERS_TAG}"
 KATA_BOOT_COMPONENT_DIR="${KATA_ARTIFACT_DIR}/opt/kata/share/kata-containers"
 KATA_ARTIFACT_KERNEL_NAME="vmlinux.container"
-KATA_ARTIFACT_TOOTFS_NAME="kata-containers.img"
-
-
-KATA_KEEPLIST_FILE_LIST=( "VERSION" "containerd-shim-kata-v2" "kata-agent-ctl" "kata-collect-data.sh" "kata-ctl" "kata-manager" 
-	"kata-manager.sh" "kata-monitor" "kata-runtime" "kata-trace-forwarder" "qemu-system-x86_64" "stratovirt" "fdt.h" "libfdt.h" 
-	"libfdt_env.h" "libfdt.a" "libfdt.pc" "virtiofsd" "oci_config.json" "configuration.toml" "configuration-qemu.toml" 
-	"genpolicy-settings.json" "rules.rego" "root_hash.txt" "bios-256k.bin" "efi-virtio.rom" "kvmvapic.bin" "linuxboot_dma.bin" 
-	"pvh.bin" "versions.yaml" )
-
-KATA_DELETE_FILE_LIST=("runtime-rs" "share/defaults/kata-containers/runtime-rs" "share/kata-qemu/qemu/firmware" "share/kata-qemu-snp-experimental" 
-	"lib/kata-qemu-snp-experimental" "share/ovmf" )
+KATA_ARTIFACT_ROOTFS_NAME="kata-containers.img"
 
 check_file_exists() {
     local file="${1}"
@@ -82,26 +72,12 @@ echo "INFO: Extracting Kata artifacts"
 mkdir -p "${KATA_ARTIFACT_DIR}"
 tar -xf "${KATA_ARTIFACT_FILE_NAME}" -C "${KATA_ARTIFACT_DIR}"
 
-# Iterate over files and symlinks in the directory and remove the files not in the keeplist
-find "${KATA_ARTIFACT_DIR}" -type f -o -type l | while read -r item; do
-  	base_item=$(basename "$item")
-  	if [[ ! " ${KATA_KEEPLIST_FILE_LIST[@]} " =~ " ${base_item} " ]]; then
-		#echo "INFO: Deleting: $item (not in keeplist)"
-		rm -rf "$item"
-  	fi
-done
-
-#iterate over the delete file list and remove the files
-pushd "${KATA_ARTIFACT_DIR}/opt/kata"
-for file in "${KATA_DELETE_FILE_LIST[@]}"; do
-	echo "INFO: Removing ${file}"
-	rm -rf "${file}"
-done
-popd
-
 #check if the boot component directory exists
 check_dir_exists "${KATA_BOOT_COMPONENT_DIR}"
 
+#create bm-agents group if it does not exist
+getent group bm-agents > /dev/null || groupadd -g 500 bm-agents
+
 #copy edge microvisor kernel to the kata artifacts
 echo "INFO: Copying edge microvisor kernel to the Kata artifacts"
 cp "${EDGE_MICROVISOR_SRC}/${EDGE_MICROVISOR_KERNEL}" "${KATA_BOOT_COMPONENT_DIR}"
@@ -117,7 +93,29 @@ cp "${EDGE_MICROVISOR_SRC}/${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR
 #change symlink to point to the new kernel and rootfs
 echo "INFO: Change symlink to point to the new kernel and rootfs"
 ln -sf "${EDGE_MICROVISOR_KERNEL}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_KERNEL_NAME}"
-ln -sf "${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_TOOTFS_NAME}"
+ln -sf "${EDGE_MICROVISOR_ROOTFS}" "${KATA_BOOT_COMPONENT_DIR}/${KATA_ARTIFACT_ROOTFS_NAME}"
+
+# Iterate over all files, directories, clean up unwanted files and directories and set permission and onwership
+chmod 750 "${KATA_ARTIFACT_DIR}/opt/kata"
+chown root:bm-agents "${KATA_ARTIFACT_DIR}/opt/kata"
+
+pushd "${KATA_ARTIFACT_DIR}/opt/kata"
+for file in $(find . -type f -o -type d -o -type l | sed 's|^\./||'); do
+	match=$(awk -v search="$file" '$0 ~ search { print $0; found=1; exit } END { if (!found) print ""; exit }' ../../../kata_keeplist.txt)
+    if [[ -n "$match" ]]; then
+		chown $(echo "$match" | awk '{print $2}') "$file"
+		chmod $(echo "$match" | awk '{print $3}') "$file"
+	else
+		if [[ "$file" == *"$EDGE_MICROVISOR_KERNEL"* ]]; then
+			chown root:bm-agents "$file" && chmod 640 "$file"
+		elif [[ "$file" == *"$EDGE_MICROVISOR_KERNEL_CONFIG"* ]]; then
+			chown root:root "$file" && chmod 600 "$file"
+		else
+			rm -rf "$file"
+		fi
+	fi
+done
+popd
 
 #retar the artifacts
 echo "INFO: Retar the artifacts"
diff --git a/trusted-workload/kata-deploy/kata_keeplist.txt b/trusted-workload/kata-deploy/kata_keeplist.txt
@@ -0,0 +1,49 @@
+bin root:bm-agents 750
+bin/containerd-shim-kata-v2 root:bm-agents 740
+bin/kata-agent-ctl root:root 700
+bin/kata-collect-data.sh root:root 700
+bin/kata-ctl root:root 700
+bin/kata-manager root:root 700
+bin/kata-manager.sh root:root 700
+bin/kata-monitor root:root 700
+bin/kata-runtime root:root 700
+bin/kata-trace-forwarder root:root 700
+bin/stratovirt root:root 700
+bin/qemu-system-x86_64 root:bm-agents 740
+include root:root 600
+include/libfdt_env.h root:root 600
+include/libfdt.h root:root 600
+include/fdt.h root:root 600
+lib root:root 600
+lib/kata-qemu root:root 600
+lib/kata-qemu/libfdt.a root:root 600
+lib/kata-qemu/pkgconfig root:root 600
+lib/kata-qemu/pkgconfig/libfdt.pc root:root 600
+libexec root:bm-agents 750
+libexec/virtiofsd root:bm-agents 740
+share root:bm-agents 750
+share/bash-completion root:root 700
+share/bash-completion/completions root:root 700
+share/bash-completion/completions/kata-runtime root:root 700
+share/defaults root:bm-agents 750
+share/defaults/kata-containers root:bm-agents 750
+share/defaults/kata-containers/rules.rego root:root 600
+share/defaults/kata-containers/genpolicy-settings.json root:root 600
+share/defaults/kata-containers/configuration-qemu.toml root:bm-agents 640
+share/defaults/kata-containers/agent-ctl root:root 600
+share/defaults/kata-containers/agent-ctl/oci_config.json root:root 600
+share/defaults/kata-containers/configuration.toml root:bm-agents 640
+share/kata-containers root:bm-agents 750
+share/kata-containers/trusted-vm.img root:bm-agents 640
+share/kata-containers/root_hash.txt root:root 600
+share/kata-containers/vmlinux.container root:bm-agents 640
+share/kata-containers/kata-containers.img root:bm-agents 640
+share/kata-qemu root:bm-agents 750
+share/kata-qemu/qemu root:bm-agents 750
+share/kata-qemu/qemu/pvh.bin root:bm-agents 640
+share/kata-qemu/qemu/kvmvapic.bin root:bm-agents 640
+share/kata-qemu/qemu/linuxboot_dma.bin root:bm-agents 640
+share/kata-qemu/qemu/bios-256k.bin root:bm-agents 640
+share/kata-qemu/qemu/efi-virtio.rom root:bm-agents 640
+VERSION root:root 600
+versions.yaml root:root 600
