## Setup

Ensure you have Nix installed. This is a requirement for the following steps.
Consult the [developer docs](/dev-docs/workflows/build-develop-deploy.md) for more info.
At the very least, `nix` should be in your PATH.

## Build

You can build any image using Bazel.
Start by querying the available images:

```sh
bazel query //image/system/...
```

You can either build a group of images (all images for a cloud provider, a stream, ...) or a single image by selecting a target.

```sh
bazel build //image/system:openstack_qemu-vtpm_debug
```

The location of the destination folder can be queried like this:

```sh
bazel cquery --output=files //image/system:openstack_qemu-vtpm_debug
```

## Upload to CSP

Warning! Never set `--version` to a value that is already used for a release image.

<details>
<summary>AWS</summary>

- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
  - `pki_dev` can be used for local image builds
  - `pki_test` is used by the CI for non-release images
  - `pki_prod` is used for release images

```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image aws --verbose --raw-image path/to/constellation.raw --attestation-variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```

</details>

<details>
<summary>GCP</summary>

- Install `gcloud` and `gsutil` (see [here](https://cloud.google.com/sdk/docs/install))
- Login to GCP (see [here](https://cloud.google.com/sdk/docs/authorizing))
- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
  - `pki_dev` can be used for local image builds
  - `pki_test` is used by the CI for non-release images
  - `pki_prod` is used for release images

```sh
export GCP_RAW_IMAGE_PATH=$(realpath path/to/constellation.raw)
export GCP_IMAGE_PATH=path/to/image.tar.gz
# Pack the raw image into the tarball format GCP expects.
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image gcp --verbose --raw-image "${GCP_IMAGE_PATH}" --attestation-variant "sev-es" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```

</details>
<details>
<summary>Azure</summary>

Note:
> For testing purposes, it is a lot simpler to disable Secure Boot for the uploaded image!
> Disabling Secure Boot allows you to skip the VMGS creation steps above.

- Install `az` and `azcopy` (see [here](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli))
- Login to Azure (see [here](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli))
- Optional (if Secure Boot should be enabled): [Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob](#azure-secure-boot)

```sh
export AZURE_RAW_IMAGE_PATH=path/to/constellation.raw
export AZURE_IMAGE_PATH=path/to/image.vhd
# Pack the raw image into the VHD format Azure expects.
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image azure --verbose --raw-image "${AZURE_IMAGE_PATH}" --attestation-variant "cvm" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```

</details>

<details>
<summary>OpenStack</summary>

Note:
> OpenStack is not a global cloud provider, but rather software that can be installed on-premises.
> This means we do not upload the image to a cloud provider, but to our CDN.

- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))

```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image openstack --verbose --raw-image path/to/constellation.raw --attestation-variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```

</details>

<details>
<summary>QEMU</summary>

- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))

```sh
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image qemu --verbose --raw-image path/to/constellation.raw --attestation-variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
```

</details>
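Added here as an example, not code from the Constellation repository: a small POSIX sh wrapper around the upload commands above that derives `--version` from a branch name and refuses any value that is not a `ref/<ref>/stream/<stream>/<semver>` development version, so the warning about release images is enforced rather than remembered. The ref sanitization rule (non-alphanumeric characters become `-`) and the bare-semver form of release versions (e.g. `v2.7.0`) are assumptions, not stated on this page.

```sh
#!/usr/bin/env sh
# Added helper (not part of the Constellation repository).
# Assumed version layout, taken from the examples above:
#   ref/<ref>/stream/<stream>/vX.Y.Z[-suffix]
# Assumption: release images use a bare semver such as v2.7.0, never `ref/...`.

# sanitize_ref BRANCH: map a branch name to the `<ref>` path segment
# (assumed rule: anything outside [A-Za-z0-9-] becomes `-`, edges trimmed).
sanitize_ref() {
  printf '%s\n' "$1" | sed 's/[^A-Za-z0-9-]/-/g; s/^-*//; s/-*$//'
}

# image_version BRANCH STREAM SEMVER: assemble the full --version string.
image_version() {
  printf 'ref/%s/stream/%s/%s\n' "$(sanitize_ref "$1")" "$2" "$3"
}

# is_dev_version VERSION: succeeds only for ref/<ref>/stream/<stream>/vX.Y.Z[-suffix]
# with non-empty ref and stream; a bare release tag like v2.7.0 fails.
is_dev_version() {
  printf '%s\n' "$1" |
    grep -Eq '^ref/[A-Za-z0-9-]+/stream/[A-Za-z0-9-]+/v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.-]+)?$'
}

# upload_image CSP RAW_IMAGE VARIANT VERSION: run the upload only after the
# version passed the check. BAZEL can be overridden (BAZEL=echo gives a dry run).
upload_image() {
  csp=$1; raw=$2; variant=$3; version=$4
  if ! is_dev_version "$version"; then
    echo "refusing to upload: '$version' is not a ref/<ref>/stream/<stream>/<semver> dev version" >&2
    return 1
  fi
  "${BAZEL:-bazel}" run //image/upload -- image "$csp" --verbose \
    --raw-image "$raw" --attestation-variant "$variant" --version "$version"
}

# Usage: derive the version from the current branch and do a dry run first.
# BRANCH=$(git rev-parse --abbrev-ref HEAD)
# BAZEL=echo upload_image qemu path/to/constellation.raw default \
#   "$(image_version "$BRANCH" nightly v2.7.0-pre)"
```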

## Kernel

The Kernel is built from the srpm published under [edgelesssys/constellation-kernel](https://github.com/edgelesssys/constellation-kernel).
We track the latest longterm release, use sources directly from [kernel.org](https://www.kernel.org/) and build the Kernel using the steps specified in the srpm spec file.
After building a Kernel rpm, we upload it to our CDN and use it in our image builds.