Remove all traces of CoreOS from the codebase

Malte Poll 2022-10-21 10:16:44 +02:00 committed by Malte Poll
parent 35e2267cf9
commit 743f5fa627
39 changed files with 117 additions and 799 deletions


@ -1,6 +1,6 @@
name: Constellation create
description: |
Create a new Constellation cluster using latest CoreOS image.
Create a new Constellation cluster using latest OS image.
inputs:
workerNodesCount:
description: "Number of worker nodes to spawn."
@ -17,11 +17,11 @@ inputs:
machineType:
description: "Machine type of VM to spawn."
required: false
coreosImage:
description: "CoreOS image to use. The default value 'debug-latest' will select the latest available debug image."
osImage:
description: "OS image to use. The default value 'debug-latest' will select the latest available debug image."
required: true
isDebugImage:
description: "Is CoreOS img a debug img?"
description: "Is OS img a debug img?"
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
@ -74,23 +74,23 @@ runs:
run: |
case $CSP in
azure)
if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
then
IMAGE_DEFINITION=$(az sig image-definition list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --query "[].name" -o tsv | sort --version-sort | tail -n 1)
AZURE_IMAGE=$(az sig image-version list --resource-group constellation-images --gallery-name Constellation_Debug_CVM --gallery-image-definition ${IMAGE_DEFINITION} --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table | tail -n 1)
else
AZURE_IMAGE=${{ inputs.coreosImage }}
AZURE_IMAGE=${{ inputs.osImage }}
fi
yq eval -i "(.provider.azure.image) = \"${AZURE_IMAGE}\"" constellation-conf.yaml
;;
gcp)
if [ "${{ inputs.coreosImage == 'debug-latest' }}" = true ]
if [ "${{ inputs.osImage == 'debug-latest' }}" = true ]
then
GCP_IMAGE_NAME=$(gcloud compute images list --project constellation-images --filter="name ~ constellation-\d{10} AND family~constellation-debug-v\d+-\d+-\d+" --sort-by=creationTimestamp --format="table(name)" | tail -n 1)
GCP_IMAGE="projects/constellation-images/global/images/${GCP_IMAGE_NAME}"
else
GCP_IMAGE=${{ inputs.coreosImage }}
GCP_IMAGE=${{ inputs.osImage }}
fi
yq eval -i "(.provider.gcp.image) = \"${GCP_IMAGE}\"" constellation-conf.yaml
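Review bot: The renamed input is still expanded verbatim into the shell script at `AZURE_IMAGE=${{ inputs.osImage }}` and `GCP_IMAGE=${{ inputs.osImage }}` (and in the two `if` tests above them), so the osImage string — a workflow_dispatch string input in the callers shown later on this page — is substituted into the script text before the step runs rather than handled as data. Since the commit already rewrites each of these lines, it is the natural moment to pass the value through the step's `env:` and read it as a quoted variable, e.g. `env: OS_IMAGE: ${{ inputs.osImage }}` on the step and `AZURE_IMAGE="$OS_IMAGE"` / `GCP_IMAGE="$OS_IMAGE"` in the script, with the `debug-latest` comparison done in shell on that same variable. The `run:` block and its step header continue outside the hunk in both directions, so the place to add `env:` is not visible here. The later sections only forward `osImage` between action inputs, which does not have this issue.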


@ -13,12 +13,12 @@ inputs:
machineType:
description: "VM machine type. Make sure it matches selected cloud provider!"
required: false
coreosImage:
description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
osImage:
description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
default: "debug-latest"
required: true
isDebugImage:
description: "Is CoreOS img a debug img?"
description: "Is OS img a debug img?"
default: "true"
required: true
kubernetesVersion:
@ -93,7 +93,7 @@ runs:
workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }}
machineType: ${{ inputs.machineType }}
coreosImage: ${{ inputs.coreosImage }}
osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
azureClientSecret: ${{ inputs.azureClientSecret }}


@ -4,11 +4,11 @@ inputs:
cloudProvider:
description: "Which cloud provider to use."
required: true
coreosImage:
description: "CoreOS image to run. The default value 'debug-latest' will select the latest available debug image."
osImage:
description: "OS image to run. The default value 'debug-latest' will select the latest available debug image."
required: true
isDebugImage:
description: "Is CoreOS img a debug img?"
description: "Is OS img a debug img?"
required: true
workerNodesCount:
description: "Number of worker nodes to spawn."
@ -87,7 +87,7 @@ runs:
workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }}
machineType: ${{ inputs.machineType }}
coreosImage: ${{ inputs.coreosImage }}
osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
azureClientSecret: ${{ inputs.azureClientSecret }}


@ -107,7 +107,7 @@ For information on how to achieve this, refer to the [First steps](https://docs.
## Image versions
The [build-coreos](../workflows/build-coreos.yml) workflow can be used to trigger an image build.
The [build-os-image](../workflows/build-os-image.yml) workflow can be used to trigger an image build.
The workflow can be used to build debug or release images.
A debug image uses [`debugd`](../../debugd/) as its bootstrapper binary, while release images use the actual [`bootstrapper`](../../bootstrapper/)


@ -20,6 +20,5 @@ Development components:
Additional repositories:
* [constellation-fedora-coreos-config](https://github.com/edgelesssys/constellation-fedora-coreos-config): CoreOS build configuration with changes for Constellation
* [constellation-azuredisk-csi-driver](https://github.com/edgelesssys/constellation-azuredisk-csi-driver): Azure CSI driver with encryption on node
* [constellation-gcp-compute-persistent-disk-csi-driver](https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver): GCP CSI driver with encryption on node


@ -12,11 +12,8 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
# push upstream via PR
```
3. On the [CoreOS config repo](https://github.com/edgelesssys/constellation-fedora-coreos-config), create two new branches `release/v1.3`, `stream/v1.3` (new minor version) or use the existing ones (new patch version).
The release branch contains the squashed changeset and is branched from main while the stream branch contains the rebased changesets on top of the latest upstream changes.
[Consult this guide on rebasing forks (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/rebasing_forks.md#managing-release-branches) on how to create those two branches.
4. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
5. On this branch, prepare the following things:
3. Create a new branch `release/v1.3` (new minor version) or use the existing one (new patch version)
4. On this branch, prepare the following things:
1. (new patch version) `cherry-pick` (only) the required commits from `main`
2. Use [Build micro-service manual](https://github.com/edgelesssys/constellation/actions/workflows/build-micro-service-manual.yml) and run the pipeline once for each micro-service with the following parameters:
* branch: `release/v1.3`
@ -55,10 +52,10 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
2. Create a new block for unreleased changes
5. Update project version in [CMakeLists.txt](/CMakeLists.txt) to `1.3.0` (without v).
6. When the microservice builds are finished update versions in [versions.go](../../internal/versions/versions.go#L33-L39) to `v1.3.0`, **add the container hashes** and **push your changes**.
7. Create a [production coreOS image](/.github/workflows/build-coreos.yml)
7. Create a [production OS image](/.github/workflows/build-coreos.yml)
```sh
gh workflow run build-coreos.yml --ref release/v$minor -F debug=false -F coreOSConfigBranch=release/v$minor -F imageVersion=v$ver
gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver
```
8. Update [default images in config](/internal/config/images_enterprise.go)
@ -66,17 +63,17 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
```sh
sono='--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F sonobuoyTestSuiteCmd="$sono" -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F sonobuoyTestSuiteCmd="$sono" -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
```
10. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images on each CSP.
```sh
gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F coreosImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F coreosImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=azure -F osImage=/CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$ver -F isDebugImage=false
gh workflow run generate-measurements.yml --ref release/v$minor -F cloudProvider=gcp -F osImage=projects/constellation-images/global/images/constellation-v$gcpVer -F isDebugImage=false
```
11. Create a new tag on this release branch
@ -92,14 +89,14 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers
```
* The previous step will create a draft release. Check build output for link to draft release. Review & approve.
6. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
7. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
8. Milestones management
5. Follow [export flow (INTERNAL)](https://github.com/edgelesssys/wiki/blob/master/documentation/constellation/customer-onboarding.md#manual-export-and-import) to make image available in S3 for trusted launch users.
6. To bring updated version numbers and other changes (if any) to main, create a new branch `feat/release` from `release/v1.3`, rebase it onto main, and create a PR to main
7. Milestones management
1. Create a new milestone for the next release
2. Add the next release manager and an approximate release date to the milestone description
3. Close the milestone for the release
4. Move open issues and PRs from closed milestone to next milestone
9. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
8. If the release is a minor version release, create an empty commit on main and tag it as the start of the next pre-release phase.
```sh
nextMinorVer=$(echo $ver | awk -F. -v OFS=. '{$2 += 1 ; print}')
git checkout main


@ -1,6 +0,0 @@
This folder contains a template for deploying a builder for CoreOS on GCP.
## Manually start a builder instance
```
gcloud compute instances create coreos-builder --enable-nested-virtualization --zone=us-central1-c --boot-disk-size 64GB --machine-type=n2-highmem-4 --image-project="ubuntu-os-cloud" --image="ubuntu-2110-impish-v20220118" --metadata-from-file=user-data=cloud-init.txt
```


@ -1,37 +0,0 @@
#cloud-config
users:
- default
- name: github-actions-runner-user
groups: docker
sudo: ALL=(ALL) NOPASSWD:ALL
homedir: /home/github-actions-runner-user
package_update: true
packages:
- git
- cryptsetup
- build-essential
- libguestfs-tools
- ca-certificates
- curl
- gnupg
- lsb-release
- jq
- pv
runcmd:
- [sudo, chmod, "+r", "/boot/vmlinuz*"]
- [/bin/bash, -c, "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg"]
- [/bin/bash, -c, "echo \"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\" | tee /etc/apt/sources.list.d/docker.list > /dev/null "]
- [apt-get, update]
- [apt-get, install, -y, docker-ce, docker-ce-cli, containerd.io, libssl-dev, pigz]
- [chmod, 666, /dev/kvm]
- [mkdir, -p, /actions-runner]
- [curl, -o, "/actions-runner/actions-runner-linux-x64-2.286.1.tar.gz", -L, "https://github.com/actions/runner/releases/download/v2.286.1/actions-runner-linux-x64-2.286.1.tar.gz"]
- [/bin/bash, -c, "cd /actions-runner && tar xzf /actions-runner/actions-runner-linux-x64-2.286.1.tar.gz"]
- [sed, -i, "s:# insert anything to setup env when running as a service:export HOME=/home/github-actions-runner-user:", runsvc.sh]
- [chown, -R, github-actions-runner-user:github-actions-runner-user, /actions-runner]
- [sudo, -u, github-actions-runner-user, /bin/bash, -c, "cd /actions-runner && /actions-runner/config.sh --url https://github.com/edgelesssys/constellation --ephemeral --labels nested-virt --replace --unattended --token $(curl -u api:$(gcloud secrets versions access latest --secret=constellation-images-coreos-builder-github-token) -X POST -H 'Accept: application/vnd.github.v3+json' https://api.github.com/repos/edgelesssys/constellation/actions/runners/registration-token | jq -r .token)"]
- [/bin/bash, -c, "cd /actions-runner && ./svc.sh install"]
- [/bin/bash, -c, "systemctl enable --now actions.runner.edgelesssys-constellation.$(hostname).service"]


@ -1,205 +0,0 @@
import os
import sys
import re
import hmac
import hashlib
import random
import string
import google.cloud.compute_v1 as compute_v1
LABEL="nested-virt"
AUTH_TOKEN_ENV="COREOS_BUILDER_WORKFLOW_FUNCTION_TOKEN"
SA_EMAIL="constellation-cos-builder@constellation-331613.iam.gserviceaccount.com"
SA_SCOPES=[
"https://www.googleapis.com/auth/compute",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/cloud-platform",
]
def workflow_job(request):
"""Responds to https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_job
Args:
request (flask.Request): HTTP request object.
Returns:
The response text or any set of values that can be turned into a
Response object using
`make_response <http://flask.pocoo.org/docs/1.0/api/#flask.Flask.make_response>`.
"""
allow, reason = authorize(request)
if not allow:
return f'unauthorized: {reason}'
request_json = request.get_json()
if request_json and 'action' in request_json:
if request_json['action'] == 'queued':
return job_queued(request_json['workflow_job'])
elif request_json['action'] == 'completed':
return job_completed(request_json['workflow_job'])
elif request_json['action'] == 'in_progress':
return f'nothing to do here'
else:
return f'invalid message format'
def authorize(request) -> (bool, str) :
correct_token = os.environ.get(AUTH_TOKEN_ENV)
if correct_token is None:
return False, 'correct token not set'
correct_hmac = 'sha256=' + hmac.new(correct_token.encode('utf-8'), request.get_data(), hashlib.sha256).hexdigest()
request_hmac = request.headers.get('X-Hub-Signature-256')
if request_hmac is None:
return False, 'X-Hub-Signature-256 not set'
if correct_hmac == request_hmac:
return True, ''
else:
return False, f'X-Hub-Signature-256 incorrect'
def job_queued(workflow_job) -> str:
if not LABEL in workflow_job['labels']:
return f'unexpected job labels: {workflow_job["labels"]}'
cloud_init = generate_cloud_init()
instance_uid = ''.join(random.choice(string.ascii_lowercase + string.digits) for i in range(6))
try:
create_instance(metadata={'user-data': cloud_init}, instance_name=f'coreos-builder-{instance_uid}')
except Exception as e:
return f'creating instance failed: {e}'
return 'success'
def job_completed(workflow_job) -> str:
if not LABEL in workflow_job['labels']:
return f'unexpected job labels: {workflow_job["labels"]}'
instance_name = workflow_job["runner_name"]
try:
delete_instance(machine_name=instance_name)
except Exception as e:
return f'deleting instance failed: {e}'
return 'success'
def generate_cloud_init() -> str:
with open("cloud-init.txt", "r") as f:
cloud_init = f.read()
return cloud_init
def create_instance(
metadata: dict[str, str],
project_id: str = 'constellation-331613',
zone: str = 'us-central1-c',
instance_name: str = 'coreos-builder',
machine_type: str = "n2-highmem-4",
source_image: str = "projects/ubuntu-os-cloud/global/images/family/ubuntu-2004-lts",
network_name: str = "global/networks/default",
disk_size_gb: int = 64,
enable_nested_virtualization: bool = True,
service_accounts: list[compute_v1.ServiceAccount] = [compute_v1.ServiceAccount(email=SA_EMAIL, scopes=SA_SCOPES)],
) -> compute_v1.Instance:
"""
Send an instance creation request to the Compute Engine API and wait for it to complete.
Args:
project_id: project ID or project number of the Cloud project you want to use.
zone: name of the zone you want to use. For example: us-west3-b
instance_name: name of the new virtual machine.
machine_type: machine type of the VM being created. This value uses the
following format: "zones/{zone}/machineTypes/{type_name}".
For example: "zones/europe-west3-c/machineTypes/f1-micro"
source_image: path to the operating system image to mount on your boot
disk. This can be one of the public images
(like "projects/debian-cloud/global/images/family/debian-10")
or a private image you have access to.
network_name: name of the network you want the new instance to use.
For example: "global/networks/default" represents the `default`
network interface, which is created automatically for each project.
Returns:
Instance object.
"""
instance_client = compute_v1.InstancesClient()
operation_client = compute_v1.ZoneOperationsClient()
# Describe the size and source image of the boot disk to attach to the instance.
disk = compute_v1.AttachedDisk()
initialize_params = compute_v1.AttachedDiskInitializeParams()
initialize_params.source_image = (
source_image
)
initialize_params.disk_size_gb = disk_size_gb
disk.initialize_params = initialize_params
disk.auto_delete = True
disk.boot = True
disk.type_ = "PERSISTENT"
# Use the network interface provided in the network_name argument.
network_interface = compute_v1.NetworkInterface()
network_interface.name = network_name
network_interface.access_configs = [compute_v1.AccessConfig()]
# Collect information into the Instance object.
instance = compute_v1.Instance()
instance.name = instance_name
instance.disks = [disk]
if re.match(r"^zones/[a-z\d\-]+/machineTypes/[a-z\d\-]+$", machine_type):
instance.machine_type = machine_type
else:
instance.machine_type = f"zones/{zone}/machineTypes/{machine_type}"
instance.network_interfaces = [network_interface]
# Enable nested virtualization if requested
advanced_machine_features = compute_v1.AdvancedMachineFeatures()
advanced_machine_features.enable_nested_virtualization = enable_nested_virtualization
instance.advanced_machine_features = advanced_machine_features
metadata_items = [compute_v1.Items(key=k, value=v) for k, v in metadata.items()]
metadata = compute_v1.Metadata(items=metadata_items)
instance.metadata = metadata
# set service accounts.
instance.service_accounts = service_accounts
# Prepare the request to insert an instance.
request = compute_v1.InsertInstanceRequest()
request.zone = zone
request.project = project_id
request.instance_resource = instance
# Wait for the create operation to complete.
print(f"Creating the {instance_name} instance in {zone}...")
operation = instance_client.insert_unary(request=request)
while operation.status != compute_v1.Operation.Status.DONE:
operation = operation_client.wait(
operation=operation.name, zone=zone, project=project_id
)
if operation.error:
print("Error during creation:", operation.error, file=sys.stderr)
if operation.warnings:
print("Warning during creation:", operation.warnings, file=sys.stderr)
print(f"Instance {instance_name} created.")
return instance
def delete_instance(
project_id: str = 'constellation-331613',
zone: str = 'us-central1-c',
machine_name: str = 'coreos-builder',
) -> None:
"""
Send an instance deletion request to the Compute Engine API and wait for it to complete.
Args:
project_id: project ID or project number of the Cloud project you want to use.
zone: name of the zone you want to use. For example: us-west3-b
machine_name: name of the machine you want to delete.
"""
instance_client = compute_v1.InstancesClient()
operation_client = compute_v1.ZoneOperationsClient()
print(f"Deleting {machine_name} from {zone}...")
operation = instance_client.delete_unary(
project=project_id, zone=zone, instance=machine_name
)
while operation.status != compute_v1.Operation.Status.DONE:
operation = operation_client.wait(
operation=operation.name, zone=zone, project=project_id
)
if operation.error:
print("Error during deletion:", operation.error, file=sys.stderr)
if operation.warnings:
print("Warning during deletion:", operation.warnings, file=sys.stderr)
print(f"Instance {machine_name} deleted.")
return


@ -1,136 +0,0 @@
name: Build and Upload CoreOS image
on:
workflow_dispatch:
inputs:
coreOSConfigBranch:
description: "Branch of CoreOS config repo to build from"
default: "main"
required: false
imageVersion:
description: "Semantic version including patch e.g. v<major>.<minor>.<patch> (only used for releases)"
required: false
debug:
description: "Build debug image"
type: boolean
default: false
required: false
jobs:
build-coreos-image:
name: "Build CoreOS using customized COSA"
runs-on: [self-hosted, linux, nested-virt]
permissions:
contents: read
packages: read
env:
SHELL: /bin/bash
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
with:
submodules: recursive
token: ${{ secrets.CI_GITHUB_REPOSITORY }}
- name: Install build packages
id: install-packages
uses: ./.github/actions/setup_linux
- name: Setup Go environment
uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
with:
go-version: "1.19.2"
- name: Build bootstrapper
if: ${{ inputs.debug == false }}
uses: ./.github/actions/build_bootstrapper
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build debugd
if: ${{ inputs.debug == true }}
uses: ./.github/actions/build_debugd
with:
outputPath: ${{ github.workspace }}/build/bootstrapper
- name: Build disk-mapper
uses: ./.github/actions/build_disk_mapper
with:
outputPath: ${{ github.workspace }}/build/disk-mapper
- name: Determine version
id: version
uses: ./.github/actions/pseudo_version
- name: Log in to the Container registry
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install AzCopy
shell: bash
run: |
wget -q https://aka.ms/downloadazcopy-v10-linux -O azcopy.tar.gz
tar --strip-components 1 -xf azcopy.tar.gz
rm azcopy.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
- name: Login to Azure
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # tag=v1.4.6
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Store GH token to be mounted by cosa
shell: bash
run: echo "machine github.com login api password ${{ secrets.CI_GITHUB_REPOSITORY }}" > /tmp/.netrc
# Make sure to set valid names for GCP and Azure
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
# image version has to be semantic version in the form <uint>.<uint>.<uint> . uint may not be larger than 2,147,483,647
#
# GCP
# image family and image name may include lowercase alphanumeric characters and dashes. Must not end or begin with a dash
- name: Configure input variables
shell: bash
run: |
timestamp=${{ steps.version.outputs.timestamp }}
semver=${{ steps.version.outputs.semanticVersion }}
imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "azureImageName=constellation-${pseudover//./-}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "gcpImageName=constellation-${imageVersion//./-}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation" >> $GITHUB_ENV
echo "azureGalleryName=Constellation" >> $GITHUB_ENV
echo "azureImageDefinition=constellation" >> $GITHUB_ENV
echo "azureImageVersion=${imageVersion:1}" >> $GITHUB_ENV
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation-debug-${semver//./-}" >> $GITHUB_ENV
echo "azureGalleryName=Constellation_Debug" >> $GITHUB_ENV
echo "azureImageDefinition=${semver}" >> $GITHUB_ENV
echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
else
echo "gcpImageName=constellation-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
echo "gcpImageFamily=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
echo "azureGalleryName=Constellation_Testing" >> $GITHUB_ENV
echo "azureImageDefinition=${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
echo "azureImageVersion=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
fi
- name: Build and Upload
id: build-and-upload
shell: bash
run: |
make cosa-image
make -j$(nproc) CONTAINER_ENGINE=docker NETRC=/tmp/.netrc \
COSA_INIT_BRANCH="${{ inputs.coreOSConfigBranch }}" \
GCP_IMAGE_NAME="${{ env.gcpImageName }}" GCP_IMAGE_FAMILY="${{ env.gcpImageFamily }}" \
AZURE_IMAGE_DEFINITION="${{ env.azureImageDefinition }}" AZURE_IMAGE_VERSION="${{ env.azureImageVersion }}" AZURE_GALLERY_NAME="${{ env.azureGalleryName }}" AZURE_IMAGE_NAME="${{ env.azureImageName }}"\
image-gcp image-azure upload-gcp upload-azure
working-directory: ${{ github.workspace }}/image


@ -27,13 +27,13 @@ on:
description: "Kubernetes version to create the cluster from."
default: "1.24"
required: true
coreosImage:
description: "CoreOS image (full path). Examples are in internal/config/config.go."
osImage:
description: "OS image (full path). Examples are in internal/config/config.go."
default: "debug-latest"
type: string
required: true
isDebugImage:
description: "Is CoreOS image a debug image?"
description: "Is OS image a debug image?"
type: boolean
default: true
required: false
@ -127,7 +127,7 @@ jobs:
kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
coreosImage: ${{ github.event.inputs.coreosImage }}
osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }}
- name: Always terminate cluster


@ -27,12 +27,12 @@ on:
description: "Kubernetes version to create the cluster from."
default: "1.24"
required: true
coreosImage:
description: "CoreOS image (full path). Examples are in internal/config/config.go."
osImage:
description: "OS image (full path). Examples are in internal/config/config.go."
default: "debug-latest"
required: false
isDebugImage:
description: "Is CoreOS image a debug image?"
description: "Is OS image a debug image?"
type: boolean
default: true
required: false
@ -89,7 +89,7 @@ jobs:
kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
coreosImage: ${{ github.event.inputs.coreosImage }}
osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }}
- name: Always terminate cluster


@ -11,12 +11,12 @@ on:
- "gcp"
default: "gcp"
required: true
coreosImage:
description: "CoreOS image (full path). Examples are in internal/config/config.go."
osImage:
description: "OS image (full path). Examples are in internal/config/config.go."
type: string
required: true
isDebugImage:
description: "Is CoreOS image a debug image?"
description: "Is OS image a debug image?"
type: boolean
required: true
@ -56,7 +56,7 @@ jobs:
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
coreosImage: ${{ github.event.inputs.coreosImage }}
osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }}
cosignPublicKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
cosignPrivateKey: ${{ startsWith(github.ref, 'refs/heads/release/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}


@ -1 +0,0 @@
build


@ -1,34 +0,0 @@
# dm-verity patch for CoreOS assembler
Constellation uses CoreOS as a base for OS images. While the images are mostly unmodified and can be built using the upstream CoreOS assembler, small modifications to the assembler are required to support dm-verity for the root filesystem.
Checkout the CoreOS assembler source code [from the upstream repo](https://github.com/coreos/coreos-assembler) using the commit ID specified in the [Makefile](Makefile)
```shell-session
make clone
```
Apply the patch:
```shell-session
make patch
```
Now you can make changes to the coreos-assembler and compile it using the included `Dockerfile`:
```shell-session
make containerimage
```
Once you are done, create a new patch file (within `3rdparty/coreos-assembler/build/coreos-assembler`):
```shell-session
git diff HEAD^ > ../../verity.patch
```
## Building the CoreOS assembler container image
```shell-session
make
```
The resulting container image will be tagged as `localhost/coreos-assembler`.


@ -1,28 +0,0 @@
CONTAINER_RUNTIME ?= docker
IMAGENAME ?= localhost/coreos-assembler
IMAGETAG ?= latest
UPSTREAM ?= https://github.com/coreos/coreos-assembler
COMMIT ?= 2dd33ddc36e6b9e1cc01ee0740f29020d203ceb2
SRC_PATH = $(CURDIR)
BASE_PATH ?= $(SRC_PATH)
BUILDDIR ?= $(BASE_PATH)/build
CLONEDIR ?= $(BUILDDIR)/coreos-assembler
.PHONY: all clone patch containerimage clean
all: clone patch containerimage
clone:
@mkdir -p $(BUILDDIR)
git clone $(UPSTREAM) $(CLONEDIR)
cd $(CLONEDIR) && git checkout $(COMMIT)
patch:
cd $(CLONEDIR) && patch --verbose -p1 < $(BASE_PATH)/verity.patch
containerimage:
cd $(CLONEDIR) && $(CONTAINER_RUNTIME) build -t $(IMAGENAME):$(IMAGETAG) -f Dockerfile .
clean:
rm -rf $(BUILDDIR)


@ -1,232 +0,0 @@
diff --git a/Dockerfile b/Dockerfile
index 80c008a2d..329171970 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,3 +38,12 @@ RUN chmod g=u /etc/passwd
# run as `builder` user
USER builder
ENTRYPOINT ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"]
+
+# Constellation start
+USER root
+
+RUN dnf -y update && \
+ dnf install -y veritysetup && \
+ dnf clean all
+
+USER builder
+# Constellation end
diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go
index d4d5eafa7..20f156315 100644
--- a/mantle/platform/qemu.go
+++ b/mantle/platform/qemu.go
@@ -449,7 +449,7 @@ type QemuBuilder struct {
func NewQemuBuilder() *QemuBuilder {
ret := QemuBuilder{
Firmware: "bios",
- Swtpm: true,
+ Swtpm: false,
Pdeathsig: true,
Argv: []string{},
}
diff --git a/src/cosalib/qemuvariants.py b/src/cosalib/qemuvariants.py
index 8d57803b1..cdad6aeba 100644
--- a/src/cosalib/qemuvariants.py
+++ b/src/cosalib/qemuvariants.py
@@ -81,7 +81,7 @@ VARIANTS = {
"image_suffix": "tar.gz",
"gzip": True,
"convert_options": {
- '-o': 'preallocation=off'
+ '-o': 'preallocation=full'
},
"tar_members": [
"disk.raw"
diff --git a/src/create_disk.sh b/src/create_disk.sh
index 61d52cd96..fa3fe1655 100755
--- a/src/create_disk.sh
+++ b/src/create_disk.sh
@@ -188,6 +188,7 @@ set -x
SDPART=1
BOOTPN=3
ROOTPN=4
+VERITYHASHPN=5
# Make the size relative
if [ "${rootfs_size}" != "0" ]; then
rootfs_size="+${rootfs_size}"
@@ -201,7 +202,8 @@ case "$arch" in
-n 1:0:+1M -c 1:BIOS-BOOT -t 1:21686148-6449-6E6F-744E-656564454649 \
-n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk"
;;
aarch64)
@@ -212,7 +214,8 @@ case "$arch" in
-n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
-n ${EFIPN}:0:+127M -c ${EFIPN}:EFI-SYSTEM -t ${EFIPN}:C12A7328-F81F-11D2-BA4B-00A0C93EC93B \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk"
;;
s390x)
@@ -222,6 +225,7 @@ case "$arch" in
-n ${SDPART}:0:+200M -c ${SDPART}:se -t ${SDPART}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
else
# NB: in the bare metal case when targeting ECKD DASD disks, this
# partition table is not what actually gets written to disk in the end:
@@ -231,7 +235,8 @@ case "$arch" in
-U "${uninitialized_gpt_uuid}" \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
fi
sgdisk -p "$disk"
;;
ppc64le)
@@ -243,7 +248,8 @@ case "$arch" in
-n ${PREPPN}:0:+4M -c ${PREPPN}:PowerPC-PReP-boot -t ${PREPPN}:9E1A2D38-C612-4316-AA26-8B49521E5A8B \
-n ${RESERVEDPN}:0:+1M -c ${RESERVEDPN}:reserved -t ${RESERVEDPN}:8DA63339-0007-60C0-C436-083AC8230908 \
-n ${BOOTPN}:0:+384M -c ${BOOTPN}:boot \
- -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4
+ -n ${ROOTPN}:0:"${rootfs_size}" -c ${ROOTPN}:root_raw -A ${ROOTPN}:set:60 -A ${ROOTPN}:set:63 -t ${ROOTPN}:0FC63DAF-8483-4772-8E79-3D69D8477DE4 \
+ -n ${VERITYHASHPN}:0:+32M -c ${VERITYHASHPN}:root_verity
sgdisk -p "$disk"
;;
esac
@@ -251,10 +257,11 @@ esac
udevtrig
zipl_dev="${disk}${SDPART}"
boot_dev="${disk}${BOOTPN}"
root_dev="${disk}${ROOTPN}"
+hash_dev="${disk}${VERITYHASHPN}"
bootargs=
# If the bootfs_metadata_csum_seed image.yaml knob is set to true then
# we'll enable the metadata_csum_seed filesystem feature. This is
# gated behind an image.yaml knob because support for this feature
@@ -305,17 +315,17 @@ case "${rootfs_type}" in
# And reflinks are *very* useful for the container stack with overlayfs (and in general).
# So basically, we're choosing performance over half-implemented security.
# Eventually, we'd like both - once XFS gains verity (probably not too hard),
# we could unconditionally enable it there.
# shellcheck disable=SC2086
- mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+ mkfs.ext4 -b "$(getconf PAGE_SIZE)" -O verity -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
;;
btrfs)
# shellcheck disable=SC2086
- mkfs.btrfs -L root "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
+ mkfs.btrfs -L root_raw "${root_dev}" -U "${rootfs_uuid}" ${rootfs_args}
;;
xfs|"")
# shellcheck disable=SC2086
- mkfs.xfs "${root_dev}" -L root -m reflink=1 -m uuid="${rootfs_uuid}" ${rootfs_args}
+ mkfs.xfs "${root_dev}" -L root_raw -m reflink=1 -m uuid="${rootfs_uuid}" -s "size=4096" ${rootfs_args}
;;
*)
echo "Unknown rootfs_type: $rootfs_type" 1>&2
@@ -536,11 +428,10 @@ s390x)
esac
ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
-# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
-# https://github.com/ostreedev/ostree/issues/1265
-ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+# constellation: setting readonly to false interestingly stops ostree from remounting anything as rw
+ostree config --repo $rootfs/ostree/repo set sysroot.readonly false
# enable support for GRUB password
if [ "${bootloader_backend}" = "none" ]; then
ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi
@@ -542,15 +548,16 @@ s390x)
# enable support for GRUB password
if [ "${bootloader_backend}" = "none" ]; then
ostree config --repo $rootfs/ostree/repo set sysroot.bls-append-except-default 'grub_users=""'
fi
-touch $rootfs/boot/ignition.firstboot
+# constellation: do not enable ignition on first boot
+# touch $rootfs/boot/ignition.firstboot
# Finally, add the immutable bit to the physical root; we don't
# expect people to be creating anything there. A use case for
# OSTree in general is to support installing *inside* the existing
# root of a deployed OS, so OSTree doesn't do this by default, but
# we have no reason not to enable it here. Administrators should
# generally expect that state data is in /etc and /var; if anything
# else is in /sysroot it's probably by accident.
chattr +i $rootfs
@@ -557,10 +564,21 @@ chattr +i $rootfs
fstrim -a -v
# Ensure the filesystem journals are flushed
-for fs in $rootfs/boot $rootfs; do
+mount -o remount,ro $rootfs/boot
+for fs in $rootfs; do
mount -o remount,ro $fs
xfs_freeze -f $fs
done
umount -R $rootfs
rmdir $rootfs
+
+# setup dm-verity and disable audit logs
+veritysetup_out=$(veritysetup format "${root_dev}" "${hash_dev}")
+verity_root_hash=$(echo "${veritysetup_out}" | grep 'Root hash:' | sed --expression='s/Root hash:\s*//g')
+bootfs_mount=/tmp/boot
+rm -rf "${bootfs_mount}"
+mkdir -p "${bootfs_mount}"
+mount "${disk}${BOOTPN}" "${bootfs_mount}"
+sed -i -e "s/^options .*/\0 audit=0 verity.sysroot=${verity_root_hash}/g" "${bootfs_mount}/loader.1/entries/ostree-1-fedora-coreos.conf"
+umount "${bootfs_mount}"
diff --git a/src/gf-fsck b/src/gf-fsck
index 2d07eca2a..46c137672 100755
--- a/src/gf-fsck
+++ b/src/gf-fsck
@@ -28,7 +28,7 @@ for pt in $partitions; do
done
# And fsck the main rootfs
-root=$(coreos_gf findfs-label root)
+root=$(coreos_gf findfs-label root_raw)
coreos_gf debug sh "fsck.xfs -f -n ${root}"
coreos_gf_shutdown
diff --git a/src/libguestfish.sh b/src/libguestfish.sh
index 82cfcf86e..635fb9eaa 100755
--- a/src/libguestfish.sh
+++ b/src/libguestfish.sh
@@ -64,7 +64,7 @@ coreos_gf_run_mount() {
shift
fi
coreos_gf_run "$@"
- root=$(coreos_gf findfs-label root)
+ root=$(coreos_gf findfs-label root_raw)
coreos_gf ${mntarg} "${root}" /
local boot
boot=$(coreos_gf findfs-label boot)
diff --git a/src/vmdeps.txt b/src/vmdeps.txt
index 6c6045840..ddbece267 100644
--- a/src/vmdeps.txt
+++ b/src/vmdeps.txt
@@ -27,5 +27,8 @@ gdisk xfsprogs e2fsprogs dosfstools btrfs-progs
# needed for basic CA support
ca-certificates
tar
+
+# dm-verity
+veritysetup


@ -42,7 +42,7 @@ Encrypting your K8s is good for:
### 🔍 Everything verifiable
* "Whole cluster" [attestation][cluster-attestation] based on the remote-attestation feature of CVMs
* Confidential computing-optimized [node images][images] based on Fedora CoreOS; fully measured and integrity-protected
* Confidential computing-optimized [node images][images]; fully measured and integrity-protected
* [Supply chain protection][supply-chain] with [sigstore](https://www.sigstore.dev/)
### 🚀 Performance and scale


@ -109,7 +109,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to create cloud controller manager")
}
clusterInitJoiner = kubernetes.New(
"gcp", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), cloudControllerManager,
"gcp", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), cloudControllerManager,
&gcpcloud.CloudNodeManager{}, &gcpcloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
)
openTPM = vtpm.OpenVTPM
@ -142,7 +142,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
}
clusterInitJoiner = kubernetes.New(
"azure", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata),
"azure", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), azurecloud.NewCloudControllerManager(metadata),
&azurecloud.CloudNodeManager{}, &azurecloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
)
@ -163,7 +163,7 @@ func main() {
log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
}
clusterInitJoiner = kubernetes.New(
"qemu", k8sapi.NewKubernetesUtil(), &k8sapi.CoreOSConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
"qemu", k8sapi.NewKubernetesUtil(), &k8sapi.KubdeadmConfiguration{}, kubectl.New(), &qemucloud.CloudControllerManager{},
&qemucloud.CloudNodeManager{}, &qemucloud.Autoscaler{}, metadata, pcrsJSON, helmClient,
)
metadataAPI = metadata
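Review bot: The new type name `KubdeadmConfiguration` on the three `kubernetes.New(...)` lines misspells kubeadm, and since this commit is the one introducing the identifier, correcting it now avoids a second repo-wide rename later. The same spelling is defined and used in the k8sapi hunks that follow (the struct and its `InitConfiguration`/`JoinConfiguration` receivers) and in their tests, where the local `kubdeadmConfig` in `TestJoinConfiguration` carries the typo while the other test functions use `kubeadmConfig`. I would name the type `KubeadmConfiguration` and the locals `kubeadmConfig` throughout. The enclosing `main` function starts and ends outside these hunks.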


@ -38,7 +38,7 @@ type Client struct {
// New creates a new client with the given logger.
func New(log *logger.Logger) (*Client, error) {
settings := cli.New()
settings.KubeConfig = constants.CoreOSAdminConfFilename
settings.KubeConfig = constants.ControlPlaneAdminConfFilename
actionConfig := &action.Configuration{}
if err := actionConfig.Init(settings.RESTClientGetter(), constants.HelmNamespace,
@ -83,7 +83,7 @@ func (h *Client) installCiliumAzure(ctx context.Context, release helm.Release, k
}
func (h *Client) installlCiliumGCP(ctx context.Context, kubectl k8sapi.Client, release helm.Release, nodeName, nodePodCIDR, subnetworkPodCIDR, kubeAPIEndpoint string) error {
out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.CoreOSAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
out, err := exec.CommandContext(ctx, constants.KubectlPath, "--kubeconfig", constants.ControlPlaneAdminConfFilename, "patch", "node", nodeName, "-p", "{\"spec\":{\"podCIDR\": \""+nodePodCIDR+"\"}}").CombinedOutput()
if err != nil {
err = errors.New(string(out))
return err
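Review bot: The rewritten `exec.CommandContext` line in `installlCiliumGCP` still assembles the node patch by concatenating `nodePodCIDR` into a JSON string literal, so an unexpected character in the CIDR (a quote or backslash) yields an invalid or different patch instead of an error. Building the body with `json.Marshal(map[string]map[string]string{"spec": {"podCIDR": nodePodCIDR}})` produces the same bytes for well-formed input and makes malformed input fail loudly; this assumes `encoding/json` is, or can be, imported in this file. Where `nodePodCIDR` originates is not visible in the hunk, so I cannot say whether it is ever externally influenced. The function continues outside the hunk.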


@ -29,9 +29,9 @@ const (
auditPolicyPath = "/etc/kubernetes/audit-policy.yaml"
)
type CoreOSConfiguration struct{}
type KubdeadmConfiguration struct{}
func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
func (c *KubdeadmConfiguration) InitConfiguration(externalCloudProvider bool, k8sVersion versions.ValidK8sVersion) KubeadmInitYAML {
var cloudProvider string
if externalCloudProvider {
cloudProvider = "external"
@ -171,7 +171,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
}
}
func (c *CoreOSConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
func (c *KubdeadmConfiguration) JoinConfiguration(externalCloudProvider bool) KubeadmJoinYAML {
var cloudProvider string
if externalCloudProvider {
cloudProvider = "external"


@ -22,17 +22,17 @@ func TestMain(m *testing.M) {
}
func TestInitConfiguration(t *testing.T) {
coreOSConfig := CoreOSConfiguration{}
kubeadmConfig := KubdeadmConfiguration{}
testCases := map[string]struct {
config KubeadmInitYAML
}{
"CoreOS init config can be created": {
config: coreOSConfig.InitConfiguration(true, versions.Default),
"kubeadm init config can be created": {
config: kubeadmConfig.InitConfiguration(true, versions.Default),
},
"CoreOS init config with all fields can be created": {
"kubeadm init config with all fields can be created": {
config: func() KubeadmInitYAML {
c := coreOSConfig.InitConfiguration(true, versions.Default)
c := kubeadmConfig.InitConfiguration(true, versions.Default)
c.SetAPIServerAdvertiseAddress("192.0.2.0")
c.SetNodeIP("192.0.2.0")
c.SetNodeName("node")
@ -60,7 +60,7 @@ func TestInitConfiguration(t *testing.T) {
}
func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
coreOSConfig := CoreOSConfiguration{}
kubeadmConfig := KubdeadmConfiguration{}
testCases := map[string]struct {
config KubeadmInitYAML
@ -68,11 +68,11 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
wantErr bool
}{
"Kubeadm accepts version 'Latest'": {
config: coreOSConfig.InitConfiguration(true, versions.Default),
config: kubeadmConfig.InitConfiguration(true, versions.Default),
expectedVersion: fmt.Sprintf("v%s", versions.VersionConfigs[versions.Default].PatchVersion),
},
"Kubeadm receives incompatible version": {
config: coreOSConfig.InitConfiguration(true, "1.19"),
config: kubeadmConfig.InitConfiguration(true, "1.19"),
wantErr: true,
},
}
@ -92,17 +92,17 @@ func TestInitConfigurationKubeadmCompatibility(t *testing.T) {
}
func TestJoinConfiguration(t *testing.T) {
coreOSConfig := CoreOSConfiguration{}
kubdeadmConfig := KubdeadmConfiguration{}
testCases := map[string]struct {
config KubeadmJoinYAML
}{
"CoreOS join config can be created": {
config: coreOSConfig.JoinConfiguration(true),
"kubeadm join config can be created": {
config: kubdeadmConfig.JoinConfiguration(true),
},
"CoreOS join config with all fields can be created": {
"kubeadm join config with all fields can be created": {
config: func() KubeadmJoinYAML {
c := coreOSConfig.JoinConfiguration(true)
c := kubdeadmConfig.JoinConfiguration(true)
c.SetAPIServerEndpoint("192.0.2.0:6443")
c.SetNodeIP("192.0.2.0")
c.SetNodeName("node")


@ -71,7 +71,7 @@ func (u *Upgrader) Upgrade(ctx context.Context, image string, measurements map[u
// GetCurrentImage returns the currently used image of the cluster.
func (u *Upgrader) GetCurrentImage(ctx context.Context) (*unstructured.Unstructured, string, error) {
imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-coreos")
imageStruct, err := u.imageUpdater.getCurrent(ctx, "constellation-os")
if err != nil {
return nil, "", err
}
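Review bot: `getCurrent(ctx, "constellation-os")` hard-codes the NodeImage resource name that the operator constants hunk at the end of this commit also defines as `NodeImageResourceName = "constellation-os"`; the lookup only works while the two strings stay equal, and the commit keeps them in sync by hand. If the CLI can import the package that declares that constant, use it here instead of the literal; if it cannot, a comment such as `// must match the operator's NodeImageResourceName` on this line at least documents the coupling. The enclosing `GetCurrentImage` continues outside the hunk.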


@ -307,8 +307,8 @@ type upgradePlanFlags struct {
}
type imageManifest struct {
AzureImage string `json:"AzureCoreOSImage"`
GCPImage string `json:"GCPCoreOSImage"`
AzureImage string `json:"AzureOSImage"`
GCPImage string `json:"GCPOSImage"`
}
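Review bot: Renaming the JSON tags to `AzureOSImage`/`GCPOSImage` changes the wire format of the image manifest the CLI decodes, and `encoding/json` silently ignores unknown keys, so a manifest that still carries `AzureCoreOSImage`/`GCPCoreOSImage` would decode into empty strings without any error. If any already-published manifest uses the old keys, the consumer needs either compatibility fields for them or an explicit post-decode check, e.g. `if m.AzureImage == "" && m.GCPImage == "" { return errors.New("image manifest contains no image entries") }`. The `Images` struct in the hack/image manifest later in this commit renames the producing side with the same tags, so newly generated manifests are consistent; the concern is only manifests produced before this change. The decode site is outside this hunk.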
type nopWriteCloser struct {


@ -57,7 +57,7 @@ module "control_plane" {
cidr = "10.42.1.0/24"
network_id = libvirt_network.constellation.id
pool = libvirt_pool.cluster.name
boot_volume_id = libvirt_volume.constellation_coreos_image.id
boot_volume_id = libvirt_volume.constellation_os_image.id
machine = var.machine
firmware = var.firmware
nvram = var.nvram
@ -74,7 +74,7 @@ module "worker" {
cidr = "10.42.2.0/24"
network_id = libvirt_network.constellation.id
pool = libvirt_pool.cluster.name
boot_volume_id = libvirt_volume.constellation_coreos_image.id
boot_volume_id = libvirt_volume.constellation_os_image.id
machine = var.machine
firmware = var.firmware
nvram = var.nvram
@ -87,10 +87,10 @@ resource "libvirt_pool" "cluster" {
path = "/var/lib/libvirt/images"
}
resource "libvirt_volume" "constellation_coreos_image" {
resource "libvirt_volume" "constellation_os_image" {
name = "${var.name}-node-image"
pool = libvirt_pool.cluster.name
source = var.constellation_coreos_image
source = var.constellation_os_image
format = var.image_format
}


@ -3,7 +3,7 @@ variable "libvirt_uri" {
description = "libvirt socket uri"
}
variable "constellation_coreos_image" {
variable "constellation_os_image" {
type = string
description = "constellation OS file path"
}


@ -155,7 +155,7 @@ func (v *QEMUVariables) String() string {
b.WriteString(v.CommonVariables.String())
writeLinef(b, "libvirt_uri = %q", v.LibvirtURI)
writeLinef(b, "libvirt_socket_path = %q", v.LibvirtSocketPath)
writeLinef(b, "constellation_coreos_image = %q", v.ImagePath)
writeLinef(b, "constellation_os_image = %q", v.ImagePath)
writeLinef(b, "image_format = %q", v.ImageFormat)
writeLinef(b, "vcpus = %d", v.CPUCount)
writeLinef(b, "memory = %d", v.MemorySizeMiB)


@ -1,7 +1,7 @@
# debug daemon (debugd)
Debugd is a tool we built to allow for shorter iteration cycles during development.
The debugd gets embedded into coreOS images at the place where the bootstrapper normally sits.
The debugd gets embedded into OS images at the place where the bootstrapper normally sits.
Therefore, when a debug image is started, the debugd starts executing instead of the bootstrapper.
The debugd will then wait for a request from the `cdbg` tool to upload a bootstrapper binary.
Once the upload is finished debugd will start the bootstrapper.


@ -18,7 +18,7 @@ func newRootCmd() *cobra.Command {
Use: "cdbg",
Short: "Constellation debugging client",
Long: `cdbg is the constellation debugging client.
It connects to CoreOS instances running debugd and deploys a self-compiled version of the bootstrapper.`,
It connects to Constellation instances running debugd and deploys a self-compiled version of the bootstrapper.`,
}
cmd.PersistentFlags().String("config", constants.ConfigFilename, "Constellation config file")
cmd.AddCommand(newDeployCmd())


@ -13,8 +13,8 @@ type Manifest struct {
}
type Images struct {
AzureCoreosImage string `json:"AzureCoreOSImage"`
GCPCoreOSImage string `json:"GCPCoreOSImage"`
AzureOSImage string `json:"AzureOSImage"`
GCPOSImage string `json:"GCPOSImage"`
}
// OldManifests provides Constellation releases to image mapping. These are the
@ -23,28 +23,28 @@ func OldManifests() Manifest {
return Manifest{
releases: map[string]Images{
"v1.0.0": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807",
GCPCoreOSImage: "constellation-coreos-1651150807",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1651150807",
GCPOSImage: "constellation-coreos-1651150807",
},
"v1.1.0": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948",
GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654096948",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654096948",
GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654096948",
},
"v1.2.0": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332",
},
"v1.3.0": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1654162332",
GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1654162332",
},
"v1.3.1": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013",
GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1657199013",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1657199013",
GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1657199013",
},
"v1.4.0": {
AzureCoreosImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
GCPCoreOSImage: "projects/constellation-images/global/images/constellation-coreos-1659453699",
AzureOSImage: "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos/versions/0.0.1659453699",
GCPOSImage: "projects/constellation-images/global/images/constellation-coreos-1659453699",
},
},
}
@ -56,20 +56,20 @@ func (m *Manifest) MarshalJSON() ([]byte, error) {
func (m *Manifest) SetAzureImage(version string, image string) {
if release, ok := m.releases[version]; !ok {
images := Images{AzureCoreosImage: image}
images := Images{AzureOSImage: image}
m.releases[version] = images
} else {
release.AzureCoreosImage = image
release.AzureOSImage = image
m.releases[version] = release
}
}
func (m *Manifest) SetGCPImage(version string, image string) {
if release, ok := m.releases[version]; !ok {
images := Images{GCPCoreOSImage: image}
images := Images{GCPOSImage: image}
m.releases[version] = images
} else {
release.GCPCoreOSImage = image
release.GCPOSImage = image
m.releases[version] = release
}
}
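Review bot: The image paths in `OldManifests` deliberately keep `constellation-coreos` in their gallery and image names, because they identify cloud resources that were already published under those names, but nothing in the file says so, and a commit titled "Remove all traces of CoreOS" invites a later sweep that would rewrite them and break the release-to-image mapping. A comment above the `releases` map such as `// Image paths below are identifiers of already-published images and must not be renamed.` makes the intent explicit.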


@ -43,7 +43,7 @@ AZURE_PUBLISHER="${AZURE_PUBLISHER:-edgelesssys}"
AZURE_IMAGE_NAME="${AZURE_IMAGE_NAME:-upload-target}"
AZURE_IMAGE_OFFER="${AZURE_IMAGE_OFFER:-constellation}"
AZURE_IMAGE_DEFINITION="${AZURE_IMAGE_DEFINITION:-constellation}"
AZURE_SKU="${AZURE_SKU:-constellation-coreos}"
AZURE_SKU="${AZURE_SKU:-constellation}"
AZURE_SECURITY_TYPE="${AZURE_SECURITY_TYPE:-TrustedLaunch}"
if [[ -z "${AZURE_RESOURCE_GROUP_NAME}" ]]; then
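Review bot: The default `AZURE_SKU` changes from `constellation-coreos` to `constellation`, which, unlike the other renames in this commit, alters what the publishing script produces: image versions published with the new default presumably land under a different SKU than the existing ones, so anything pinned to the old SKU would stop receiving new versions. If that is intended, a comment on this line should record it, e.g. `# SKU renamed from constellation-coreos; versions published before <date placeholder> live under the old SKU`; if not, the old default should be kept and only the surrounding documentation renamed.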


@ -58,16 +58,16 @@ const (
//
// Filenames.
//
ClusterIDsFileName = "constellation-id.json"
ConfigFilename = "constellation-conf.yaml"
LicenseFilename = "constellation.license"
DebugdConfigFilename = "cdbg-conf.yaml"
AdminConfFilename = "constellation-admin.conf"
MasterSecretFilename = "constellation-mastersecret.json"
WGQuickConfigFilename = "wg0.conf"
CoreOSAdminConfFilename = "/etc/kubernetes/admin.conf"
KubeadmCertificateDir = "/etc/kubernetes/pki"
KubectlPath = "/run/state/bin/kubectl"
ClusterIDsFileName = "constellation-id.json"
ConfigFilename = "constellation-conf.yaml"
LicenseFilename = "constellation.license"
DebugdConfigFilename = "cdbg-conf.yaml"
AdminConfFilename = "constellation-admin.conf"
MasterSecretFilename = "constellation-mastersecret.json"
WGQuickConfigFilename = "wg0.conf"
ControlPlaneAdminConfFilename = "/etc/kubernetes/admin.conf"
KubeadmCertificateDir = "/etc/kubernetes/pki"
KubectlPath = "/run/state/bin/kubectl"
//
// Filenames for Constellation's micro services.


@ -65,6 +65,7 @@ func (s *Access) GetAuthorizedKeys() []UserKey {
}
// DeployAuthorizedKey takes an user & public key pair, creates the user if required and deploy a SSH key for them.
// TODO: Refactor to not write to /etc or /home.
func (s *Access) DeployAuthorizedKey(ctx context.Context, sshKey UserKey) error {
// allow only one thread to write to authorized keys, create users and update the authorized map at a time
s.mux.Lock()
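Review bot: The added `// TODO: Refactor to not write to /etc or /home.` does not say why the writes are a problem, so a reader cannot tell whether this is a style preference or a functional issue on the current OS image (for instance whether those paths are writable or persistent there). Stating the reason and the observable behaviour, e.g. `// TODO: DeployAuthorizedKey writes below /etc and /home; confirm these paths are writable and persistent on the current OS image, or move the state elsewhere.`, gives the next maintainer enough to act on. `DeployAuthorizedKey` continues outside the hunk.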


@ -85,7 +85,7 @@ func (k *Kubeadm) GetJoinToken(ttl time.Duration) (*kubeadm.BootstrapTokenDiscov
// parse Kubernetes CA certs
k.log.Infof("Preparing join token for new node")
rawConfig, err := k.file.Read(constants.CoreOSAdminConfFilename)
rawConfig, err := k.file.Read(constants.ControlPlaneAdminConfFilename)
if err != nil {
return nil, fmt.Errorf("loading kubeconfig file: %w", err)
}


@ -90,7 +90,7 @@ kind: Config`,
client: fake.NewSimpleClientset(),
}
if tc.adminConf != "" {
require.NoError(client.file.Write(constants.CoreOSAdminConfFilename, []byte(tc.adminConf), file.OptNone))
require.NoError(client.file.Write(constants.ControlPlaneAdminConfFilename, []byte(tc.adminConf), file.OptNone))
}
res, err := client.GetJoinToken(time.Minute)


@ -24,7 +24,7 @@ Example for GCP:
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeImage
metadata:
name: constellation-coreos
name: constellation-os
spec:
image: "projects/constellation-images/global/images/<image-name>"
```
@ -34,7 +34,7 @@ Example for Azure:
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeImage
metadata:
name: constellation-coreos
name: constellation-os
spec:
image: "/subscriptions/<subscription-id>/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/<image-definition-name>/versions/<image-version>"
```
@ -70,7 +70,7 @@ kind: ScalingGroup
metadata:
name: scalinggroup-worker
spec:
nodeImage: "constellation-coreos"
nodeImage: "constellation-os"
groupId: "projects/<project-id>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
autoscaling: true
```
@ -83,7 +83,7 @@ kind: ScalingGroup
metadata:
name: scalinggroup-worker
spec:
nodeImage: "constellation-coreos"
nodeImage: "constellation-os"
groupId: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
autoscaling: true
```


@ -1,7 +1,7 @@
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeImage
metadata:
name: constellation-coreos-azure
name: constellation-os-azure
namespace: kube-system
spec:
image: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/galleries/<gallery-name>/images/<image-definition-name>/versions/<version>"
@ -9,7 +9,7 @@ spec:
apiVersion: update.edgeless.systems/v1alpha1
kind: NodeImage
metadata:
name: constellation-coreos-gcp
name: constellation-os-gcp
namespace: kube-system
spec:
image: projects/<project>/global/images/<image-name>
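Review bot: The example NodeImage objects are named `constellation-os-azure` and `constellation-os-gcp`, while the operator constants hunk at the end of this commit sets `NodeImageResourceName = "constellation-os"` and the operator README examples use `constellation-os`; if the operator resolves the NodeImage by that constant, applying these examples as-is creates objects it never consults. The mismatch predates this commit (the old names carried the same provider suffixes), but since every name is being rewritten anyway, either drop the suffix here and in the ScalingGroup examples that reference these names, or add a comment to each example stating that the real object must be named `constellation-os`.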


@ -4,7 +4,7 @@ metadata:
name: scalinggroup-worker-azure
namespace: kube-system
spec:
nodeImage: "constellation-coreos-azure"
nodeImage: "constellation-os-azure"
groupId: "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachineScaleSets/<scale-set-name>"
autoscaling: true
---
@ -14,6 +14,6 @@ metadata:
name: scalinggroup-worker-gcp
namespace: kube-system
spec:
nodeImage: "constellation-coreos-gcp"
nodeImage: "constellation-os-gcp"
groupId: "projects/<project>/zones/<zone>/instanceGroupManagers/<instance-group-name>"
autoscaling: true


@ -8,7 +8,7 @@ package constants
const (
AutoscalingStrategyResourceName = "autoscalingstrategy"
NodeImageResourceName = "constellation-coreos"
NodeImageResourceName = "constellation-os"
ControlPlaneScalingGroupResourceName = "scalinggroup-controlplane"
WorkerScalingGroupResourceName = "scalinggroup-worker"
)