Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

Image upload AWS

Browse Source
This commit is contained in:
Malte Poll 2022-10-17 17:39:49 +02:00 committed by Malte Poll
parent 0c297f7b10
commit b57b25fdaa
6 changed files with 254 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
.github/workflows/build-os-image.yml vendored
View File

@ -64,33 +64,41 @@ jobs:
# TODO: flatten outputs once possible
# https://github.com/community/community/discussions/17245
outputs:
image-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-aws-sha256 }}
image-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-azure-sha256 }}
image-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-gcp-sha256 }}
image-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-qemu-sha256 }}
image-efi-aws-sha256: ${{ steps.collect-hashes.outputs.image-efi-aws-sha256 }}
image-efi-azure-sha256: ${{ steps.collect-hashes.outputs.image-efi-azure-sha256 }}
image-efi-gcp-sha256: ${{ steps.collect-hashes.outputs.image-efi-gcp-sha256 }}
image-efi-qemu-sha256: ${{ steps.collect-hashes.outputs.image-efi-qemu-sha256 }}
image-initrd-aws-sha256: ${{ steps.collect-hashes.outputs.image-initrd-aws-sha256 }}
image-initrd-azure-sha256: ${{ steps.collect-hashes.outputs.image-initrd-azure-sha256 }}
image-initrd-gcp-sha256: ${{ steps.collect-hashes.outputs.image-initrd-gcp-sha256 }}
image-initrd-qemu-sha256: ${{ steps.collect-hashes.outputs.image-initrd-qemu-sha256 }}
image-root-raw-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-aws-sha256 }}
image-root-raw-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-azure-sha256 }}
image-root-raw-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-gcp-sha256 }}
image-root-raw-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-raw-qemu-sha256 }}
image-root-verity-aws-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-aws-sha256 }}
image-root-verity-azure-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-azure-sha256 }}
image-root-verity-gcp-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-gcp-sha256 }}
image-root-verity-qemu-sha256: ${{ steps.collect-hashes.outputs.image-root-verity-qemu-sha256 }}
image-vmlinuz-aws-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-aws-sha256 }}
image-vmlinuz-azure-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-azure-sha256 }}
image-vmlinuz-gcp-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-gcp-sha256 }}
image-vmlinuz-qemu-sha256: ${{ steps.collect-hashes.outputs.image-vmlinuz-qemu-sha256 }}
image-raw-changelog-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-aws-sha256 }}
image-raw-changelog-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-azure-sha256 }}
image-raw-changelog-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-gcp-sha256 }}
image-raw-changelog-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-changelog-qemu-sha256 }}
image-raw-manifest-aws-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-aws-sha256 }}
image-raw-manifest-azure-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-azure-sha256 }}
image-raw-manifest-gcp-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-gcp-sha256 }}
image-raw-manifest-qemu-sha256: ${{ steps.collect-hashes.outputs.image-raw-manifest-qemu-sha256 }}
strategy:
matrix:
csp: [azure, gcp, qemu]
csp: [aws, azure, gcp, qemu]
steps:
- name: Checkout
uses: actions/checkout@e2f20e631ae6d7dd3b768f56a5d2af784dd54791
@ -183,9 +191,12 @@ jobs:
name: "Upload OS image to CSP"
needs: make-os-image
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: read
strategy:
matrix:
csp: [azure, gcp]
csp: [aws, azure, gcp]
upload-variant: [""]
include:
- csp: azure
@ -205,9 +216,19 @@ jobs:
run: |
echo "::group::Install tools"
sudo apt-get update
sudo apt-get install -y pigz qemu-utils
sudo apt-get install -y \
pigz \
qemu-utils \
python3-crc32c
echo "::endgroup::"
- name: Login to AWS
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
if: ${{ matrix.csp == 'aws' || matrix.csp == 'azure' }}
with:
role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
aws-region: eu-central-1
- name: Login to Azure
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
if: ${{ matrix.csp == 'azure' }}
@ -229,7 +250,7 @@ jobs:
id: version
uses: ./.github/actions/pseudo_version
# Make sure to set valid names for GCP and Azure
# Make sure to set valid names for AWS, Azure and GCP
# Azure
# gallery name may include alphanumeric characters, dots and underscores. Must end and begin with an alphanumeric character
# image definition may include alphanumeric characters, dots, dashes and underscores. Must end and begin with an alphanumeric character
@ -245,6 +266,13 @@ jobs:
imageVersion=${{ inputs.imageVersion }}
pseudover=${{ steps.version.outputs.pseudoVersion }}
echo "PKI=${{ github.workspace }}/image/pki" >> $GITHUB_ENV
echo "AWS_REGION=eu-central-1" >> $GITHUB_ENV
echo "AWS_REPLICATION_REGIONS=us-east-2 ap-south-1" >> $GITHUB_ENV
echo "AWS_BUCKET=constellation-images" >> $GITHUB_ENV
echo "AWS_EFIVARS_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/efivars.bin" >> $GITHUB_ENV
echo "AWS_IMAGE_PATH=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/image.raw" >> $GITHUB_ENV
echo "AWS_AMI_OUTPUT=${{ github.workspace }}/image/mkosi.output.aws/fedora~36/ami.json" >> $GITHUB_ENV
echo "AWS_IMAGE_FILENAME=image-$(date +%s).raw" >> $GITHUB_ENV
echo "GCP_PROJECT=constellation-images" >> $GITHUB_ENV
echo "GCP_BUCKET=constellation-images" >> $GITHUB_ENV
echo "GCP_REGION=europe-west3" >> $GITHUB_ENV
@ -266,6 +294,7 @@ jobs:
echo "AZURE_DISK_NAME=constellation-${pseudover//./-}-${AZURE_SECURITY_TYPE,,}" >> $GITHUB_ENV
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-${imageVersion}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${imageVersion//./-}
echo "GCP_IMAGE_FAMILY=constellation" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=constellation
@ -273,12 +302,14 @@ jobs:
AZURE_GALLERY_NAME=Constellation
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "AWS_IMAGE_NAME=constellation-debug-${semver}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-debug-${semver//./-}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${semver}
echo "AZURE_IMAGE_VERSION=${timestamp:0:4}.${timestamp:4:4}.${timestamp:8}" >> $GITHUB_ENV
AZURE_GALLERY_NAME=Constellation_Debug
else
echo "AWS_IMAGE_NAME=constellation-${{ steps.version.outputs.branchName }}-${{ steps.version.outputs.timestamp }}" >> $GITHUB_ENV
GCP_IMAGE_NAME=constellation-${{ steps.version.outputs.timestamp }}
echo "GCP_IMAGE_FAMILY=constellation-${{ steps.version.outputs.branchName }}" >> $GITHUB_ENV
AZURE_IMAGE_DEFINITION=${{ steps.version.outputs.branchName }}
@ -299,12 +330,25 @@ jobs:
echo "GCP_IMAGE_FILENAME=${GCP_IMAGE_NAME}.tar.gz" >> $GITHUB_ENV
- name: Download VMGS blob
run: aws s3 cp \
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress
run: |
aws s3 cp \
--region ${AWS_REGION} \
s3://constellation-secure-boot/pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
pki_testing/${AZURE_SECURITY_TYPE}.vmgs \
--no-progress
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }}
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
- name: Upload AWS image
shell: bash
run: |
echo "::group::Upload AWS image"
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'aws' }}
- name: Upload GCP image
shell: bash
@ -334,7 +378,7 @@ jobs:
runs-on: ubuntu-22.04
strategy:
matrix:
csp: [azure, gcp, qemu]
csp: [aws, azure, gcp, qemu]
steps:
- name: Checkout repository
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
@ -417,6 +461,14 @@ jobs:
cat > SHA256SUMS <<EOF
${{ needs.build-dependencies.outputs.bootstrapper-sha256 }} bootstrapper
${{ needs.build-dependencies.outputs.disk-mapper-sha256 }} disk-mapper
${{ needs.make-os-image.outputs.image-raw-aws-sha256 }} aws/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-aws-sha256 }} aws/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-aws-sha256 }} aws/image.raw.manifest
${{ needs.make-os-image.outputs.image-efi-aws-sha256 }} aws/image.efi
${{ needs.make-os-image.outputs.image-initrd-aws-sha256 }} aws/image.initrd
${{ needs.make-os-image.outputs.image-root-raw-aws-sha256 }} aws/image.root.raw
${{ needs.make-os-image.outputs.image-root-verity-aws-sha256 }} aws/image.root.verity
${{ needs.make-os-image.outputs.image-vmlinuz-aws-sha256 }} aws/image.vmlinuz
${{ needs.make-os-image.outputs.image-raw-azure-sha256 }} azure/image.raw
${{ needs.make-os-image.outputs.image-raw-changelog-azure-sha256 }} azure/image.raw.changelog
${{ needs.make-os-image.outputs.image-raw-manifest-azure-sha256 }} azure/image.raw.manifest

2
image/Makefile
View File

@ -6,7 +6,7 @@ DISK_MAPPER_BINARY ?= $(BASE_PATH)/../build/disk-mapper
PKI ?= $(BASE_PATH)/pki
MKOSI_EXTRA ?= $(BASE_PATH)/mkosi.extra
-include $(CURDIR)/config.mk
csps := qemu gcp azure
csps := aws qemu gcp azure
certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer
.PHONY: all clean inject-bins $(csps)

31
image/README.md
View File

@ -31,7 +31,8 @@
curl \
jq \
util-linux \
virt-manager
virt-manager \
python3-crc32c
```
</details>
@ -134,6 +135,34 @@ secure-boot/azure/delete.sh --name "${AZURE_DISK_NAME}-setup-secure-boot"
## Upload to CSP
<details>
<summary>AWS</summary>
- Install `aws` cli (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html))
- Login to AWS (see [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-quickstart.html))
- Choose secure boot PKI public keys (one of `pki_dev`, `pki_test`, `pki_prod`)
- `pki_dev` can be used for local image builds
- `pki_test` is used by the CI for non-release images
- `pki_prod` is used for release images
```sh
# set these variables
export AWS_IMAGE_NAME= # e.g. "constellation-v1.0.0"
export PKI=${PWD}/pki
export AWS_REGION=eu-central-1
export AWS_REPLICATION_REGIONS="us-east-2"
export AWS_BUCKET=constellation-images
export AWS_EFIVARS_PATH=${PWD}/mkosi.output.aws/fedora~36/efivars.bin
export AWS_IMAGE_PATH=${PWD}/mkosi.output.aws/fedora~36/image.raw
export AWS_IMAGE_FILENAME=image-$(date +%s).raw
export AWS_AMI_OUTPUT=${PWD}/mkosi.output.aws/fedora~36/ami.txt
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
```
</details>
<details>
<summary>GCP</summary>

3
image/mkosi.files/mkosi.aws.conf Normal file
View File

@ -0,0 +1,3 @@
[Output]
KernelCommandLine=constel.csp=aws
OutputDirectory=mkosi.output.aws

9
image/secure-boot/aws/create_uefivars.sh Executable file
View File

@ -0,0 +1,9 @@
#!/usr/bin/env bash
set -euo pipefail
TMPDIR=$(mktemp -d /tmp/uefivars-XXXXXXXXXXXXXX)
git clone https://github.com/awslabs/python-uefivars ${TMPDIR}
"${TMPDIR}/uefivars.py" -i none -o aws -O "$1" -P ${PKI}/PK.esl -K ${PKI}/KEK.esl --db ${PKI}/db.esl
rm -rf "${TMPDIR}"

149
image/upload/upload_aws.sh Executable file
View File

@ -0,0 +1,149 @@
#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
set -euo pipefail
if [ -z "${CONFIG_FILE-}" ] && [ -f "${CONFIG_FILE-}" ]; then
. "${CONFIG_FILE}"
fi
PK_FILE=${PKI}/PK.cer
KEK_FILES=${PKI}/KEK.cer,${PKI}/MicCorKEKCA2011_2011-06-24.crt
DB_FILES=${PKI}/db.cer,${PKI}/MicWinProPCA2011_2011-10-19.crt,${PKI}/MicCorUEFCA2011_2011-06-27.crt
CONTAINERS_JSON=$(mktemp /tmp/containers-XXXXXXXXXXXXXX.json)
declare -A AMI_FOR_REGION
AMI_OUTPUT=$1
import_status() {
local import_task_id=$1
aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${import_task_id}" | jq -r '.ImportSnapshotTasks[0].SnapshotTaskDetail.Status'
}
wait_for_import() {
local import_task_id=$1
local status
echo -n "Waiting for import to finish"
while true; do
local status=$(import_status "${import_task_id}")
case "${status}" in
completed)
echo -e "\nImport completed."
break
;;
active)
echo -n "."
sleep 5
;;
*)
echo "Unexpected status: ${status}"
exit 1
;;
esac
done
}
wait_for_image_available() {
local ami_id=$1
local region=$2
echo -n "Waiting for image ${ami_id} to be available"
while true; do
# Waiter ImageAvailable failed: Max attempts exceeded
local status=$(aws ec2 wait image-available \
--region ${region} \
--image-ids "${ami_id}" 2>&1 || true)
case "${status}" in
"")
echo -e "\nImage available."
break
;;
*"Max attempts exceeded"*)
echo -n "."
;;
*)
echo "Unexpected status: ${status}"
exit 1
;;
esac
done
}
tag_ami_with_backing_snapshot() {
local ami_id=$1
local region=$2
wait_for_image_available "${ami_id}" "${region}"
local snapshot_id=$(aws ec2 describe-images \
--region "${region}" \
--image-ids "${ami_id}" \
--output text --query "Images[0].BlockDeviceMappings[0].Ebs.SnapshotId")
aws ec2 create-tags \
--region "${region}" \
--resources "${ami_id}" "${snapshot_id}" \
--tags "Key=Name,Value=${AWS_IMAGE_NAME}"
}
create_ami_from_raw_disk() {
echo "Uploading raw disk image to S3"
aws s3 cp "${AWS_IMAGE_PATH}" "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}" --no-progress
printf '{
"Description": "%s",
"Format": "raw",
"UserBucket": {
"S3Bucket": "%s",
"S3Key": "%s"
}
}' "${AWS_IMAGE_NAME}" "${AWS_BUCKET}" "${AWS_IMAGE_FILENAME}" > "${CONTAINERS_JSON}"
IMPORT_SNAPSHOT=$(aws ec2 import-snapshot --region "${AWS_REGION}" --disk-container "file://${CONTAINERS_JSON}")
echo $IMPORT_SNAPSHOT
IMPORT_TASK_ID=$(echo $IMPORT_SNAPSHOT | jq -r '.ImportTaskId')
aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${IMPORT_TASK_ID}"
wait_for_import "${IMPORT_TASK_ID}"
AWS_SNAPSHOT=$(aws ec2 describe-import-snapshot-tasks --region "${AWS_REGION}" --import-task-ids "${IMPORT_TASK_ID}" | jq -r '.ImportSnapshotTasks[0].SnapshotTaskDetail.SnapshotId')
echo "Deleting raw disk image from S3"
aws s3 rm "s3://${AWS_BUCKET}/${AWS_IMAGE_FILENAME}"
rm "${CONTAINERS_JSON}"
REGISTER_OUT=$(aws ec2 register-image \
--region "${AWS_REGION}" \
--name "${AWS_IMAGE_NAME}" \
--boot-mode uefi \
--architecture x86_64 \
--root-device-name /dev/xvda \
--block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=${AWS_SNAPSHOT}}" \
--ena-support \
--tpm-support v2.0 \
--uefi-data $(cat ${AWS_EFIVARS_PATH}))
IMAGE_ID=$(echo $REGISTER_OUT | jq -r '.ImageId')
AMI_FOR_REGION=( ["${AWS_REGION}"]="${IMAGE_ID}")
tag_ami_with_backing_snapshot "${IMAGE_ID}" "${AWS_REGION}"
echo "Imported initial AMI as ${IMAGE_ID} in ${AWS_REGION}"
}
replicate_ami() {
local target_region=$1
local replicated_image_out=$(aws ec2 copy-image \
--name "${AWS_IMAGE_NAME}" \
--source-region "${AWS_REGION}" \
--source-image-id "${IMAGE_ID}" \
--region "${target_region}")
local replicated_image_id=$(echo $replicated_image_out | jq -r '.ImageId')
AMI_FOR_REGION["${target_region}"]=${replicated_image_id}
echo "Replicated AMI as ${replicated_image_id} in ${target_region}"
}
create_ami_from_raw_disk
# replicate in parallel
for region in ${AWS_REPLICATION_REGIONS}; do
replicate_ami "${region}"
done
# wait for all images to be available and tag them
for region in ${AWS_REPLICATION_REGIONS}; do
tag_ami_with_backing_snapshot "${AMI_FOR_REGION[${region}]}" "${region}"
done
echo -n "{\"${AWS_REGION}\": \"${AMI_FOR_REGION[${AWS_REGION}]}\"" > "${AMI_OUTPUT}"
for region in ${AWS_REPLICATION_REGIONS}; do
echo -n ", \"${region}\": \"${AMI_FOR_REGION[${region}]}\"" >> "${AMI_OUTPUT}"
done
echo "}" >> "${AMI_OUTPUT}"