Commit Graph

155 Commits

Author SHA1 Message Date
Moritz Sanft
c15e4efef6
terraform: Azure Marketplace image support (#2651)
* terraform: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* config: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: use Terraform variables from config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: pass down marketplace variable

* image: pad Azure images to 1GiB

* terraform: add version attribute to marketplace image

* semver: allow versions to be exported without prefix

* cli: boolean var to use marketplace images

* config: remove dive key

* dev-docs: add instructions on how to use marketplace images

* terraform: fix unit test

* terraform: only fetch image for non-marketplace images

* mpimage: refactor image selection

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] increase minor version for image build

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: ignore changes to source_image_reference on upgrade

* operator: add support for parsing Azure marketplace images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* upgrade: fix imagefetcher call

* docs: add info about azure marketplace

* image: ensure more than 1GiB in size

* image: test to pad to 2GiB

* version: change back to v2.14.0-pre

* image: GPT-conformant image size padding

* [remove] increase version

* mpimage: inline prefix func

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: add marketplace image e2e test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register workflow

* ci: fix workflow name

* ci: only allow azure test

* cli: add marketplace image input to interface

* cli: fix argument passing

* version: roll back to v2.14.0

* ci: add force-flag support

* Update docs/docs/overview/license.md

* Update dev-docs/workflows/marketplace-images.md

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-12-08 14:40:31 +01:00
edgelessci
8bd17b995e
image: update locked rpms (#2674)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-04 09:02:59 +01:00
Malte Poll
bd3430fcf0 image: provide runtime dependencies of cryptsetup in OS image.
This adds nix store paths to the initrd and sysroot of bootable Fedora images.
2023-12-01 09:35:33 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI (#2629)
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
edgelessci
2fc82874b7
image: update locked rpms (#2645)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
edgelessci
60921fcc14
image: update locked rpms (#2614)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-20 14:19:26 +01:00
edgelessci
285b7bc47d
image: update locked rpms (#2575)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-12 11:20:48 +01:00
edgelessci
e29d32af7f
image: update locked rpms (#2555)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-10 19:50:38 +01:00
Malte Poll
4fe51cd5f4
image: use dissect from nix (#2558) 2023-11-06 17:50:21 +01:00
3u13r
618da92c7f
image: use all of cilium's sysctl overrides (#2532) 2023-10-30 11:19:58 +01:00
edgelessci
b76bd3dfcc
image: update locked rpms (#2535)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-30 09:31:05 +01:00
edgelessci
9c89b75a53
image: update locked rpms (#2498) 2023-10-22 10:10:48 +02:00
Malte Poll
1a141c3972
image: add rpm database as build output (#2442)
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format.
For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact.
We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
2023-10-17 14:04:41 +02:00
Malte Poll
e93de82c0b
image: use systemd-dissect from the host when calculating measurements (#2473)
* image: use systemd-dissect from the host when calculating measurements

* ci: setup bazel and nix toolchains before merging os image measurements
2023-10-17 13:26:07 +02:00
Malte Poll
bad9edb99b
image: move mkosi settings into their actual sections (#2471)
mkosi now warns about what settings are defined in what sections.
Soon, the config parsing might fail when settings are in the wrong sections.
2023-10-17 12:44:19 +02:00
edgelessci
d9bd870dbd
image: update locked rpms (#2463)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-17 09:42:00 +02:00
Malte Poll
8bc1d80d86 image: install rpms from lockfile 2023-10-17 09:23:56 +02:00
Malte Poll
d22f53d7cc bazel: always use nix 2023-10-12 14:42:24 +02:00
Malte Poll
f6d9f91877 image: reimplement and adapt measurement generation in Go 2023-09-27 17:58:19 +02:00
Malte Poll
8e706d6de3 image: update README 2023-09-27 17:58:19 +02:00
Malte Poll
3543fe140e image: allow toggling secure boot in image upload 2023-09-27 17:58:19 +02:00
Malte Poll
c6ea596eb9 image: system layer 2023-09-27 17:58:19 +02:00
Malte Poll
4ef3d10be3 image: initrd layer 2023-09-27 17:58:19 +02:00
Malte Poll
d904766b9c image: base layer 2023-09-27 17:58:19 +02:00
Malte Poll
fc1045a4f7 image: remove old mkosi config 2023-09-27 17:58:19 +02:00
Malte Poll
825dab0e0b image: add sysroot files 2023-09-27 17:58:19 +02:00
Paul Meyer
53e48f453f image: remove unused upload script
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 15:06:55 +02:00
Otto Bittner
cb934ed087
image: move idle and nosmt to aws-only images (#2297)
We don't want these options on other CSPs. This is temporary until AWS
fixed some background issues.
We need to set the option we want to set differently on each provider
once per provider as we need to keep some of the options we set with
higher priority.
2023-09-04 14:02:10 +02:00
Malte Poll
ecfb6d9b1f
image: update to Linux 6.1.46 (#2268) 2023-09-04 11:41:25 +02:00
Otto Bittner
75ce11af14
cli: disable smt via cpu_options (#2291)
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Malte Poll
78fa921746
image: use longterm release of the Linux kernel (#2228) 2023-08-16 10:42:48 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
Malte Poll
6098ff3612
image: synchronize time via ntp (#2118) 2023-07-19 14:11:24 +02:00
Daniel Weiße
d03f8c7d78
image: use AWS linux kernel for AWS images to fix deadlock (#2115)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-18 15:08:34 +02:00
Malte Poll
bae9dc9a36
image: always copy amazon ena driver into initrd (#2112) 2023-07-18 11:23:30 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 (#1909)
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839) 2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg (#1851)
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for
clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Otto Bittner
0c13f3ed8d image: add aws_aws-sev-snp variant
This needs no changes to the existing AWS image.
The images have worked without modification so far.
2023-06-01 11:25:31 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00
Malte Poll
217a744606 image: add go code to upload image info and measurements 2023-05-25 15:01:15 +02:00
Malte Poll
b8751f35f9 image: add intermediate "image" verb to upload tool 2023-05-25 15:01:15 +02:00
Malte Poll
d0e53cbb59 cli: image info (v2) 2023-05-25 15:01:15 +02:00
Malte Poll
2ebc0cf2c8 image: set attestation variant explicitly 2023-05-25 15:01:15 +02:00
3u13r
6e574fd52c
ci: fix os image archive path (#1809) 2023-05-22 14:05:34 +02:00
Malte Poll
a2d701f421 image: remove upload scripts 2023-05-05 12:06:44 +02:00
Malte Poll
ee91d8b1cc image: implement idempotent upload of os images 2023-05-05 12:06:44 +02:00
Malte Poll
cb6cc8df22
image: fix pcr 12 calculation (#1706)
Kernel cmdline embedded in UKIs had no null terminator before. With newer versions of mkosi, it is already null-terminated so we shouldn't null terminate it twice.
2023-05-02 12:01:30 +02:00