Commit Graph

242 Commits

Author SHA1 Message Date
edgelessci
2c70867bc2
image: update locked rpms (#3017)
Co-authored-by: malt3 <1780588+malt3@users.noreply.github.com>
2024-04-07 10:30:01 +02:00
miampf
840f460bac
logging: unify debug log message format (#2997) 2024-04-03 13:49:03 +00:00
edgelessci
3ebf66554f
image: update locked rpms (#3005)
Co-authored-by: malt3 <1780588+malt3@users.noreply.github.com>
2024-04-02 09:23:39 +02:00
edgelessci
309bc83831
image: update locked rpms (#3002)
Co-authored-by: malt3 <1780588+malt3@users.noreply.github.com>
2024-03-24 19:59:45 +01:00
edgelessci
6a2dffc379
image: update locked rpms (#2991)
Co-authored-by: malt3 <1780588+malt3@users.noreply.github.com>
2024-03-18 09:44:44 +01:00
malt3
9c5f231f4a image: update locked rpms 2024-03-11 09:35:10 +01:00
Malte Poll
56460f0d63 image: special case OpenStack serial console to include ttyS1 2024-03-07 11:47:51 +01:00
malt3
06da526fe0 image: update locked rpms 2024-03-04 10:23:14 +01:00
edgelessci
0336cd4faa
image: update locked rpms (#2946)
Co-authored-by: malt3 <1780588+malt3@users.noreply.github.com>
2024-02-25 09:54:09 +01:00
Malte Poll
889677c795 image: update mkosi and use package directory feature 2024-02-20 12:50:13 +01:00
Malte Poll
a4d25646f5 deps: update to bazel 7 2024-02-20 12:50:13 +01:00
Malte Poll
75f16ce87b image: upload OpenStack images to OpenStack 2024-02-19 18:16:45 +01:00
edgelessci
a337e323a5
image: update locked rpms (#2917)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-02-18 11:12:28 +01:00
edgelessci
d3b3f45534
image: update locked rpms (#2902)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-02-11 10:57:51 +01:00
Malte Poll
dba835bdf4
openstack: prepare for normal users (#2899)
* image: disable serial console autologin on OpenStack
* cli: remove requirement for CONSTELLATION_OPENSTACK_DEV env var
2024-02-09 14:48:41 +01:00
miampf
54cce77bab
deps: convert zap to slog (#2825) 2024-02-08 14:20:01 +00:00
Malte Poll
18acd0b12a
deps: update go-uefi and use new authenticode package (#2873) 2024-02-05 12:06:48 +01:00
edgelessci
70c0a1969d
image: update locked rpms (#2890)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-02-05 11:37:34 +01:00
edgelessci
b9f33fc05b
image: update locked rpms (#2863)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-01-29 09:19:39 +01:00
edgelessci
fc1c9b7c1a
image: update locked rpms (#2835)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-01-22 14:07:26 +01:00
Malte Poll
3a5753045e goleak: ignore rules_go SIGTERM handler
rules_go added a SIGTERM handler that has a goroutine that survives the scope of the goleak check.
Currently, the best known workaround is to ignore this goroutine.

https://github.com/uber-go/goleak/issues/119
https://github.com/bazelbuild/rules_go/pull/3749
https://github.com/bazelbuild/rules_go/pull/3827#issuecomment-1894002120
2024-01-22 13:11:58 +01:00
Malte Poll
00eacdf9e8 image: mark image upload as manual bazel target 2024-01-22 13:11:58 +01:00
Malte Poll
403acf75aa image: add mainline kernel and azure tdx image target 2024-01-16 17:34:44 +01:00
Malte Poll
9a27e7bf77 image: only archive release images + QEMU / OpenStack image 2024-01-15 13:53:15 +01:00
Malte Poll
5ec03c5b9d image: add upload rules for images 2024-01-15 13:53:15 +01:00
Malte Poll
b7bab7c3c8 image: replace "upload {aws|azure|gcp}" with uplosi 2024-01-15 13:53:15 +01:00
Malte Poll
181b8f64d2 image: add static (per-CSP) measurements during "measurement envelope"
This logic was previously performed in a GitHub Actions workflow
using yq.
Since every step should now be performed in Bazel, this now needs to happen here.
2024-01-15 13:53:15 +01:00
edgelessci
84a90bb5bd
image: update locked rpms (#2819)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-01-15 10:46:50 +01:00
3u13r
120ae9d227
image: lower file limit for containerd (#2815) 2024-01-11 12:47:38 +01:00
Markus Rudy
ef6f63dc48
Fix various small things throughout the codebase (#2800)
* bootstrapper: remove obsolete log statement

* ci: simplify variable usage

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>

* cli: add missing formatting directive

* helm: fix rm invocation

* ci: document reproducible-builds workflow

* constants: use variables for measurement files

* constants: use variables for CDN distribution ID

* ci: make Helm version explicit

* api: prettify versionsapi-list output

* ci: remove obsolete docstring

---------

Co-authored-by: Daniel Weiße <daniel-weisse@users.noreply.github.com>
2024-01-09 19:37:56 +01:00
edgelessci
a23e838a01
image: update locked rpms (#2802)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2024-01-08 08:52:52 +01:00
edgelessci
4d8f45cff6
image: update locked rpms (#2784)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-31 13:42:45 +01:00
edgelessci
2ce73c19dc
image: update locked rpms (#2773)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-24 09:53:47 +01:00
edgelessci
086b42b08f
image: update locked rpms (#2726)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-18 11:02:42 +01:00
Malte Poll
58e7af5364 image: create package manifest in chroot
rpm doesn't work properly when run on the host.
2023-12-13 18:19:59 +01:00
Malte Poll
23e456a265 nix: update flake and use mkosi with sorted cpio 2023-12-13 18:19:59 +01:00
edgelessci
acba9c4c60
image: update locked rpms (#2693)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-10 16:03:03 +01:00
Moritz Sanft
c15e4efef6
terraform: Azure Marketplace image support (#2651)
* terraform: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* config: add Azure marketplace variable

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* cli: use Terraform variables from config

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: pass down marketplace variable

* image: pad Azure images to 1GiB

* terraform: add version attribute to marketplace image

* semver: allow versions to be exported without prefix

* cli: boolean var to use marketplace images

* config: remove dive key

* dev-docs: add instructions on how to use marketplace images

* terraform: fix unit test

* terraform: only fetch image for non-marketplace images

* mpimage: refactor image selection

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] increase minor version for image build

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* terraform: ignore changes to source_image_reference on upgrade

* operator: add support for parsing Azure marketplace images

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* upgrade: fix imagefetcher call

* docs: add info about azure marketplace

* image: ensure more than 1GiB in size

* image: test to pad to 2GiB

* version: change back to v2.14.0-pre

* image: GPT-conformant image size padding

* [remove] increase version

* mpimage: inline prefix func

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* ci: add marketplace image e2e test

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>

* [remove] register workflow

* ci: fix workflow name

* ci: only allow azure test

* cli: add marketplace image input to interface

* cli: fix argument passing

* version: roll back to v2.14.0

* ci: add force-flag support

* Update docs/docs/overview/license.md

* Update dev-docs/workflows/marketplace-images.md

Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>

---------

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
2023-12-08 14:40:31 +01:00
edgelessci
8bd17b995e
image: update locked rpms (#2674)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-12-04 09:02:59 +01:00
Malte Poll
bd3430fcf0 image: provide runtime dependencies of cryptsetup in OS image.
This adds nix store paths to the initrd and sysroot of bootable Fedora images.
2023-12-01 09:35:33 +01:00
Daniel Weiße
97aea98e77
ci: update GCP service accounts for CI (#2629)
* Update CI to use different GCP project for e2e tests
* Update GCP image project service accounts
* Update default GCP bucket name for image builds

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-11-27 13:04:41 +01:00
edgelessci
2fc82874b7
image: update locked rpms (#2645)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-27 09:01:16 +01:00
edgelessci
60921fcc14
image: update locked rpms (#2614)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-20 14:19:26 +01:00
edgelessci
285b7bc47d
image: update locked rpms (#2575)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-12 11:20:48 +01:00
edgelessci
e29d32af7f
image: update locked rpms (#2555)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-11-10 19:50:38 +01:00
Malte Poll
4fe51cd5f4
image: use dissect from nix (#2558) 2023-11-06 17:50:21 +01:00
3u13r
618da92c7f
image: use all of cilium's sysctl overrides (#2532) 2023-10-30 11:19:58 +01:00
edgelessci
b76bd3dfcc
image: update locked rpms (#2535)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-30 09:31:05 +01:00
edgelessci
9c89b75a53
image: update locked rpms (#2498) 2023-10-22 10:10:48 +02:00
Malte Poll
1a141c3972
image: add rpm database as build output (#2442)
For reproducibility reasons, the final OS image does not ship the rpm database in sqlite format.
For supply chain security and license compliance reasons, we want to keep the rpm database of os images as a detached build artifact.
We now ship a reproducible, human readable manifest of installed rpms in the image under "/usr/share/constellation/packagemanifest" and upload the full rpm database as a build artifact (rpmdb.tar).
2023-10-17 14:04:41 +02:00
Malte Poll
e93de82c0b
image: use systemd-dissect from the host when calculating measurements (#2473)
* image: use systemd-dissect from the host when calculating measurements

* ci: setup bazel and nix toolchains before merging os image measurements
2023-10-17 13:26:07 +02:00
Malte Poll
bad9edb99b
image: move mkosi settings into their actual sections (#2471)
mkosi now warns about what settings are defined in what sections.
Soon, the config parsing might fail when settings are in the wrong sections.
2023-10-17 12:44:19 +02:00
edgelessci
d9bd870dbd
image: update locked rpms (#2463)
Co-authored-by: malt3 <malt3@users.noreply.github.com>
2023-10-17 09:42:00 +02:00
Malte Poll
8bc1d80d86 image: install rpms from lockfile 2023-10-17 09:23:56 +02:00
Malte Poll
d22f53d7cc bazel: always use nix 2023-10-12 14:42:24 +02:00
Malte Poll
f6d9f91877 image: reimplement and adapt measurement generation in Go 2023-09-27 17:58:19 +02:00
Malte Poll
8e706d6de3 image: update README 2023-09-27 17:58:19 +02:00
Malte Poll
3543fe140e image: allow toggling secure boot in image upload 2023-09-27 17:58:19 +02:00
Malte Poll
c6ea596eb9 image: system layer 2023-09-27 17:58:19 +02:00
Malte Poll
4ef3d10be3 image: initrd layer 2023-09-27 17:58:19 +02:00
Malte Poll
d904766b9c image: base layer 2023-09-27 17:58:19 +02:00
Malte Poll
fc1045a4f7 image: remove old mkosi config 2023-09-27 17:58:19 +02:00
Malte Poll
825dab0e0b image: add sysroot files 2023-09-27 17:58:19 +02:00
Paul Meyer
53e48f453f image: remove unused upload script
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
2023-09-27 15:06:55 +02:00
Otto Bittner
cb934ed087
image: move idle and nosmt to aws-only images (#2297)
We don't want these options on other CSPs. This is temporary until AWS
has fixed some background issues.
We need to set the option we want to set differently on each provider,
once per provider, as we need to keep some of the options we set with
higher priority.
2023-09-04 14:02:10 +02:00
Malte Poll
ecfb6d9b1f
image: update to Linux 6.1.46 (#2268) 2023-09-04 11:41:25 +02:00
Otto Bittner
75ce11af14
cli: disable smt via cpu_options (#2291)
Disabling SMT dynamically inside the image creates problems on AWS.
The problem should be fixed by disabling smt through the VMM.
By recommendation from AWS: add idle=poll.
This should improve our launch success rate while they investigate some
upstream issues.
2023-09-01 11:26:21 +02:00
Malte Poll
78fa921746
image: use longterm release of the Linux kernel (#2228) 2023-08-16 10:42:48 +02:00
Otto Bittner
dac690656e
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 16:48:13 +02:00
Malte Poll
6098ff3612
image: synchronize time via ntp (#2118) 2023-07-19 14:11:24 +02:00
Daniel Weiße
d03f8c7d78
image: use AWS linux kernel for AWS images to fix deadlock (#2115)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-07-18 15:08:34 +02:00
Malte Poll
bae9dc9a36
image: always copy amazon ena driver into initrd (#2112) 2023-07-18 11:23:30 +02:00
Malte Poll
264b2df902
deps: upgrade to Fedora 38 (#1909)
* image: upgrade mkosi distro version to Fedora 38
* image: remove downgrade of GCP kernel
* ci: upgrade expected measurements for Fedora 38
* deps: upgrade bazeldnf packages to Fedora 38
* deps: upgrade container images to Fedora 38
2023-06-15 16:50:35 +02:00
Adrian Stobbe
4284f892ce
api: rename /api/versions to versionsapi and /api/attestationcfig to attestationconfigapi (#1876)
* rename to attestationconfigapi + put client and fetcher inside pkg

* rename api/version to versionsapi and put fetcher + client inside pkg

* rename AttestationConfigAPIFetcher to Fetcher
2023-06-07 16:16:32 +02:00
Malte Poll
e1d3afe8d4
ci: use aws s3 client that invalidates cloudfront cache for places that modify Constellation api (#1839) 2023-06-02 11:20:01 +02:00
Otto Bittner
30f2b332b3
api: restructure api pkg (#1851)
* api: rename AttestationVersionRepo to Client
* api: move client into separate subpkg for clearer import paths.
* api: rename configapi -> attestationconfig
* api: rename versionsapi -> versions
* api: rename sut to client
* api: split versionsapi client and make it public
* api: split versionapi fetcher and make it public
* config: move attestationversion type to config
* api: fix attestationconfig client test

Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
2023-06-02 09:19:23 +02:00
3u13r
e0285c122e
todo responsibilities and cleanup (#1837)
* chore: add TODO responsibilities

* chore: remove not needed TODOs

* chore: remove outdated migrations

* chore: remove resolved goleak exception

* chore: remove not needed cosign env

* config: add link to our Azure snp docs
2023-06-01 12:33:06 +02:00
Otto Bittner
0c13f3ed8d image: add aws_aws-sev-snp variant
This needs no changes to the existing AWS image.
The images have worked without modification so far.
2023-06-01 11:25:31 +02:00
Adrian Stobbe
0a6e5ec02e
config: dynamic attestation configuration through S3 backed API (#1808) 2023-05-25 17:43:44 +01:00
Malte Poll
217a744606 image: add go code to upload image info and measurements 2023-05-25 15:01:15 +02:00
Malte Poll
b8751f35f9 image: add intermediate "image" verb to upload tool 2023-05-25 15:01:15 +02:00
Malte Poll
d0e53cbb59 cli: image info (v2) 2023-05-25 15:01:15 +02:00
Malte Poll
2ebc0cf2c8 image: set attestation variant explicitly 2023-05-25 15:01:15 +02:00
3u13r
6e574fd52c
ci: fix os image archive path (#1809) 2023-05-22 14:05:34 +02:00
Malte Poll
a2d701f421 image: remove upload scripts 2023-05-05 12:06:44 +02:00
Malte Poll
ee91d8b1cc image: implement idempotent upload of os images 2023-05-05 12:06:44 +02:00
Malte Poll
cb6cc8df22
image: fix pcr 12 calculation (#1706)
Kernel cmdline embedded in UKIs had no null terminator before. With newer versions of mkosi, it is already null-terminated so we shouldn't null terminate it twice.
2023-05-02 12:01:30 +02:00
Paul Meyer
7ab23c28b8 Revert "misc: replace sha256sum with shasum -a 256 (#1681)"
This reverts commit ec1d5e9fb5.

While the change enabled shasum calculation on mac, it broke it
on some Linux distros.
2023-05-02 11:07:05 +02:00
Malte Poll
ec1d5e9fb5
misc: replace sha256sum with shasum -a 256 (#1681) 2023-04-26 13:40:18 +02:00
Malte Poll
84dd25600f
image: upgrade mkosi to support repart (#1684) 2023-04-25 18:22:40 +02:00
Malte Poll
69de06dd1f
image: OpenStack vTPM (#1616)
* cli: allow vpc traffic between nodes on OpenStack
* image: enable vTPM on OpenStack
* cli: add create tests for OpenStack
2023-04-05 16:49:03 +02:00
Malte Poll
3e73530b4f image: use dummy attestation for OpenStack 2023-03-21 10:51:09 +01:00
Nils Hanke
1a35eab765
image: update Azure and GCP to kernel 6.1.18 (#1406) 2023-03-13 17:48:31 +01:00
Malte Poll
d34f4d4457
image: increase esp size (#1393) 2023-03-10 11:08:40 +01:00
Daniel Weiße
8c87bba755
Add measurement reader (#1381)
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2023-03-09 11:22:58 +01:00
Malte Poll
ac94e01642
image: downgrade systemd to 251.11-2 (#1369) 2023-03-08 10:45:53 +01:00
Malte Poll
0ba2c1c2bd
image: add systemd-boot as explicit dependency (#1351) 2023-03-07 10:19:28 +01:00
Malte Poll
e02183b9d9
Merge pull request from GHSA-6w5f-5wgr-qjg5 2023-03-07 09:26:36 +01:00
Malte Poll
1624af0cc7
image: pin aws uefivars version and install new deps (#1345) 2023-03-06 13:29:15 +01:00
Malte Poll
96b4b74a7a
image: set attestation variant on kernel cmdline (#1323) 2023-03-02 12:20:10 +01:00