Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-07 18:12:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
main
constellation/image
History
edgelessci d04fbe88af
image: update locked rpms (#3331) 
Co-authored-by: edgelessci <edgelessci@users.noreply.github.com>
2024-09-03 16:14:59 +02:00
..
base bootstrapper: disable gRPC logging (#3134) 2024-06-05 09:24:08 +02:00
initrd image: update to Fedora 40 (#3104) 2024-05-16 09:10:09 +02:00
measured-boot image: update to Fedora 40 (#3104) 2024-05-16 09:10:09 +02:00
mirror image: update locked rpms (#3331) 2024-09-03 16:14:59 +02:00
pki_prod CI: Add secure boot prod keys (#462) 2022-11-04 16:48:52 +01:00
pki_testing Move mkosi folder to old image folder location 2022-10-21 11:04:25 +02:00
sysroot-tree/usr/lib image: add sysroot files 2023-09-27 17:58:19 +02:00
system image: update to Fedora 40 (#3104) 2024-05-16 09:10:09 +02:00
upload misc: update golangci-lint related changes 2024-05-13 08:47:15 +02:00
BUILD.bazel image: provide runtime dependencies of cryptsetup in OS image. 2023-12-01 09:35:33 +01:00
README.md image: document uidmap dependency (#3310) 2024-08-12 13:34:03 +02:00

README.md

Setup

Ensure you have Nix installed. This is a requirement for the following steps. Consult the developer docs for more info. At the very least, nix should be in your PATH.

Building the image also requires newuidmap and newgidmap to be present in the PATH. On Debian and Ubuntu, these can be sourced through the uidmap package.

Build

You can build any image using Bazel. Start by querying the available images:

bazel query //image/system/...

You can either build a group of images (all images for a cloud provider, a stream, ...) or a single image by selecting a target.

bazel build //image/system:azure_azure-sev-snp_stable

The location of the destination folder can be queried like this:

bazel cquery --output=files //image/system:azure_azure-sev-snp_stable

Build and Upload

Similarly, you can also build and upload images to the respective CSP within a single step with the upload_* targets.

bazel run //image/system:upload_aws_aws-sev-snp_console -- --ref deps-image-fedora-40 --upload-measurements

The --ref should be the branch you're building images on. It should not contain slashes. Slashes should be replaced with dashes to not break the filesystem structure of the image storages.

Optionally, the --upload-measurements option can be used to specify that measurements for the image should be uploaded, and --fake-sign specifies that a debugging signing key should be used to sign the measurements, which is done for debug images.

Kernel

The Kernel is built from the srpm published under edgelesssys/constellation-kernel. We track the latest longterm release, use sources directly from kernel.org and build the Kernel using the steps specified in the srpm spec file.

After building a Kernel rpm, we upload it to our CDN and use it in our image builds.

Upgrading to a new Fedora release

  • Search for the old Fedora releasever in the image/ directory and replace every occurence (outside of lockfiles) with the new releasever
  • Search for Fedora container images in Dockerfiles and upgrade the releasever
  • Regenerate the package lockfile: bazel run //image/mirror:update_packages
  • Build test images locally:
    • bazel query //image/system:all (pick an image name from the output)
    • bazel build //image/system:IMAGE_NAME_HERE (replace with an actual image name)
  • Let CI build new images and run e2e tests
  • Upgrade kernel spec under edgelesssys/constellation-kernel to use new releasever