Setup
Ensure you have Nix installed; this is a requirement for the following steps. Consult the developer docs for more info. At the very least, nix should be in your PATH.
Build
You can build any image using Bazel. Start by querying the available images:
bazel query //image/system/...
You can either build a group of images (all images for a cloud provider, a stream, ...) or a single image by selecting a target.
bazel build //image/system:openstack_qemu-vtpm_debug
The location of the destination folder can be queried like this:
bazel cquery --output=files //image/system:openstack_qemu-vtpm_debug
Upload to CSP
Warning! Never set --version to a value that is already used for a release image.
AWS
- Install the aws CLI (see here)
- Login to AWS (see here)
- Choose the secure boot PKI public keys (one of pki_dev, pki_test, pki_prod):
  - pki_dev can be used for local image builds
  - pki_test is used by the CI for non-release images
  - pki_prod is used for release images
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image aws --verbose --raw-image path/to/constellation.raw --attestation-variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
GCP
- Install gcloud and gsutil (see here)
- Login to GCP (see here)
- Choose the secure boot PKI public keys (one of pki_dev, pki_test, pki_prod):
  - pki_dev can be used for local image builds
  - pki_test is used by the CI for non-release images
  - pki_prod is used for release images
export GCP_RAW_IMAGE_PATH=$(realpath path/to/constellation.raw)
export GCP_IMAGE_PATH=path/to/image.tar.gz
upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image gcp --verbose --raw-image "${GCP_IMAGE_PATH}" --attestation-variant "sev-es" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
Azure
Note: For testing purposes, it is a lot simpler to disable Secure Boot for the uploaded image. Disabling Secure Boot allows you to skip the VMGS preparation step below.
- Install az and azcopy (see here)
- Login to Azure (see here)
- Optional (only if Secure Boot should be enabled): prepare a virtual machine guest state (VMGS) with customized NVRAM, or use an existing VMGS blob
export AZURE_RAW_IMAGE_PATH=path/to/constellation.raw
export AZURE_IMAGE_PATH=path/to/image.vhd
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image azure --verbose --raw-image "${AZURE_IMAGE_PATH}" --attestation-variant "cvm" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
OpenStack
Note: OpenStack is not a global cloud provider, but rather software that can be installed on-premises. This means we do not upload the image to a cloud provider, but to our CDN.
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image openstack --verbose --raw-image path/to/constellation.raw --attestation-variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
QEMU
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image qemu --verbose --raw-image path/to/constellation.raw --attestation-variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
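The commands in the sections above all share the same hazard: a --version value that collides with a release image. As an added example (not code from the Constellation repository), the following bash helper builds the version string from the current git branch in the ref/<ref>/stream/<stream>/<version> form used above, refuses anything that looks like a release image, and only then runs the pack and upload steps shown on this page. The sanitization rule for the ref component, treating the ref "-" as reserved, and requiring a -pre suffix on the version are assumptions chosen as a conservative local guard; only upload/pack.sh and the bazel run //image/upload invocation come from this README.

```bash
#!/usr/bin/env bash
# Added example, not part of the Constellation repo: guard the image upload
# against reusing a release version. Assumptions are marked below.
set -eu

# Sanitize a git branch name into a ref component: lowercase, [a-z0-9-] only,
# no leading/trailing dashes. (Assumption: this is what the ref field accepts.)
sanitize_ref() {
  printf '%s' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -E 's#[^a-z0-9]+#-#g; s#^-+##; s#-+$##'
}

# Build "ref/<ref>/stream/<stream>/<version>", the shape used in the
# upload commands of this README.
build_version() {
  local ref="$1" stream="$2" ver="$3"
  printf 'ref/%s/stream/%s/%s' "$(sanitize_ref "$ref")" "$stream" "$ver"
}

# Return 0 only for versions that cannot collide with a release image.
# Assumptions: the ref "-" and the stream "stable" are reserved for releases,
# and development images always carry a "-pre" suffix (as in the README).
is_safe_version() {
  case "$1" in
    ref/-/*)                                       return 1 ;;
    ref/*/stream/stable/*)                         return 1 ;;
    ref/*/stream/*/v[0-9]*.[0-9]*.[0-9]*-pre*)     return 0 ;;
    *)                                             return 1 ;;
  esac
}

# Pack (where the CSP needs it) and upload one raw image.
# Usage: upload_dev_image <csp> <attestation-variant> <raw-image> <stream> <semver>
# e.g.   upload_dev_image gcp sev-es path/to/constellation.raw nightly v2.7.0-pre-asdf
upload_dev_image() {
  local csp="$1" variant="$2" raw="$3" stream="$4" semver="$5"
  local branch version image
  branch="$(git rev-parse --abbrev-ref HEAD)"
  version="$(build_version "$branch" "$stream" "$semver")"
  if ! is_safe_version "$version"; then
    echo "refusing to upload: '$version' could collide with a release image" >&2
    return 1
  fi
  image="$raw"
  case "$csp" in
    # Pack steps exactly as documented above; AWS/OpenStack/QEMU take the raw image.
    gcp)   image="${raw%.raw}.tar.gz"; upload/pack.sh gcp "$(realpath "$raw")" "$image" ;;
    azure) image="${raw%.raw}.vhd";    upload/pack.sh azure "$raw" "$image" ;;
  esac
  bazel run //image/upload -- image "$csp" --verbose \
    --raw-image "$image" --attestation-variant "$variant" --version "$version"
}
```

Run it from the image directory of a checkout; the guard fails closed, so a typo that drops the -pre suffix or a checkout on a detached release tag stops before anything is packed or uploaded.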
Kernel
The kernel is built from the SRPM published under edgelesssys/constellation-kernel. We track the latest longterm release, use sources directly from kernel.org, and build the kernel using the steps specified in the SRPM spec file.
After building a kernel RPM, we upload it to our CDN and use it in our image builds.