mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-12 19:22:25 -04:00
f16ccf5679
keyservice joinservice upgrade-agent measurement-reader debugd disk-mapper rewrote joinservice main rewrote some unit tests rewrote upgrade-agent + some grpc functions rewrote measurement-reader rewrote debugd removed unused import removed forgotten zap reference in measurements reader rewrote disk-mapper + tests rewrote packages verify disk-mapper malicious join bootstrapper attestationconfigapi versionapi internal/cloud/azure disk-mapper tests image/upload/internal/cmd rewrote verify (WIP with loglevel increase) rewrote forgotten zap references in disk-mapper rewrote malicious join rewrote bootstrapper rewrote parts of internal/ rewrote attestationconfigapi (WIP) rewrote versionapi cli rewrote internal/cloud/azure rewrote disk-mapper tests (untested by me rn) rewrote image/upload/internal/cmd removed forgotten zap references in verify/cmd rewrote packages hack/oci-pin hack/qemu-metadata-api debugd/internal/debugd/deploy hack/bazel-deps-mirror cli/internal/cmd cli-k8s-compatibility rewrote hack/qemu-metadata-api/server rewrote debugd/internal/debugd/deploy rewrote hack/bazel-deps-mirror rewrote rest of hack/qemu-metadata-api rewrote forgotten zap references in joinservice server rewrote cli/internal/cmd rewrote cli-k8s-compatibility rewrote packages internal/staticupload e2d/internal/upgrade internal/constellation/helm internal/attestation/aws/snp internal/attestation/azure/trustedlaunch joinservice/internal/certcache/amkds some missed unit tests rewrote e2e/internal/upgrade rewrote internal/constellation/helm internal/attestation/aws/snp internal/attestation/azure/trustedlaunch joinservice/internal/certcache/amkds search and replace test logging over all left *_test.go |
||
|---|---|---|
| .. | ||
| base | ||
| initrd | ||
| measured-boot | ||
| mirror | ||
| pki_prod | ||
| pki_testing | ||
| sysroot-tree/usr/lib | ||
| system | ||
| upload | ||
| BUILD.bazel | ||
| README.md | ||
Setup
Ensure you have Nix installed. This is a requirement for the following steps.
Consult the developer docs for more info.
At the very least, nix should be in your PATH.
Build
You can build any image using Bazel. Start by querying the available images:
bazel query //image/system/...
You can either build a group of images (all images for a cloud provider, a stream, ...) or a single image by selecting a target.
bazel build //image/system:openstack_qemu-vtpm_debug
The location of the destination folder can be queried like this:
bazel cquery --output=files //image/system:openstack_qemu-vtpm_debug
Upload to CSP
Warning! Never set --version to a value that is already used for a release image.
AWS
- Install
awscli (see here) - Login to AWS (see here)
- Choose secure boot PKI public keys (one of
pki_dev,pki_test,pki_prod)pki_devcan be used for local image buildspki_testis used by the CI for non-release imagespki_prodis used for release images
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image aws --verbose --raw-image path/to/constellation.raw --attestation-variant "" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
GCP
- Install
gcloudandgsutil(see here) - Login to GCP (see here)
- Choose secure boot PKI public keys (one of
pki_dev,pki_test,pki_prod)pki_devcan be used for local image buildspki_testis used by the CI for non-release imagespki_prodis used for release images
export GCP_RAW_IMAGE_PATH=$(realpath path/to/constellation.raw)
export GCP_IMAGE_PATH=path/to/image.tar.gz
upload/pack.sh gcp ${GCP_RAW_IMAGE_PATH} ${GCP_IMAGE_PATH}
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image gcp --verbose --raw-image "${GCP_IMAGE_PATH}" --attestation-variant "sev-es" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
Azure
Note:
For testing purposes, it is a lot simpler to disable Secure Boot for the uploaded image! Disabling Secure Boot allows you to skip the VMGS creation steps above.
- Install
azandazcopy(see here) - Login to Azure (see here)
- Optional (if Secure Boot should be enabled) Prepare virtual machine guest state (VMGS) with customized NVRAM or use existing VMGS blob
export AZURE_RAW_IMAGE_PATH=path/to/constellation.raw
export AZURE_IMAGE_PATH=path/to/image.vhd
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image azure --verbose --raw-image "${AZURE_IMAGE_PATH}" --attestation-variant "cvm" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
OpenStack
Note:
OpenStack is not one a global cloud provider, but rather a software that can be installed on-premises. This means we do not upload the image to a cloud provider, but to our CDN.
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image openstack --verbose --raw-image path/to/constellation.raw --attestation-variant "sev" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
QEMU
# Warning! Never set `--version` to a value that is already used for a release image.
# Instead, use a `ref` that corresponds to your branch name.
bazel run //image/upload -- image qemu --verbose --raw-image path/to/constellation.raw --attestation-variant "default" --version ref/foo/stream/nightly/v2.7.0-pre-asdf
Kernel
The Kernel is built from the srpm published under edgelesssys/constellation-kernel. We track the latest longterm release, use sources directly from kernel.org and build the Kernel using the steps specified in the srpm spec file.
After building a Kernel rpm, we upload it to our CDN and use it in our image builds.