tests icon indicating copy to clipboard operation
tests copied to clipboard

Published 20 hours ago verified publisher icon kata-containers

Amd cc sev

Open ryansavino opened this issue 2 years ago • 4 comments

Add support for AMD SEV on CI of Confidential Containers Version 0 (CCv0).

ryansavino avatar Jul 26 '22 18:07 ryansavino

I'm adding the wip label till 4270 gets merged.

fidencio avatar Aug 10 '22 08:08 fidencio

@ryansavino, in general I'm not exactly following why you don't use the machinery we already have as part of the CI, instead of creating your own scripts to build every single piece of the stack.

@fidencio I suggested @ryansavino that we could start with the scripts he had although they aren't using the CI machinery and once we had a clean execution then we could do the refactoring. And now we reached that point where the code can be adapted to use the CI stuffs and we will have means to test it.

wainersm avatar Aug 10 '22 13:08 wainersm

@ryansavino, in general I'm not exactly following why you don't use the machinery we already have as part of the CI, instead of creating your own scripts to build every single piece of the stack.

@fidencio I suggested @ryansavino that we could start with the scripts he had although they aren't using the CI machinery and once we had a clean execution then we could do the refactoring. And now we reached that point where the code can be adapted to use the CI stuffs and we will have means to test it.

Okay, but then we keep this as a WIP and avoid merging it as it's, and refactor it before getting it in.

fidencio avatar Aug 10 '22 14:08 fidencio

@fidencio to add to what @wainersm said, I'm in the process of integrating those pieces into their respective places in the existing ci. Once kata 4270 is merged, it will make this possible. Just trying to get a little ahead of that by having some working ci for it.

ryansavino avatar Aug 10 '22 14:08 ryansavino

Add SEV support PR (https://github.com/kata-containers/kata-containers/pull/4270) is needed - Merged Kernel upgrade to 5.19 PR (https://github.com/kata-containers/kata-containers/pull/4861) is needed - Merged Initrd fixes for ubuntu systemd (https://github.com/kata-containers/kata-containers/pull/4987) is needed - Pending Review

ryansavino avatar Aug 25 '22 06:08 ryansavino

I still need to setup the encrypted image on quay.io to avoid running the encrypt and docker push commands. Working on this today.

ryansavino avatar Aug 25 '22 15:08 ryansavino

Need https://github.com/kata-containers/kata-containers/pull/5013 merged for this.

ryansavino avatar Aug 26 '22 09:08 ryansavino

Okay, I think this one is pretty much good to go pending these PR merges: https://github.com/kata-containers/kata-containers/pull/4987 https://github.com/kata-containers/kata-containers/pull/5013

Jenkins job is passing: http://jenkins.katacontainers.io/job/wainer-CCv0-ubuntu-20.04-x86_64-CC_SEV_CRI_CONTAINERD_K8S/89/console

I've removed attestation agent image creation and encryption, and I'm pulling the encryption key and ssh key from the quay.io docker image labels. I have a separate script for creating the encrypted image that I can share/add somewhere if desired.

Let me know if anyone wants me to change/fix something.

ryansavino avatar Aug 30 '22 01:08 ryansavino

So it seems like we are building the components via the test script for the first release rather than using https://github.com/kata-containers/tests/pull/5048 and the kata-cc bundle.

Is that correct @ryansavino @wainersm

fitzthum avatar Sep 02 '22 16:09 fitzthum

So it seems like we are building the components via the test script for the first release rather than using #5048 and the kata-cc bundle.

Is that correct @ryansavino @wainersm

That's correct @fitzthum . But notice #5048 was reverted in #5102 because it breaks the TDX CI; it turned out that the kata-deploy build scripts don't handle all the cases were we need to use a proxy (the TDX CI is behind a firewall).

wainersm avatar Sep 02 '22 17:09 wainersm

/test

wainersm avatar Sep 02 '22 20:09 wainersm

Hi @ryansavino

Okay, I think this one is pretty much good to go pending these PR merges: kata-containers/kata-containers#4987 kata-containers/kata-containers#5013

Jenkins job is passing: http://jenkins.katacontainers.io/job/wainer-CCv0-ubuntu-20.04-x86_64-CC_SEV_CRI_CONTAINERD_K8S/89/console

I've removed attestation agent image creation and encryption, and I'm pulling the encryption key and ssh key from the quay.io docker image labels. I have a separate script for creating the encrypted image that I can share/add somewhere if desired.

Let me know if anyone wants me to change/fix something.

IMO it is ready to be merged. Any improvements can be made upon this base which seems solid enough.

hey, thanks for fighting to get it done!

wainersm avatar Sep 02 '22 20:09 wainersm

Thanks @wainersm. Unfortunately, there's a new bug that's causing the SEV kernel build to fail: https://github.com/kata-containers/kata-containers/pull/5095

It needs to get merged from main to CCv0 as well.

I want to get successful jenkins build before merging. I'll update when everything is working. Hopefully Tues.

ryansavino avatar Sep 02 '22 23:09 ryansavino

@ryansavino ready to be merged?

wainersm avatar Sep 14 '22 13:09 wainersm

@ryansavino ready to be merged?

Jenkins job is passing: http://jenkins.katacontainers.io/job/wainer-CCv0-ubuntu-20.04-x86_64-CC_SEV_CRI_CONTAINERD_K8S/98

However, if we can get https://github.com/kata-containers/kata-containers/pull/5024 merged, I can remove the agent config file from this PR. @wainersm do you want to merge it now anyways? I can always clean it up later.

ryansavino avatar Sep 14 '22 15:09 ryansavino

@ryansavino let's get it merged first so we get the jobs running on CI (still need to merge the PR on kata-containers/ci); later we refactor it.

/test

wainersm avatar Sep 14 '22 22:09 wainersm

Yep, sounds good.

ryansavino avatar Sep 14 '22 22:09 ryansavino

/test-tdx-k8s-clh

stevenhorsman avatar Sep 15 '22 08:09 stevenhorsman