Skip to content
Azure PodVM image build

azure-podvm-image-build #22

Sign in to view logs

azure-podvm-image-build

azure-podvm-image-build #22

Workflow file for this run

.github/workflows/azure-podvm-image-build.yml at cf07e8a
name: Azure PodVM image build
on:
workflow_call:
inputs:
image-version:
type: string
required: true
outputs:
image-id:
description: "The PodVM image id"
value: ${{ jobs.build-podvm-image.outputs.image-id }}
workflow_dispatch:
inputs:
image-version:
type: string
description: x.y.z
git-ref:
type: string
default: 'main'
description: tag, branch, sha
permissions:
id-token: write
contents: read
env:
AZURE_PODVM_IMAGE_DEF_NAME: "${{ vars.AZURE_PODVM_IMAGE_DEF_NAME }}"
AZURE_PODVM_IMAGE_VERSION: "${{ inputs.image-version }}"
COMMUNITY_GALLERY_PREFIX: "/CommunityGalleries/${{ vars.AZURE_COMMUNITY_GALLERY_NAME }}"
PODVM_IMAGE_NAME: "peerpod-image-${{ github.run_id }}-${{ github.run_attempt }}"
SSH_USERNAME: "peerpod"
VM_SIZE: "Standard_D2as_v5"
AA_KBC: "cc_kbc_az_snp_vtpm"
jobs:
build-podvm-image:
runs-on: ubuntu-22.04
defaults:
run:
working-directory: cloud-api-adaptor/azure/image
outputs:
image-id: "${{ steps.create-image.outputs.image-id }}"
steps:
- name: Clone cloud-api-adaptor repository
uses: actions/checkout@v3
with:
path: cloud-api-adaptor
ref: "${{ inputs.git-ref || 'main' }}"
- name: Read properties from versions.yaml
working-directory: cloud-api-adaptor
run: |
go_version="$(yq '.tools.golang' versions.yaml)"
[ -n "$go_version" ]
echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
rust_version="$(yq '.tools.rust' versions.yaml)"
[ -n "$rust_version" ]
echo "RUST_VERSION=${rust_version}" >> "$GITHUB_ENV"
kata_src_branch="$(yq '.git.kata-containers.reference' versions.yaml)"
[ "$kata_src_branch" ]
echo "KATA_SRC_BRANCH=${kata_src_branch}" >> "$GITHUB_ENV"
guest_components_ref="$(yq '.git.guest-components.reference' versions.yaml)"
[ -n "$guest_components_ref" ]
echo "GUEST_COMPONENTS_REF=${guest_components_ref}" >> "$GITHUB_ENV"
pause_tag="$(yq '.oci.pause.tag' versions.yaml)"
[ -n "$pause_tag" ]
echo "PAUSE_TAG=${pause_tag}" >> "$GITHUB_ENV"
- name: Set up Go environment
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
cache-dependency-path: cloud-api-adaptor/go.sum
- name: Install build dependencies
run: |
sudo curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
sudo echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install -y \
libdevmapper-dev \
libgpgme-dev \
libtdx-attest-dev \
musl-tools \
libssl-dev \
libtss2-dev \
protobuf-compiler
- name: Set PodVM files base
run: echo "PODVM_FILES_BASE=$(realpath -m ../../podvm/files)" >> "$GITHUB_ENV"
- name: Build CAA binaries
env:
GOPATH: /home/runner/go
run: |
make "${PODVM_FILES_BASE}/usr/local/bin/agent-protocol-forwarder"
make "${PODVM_FILES_BASE}/usr/local/bin/process-user-data"
- uses: actions-rs/toolchain@v1
with:
profile: minimal
toolchain: ${{ env.RUST_VERSION }}
target: x86_64-unknown-linux-musl
default: true
- name: Set up kata-agent cache
id: kata-agent-cache
uses: actions/cache@v3
with:
path: cloud-api-adaptor/podvm/files/usr/local/bin/kata-agent
key: kata-agent-${{ env.KATA_SRC_BRANCH }}_rust${{ env.RUST_VERSION }}
- name: Clone kata-containers repository
if: steps.kata-agent-cache.outputs.cache-hit != 'true'
uses: actions/checkout@v3
with:
repository: kata-containers/kata-containers
path: kata-containers
ref: ${{ env.KATA_SRC_BRANCH }}
- name: Build kata-agent
env:
GOPATH: /home/runner/go
if: steps.kata-agent-cache.outputs.cache-hit != 'true'
run: |
make "${PODVM_FILES_BASE}/usr/local/bin/kata-agent"
rm -f "${GOPATH}/bin/yq"
- name: Set up pause cache
id: pause-cache
uses: actions/cache@v3
with:
path: cloud-api-adaptor/podvm/files/pause_bundle
key: pause-${{ env.PAUSE_TAG }}
- name: Build pause bundle
if: steps.pause-cache.outputs.cache-hit != 'true'
run: make "${PODVM_FILES_BASE}/pause_bundle/rootfs/pause"
- name: Set up guest-components cache
id: guest-components-cache
uses: actions/cache@v3
with:
path: |
${{ env.PODVM_FILES_BASE }}/usr/local/bin/attestation-agent
${{ env.PODVM_FILES_BASE }}/usr/local/bin/confidential-data-hub
${{ env.PODVM_FILES_BASE }}/usr/local/bin/api-server-rest
key: guest-components-${{ env.AA_KBC }}_${{ env.GUEST_COMPONENTS_REF }}_rust${{ env.RUST_VERSION }}
- name: Build guest-components
if: steps.guest-components-cache.outputs.cache-hit != 'true'
run: |
make "${PODVM_FILES_BASE}/usr/local/bin/attestation-agent" LIBC=gnu
make "${PODVM_FILES_BASE}/usr/local/bin/confidential-data-hub" LIBC=gnu
make "${PODVM_FILES_BASE}/usr/local/bin/api-server-rest" LIBC=gnu
- uses: azure/login@v1
name: 'Az CLI login'
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- name: Create image
id: create-image
env:
IMAGE_ID: "${{ env.COMMUNITY_GALLERY_PREFIX }}/images/${{ env.AZURE_PODVM_IMAGE_DEF_NAME }}/versions/${{ env.AZURE_PODVM_IMAGE_VERSION }}"
PKR_VAR_subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
PKR_VAR_resource_group: ${{ secrets.AZURE_RESOURCE_GROUP }}
PKR_VAR_location: ${{ secrets.AZURE_REGION }}
PKR_VAR_az_image_name: ${{ env.PODVM_IMAGE_NAME }}
PKR_VAR_vm_size: ${{ env.VM_SIZE }}
PKR_VAR_ssh_username: ${{ env.SSH_USERNAME }}
PKR_VAR_az_gallery_name: ${{ secrets.AZURE_PODVM_GALLERY_NAME }}
PKR_VAR_az_gallery_image_name: ${{ env.AZURE_PODVM_IMAGE_DEF_NAME }}
PKR_VAR_az_gallery_image_version: ${{ env.AZURE_PODVM_IMAGE_VERSION }}
PKR_VAR_use_azure_cli_auth: "true"
CLOUD_PROVIDER: "azure"
PODVM_DISTRO: "ubuntu"
run: |
make image BINARIES=
echo "successfully built $IMAGE_ID"
echo "image-id=${IMAGE_ID}" >> "$GITHUB_OUTPUT"
- name: Cleanup intermediate image
if: always()
run: |
# Delete intermediate image
az image delete \
--resource-group ${{ secrets.AZURE_RESOURCE_GROUP }} \
--name ${{ env.PODVM_IMAGE_NAME }}