From a544bf66bc05f46f32c700f1d170d817a75ed8a1 Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Wed, 12 Jun 2024 16:27:23 +0000
Subject: [PATCH 1/2] cleanup salt, osbuilder artifacts from rootfs
---
 .../igvm-builder/azure-linux/config.sh | 7 +++++++
 tools/osbuilder/image-builder/image_builder.sh | 6 +++++-
 .../node-builder/azure-linux/uvm_build.sh | 2 +-
 .../rootfs-builder/cbl-mariner/rootfs_lib.sh | 1 +
 tools/osbuilder/rootfs-builder/rootfs.sh | 17 +++++++++++++++++
 5 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/tools/osbuilder/igvm-builder/azure-linux/config.sh b/tools/osbuilder/igvm-builder/azure-linux/config.sh
index bc6986f75adb..c449082373ac 100644
--- a/tools/osbuilder/igvm-builder/azure-linux/config.sh
+++ b/tools/osbuilder/igvm-builder/azure-linux/config.sh
@@ -13,8 +13,15 @@ igvmgen_py_file="${igvm_extract_folder}/src/igvm/igvmgen.py"
 igvm_vars="-kernel ${bzimage_bin} -boot_mode x64 -vtl 0 -svme 1 -encrypted_page 1 -pvalidate_opt 1 -acpi ${clh_acpi_tables_dir}"
+# root_hash=85b2e9101c51173834f911eaa22e24a41427c806f794585f2fa7a4d26f9470d5
+# salt=9476eed0d13d80032e38905c849ea00417d64f62b5819d9bc1379e7f2bba6dbb
+
+
 igvm_kernel_params_common="dm-mod.create=\"dm-verity,,,ro,0 ${data_sectors} verity 1 /dev/vda1 /dev/vda2 ${data_block_size} ${hash_block_size} ${data_blocks} 0 sha256 ${root_hash} ${salt}\" \
 root=/dev/dm-0 rootflags=data=ordered,errors=remount-ro ro rootfstype=ext4 panic=1 no_timer_check noreplace-smp systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service \
 systemd.mask=systemd-networkd.socket agent.enable_signature_verification=false"
+echo "FOOBY!!!"
+echo "igvm_kernel_params_common: $igvm_kernel_params_common"
+
 igvm_kernel_prod_params="${igvm_kernel_params_common} quiet"
 igvm_kernel_debug_params="${igvm_kernel_params_common} console=hvc0 systemd.log_target=console agent.log=debug agent.debug_console agent.debug_console_vport=1026"
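Review bot: The two `echo` lines added after `igvm_kernel_params_common` are debugging output (`FOOBY!!!`) that also dumps the full kernel command line to the stdout of whatever sources config.sh (whether it is sourced or executed is not visible here); the same `FOOBY` tracing is added in image_builder.sh (`@@ -528` and, in the second patch, `@@ -498`) and rootfs.sh (`@@ -45`, `@@ -685`), and all of it should be removed before merge. The commented-out `root_hash`/`salt` pair is tied to one particular build and goes stale as soon as the rootfs changes; if a reference value is wanted, keep it in the build log rather than in the config that every build sources. The two blank `+` lines inserted before `igvm_kernel_params_common` are noise as well.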
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
index ca7c90386a91..d551a5da3065 100755
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -528,7 +528,11 @@ create_rootfs_image() {
 info "${setup_cmd}"
 local image_dir=$(dirname "${image}")
- eval "${setup_cmd}" > "${image_dir}"/root_hash.txt 2>&1
+ echo "FOOBY!!!"
+ set -x
+ echo "setup_cmd: $setup_cmd"
+ eval "${setup_cmd} -s \"deadbeef\"" > "${image_dir}"/root_hash.txt 2>&1
+ set +x
 fi
 losetup -d "${device}"
diff --git a/tools/osbuilder/node-builder/azure-linux/uvm_build.sh b/tools/osbuilder/node-builder/azure-linux/uvm_build.sh
index e2a63cc03a80..5394e3a54cf0 100755
--- a/tools/osbuilder/node-builder/azure-linux/uvm_build.sh
+++ b/tools/osbuilder/node-builder/azure-linux/uvm_build.sh
@@ -27,7 +27,7 @@ if [ "${CONF_PODS}" == "yes" ]; then
 # AGENT_POLICY_FILE=allow-all.rego would build a UVM with permissive security policy.
 # The current variable assignment builds a UVM with prohibitive security policy which is the default on
 # Confidential Containers on AKS
- rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-set-policy.rego"
+ rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-all.rego"
 fi
 if [ "${CONF_PODS}" == "yes" ]; then
diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
index 0288d4d77ea6..709ba4e3230f 100644
--- a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
@@ -24,3 +24,4 @@ build_rootfs()
 rm -rf ${ROOTFS_DIR}/usr/share/{bash-completion,cracklib,doc,info,locale,man,misc,pixmaps,terminfo,zoneinfo,zsh}
 }
+
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index e0765113d667..2334d56775d8 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
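Review bot: With `set -x` switched on just before it, the trace of the command that `eval` expands is, as far as I can tell, written to stderr while the `2>&1` redirection is in effect, so `+ …` trace lines land in `root_hash.txt` next to the real output, and anything that later reads the root hash from that file (not visible in this hunk) will see extra lines; drop the `set -x`/`set +x` pair (`set +x` also disables tracing a caller may have enabled). The salt is hard-coded as the literal `deadbeef` inside the command string — a fixed salt is a defensible choice for a reproducible dm-verity image, but it belongs in a named constant with the reason recorded, e.g. `local -r verity_salt="deadbeef"  # fixed salt: keeps the root hash reproducible across builds`, used as `eval "${setup_cmd} -s \"${verity_salt}\"" > "${image_dir}"/root_hash.txt 2>&1`. What `setup_cmd` contains is built outside the hunk; create_rootfs_image starts and ends outside it too.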
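Review bot: The new assignment selects `AGENT_POLICY_FILE=allow-all.rego`, which the comment three lines above describes as the permissive policy, while that same comment still claims the current assignment builds a UVM with the prohibitive policy that is the default for Confidential Containers on AKS; code and comment now contradict each other, and nothing in a commit titled "cleanup salt, osbuilder artifacts from rootfs" explains why the confidential-pods guest policy is relaxed. If the permissive policy is only for local testing, drop this hunk so the build keeps `AGENT_POLICY_FILE=allow-set-policy.rego`; if it is intended, make it a separate commit that states the reason and rewrite the comment to match. The second `if [ "${CONF_PODS}" == "yes" ]` at the end of the hunk continues outside it.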
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -45,6 +45,11 @@ ARCH=${ARCH:-$(uname -m)}
 TARGET_OS=${TARGET_OS:-linux}
 [ "${CROSS_BUILD}" == "true" ] && BUILDX=buildx && PLATFORM="--platform=${TARGET_OS}/${TARGET_ARCH}"
+
+echo "FOOBY rootfs!!!"
+echo "CONF_PODS tag: $CONF_PODS"
+
+
 handle_error() {
 local exit_code="${?}"
 local line_number="${1:-}"
@@ -685,6 +690,14 @@ EOF
 create_summary_file "${ROOTFS_DIR}"
 }
+cleanup_rootfs()
+{
+ echo "FOOBY cleanup_rootfs!!!"
+ rm "${ROOTFS_DIR}/lib/sysimage/tdnf/history.db"
+ rm "${ROOTFS_DIR}/var/lib/osbuilder/osbuilder.yaml"
+ rm -r "${ROOTFS_DIR}/lib/debug/.build-id"
+}
+
 parse_arguments()
 {
 [ "$#" -eq 0 ] && usage && return 0
@@ -742,6 +755,10 @@ main()
 init="${ROOTFS_DIR}/sbin/init"
 setup_rootfs
+ set -x
+ if [ ! -z "$CONF_PODS" ]; then
+ cleanup_rootfs
+ fi
 }
 main $*
From 348ba63acba441d57d4dea674f448ab890a15c32 Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Thu, 13 Jun 2024 23:28:02 +0000
Subject: [PATCH 2/2] add more cleanup for rootfs contents
---
 .../osbuilder/image-builder/image_builder.sh | 7 +++++--
 .../rootfs-builder/cbl-mariner/rootfs_lib.sh | 19 ++++++++++++++++---
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
index d551a5da3065..87c6a948e9d6 100755
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -498,7 +498,10 @@ create_rootfs_image() {
 info "Setup systemd"
 setup_systemd "${mount_dir}"
-
+ echo "FOOBY: mount_dir: ${mount_dir}"
+ find "${mount_dir}" -type f | xargs touch -d "Sun, 29 Feb 2004 16:21:42 -0800"
+ find "${mount_dir}" -type d | xargs touch -d "Sun, 29 Feb 2004 16:21:42 -0800"
+ sudo chroot /
 info "Unmounting root partition"
 umount "${mount_dir}"
 OK "Root partition unmounted"
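Review bot: `cleanup_rootfs` removes its three paths with plain `rm`/`rm -r`, so a rootfs that lacks `history.db`, `osbuilder.yaml` or `.build-id` makes the function fail — and, if the `handle_error` trap visible in the first hunk is armed together with `set -e` (the trap setup is outside this hunk), aborts the whole build — although a rootfs without those artifacts is exactly the intended end state; use `rm -f` and `rm -rf`. Every path is built from `${ROOTFS_DIR}` with no guard, so an empty variable would turn the last line into `rm -r /lib/debug/.build-id` on the build host; write it as `rm -rf "${ROOTFS_DIR:?}/lib/debug/.build-id"` and the other two the same way. The function also needs a header comment saying what it strips and why, e.g. `# Strip build-time artifacts (tdnf history, osbuilder metadata, debug build-ids) that differ from build to build`; that these are removed for reproducibility is my reading of the commit subject, so confirm it.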
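Review bot: The guard `if [ ! -z "$CONF_PODS" ]` runs `cleanup_rootfs` for any non-empty value, so `CONF_PODS=no` also strips the rootfs, whereas uvm_build.sh in this same series compares the variable with `"yes"`; write it as `if [ "${CONF_PODS:-}" == "yes" ]; then`, which is also safe should the script ever run with `set -u`. The `set -x` added before the check is never turned off, so every remaining command of `main` and whatever it invokes is traced to stderr; remove it. `main` begins outside the hunk.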
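Review bot: `sudo chroot /` in the middle of create_rootfs_image starts an interactive root shell on the build host with no command, which either blocks the build until that shell exits or fails outright where sudo has no TTY, and does nothing for the image; it reads as a leftover from manual debugging and must be removed together with the `FOOBY` echo. The two `find … | xargs touch` pipelines split file names on whitespace and quotes, so any such path in the rootfs is mistouched or breaks the pipeline; if the intent is to normalise every timestamp to one fixed date for a reproducible image (confirm), use a single NUL-safe invocation such as `find "${mount_dir}" \( -type f -o -type d \) -exec touch -d "Sun, 29 Feb 2004 16:21:42 -0800" {} +` and lift the date into a named constant with a comment stating that purpose. create_rootfs_image continues outside the hunk on both sides.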
@@ -531,7 +534,7 @@ create_rootfs_image() {
 echo "FOOBY!!!"
 set -x
 echo "setup_cmd: $setup_cmd"
- eval "${setup_cmd} -s \"deadbeef\"" > "${image_dir}"/root_hash.txt 2>&1
+ eval "${setup_cmd} -v --uuid "bddba635-5269-45dc-8a64-e5abc5b7b1df" -s \"deadbeef\"" > "${image_dir}"/root_hash.txt 2>&1
 set +x
 fi
diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
index 709ba4e3230f..1bad2f035bb1 100644
--- a/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/rootfs_lib.sh
@@ -2,6 +2,14 @@
 #
 # SPDX-License-Identifier: Apache-2.0
+temp_upgrade_cacerts()
+{
+ rpm -Uhv ca-certificates-tools-2.0.0-17.cm2.noarch.rpm --replacepkgs
+ rm ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+ rm /etc/pki/ca-trust/extracted/java/cacerts
+ update-ca-trust
+}
+
 build_rootfs()
 {
 # Mandatory
@@ -18,10 +26,15 @@ build_rootfs()
 PKG_MANAGER="tdnf"
 DNF="${PKG_MANAGER} -y --installroot=${ROOTFS_DIR} --noplugins --releasever=${OS_VERSION}"
-
+ set -x
 info "install packages for rootfs"
- $DNF install ${EXTRA_PKGS} ${PACKAGES}
-
+ $DNF install ${EXTRA_PKGS} ${PACKAGES} rpm wget
+ wget https://cameronbairdstorage.blob.core.windows.net/public/ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+ cp ca-certificates-tools-2.0.0-17.cm2.noarch.rpm "${ROOTFS_DIR}"
+ export -f temp_upgrade_cacerts
+ chroot "${ROOTFS_DIR}" /bin/bash -c "temp_upgrade_cacerts"
+ echo "chroot done"
+ set +x
 rm -rf ${ROOTFS_DIR}/usr/share/{bash-completion,cracklib,doc,info,locale,man,misc,pixmaps,terminfo,zoneinfo,zsh}
 }
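Review bot: The inner quotes around the UUID in the new `eval` line are not escaped, so the double-quoted string closes before `bddba635-…` and reopens after it; the command only works because the UUID contains no whitespace, and it is inconsistent with the `\"deadbeef\"` on the same line. Declare both values as named constants above the `if` and drop the inner quotes: `local -r verity_uuid="bddba635-5269-45dc-8a64-e5abc5b7b1df"  # fixed so the verity superblock is reproducible (confirm)` and `eval "${setup_cmd} -v --uuid ${verity_uuid} -s \"deadbeef\"" > "${image_dir}"/root_hash.txt 2>&1`. `-v` also writes verbose output into `root_hash.txt`, which whatever consumes that file (not visible here) may not expect, and the `set -x` block around the line, carried over from the first patch, still needs to go. create_rootfs_image continues outside the hunk.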
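Review bot: `temp_upgrade_cacerts` carries no comment, yet it only makes sense in the context the `@@ -18` hunk below sets up: it is exported with `export -f` and run inside `chroot "${ROOTFS_DIR}"`, the relative RPM path resolves only because the package is copied to the rootfs root and chroot appears to start in `/`, and the Java `cacerts` file is deleted so that `update-ca-trust` regenerates it (that last intent is my inference — confirm). Put that in a header comment, e.g. `# Runs inside chroot "${ROOTFS_DIR}" (exported via export -f from build_rootfs): force-reinstall ca-certificates-tools from the RPM staged at / and rebuild the extracted trust stores`, and use the absolute path `/ca-certificates-tools-2.0.0-17.cm2.noarch.rpm` in both the `rpm` and the `rm` line so the function does not depend on the working directory. The name says the function is temporary, so a `# TODO` stating the condition for removing it (presumably the fixed package reaching the distribution repositories) would help the next maintainer.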
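Review bot: The `wget https://cameronbairdstorage.blob.core.windows.net/public/ca-certificates-tools-2.0.0-17.cm2.noarch.rpm` line fetches the package that replaces the guest's CA trust store from a personal storage account, and `rpm -Uhv` in the chroot installs it with no enforced signature or checksum check (by default rpm only warns on an unknown or missing key), so the trust roots of every confidential UVM built from here depend on whoever controls that blob. For an attestable rootfs the package should come from the distribution repository through `$DNF`, so tdnf's repository GPG check applies; failing that, pin a recorded sha256 and run `sha256sum -c` on the download before the `cp` into `${ROOTFS_DIR}`, and record in a comment why the stock package is being replaced. `wget` runs on the build host, not in the chroot, so adding `wget` to the `$DNF install` list only bakes an extra network client into the guest image — keep `rpm`, which the chroot step needs, drop `wget`, and delete the downloaded file from the host working directory after the `cp`. The `set -x`/`set +x` pair and `echo "chroot done"` are debugging leftovers; build_rootfs begins outside the hunk.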