From 136085b972132aba6ed5b3dd167bb46bcbd8007b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Doktor?= Date: Tue, 22 Apr 2025 11:34:39 +0200 Subject: [PATCH 1/9] ci: Replace deprecated GH ubuntu 20.04 for 24.04 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit the ubuntu 20.04 is deprecated and removed from GH runners, let's replace it with the latest 24.04 to ensure various versions keep working well. Signed-off-by: Lukáš Doktor --- .github/workflows/ccruntime_e2e.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ccruntime_e2e.yaml b/.github/workflows/ccruntime_e2e.yaml index 4ac170e9..76d2eef4 100644 --- a/.github/workflows/ccruntime_e2e.yaml +++ b/.github/workflows/ccruntime_e2e.yaml @@ -22,8 +22,8 @@ jobs: runtimeclass: - "kata-qemu" instance: - - "ubuntu-20.04" - "ubuntu-22.04" + - "ubuntu-24.04" - "s390x-large" - "tdx" - "sev-snp" From f4d0dc531f11c5154ce9cadf1bc2cb0ce85e1858 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 1 May 2025 00:08:21 +0000 Subject: [PATCH 2/9] build(deps): bump the github-actions group with 2 updates Bumps the github-actions group with 2 updates: [docker/build-push-action](https://github.com/docker/build-push-action) and [github/codeql-action](https://github.com/github/codeql-action). Updates `docker/build-push-action` from 6.15.0 to 6.16.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/471d1dc4e07e5cdedd4c2171150001c434f0b7a4...14487ce63c7a62a4a324b0bfb37086795e31c6c1) Updates `github/codeql-action` from 3.28.15 to 3.28.16 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/45775bd8235c68ba998cffa5171334d58593da47...28deaeda66b76a05916b6923827895f2b14ab387) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: 6.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 3.28.16 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/docker-publish-latest-on-merge.yaml | 2 +- .github/workflows/docker-publish-on-tag.yaml | 2 +- .github/workflows/lib-codeql.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-publish-latest-on-merge.yaml b/.github/workflows/docker-publish-latest-on-merge.yaml index fc0dbc85..5aac1401 100644 --- a/.github/workflows/docker-publish-latest-on-merge.yaml +++ b/.github/workflows/docker-publish-latest-on-merge.yaml 
@@ -61,7 +61,7 @@ jobs: # Build and push Docker image with Buildx # https://github.com/docker/build-push-action - name: Build and push Docker image - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6 with: context: . push: true diff --git a/.github/workflows/docker-publish-on-tag.yaml b/.github/workflows/docker-publish-on-tag.yaml index f1ac41a6..e3fce4f6 100644 --- a/.github/workflows/docker-publish-on-tag.yaml +++ b/.github/workflows/docker-publish-on-tag.yaml @@ -58,7 +58,7 @@ jobs: # Build and push Docker image with Buildx (don't push on PR) # https://github.com/docker/build-push-action - name: Build and push Docker image - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6 with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml index e10d31b9..96f99efd 100644 --- a/.github/workflows/lib-codeql.yaml +++ b/.github/workflows/lib-codeql.yaml @@ -25,11 +25,11 @@ jobs: check-latest: true - name: Initialize CodeQL - uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3 + uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3 with: languages: 'go' - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3 + uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3 with: category: "/language:go" From 27a248106d661473561a28c725ee5b99fe10095f Mon Sep 17 00:00:00 2001 From: Amulyam24 Date: Thu, 15 May 2025 20:01:11 +0530 Subject: [PATCH 3/9] Build and publish operator and pre-install images for ppc64le This PR adds support for publishing operator images for ppc64le. 
Signed-off-by: Amulyam24 --- .github/workflows/docker-publish-latest-on-merge.yaml | 2 +- .github/workflows/docker-publish-on-tag.yaml | 2 +- install/pre-install-payload/payload.sh | 6 +++++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-publish-latest-on-merge.yaml b/.github/workflows/docker-publish-latest-on-merge.yaml index 5aac1401..747b9d79 100644 --- a/.github/workflows/docker-publish-latest-on-merge.yaml +++ b/.github/workflows/docker-publish-latest-on-merge.yaml @@ -65,6 +65,6 @@ jobs: with: context: . push: true - platforms: linux/amd64,linux/s390x,linux/arm64 + platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/docker-publish-on-tag.yaml b/.github/workflows/docker-publish-on-tag.yaml index e3fce4f6..6eed0af2 100644 --- a/.github/workflows/docker-publish-on-tag.yaml +++ b/.github/workflows/docker-publish-on-tag.yaml @@ -62,6 +62,6 @@ jobs: with: context: . push: ${{ github.event_name != 'pull_request' }} - platforms: linux/amd64,linux/s390x,linux/arm64 + platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} diff --git a/install/pre-install-payload/payload.sh b/install/pre-install-payload/payload.sh index f0f0a9f7..790954ec 100755 --- a/install/pre-install-payload/payload.sh +++ b/install/pre-install-payload/payload.sh 
@@ -11,7 +11,7 @@ official_containerd_repo=${official_containerd_repo:-"https://github.com/contain vfio_gpu_containerd_repo=${vfio_gpu_containerd_repo:-"https://github.com/confidential-containers/containerd"} nydus_snapshotter_repo=${nydus_snapshotter_repo:-"https://github.com/containerd/nydus-snapshotter"} extra_docker_manifest_flags="${extra_docker_manifest_flags:-}" -archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64"} +archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64 linux/ppc64le"} registry="${registry:-quay.io/confidential-containers/reqs-payload}" @@ -29,6 +29,10 @@ function setup_env_for_arch() { kernel_arch="aarch64" golang_arch="arm64" ;; + "linux/ppc64le") + kernel_arch="powerpc" + golang_arch="ppc64le" + ;; *) echo "$1 is not supported" >/dev/stderr && exit 1 ;; esac } From d99e84a4abb499d0c556428e454ca09cbc9c93a4 Mon Sep 17 00:00:00 2001 From: Nino Martinez Wael Date: Thu, 22 May 2025 08:52:44 +0200 Subject: [PATCH 4/9] Add reference to website Signed-off-by: Nino Martinez Wael --- docs/INSTALL.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/INSTALL.md b/docs/INSTALL.md index 4ef190e9..fc327a32 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -167,6 +167,15 @@ kubectl delete -k github.com/confidential-containers/operator/config/samples/ccr kubectl delete -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}" ``` +## Troubleshooting +Something not working? [Go here](https://confidentialcontainers.org/docs/troubleshooting/) + + +## Next steps + +- [Take coco-dev, no confidential hardware required, for a spin](https://github.com/confidential-containers/confidential-containers/blob/main/guides/coco-dev.md) + + ## Advanced Topics - [How to install confidential containers with IBM Secure Execution](https://github.com/confidential-containers/confidential-containers/blob/main/guides/ibm-se.md) 
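Review bot: The new `"linux/ppc64le"` arm in setup_env_for_arch sets `kernel_arch="powerpc"` while every other arm uses a name that visibly matches its platform, and nothing explains the mismatch; the function's header is outside the hunk. A one-line comment would save the next reader a lookup, e.g. `# the kernel tree builds all PowerPC variants, including little-endian ppc64le, under ARCH=powerpc`. It is also worth noting at the `archs=` default in the first hunk that the list and the case arms must be kept in sync, since an entry in one without the other exits via the `*)` branch: `# every platform listed here needs a matching arm in setup_env_for_arch`.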
From db43afb8472ec844beff224710865edcd46432ef Mon Sep 17 00:00:00 2001 From: Niteesh Dubey Date: Wed, 21 May 2025 19:14:26 +0000 Subject: [PATCH 5/9] release: bump enclave-cc runtime payloads for v0.14.0 Update the enclave-cc runtime payloads to point to the v0.11.0 release of enclave-cc and update the pre-reqs payload. Signed-off-by: Niteesh Dubey --- config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml | 2 +- config/samples/enclave-cc/hw/kustomization.yaml | 2 +- config/samples/enclave-cc/sim/kustomization.yaml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml b/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml index 396cace3..b7225e03 100644 --- a/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml +++ b/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml @@ -9,7 +9,7 @@ spec: node.kubernetes.io/worker: "" config: installType: bundle - payloadImage: quay.io/confidential-containers/runtime-payload-ci:enclave-cc-HW-cc-kbc-latest + payloadImage: quay.io/confidential-containers/runtime-payload:enclave-cc-HW-cc-kbc-v0.11.0 installDoneLabel: confidentialcontainers.org/enclave-cc: "true" uninstallDoneLabel: diff --git a/config/samples/enclave-cc/hw/kustomization.yaml b/config/samples/enclave-cc/hw/kustomization.yaml index 3e0608d5..d52377f3 100644 --- a/config/samples/enclave-cc/hw/kustomization.yaml +++ b/config/samples/enclave-cc/hw/kustomization.yaml @@ -8,4 +8,4 @@ nameSuffix: -sgx-mode-hw images: - name: quay.io/confidential-containers/reqs-payload - newTag: latest + newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9 diff --git a/config/samples/enclave-cc/sim/kustomization.yaml b/config/samples/enclave-cc/sim/kustomization.yaml index 4b58e1ad..c02d9f57 100644 --- a/config/samples/enclave-cc/sim/kustomization.yaml +++ b/config/samples/enclave-cc/sim/kustomization.yaml 
@@ -4,7 +4,7 @@ resources: nameSuffix: -sgx-mode-sim images: -- name: quay.io/confidential-containers/runtime-payload-ci - newTag: enclave-cc-SIM-sample-kbc-latest +- name: quay.io/confidential-containers/runtime-payload + newTag: enclave-cc-SIM-sample-kbc-v0.11.0 - name: quay.io/confidential-containers/reqs-payload - newTag: latest + newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9 From 4ee8420d5dc6456ae75a2e9a4a7ad206a09bff3f Mon Sep 17 00:00:00 2001 From: Niteesh Dubey Date: Wed, 21 May 2025 19:19:55 +0000 Subject: [PATCH 6/9] release: bump kata payloads for v0.14.0 Update Kata payloads to 3.17.0 and bump the pre-reqs payload for default, peer-pods and s390x ccruntimes Signed-off-by: Niteesh Dubey --- config/samples/ccruntime/default/kustomization.yaml | 5 ++--- config/samples/ccruntime/peer-pods/kustomization.yaml | 5 ++--- config/samples/ccruntime/s390x/kustomization.yaml | 5 ++--- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/config/samples/ccruntime/default/kustomization.yaml b/config/samples/ccruntime/default/kustomization.yaml index 197946c9..e6d13907 100644 --- a/config/samples/ccruntime/default/kustomization.yaml +++ b/config/samples/ccruntime/default/kustomization.yaml @@ -8,10 +8,9 @@ resources: images: - name: quay.io/confidential-containers/reqs-payload - newTag: latest + newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9 - name: quay.io/kata-containers/kata-deploy - newName: quay.io/kata-containers/kata-deploy-ci - newTag: kata-containers-latest + newTag: 3.17.0 patches: - patch: |- diff --git a/config/samples/ccruntime/peer-pods/kustomization.yaml b/config/samples/ccruntime/peer-pods/kustomization.yaml index fc8dc7ae..ea62064d 100644 --- a/config/samples/ccruntime/peer-pods/kustomization.yaml +++ b/config/samples/ccruntime/peer-pods/kustomization.yaml 
@@ -9,10 +9,9 @@ resources: images: - name: quay.io/confidential-containers/reqs-payload - newTag: latest + newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9 - name: quay.io/kata-containers/kata-deploy - newName: quay.io/kata-containers/kata-deploy-ci - newTag: kata-containers-latest + newTag: 3.17.0 patches: diff --git a/config/samples/ccruntime/s390x/kustomization.yaml b/config/samples/ccruntime/s390x/kustomization.yaml index 046a8a54..099b9a49 100644 --- a/config/samples/ccruntime/s390x/kustomization.yaml +++ b/config/samples/ccruntime/s390x/kustomization.yaml @@ -8,10 +8,9 @@ resources: images: - name: quay.io/confidential-containers/reqs-payload - newTag: latest + newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9 - name: quay.io/kata-containers/kata-deploy - newName: quay.io/kata-containers/kata-deploy-ci - newTag: kata-containers-latest + newTag: 3.17.0 patches: - patch: |- From 3c2dd42bf0c45b5c91ad8608b64fb5592c17cf5f Mon Sep 17 00:00:00 2001 From: Niteesh Dubey Date: Wed, 21 May 2025 19:22:32 +0000 Subject: [PATCH 7/9] release: update operator version to v0.14.0 Update operator version from v0.13.0 to v0.14.0. Signed-off-by: Niteesh Dubey --- config/release/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml index e548d009..019d9663 100644 --- a/config/release/kustomization.yaml +++ b/config/release/kustomization.yaml @@ -4,4 +4,4 @@ resources: # newTag points to the latest release image and must be updated before tagging a new release images: - name: quay.io/confidential-containers/operator - newTag: v0.13.0 + newTag: v0.14.0 From 08fdc05031a33060b0389ef4c827300aab7c9a90 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Thu, 24 Apr 2025 14:39:11 +0800 Subject: [PATCH 8/9] CAA: enable containerd installation for CAA deployment On Alibaba Cloud the default containerd version is lower than 1.7, thus we need to install new containerd via operator. 
Signed-off-by: Xynnn007 --- config/samples/ccruntime/peer-pods/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/samples/ccruntime/peer-pods/kustomization.yaml b/config/samples/ccruntime/peer-pods/kustomization.yaml index ea62064d..abbc0c7b 100644 --- a/config/samples/ccruntime/peer-pods/kustomization.yaml +++ b/config/samples/ccruntime/peer-pods/kustomization.yaml @@ -32,6 +32,6 @@ patches: # containerd v1.7+ running. If you know for sure that's not # the case, please, set this variable to `true` - name: "INSTALL_OFFICIAL_CONTAINERD" - value: "false" + value: "true" target: kind: CcRuntime From fdabf8864099c5aaf3275770d2f94b359d2593bc Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Fri, 11 Jul 2025 10:04:03 +0800 Subject: [PATCH 9/9] Mirror: add alibaba cloud image mirrors For some users who may encounter the problem of being unable to access `quay.io` when deploying CoCo, we bring an image mirror for coco/kata official image registries. The sync frequency will be 1~ per day. Signed-off-by: Xynnn007 --- config/mirror/README.md | 3 +++ config/mirror/default/kustomization.yaml | 9 +++++++++ config/mirror/release/kustomization.yaml | 9 +++++++++ .../samples/ccruntime/default/kustomization.yaml | 11 +++++++++++ .../samples/ccruntime/peer-pods/kustomization.yaml | 11 +++++++++++ docs/INSTALL.md | 8 ++++++++ docs/PEERPODS.md | 4 ++++ 7 files changed, 55 insertions(+) create mode 100644 config/mirror/README.md create mode 100644 config/mirror/default/kustomization.yaml create mode 100644 config/mirror/release/kustomization.yaml create mode 100644 config/mirror/samples/ccruntime/default/kustomization.yaml create mode 100644 config/mirror/samples/ccruntime/peer-pods/kustomization.yaml diff --git a/config/mirror/README.md b/config/mirror/README.md new file mode 100644 index 00000000..d5c9329d --- /dev/null +++ b/config/mirror/README.md 
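Review bot: Flipping `INSTALL_OFFICIAL_CONTAINERD` to `"true"` in the shared peer-pods sample changes the default for every peer-pods deployment, not only Alibaba Cloud, yet the comment directly above (which begins outside the hunk) still presents `true` as the opt-in for nodes lacking containerd v1.7+. Wherever this sample is applied the operator will now replace the node's containerd, which deserves to be stated where the value is set. Suggest rewording the comment to something like `# The operator installs its own containerd by default (some clouds ship versions older than v1.7); set this to "false" if your nodes already run containerd v1.7+`, or keeping the base at `"false"` and carrying the `"true"` override in a cloud-specific overlay so other users keep the previous behaviour.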
@@ -0,0 +1,3 @@ +# Operator using Mirror of Alibaba Cloud + +For some users who may encounter the problem of being unable to access `quay.io` when deploying CoCo, this image mirror provided by Alibaba Cloud can be useful. This can greatly speed up the image pulling speed in some regions. diff --git a/config/mirror/default/kustomization.yaml b/config/mirror/default/kustomization.yaml new file mode 100644 index 00000000..a65d48ff --- /dev/null +++ b/config/mirror/default/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- ../../default + +images: +- name: quay.io/confidential-containers/operator + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator \ No newline at end of file diff --git a/config/mirror/release/kustomization.yaml b/config/mirror/release/kustomization.yaml new file mode 100644 index 00000000..3bc6ed0e --- /dev/null +++ b/config/mirror/release/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- ../../release + +images: +- name: quay.io/confidential-containers/operator + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator \ No newline at end of file diff --git a/config/mirror/samples/ccruntime/default/kustomization.yaml b/config/mirror/samples/ccruntime/default/kustomization.yaml new file mode 100644 index 00000000..18c62e58 --- /dev/null +++ b/config/mirror/samples/ccruntime/default/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../../../../samples/ccruntime/default + +images: +- name: quay.io/confidential-containers/reqs-payload + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload +- name: quay.io/kata-containers/kata-deploy-ci + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci \ No newline at end of file 
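Review bot: The new config/mirror/default/kustomization.yaml uses `bases:`, the deprecated kustomize field, while the overlays added under config/mirror/samples in this same patch use `resources:`; the same applies to config/mirror/release/kustomization.yaml in the following hunk, and both files end without a trailing newline. Changing the key is a one-line edit, `resources:`, with the `- ../../default` entry unchanged. Because the mirror lives in a third-party registry namespace and is synced out of band (the description says about once per day), a header comment naming the upstream image and the sync caveat would help readers judge what they are pulling, e.g. `# Alibaba Cloud mirror of quay.io/confidential-containers/operator; synced from upstream roughly daily, so tags may lag the release`.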
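Review bot: The rewrite for `quay.io/kata-containers/kata-deploy-ci` in config/mirror/samples/ccruntime/default/kustomization.yaml appears to match nothing once this series is applied: patch 6 removed `newName: quay.io/kata-containers/kata-deploy-ci` from config/samples/ccruntime/default/kustomization.yaml, so the base it pulls in via `resources:` now emits `quay.io/kata-containers/kata-deploy:3.17.0`, and kustomize's image transformer matches on the name the resource actually carries. The kata-deploy image would then still be fetched from quay.io, which is the one thing this overlay exists to avoid; config/mirror/samples/ccruntime/peer-pods/kustomization.yaml on the next line has the same entry. Unless the mirror is deliberately limited to the CI image, the entry should read `- name: quay.io/kata-containers/kata-deploy` with a `newName:` pointing at a mirror repository that carries the release image (constructed placeholder: `<mirror-registry>/coco-kata-deploy`; confirm the repository that actually exists on the mirror). This file also lacks a trailing newline.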
diff --git a/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml b/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml new file mode 100644 index 00000000..c5fc8e57 --- /dev/null +++ b/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../../../../samples/ccruntime/peer-pods + +images: +- name: quay.io/confidential-containers/reqs-payload + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload +- name: quay.io/kata-containers/kata-deploy-ci + newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci \ No newline at end of file diff --git a/docs/INSTALL.md b/docs/INSTALL.md index fc327a32..d885395b 100644 --- a/docs/INSTALL.md +++ b/docs/INSTALL.md @@ -18,6 +18,10 @@ export RELEASE_VERSION= kubectl apply -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}" ``` +> [!TIP] +> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k` +> `"github.com/confidential-containers/operator/config/mirror/release?ref=${RELEASE_VERSION}"` + While also managing certain cluster-wide resources, the operator primarily deploys resources within the confidential-containers-system namespace. @@ -96,6 +100,10 @@ desired [release tag](https://github.com/confidential-containers/operator/tags): kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=${RELEASE_VERSION} ``` +> [!TIP] +> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k` +> `"github.com/confidential-containers/operator/config/mirror/samples/ccruntime/default?ref=${RELEASE_VERSION}"` + Wait until each pod has the `STATUS` as `Running`: ``` diff --git a/docs/PEERPODS.md b/docs/PEERPODS.md index 0584a461..538e4e8e 100644 --- a/docs/PEERPODS.md +++ b/docs/PEERPODS.md 
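Review bot: The directory created here is `config/mirror/samples/ccruntime/peer-pods`, but the tip added to docs/PEERPODS.md in the last hunk of this patch sends users to `config/mirror/samples/ccruntime/peerpods`, a path that does not exist in this series, whereas the INSTALL.md tips use the paths exactly as created. One of the two must change; the pre-existing `kubectl create -k config/samples/ccruntime/peerpods` line in the same doc already disagrees with the `config/samples/ccruntime/peer-pods/` directory that patches 6 and 8 modify, so the doc is the likelier culprit and should read `config/mirror/samples/ccruntime/peer-pods`.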
@@ -75,6 +75,10 @@ stringData: kubectl create -k config/samples/ccruntime/peerpods ``` +> [!TIP] +> Some regions may not be able to access the `quay.io` repository. You can use the following path after `-k` +> `config/mirror/samples/ccruntime/peerpods` + ## Uninstalling Operator Ensure KUBECONFIG points to target Kubernetes cluster