diff --git a/.gitignore b/.gitignore index 65a3dc036ec4..e42d7311cda8 100644 --- a/.gitignore +++ b/.gitignore @@ -28,6 +28,10 @@ src/tarfs/**/*.o src/tarfs/**/modules.order src/tarfs/**/Module.symvers src/tarfs-cvm/ +tools/osbuilder/kata-containers-igvm.img +tools/osbuilder/kata-containers-igvm-debug.img +tools/osbuilder/igvm-debug-measurement.cose +tools/osbuilder/igvm-measurement.cose tools/osbuilder/root_hash.txt tools/osbuilder/igvm.log tools/osbuilder/kata-opa.service diff --git a/tools/osbuilder/node-builder/azure-linux/Makefile b/tools/osbuilder/node-builder/azure-linux/Makefile index 43eb8f5cba28..d81166a09d59 100644 --- a/tools/osbuilder/node-builder/azure-linux/Makefile +++ b/tools/osbuilder/node-builder/azure-linux/Makefile @@ -2,6 +2,18 @@ # # SPDX-License-Identifier: Apache-2.0 # +BUILD_TYPE := release + +ifeq ($(BUILD_TYPE),debug) + export AGENT_BUILD_TYPE := debug + export AGENT_POLICY_FILE := allow-all.rego + export SHIM_USE_DEBUG_CONFIG := yes +else + export AGENT_BUILD_TYPE := release + export AGENT_POLICY_FILE := allow-set-policy.rego + export SHIM_USE_DEBUG_CONFIG := no +endif + .PHONY: all all: package uvm diff --git a/tools/osbuilder/node-builder/azure-linux/README.md b/tools/osbuilder/node-builder/azure-linux/README.md index 357a8e2f2b59..ef808612768b 100644 --- a/tools/osbuilder/node-builder/azure-linux/README.md +++ b/tools/osbuilder/node-builder/azure-linux/README.md 
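Review bot: `BUILD_TYPE := release` in the Makefile hunk is a simple-expansion assignment, so a value exported in the environment (`BUILD_TYPE=debug sudo make …`) is silently ignored and only a command-line `make BUILD_TYPE=debug` takes effect; the same holds for the exported `AGENT_*`/`SHIM_*` variables inside the `ifeq`, so the README's "make still lets you override the other variables" is only true for command-line overrides. More importantly, any value other than the exact string `debug` falls into the `else` branch, so a typo such as `BUILD_TYPE=Debug` quietly produces a release build, while `debug` itself flips the UVM to `allow-all.rego`, i.e. an image with no policy enforcement; a selector with that much security effect should reject unknown values rather than default. Using `?=` and a `$(filter …)` check before the `ifeq` covers both points.
```make
BUILD_TYPE ?= release
ifeq ($(filter $(BUILD_TYPE),release debug),)
$(error BUILD_TYPE must be 'release' or 'debug', got '$(BUILD_TYPE)')
endif
# … unchanged: ifeq ($(BUILD_TYPE),debug) export block …
```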
@@ -148,6 +148,37 @@ Notes: - To build an IGVM file for CondPods with a non-default SVN of 0, prefix the `make uvm-confpods` command with `IGVM_SVN=` - For build and deployment of both Kata and Kata-CC artifacts, first run the `make all` and `make deploy` commands to build and install the Kata Containers for AKS components followed by `make clean`, and then run `make all-confpods` and `make deploy-confpods` to build and install the Confidential Containers for AKS components - or vice versa (using `make clean-confpods`). +## Debug build + +`make all-confpods` takes the following variables: + + * `AGENT_BUILD_TYPE`: Specify `release` (default) to build the agent in + release mode, or `debug` to build it in debug mode. + * `AGENT_POLICY_FILE`: Specify `allow-set-policy.rego` (default) to use + a restrictive policy, or `allow-all.rego` to use a permissive policy. + +`make deploy-confpods` takes the following variable: + + * `SHIM_USE_DEBUG_CONFIG`: Specify `no` (default) to use the production + configuration, or `yes` to use the debug configuration (all debug + logging enabled). In this case you'll want to enable debug logging + in containerd as well. + +In general, you can specify the debug configuration for all the above +variables by using `BUILD_TYPE=debug` as such: + +```shell +sudo make BUILD_TYPE=debug all-confpods deploy-confpods +``` + +Also note that make still lets you override the other variables even +after setting `BUILD_TYPE`. For example, you can use the production shim +config with `BUILD_TYPE=debug`: + +```shell +sudo make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods +``` + # Run Kata (Confidential) Containers ## Run via CRI or via containerd API diff --git a/tools/osbuilder/node-builder/azure-linux/package_build.sh b/tools/osbuilder/node-builder/azure-linux/package_build.sh index 8a409303b1b1..7bc675ae2ff8 100755 --- a/tools/osbuilder/node-builder/azure-linux/package_build.sh 
+++ b/tools/osbuilder/node-builder/azure-linux/package_build.sh @@ -10,6 +10,7 @@ set -o errtrace [ -n "$DEBUG" ] && set -x +AGENT_BUILD_TYPE=${AGENT_BUILD_TYPE:-release} CONF_PODS=${CONF_PODS:-no} script_dir="$(dirname $(readlink -f $0))" @@ -38,9 +39,7 @@ if [ "${OS_VERSION}" == "3.0" ]; then runtime_make_flags+=" DEFSANDBOXCGROUPONLY=true" fi -# add BUILD_TYPE=debug to build a debug agent (result in significantly increased agent binary size) -# this will require to add same flag to the `make install` section for the agent in uvm_build.sh -agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR}" +agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}" if [ "${CONF_PODS}" == "yes" ]; then agent_make_flags+=" AGENT_POLICY=yes" diff --git a/tools/osbuilder/node-builder/azure-linux/package_install.sh b/tools/osbuilder/node-builder/azure-linux/package_install.sh index f3f0b0f89b2b..8906ccb4feb4 100755 --- a/tools/osbuilder/node-builder/azure-linux/package_install.sh +++ b/tools/osbuilder/node-builder/azure-linux/package_install.sh @@ -12,6 +12,7 @@ set -o errtrace CONF_PODS=${CONF_PODS:-no} PREFIX=${PREFIX:-} +SHIM_USE_DEBUG_CONFIG=${SHIM_USE_DEBUG_CONFIG:-no} START_SERVICES=${START_SERVICES:-yes} script_dir="$(dirname $(readlink -f $0))" 
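Review bot: In the second package_build.sh hunk, `BUILD_TYPE=${AGENT_BUILD_TYPE}` forwards the variable to the agent Makefile without checking it, so a misspelt value reaches a Makefile whose handling of unknown build types is not visible here and may silently fall back to one mode or the other. A guard after the default assignment in the first hunk makes the failure explicit: `case "${AGENT_BUILD_TYPE}" in release|debug) ;; *) echo "AGENT_BUILD_TYPE must be 'release' or 'debug'" >&2; exit 1 ;; esac`. The same missing check applies to `SHIM_USE_DEBUG_CONFIG` in package_install.sh (compared only against `yes`, so any other spelling means "no") and to `AGENT_POLICY_FILE` in uvm_build.sh. The comment the hunk removes also stated that the same flag had to be added to the agent's `make install` step in uvm_build.sh; no such change is visible in this commit, so it is worth confirming that the install step still picks up the debug binary when `AGENT_BUILD_TYPE=debug`.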
@@ -40,6 +41,12 @@ if [ "${CONF_PODS}" == "yes" ]; then echo "Installing SNP shim debug configuration" cp -a --backup=numbered src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}"/"${SHIM_DBG_CONFIG_INST_FILE_NAME}" + if [ "${SHIM_USE_DEBUG_CONFIG}" == "yes" ]; then + # We simply override the release config with the debug config, + # which is probably fine when debugging. + ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_FILE_NAME}" + fi + echo "Enabling and starting snapshotter service" if [ "${START_SERVICES}" == "yes" ]; then systemctl enable tardev-snapshotter && systemctl daemon-reload && systemctl restart tardev-snapshotter diff --git a/tools/osbuilder/node-builder/azure-linux/uvm_build.sh b/tools/osbuilder/node-builder/azure-linux/uvm_build.sh index 6774856ba469..0f4aa7370166 100755 --- a/tools/osbuilder/node-builder/azure-linux/uvm_build.sh +++ b/tools/osbuilder/node-builder/azure-linux/uvm_build.sh @@ -10,6 +10,7 @@ set -o errtrace [ -n "$DEBUG" ] && set -x +AGENT_POLICY_FILE="${AGENT_POLICY_FILE:-allow-set-policy.rego}" CONF_PODS=${CONF_PODS:-no} IGVM_SVN=${IGVM_SVN:-0} @@ -23,10 +24,7 @@ source "${common_file}" rootfs_make_flags="AGENT_SOURCE_BIN=${AGENT_INSTALL_DIR}/usr/bin/kata-agent" if [ "${CONF_PODS}" == "yes" ]; then - # AGENT_POLICY_FILE=allow-all.rego would build a UVM with permissive security policy. - # The current variable assignment builds a UVM with prohibitive security policy which is the default on - # Confidential Containers on AKS - rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-set-policy.rego" + rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=${AGENT_POLICY_FILE}" fi if [ "${CONF_PODS}" == "yes" ]; then
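Review bot: The added `ln -sf src/runtime/config/"${SHIM_DBG_CONFIG_FILE_NAME}" src/runtime/config/"${SHIM_CONFIG_FILE_NAME}"` in package_install.sh stores a relative target, which `ln` resolves relative to the link's own directory, so the link resolves to `src/runtime/config/src/runtime/config/<debug file>` and dangles; it also rewrites the source checkout rather than the installed configuration under `${PREFIX}/${SHIM_CONFIG_PATH}`, which the surrounding `cp -a` lines treat as the install target. Mutating the checkout has a side effect beyond this run: a later `SHIM_USE_DEBUG_CONFIG=no` install would copy the symlinked source and ship the debug configuration (all debug logging enabled) as the production config. Point the override at the installed files instead, e.g. `ln -sf "${SHIM_DBG_CONFIG_INST_FILE_NAME}" "${PREFIX}/${SHIM_CONFIG_PATH}/<INSTALLED_RELEASE_CONFIG_NAME>"` where the placeholder is the installed release config name, which this hunk does not show. The enclosing `if [ "${CONF_PODS}" == "yes" ]` block starts before the hunk.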
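Review bot: The second uvm_build.sh hunk interpolates `AGENT_POLICY_FILE=${AGENT_POLICY_FILE}` into `rootfs_make_flags` without recording which policy went into the image, so a rootfs built with `allow-all.rego` (no policy enforcement) is indistinguishable in the build log from the restrictive default, and its root hash and IGVM measurement will presumably differ from the release artifacts. Logging the effective choice next to the first hunk's default, `echo "Building UVM rootfs with agent policy file: ${AGENT_POLICY_FILE}"`, and noting in that hunk's comment that `allow-all.rego` is intended for debugging only would keep the guarantee the removed comment used to state. Since the value is added to a whitespace-split flag string, a file name containing spaces would also break the later `make` invocation, which is outside this hunk.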