Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add NixOS image for bare-metal Kata #1019

Merged
merged 5 commits into from
Dec 6, 2024
Merged

Add NixOS image for bare-metal Kata #1019

merged 5 commits into from
Dec 6, 2024

Conversation

msanft
Copy link
Contributor

@msanft msanft commented Nov 19, 2024
edited
Loading

This switches the image used in our bare-metal Kata uses (e.g. non-AKS and non-peerpods) to a NixOS image that we build in-tree as a MicroVM image (e.g. separated kernel, initrd, cmdline and rootfs).

I tried to split this up into digestible commits as much as possible, but a large part still has to be done in one commit in order to ensure bisectability through all commits. I also tried to write meaningful commit messages, so please consult these to find out about the specific changes.

@msanft msanft added the no changelog PRs not listed in the release notes label Nov 19, 2024
@msanft msanft requested a review from burgerdev November 19, 2024 15:22
@msanft msanft requested a review from katexochen as a code owner November 19, 2024 15:22
@msanft msanft force-pushed the msanft/kata/nixos-image branch 6 times, most recently from 1140233 to 304fca3 Compare November 21, 2024 14:38
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 21, 2024
edited
Loading

PR Preview Action v1.4.8
Preview removed because the pull request was closed.
2024-12-06 15:03 UTC

@msanft msanft force-pushed the msanft/kata/nixos-image branch 2 times, most recently from c7dbe2c to ad338fa Compare November 22, 2024 09:45
@msanft msanft requested a review from 3u13r November 22, 2024 16:09
burgerdev
burgerdev reviewed Nov 26, 2024
View reviewed changes
Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for properly organizing the commits, that indeed improves the review experience! I went through up-to-including 6ded3e8 for now.

packages/by-name/ociLayerTar/package.nix Outdated Show resolved Hide resolved
packages/by-name/buildVerityMicroVM/package.nix Show resolved Hide resolved
packages/by-name/kata/kata-kernel-uvm/package.nix Show resolved Hide resolved
packages/by-name/kata/kata-runtime/package.nix Outdated Show resolved Hide resolved
packages/by-name/kata/kata-runtime/package.nix Show resolved Hide resolved
packages/by-name/kata/kata-runtime/package.nix Show resolved Hide resolved
packages/by-name/boot-microvm/package.nix Show resolved Hide resolved
@msanft msanft force-pushed the msanft/kata/nixos-image branch 3 times, most recently from 4d4e74c to 4148507 Compare November 26, 2024 12:57
katexochen
katexochen reviewed Nov 28, 2024
View reviewed changes
packages/by-name/buildVerityMicroVM/package.nix
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

package comment seems outdated. What part of this is microvm specific at this point? Looks like it's just an image in parts compared to packaging it as uki.

Copy link
Contributor Author

@msanft msanft Nov 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's still a valid name for a non-bootable image like this, as you can boot it without a rootfs.

But I'm also open for other suggestions here.

@msanft msanft force-pushed the msanft/kata/nixos-image branch from 4148507 to d14b544 Compare November 28, 2024 14:22
@msanft msanft force-pushed the msanft/kata/nixos-image branch 2 times, most recently from 963b695 to 2d6b621 Compare November 29, 2024 13:56
burgerdev
burgerdev reviewed Dec 2, 2024
View reviewed changes
packages/by-name/kata/kata-runtime/package.nix Show resolved Hide resolved
docs/docs/features-limitations.md Show resolved Hide resolved
nodeinstaller/internal/constants/constants.go Show resolved Hide resolved
packages/by-name/image-podvm/package.nix Show resolved Hide resolved
packages/by-name/kata/contrast-node-installer-image/package.nix Outdated Show resolved Hide resolved
packages/nixos/debug.nix Outdated Show resolved Hide resolved
packages/nixos/kata.nix Outdated Show resolved Hide resolved
tools/tdx-measure/rtmr/rtmr.go Outdated Show resolved Hide resolved
tools/tdx-measure/rtmr/rtmr.go Outdated Show resolved Hide resolved
packages/by-name/qemu-tdx-static/0004-hw-x86-load-initrd-to-static-address.patch Outdated Show resolved Hide resolved
@msanft msanft force-pushed the msanft/kata/nixos-image branch from 2d6b621 to 6b903fc Compare December 2, 2024 08:39
@msanft msanft requested a review from burgerdev December 2, 2024 08:40
@msanft msanft mentioned this pull request Dec 4, 2024
Closed
@msanft msanft force-pushed the msanft/kata/nixos-image branch from 6b903fc to 8fcb77d Compare December 6, 2024 09:50
@msanft msanft force-pushed the msanft/kata/nixos-image branch from 8fcb77d to a48527f Compare December 6, 2024 11:42
msanft added 5 commits December 6, 2024 13:30
@msanft
packages/buildVerityMicroVM: init
aa1269d 
This adds a Nix builder to build a micro VM image for direct Linux boot, specifically for the bare-metal Kata image where this is necessary to satisfy Contrast's security assumptions made on the SNP launch digest computation.
@msanft
packages/kata-kernel-uvm: add config options for bare-metal use
d90736a 
Using the Kata kernel with a baremetal NixOS image requires some additional config options to specify NixOS' sanity checks, so add them here.
@msanft
packages/kata-runtime: allow booting with image and initrd
4ea3dc4 
Kata has a check to see if only image OR initrd are supplied, which is not needed for our use-case. So add a patch to remove that. This should probably be brought upstream in a usable fashion later on.
@msanft
packages/boot-microvm: init
6cf5c05 
This adds a little helper script to boot a Micro VM, as we build them for Kata bare-metal, via QEMU.
@msanft
Add NixOS image for bare-metal Kata
7dc21e1 
This switches the image used in our bare-metal Kata uses (e.g. non-AKS and non-peerpods) to a NixOS image that we build in-tree as a MicroVM image (e.g. separated kernel, initrd, cmdline and rootfs).
@msanft msanft force-pushed the msanft/kata/nixos-image branch from a48527f to 7dc21e1 Compare December 6, 2024 12:31
burgerdev
burgerdev approved these changes Dec 6, 2024
View reviewed changes
Copy link
Contributor

@burgerdev burgerdev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, lgtm!

@msanft msanft merged commit 223f35f into main Dec 6, 2024
14 checks passed
@msanft msanft deleted the msanft/kata/nixos-image branch December 6, 2024 15:02
@katexochen katexochen mentioned this pull request Dec 13, 2024
Merged
@katexochen katexochen added changelog PRs that should be part of the release notes and removed no changelog PRs not listed in the release notes labels Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@burgerdev burgerdev burgerdev approved these changes

@3u13r 3u13r Awaiting requested review from 3u13r

@katexochen katexochen Awaiting requested review from katexochen katexochen is a code owner

Assignees
No one assigned
Labels
changelog PRs that should be part of the release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@msanft @burgerdev @katexochen