Skip to content

local-build: Do not build measured rootfs on s390x #10841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 6, 2025
Merged

local-build: Do not build measured rootfs on s390x #10841

merged 2 commits into from
Feb 6, 2025

Conversation

BbolroC
Copy link
Member

@BbolroC BbolroC commented Feb 5, 2025
edited
Loading

IBM SE has encountered a boot failure issue since the guest OS was upgraded to Ubuntu 22.04. We identified that the issue is caused by the initramfs, which is built for the measured rootfs scenario. IBM SE ensures that the initrd is measured by genprotimg and verified by the ultravisor. To address this, let’s skip building the measured rootfs on s390x. This PR also skips end-to-end tests for trusted storage for IBM SE.

For reviewers: the changes are already verified at https://github.com/kata-containers/kata-containers/actions/runs/13150558902/job/36740406368

Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com

FYI: @hbrueckner

@BbolroC BbolroC requested a review from fidencio February 5, 2025 18:48
@katacontainersbot katacontainersbot added the size/small Small and simple task label Feb 5, 2025
fidencio
fidencio approved these changes Feb 6, 2025
View reviewed changes
Copy link
Member

@fidencio fidencio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks @BbolroC!

stevenhorsman
stevenhorsman approved these changes Feb 6, 2025
View reviewed changes
Copy link
Member

@stevenhorsman stevenhorsman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @BbolroC!

@BbolroC
local-build: Do not use measured rootfs on s390x
27ce3ee 
IBM SE ensures to make initrd measured by genprotimg and verified by ultravisor.
Let's not build the measured rootf on s390x.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC BbolroC force-pushed the make-measured-rootfs-configurable branch from bb4e646 to d5db47b Compare February 6, 2025 09:13
@BbolroC
Copy link
Member Author

BbolroC commented Feb 6, 2025
edited
Loading

Update: I got an error below while building shim-v2-tarball:

INFO: Enable rootfs measurement config
ERROR: Root hash file for measured rootfs not found at /home/ansible/gha-runner/_layout/_work/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/root_hash.txt

I've put the same conditional in install_shimv2() to make sure that the measured rootfs is not set on s390x.

@BbolroC
tests: Skip trusted storage tests for IBM SE
1bdb34e 
Let's skip all tests for trusted storage until kata-containers#10838 is resolved.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC BbolroC force-pushed the make-measured-rootfs-configurable branch from d5db47b to 1bdb34e Compare February 6, 2025 11:09
@BbolroC BbolroC mentioned this pull request Feb 6, 2025
Open
hbrueckner
hbrueckner approved these changes Feb 6, 2025
View reviewed changes
Copy link
Contributor

@hbrueckner hbrueckner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

/lgtm

@BbolroC
Copy link
Member Author

BbolroC commented Feb 6, 2025

The tests for trusted storage have started failing for qemu-coco-dev without the measured rootfs. It was caused by the same reason reported in #10838. k8s-measured-rootfs.bats has also started failing.

I've updated the PR to skip the affected tests based on the platform rather than KATA_HYPERVISOR. Further investigation will be carried out in a separate PR. Thanks.

@BbolroC BbolroC merged commit 48c5b1f into kata-containers:main Feb 6, 2025
285 of 298 checks passed
@BbolroC BbolroC deleted the make-measured-rootfs-configurable branch February 6, 2025 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fidencio fidencio fidencio approved these changes

@stevenhorsman stevenhorsman stevenhorsman approved these changes

+1 more reviewer

@hbrueckner hbrueckner hbrueckner approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
ok-to-test size/small Small and simple task
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@BbolroC @fidencio @hbrueckner @stevenhorsman @katacontainersbot