gha: Enable attestation-service images for s390x

This commit introduces a job matrix to allow a s390x self-hosted runner to run alongside the existing x86_64 one. Additionally, two new steps (e.g., {pre,post} action) are introduced to manage the self-hosted runner since it is not provisioned instantly for CI. To make the published images support multiple architecture, a new job `publish_multi_arch_image` is also introduced. Signed-off-by: Hyounggyu Choi <[email protected]>
confidential-containers · May 8, 2024 · c458aa8 · c458aa8
1 parent 3aa6a97
commit c458aa8
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 16 deletions.
diff --git a/.github/workflows/as-build-and-push.yaml b/.github/workflows/as-build-and-push.yaml
@@ -7,10 +7,18 @@ on:
 
 jobs:
   build_and_push:
-    runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       fail-fast: false
       matrix:
+        instance:
+          - ubuntu-latest
+          - s390x
+        tag:
+          - coco-as-grpc
+          - coco-as-restful
+          - rvps
         include:
           - docker_file: attestation-service/Dockerfile.as-grpc
             tag: coco-as-grpc
@@ -21,8 +29,17 @@ jobs:
           - docker_file: attestation-service/rvps/Dockerfile
             tag: rvps
             name: RVPS
+    runs-on: ${{ matrix.instance }}
 
     steps:
+    - name: Take a pre-action for self-hosted runner
+      run: |
+        # NOTE: Use file checking instead triggering a step based on a runner type
+        # to avoid updating the step for each new self-hosted runner.
+        if [ -f "${HOME}/script/pre_action.sh" ]; then
+          "${HOME}/script/pre_action.sh" cc-trustee
+        fi
+
     - name: Checkout code
       uses: actions/checkout@v4
 
@@ -39,4 +56,57 @@ jobs:
     - name: Build ${{ matrix.name }} Container Image
       run: |
         commit_sha=${{ github.sha }}
-        DOCKER_BUILDKIT=1 docker build -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest . -f ${{ matrix.docker_file }} --push
+        arch=$(uname -m)
+        DOCKER_BUILDKIT=1 docker build -f ${{ matrix.docker_file }} --push --build-arg ARCH=${arch} \
+          -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch} \
+          -t ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch} .
+
+    - name: Take a post-action for self-hosted runner
+      if: always()
+      run: |
+        # Please check out the note in the pre-action step for the reason of using file checking
+        if [ -f "${HOME}/script/post_action.sh" ]; then
+          "${HOME}/script/post_action.sh" cc-trustee
+        fi
+
+  publish_multi_arch_image:
+    needs: build_and_push
+    permissions:
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        tag:
+          - coco-as-grpc
+          - coco-as-restful
+          - rvps
+        include:
+          - tag: coco-as-grpc
+            name: gRPC CoCo-AS
+          - tag: coco-as-restful
+            name: RESTful CoCo-AS
+          - tag: rvps
+            name: RVPS
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to GHCR Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Publish Multi-arch Image for ${{ matrix.name }}
+      run: |
+        commit_sha=${{ github.sha }}
+        docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha} \
+          ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-s390x \
+          ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-x86_64
+        docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}
+        docker manifest create ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest \
+          ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-s390x \
+          ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-x86_64
+        docker manifest push ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest
diff --git a/attestation-service/Dockerfile.as-grpc b/attestation-service/Dockerfile.as-grpc
@@ -3,44 +3,47 @@
 # SPDX-License-Identifier: Apache-2.0
 
 FROM rust:latest as builder
+ARG ARCH=x86_64
 
 WORKDIR /usr/src/attestation-service
 COPY . .
 
 # Install golang
-RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz && \
-    tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
+RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
+    wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
+    tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz
 
 ENV PATH="/usr/local/go/bin:${PATH}"
 
 # Install TPM Build Dependencies
 RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev
 
 # Install TDX Build Dependencies
-RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev
+    apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi
 
 # Build and Install gRPC attestation-service
 RUN cargo install --path attestation-service/attestation-service --bin grpc-as --features grpc-bin --locked
 
 
 FROM ubuntu:22.04
+ARG ARCH=x86_64
 
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service"
 
 # Install TDX Runtime Dependencies
 RUN apt-get update && apt-get install curl gnupg openssl -y && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
 
-RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     apt-get update && \
     apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi
 
 # Copy TPM Runtime Dependencies
-COPY --from=builder /usr/lib/x86_64-linux-gnu/libtss* /usr/lib/x86_64-linux-gnu
+COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu
 
 COPY --from=builder /usr/local/cargo/bin/grpc-as /usr/local/bin/grpc-as
 

diff --git a/attestation-service/Dockerfile.as-restful b/attestation-service/Dockerfile.as-restful
@@ -3,43 +3,46 @@
 # SPDX-License-Identifier: Apache-2.0
 
 FROM rust:latest as builder
+ARG ARCH=x86_64
 
 WORKDIR /usr/src/attestation-service
 COPY . .
 
 # Install golang
-RUN wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz && \
-    tar -C /usr/local -xzf go1.20.1.linux-amd64.tar.gz
+RUN if [ "${ARCH}" = "x86_64" ]; then GOARCH="amd64"; else GOARCH="${ARCH}"; fi && \
+    wget https://go.dev/dl/go1.20.1.linux-${GOARCH}.tar.gz && \
+    tar -C /usr/local -xzf go1.20.1.linux-${GOARCH}.tar.gz
 
 ENV PATH="/usr/local/go/bin:${PATH}"
 
 # Install TPM Build Dependencies
 RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev
 
 # Install TDX Build Dependencies
-RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev
+    apt-get update && apt-get install -y libtdx-attest-dev libsgx-dcap-quote-verify-dev; fi
 
 # Build and Install RESTful attestation-service
 RUN cargo install --path attestation-service/attestation-service --bin restful-as --features restful-bin --locked
 
 FROM ubuntu:22.04
+ARG ARCH=x86_64
 
 LABEL org.opencontainers.image.source="https://github.com/confidential-containers/attestation-service"
 
 # Install TDX Runtime Dependencies
 RUN apt-get update && apt-get install curl gnupg openssl -y && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
 
-RUN curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
+RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
     echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     apt-get update && \
     apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi
 
 # Copy TPM Runtime Dependencies
-COPY --from=builder /usr/lib/x86_64-linux-gnu/libtss* /usr/lib/x86_64-linux-gnu
+COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu
 
 COPY --from=builder /usr/local/cargo/bin/restful-as /usr/local/bin/restful-as