From 8c3930938174aa51c0321371b491ab82c8f17e7a Mon Sep 17 00:00:00 2001
From: Hsy-Intel
Date: Wed, 8 May 2024 15:58:56 +0800
Subject: [PATCH] Add TDX dockerfile & CI for asterinas

---
 .github/workflows/docker_build.yml | 23 +-
 Makefile | 2 +
 docs/src/SUMMARY.md | 1 +
 docs/src/kernel/intel_tdx.md | 116 ++++++++++
 tools/bump_version.sh | 2 +
 tools/docker/.gitignore | 1 +
 ...ockerfile.ubuntu22.04 => Dockerfile.jinja} | 204 +++++++++---------
 tools/docker/README.md | 32 ++-
 tools/docker/gen_dockerfile.py | 58 +++++
 tools/docker/run_dev_container.sh | 7 +-
 10 files changed, 339 insertions(+), 107 deletions(-)
 create mode 100644 docs/src/kernel/intel_tdx.md
 create mode 100644 tools/docker/.gitignore
 rename tools/docker/{Dockerfile.ubuntu22.04 => Dockerfile.jinja} (68%)
 create mode 100644 tools/docker/gen_dockerfile.py

diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
index c81eab970..d0990a43d 100644
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@@ -29,17 +29,38 @@ jobs: echo "aster_version=$( cat VERSION )" >> "$GITHUB_OUTPUT" echo "rust_version=$( grep -m1 -o 'nightly-[0-9]\+-[0-9]\+-[0-9]\+' rust-toolchain.toml )" >> "$GITHUB_OUTPUT" + - name: Generate Dockerfile + run: | + pip install Jinja2 + python3 ./tools/docker/gen_dockerfile.py + - name: Build and push development image uses: docker/build-push-action@v4 with: context: . - file: ./tools/docker/Dockerfile.ubuntu22.04 + file: ./tools/docker/Dockerfile platforms: linux/amd64 push: true tags: asterinas/asterinas:${{ steps.fetch-versions.outputs.aster_version }} build-args: | "ASTER_RUST_VERSION=${{ steps.fetch-versions.outputs.rust_version }}" + - name: Generate Dockerfile for Intel TDX + run: | + pip install Jinja2 + python3 ./tools/docker/gen_dockerfile.py + + - name: Build and push development image for Intel TDX + uses: docker/build-push-action@v4 + with: + context: . + file: ./tools/docker/Dockerfile + platforms: linux/amd64 + push: true + tags: asterinas/asterinas:${{ steps.fetch-versions.outputs.aster_version }}-tdx + build-args: | + "ASTER_RUST_VERSION=${{ steps.fetch-versions.outputs.rust_version }}" + - name: Generate OSDK Dockerfile run: | python3 ./osdk/tools/docker/gen_dockerfile.py diff --git a/Makefile b/Makefile index 0a2c937ae..377c88818 100644 --- a/Makefile +++ b/Makefile @@ -46,6 +46,8 @@ CARGO_OSDK_ARGS += --release endif ifeq ($(INTEL_TDX), 1) +BOOT_PROTOCOL = linux-efi-handover64 +CARGO_OSDK_ARGS += --scheme tdx CARGO_OSDK_ARGS += --features intel_tdx endif diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 5acf73c63..af5f85e89 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -6,6 +6,7 @@ * [Getting Started](kernel/README.md) * [Advanced Build and Test Instructions](kernel/advanced-instructions.md) + * [Intel TDX](kernel/intel_tdx.md) * [The Framekernel Architecture](kernel/the-framekernel-architecture.md) * [Linux Compatibility](kernel/linux-compatibility.md) * [Roadmap](kernel/roadmap.md) 
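Review bot: The new `Generate Dockerfile for Intel TDX` step runs `python3 ./tools/docker/gen_dockerfile.py` without the `--intel-tdx` flag that gen_dockerfile.py in this same patch uses to select the TDVM base image and skip the QEMU/OVMF/GRUB stages, so the image pushed as `asterinas/asterinas:<version>-tdx` is rendered from the plain ubuntu:22.04 template and is the same image as the non-TDX one. The step should run `python3 ./tools/docker/gen_dockerfile.py --intel-tdx`, which is what tools/docker/README.md in this patch documents. Both generate steps also `pip install Jinja2` with no version constraint on the CI runner; pin an exact version (or use a hash-checked requirements file) so the Dockerfile baked into a published image is reproducible. The added build-push step, like the existing one, references `docker/build-push-action@v4` by a mutable tag; pinning the action to a full commit SHA is the usual hardening for a workflow that pushes to Docker Hub.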
diff --git a/docs/src/kernel/intel_tdx.md b/docs/src/kernel/intel_tdx.md
new file mode 100644
index 000000000..2de6a2068
--- /dev/null
+++ b/docs/src/kernel/intel_tdx.md
@@ -0,0 +1,116 @@
+# Intel TDX
+
+Asterinas can serve as a secure guest OS for Intel TDX-protected virtual machines (VMs).
+This documentation describes
+how Asterinas can be run and tested easily on a TDX-enabled Intel server.
+
+Intel TDX (Trust Domain Extensions) is a Trusted Execution Environment (TEE) technology
+that enhances VM security
+by creating isolated, hardware-enforced trust domains
+with encrypted memory, secure initialization, and attestation mechanisms.
+For more information about Intel TDX, jump to the last section.
+
+## Why choose Asterinas for Intel TDX
+
+VM TEEs such as Intel TDX deserve a more secure option for its guest OS than Linux.
+Linux,
+with its inherent memory safety issues and large Trusted Computing Base (TCB),
+has long suffered from security vulnerabilities due to memory safety bugs.
+Additionally,
+when Linux is used as the guest kernel inside a VM TEE,
+it must process untrusted inputs
+(over 1500 instances in Linux, per Intel's estimation)
+from the host (via hypercalls, MMIO, and etc.).
+These untrusted inputs create new attack surfaces
+that can be exploited through memory safety vulnerabilities,
+known as Iago attacks.
+
+Asterinas offers greater memory safety than Linux,
+particularly against Iago attacks.
+Thanks to its framekernel architecture,
+the memory safety of Asterinas relies solely on the Asterinas Framework,
+excluding the safe device drivers built on top of the Asterinas Framework
+that may handle untrusted inputs from the host.
+For more information, see [our talk on OC3'24](https://www.youtube.com/watch?v=3AQ5lpXujGo).
+
+## Prepare the Intel TDX Environment
+
+Please make sure your server supports Intel TDX.
+
+See [this guide](https://github.com/canonical/tdx/tree/noble-24.04?tab=readme-ov-file#4-setup-host-os)
+or other materials to enable Intel TDX in host OS.
+
+To verify the TDX host status,
+you can type:
+
+```bash
+dmesg | grep "TDX module initialized"
+```
+
+The following result is an example:
+
+```bash
+[ 20.507296] tdx: TDX module initialized.
+```
+
+`TDX module initialized` means TDX module is loaded successfully.
+
+## Build and run Asterinas
+
+1. Download the latest source code.
+
+```bash
+git clone https://github.com/asterinas/asterinas
+```
+
+2. Run a Docker container as the development environment.
+
+```bash
+docker run -it --privileged --network=host --device=/dev/kvm -v ./asterinas:/root/asterinas asterinas/asterinas:0.4.2_tdx
+```
+
+3. Inside the container,
+go to the project folder to build and run Asterinas.
+
+```bash
+make run INTEL_TDX=1
+```
+
+If everything goes well,
+Asterinas is now up and running inside a TDVM.
+
+## About Intel TDX
+
+Intel® Trust Domain Extensions (Intel® TDX)
+is Intel's newest confidential computing technology.
+This hardware-based trusted execution environment (TEE)
+facilitates the deployment of trust domains (TD),
+which are hardware-isolated virtual machines (VM) designed to
+protect sensitive data and applications from unauthorized access.
+
+A CPU-measured Intel TDX module enables Intel TDX.
+This software module runs in a new CPU Secure Arbitration Mode (SEAM)
+as a peer virtual machine manager (VMM),
+and supports TD entry and exit
+using the existing virtualization infrastructure.
+The module is hosted in a reserved memory space
+identified by the SEAM Range Register (SEAMRR).
+
+Intel TDX uses hardware extensions for managing and encrypting memory
+and protects both the confidentiality and integrity
+of the TD CPU state from non-SEAM mode.
+
+Intel TDX uses architectural elements such as SEAM,
+a shared bit in Guest Physical Address (GPA),
+secure Extended Page Table (EPT),
+physical-address-metadata table,
+Intel® Total Memory Encryption – Multi-Key (Intel® TME-MK),
+and remote attestation.
+ +Intel TDX ensures data integrity, confidentiality, and authenticity, +which empowers engineers and tech professionals +to create and maintain secure systems, +enhancing trust in virtualized environments. + +For more information, +please refer to [Intel TDX website](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html). diff --git a/tools/bump_version.sh b/tools/bump_version.sh index 77cb4e94e..71434c7fe 100755 --- a/tools/bump_version.sh +++ b/tools/bump_version.sh @@ -86,6 +86,7 @@ validate_bump_type() { SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) ASTER_SRC_DIR=${SCRIPT_DIR}/.. +DOCS_DIR=${ASTER_SRC_DIR}/docs CARGO_TOML_PATH=${ASTER_SRC_DIR}/Cargo.toml OSDK_CARGO_TOML_PATH=${ASTER_SRC_DIR}/osdk/Cargo.toml VERSION_PATH=${ASTER_SRC_DIR}/VERSION @@ -112,6 +113,7 @@ cargo update -p asterinas --precise $new_version update_image_versions ${ASTER_SRC_DIR}/README.md update_image_versions ${ASTER_SRC_DIR}/README_CN.md update_image_versions ${SCRIPT_DIR}/docker/README.md +update_image_versions ${DOCS_DIR}/src/kernel/intel_tdx.md # Update Docker image versions in workflows WORKFLOWS=$(find "${ASTER_SRC_DIR}/.github/workflows/" -type f -name "*.yml") diff --git a/tools/docker/.gitignore b/tools/docker/.gitignore new file mode 100644 index 000000000..5a044a197 --- /dev/null +++ b/tools/docker/.gitignore @@ -0,0 +1 @@ +**/Dockerfile \ No newline at end of file diff --git a/tools/docker/Dockerfile.ubuntu22.04 b/tools/docker/Dockerfile.jinja similarity index 68% rename from tools/docker/Dockerfile.ubuntu22.04 rename to tools/docker/Dockerfile.jinja index 5b28bb7c4..e41e09ad0 100644 --- a/tools/docker/Dockerfile.ubuntu22.04 +++ b/tools/docker/Dockerfile.jinja 
@@ -2,22 +2,22 @@ #= Install packages for Docker building ==================================== -FROM ubuntu:22.04 as build-base +FROM {{ base_image }} as build-base SHELL ["/bin/bash", "-c"] ARG DEBIAN_FRONTEND=noninteractive # Please keep the list sorted by name -RUN apt update && apt-get install -y --no-install-recommends \ - build-essential \ - ca-certificates \ - curl \ - git-core \ - gnupg \ - libssl-dev \ - python3-pip \ - python-is-python3 \ +RUN apt update && apt-get install -y --no-install-recommends \ + build-essential \ + ca-certificates \ + curl \ + git-core \ + gnupg \ + libssl-dev \ + python3-pip \ + python-is-python3 \ wget #= Build benchmark ========================================================= 
@@ -26,37 +26,37 @@ FROM build-base as build-benchmarks # Download the source files of benchmarks WORKDIR /root -RUN apt install -y automake \ - libtool \ +RUN apt install -y automake \ + libtool \ pkg-config -RUN wget https://github.com/akopytov/sysbench/archive/1.0.20.tar.gz \ - && tar -zxvf 1.0.20.tar.gz \ +RUN wget https://github.com/akopytov/sysbench/archive/1.0.20.tar.gz \ + && tar -zxvf 1.0.20.tar.gz \ && rm 1.0.20.tar.gz RUN git clone https://github.com/nicktehrany/membench.git RUN git clone https://github.com/esnet/iperf.git # Build sysbench WORKDIR /root/sysbench-1.0.20 -RUN ./autogen.sh \ - && ./configure --without-mysql --prefix=/usr/local/benchmark/sysbench \ - && make -j \ +RUN ./autogen.sh \ + && ./configure --without-mysql --prefix=/usr/local/benchmark/sysbench \ + && make -j \ && make install # Build membench WORKDIR /root/membench RUN make -j \ - && mkdir /usr/local/benchmark/membench \ + && mkdir /usr/local/benchmark/membench \ && cp membench /usr/local/benchmark/membench/ # Build iperf WORKDIR /root/iperf -RUN ./configure --prefix=/usr/local/benchmark/iperf \ - && make -j \ +RUN ./configure --prefix=/usr/local/benchmark/iperf \ + && make -j \ && make install - + WORKDIR /root -RUN rm -rf sysbench-1.0.20 \ - membench \ +RUN rm -rf sysbench-1.0.20 \ + membench \ iperf #= Build syscall test ========================================================= 
@@ -77,18 +77,19 @@ FROM build-bazel as syscall_test # Build the syscall test binaries COPY regression/syscall_test /root/syscall_test WORKDIR /root/syscall_test -RUN export BUILD_DIR=build && \ +RUN export BUILD_DIR=build && \ make ${BUILD_DIR}/syscall_test_bins +{% if not intel_tdx %} #= Build QEMU ================================================================= FROM build-base as build-qemu -RUN apt update && apt-get install -y --no-install-recommends \ - libgcrypt-dev `# optional build dependency` \ - libglib2.0-dev `# build dependency` \ - libpixman-1-dev `# build dependency` \ - libusb-dev `# optional build dependency` \ +RUN apt update && apt-get install -y --no-install-recommends \ + libgcrypt-dev `# optional build dependency` \ + libglib2.0-dev `# build dependency` \ + libpixman-1-dev `# build dependency` \ + libusb-dev `# optional build dependency` \ meson \ ninja-build RUN apt clean && rm -rf /var/lib/apt/lists/* @@ -100,13 +101,13 @@ FROM build-qemu as qemu # The QEMU version in the Ubuntu 22.04 repository is 6.*, which has a bug to cause OVMF debug to fail. # The libslirp dependency is for QEMU's network backend. WORKDIR /root -RUN wget -O qemu.tar.xz https://download.qemu.org/qemu-8.2.1.tar.xz \ - && mkdir /root/qemu \ - && tar xf qemu.tar.xz --strip-components=1 -C /root/qemu \ +RUN wget -O qemu.tar.xz https://download.qemu.org/qemu-8.2.1.tar.xz \ + && mkdir /root/qemu \ + && tar xf qemu.tar.xz --strip-components=1 -C /root/qemu \ && rm qemu.tar.xz WORKDIR /root/qemu -RUN ./configure --target-list=x86_64-softmmu --prefix=/usr/local/qemu --enable-slirp \ - && make -j \ +RUN ./configure --target-list=x86_64-softmmu --prefix=/usr/local/qemu --enable-slirp \ + && make -j \ && make install WORKDIR /root RUN rm -rf /root/qemu 
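Review bot: The `{% if not intel_tdx %}` opened just before the QEMU stage carries no explanation of why the TDX variant skips building QEMU (and, via the matching `{% endif %}` that closes after the GRUB stage in a later hunk, OVMF and GRUB too); a reader of the rendered Dockerfile sees nothing at all, because gen_dockerfile.py renders with trim_blocks and the tag vanishes, and a reader of the template has to discover the base-image switch in gen_dockerfile.py. Add a line above the tag such as `# Intel TDX images skip the QEMU/OVMF/GRUB stages; the TDVM base image chosen by gen_dockerfile.py --intel-tdx is expected to ship a TDX-capable QEMU and firmware — confirm against that image`. Nothing in the patch records which QEMU/OVMF the TDX image ends up running, and those are precisely the components that construct and measure the trust domain, so the dependency on the base image deserves to be stated explicitly.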
@@ -115,11 +116,11 @@ RUN rm -rf /root/qemu FROM build-base as build-ovmf -RUN apt update && apt-get install -y --no-install-recommends \ - bison \ - flex \ - iasl \ - nasm \ +RUN apt update && apt-get install -y --no-install-recommends \ + bison \ + flex \ + iasl \ + nasm \ uuid-dev RUN apt clean && rm -rf /var/lib/apt/lists/* @@ -129,24 +130,24 @@ FROM build-ovmf as ovmf WORKDIR /root RUN git clone --depth 1 --branch edk2-stable202402 --recurse-submodules --shallow-submodules https://github.com/tianocore/edk2.git WORKDIR /root/edk2 -RUN source ./edksetup.sh \ - && make -C BaseTools \ - && build -a X64 -t GCC5 -b DEBUG -p OvmfPkg/OvmfPkgX64.dsc -D DEBUG_ON_SERIAL_PORT \ +RUN source ./edksetup.sh \ + && make -C BaseTools \ + && build -a X64 -t GCC5 -b DEBUG -p OvmfPkg/OvmfPkgX64.dsc -D DEBUG_ON_SERIAL_PORT \ && build -a X64 -t GCC5 -b RELEASE -p OvmfPkg/OvmfPkgX64.dsc #= Build GRUB ================================================================= FROM build-base as build-grub -RUN apt update && apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - autopoint \ - bison \ - flex \ - gawk \ - gettext \ - libfreetype6-dev \ +RUN apt update && apt-get install -y --no-install-recommends \ + autoconf \ + automake \ + autopoint \ + bison \ + flex \ + gawk \ + gettext \ + libfreetype6-dev \ pkg-config RUN apt clean && rm -rf /var/lib/apt/lists/* 
@@ -158,28 +159,29 @@ FROM build-grub as grub # in the GRUB release. The Ubuntu release notoriously modifies the GRUB source code and enforce # EFI handover boot, which is deprecated. So we have to build GRUB from source. WORKDIR /root -RUN wget -O grub.tar.xz https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz \ - && mkdir /root/grub \ - && tar xf grub.tar.xz --strip-components=1 -C /root/grub \ +RUN wget -O grub.tar.xz https://ftp.gnu.org/gnu/grub/grub-2.12.tar.xz \ + && mkdir /root/grub \ + && tar xf grub.tar.xz --strip-components=1 -C /root/grub \ && rm grub.tar.xz # Fetch and install the Unicode font data for grub. -RUN wget -O unifont.pcf.gz https://unifoundry.com/pub/unifont/unifont-15.1.04/font-builds/unifont-15.1.04.pcf.gz \ - && mkdir -pv /usr/share/fonts/unifont \ - && gunzip -c unifont.pcf.gz > /usr/share/fonts/unifont/unifont.pcf \ +RUN wget -O unifont.pcf.gz https://unifoundry.com/pub/unifont/unifont-15.1.04/font-builds/unifont-15.1.04.pcf.gz \ + && mkdir -pv /usr/share/fonts/unifont \ + && gunzip -c unifont.pcf.gz > /usr/share/fonts/unifont/unifont.pcf \ && rm unifont.pcf.gz WORKDIR /root/grub -RUN echo depends bli part_gpt > grub-core/extra_deps.lst \ - && ./configure \ - --target=x86_64 \ - --disable-efiemu \ - --with-platform=efi \ - --enable-grub-mkfont \ - --prefix=/usr/local/grub \ - --disable-werror \ - && make -j \ +RUN echo depends bli part_gpt > grub-core/extra_deps.lst \ + && ./configure \ + --target=x86_64 \ + --disable-efiemu \ + --with-platform=efi \ + --enable-grub-mkfont \ + --prefix=/usr/local/grub \ + --disable-werror \ + && make -j \ && make install WORKDIR /root RUN rm -rf /root/grub +{% endif %} #= Build busybox ============================================================== 
@@ -191,13 +193,13 @@ FROM build-busybox as busybox WORKDIR /root RUN wget -O busybox.tar.bz2 https://busybox.net/downloads/busybox-1.35.0.tar.bz2 \ - && mkdir /root/busybox \ - && tar xf busybox.tar.bz2 --strip-components=1 -C /root/busybox \ + && mkdir /root/busybox \ + && tar xf busybox.tar.bz2 --strip-components=1 -C /root/busybox \ && rm busybox.tar.bz2 WORKDIR /root/busybox -RUN make defconfig \ - && sed -i "s/# CONFIG_STATIC is not set/CONFIG_STATIC=y/g" .config \ - && sed -i "s/# CONFIG_FEATURE_SH_STANDALONE is not set/CONFIG_FEATURE_SH_STANDALONE=y/g" .config \ +RUN make defconfig \ + && sed -i "s/# CONFIG_STATIC is not set/CONFIG_STATIC=y/g" .config \ + && sed -i "s/# CONFIG_FEATURE_SH_STANDALONE is not set/CONFIG_FEATURE_SH_STANDALONE=y/g" .config \ && make -j #= The final stages to produce the Asterinas development image ==================== 
@@ -207,42 +209,44 @@ FROM build-base as rust # Install Rust with both nightly and stable ENV PATH="/root/.cargo/bin:${PATH}" ARG ASTER_RUST_VERSION -RUN curl https://sh.rustup.rs -sSf | \ - sh -s -- --default-toolchain ${ASTER_RUST_VERSION} -y \ - && rustup toolchain install stable \ - && rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git \ - && cargo -V \ +RUN curl https://sh.rustup.rs -sSf | \ + sh -s -- --default-toolchain ${ASTER_RUST_VERSION} -y \ + && rustup toolchain install stable \ + && rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git \ + && cargo -V \ && rustup component add rust-src rustc-dev llvm-tools-preview # Install cargo tools -RUN cargo install \ - cargo-binutils \ +RUN cargo install \ + cargo-binutils \ mdbook FROM rust # Install all Asterinas dependent packages -RUN apt update && apt-get install -y --no-install-recommends \ - clang-format `# formatting regression tests` \ - cpio \ - cpuid \ - exfatprogs \ - file \ - gdb \ - grub-efi-amd64 \ - grub-efi-amd64-bin \ - grub-efi-amd64-dbg \ - libpixman-1-dev `# running dependency for QEMU` \ - mtools `# used by grub-mkrescue` \ - net-tools \ - openssh-server \ - ovmf `# provide an alternative stable firmware`\ - pkg-config \ - strace \ - sudo \ - unzip \ - vim \ - xorriso \ +RUN apt update && apt-get install -y --no-install-recommends \ + clang-format `# formatting regression tests` \ + cpio \ + cpuid \ + exfatprogs \ + file \ + gdb \ + grub-efi-amd64 \ + {% if not intel_tdx %} + grub-efi-amd64-bin \ + grub-efi-amd64-dbg \ + ovmf `# provide an alternative stable firmware` \ + {% endif %} + libpixman-1-dev `# running dependency for QEMU` \ + mtools `# used by grub-mkrescue` \ + net-tools \ + openssh-server \ + pkg-config \ + strace \ + sudo \ + unzip \ + vim \ + xorriso \ zip # Clean apt cache RUN apt clean && rm -rf /var/lib/apt/lists/* 
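Review bot: The `{% if not intel_tdx %}` / `{% endif %}` tags are placed between backslash-continued arguments of a single `RUN apt-get install`, so the rendered file is one valid command only because gen_dockerfile.py uses `trim_blocks=True, lstrip_blocks=True` and the tag lines disappear entirely; the template itself never says so, and the `.gitignore` added in this patch hides the generated file, so the template is what people will read. Add a note at the top of Dockerfile.jinja, `# Template: render with tools/docker/gen_dockerfile.py (trim_blocks/lstrip_blocks); Jinja tags inside RUN continuations rely on it — do not build this file directly`. `libpixman-1-dev`, commented as a QEMU runtime dependency, stays in the TDX branch even though that branch builds no QEMU; if the TDVM base image brings its own QEMU this is harmless, otherwise it is dead weight, and a short comment either way would save the next reader the question.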
@@ -251,6 +255,7 @@ RUN apt clean && rm -rf /var/lib/apt/lists/* COPY --from=syscall_test /root/syscall_test/build/syscall_test_bins /root/syscall_test_bins ENV ASTER_PREBUILT_SYSCALL_TEST=/root/syscall_test_bins +{% if not intel_tdx %} # Install QEMU built from the previous stages COPY --from=qemu /usr/local/qemu /usr/local/qemu ENV PATH="/usr/local/qemu/bin:${PATH}" @@ -265,6 +270,7 @@ COPY --from=grub /usr/local/grub /usr/local/grub ENV PATH="/usr/local/grub/bin:${PATH}" # Make a symbolic link for `unicode.pf2` from Ubuntu 22.04 package RUN ln -sf /usr/share/grub/unicode.pf2 /usr/local/grub/share/grub/unicode.pf2 +{% endif %} # Install Busybox built from the previous stages COPY --from=busybox /root/busybox/busybox /bin/busybox diff --git a/tools/docker/README.md b/tools/docker/README.md index 69149de90..bab233d5c 100644 --- a/tools/docker/README.md +++ b/tools/docker/README.md 
@@ -7,17 +7,37 @@ Asterinas development Docker images are provided to facilitate developing and te To build a Docker image for Asterinas and test it on your local machine, navigate to the root directory of the Asterinas source code tree and execute the following command: ```bash +cd /tools/docker +# Generate Dockerfile +python3 gen_dockerfile.py +cd +# Build Docker image docker buildx build \ - -f tools/docker/Dockerfile.ubuntu22.04 \ - --build-arg ASTER_RUST_VERSION=$RUST_VERSION \ - -t asterinas/asterinas:$ASTER_VERSION \ + -f tools/docker/Dockerfile \ + --build-arg ASTER_RUST_VERSION=${RUST_VERSION} \ + -t asterinas/asterinas:${ASTER_VERSION} \ . ``` The meanings of the two environment variables in the command are as follows: -- `$ASTER_VERSION`: Represents the version number of Asterinas. You can find this in the `VERSION` file. -- `$RUST_VERSION`: Denotes the required Rust toolchain version, as specified in the `rust-toolchain` file. +- `${ASTER_VERSION}`: Represents the version number of Asterinas. You can find this in the `VERSION` file. +- `${RUST_VERSION}`: Denotes the required Rust toolchain version, as specified in the `rust-toolchain` file. + +For Intel TDX Docker Image, you can execute the following command: + +```bash +cd /tools/docker +# Generate Dockerfile for Intel TDX +python3 gen_dockerfile.py --intel-tdx +cd +# Build Docker image +docker buildx build \ + -f tools/docker/Dockerfile \ + --build-arg ASTER_RUST_VERSION=${RUST_VERSION} \ + -t asterinas/asterinas:${ASTER_VERSION}-tdx \ + . +``` ## Tagging Docker Images 
@@ -32,4 +52,4 @@ For bug fixes or small changes, increment the last number of a [SemVer](https:// ## Uploading Docker Images -New versions of Asterinas's Docker images are automatically uploaded to DockerHub through Github Actions. Simply submit your PR that updates Asterinas's Docker image for review. After getting the project maintainers' approval, the [Docker image building workflow](../../.github/workflows/docker_build.yml) will be started, building the new Docker image and pushing it to DockerHub. \ No newline at end of file +New versions of Asterinas's Docker images are automatically uploaded to DockerHub through Github Actions. Simply submit your PR that updates Asterinas's Docker image for review. After getting the project maintainers' approval, the [Docker image building workflow](../../.github/workflows/docker_build.yml) will be started, building the new Docker image and pushing it to DockerHub. diff --git a/tools/docker/gen_dockerfile.py b/tools/docker/gen_dockerfile.py new file mode 100644 index 000000000..20473cce9 --- /dev/null +++ b/tools/docker/gen_dockerfile.py 
@@ -0,0 +1,58 @@
+# SPDX-License-Identifier: MPL-2.0
+
+import argparse
+import os
+import sys
+import logging
+from jinja2 import Environment, FileSystemLoader
+
+logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s')
+
+def parse_arguments():
+    parser = argparse.ArgumentParser(description='The Dockerfile generator for OSDK.')
+    parser.add_argument('--intel-tdx', action='store_true', help='Include Intel TDX support')
+    parser.add_argument(
+        '--out-dir',
+        type=str,
+        default='.',
+        help='Output the Dockerfile under this directory. \
+            By default, the output directory is the current working directory.'
+    )
+    return parser.parse_args()
+
+def setup_output_directory(out_dir):
+    if os.path.isabs(out_dir):
+        logging.error("The --out-dir argument must be a relative path.")
+        sys.exit(1)
+    template_dir = os.path.dirname(os.path.abspath(__file__))
+    if out_dir == '.':
+        return template_dir
+    output_directory_path = os.path.join(template_dir, out_dir)
+    if not os.path.exists(output_directory_path):
+        os.makedirs(output_directory_path)
+    return output_directory_path
+
+def load_template():
+    template_dir = os.path.dirname(os.path.abspath(__file__))
+    env = Environment(loader=FileSystemLoader(template_dir), trim_blocks=True, lstrip_blocks=True)
+    template = env.get_template('Dockerfile.jinja')
+    return template
+
+def write_dockerfile(output_directory, content):
+    output_path = os.path.join(output_directory, 'Dockerfile')
+    with open(output_path, 'w') as file:
+        file.write(content)
+    logging.info(f'Dockerfile has been generated at {output_path}.')
+
+def main():
+    args = parse_arguments()
+    output_dir = setup_output_directory(args.out_dir)
+    base_image = "intelcczoo/tdvm:ubuntu22.04-mvp_2023ww15" if args.intel_tdx else "ubuntu:22.04"
+
+    template = load_template()
+    rendered_content = template.render(base_image=base_image, intel_tdx=args.intel_tdx)
+
+    write_dockerfile(output_dir, rendered_content)
+
+if __name__ == '__main__':
+    main()
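Review bot: The TDX base image is selected in `main` as `intelcczoo/tdvm:ubuntu22.04-mvp_2023ww15`, a third-party image referenced only by a mutable tag; since it becomes the root of the published `asterinas:<version>-tdx` toolchain and the template skips the QEMU/OVMF/GRUB stages for TDX, the reference should be pinned by digest, `intelcczoo/tdvm:ubuntu22.04-mvp_2023ww15@sha256:<digest>`, with the digest committed here so the image cannot change underneath a fixed Asterinas version. `setup_output_directory` rejects absolute paths with `The --out-dir argument must be a relative path.`, yet a relative `../x` still writes outside the tool's directory, contrary to the help text `Output the Dockerfile under this directory`; either enforce it with `if os.path.commonpath([template_dir, output_directory_path]) != template_dir:` before `os.makedirs`, or reword the help to what is actually checked. Two smaller points: the argparse description reads `The Dockerfile generator for OSDK.` although this script generates the Asterinas development image (the OSDK generator is `osdk/tools/docker/gen_dockerfile.py`, called separately in the workflow), and the backslash-continued `help=` string embeds the next line's indentation into the displayed help text — use two adjacent string literals inside the parentheses instead.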
diff --git a/tools/docker/run_dev_container.sh b/tools/docker/run_dev_container.sh
index a7e333428..d8ed8c42a 100755
--- a/tools/docker/run_dev_container.sh
+++ b/tools/docker/run_dev_container.sh
@@ -8,6 +8,11 @@ SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 ASTER_SRC_DIR=${SCRIPT_DIR}/../..
 CARGO_TOML_PATH=${SCRIPT_DIR}/../../Cargo.toml
 VERSION=$( cat ${ASTER_SRC_DIR}/VERSION )
-IMAGE_NAME=asterinas/asterinas:${VERSION}
+
+if [ "$1" = "intel-tdx" ]; then
+    IMAGE_NAME="asterinas/asterinas:${VERSION}-tdx"
+else
+    IMAGE_NAME="asterinas/asterinas:${VERSION}"
+fi
 
 docker run -it --privileged --network=host --device=/dev/kvm -v ${ASTER_SRC_DIR}:/root/asterinas ${IMAGE_NAME}
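Review bot: Any first argument other than the literal `intel-tdx` silently falls through to the non-TDX image, so a typo such as `./run_dev_container.sh intel_tdx` starts a container with the wrong toolchain and no warning; reject unknown arguments instead, e.g. `elif [ -n "$1" ]; then echo "Usage: $0 [intel-tdx]" >&2; exit 1` before the final `else`. The `${VERSION}-tdx` tag here matches the workflow and tools/docker/README.md in this patch, but docs/src/kernel/intel_tdx.md in the same patch tells users to run `asterinas/asterinas:0.4.2_tdx` with an underscore, which is not a tag this patch publishes; the docs should use the `-tdx` form so the `update_image_versions` call added for that file in bump_version.sh can presumably keep it in step with the other READMEs.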