From afc8354d5502008f76397e37648f5732211f27b1 Mon Sep 17 00:00:00 2001
From: zny666
Date: Mon, 5 Aug 2024 23:10:28 +0800
Subject: [PATCH 1/2] add reproducible build for CDH

Signed-off-by: zny666
---
rbi-CDH/Dockerfile | 46 ++++++++++++++++++++++++++++++++++++++++++++++
rbi-CDH/README.md | 23 +++++++++++++++++++++++
rbi-CDH/run.sh | 23 +++++++++++++++++++++++
3 files changed, 92 insertions(+)
create mode 100644 rbi-CDH/Dockerfile
create mode 100644 rbi-CDH/README.md
create mode 100644 rbi-CDH/run.sh

diff --git a/rbi-CDH/Dockerfile b/rbi-CDH/Dockerfile
new file mode 100644
index 000000000..28a857036
--- /dev/null
+++ b/rbi-CDH/Dockerfile
@@ -0,0 +1,46 @@
+FROM rust:1.80.0-bookworm as builder
+
+# The list of build argument with docker build --build-arg NAME=VALUE
+# Define the default commit of source code
+ARG CDH_COMMIT=HEAD
+
+# Set the working directory inside the container
+WORKDIR /usr/src/guest-components
+
+# Clone the specific commit from the GitHub repository
+RUN apt-get update && apt-get install -y git=1:2.39.2-1.1 \
+ && git clone https://github.com/confidential-containers/guest-components.git . \
+ && git checkout ${CDH_COMMIT}
+
+# Install additional build dependencies
+RUN apt-cache madison protobuf-compiler
+RUN apt-get install -y protobuf-compiler=3.21.12-3
+
+# Build and install confidential-data-hub with specific configurations
+RUN cd confidential-data-hub && make
+
+# Install ossfs, Gocryptofs and Runtime Dependencies
+RUN apt-get update && apt-get install -y wget=1.21.3-1+b2 gdebi-core=0.9.5.7+nmu6 fuse=2.9.9-6+b1 gocryptfs=2.3-1+b4 && wget https://gosspublic.alicdn.com/ossfs/ossfs_1.91.2_ubuntu22.04_amd64.deb && gdebi -n ossfs_1.91.2_ubuntu22.04_amd64.deb && rm ossfs_1.91.2_ubuntu22.04_amd64.deb
+
+
+FROM ubuntu:jammy-20240627.1
+
+LABEL org.opencontainers.image.source="https://github.com/inclavare-containers/confidential-data-hub"
+
+# Copy ossfs
+COPY --from=builder /usr/local/bin/ossfs /usr/local/bin/ossfs
+# Copy gocryptfs
+COPY --from=builder /usr/bin/gocryptfs /usr/local/bin/gocryptfs
+# Copy confidential-data-hub binary
+COPY --from=builder /usr/src/guest-components/target/x86_64-unknown-linux-gnu/release/confidential-data-hub /usr/local/bin/confidential-data-hub
+
+
+# Default Config File Path (/etc/confidential-data-hub.toml)
+VOLUME [ "/etc/confidential-data-hub.toml" ]
+
+# Start confidential-data-hub listening to request: 127.0.0.1:50000
+# CMD [ "confidential-data-hub" ]
+
+
+
+EXPOSE 50000
diff --git a/rbi-CDH/README.md b/rbi-CDH/README.md
new file mode 100644
index 000000000..32d06b305
--- /dev/null
+++ b/rbi-CDH/README.md
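Review bot: The ossfs package that `wget https://gosspublic.alicdn.com/ossfs/ossfs_1.91.2_ubuntu22.04_amd64.deb` fetches in the last builder `RUN` is handed straight to `gdebi -n` with no checksum against a value recorded in the Dockerfile, so a swapped download would land in both stages unnoticed and the ossfs binary shipped in the final image is pinned to nothing the build records; add `echo "<SHA256_OF_OSSFS_DEB>  ossfs_1.91.2_ubuntu22.04_amd64.deb" | sha256sum -c -` between the `wget` and the `gdebi` call. That `.deb` is built for Ubuntu 22.04 while the stage is `rust:1.80.0-bookworm`, and the runtime stage copies only `/usr/local/bin/ossfs`, not the shared libraries gdebi pulled in next to it, so presumably the binary works in `ubuntu:jammy-20240627.1` only if those libraries happen to be present there — an `ldd` check in the builder or installing the runtime dependencies in the final stage would make that contract explicit. `RUN apt-cache madison protobuf-compiler` looks like a leftover debug step, and `apt-get install -y protobuf-compiler=3.21.12-3` on the next line runs in a layer separate from `apt-get update`, which is the stale-list pattern hadolint flags as DL3009; fold both into the first `apt-get` `RUN`. The runtime stage never sets `USER` and its `CMD` is commented out, so the image starts as root running the base image's default shell; if confidential-data-hub needs root for FUSE mounts, a comment saying so belongs next to the commented `CMD`, otherwise add a non-root user.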
@@ -0,0 +1,23 @@
+# Reproducible Build Confidential-data-hub
+
+
+
+## Files
+
+
+
+- `run.sh` main script. Use `./run.sh` to run.
+- `Makefile` script to make build docker image.
+- `Dockerfile` to build docker.
+
+
+
+## Instructions
+
+First, run the script to start.
+
+```shell
+sudo sh run.sh
+```
+
+if build process is successful, the binary CDH file ` confidential-data-hub` is in `./pkg1`, then bash `./pkg1/confidential-data-hub` to run it.
\ No newline at end of file
diff --git a/rbi-CDH/run.sh b/rbi-CDH/run.sh
new file mode 100644
index 000000000..d372c1928
--- /dev/null
+++ b/rbi-CDH/run.sh
@@ -0,0 +1,23 @@
+#! /bin/bash
+
+CDH_COMMIT="bf7ccd301d3f50bfcb4cc9e38ae187141ce35072"
+
+sudo docker build --progress=plain --no-cache --build-arg CDH_COMMIT=${CDH_COMMIT} -t rbi-cdh:v1 .
+sudo docker build --progress=plain --no-cache --build-arg CDH_COMMIT=${CDH_COMMIT} -t rbi-cdh:v2 .
+
+mkdir -m 755 -p pkg1
+mkdir -m 755 -p pkg2
+
+sudo docker run -d --network host --name cdh-build1 rbi-cdh:v1
+sudo docker run -d --network host --name cdh-build2 rbi-cdh:v2
+
+sudo docker cp cdh-build1:/usr/local/bin/confidential-data-hub ./pkg1
+sudo docker cp cdh-build2:/usr/local/bin/confidential-data-hub ./pkg2
+
+diffoscope ./pkg1/confidential-data-hub ./pkg2/confidential-data-hub --html diff.html
+
+sudo docker stop cdh-build1
+sudo docker stop cdh-build2
+
+sudo docker rm cdh-build1
+sudo docker rm cdh-build2

From 0b5766e72711637cd3c964d397e04987ec2b6ba0 Mon Sep 17 00:00:00 2001
From: zny666
Date: Mon, 5 Aug 2024 23:13:06 +0800
Subject: [PATCH 2/2] add reproducible build for CDH

Signed-off-by: zny666
---
rbi-CDH/README.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rbi-CDH/README.md b/rbi-CDH/README.md
index 32d06b305..aa8f1f1f4 100644
--- a/rbi-CDH/README.md
+++ b/rbi-CDH/README.md
@@ -7,7 +7,6 @@
 
 
 - `run.sh` main script. Use `./run.sh` to run.
-- `Makefile` script to make build docker image.
 - `Dockerfile` to build docker.
 
 
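Review bot: The run.sh hunk sets no `set -euo pipefail` and checks no exit status, so when a `docker build` or `docker cp` fails the script runs on and `diffoscope` compares whatever already sits in `./pkg1` and `./pkg2` from an earlier run, which can yield a spurious reproducible verdict; add `set -euo pipefail` right after `#! /bin/bash` (and since `pipefail` is not POSIX, invoke the file with bash as the shebang says rather than the `sudo sh run.sh` the README suggests). The two containers exist only as a source for `docker cp`, yet `docker run -d --network host` executes the image's default process in the host network namespace for no reason; `docker create` gives the same copyable filesystem without running anything or sharing the host network. With created containers the two `docker stop` lines have nothing to stop, and moving the `docker rm` calls into a `trap ... EXIT` removes the containers even when an earlier step fails. The changed lines are below.
```shell
#! /bin/bash
set -euo pipefail

# … unchanged: CDH_COMMIT, the two docker build calls, mkdir …

# The containers are only a filesystem to copy from: create them, never run them.
sudo docker create --name cdh-build1 rbi-cdh:v1
sudo docker create --name cdh-build2 rbi-cdh:v2
trap 'sudo docker rm -f cdh-build1 cdh-build2' EXIT

# … unchanged: docker cp and diffoscope (the trailing stop/rm lines are dropped) …
```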
@@ -20,4 +19,4 @@ First, run the script to start.
 sudo sh run.sh
 ```
 
-if build process is successful, the binary CDH file ` confidential-data-hub` is in `./pkg1`, then bash `./pkg1/confidential-data-hub` to run it.
\ No newline at end of file
+if build process is successful, the binary CDH file ` confidential-data-hub` is in `./pkg1`, then bash `./pkg1/confidential-data-hub` to run it.