Merge pull request google#269 from jkl73/autotest
Update cloudbuild workflow for launcher
jkl73 authored Dec 13, 2022
2 parents 8c21e8e + b43c992 commit 8e530dc
Showing 6 changed files with 99 additions and 64 deletions.
77 changes: 35 additions & 42 deletions cloudbuild.yaml
@@ -1,48 +1,41 @@
substitutions:
'_BASE_IMAGE': 'cos-dev-105-17234-0-0'
'_BASE_IMAGE_PROJECT': 'cos-cloud'
'_BASE_IMAGE': ''
'_OUTPUT_IMAGE_PREFIX': 'confidential-space'
'_OUTPUT_IMAGE_SUFFIX': ''
'_IMAGE_ENV': 'debug'
'_BUCKET_NAME': '${PROJECT_ID}_cloudbuild'

steps:
- name: golang:1.18
entrypoint: /bin/bash
args:
- -c
- |
cd launcher/launcher
go build -o ../image/launcher
- name: 'gcr.io/cos-cloud/cos-customizer'
args: ['start-image-build',
'-build-context=launcher/image',
'-gcs-bucket=${_BUCKET_NAME}',
'-gcs-workdir=customizer-${BUILD_ID}',
'-image-name=${_BASE_IMAGE}',
'-image-project=${_BASE_IMAGE_PROJECT}']
- name: 'gcr.io/cos-cloud/cos-customizer'
args: ['run-script',
'-script=preload.sh',
'-env=IMAGE_ENV=${_IMAGE_ENV}']
- name: 'gcr.io/cos-cloud/cos-customizer'
args: ['seal-oem']
- name: 'gcr.io/cos-cloud/cos-customizer'
args: ['run-script',
'-script=fixup_oem.sh']
- name: 'gcr.io/cos-cloud/cos-customizer'
args: ['finish-image-build',
'-oem-size=500M',
'-disk-size-gb=11',
'-image-name=confidential-space-${_OUTPUT_IMAGE_SUFFIX}',
'-image-family=confidential-space-dev',
'-image-project=${PROJECT_ID}',
'-licenses=projects/confidential-space-images/global/licenses/confidential-space',
'-licenses=projects/confidential-space-images/global/licenses/ek-certificate-license',
'-zone=us-central1-a',
'-project=${PROJECT_ID}']
- name: 'gcr.io/cloud-builders/gcloud'
env:
- 'BASE_IMAGE=$_BASE_IMAGE'
- 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
- 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
- 'PROJECT_ID=$PROJECT_ID'
script: |
#!/usr/bin/env bash
timeout: '3000s'
# if BASE_IMAGE is not specified, use the latest COS dev image
base_image=${BASE_IMAGE}
if [ -z ${base_image}]
then
echo "getting the latest COS image"
base_image=$(gcloud compute images describe-from-family cos-dev --project cos-cloud | grep name | cut -d ' ' -f 2)
fi
options:
logging: CLOUD_LOGGING_ONLY
dynamic_substitutions: true
debug_image_name=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX}
hardened_image_name=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}
echo "building the debug image with the base image: ${base_image}"
gcloud builds submit --config=launcher/image/cloudbuild.yaml \
--substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${debug_image_name},_IMAGE_ENV=debug &
echo "building the hardened image with the base image: ${base_image}"
gcloud builds submit --config=launcher/image/cloudbuild.yaml \
--substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${hardened_image_name},_IMAGE_ENV=hardened &
echo "waiting for images to be built..."
wait
echo "running hardened image tests on ${hardened_image_name}"
cd launcher/image/test
gcloud builds submit --config=test_hardened_cloudbuild.yaml \
--substitutions _IMAGE_NAME=${hardened_image_name},_IMAGE_PROJECT=${PROJECT_ID}
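Review bot: The two background `gcloud builds submit … &` jobs are collected with a bare `wait`, which in bash exits 0 no matter how either build ended, and the script sets no `set -e`/`pipefail`, so the hardened-image test at the end of the step runs even when one of the image builds failed. Capturing each job's PID and waiting on them individually makes a failed build fail the step. The empty check a few lines earlier is also misquoted — `[ -z ${base_image}]` is missing the quotes and the space before `]` and should read `if [ -z "${base_image}" ]`. Resolving the latest COS image through `grep name | cut -d ' ' -f 2` is fragile; `--format='value(name)'` on the describe-from-family call returns the field directly. This rendered page does not mark which side each line is on, so the above assumes the inline script is entirely new-side code.
```yaml
    script: |
      #!/usr/bin/env bash
      set -euo pipefail
      # … unchanged: base_image resolution, debug/hardened image name variables …
      echo "building the debug image with the base image: ${base_image}"
      gcloud builds submit --config=launcher/image/cloudbuild.yaml \
        --substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${debug_image_name},_IMAGE_ENV=debug &
      debug_pid=$!
      echo "building the hardened image with the base image: ${base_image}"
      gcloud builds submit --config=launcher/image/cloudbuild.yaml \
        --substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${hardened_image_name},_IMAGE_ENV=hardened &
      hardened_pid=$!
      echo "waiting for images to be built..."
      wait "${debug_pid}"
      wait "${hardened_pid}"
      # … unchanged: hardened image test submission …
```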
3 changes: 3 additions & 0 deletions go.work.sum
@@ -1,3 +1,6 @@
cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc=
cloud.google.com/go/storage v1.22.1 h1:F6IlQJZrZM++apn9V5/VfS3gbTUYg98PS3EMQAzqtfg=
github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
github.com/googleapis/gax-go v2.0.2+incompatible h1:silFMLAnr330+NRuag/VjIGF7TLp/LBrV2CJKFLWEww=
github.com/googleapis/go-type-adapters v1.0.0 h1:9XdMn+d/G57qq1s8dNc5IesGCXHf6V2HZ2JwRxfA2tA=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
6 changes: 3 additions & 3 deletions launcher/container_runner_test.go
Expand Up @@ -122,9 +122,9 @@ func TestRefreshToken(t *testing.T) {
t.Errorf("Initial token written to file does not match expected token: got %v, want %v", data, expectedToken)
}

// Expect refreshTime to be no greater than expectedTTL * refreshRatio.
if refreshTime >= time.Duration(float64(ttl)*defaultRefreshMultiplier) {
t.Errorf("Refresh time cannot exceed ttl*refreshRato: got %v, expect no greater than %v", refreshTime, time.Duration(float64(ttl)*defaultRefreshMultiplier))
// Expect refreshTime to be no greater than expectedTTL.
if refreshTime >= time.Duration(float64(ttl)) {
t.Errorf("Refresh time cannot exceed ttl: got %v, expect no greater than %v", refreshTime, time.Duration(float64(ttl)))
}
}

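Review bot: The new bound in the second changed line is weaker than the one it replaces — refreshTime now only has to be below ttl rather than below ttl*defaultRefreshMultiplier, so the test no longer checks that the token is refreshed with the intended margin before it expires; if the multiplier was deliberately dropped from the implementation, the updated comment should say so, otherwise the tighter bound should stay. `time.Duration(float64(ttl))` is a round-trip that changes nothing if ttl is already a time.Duration (its declaration is above the hunk), in which case `if refreshTime >= ttl {` and printing `ttl` directly read more plainly. TestRefreshToken starts before this hunk, and since the commit description only mentions the cloudbuild workflow this change may have arrived through the merge rather than being intended here.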
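--- a/launcher/image/cloudbuild.yaml
+++ b/launcher/image/cloudbuild.yaml
@@ -0,0 +1,48 @@
+substitutions:
+'_BASE_IMAGE': ''
+'_OUTPUT_IMAGE_NAME': ''
+'_BASE_IMAGE_PROJECT': 'cos-cloud'
+'_IMAGE_ENV': ''
+'_BUCKET_NAME': '${PROJECT_ID}_cloudbuild'
+
+steps:
+- name: golang:1.18
+entrypoint: /bin/bash
+args:
+- -c
+- |
+cd launcher/launcher
+go build -o ../image/launcher
+- name: 'gcr.io/cos-cloud/cos-customizer'
+args: ['start-image-build',
+'-build-context=launcher/image',
+'-gcs-bucket=${_BUCKET_NAME}',
+'-gcs-workdir=customizer-${BUILD_ID}',
+'-image-name=${_BASE_IMAGE}',
+'-image-project=${_BASE_IMAGE_PROJECT}']
+- name: 'gcr.io/cos-cloud/cos-customizer'
+args: ['run-script',
+'-script=preload.sh',
+'-env=IMAGE_ENV=${_IMAGE_ENV}']
+- name: 'gcr.io/cos-cloud/cos-customizer'
+args: ['seal-oem']
+- name: 'gcr.io/cos-cloud/cos-customizer'
+args: ['run-script',
+'-script=fixup_oem.sh']
+- name: 'gcr.io/cos-cloud/cos-customizer'
+args: ['finish-image-build',
+'-oem-size=500M',
+'-disk-size-gb=11',
+'-image-name=${_OUTPUT_IMAGE_NAME}',
+'-image-family=confidential-space-dev',
+'-image-project=${PROJECT_ID}',
+'-licenses=projects/confidential-space-images/global/licenses/confidential-space',
+'-licenses=projects/confidential-space-images/global/licenses/ek-certificate-license',
+'-zone=us-central1-a',
+'-project=${PROJECT_ID}']
+
+timeout: '3000s'
+
+options:
+logging: CLOUD_LOGGING_ONLY
+dynamic_substitutions: true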
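Review bot: The builder images in the new steps are not pinned — `golang:1.18` by a mutable tag and `gcr.io/cos-cloud/cos-customizer` with no tag at all — so the launcher binary baked into the confidential-space image depends on whatever those references resolve to at build time. For an image whose attestation downstream consumers rely on, pin both by digest (`golang:1.18@sha256:<digest>`, `gcr.io/cos-cloud/cos-customizer@sha256:<digest>`) and bump them deliberately. `_BASE_IMAGE`, `_OUTPUT_IMAGE_NAME` and `_IMAGE_ENV` all default to '', so submitting this config on its own passes an empty `-image-name` to the customizer and an empty IMAGE_ENV to preload.sh; whether preload.sh rejects an empty value is not visible here. A comment above `substitutions:` stating that the three empty values are required and are supplied by the top-level cloudbuild.yaml would make that contract explicit.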
6 changes: 3 additions & 3 deletions launcher/image/test/test_hardened_cloudbuild.yaml
@@ -1,8 +1,8 @@
substitutions:
# Expects hardened image (not debug) and should have startup-script service
# disabled. google-startup-scripts.service is only enabled with multi-user.target.
'_IMAGE_NAME': 'confidential-space-51031c1-dev-hardened'
'_BASE_IMAGE_PROJECT': 'confidential-space-images-dev'
'_IMAGE_NAME': ''
'_IMAGE_PROJECT': ''
'_METADATA_FILE': 'startup-script=data/echo_startupscript.sh'
'_CLEANUP': 'true'
steps:
Expand All @@ -11,7 +11,7 @@ steps:
env:
- 'BUILD_ID=$BUILD_ID'
args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
-p, '${_BASE_IMAGE_PROJECT}',
-p, '${_IMAGE_PROJECT}',
-f, '${_METADATA_FILE}'
]
- name: 'gcr.io/cloud-builders/gcloud'
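Review bot: `_IMAGE_NAME` and `_IMAGE_PROJECT` now both default to '' in the substitutions block, so invoking this config directly rather than from the top-level build hands `create_vm.sh -i '' -p ''`, and whether create_vm.sh rejects empty values is not visible here. A comment above the two entries such as `# Required; supplied by the top-level cloudbuild.yaml after the hardened image is built.` would document the contract.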
23 changes: 7 additions & 16 deletions run_cloudbuild.sh
@@ -1,20 +1,10 @@
#!/bin/bash
# Run script using run_cloudbuild.sh <image-type: debug, hardened>
#
# Run the script: ./run_cloudbuild.sh
set -euxo pipefail

if [ $# -eq 0 ]; then
echo "No arguments supplied. Run with image-type."
exit 1
elif [[ "$1" != "hardened" && "$1" != "debug" ]]; then
echo "Incorrect args: image-type must be one of debug|hardened"
exit 1
fi

# Append a timestamp, as there is a check in finish-image-build that checks if
# the image already exists.
IMAGE_SUFFIX="$1-$USER-test-image-`date +%s`"
BUCKET_NAME="$USER-confidential-space-test-images"
IMAGE_SUFFIX="$USER-test-image-`date +%s`"

DIR=$(dirname -- "${BASH_SOURCE[0]}")
echo "Running Cloud Build on directory $DIR"
Expand All @@ -24,9 +14,10 @@ echo "Running Cloud Build on directory $DIR"
#
# Ensure you grant Cloud Build access to Compute Images:
# https://pantheon.corp.google.com/compute/images?referrer=search&tab=exports&project=$PROJECT_ID
gcloud beta builds submit --config=$DIR/cloudbuild.yaml \
--substitutions=_OUTPUT_IMAGE_SUFFIX="$IMAGE_SUFFIX",_BUCKET_NAME="$BUCKET_NAME",_IMAGE_ENV="$1"
gcloud beta builds submit --config=${DIR}/cloudbuild.yaml \
--substitutions=_OUTPUT_IMAGE_SUFFIX="${IMAGE_SUFFIX}"

echo "Image creation successful."
echo "Create a VM using:"
echo "gcloud compute instances create confidential-space-test --image=confidential-space-$IMAGE_SUFFIX"
echo "Create a VM using the debug image confidential-space-debug-${IMAGE_SUFFIX}"
echo "gcloud compute instances create confidential-space-test --image=confidential-space-debug-${IMAGE_SUFFIX} --metadata ..."
echo "Or use the hardened image confidential-space-hardened-${IMAGE_SUFFIX}"
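Review bot: The new IMAGE_SUFFIX assignment keeps the backtick command substitution and an unguarded `$USER`, which under the existing `set -euxo pipefail` aborts the script when USER is not exported (common in containerised CI); `IMAGE_SUFFIX="${USER:-$(id -un)}-test-image-$(date +%s)"` handles both. With the argument check removed, positional arguments are now silently ignored, so an old `./run_cloudbuild.sh debug` invocation appears to work while quietly building both images; a guard such as `[ $# -eq 0 ] || { echo "usage: $0"; exit 1; }` keeps that explicit. The `_BUCKET_NAME` override is no longer passed, so the build falls back to the `${PROJECT_ID}_cloudbuild` default from cloudbuild.yaml, which is worth a line in the header comment.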
