From b43c9922e45254ba64f22cda9c7d7f63659f94cd Mon Sep 17 00:00:00 2001
From: Jiankun Lu
Date: Fri, 2 Dec 2022 15:58:13 -0800
Subject: [PATCH] Update cloudbuild workflow for launcher

Fix TextRefreshToken test. Create a overall cloudbuild file can trigger image building and testing cloudbuild workflow.

Signed-off-by: Jiankun Lu
---
 cloudbuild.yaml | 77 +++++++++----------
 go.work.sum | 3 +
 launcher/container_runner_test.go | 6 +-
 launcher/image/cloudbuild.yaml | 48 ++++++++++++
 .../image/test/test_hardened_cloudbuild.yaml | 6 +-
 run_cloudbuild.sh | 23 ++----
 6 files changed, 99 insertions(+), 64 deletions(-)
 create mode 100644 launcher/image/cloudbuild.yaml

diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index c53c70e21..685610e52 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -1,48 +1,41 @@
 substitutions:
- '_BASE_IMAGE': 'cos-dev-105-17234-0-0'
- '_BASE_IMAGE_PROJECT': 'cos-cloud'
+ '_BASE_IMAGE': ''
+ '_OUTPUT_IMAGE_PREFIX': 'confidential-space'
 '_OUTPUT_IMAGE_SUFFIX': ''
- '_IMAGE_ENV': 'debug'
- '_BUCKET_NAME': '${PROJECT_ID}_cloudbuild'
 
 steps:
- - name: golang:1.18
- entrypoint: /bin/bash
- args:
- - -c
- - |
- cd launcher/launcher
- go build -o ../image/launcher
- - name: 'gcr.io/cos-cloud/cos-customizer'
- args: ['start-image-build',
- '-build-context=launcher/image',
- '-gcs-bucket=${_BUCKET_NAME}',
- '-gcs-workdir=customizer-${BUILD_ID}',
- '-image-name=${_BASE_IMAGE}',
- '-image-project=${_BASE_IMAGE_PROJECT}']
- - name: 'gcr.io/cos-cloud/cos-customizer'
- args: ['run-script',
- '-script=preload.sh',
- '-env=IMAGE_ENV=${_IMAGE_ENV}']
- - name: 'gcr.io/cos-cloud/cos-customizer'
- args: ['seal-oem']
- - name: 'gcr.io/cos-cloud/cos-customizer'
- args: ['run-script',
- '-script=fixup_oem.sh']
- - name: 'gcr.io/cos-cloud/cos-customizer'
- args: ['finish-image-build',
- '-oem-size=500M',
- '-disk-size-gb=11',
- '-image-name=confidential-space-${_OUTPUT_IMAGE_SUFFIX}',
- '-image-family=confidential-space-dev',
- '-image-project=${PROJECT_ID}',
- '-licenses=projects/confidential-space-images/global/licenses/confidential-space',
- '-licenses=projects/confidential-space-images/global/licenses/ek-certificate-license',
- '-zone=us-central1-a',
- '-project=${PROJECT_ID}']
+- name: 'gcr.io/cloud-builders/gcloud'
+ env:
+ - 'BASE_IMAGE=$_BASE_IMAGE'
+ - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+ - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+ - 'PROJECT_ID=$PROJECT_ID'
+ script: |
+ #!/usr/bin/env bash
 
-timeout: '3000s'
+ # if BASE_IMAGE is not specified, use the latest COS dev image
+ base_image=${BASE_IMAGE}
+ if [ -z ${base_image}]
+ then
+ echo "getting the latest COS image"
+ base_image=$(gcloud compute images describe-from-family cos-dev --project cos-cloud | grep name | cut -d ' ' -f 2)
+ fi
 
-options:
- logging: CLOUD_LOGGING_ONLY
- dynamic_substitutions: true
+ debug_image_name=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX}
+ hardened_image_name=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}
+
+ echo "building the debug image with the base image: ${base_image}"
+ gcloud builds submit --config=launcher/image/cloudbuild.yaml \
+ --substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${debug_image_name},_IMAGE_ENV=debug &
+
+ echo "building the hardened image with the base image: ${base_image}"
+ gcloud builds submit --config=launcher/image/cloudbuild.yaml \
+ --substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_NAME=${hardened_image_name},_IMAGE_ENV=hardened &
+
+ echo "waiting for images to be built..."
+ wait
+
+ echo "running hardened image tests on ${hardened_image_name}"
+ cd launcher/image/test
+ gcloud builds submit --config=test_hardened_cloudbuild.yaml \
+ --substitutions _IMAGE_NAME=${hardened_image_name},_IMAGE_PROJECT=${PROJECT_ID}
diff --git a/go.work.sum b/go.work.sum
index 394b02cf9..29d9e89d0 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -1,3 +1,6 @@
+cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc=
+cloud.google.com/go/storage v1.22.1 h1:F6IlQJZrZM++apn9V5/VfS3gbTUYg98PS3EMQAzqtfg=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/googleapis/gax-go v2.0.2+incompatible h1:silFMLAnr330+NRuag/VjIGF7TLp/LBrV2CJKFLWEww=
+github.com/googleapis/go-type-adapters v1.0.0 h1:9XdMn+d/G57qq1s8dNc5IesGCXHf6V2HZ2JwRxfA2tA=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
diff --git a/launcher/container_runner_test.go b/launcher/container_runner_test.go
index d1a32a56b..0d19d2756 100644
--- a/launcher/container_runner_test.go
+++ b/launcher/container_runner_test.go
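Review bot: The bare `wait` in the new build step returns 0 no matter how the two backgrounded `gcloud builds submit` calls exited, and the script never sets `set -e`, so a failed debug or hardened image build goes unnoticed: the hardened test step still runs against a missing image and the parent build can finish green. The `if [ -z ${base_image}]` test also lacks the space before `]` and quotes around the expansion, so it only works by accident (an empty value yields `[ -z ]`, a non-empty one makes `[` fail with a missing-bracket error that happens to be falsy). Capturing each child PID and waiting on it individually, quoting the test, and asking gcloud for the name directly with `--format='value(name)'` instead of `grep name | cut` addresses all three; the rewritten lines are below. The hunk also drops the old `timeout: '3000s'` while this single step now blocks on two child builds that each allow 3000s, so the parent build presumably runs under Cloud Build's default timeout — worth confirming and restoring a top-level `timeout`.
```yaml
  script: |
    #!/usr/bin/env bash
    set -euo pipefail
    # … unchanged: base_image=${BASE_IMAGE} …
    if [ -z "${base_image}" ]
    then
      echo "getting the latest COS image"
      base_image=$(gcloud compute images describe-from-family cos-dev --project cos-cloud --format='value(name)')
    fi
    # … unchanged: debug_image_name / hardened_image_name derivation …
    # … unchanged: debug build submit line, ending in `&` …
    debug_pid=$!
    # … unchanged: hardened build submit line, ending in `&` …
    hardened_pid=$!
    echo "waiting for images to be built..."
    wait "${debug_pid}"
    wait "${hardened_pid}"
    # … unchanged: hardened image test submission …
```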
@@ -122,9 +122,9 @@ func TestRefreshToken(t *testing.T) {
 t.Errorf("Initial token written to file does not match expected token: got %v, want %v", data, expectedToken)
 }
 
- // Expect refreshTime to be no greater than expectedTTL * refreshRatio.
- if refreshTime >= time.Duration(float64(ttl)*defaultRefreshMultiplier) {
- t.Errorf("Refresh time cannot exceed ttl*refreshRato: got %v, expect no greater than %v", refreshTime, time.Duration(float64(ttl)*defaultRefreshMultiplier))
+ // Expect refreshTime to be no greater than expectedTTL.
+ if refreshTime >= time.Duration(float64(ttl)) {
+ t.Errorf("Refresh time cannot exceed ttl: got %v, expect no greater than %v", refreshTime, time.Duration(float64(ttl)))
 }
 }
 
diff --git a/launcher/image/cloudbuild.yaml b/launcher/image/cloudbuild.yaml
new file mode 100644
index 000000000..1f17a65e3
--- /dev/null
+++ b/launcher/image/cloudbuild.yaml
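Review bot: The loosened bound on the `if refreshTime >= time.Duration(float64(ttl))` line still accepts a zero or negative refreshTime, so a refresh scheduled immediately would pass this test; consider a lower bound as well, `if refreshTime <= 0 || refreshTime >= ttl { t.Errorf("refresh time must be in (0, ttl): got %v, ttl %v", refreshTime, ttl) }`. The updated comment no longer explains why the tighter `defaultRefreshMultiplier` bound was dropped; a line such as `// Only expiry is a hard bound here: the multiplier shapes the nominal refresh, observed refreshTime just has to land before ttl.` would keep the intent readable — adjust it to the actual reason. If `ttl` is already a `time.Duration` (its declaration is outside the hunk), `time.Duration(float64(ttl))` is an identity round trip and plain `ttl` reads better. TestRefreshToken begins outside the hunk.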
@@ -0,0 +1,48 @@
+substitutions:
+ '_BASE_IMAGE': ''
+ '_OUTPUT_IMAGE_NAME': ''
+ '_BASE_IMAGE_PROJECT': 'cos-cloud'
+ '_IMAGE_ENV': ''
+ '_BUCKET_NAME': '${PROJECT_ID}_cloudbuild'
+
+steps:
+ - name: golang:1.18
+ entrypoint: /bin/bash
+ args:
+ - -c
+ - |
+ cd launcher/launcher
+ go build -o ../image/launcher
+ - name: 'gcr.io/cos-cloud/cos-customizer'
+ args: ['start-image-build',
+ '-build-context=launcher/image',
+ '-gcs-bucket=${_BUCKET_NAME}',
+ '-gcs-workdir=customizer-${BUILD_ID}',
+ '-image-name=${_BASE_IMAGE}',
+ '-image-project=${_BASE_IMAGE_PROJECT}']
+ - name: 'gcr.io/cos-cloud/cos-customizer'
+ args: ['run-script',
+ '-script=preload.sh',
+ '-env=IMAGE_ENV=${_IMAGE_ENV}']
+ - name: 'gcr.io/cos-cloud/cos-customizer'
+ args: ['seal-oem']
+ - name: 'gcr.io/cos-cloud/cos-customizer'
+ args: ['run-script',
+ '-script=fixup_oem.sh']
+ - name: 'gcr.io/cos-cloud/cos-customizer'
+ args: ['finish-image-build',
+ '-oem-size=500M',
+ '-disk-size-gb=11',
+ '-image-name=${_OUTPUT_IMAGE_NAME}',
+ '-image-family=confidential-space-dev',
+ '-image-project=${PROJECT_ID}',
+ '-licenses=projects/confidential-space-images/global/licenses/confidential-space',
+ '-licenses=projects/confidential-space-images/global/licenses/ek-certificate-license',
+ '-zone=us-central1-a',
+ '-project=${PROJECT_ID}']
+
+timeout: '3000s'
+
+options:
+ logging: CLOUD_LOGGING_ONLY
+ dynamic_substitutions: true
diff --git a/launcher/image/test/test_hardened_cloudbuild.yaml b/launcher/image/test/test_hardened_cloudbuild.yaml
index cd60cb374..6c4fe3bcc 100644
--- a/launcher/image/test/test_hardened_cloudbuild.yaml
+++ b/launcher/image/test/test_hardened_cloudbuild.yaml
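Review bot: `'-image-family=confidential-space-dev'` in the finish-image-build step stays fixed while `-image-name` becomes the `_OUTPUT_IMAGE_NAME` substitution, so the debug and hardened images that the top-level cloudbuild.yaml now builds through this config both land in the same image family, and anyone resolving the image by family can get a debug build where a hardened one was expected. Consider deriving the family from the environment, e.g. an `'_IMAGE_FAMILY': ''` substitution passed next to `_IMAGE_ENV` and used as `'-image-family=${_IMAGE_FAMILY}'`, or folding `${_IMAGE_ENV}` into the family name. Separately, `golang:1.18` and the `gcr.io/cos-cloud/cos-customizer` builder are referenced by floating tag; pinning them by digest would make the launcher binary baked into the image reproducible — an observation from the `name:` lines, not from any failure the diff shows.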
@@ -1,8 +1,8 @@
 substitutions:
 # Expects hardened image (not debug) and should have startup-script service
 # disabled. google-startup-scripts.service is only enabled with multi-user.target.
- '_IMAGE_NAME': 'confidential-space-51031c1-dev-hardened'
- '_BASE_IMAGE_PROJECT': 'confidential-space-images-dev'
+ '_IMAGE_NAME': ''
+ '_IMAGE_PROJECT': ''
 '_METADATA_FILE': 'startup-script=data/echo_startupscript.sh'
 '_CLEANUP': 'true'
 steps:
@@ -11,7 +11,7 @@ steps:
 env:
 - 'BUILD_ID=$BUILD_ID'
 args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
- -p, '${_BASE_IMAGE_PROJECT}',
+ -p, '${_IMAGE_PROJECT}',
 -f, '${_METADATA_FILE}'
 ]
 - name: 'gcr.io/cloud-builders/gcloud'
diff --git a/run_cloudbuild.sh b/run_cloudbuild.sh
index aa867fb67..74e2023b5 100755
--- a/run_cloudbuild.sh
+++ b/run_cloudbuild.sh
@@ -1,20 +1,10 @@
 #!/bin/bash
-# Run script using run_cloudbuild.sh
-#
+# Run the script: ./run_cloudbuild.sh
 set -euxo pipefail
-if [ $# -eq 0 ]; then
- echo "No arguments supplied. Run with image-type."
- exit 1
-elif [[ "$1" != "hardened" && "$1" != "debug" ]]; then
- echo "Incorrect args: image-type must be one of debug|hardened"
- exit 1
-fi
-
 # Append a timestamp, as there is a check in finish-image-build that checks if
 # the image already exists.
-IMAGE_SUFFIX="$1-$USER-test-image-`date +%s`"
-BUCKET_NAME="$USER-confidential-space-test-images"
+IMAGE_SUFFIX="$USER-test-image-`date +%s`"
 DIR=$(dirname -- "${BASH_SOURCE[0]}")
 echo "Running Cloud Build on directory $DIR"
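Review bot: The emptied `'_IMAGE_NAME': ''` and `'_IMAGE_PROJECT': ''` defaults in the first hunk mean a direct `gcloud builds submit` of this config without `--substitutions` now hands `create_vm.sh -i '' -p ''` empty values (the `-p, '${_IMAGE_PROJECT}'` line in the second hunk is the only consumer) and fails somewhere inside that script rather than up front. A comment on the substitutions block stating that the caller must supply both, e.g. `# _IMAGE_NAME and _IMAGE_PROJECT have no default; the top-level cloudbuild.yaml passes them via --substitutions.`, would make the contract explicit; a short gcloud step that exits non-zero when either is empty would make it enforced. The steps list continues past the second hunk.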
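Review bot: The rewritten `IMAGE_SUFFIX="$USER-test-image-`date +%s`"` line keeps backtick command substitution; `IMAGE_SUFFIX="${USER}-test-image-$(date +%s)"` quotes and nests cleanly and matches the `${DIR}` brace style the later hunk adopts. With `set -euxo pipefail` in force a few lines above, an unset `USER` (possible in a non-login or CI shell) aborts the script with an unbound-variable message instead of a clear one, so a guard such as `: "${USER:?USER must be set}"` or a fallback `USER=${USER:-$(id -un)}` is worth a line — inferred from the options, not from a failure the diff shows. Dropping the image-type argument check is consistent with the top-level cloudbuild.yaml now building both images, so nothing to add there.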
@@ -24,9 +14,10 @@ echo "Running Cloud Build on directory $DIR"
 #
 # Ensure you grant Cloud Build access to Compute Images:
 # https://pantheon.corp.google.com/compute/images?referrer=search&tab=exports&project=$PROJECT_ID
-gcloud beta builds submit --config=$DIR/cloudbuild.yaml \
- --substitutions=_OUTPUT_IMAGE_SUFFIX="$IMAGE_SUFFIX",_BUCKET_NAME="$BUCKET_NAME",_IMAGE_ENV="$1"
+gcloud beta builds submit --config=${DIR}/cloudbuild.yaml \
+ --substitutions=_OUTPUT_IMAGE_SUFFIX="${IMAGE_SUFFIX}"
 
 echo "Image creation successful."
-echo "Create a VM using:"
-echo "gcloud compute instances create confidential-space-test --image=confidential-space-$IMAGE_SUFFIX"
+echo "Create a VM using the debug image confidential-space-debug-${IMAGE_SUFFIX}"
+echo "gcloud compute instances create confidential-space-test --image=confidential-space-debug-${IMAGE_SUFFIX} --metadata ..."
+echo "Or use the hardened image confidential-space-hardened-${IMAGE_SUFFIX}"