Merge pull request #229 from Dstack-TEE/kms-builder

Add reproducible docker image builder for KMS

Author: kvinwang

kms/dstack-app/.gitignore

@@ -1,2 +1,3 @@
 .app-compose.json
 .env
+.GIT_REV

kms/dstack-app/builder/Dockerfile

@@ -0,0 +1,60 @@
+FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS kms-builder
+COPY ./shared /build
+ARG DSTACK_REV
+WORKDIR /build
+RUN ./pin-packages.sh ./kms-pinned-packages.txt
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    build-essential \
+    musl-tools \
+    libssl-dev \
+    protobuf-compiler \
+    libprotobuf-dev \
+    clang \
+    libclang-dev
+RUN git clone https://github.com/Dstack-TEE/dstack.git && \
+    cd dstack && \
+    git checkout ${DSTACK_REV}
+RUN rustup target add x86_64-unknown-linux-musl
+RUN cd dstack && cargo build --release -p dstack-kms --target x86_64-unknown-linux-musl
+
+FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe
+COPY ./shared /build
+WORKDIR /build
+ARG QEMU_REV=d98440811192c08eafc07c7af110593c6b3758ff
+RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    libslirp-dev \
+    python3-pip \
+    ninja-build \
+    pkg-config \
+    libglib2.0-dev \
+    python3-sphinx \
+    python3-sphinx-rtd-theme \
+    build-essential \
+    flex \
+    bison && \
+    rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
+RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch passthrough-dump-acpi --single-branch && \
+    cd qemu-tdx && git fetch --depth 1 origin ${QEMU_REV} && \
+    git checkout ${QEMU_REV} && \
+    ../config-qemu.sh ./build /usr/local && \
+    cd build && \
+    ninja && \
+    strip qemu-system-x86_64 && \
+    install -m 755 qemu-system-x86_64 /usr/local/bin/dstack-acpi-tables && \
+    cd ../ && \
+    install -d /usr/local/share/qemu && \
+    install -m 644 pc-bios/efi-virtio.rom /usr/local/share/qemu/ && \
+    install -m 644 pc-bios/kvmvapic.bin /usr/local/share/qemu/ && \
+    install -m 644 pc-bios/linuxboot_dma.bin /usr/local/share/qemu/ && \
+    cd .. && rm -rf qemu-tdx
+COPY --from=kms-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-kms /usr/local/bin/dstack-kms
+COPY entrypoint.sh /entrypoint.sh
+COPY .GIT_REV /etc/.GIT_REV
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["dstack-kms"]

kms/dstack-app/builder/README.md

@@ -0,0 +1,55 @@
+# Dstack KMS Builder
+
+This directory contains the necessary files to build and run the dstack-kms Docker image for development.
+
+## Overview
+
+The builder creates a Docker image that includes:
+- The dstack-kms service compiled from Rust source code
+- Command line tool dstack-acpi-tables for generating ACPI tables for dstack CVM
+
+## Prerequisites
+
+- Docker with BuildKit support (v20.10.0+)
+- Git
+
+## Building the Image
+
+To build the KMS Docker image, use the provided `build-image.sh` script:
+
+```bash
+./build-image.sh <image-name>[:<tag>]
+```
+
+For example:
+```bash
+./build-image.sh kvin/kms
+```
+
+## Running the Built Image
+
+### Using Docker Compose
+
+The easiest way to run the KMS service is using the provided `docker-compose.yaml`:
+
+```yaml
+services:
+  kms:
+    image: kvin/kms
+    ports:
+      - "8003:8000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./kms:/kms
+    environment:
+      - IMAGE_DOWNLOAD_URL=${IMAGE_DOWNLOAD_URL:-http://localhost:8001/mr_{OS_IMAGE_HASH}.tar.gz}
+      - AUTH_TYPE=dev
+      - DEV_DOMAIN=kms.1022.kvin.wang
+      - QUOTE_ENABLED=false
+```
+
+To start the service:
+
+```bash
+docker-compose up
+```

kms/dstack-app/builder/build-image.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+
+NO_CACHE=--no-cache
+
+extract-packages() {
+    local name=$1
+    local pkg_list_file=$2
+    if [ -z "$pkg_list_file" ]; then
+        return
+    fi
+    docker run --rm --entrypoint bash $name -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > "$pkg_list_file"
+}
+
+# Function to build Docker image and optionally extract package list
+docker-build() {
+    local name=$1
+    local target=$2
+    local pkg_list_file=$3
+    # Get the commit timestamp for SOURCE_DATE_EPOCH
+    local commit_timestamp=$(git show -s --format=%ct $GIT_REV)
+    local build_args="--build-arg SOURCE_DATE_EPOCH=$commit_timestamp --build-arg DSTACK_REV=$GIT_REV"
+
+    local args="--builder buildkit_20 $NO_CACHE $build_args"
+
+    # Add target if specified
+    if [ -n "$target" ]; then
+        args="$args --target $target"
+    fi
+
+    # Build the image
+    docker buildx build $args --output type=docker,name=$name,rewrite-timestamp=true --progress=plain .
+    extract-packages $name $pkg_list_file
+}
+
+NAME=$1
+if [ -z "$NAME" ]; then
+    echo "Usage: $0 <name>[:<tag>]"
+    exit 1
+fi
+
+# Check if buildkit_20 already exists before creating it
+if ! docker buildx inspect buildkit_20 &>/dev/null; then
+    docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
+fi
+
+touch shared/kms-pinned-packages.txt
+touch shared/qemu-pinned-packages.txt
+GIT_REV=$(git rev-parse HEAD)
+echo $GIT_REV > .GIT_REV
+
+# First build the qemu-builder stage and extract package list
+docker-build "$NAME" "" "shared/qemu-pinned-packages.txt"
+# Then build the kms-builder stage and extract package list
+docker-build "kms-builder-temp" "kms-builder" "shared/kms-pinned-packages.txt"
+
+git_status=$(git status --porcelain -- shared/)
+if [ -n "$git_status" ]; then
+    echo "The working tree is not clean, please commit or stash your changes before re-running the build"
+    exit 1
+fi
+
+rm .GIT_REV

kms/dstack-app/builder/entrypoint.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+cat <<EOF > ./kms.toml
+[rpc]
+address = "0.0.0.0"
+port = 8000
+
+[rpc.tls]
+key = "/kms/certs/rpc.key"
+certs = "/kms/certs/rpc.crt"
+
+[rpc.tls.mutual]
+ca_certs = "/kms/certs/tmp-ca.crt"
+mandatory = false
+
+[core]
+cert_dir = "/kms/certs"
+admin_token_hash = ""
+
+[core.image]
+verify = true
+cache_dir = "/kms/images"
+download_url = "${IMAGE_DOWNLOAD_URL}"
+download_timeout = "2m"
+
+[core.auth_api]
+type = "${AUTH_TYPE}"
+
+[core.auth_api.webhook]
+url = "${AUTH_RPC_URL}"
+
+[core.auth_api.dev]
+gateway_app_id = "any"
+
+[core.onboard]
+enabled = true
+auto_bootstrap_domain = "${DEV_DOMAIN}"
+quote_enabled = ${QUOTE_ENABLED}
+address = "0.0.0.0"
+port = 8000
+EOF
+
+exec "$@"

kms/dstack-app/builder/shared/config-qemu.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+BUILD_DIR="$1"
+PREFIX="$2"
+if [ -z "$BUILD_DIR" ]; then
+  echo "Usage: $0 <build-directory>"
+  exit 1
+fi
+
+mkdir -p "$BUILD_DIR"
+cd "$BUILD_DIR"
+
+export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct)
+export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\""
+export LDFLAGS="-Wl,--build-id=none"
+
+../configure \
+  --prefix="$PREFIX" \
+  --target-list=x86_64-softmmu \
+  --disable-werror
+
+echo ""
+echo "Build configured for reproducibility in $BUILD_DIR"
+echo "To build, run: cd $BUILD_DIR && make"