Add workflow for preloading cchost image with oem-perloader

Author: hegao12

launcher/image/cchost/cloudbuild.yaml

@@ -0,0 +1,95 @@
+substitutions:
+  '_BASE_IMAGE': ''
+  '_BASE_IMAGE_PROJECT': ''
+  '_BUCKET_NAME': ''
+  '_IMAGE_ENV': ''
+  '_OUTPUT_IMAGE_NAME': ''
+  '_OUTPUT_IMAGE_FAMILY': ''
+  '_CS_LICENSE': ''
+  '_SHORT_SHA': ''
+
+steps:
+  - name: golang:1.23
+    entrypoint: /bin/bash
+    args:
+      - -c
+      - |
+        cd launcher/launcher
+        CGO_ENABLED=0 go build -o ../image/cchost/preload-dir/confidential_space/cs_container_launcher -ldflags="-X 'main.BuildCommit=${_SHORT_SHA}'"
+  - name: 'gcr.io/cloud-builders/gcloud'
+    id: 'DownloadExpBinary'
+    entrypoint: 'gcloud'
+    args: ['storage',
+           'cp',
+           'gs://confidential-space-images_third-party/confidential_space_experiments',
+           './launcher/image/cchost/preload-dir/confidential_space/confidential_space_experiments']
+  - name: 'alpine'
+    args: ['chmod', '+x', './launcher/image/cchost/preload-dir/confidential_space/confidential_space_experiments']
+  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
+    id: 'ExportBaseImage'
+    args:
+      - 'gcloud'
+      - 'compute'
+      - 'images'
+      - 'export'
+      - '--image=${_BASE_IMAGE}'
+      - '--image-project=${_BASE_IMAGE_PROJECT}'
+      - '--destination-uri=gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_BASE_IMAGE}.tar.gz'
+  - name: 'gcr.io/cloud-builders/gcloud'
+    id: 'DownloadImageFromGCS'
+    entrypoint: 'gcloud'
+    args: ['storage',
+           'cp',
+           'gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_BASE_IMAGE}.tar.gz',
+           './src_image.tar.gz']
+  - name: 'alpine'
+    id: 'ExtractRawImage'
+    args: ['tar', '-xf', './src_image.tar.gz']
+  - name: 'gcr.io/hegao-dev/oem-preloader:v2'
+    id: 'RunOEMPreloader'
+    env:
+      - 'IMAGE_ENV=${_IMAGE_ENV}'
+    args:
+      - '--src-image=./disk.raw'
+      - '--out-image=output.bin'
+      - '--oem-fs-size=500M'
+      - '--disk-size-gb=11'
+      - '--install-dir=./launcher/image/cchost/preload-dir'
+      - '--cmdline-script=./launcher/image/cchost/cmdline.sh'
+  - name: 'alpine'
+    id: 'RenameOutputImage'
+    args: ['mv', 'output.bin', 'disk.raw']
+  - name: 'alpine'
+    id: 'TarOutputImage'
+    args: ['tar', '-zcf', './out_image.tar.gz', 'disk.raw']
+  - name: 'gcr.io/cloud-builders/gcloud'
+    id: 'UploadToGCS'
+    entrypoint: 'gcloud'
+    args: ['storage',
+           'cp',
+           './out_image.tar.gz',
+           'gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_OUTPUT_IMAGE_NAME}.tar.gz']
+  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
+    id: 'CreateGCEImage'
+    args:
+      - 'gcloud'
+      - 'compute'
+      - 'images'
+      - 'create'
+      - '--family=${_OUTPUT_IMAGE_FAMILY}'
+      - '--source-uri=gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_OUTPUT_IMAGE_NAME}.tar.gz'
+      - '--guest-os-features=UEFI_COMPATIBLE'
+      - '-licenses=${_CS_LICENSE},projects/confidential-space-images/global/licenses/ek-certificate-license'
+      - '${_OUTPUT_IMAGE_NAME}'
+  - name: 'gcr.io/cloud-builders/gcloud'
+    id: 'RemoveGCSFiles'
+    entrypoint: 'gcloud'
+    args: ['storage',
+           'rm',
+           'gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_BASE_IMAGE}.tar.gz',
+           'gs://${_BUCKET_NAME}/oem-preloader-${BUILD_ID}/${_OUTPUT_IMAGE_NAME}.tar.gz']
+
+timeout: '3000s'
+
+options:
+  dynamic_substitutions: true

launcher/image/cchost/cmdline.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+GRUB_FILE="$1"
+
+readonly OEM_PATH='/usr/share/oem'
+readonly CS_PATH="${OEM_PATH}/confidential_space"
+
+append_cmdline() {
+  local arg="$1"
+  sed -i -e "s|cros_efi|cros_efi ${arg}|g" "${GRUB_FILE}"
+}
+
+set_default_boot_target() {
+  append_cmdline "systemd.unit=$1"
+}
+
+disable_unit() {
+  append_cmdline "systemd.mask=$1"
+}
+
+enable_unit() {
+  append_cmdline "systemd.wants=$1"
+}
+
+configure_entrypoint() {
+  append_cmdline "'ds=nocloud;s=${OEM_PATH}/'"
+}
+
+configure_necessary_systemd_units() {
+  # Include basic services.
+  enable_unit "basic.target"
+
+  # gcr-wait-online.service is WantedBy=gcr-online.target.
+  # The hostname gcr.io does not resolve until systemd-resolved is enabled.
+  enable_unit "systemd-resolved.service"
+
+  # Dependencies of container-runner.service.
+  enable_unit "network-online.target"
+  enable_unit "gcr-online.target"
+
+}
+
+configure_systemd_units_for_hardened() {
+  configure_necessary_systemd_units
+  # Make entrypoint (via cloud-init) the default unit.
+  set_default_boot_target "cloud-final.service"
+
+  disable_unit "var-lib-docker.mount"
+  disable_unit "docker.service"
+  disable_unit "google-guest-agent.service"
+  disable_unit "google-osconfig-init.service"
+  disable_unit "google-osconfig-agent.service"
+  disable_unit "google-startup-scripts.service"
+  disable_unit "google-shutdown-scripts.service"
+  disable_unit "konlet-startup.service"
+  disable_unit "crash-reporter.service"
+  disable_unit "device_policy_manager.service"
+  disable_unit "docker-events-collector-fluent-bit.service"
+  disable_unit "sshd.service"
+  disable_unit "var-lib-toolbox.mount"
+}
+
+configure_systemd_units_for_debug() {
+  disable_unit "konlet-startup.service"
+}
+
+fix_oem() {
+  sed -i -e 's|systemd.mask=usr-share-oem.mount||g' "${GRUB_FILE}"
+
+  # TODO: Remove this fix once the upstream customizer fixed the bug.
+  # Fix a string manipulation bug in the dm part of the kernel cmd.
+  if grep -q "dm-m2d" "${GRUB_FILE}"; then
+    sed -i -e 's|dm-m2d|dm-mod|g' "${GRUB_FILE}"
+    sed -i -e 's|,oemroot|;oemroot|g' "${GRUB_FILE}"
+  fi
+
+  # Print grub.cfg's kernel command line.
+  grep -i '^\s*linux' "${GRUB_FILE}" | \
+    sed -e 's|.*|[BEGIN_CS_GRUB_CMDLINE]&[END_CS_GRUB_CMDLINE]|g'
+
+  # Convert grub.cfg's kernel command line into what GRUB passes to the kernel.
+  grep -i '^\s*linux' "${GRUB_FILE}" | \
+    sed -e "s|'ds=nocloud;s=/usr/share/oem/'|ds=nocloud;s=/usr/share/oem/|g" | \
+    sed -e 's|\\"|"|g' | \
+    sed -e 's|dm-mod.create="|"dm-mod.create=|g' | \
+    sed -e 's|.*|[BEGIN_CS_CMDLINE]&[END_CS_CMDLINE]|g'
+}
+
+main() {
+  configure_entrypoint
+  append_cmdline "cos.protected_stateful_partition=m"
+  append_cmdline "systemd.default_timeout_start_sec=900s"
+  if [[ "${IMAGE_ENV}" == "debug" ]]; then
+    configure_systemd_units_for_debug
+    append_cmdline "confidential-space.hardened=false"
+  elif [[ "${IMAGE_ENV}" == "hardened" ]]; then
+    configure_systemd_units_for_hardened
+    append_cmdline "confidential-space.hardened=true"
+  fi
+  fix_oem
+}
+
+main

launcher/image/cchost/preload-dir/confidential_space/boot-disk-size-consistency-monitor-cs.json

@@ -0,0 +1,12 @@
+{
+    "plugin": "custom",
+    "pluginConfig": {
+      "invoke_interval": "30m",
+      "timeout": "7s",
+      "max_output_length": 80,
+      "enable_message_change_based_condition_update": false
+    },
+    "source": "boot-disk-size-consistency-monitor",
+    "metricsReporting": false,
+    "rules": []
+  }

launcher/image/cchost/preload-dir/confidential_space/container-runner.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Confidential Space Launcher
+Wants=network-online.target gcr-online.target containerd.service
+After=network-online.target gcr-online.target containerd.service
+
+[Service]
+ExecStart=/usr/share/oem/confidential_space/cs_container_launcher
+ExecStopPost=/usr/share/oem/confidential_space/exit_script.sh
+Restart=no
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target

launcher/image/cchost/preload-dir/confidential_space/docker-monitor-cs.json

@@ -0,0 +1,12 @@
+{
+	"plugin": "journald",
+	"pluginConfig": {
+		"source": "dockerd"
+	},
+	"logPath": "/var/log/journal",
+	"lookback": "5m",
+	"bufferSize": 10,
+	"source": "docker-monitor",
+	"metricsReporting": false,
+	"conditions": []
+}

launcher/image/cchost/preload-dir/confidential_space/exit_script.sh

@@ -0,0 +1,13 @@
+#! /bin/bash
+
+if [[ $EXIT_STATUS -eq 3 ]]
+then
+	# reboot after 2 min
+	shutdown --reboot +2
+fi
+
+if [[ $EXIT_STATUS -eq 0 ]] || [[ $EXIT_STATUS -eq 1 ]] || [[ $EXIT_STATUS -eq 2 ]]
+then
+	# poweroff after 2 min
+	shutdown --poweroff +2
+fi

launcher/image/cchost/preload-dir/confidential_space/fluent-bit-cs.conf

@@ -0,0 +1,65 @@
+#
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Forked from https://cos.googlesource.com/cos/overlays/board-overlays/+/refs/heads/master/project-lakitu/app-admin/fluent-bit/files/fluent-bit.conf
+
+[SERVICE]
+    # Flush
+    # =====
+    # set an interval of seconds before to flush records to a destination
+    flush        1
+    # Daemon
+    # ======
+    # instruct Fluent Bit to run in foreground or background mode.
+    daemon       Off
+    # Log_Level
+    # =========
+    # Set the verbosity level of the service, values can be:
+    #
+    # - error
+    # - warning
+    # - info
+    # - debug
+    # - trace
+    #
+    # by default 'info' is set, that means it includes 'error' and 'warning'.
+    log_level    info
+    # Storage
+    # =======
+    # Fluent Bit can use memory and filesystem buffering based mechanisms
+    #
+    # - https://docs.fluentbit.io/manual/administration/buffering-and-storage
+    #
+    # storage metrics
+    # ---------------
+    # publish storage pipeline metrics in '/api/v1/storage'. The metrics are
+    # exported only if the 'http_server' option is enabled.
+    #
+    storage.metrics on
+
+# Collects CS launcher and workload logs.
+[INPUT]
+    Name systemd
+    Tag  confidential-space-launcher
+    Systemd_Filter _SYSTEMD_UNIT=container-runner.service
+    DB /var/log/google-fluentbit/container-runner.log.db
+    Read_From_Tail False
+
+[OUTPUT]
+    Name        stackdriver
+    Match       *
+    Resource    gce_instance
+    severity_key severity

launcher/image/cchost/preload-dir/confidential_space/kernel-monitor-cs.json

@@ -0,0 +1,10 @@
+{
+	"plugin": "kmsg",
+	"logPath": "/dev/kmsg",
+	"lookback": "5m",
+	"bufferSize": 10,
+	"source": "kernel-monitor",
+	"metricsReporting": false,
+	"conditions": [],
+	"rules": []
+}

launcher/image/cchost/preload-dir/confidential_space/system-stats-monitor-cs.json

@@ -0,0 +1,10 @@
+{
+    "memory": {
+      "metricsConfigs": {
+        "memory/bytes_used": {
+          "displayName": "memory/bytes_used"
+        }
+      }
+    },
+    "invokeInterval": "60s"
+}