Codify the creation of test containers

Signed-off-by: Chris Porter <[email protected]>

.github/workflows/porter-gha-testing.yaml

@@ -0,0 +1,191 @@
+name: Porter GHA Testing
+run-name: ${{ github.actor }} is doing the porter GHA testing
+on: [push]
+jobs:
+  Explore-GitHub-Actions:
+    env:
+      RUSTC_VERSION: 1.72.0
+    #runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    #runs-on: self-hosted
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Check out guest-components
+        uses: actions/checkout@v4
+        with:
+          repository: confidential-containers/guest-components
+          ref: refs/heads/main
+          path: ./guest-components
+      - name: Install Protoc
+        uses: arduino/setup-protoc@v3
+      - name: Import [email protected] key
+        working-directory: container-images
+        run: gpg --batch --import keys/sign/github-runner.keys
+      - name: Install expect
+        run: sudo apt-get install -y expect
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: "v2.4.1"
+      - name: Log in to ghcr
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # 0. all
+      - name: Make all
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+        run: |
+          cd guest-components/attestation-agent/coco_keyprovider
+          cargo build --release
+          RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+          cd ../../../container-images
+          echo "Waiting for coco-keyprovider on localhost:50000"
+          timeout_count=1
+          while ! nc -z localhost 50000; do
+              timeout_count=$((timeout_count+1))
+              sleep 1
+              if [ $timeout_count == 5 ]; then
+                  echo "ERROR: Timed out. Exiting."
+                  exit 1
+              fi
+          done
+          echo "coco-keyprovider is ready"
+          make all
+      ## 1. unsig (works)
+      #- name: Make unsig
+      #  working-directory: container-images
+      #  run: make unsig
+      ## 2. cosign-sig (works)
+      #- name: Make cosign-sig
+      #  working-directory: container-images
+      #  env:
+      #    COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      #  run: make cosign-sig
+      ## 3. simple-sig (works)
+      #- name: Make simple-sig
+      #  working-directory: container-images
+      #  run: make simple-sig
+      ## 4. enc-unsig (works)
+      #- name: Launch coco-keyprovider and make enc-unsig
+      #  run: |
+      #    cd guest-components/attestation-agent/coco_keyprovider
+      #    cargo build --release
+      #    RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+      #    cd ../../../container-images
+      #    echo "Waiting for coco-keyprovider on localhost:50000"
+      #    timeout_count=1
+      #    while ! nc -z localhost 50000; do
+      #        timeout_count=$((timeout_count+1))
+      #        sleep 1
+      #        if [ $timeout_count == 5 ]; then
+      #            echo "ERROR: Timed out. Exiting."
+      #            exit 1
+      #        fi
+      #    done
+      #    echo "coco-keyprovider is ready"
+      #    make enc-unsig
+      ## 5. enc-cosign-sig (works)
+      #- name: Launch coco-keyprovider and make enc-cosign-sig
+      #  run: |
+      #    cd guest-components/attestation-agent/coco_keyprovider
+      #    cargo build --release
+      #    RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+      #    cd ../../../container-images
+      #    echo "Waiting for coco-keyprovider on localhost:50000"
+      #    timeout_count=1
+      #    while ! nc -z localhost 50000; do
+      #        timeout_count=$((timeout_count+1))
+      #        sleep 1
+      #        if [ $timeout_count == 5 ]; then
+      #            echo "ERROR: Timed out. Exiting."
+      #            exit 1
+      #        fi
+      #    done
+      #    echo "coco-keyprovider is ready"
+      #    make enc-cosign-sig
+      ## 6. test-container-unencrypted (works)
+      #- name: Make test-container-unencrypted
+      #  working-directory: container-images
+      #  run: make test-container-unencrypted
+      ## 7. test-container-encrypted (works)
+      #- name: Make test-container-encrypted
+      #  run: |
+      #    cd guest-components/attestation-agent/coco_keyprovider
+      #    cargo build --release
+      #    RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000 &
+      #    cd ../../../container-images
+      #    echo "Waiting for coco-keyprovider on localhost:50000"
+      #    timeout_count=1
+      #    while ! nc -z localhost 50000; do
+      #        timeout_count=$((timeout_count+1))
+      #        sleep 1
+      #        if [ $timeout_count == 5 ]; then
+      #            echo "ERROR: Timed out. Exiting."
+      #            exit 1
+      #        fi
+      #    done
+      #    echo "coco-keyprovider is ready"
+      #    make test-container-encrypted
+      ## 8. busybox (works)
+      #- name: Make busybox
+      #  working-directory: container-images
+      #  run: make busybox
+      #
+      #
+      #
+      #
+      #
+      #
+      #
+      #
+      #
+      #
+      #
+      #- name: runc version check
+      #  run: |
+      #    runc --version
+      #- name: Basic echo and docker version
+      #  run: |
+      #    echo "Start 1"
+      #    docker --version
+      #    echo "End"
+      #- name: Check if gcc is here
+      #  run: |
+      #    gcc -dumpmachine
+      #- name: What is my whatever
+      #  run: |
+      #    which clang
+      #- name: build main.c
+      #  working-directory: try-static-link
+      #  run: |
+      #    gcc main.c
+      #    ldd a.out
+      #- name: build main.c with static link
+      #  working-directory: try-static-link
+      #  run: |
+      #    gcc -static main.c
+      #    ldd a.out
+      #- name: Check for oras
+      #  run: |
+      #    oras --help
+      #- name: Check for rustc
+      #  run: |
+      #    rustc --version
+      #- name: Check gpg
+      #  run: |
+      #    gpg --version
+      #- name: Rust toolchain installation
+      #  uses: actions-rs/toolchain@v1
+      #  with:
+      #    profile: minimal
+      #    toolchain: ${{ env.RUSTC_VERSION }}
+      #    override: true
+      #    components: rustfmt, clippy
+      #    target: x86_64-unknown-linux-gnu
+      #- name: Check for nc
+      #  run: nc -h

container-images/Makefile

@@ -0,0 +1,118 @@
+#
+# This makefile's targets rebuild various container images that can be used
+# for development and testing in the CoCo project.
+# They also are intended to serve as an up-to-date reference for creating
+# new images.
+#
+# Note: The targets push to ghcr, which requires proper credentials and
+# `docker login`.
+#
+
+.PHONY: unsig \
+cosign-sig \
+simple-sig \
+enc-unsig \
+enc-cosign-sig \
+test-container-unencrypted \
+test-container-encrypted \
+busybox
+
+SHELL=/bin/bash
+
+
+# FIXME need to choose sane package URLs/names/tags
+COCO_PKG=confidential-containers/test-container
+COCO_PKG_IMGRS=confidential-cointainers/test-container-image-rs
+
+
+
+all: \
+    unsig \
+    cosign-sig \
+    simple-sig \
+    enc-unsig \
+    enc-cosign-sig \
+    test-container-unencrypted \
+    test-container-encrypted \
+    busybox
+
+
+
+unsig:
+	docker build \
+      -t ghcr.io/$(COCO_PKG):unsig \
+      -f dockerfiles/alpine-with-sshd/Dockerfile \
+      .
+	docker push ghcr.io/$(COCO_PKG):unsig
+
+
+cosign-sig:
+	docker build \
+      -t ghcr.io/$(COCO_PKG):cosign-sig \
+      -f dockerfiles/alpine-with-sshd/Dockerfile \
+      .
+	docker push ghcr.io/$(COCO_PKG):cosign-sig
+	# FIXME Replace expect script with something better
+	${CURDIR}/scripts/make-cosign-sig.exp $(COCO_PKG) cosign-sig
+
+
+# NOTE: This depends on a gpg key owned by [email protected].
+# That is, before issuing this make target, have to do something like:
+#   $ gpg --batch --import ./keys/sign/github-runner.keys
+simple-sig:
+	skopeo \
+      copy \
+      --debug \
+      --insecure-policy \
+      --sign-by [email protected] \
+      --sign-passphrase-file $(shell pwd)/keys/sign/git-runner-password.txt \
+      docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+      docker://ghcr.io/$(COCO_PKG):simple-sig
+
+
+# NOTE: This requires coco-keyprovider running from guest-components...
+# That is, before issuing this make target, have to do something like:
+#   $ cd guest-components/attestation-agent/coco_keyprovider
+#   $ RUST_LOG=coco_keyprovider cargo run --release -- --socket 127.0.0.1:50000
+enc-unsig: unsig
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+    skopeo copy \
+      --insecure-policy \
+      --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+      docker-daemon:ghcr.io/$(COCO_PKG):unsig \
+      docker://ghcr.io/$(COCO_PKG):enc-unsig
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+# NOTE: see cosign-sig about replacing expect script
+enc-cosign-sig: cosign-sig
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+    skopeo copy \
+      --insecure-policy \
+      --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+      docker-daemon:ghcr.io/$(COCO_PKG):cosign-sig \
+      docker://ghcr.io/$(COCO_PKG):enc-cosign-sig
+	./scripts/make-cosign-sig.exp $(COCO_PKG) enc-cosign-sig
+
+
+test-container-unencrypted:
+	docker build \
+      -t ghcr.io/$(COCO_PKG):unencrypted \
+      -f dockerfiles/alpine-with-sshd/Dockerfile \
+      .
+	docker push ghcr.io/$(COCO_PKG):unencrypted
+
+
+# NOTE: see enc-unsig about coco-keyprovider
+test-container-encrypted: test-container-unencrypted
+	OCICRYPT_KEYPROVIDER_CONFIG="$(shell pwd)/configs/ocicrypt.conf" \
+    skopeo copy \
+      --insecure-policy \
+      --encryption-key provider:attestation-agent:keypath=$(shell pwd)/keys/encrypt/key1::keyid=kbs:///default/key/key_id1::algorithm=A256GCM \
+      docker-daemon:ghcr.io/$(COCO_PKG):unencrypted \
+      docker://ghcr.io/$(COCO_PKG):encrypted
+
+
+busybox:
+	docker build -t ghcr.io/$(COCO_PKG_IMGRS):busybox dockerfiles/busybox
+	docker push ghcr.io/$(COCO_PKG_IMGRS):busybox

container-images/configs/ocicrypt-simplekbs.conf

@@ -0,0 +1,5 @@
+{
+  "key-providers": {
+    "attestation-agent": {
+      "grpc": "127.0.0.1:44444"
+}}}

container-images/configs/ocicrypt.conf

@@ -0,0 +1,5 @@
+{
+  "key-providers": {
+    "attestation-agent": {
+      "grpc": "127.0.0.1:50000"
+}}}

container-images/dockerfiles/alpine-with-sshd/Dockerfile

@@ -0,0 +1,21 @@
+FROM alpine:3.14
+RUN apk update && apk upgrade && apk add openssh-server
+
+# Use the ssh-demo image's legacy keys. To generate new ones, can do something
+# like:
+#   RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
+COPY keys/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key
+COPY keys/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ed25519_key.pub
+
+# A password needs to be set for login to work. An empty password is
+# unproblematic as password-based login to root is not allowed.
+RUN passwd -d root
+
+# Use the ssh-demo user/client's legacy keys. To generate new ones, can do
+# something like:
+#   $ ssh-keygen -t ed25519 -f ccv0-ssh -P "" -C ""`
+COPY keys/ssh/ccv0-ssh.pub /root/.ssh/authorized_keys
+ENTRYPOINT /usr/sbin/sshd -D
+
+# Can connect to the running container with something like:
+#   $ ssh -i keys/ssh/ccv0-ssh root@<container-ip-addr>