Merge pull request #193 from confidential-containers/dependabot/go_mo… #413
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: enclave-cc e2e test | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
env: | |
CONTAINERD_VERSION: 1.6.8.1 | |
permissions: | |
contents: read | |
jobs: | |
e2e: | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- runner: sgx-ecc | |
sgx_mode: HW | |
kbc: cc-kbc | |
- runner: ubuntu-22.04 | |
sgx_mode: SIM | |
kbc: sample-kbc | |
name: SGX_MODE=${{ matrix.sgx_mode }} KBC=${{ matrix.kbc }} | |
runs-on: ${{ matrix.runner }} | |
env: | |
SGX_MODE: ${{ matrix.sgx_mode }} | |
KBC: ${{ matrix.kbc }} | |
PAYLOAD_ARTIFACTS: ${{ github.workspace }}/coco | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc | |
- uses: actions/setup-go@v4 | |
with: | |
check-latest: true | |
go-version-file: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.mod | |
cache-dependency-path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.sum | |
- name: Install confidential-containers/containerd | |
if: ${{ matrix.runner == 'ubuntu-22.04' }} | |
run: | | |
curl -fsSL https://github.com/confidential-containers/containerd/releases/download/v$CONTAINERD_VERSION/cri-containerd-cni-$CONTAINERD_VERSION-linux-amd64.tar.gz | sudo tar zx -C / | |
- name: Configure and start containerd | |
if: ${{ matrix.runner == 'ubuntu-22.04' }} | |
run: | | |
sudo mkdir /run/containerd-test | |
/usr/local/bin/containerd config default | sed -e 's:\(/[a-z]*/containerd\):\1-test:'| tee $PWD/containerd-test.toml | |
cat <<EOF | tee -a $PWD/containerd-test.toml | |
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.enclavecc] | |
cri_handler = "cc" | |
runtime_type = "io.containerd.rune.v2" | |
EOF | |
echo "runtime-endpoint: unix:///run/containerd-test/containerd.sock" | sudo tee /etc/crictl.yaml | |
sudo /usr/local/bin/containerd -c $PWD/containerd-test.toml -l debug & | |
sleep 5 | |
- name: Test containerd is running | |
run: | | |
sudo crictl info | |
test $(sudo crictl info | jq '.config.containerd.runtimes.enclavecc|length') != 0 | |
- name: Install io.containerd.rune.v2 | |
run: | | |
make binaries | |
sudo ln -sf $PWD/bin/containerd-shim-rune-v2 /usr/local/bin/containerd-shim-rune-v2 | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim | |
- name: Configure io.containerd.rune.v2 | |
if: ${{ matrix.runner == 'ubuntu-22.04' }} | |
run: | | |
sudo mkdir /etc/enclave-cc | |
sed -e 's#\(.*container_instance = "\)\(.*\)$#\1'$PAYLOAD_ARTIFACTS'\2#g' config/config.toml | sudo tee /etc/enclave-cc/config.toml | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim | |
- name: Build agent-enclave bundle | |
run: | | |
mkdir $PAYLOAD_ARTIFACTS | |
docker build . -f tools/packaging/build/agent-enclave-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t agent-instance:build | |
docker export $(docker create agent-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/agent-instance.tar | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc | |
- name: Install config.json for agent-enclave bundle | |
run: | | |
jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/tools/packaging/build/agent-enclave-bundle | |
- name: Build boot-instance bundle | |
run: | | |
docker build . -f tools/packaging/build/boot-instance-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} -t boot-instance:build | |
docker export $(docker create boot-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/boot-instance.tar | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc | |
- name: Install enclave-cc bundles | |
run: | | |
mkdir -p opt/confidential-containers/share/enclave-cc-agent-instance/rootfs | |
sudo tar -xf agent-instance.tar -C opt/confidential-containers/share/enclave-cc-agent-instance/rootfs | |
cp config.json opt/confidential-containers/share/enclave-cc-agent-instance/ | |
mkdir -p opt/confidential-containers/share/enclave-cc-boot-instance/rootfs | |
sudo tar -xf boot-instance.tar -C opt/confidential-containers/share/enclave-cc-boot-instance/rootfs | |
working-directory: ${{env.PAYLOAD_ARTIFACTS}} | |
- name: Install decrypt_config.conf and ocicrypt.conf for agent-enclave bundle | |
run: | | |
sudo install -D -t $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs ocicrypt.conf | |
sudo install decrypt_config-$SGX_MODE-$KBC.conf $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e | |
- name: Test image pull and unpack | |
if: ${{ matrix.sgx_mode == 'SIM' }} | |
run: | | |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json) | |
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-unencrypted-$SGX_MODE.json sandbox.json) | |
sudo crictl start $CONTAINER_ID | |
sleep 5 | |
sudo crictl logs $CONTAINER_ID | |
sudo crictl -t 10s stopp $SANDBOX_ID || true | |
sudo crictl -t 10s rmp $SANDBOX_ID || true | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e | |
- name: Test image decryption | |
run: | | |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json) | |
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-encrypted-$SGX_MODE-$KBC.json sandbox.json) | |
sudo crictl start $CONTAINER_ID | |
sleep 5 | |
sudo crictl logs $CONTAINER_ID | |
sudo crictl -t 10s stopp $SANDBOX_ID || true | |
sudo crictl -t 10s rmp $SANDBOX_ID || true | |
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e |