Skip to content

Merge pull request #501 from confidential-containers/dependabot/cargo… #1053

Merge pull request #501 from confidential-containers/dependabot/cargo…

Merge pull request #501 from confidential-containers/dependabot/cargo… #1053

Workflow file for this run

name: enclave-cc e2e test
on:
push:
branches:
- main
pull_request:
branches:
- main
env:
CONTAINERD_VERSION: 1.6.8.1
permissions:
contents: read
jobs:
e2e:
strategy:
fail-fast: false
matrix:
include:
- runner: sgx
sgx_mode: HW
kbc: cc-kbc
- runner: ubuntu-22.04
sgx_mode: SIM
kbc: sample-kbc
name: SGX_MODE=${{ matrix.sgx_mode }} KBC=${{ matrix.kbc }}
runs-on: ${{ matrix.runner }}
env:
SGX_MODE: ${{ matrix.sgx_mode }}
KBC: ${{ matrix.kbc }}
PAYLOAD_ARTIFACTS: ${{ github.workspace }}/coco
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
with:
check-latest: true
go-version-file: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.mod
cache-dependency-path: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim/go.sum
- name: Install confidential-containers/containerd
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
curl -fsSL https://github.com/confidential-containers/containerd/releases/download/v$CONTAINERD_VERSION/cri-containerd-cni-$CONTAINERD_VERSION-linux-amd64.tar.gz | sudo tar zx -C /
- name: Configure and start containerd
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
sudo mkdir /run/containerd-test
/usr/local/bin/containerd config default | sed -e 's:\(/[a-z]*/containerd\):\1-test:'| tee $PWD/containerd-test.toml
cat <<EOF | tee -a $PWD/containerd-test.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.enclavecc]
cri_handler = "cc"
runtime_type = "io.containerd.rune.v2"
EOF
echo "runtime-endpoint: unix:///run/containerd-test/containerd.sock" | sudo tee /etc/crictl.yaml
sudo /usr/local/bin/containerd -c $PWD/containerd-test.toml -l debug &
sleep 5
- name: Test containerd is running
run: |
sudo crictl info
test $(sudo crictl info | jq '.config.containerd.runtimes.enclavecc|length') != 0
- name: Install io.containerd.rune.v2
run: |
make binaries
sudo ln -sf $PWD/bin/containerd-shim-rune-v2 /usr/local/bin/containerd-shim-rune-v2
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim
- name: Configure io.containerd.rune.v2
if: ${{ matrix.runner == 'ubuntu-22.04' }}
run: |
sudo mkdir /etc/enclave-cc
sed -e 's#\(.*container_instance = "\)\(.*\)$#\1'$PAYLOAD_ARTIFACTS'\2#g' config/config.toml | sudo tee /etc/enclave-cc/config.toml
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/src/shim
- name: Build unified bundle
run: |
mkdir $PAYLOAD_ARTIFACTS
docker build . -f tools/packaging/build/unified-bundle/Dockerfile --build-arg SGX_MODE=${SGX_MODE} --build-arg KBC=${KBC} -t unified-instance:build
docker export $(docker create unified-instance:build) | tee > ${PAYLOAD_ARTIFACTS}/unified-instance.tar
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc
- name: Install config.json for agent-enclave bundle
run: |
jq -a -f sgx-mode-config.filter config.json.template | tee ${PAYLOAD_ARTIFACTS}/config.json
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/tools/packaging/build/unified-bundle
- name: Install enclave-cc bundles
run: |
mkdir -p opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
sudo tar -xf unified-instance.tar -C opt/confidential-containers/share/enclave-cc-agent-instance/rootfs
cp config.json opt/confidential-containers/share/enclave-cc-agent-instance/
mkdir -p opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
sudo tar -xf unified-instance.tar -C opt/confidential-containers/share/enclave-cc-boot-instance/rootfs
working-directory: ${{env.PAYLOAD_ARTIFACTS}}
- name: Install decrypt_config.conf and ocicrypt.conf for agent-enclave bundle
run: |
sudo install -D -t $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs ocicrypt.conf
sudo install decrypt_config-$SGX_MODE-$KBC.conf $PAYLOAD_ARTIFACTS/opt/confidential-containers/share/enclave-cc-agent-instance/rootfs/configs/decrypt_config.conf
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e
- name: Test image pull and unpack
if: ${{ matrix.sgx_mode == 'SIM' }}
run: |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json)
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-unencrypted-$SGX_MODE.json sandbox.json)
sudo crictl start $CONTAINER_ID
sleep 5
sudo crictl logs $CONTAINER_ID
sudo crictl -t 10s stopp $SANDBOX_ID || true
sudo crictl -t 10s rmp $SANDBOX_ID || true
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e
- name: Test image decryption
run: |
SANDBOX_ID=$(sudo crictl runp --runtime enclavecc sandbox.json)
CONTAINER_ID=$(sudo crictl create --with-pull $SANDBOX_ID hello-world-encrypted-$SGX_MODE-$KBC.json sandbox.json)
sudo crictl start $CONTAINER_ID
sleep 5
sudo crictl logs $CONTAINER_ID
sudo crictl -t 10s stopp $SANDBOX_ID || true
sudo crictl -t 10s rmp $SANDBOX_ID || true
working-directory: ${{ github.workspace }}/src/github.com/confidential-containers/enclave-cc/test/e2e