Add CoCo guest components to dstack rootfs #78

Draft
kvinwang wants to merge 1 commit into main from feat/coco-guest-components-integration

Conversation

@kvinwang (Collaborator) commented Jul 3, 2026

Summary

  • add Yocto recipes for the CoCo guest components and a modern Kata agent with initdata/policy support
  • include the compatibility files required by Kata confidential guest-pull: default OPA policy, ocicrypt config, and a static pause bundle
  • install the CoCo/Kata pieces into dstack-rootfs and document the Kubernetes/Kata TDX smoke-test flow
  • update the dstack submodule to the latest tested revision

Testing

  • bitbake dstack-rootfs
  • Built an ext4 Kata guest image from dstack-rootfs-dstack.cpio and booted it with runtimeClassName: kata-qemu-tdx
  • Verified the test Pod reached Running and logged:
    • hello-from-dstack-coco
    • Linux dstack-coco-mvp-test 6.18.24-dstack ... x86_64 GNU/Linux
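The smoke-test flow described in the Testing section, written out as an added POSIX shell script that is not code from PR #78 or from the meta-dstack project: it turns the Yocto cpio rootfs into an ext4 Kata guest image, runs a Pod with `runtimeClassName: kata-qemu-tdx`, waits for it to reach Running, and checks the logs for the two markers the author verified. The argument layout, the `busybox:1.36` image, the `coco-smoke.sh` script name, `mkfs.ext4 -d` (e2fsprogs 1.43 or newer) and `kubectl wait --for=jsonpath` (kubectl 1.23 or newer) are assumptions; no initdata is attached because the page does not show its contents.

```shell
#!/bin/sh
# Added example, not code from PR #78 or the meta-dstack project.
# Reproduces the smoke test described in the PR text:
#   1. turn the Yocto cpio rootfs into an ext4 guest image,
#   2. run a Pod with runtimeClassName kata-qemu-tdx,
#   3. check that it reaches Running and logs the expected markers.
# Assumptions (not from the page): argument layout, the busybox image,
# `mkfs.ext4 -d` (e2fsprogs >= 1.43), `kubectl wait --for=jsonpath` (kubectl >= 1.23).
# No initdata is attached here; the page does not show its contents.
set -eu

# Step 1: extract the cpio archive and populate an ext4 image from it.
# Run as root so file ownership inside the archive is preserved.
make_ext4_from_cpio() {
  cpio_in=$1
  img_out=$2
  size_mib=${3:-2048}
  workdir=$(mktemp -d)
  mkdir -p "$workdir/root"
  (cd "$workdir/root" && cpio -idm < "$cpio_in")
  truncate -s "${size_mib}M" "$img_out"
  mkfs.ext4 -q -F -d "$workdir/root" "$img_out"
  rm -rf "$workdir"
}

# Step 2: Pod manifest; the container prints the two markers the PR author checked.
# "sleep" keeps the Pod in Running after the markers are logged.
smoke_pod_manifest() {
  name=${1:-dstack-coco-mvp-test}
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
spec:
  runtimeClassName: kata-qemu-tdx
  restartPolicy: Never
  containers:
    - name: smoke
      image: busybox:1.36
      command: ["sh", "-c", "echo hello-from-dstack-coco; uname -a; sleep 3600"]
EOF
}

# Step 3 (pure check): both markers must be present, and the uname line must
# name the Pod's hostname and a -dstack kernel, as in the PR's verification log.
check_smoke_logs() {
  logs=$1
  name=$2
  case "$logs" in
    *hello-from-dstack-coco*) ;;
    *) echo "missing hello-from-dstack-coco marker" >&2; return 1 ;;
  esac
  case "$logs" in
    *"Linux $name "*"-dstack "*) ;;
    *) echo "uname line missing or kernel is not a -dstack build" >&2; return 1 ;;
  esac
  return 0
}

# Step 3 (driver): apply the manifest, wait for Running, then poll the logs
# briefly because the container may not have written them yet at phase change.
run_smoke() {
  name=${1:-dstack-coco-mvp-test}
  smoke_pod_manifest "$name" | kubectl apply -f -
  kubectl wait --for=jsonpath='{.status.phase}'=Running "pod/$name" --timeout=300s
  i=0
  until check_smoke_logs "$(kubectl logs "pod/$name")" "$name" 2>/dev/null; do
    i=$((i + 1))
    [ "$i" -lt 10 ] || { echo "markers not found in logs of $name" >&2; return 1; }
    sleep 2
  done
  echo "smoke test passed for pod/$name"
}

# Side-effecting steps only run when a subcommand is given:
#   ./coco-smoke.sh image dstack-rootfs-dstack.cpio dstack-coco.img [size_mib]
#   ./coco-smoke.sh smoke [pod-name]
case "${1:-}" in
  image) make_ext4_from_cpio "${2:?cpio path}" "${3:?image path}" "${4:-2048}" ;;
  smoke) run_smoke "${2:-}" ;;
  *) ;;
esac
```

The log check is deliberately a separate function so it can be exercised without a cluster; the kernel-line test only confirms that the guest booted a `-dstack` kernel under the Pod's hostname, it does not verify attestation or initdata, which this PR description does not cover.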

Copilot AI review requested due to automatic review settings July 3, 2026 03:47

Copilot AI (Contributor) left a comment

Pull request overview

This PR extends the meta-dstack Yocto layer to produce a dstack guest rootfs that can boot as a Kata/CoCo confidential guest, including guest-pull compatibility assets (default OPA policy, ocicrypt config, and a static pause bundle) and a documented Kubernetes/Kata TDX smoke-test flow.

Changes:

  • Add a new kata-agent-coco recipe (Kata Rust agent with initdata + agent-policy support) and a coco-guest-components recipe (AA/CDH/REST API server + pause bundle + configs).
  • Include the new CoCo/Kata packages in dstack-rootfs image composition.
  • Add documentation for building, packaging, and running a Kubernetes/Kata TDX smoke test.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.

Summary per file:

  • README.md: Links to the new CoCo/Kata Kubernetes smoke-test guide.
  • meta-dstack/recipes-core/kata-agent/kata-agent-coco_git.bb: New Yocto recipe to build/install a modern Kata agent with initdata/policy support.
  • meta-dstack/recipes-core/kata-agent/files/0001-kata-agent-build-with-rust-1.92.patch: Patch to make the selected Kata revision build with Rust 1.92.
  • meta-dstack/recipes-core/images/dstack-rootfs-base.inc: Adds kata-agent-coco and coco-guest-components to the rootfs image install set.
  • meta-dstack/recipes-core/coco-guest-components/coco-guest-components.bb: New Yocto recipe building CoCo guest components and installing compatibility configs/bundle.
  • meta-dstack/recipes-core/coco-guest-components/files/pause-config.json: Adds a static pause OCI config used by Kata guest-pull sandbox creation.
  • meta-dstack/recipes-core/coco-guest-components/files/ocicrypt_config.json: Adds ocicrypt key-provider config pointing at the CDH socket.
  • meta-dstack/recipes-core/coco-guest-components/files/confidential-data-hub.conf: Default CDH config using offline_fs_kbc and a fixed ttRPC socket path.
  • meta-dstack/recipes-core/coco-guest-components/files/coco-pause.c: Minimal static pause binary source for the synthesized sandbox rootfs.
  • meta-dstack/recipes-core/coco-guest-components/files/coco-confidential-data-hub.service: Systemd unit for ttrpc-cdh (installed but not auto-enabled).
  • meta-dstack/recipes-core/coco-guest-components/files/coco-attestation-agent.service: Systemd unit for ttrpc-aa (installed but not auto-enabled).
  • meta-dstack/recipes-core/coco-guest-components/files/coco-api-server-rest.service: Systemd unit for api-server-rest (installed but not auto-enabled).
  • meta-dstack/recipes-core/coco-guest-components/files/attestation-agent.conf: Default AA config for the initial smoke-test flow.
  • docs/coco-k8s-testing.md: End-to-end guide for building the rootfs and running a Kata TDX Kubernetes smoke test with initdata.


Comment on lines +103 to +116
export CARGO_BUILD_FLAGS="-C rpath"
export CARGO_PROFILE_RELEASE_DEBUG="true"

# The CC crate defaults to using CFLAGS when compiling everything. We can
# give it custom flags for compiling on the host.
export HOST_CXXFLAGS=""
export HOST_CFLAGS=""

bbnote "which rustc:" `which rustc`
bbnote "rustc --version" `rustc --version`
bbnote "which cargo:" `which cargo`
bbnote "cargo --version" `cargo --version`
bbnote cargo build ${CARGO_BUILD_FLAGS}
cargo build ${CARGO_BUILD_FLAGS}

PROVIDES += "kata-agent"
RPROVIDES:${PN} += "kata-agent"
RDEPENDS:${PN} += "bash systemd"
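Review bot: `export CARGO_BUILD_FLAGS="-C rpath"` followed by `cargo build ${CARGO_BUILD_FLAGS}` hands a rustc codegen option to cargo itself; `-C rpath` is a `rustc -C` flag, not a `cargo build` option, so stable cargo (which the Rust 1.92 patch in this PR targets) rejects `-C` as an unstable flag and `do_compile` fails before the agent is built. Move it to `RUSTFLAGS="-C rpath"` (or a `[build] rustflags` entry in the cargo config) and keep only real cargo options in `CARGO_BUILD_FLAGS`. Two smaller points in the same lines: no `--release` is passed, so this builds the debug profile even though `CARGO_PROFILE_RELEASE_DEBUG` suggests a release build was intended, and the `bbnote cargo build ${CARGO_BUILD_FLAGS}` line will keep logging whatever flags are used, which makes the mismatch easy to spot in the build log once fixed.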
kvinwang marked this pull request as draft July 3, 2026 03:52