Add CoCo guest components to dstack rootfs #78
Draft
kvinwang wants to merge 1 commit into
Pull request overview
This PR extends the meta-dstack Yocto layer to produce a dstack guest rootfs that can boot as a Kata/CoCo confidential guest, including guest-pull compatibility assets (default OPA policy, ocicrypt config, and a static pause bundle) and a documented Kubernetes/Kata TDX smoke-test flow.
Changes:
- Add a new `kata-agent-coco` recipe (Kata Rust agent with initdata + agent-policy support) and a `coco-guest-components` recipe (AA/CDH/REST API server + pause bundle + configs).
- Include the new CoCo/Kata packages in the `dstack-rootfs` image composition.
- Add documentation for building, packaging, and running a Kubernetes/Kata TDX smoke test.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Links to the new CoCo/Kata Kubernetes smoke-test guide. |
| meta-dstack/recipes-core/kata-agent/kata-agent-coco_git.bb | New Yocto recipe to build/install a modern Kata agent with initdata/policy support. |
| meta-dstack/recipes-core/kata-agent/files/0001-kata-agent-build-with-rust-1.92.patch | Patch to make the selected Kata revision build with Rust 1.92. |
| meta-dstack/recipes-core/images/dstack-rootfs-base.inc | Adds kata-agent-coco and coco-guest-components to the rootfs image install set. |
| meta-dstack/recipes-core/coco-guest-components/coco-guest-components.bb | New Yocto recipe building CoCo guest components and installing compatibility configs/bundle. |
| meta-dstack/recipes-core/coco-guest-components/files/pause-config.json | Adds a static pause OCI config used by Kata guest-pull sandbox creation. |
| meta-dstack/recipes-core/coco-guest-components/files/ocicrypt_config.json | Adds ocicrypt key-provider config pointing at the CDH socket. |
| meta-dstack/recipes-core/coco-guest-components/files/confidential-data-hub.conf | Default CDH config using offline_fs_kbc and a fixed ttRPC socket path. |
| meta-dstack/recipes-core/coco-guest-components/files/coco-pause.c | Minimal static pause binary source for the synthesized sandbox rootfs. |
| meta-dstack/recipes-core/coco-guest-components/files/coco-confidential-data-hub.service | Systemd unit for ttrpc-cdh (installed but not auto-enabled). |
| meta-dstack/recipes-core/coco-guest-components/files/coco-attestation-agent.service | Systemd unit for ttrpc-aa (installed but not auto-enabled). |
| meta-dstack/recipes-core/coco-guest-components/files/coco-api-server-rest.service | Systemd unit for api-server-rest (installed but not auto-enabled). |
| meta-dstack/recipes-core/coco-guest-components/files/attestation-agent.conf | Default AA config for the initial smoke-test flow. |
| docs/coco-k8s-testing.md | End-to-end guide for building the rootfs and running a Kata TDX Kubernetes smoke test with initdata. |
Comment on lines +103 to +116
| export CARGO_BUILD_FLAGS="-C rpath" | ||
| export CARGO_PROFILE_RELEASE_DEBUG="true" | ||
|
|
||
| # The CC crate defaults to using CFLAGS when compiling everything. We can | ||
| # give it custom flags for compiling on the host. | ||
| export HOST_CXXFLAGS="" | ||
| export HOST_CFLAGS="" | ||
|
|
||
| bbnote "which rustc:" `which rustc` | ||
| bbnote "rustc --version" `rustc --version` | ||
| bbnote "which cargo:" `which cargo` | ||
| bbnote "cargo --version" `cargo --version` | ||
| bbnote cargo build ${CARGO_BUILD_FLAGS} | ||
| cargo build ${CARGO_BUILD_FLAGS} |
|
|
||
| PROVIDES += "kata-agent" | ||
| RPROVIDES:${PN} += "kata-agent" | ||
| RDEPENDS:${PN} += "bash systemd" |
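Review bot: `cargo build ${CARGO_BUILD_FLAGS}` with `CARGO_BUILD_FLAGS="-C rpath"` hands a rustc codegen option to cargo, and `cargo build` does not accept `-C` (on stable it is rejected as an unexpected argument; on nightly `-C` is a change-directory flag, not a codegen one), so this line cannot work as written; if an rpath is really wanted it belongs in `RUSTFLAGS` (`export RUSTFLAGS="-C rpath"`), though for a binary shipped in the guest rootfs an rpath is normally undesirable and Yocto's QA checks will flag build-tree rpaths, so dropping it is the simpler fix. Nothing in these lines selects `--release` or `--target`, so unless the recipe relies on `cargo.bbclass` configuration elsewhere this produces an unoptimized build for the host target, and `CARGO_PROFILE_RELEASE_DEBUG="true"` then has no effect (when the release profile is selected it adds full debug info to the agent; `CARGO_PROFILE_RELEASE_DEBUG=line-tables-only` or stripping at install time keeps the rootfs small). The `bbnote` lines recording `rustc --version` and `cargo --version` are a good reproducibility aid and can stay.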
Summary
- `dstack-rootfs` and document the Kubernetes/Kata TDX smoke-test flow
- `dstack` submodule to the latest tested revision

Testing
- `bitbake dstack-rootfs`
- `dstack-rootfs-dstack.cpio` and booted it with `runtimeClassName: kata-qemu-tdx`
- `Running` and logged: `hello-from-dstack-coco`, `Linux dstack-coco-mvp-test 6.18.24-dstack ... x86_64 GNU/Linux`