Fix: Binary sevctl was absent from debian packages

Solution: Build `sevctl` using an upstream version of Rust (the version in Debian is not supported), and bundle it in the Debian packages. Add a setting in aleph-vm with the path of the bundled binary.
aleph-im · Jun 5, 2024 · 3f67be0 · 3f67be0
1 parent b63d248
commit 3f67be0
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 1 deletion.
diff --git a/.dockerignore b/.dockerignore
@@ -14,3 +14,4 @@
 **/data.tgz
 /pydantic/
 **/target
+/packaging/sevctl/target
diff --git a/.gitignore b/.gitignore
@@ -18,6 +18,7 @@ node_modules
 /runtimes/aleph-debian-11-python/rootfs/
 /packaging/aleph-vm/opt/
 /packaging/target/
+/packaging/sevctl/target/
 /packaging/repositories/*/db/
 /packaging/repositories/*/dists/
 /packaging/repositories/*/pool/

diff --git a/packaging/Makefile b/packaging/Makefile
@@ -18,13 +18,14 @@ debian-package-code:
 	pip3 install --target ./aleph-vm/opt/aleph-vm/ 'aleph-message==0.4.4' 'eth-account==0.10' 'sentry-sdk==1.31.0' 'qmp==1.1.0' 'superfluid==0.2.1' 'sqlalchemy[asyncio]>=2.0' 'aiosqlite==0.19.0' 'alembic==1.13.1' 'aiohttp_cors==0.7.0' 'pyroute2==0.7.12'
 	python3 -m compileall ./aleph-vm/opt/aleph-vm/
 
-debian-package-resources: firecracker-bins vmlinux download-ipfs-kubo
+debian-package-resources: firecracker-bins vmlinux download-ipfs-kubo sevctl-podman
 	rm -fr ./aleph-vm/opt/firecracker
 	mkdir -p ./aleph-vm/opt/firecracker
 	cp -pr ./target/vmlinux.bin ./aleph-vm/opt/firecracker/
 	cp -pr ./target/firecracker ./aleph-vm/opt/firecracker/
 	cp -pr ./target/jailer ./aleph-vm/opt/firecracker/
 	cp -pr ./target/kubo/kubo ./aleph-vm/opt/kubo
+	cp -pr ./target/sevctl ./aleph-vm/opt/sevctl
 
 firecracker-bins: target-dir build-dir
 	mkdir -p ./build/firecracker-release
@@ -45,6 +46,19 @@ download-ipfs-kubo: target-dir build-dir
 	mkdir -p ./target/kubo
 	curl -fsSL https://github.com/ipfs/kubo/releases/download/v0.23.0/kubo_v0.23.0_linux-amd64.tar.gz | tar -xz --directory ./target/kubo
 
+sevctl:
+	cd ./sevctl && cargo build --release --target x86_64-unknown-linux-gnu
+	./sevctl/target/x86_64-unknown-linux-gnu/release/sevctl ok
+	cp ./sevctl/target/x86_64-unknown-linux-gnu/release/sevctl ./target/sevctl
+
+sevctl-podman:
+	# Build sevctl inside an OCI Image with an upstream version of Rust.
+	# sevctl requires a version of Rust more recent than the one available in Debian stable.
+	podman build -t sevctl-builder-debian-12 -f ./debian-12-sevctl.dockerfile .
+	podman run --rm -v $(PWD)/target:/target sevctl-builder-debian-12
+	# Test the binary
+	./target/sevctl -V
+
 version:
 	python3 ./version_from_git.py --inplace deb aleph-vm/DEBIAN/control
 	python3 ./version_from_git.py --inplace __version__ ../src/aleph/vm/version.py

diff --git a/packaging/debian-12-sevctl.dockerfile b/packaging/debian-12-sevctl.dockerfile
@@ -0,0 +1,12 @@
+# Build sevctl inside an OCI Image with an upstream version of Rust.
+# sevctl requires a version of Rust more recent than the one available in Debian stable.
+# The binary built should be static and portable across Linux systems (to be validated).
+
+FROM rust:1.78.0-bookworm
+WORKDIR /opt
+RUN git clone --depth 1 --branch v0.4.3 https://github.com/virtee/sevctl.git
+WORKDIR /opt/sevctl
+RUN cargo build --release --target x86_64-unknown-linux-gnu
+
+VOLUME /target
+CMD cp /opt/sevctl/target/x86_64-unknown-linux-gnu/release/sevctl /target/sevctl
diff --git a/src/aleph/vm/conf.py b/src/aleph/vm/conf.py
@@ -177,6 +177,7 @@ class Settings(BaseSettings):
 
     FIRECRACKER_PATH = Path("/opt/firecracker/firecracker")
     JAILER_PATH = Path("/opt/firecracker/jailer")
+    SEV_CTL_PATH = Path("/opt/sevctl")
     LINUX_PATH = Path("/opt/firecracker/vmlinux.bin")
     INIT_TIMEOUT: float = 20.0