
generate sbkeys scripts: change docker mounts #3287

Merged: 1 commit merged into bottlerocket-os:develop from sbkeys-mounts, Jul 25, 2023

Conversation

@webern (Contributor) commented Jul 24, 2023

Issue number:

Related to #2669 and Twoliter #14

Description of changes:

Because the new Twoliter build tool will execute docker run commands
from within a container that has the host docker socket mounted, it is
necessary for "inner" and "outer" bind mount paths to match.

Additionally, it was found that generate-aws-sbkeys needed
--network=host on at least some systems.

Testing done:

cargo make build-sbkeys works.

cargo make build-sbkeys
$ tree sbkeys
sbkeys
├── generate-aws-sbkeys
├── generate-local-sbkeys
├── local
│   ├── code-sign.crt
│   ├── code-sign.key
│   ├── config-sign.key
│   ├── db.crt
│   ├── db.key
│   ├── efi-vars.aws
│   ├── efi-vars.json
│   ├── KEK.crt
│   ├── KEK.key
│   ├── PK.crt
│   ├── PK.key
│   ├── shim-sign.crt
│   ├── shim-sign.key
│   ├── vendor.crt
│   └── vendor.key
└── README.md

I ran:

$ ./generate-aws-sbkeys \
  --sdk-image public.ecr.aws/bottlerocket/bottlerocket-sdk-x86_64:v0.33.0 \
  --aws-region us-west-2 \
  --pk-ca arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/aae216e7-e06c-4a3e-b47d-a6954a8bf9bc \
  --kek-ca arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/727a99c4-d5e3-4022-8814-14013150cdd8 \
  --db-ca arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/55e6854a-d705-484a-b645-9b99e510da9b \
  --vendor-ca arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/ae007fb7-d9d2-4205-9811-a809387c2698 \
  --shim-sign-key arn:aws:kms:us-west-2:123456789012:key/mrk-304fc2402af049908b9d370363cf2cb3 \
  --code-sign-key arn:aws:kms:us-west-2:123456789012:key/mrk-9da6264259be415d9e75a8ed423455b7 \
  --config-sign-key arn:aws:kms:us-west-2:123456789012:key/mrk-5e12880d47854da6baa0a7eec1f8eb94 \
  --output-dir ${PWD}/aws-sb-test-3

It worked and I got:

$ tree sbkeys
sbkeys
├── aws-sb-test-3
│   ├── config-sign.key
│   ├── db.crt
│   ├── efi-vars.aws
│   ├── efi-vars.json
│   ├── KEK.crt
│   ├── kms-sign.json
│   ├── PK.crt
│   └── vendor.crt

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
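The bind-mount point made in the description above, as an added example that is not code from this PR or from the Bottlerocket repository: the docker daemon resolves the source side of every `-v SRC:DST` mount in the host's filesystem namespace, not in the namespace of the container that issued `docker run`. When a build tool such as Twoliter drives docker through the host's mounted socket, a source path that only exists inside the calling container is silently created as an empty directory on the host, and the output lands somewhere nobody expected. Keeping SRC identical to DST at every nesting level makes one absolute path valid in all namespaces. The helper `sbkeys_mount_args` and the lint `check_mount_args` below are hypothetical names written for this example.

```shell
#!/bin/sh
# Added example (not from the Bottlerocket repository). Demonstrates the
# "inner and outer bind-mount paths must match" rule for docker-out-of-docker
# and a lint that catches a mismatched -v SRC:DST before anything is run.

# sbkeys_mount_args DIR: emit docker run arguments that bind-mount DIR at the
# same absolute path inside the container and make it the working directory.
# --network=host is passed through as the PR description says the AWS script
# needed it; this example does not claim why.
sbkeys_mount_args() {
    dir=$(cd "$1" && pwd -P) || return 1       # canonical absolute path
    printf -- '--network=host -v %s:%s -w %s' "$dir" "$dir" "$dir"
}

# check_mount_args ARGS...: lint a docker argument list. Returns 0 when every
# "-v SRC:DST[:opts]" or "--volume=SRC:DST[:opts]" has SRC identical to DST,
# 1 otherwise. Arguments that are not volume flags are skipped.
check_mount_args() {
    status=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -v|--volume) spec=$2; shift ;;      # flag followed by its value
            --volume=*)  spec=${1#*=} ;;        # flag and value in one word
            *) shift; continue ;;
        esac
        shift
        src=${spec%%:*}                         # text before the first ':'
        rest=${spec#*:}
        dst=${rest%%:*}                         # drop a trailing :ro / :z option
        if [ "$src" != "$dst" ]; then
            echo "mismatched bind mount: host=$src container=$dst" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demonstration using a constructed output directory.
if [ -z "${SBKEYS_EXAMPLE_NO_MAIN:-}" ]; then
    work=$(mktemp -d)
    # shellcheck disable=SC2046
    set -- $(sbkeys_mount_args "$work")
    check_mount_args "$@" && echo "ok: $*"
    # The pattern this PR moves away from: a path that exists only inside the
    # calling container would be created empty on the host by the daemon.
    check_mount_args -v /build/sbkeys:/out || echo "rejected as expected"
    rmdir "$work"
fi
```

The lint runs on the argument list only and never contacts a daemon, so it can sit in CI beside the scripts. Note that a container holding the host docker socket can start arbitrary privileged containers on that host, so this pattern carries exactly the trust placed in the build tool that uses it.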

@webern webern requested a review from bcressey July 24, 2023 18:21
@stmcginnis (Contributor) left a comment

Makes sense!

@bcressey (Contributor) left a comment

LGTM. For consistency it might make sense to give sbkeys/generate-aws-sbkeys the same treatment, so the pattern doesn't get copied from there to other scripts.

Does tools/docker-go need the same treatment?

@webern changed the title from "generate-local-sbkeys script: change docker mounts" to "generate sbkeys scripts: change docker mounts" Jul 25, 2023
@webern webern merged commit 24fa601 into bottlerocket-os:develop Jul 25, 2023
38 checks passed
@webern webern deleted the sbkeys-mounts branch July 25, 2023 22:33