confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0

Release KBS Client Binary #333

Open fitzthum opened 5 months ago

fitzthum commented 5 months ago

It would be handy if we released a binary for the KBS client. Unlike the services that we already release, we probably don't want this to be a standalone container image. We could use something like oras to provide a binary via a registry. We should be able to push a staged and release version of the client tool just like we do with the other components.

We'll also want to consider multiple platforms.

wainersm commented 5 months ago

It would be useful for the Kata CI where we are working to have attestation tests (https://github.com/kata-containers/kata-containers/pull/9114) and we'd like to avoid having to compile the client. Kata CI intends to consume released versions of the KBS project, so technically a binary within a tarball each release would be sufficient; however, we might end up in a situation where we need to track a commit (to consume a fix), so having staged binaries is much more flexible.

One concern, regardless of whether it is an executable in a tarball or oras, is that it will be required to be statically compiled. Due to some dependencies on attester implementations, it might not be feasible. An alternative to try is to compile with the sample_only feature, reducing the dependencies, but then the resulting kbs-client will only be used for configuration.

Cc @mkulke @fitzthum @portersrc

portersrc commented 5 months ago

Not sure if you'd confirmed the dependencies on sample_only, but it's indeed a trimmer list (no libcrypto dependency, etc.):


```
$ ldd kbs-client
        linux-vdso.so.1 (0x00007ffdd55d6000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ae2099000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ae1fb2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ae0a00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ae20ca000)
```

wainersm commented 4 months ago

Hi @portersrc !

> Not sure if you'd confirmed the dependencies on sample_only, but it's indeed a trimmer list (no libcrypto dependency, etc.):
>
> ```
> $ ldd kbs-client
>         linux-vdso.so.1 (0x00007ffdd55d6000)
>         libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ae2099000)
>         libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ae1fb2000)
>         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ae0a00000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007f2ae20ca000)
> ```

It seems easy to get the sample_only built statically on Ubuntu then. Thanks for checking it out!

portersrc commented 3 months ago

PR 349 is merged, which seems to have successfully triggered an oras push, and kbs-client is now available here: https://github.com/confidential-containers/trustee/pkgs/container/staged-images%2Fkbs-client

```
$ oras pull ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-x86_64-linux-gnu-ac59d337bbacc36990f71ced3de2e86619f236d3
Downloading 999bf5866c77 kbs-client
Downloaded  999bf5866c77 kbs-client
Pulled [registry] ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-x86_64-linux-gnu-ac59d337bbacc36990f71ced3de2e86619f236d3
Digest: sha256:7569fc4761d9c1d765f33a840efda82b8409345f0022893ccef188b0322e50b2
$ ls
kbs-client
$ chmod +x kbs-client
$ ./kbs-client --version
KBS client 0.1.0
$ ldd kbs-client
        statically linked
```

Do we want to add more platforms?
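
The static-linking requirement discussed in this thread can be checked mechanically before a binary is pushed. The following is an added example, not part of the thread or of the trustee project's code: a hypothetical `ldd_verdict` function that classifies saved `ldd` output, run here on the two outputs quoted above (embedded as sample data).

```shell
#!/bin/sh
# Added example (hypothetical helper, not trustee code): decide from `ldd`
# output whether a release artifact is static, and if not, which shared
# objects it needs. Reads ldd output on stdin.
# Exit status: 0 = static, 1 = dynamic, 2 = no usable input (fail closed).
ldd_verdict() {
    _in=$(cat)
    # glibc's ldd reports a static binary with one of these two messages.
    if printf '%s\n' "$_in" | grep -Eq 'statically linked|not a dynamic executable'; then
        echo "static"
        return 0
    fi
    _libs=$(printf '%s\n' "$_in" | awk '
        # "libm.so.6 => /path/libm.so.6 (0x...)": soname is field 1
        $2 == "=>"  { print $1; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)": loader given by path
        $1 ~ /^\//  { n = split($1, p, "/"); print p[n] }
        # "linux-vdso.so.1 (0x...)" is kernel-provided, so it is skipped
    ' | LC_ALL=C sort -u | tr '\n' ' ')
    _libs=${_libs% }
    [ -n "$_libs" ] || { echo "unknown"; return 2; }
    echo "dynamic: $_libs"
    return 1
}

# Sample data: the two ldd outputs quoted in the thread.
SAMPLE_DYNAMIC='        linux-vdso.so.1 (0x00007ffdd55d6000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ae2099000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ae1fb2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ae0a00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ae20ca000)'
SAMPLE_STATIC='        statically linked'

for s in "$SAMPLE_DYNAMIC" "$SAMPLE_STATIC"; do
    printf '%s\n' "$s" | ldd_verdict || echo "  -> release gate fails (exit $?)"
done
```

In CI the input would come from `ldd ./kbs-client`. For a binary that has not been verified yet, inspect `objdump -p ./kbs-client | grep NEEDED` instead, as the ldd man page advises, because ldd may run the file.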