fix: build cvm on cvm hardware #5643
Conversation
zachary-bailey
requested review from
juan-lee,
UtheMan,
ganeshkumarashok,
anujmaheshwari1,
AlisonB319,
Devinwong,
lilypan26,
AbelHu,
junjiezhang1997,
jason1028kr,
djsly,
phealy,
r2k1 and
timmy-wright
as code owners
vhdbuilder/packer/init-variables.sh
Outdated
| @@ -111,6 +116,7 @@ if [ -z "${VNET_NAME}" ]; then | |||
| fi | |||
| fi | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Thanks for the call out!
| @@ -75,6 +75,10 @@ if [ "${OS_TYPE}" == "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" == "True" ]; then | |||
| TARGET_COMMAND_STRING+="--security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true" | |||
| fi | |||
|
|
|||
| if [ "${OS_TYPE}" == "Linux" ] && [ ${IMG_SKU} == "20_04-lts-cvm" ]; then | |||
| TARGET_COMMAND_STRING="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true" | |||
There was a problem hiding this comment.
If I made it +=, it would still have the VM size from standard images in the string, so I had to make it re write the whole string.
There was a problem hiding this comment.
Same question. What should the size be if arch==arm64 and OS_TYPE== Linux and img_sku=2004? Now it will be set to Standard_DC8ads_v5. Is this expected?
There was a problem hiding this comment.
If I made it +=, it would still have the VM size from standard images in the string, so I had to make it re write the whole string.
but will you not miss the FIPS setting if it's = ? For example --security-type TrustedLaunch
There was a problem hiding this comment.
This condition will only be met if ${IMG_SKU} == "20_04-lts-cvm"
"20_04-lts-cvm" is the IMG_SKU only for CVM, not for 2004 or FIPs in general.
For example the IMG_SKU for 2004fipscontainerd is 20_04-lts. They are all unique per SKU. So this can only execute on our CVM image.
There was a problem hiding this comment.
I see. So you are saying actually "${ENABLE_TRUSTED_LAUNCH}" == "True" is equivalent to ${IMG_SKU}==20_04-lts, right? If that's the case, please leave some comments to explain this. Thanks.
There was a problem hiding this comment.
ENABLE_TRUSTED_LAUNCH is a boolean feature flag assigned to some of our images, some of which are Ubuntu and some of which are Mariner/AZLinux. The feature flag alerts Packer that these Packer VMs need to have the TrustedLaunch feature enabled because they need TPM measurement files to run.
So, the above conditional on line 70 checks to see if the --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true flags need to be appended to the command string to enable the VMs successful provisioning. It is unrelated to CVM, though.
| @@ -63,6 +63,10 @@ if [[ "${OS_TYPE}" == "Linux" && "${ENABLE_TRUSTED_LAUNCH}" == "True" ]]; then | |||
| VM_OPTIONS+=" --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true" | |||
| fi | |||
|
|
|||
| if [ "${OS_TYPE}" == "Linux" ] && [ ${IMG_SKU} == "20_04-lts-cvm" ]; then | |||
| VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true" | |||
There was a problem hiding this comment.
what about if [[ "${ARCHITECTURE,,}" == "arm64" ]] but it also meets this if condition? Should the size be Standard_D8pds_v5 or Standard_DC8ads_v5?
There was a problem hiding this comment.
We do not have any ARM64 CVMs. Just the one AMD image.
There was a problem hiding this comment.
I see. Could you please leave a comment for the reason so other people know this is intended? Thanks
There was a problem hiding this comment.
Done! @Devinwong
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR changes the build process to use CVM hardware for CVM image builds. This will allow the use of
apt-get dist-upgradein the install scripts, resulting in the ability to install newer kernel versions.Which issue(s) this PR fixes:
This will fix the CVEs that are currently unmitigated for CVM nodepools.
Requirements: