diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
new file mode 100644
index 0000000..4894564
--- /dev/null
+++ b/.github/workflows/build-docker.yml
@@ -0,0 +1,179 @@
+name: Build Docker Images
+
+on:
+ push:
+ branches:
+ - 'master'
+ - 'main'
+ tags:
+ - 'v*.*.*'
+ pull_request:
+ branches:
+ - 'master'
+ - 'main'
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Docker Setup Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ driver: docker-container
+ driver-opts: image=moby/buildkit:master,network=host
+
+ - name: Docker meta (fde)
+ id: meta-fde
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/openanolis/cryptpilot-fde
+ labels: |
+ org.opencontainers.image.title=cryptpilot-fde
+ org.opencontainers.image.description=Full-disk encryption tooling for system volumes
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=sha,format=long
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ - name: Docker meta (crypt)
+ id: meta-crypt
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/openanolis/cryptpilot-crypt
+ labels: |
+ org.opencontainers.image.title=cryptpilot-crypt
+ org.opencontainers.image.description=Data volume encryption tooling
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=sha,format=long
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ - name: Docker meta (verity)
+ id: meta-verity
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/openanolis/cryptpilot-verity
+ labels: |
+ org.opencontainers.image.title=cryptpilot-verity
+ org.opencontainers.image.description=Integrity measurement tool for directory trees
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=sha,format=long
+ type=raw,value=latest,enable={{is_default_branch}}
+
+ # Build all three images sequentially to maximize cache reuse
+ # Builder stage is shared and cached across all three builds
+ - name: Build cryptpilot-fde
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: .
+ file: Dockerfile
+ target: release-fde
+ tags: |
+ cryptpilot-fde:test
+ ${{ steps.meta-fde.outputs.tags }}
+ labels: ${{ steps.meta-fde.outputs.labels }}
+ outputs: type=docker,dest=${{ runner.temp }}/cryptpilot-fde.tar
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Build cryptpilot-crypt
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: .
+ file: Dockerfile
+ target: release-crypt
+ tags: |
+ cryptpilot-crypt:test
+ ${{ steps.meta-crypt.outputs.tags }}
+ labels: ${{ steps.meta-crypt.outputs.labels }}
+ outputs: type=docker,dest=${{ runner.temp }}/cryptpilot-crypt.tar
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Build cryptpilot-verity
+ uses: docker/build-push-action@v6.9.0
+ with:
+ context: .
+ file: Dockerfile
+ target: release-verity
+ tags: |
+ cryptpilot-verity:test
+ ${{ steps.meta-verity.outputs.tags }}
+ labels: ${{ steps.meta-verity.outputs.labels }}
+ outputs: type=docker,dest=${{ runner.temp }}/cryptpilot-verity.tar
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # Test all images
+ - name: Load and test cryptpilot-fde
+ run: |
+ docker load --input ${{ runner.temp }}/cryptpilot-fde.tar
+ docker run --rm cryptpilot-fde:test cryptpilot-fde --version
+
+ - name: Load and test cryptpilot-crypt
+ run: |
+ docker load --input ${{ runner.temp }}/cryptpilot-crypt.tar
+ docker run --rm cryptpilot-crypt:test cryptpilot-crypt --version
+
+ - name: Load and test cryptpilot-verity
+ run: |
+ docker load --input ${{ runner.temp }}/cryptpilot-verity.tar
+ docker run --rm cryptpilot-verity:test cryptpilot-verity --version
+
+ # Push images (only on tag or master/main branch)
+ - name: Login to GHCR Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push cryptpilot-fde
+ env:
+ IMAGE_TAGS: ${{ steps.meta-fde.outputs.tags }}
+ run: |
+ set -e
+ set -x
+ for tag in ${IMAGE_TAGS}; do
+ docker tag cryptpilot-fde:test ${tag}
+ docker push ${tag}
+ done
+
+ - name: Push cryptpilot-crypt
+ env:
+ IMAGE_TAGS: ${{ steps.meta-crypt.outputs.tags }}
+ run: |
+ set -e
+ set -x
+ for tag in ${IMAGE_TAGS}; do
+ docker tag cryptpilot-crypt:test ${tag}
+ docker push ${tag}
+ done
+
+ - name: Push cryptpilot-verity
+ env:
+ IMAGE_TAGS: ${{ steps.meta-verity.outputs.tags }}
+ run: |
+ set -e
+ set -x
+ for tag in ${IMAGE_TAGS}; do
+ docker tag cryptpilot-verity:test ${tag}
+ docker push ${tag}
+ done
diff --git a/APPLICATION/cryptpilot-crypt/buildspec.yml b/APPLICATION/cryptpilot-crypt/buildspec.yml
new file mode 100644
index 0000000..ba30508
--- /dev/null
+++ b/APPLICATION/cryptpilot-crypt/buildspec.yml
@@ -0,0 +1,37 @@
+name: &NAME
+version: &VERSION
+image_type: &IMAGE_TYPE
+baseos_version: &BASEOS_VERSION
+
+# 定义镜像仓库信息
+repository_info:
+ acr: &ACR_PROD confidential-ai-registry.cn-shanghai.cr.aliyuncs.com/product
+
+# 定义镜像测试信息
+t-one:
+ # 配置测试信息 workspace 和模版
+ workspace: &WORKSPACE container_ci_test
+ project: &PROJECT default_container_ci_test
+ test_suite: &TEST_SUITE image-ci-test
+ # 执行测试 case, 多个用数组表示
+ test_conf: &TEST_CONF group=app_container
+ test_case: &TEST_CASE app_container_default
+ cloud_server_tag: &CLOUD_SERVER_TAG [anolis-container-ci-x86]
+
+# 构建镜像配置
+images:
+ # 分组名称,支持自定义
+ Cryptpilot-Crypt:
+ target: release-crypt
+ build: true
+ test: true
+ region: cn-hongkong
+ platform: [linux/amd64]
+ docker_file:
+ path: Dockerfile
+ scene:
+ args: []
+ tags: [[0.5.0, latest]]
+ registry: [*ACR_PROD]
+ # 测试配置
+ test_config: [*WORKSPACE, *PROJECT, *TEST_SUITE, *TEST_CONF, *TEST_CASE, *CLOUD_SERVER_TAG[0], '']
\ No newline at end of file
diff --git a/APPLICATION/cryptpilot-crypt/version.yml b/APPLICATION/cryptpilot-crypt/version.yml
new file mode 100644
index 0000000..aaaf0ba
--- /dev/null
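Review bot: The `Login to GHCR Container Registry` step and the three `Push cryptpilot-*` steps carry no `if:` guard, so despite the `# Push images (only on tag or master/main branch)` comment above them they also run on `pull_request` events, where the token of a fork PR cannot write to ghcr.io and the job fails after a successful build and test. The workflow also declares no `permissions:` block; pushing to GHCR needs `packages: write`, and an explicit block with `contents: read` keeps `GITHUB_TOKEN` at least privilege regardless of the repository's default token setting (which is not visible here). The fix is a job-level `permissions:` block plus `if: github.event_name != 'pull_request'` on the login step and each of the three push steps, shown below. Separately, `driver-opts: image=moby/buildkit:master` and the tag-pinned `uses:` references (`actions/checkout@v6`, `docker/build-push-action@v6.9.0`) float with upstream; pinning the BuildKit image to a digest and the actions to a commit SHA would make the release pipeline reproducible.
```yaml
jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      # … unchanged: checkout, buildx, metadata, build and load/test steps …

      # Push images (only on tag or master/main branch)
      - name: Login to GHCR Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # … unchanged: the three Push cryptpilot-* steps, each with the same if: line added …
```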
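Review bot: `test_config: [..., *CLOUD_SERVER_TAG[0], '']` is not valid YAML 1.1/1.2 — `[` cannot appear in an alias name inside a flow sequence, so a standard loader sees the alias `*CLOUD_SERVER_TAG` followed by a stray `[0]` and rejects the document; this only works if the consuming build tool parses the file with its own index syntax, and a comment saying so (`# *ALIAS[0] indexing is a build-tool extension, not YAML`) would stop someone "fixing" it. The four leading `name: &NAME`, `version: &VERSION`, `image_type:` and `baseos_version:` entries are anchors on null values; if they are placeholders the tool fills in at build time, say so in a comment, because yamllint flags bare `key:` values and a reader cannot tell intent from null. The same two points apply verbatim to `APPLICATION/cryptpilot-fde/buildspec.yml` and `APPLICATION/cryptpilot-verity/buildspec.yml`, and all three files lack a trailing newline.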
+++ b/APPLICATION/cryptpilot-crypt/version.yml
@@ -0,0 +1,13 @@
+# 版本关系依赖表,默认继承 version-base.yml 配置,可重写覆盖
+BaseDependency: ../version-base.yml
+Dependency:
+ name: cryptpilot-crypt
+ image_type: application
+ versions:
+ 1.0.1:
+ # 对 AI 框架版本对 python 版本的要求
+ python_version: []
+ # gpu 对 cuda 版本的要求
+ cuda_version: []
+ # 对 baseos 的要求,*AnolisOS8.6 表示 Anolis8.6
+ baseos_version: [*Alinux3.2304]
\ No newline at end of file
diff --git a/APPLICATION/cryptpilot-fde/buildspec.yml b/APPLICATION/cryptpilot-fde/buildspec.yml
new file mode 100644
index 0000000..242a0b8
--- /dev/null
+++ b/APPLICATION/cryptpilot-fde/buildspec.yml
@@ -0,0 +1,37 @@
+name: &NAME
+version: &VERSION
+image_type: &IMAGE_TYPE
+baseos_version: &BASEOS_VERSION
+
+# 定义镜像仓库信息
+repository_info:
+ acr: &ACR_PROD confidential-ai-registry.cn-shanghai.cr.aliyuncs.com/product
+
+# 定义镜像测试信息
+t-one:
+ # 配置测试信息 workspace 和模版
+ workspace: &WORKSPACE container_ci_test
+ project: &PROJECT default_container_ci_test
+ test_suite: &TEST_SUITE image-ci-test
+ # 执行测试 case, 多个用数组表示
+ test_conf: &TEST_CONF group=app_container
+ test_case: &TEST_CASE app_container_default
+ cloud_server_tag: &CLOUD_SERVER_TAG [anolis-container-ci-x86]
+
+# 构建镜像配置
+images:
+ # 分组名称,支持自定义
+ Cryptpilot-Fde:
+ target: release-fde
+ build: true
+ test: true
+ region: cn-hongkong
+ platform: [linux/amd64]
+ docker_file:
+ path: Dockerfile
+ scene:
+ args: []
+ tags: [[0.5.0, latest]]
+ registry: [*ACR_PROD]
+ # 测试配置
+ test_config: [*WORKSPACE, *PROJECT, *TEST_SUITE, *TEST_CONF, *TEST_CASE, *CLOUD_SERVER_TAG[0], '']
\ No newline at end of file
diff --git a/APPLICATION/cryptpilot-fde/version.yml b/APPLICATION/cryptpilot-fde/version.yml
new file mode 100644
index 0000000..7e7347b
--- /dev/null
+++ b/APPLICATION/cryptpilot-fde/version.yml
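Review bot: `baseos_version: [*Alinux3.2304]` aliases an anchor that is not defined anywhere in this file; a standard YAML loader rejects an undefined alias, so the file is only usable if the consuming tool pre-merges `../version-base.yml` named in `BaseDependency` before parsing — the first-line comment should state that explicitly, e.g. `# 别名来自 BaseDependency 指向的文件 / aliases resolve against version-base.yml, not this file`. The `versions:` key is `1.0.1` while the sibling `buildspec.yml` tags the same image `0.5.0`, and the new `update-buildspec-yml` recipe in the Makefile rewrites only the buildspec tags; if `versions` is meant to track the release, it will drift from the next bump onward. The same applies to `APPLICATION/cryptpilot-fde/version.yml` and `APPLICATION/cryptpilot-verity/version.yml`.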
@@ -0,0 +1,13 @@
+# 版本关系依赖表,默认继承 version-base.yml 配置,可重写覆盖
+BaseDependency: ../version-base.yml
+Dependency:
+ name: cryptpilot-fde
+ image_type: application
+ versions:
+ 1.0.1:
+ # 对 AI 框架版本对 python 版本的要求
+ python_version: []
+ # gpu 对 cuda 版本的要求
+ cuda_version: []
+ # 对 baseos 的要求,*AnolisOS8.6 表示 Anolis8.6
+ baseos_version: [*Alinux3.2304]
\ No newline at end of file
diff --git a/APPLICATION/cryptpilot-verity/buildspec.yml b/APPLICATION/cryptpilot-verity/buildspec.yml
new file mode 100644
index 0000000..9e37c42
--- /dev/null
+++ b/APPLICATION/cryptpilot-verity/buildspec.yml
@@ -0,0 +1,37 @@
+name: &NAME
+version: &VERSION
+image_type: &IMAGE_TYPE
+baseos_version: &BASEOS_VERSION
+
+# 定义镜像仓库信息
+repository_info:
+ acr: &ACR_PROD confidential-ai-registry.cn-shanghai.cr.aliyuncs.com/product
+
+# 定义镜像测试信息
+t-one:
+ # 配置测试信息 workspace 和模版
+ workspace: &WORKSPACE container_ci_test
+ project: &PROJECT default_container_ci_test
+ test_suite: &TEST_SUITE image-ci-test
+ # 执行测试 case, 多个用数组表示
+ test_conf: &TEST_CONF group=app_container
+ test_case: &TEST_CASE app_container_default
+ cloud_server_tag: &CLOUD_SERVER_TAG [anolis-container-ci-x86]
+
+# 构建镜像配置
+images:
+ # 分组名称,支持自定义
+ Cryptpilot-Verity:
+ target: release-verity
+ build: true
+ test: true
+ region: cn-hongkong
+ platform: [linux/amd64]
+ docker_file:
+ path: Dockerfile
+ scene:
+ args: []
+ tags: [[0.5.0, latest]]
+ registry: [*ACR_PROD]
+ # 测试配置
+ test_config: [*WORKSPACE, *PROJECT, *TEST_SUITE, *TEST_CONF, *TEST_CASE, *CLOUD_SERVER_TAG[0], '']
\ No newline at end of file
diff --git a/APPLICATION/cryptpilot-verity/version.yml b/APPLICATION/cryptpilot-verity/version.yml
new file mode 100644
index 0000000..3617537
--- /dev/null
+++ b/APPLICATION/cryptpilot-verity/version.yml
@@ -0,0 +1,13 @@
+# 版本关系依赖表,默认继承 version-base.yml 配置,可重写覆盖
+BaseDependency: ../version-base.yml
+Dependency:
+ name: cryptpilot-verity
+ image_type: application
+ versions:
+ 1.0.1:
+ # 对 AI 框架版本对 python 版本的要求
+ python_version: []
+ # gpu 对 cuda 版本的要求
+ cuda_version: []
+ # 对 baseos 的要求,*AnolisOS8.6 表示 Anolis8.6
+ baseos_version: [*Alinux3.2304]
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..40f1eda
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,98 @@
+# Builder stage - build RPM packages
+FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest AS builder
+
+# Replace mirrors for faster yum install
+RUN sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+# Increase yum download speed
+RUN sed -i 's/^max_parallel_downloads=.*/max_parallel_downloads=20/' /etc/yum.conf ; if ! grep -q '^max_parallel_downloads=' /etc/yum.conf; then sed -i '/^\[main\]$/a max_parallel_downloads=20' /etc/yum.conf; fi ;
+
+# Install Rust toolchain
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
+ sh -s -- -y --no-modify-path --default-toolchain none
+
+WORKDIR /code/
+
+COPY rust-toolchain.toml .
+
+# Install toolchain and cache it
+RUN . "$HOME/.cargo/env" && rustup show
+
+# Install build dependencies
+RUN yum install -y git protobuf-devel gcc cmake clang clang-libs \
+ cryptsetup-devel perl-IPC-Cmd device-mapper-devel fuse3-devel \
+ rpmdevtools yum-utils && \
+ yum clean all
+
+COPY . .
+
+# Setup RPM build tree
+RUN rpmdev-setuptree
+
+# Build RPM packages using the same process as rpm-build target
+RUN . "$HOME/.cargo/env" && \
+ # Create source tarball
+ make create-tarball && \
+ # Copy tarball to RPM build sources
+ cp /tmp/cryptpilot-$(grep '^version' Cargo.toml | awk -F' = ' '{print $2}' | tr -d '"')-vendored-source.tar.gz ~/rpmbuild/SOURCES/ && \
+ # Install build dependencies from spec file (like yum-builddep)
+ yum-builddep -y --skip-unavailable ./cryptpilot.spec && \
+ # Build RPM packages
+ rpmbuild -ba ./cryptpilot.spec --define 'with_rustup 1'
+
+
+# Release stage for cryptpilot-fde
+FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest AS release-fde
+
+# Replace mirrors for faster yum install
+RUN sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+# Increase yum download speed
+RUN sed -i 's/^max_parallel_downloads=.*/max_parallel_downloads=20/' /etc/yum.conf ; if ! grep -q '^max_parallel_downloads=' /etc/yum.conf; then sed -i '/^\[main\]$/a max_parallel_downloads=20' /etc/yum.conf; fi ;
+
+# Copy RPM from builder
+COPY --from=builder /root/rpmbuild/RPMS/x86_64/cryptpilot-fde-*.rpm /tmp/
+
+# Install FDE package and its dependencies
+# yum install will automatically resolve and install all dependencies from spec
+RUN yum install -y /tmp/cryptpilot-fde-*.rpm && \
+ yum clean all && \
+ rm -rf /var/cache/yum /tmp/*.rpm
+
+CMD ["cryptpilot-fde"]
+
+
+# Release stage for cryptpilot-crypt
+FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest AS release-crypt
+
+# Replace mirrors for faster yum install
+RUN sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+# Increase yum download speed
+RUN sed -i 's/^max_parallel_downloads=.*/max_parallel_downloads=20/' /etc/yum.conf ; if ! grep -q '^max_parallel_downloads=' /etc/yum.conf; then sed -i '/^\[main\]$/a max_parallel_downloads=20' /etc/yum.conf; fi ;
+
+# Copy RPM from builder
+COPY --from=builder /root/rpmbuild/RPMS/x86_64/cryptpilot-crypt-*.rpm /tmp/
+
+# Install Crypt package and its dependencies
+RUN yum install -y /tmp/cryptpilot-crypt-*.rpm && \
+ yum clean all && \
+ rm -rf /var/cache/yum /tmp/*.rpm
+
+CMD ["cryptpilot-crypt"]
+
+
+# Release stage for cryptpilot-verity
+FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest AS release-verity
+
+# Replace mirrors for faster yum install
+RUN sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+# Increase yum download speed
+RUN sed -i 's/^max_parallel_downloads=.*/max_parallel_downloads=20/' /etc/yum.conf ; if ! grep -q '^max_parallel_downloads=' /etc/yum.conf; then sed -i '/^\[main\]$/a max_parallel_downloads=20' /etc/yum.conf; fi ;
+
+# Copy RPM from builder
+COPY --from=builder /root/rpmbuild/RPMS/x86_64/cryptpilot-verity-*.rpm /tmp/
+
+# Install Verity package and its dependencies
+RUN yum install -y /tmp/cryptpilot-verity-*.rpm && \
+ yum clean all && \
+ rm -rf /var/cache/yum /tmp/*.rpm
+
+CMD ["cryptpilot-verity"]
diff --git a/Makefile b/Makefile
index 4075c14..974c54a 100644
--- a/Makefile
+++ b/Makefile
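Review bot: The builder stage installs the Rust toolchain with `curl … https://sh.rustup.rs | sh`, executing whatever that endpoint serves with no integrity check, and all four `FROM` lines resolve `alinux3:latest` at build time, so two runs of this Dockerfile can yield release images with different contents and a published `cryptpilot-fde`/`-crypt`/`-verity` image cannot be reproduced from its source. Pinning the base by digest and fetching a specific `rustup-init` whose SHA-256 is checked before it runs closes both gaps; the rewritten builder head is below, with the digest and checksum as placeholders to fill in. A shared `FROM … AS base` stage carrying the mirror and `max_parallel_downloads` setup would also remove the three verbatim copies of those two `RUN sed` lines in the release stages. `COPY . .` copies the whole checkout, `.git` included, into the builder layer; whether a `.dockerignore` limits that is not visible in this diff.
```dockerfile
# Builder stage - build RPM packages
# Pin the base by digest so every stage resolves to the same bytes (<BASE_DIGEST> is a placeholder).
FROM alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3@sha256:<BASE_DIGEST> AS builder

# … unchanged: mirror replacement and max_parallel_downloads setup …

# Install Rust toolchain from a pinned installer; verify it before executing (<EXPECTED_SHA256> is a placeholder).
ARG RUSTUP_INIT_SHA256=<EXPECTED_SHA256>
RUN curl --proto '=https' --tlsv1.2 -sSfO https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init && \
    echo "${RUSTUP_INIT_SHA256}  rustup-init" | sha256sum -c - && \
    chmod +x rustup-init && \
    ./rustup-init -y --no-modify-path --default-toolchain none && \
    rm -f rustup-init

# … unchanged: WORKDIR, rust-toolchain.toml, build dependencies, RPM build …
```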
@@ -263,6 +263,14 @@ define update-debian-changelog @rm -f /tmp/deb_changelog_entry.txt /tmp/deb_commits.txt endef +# Function to update buildspec.yml version tags +# Updates tags in all three APPLICATION buildspec.yml files +define update-buildspec-yml + @sed -i -E 's/(tags: \[\[)[0-9]+\.[0-9]+\.[0-9]+(, latest\]\])/\1$(1)\2/' APPLICATION/cryptpilot-fde/buildspec.yml + @sed -i -E 's/(tags: \[\[)[0-9]+\.[0-9]+\.[0-9]+(, latest\]\])/\1$(1)\2/' APPLICATION/cryptpilot-crypt/buildspec.yml + @sed -i -E 's/(tags: \[\[)[0-9]+\.[0-9]+\.[0-9]+(, latest\]\])/\1$(1)\2/' APPLICATION/cryptpilot-verity/buildspec.yml +endef + # Main bump version function # $(1) = version type (major/minor/patch) # $(2) = new version number @@ -279,12 +287,15 @@ define bump-version-internal $(call update-rpm-spec,$(2)) @echo "Updating Debian changelog..." $(call update-debian-changelog,$(2)) + @echo "Updating buildspec.yml files..." + $(call update-buildspec-yml,$(2)) @echo "Version bump complete. New version: $(2)" @echo "Changes made:" @echo " - Updated Cargo.toml" @echo " - Updated Cargo.lock" @echo " - Updated RPM spec version and changelog" @echo " - Updated Debian changelog" + @echo " - Updated APPLICATION buildspec.yml files" @echo "" @echo "If it is ok to commit, run the following commands:" @echo " git add ." 
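Review bot: `update-buildspec-yml` succeeds silently when the `tags: [[X.Y.Z, latest]]` pattern is absent or has been reformatted, so a bump can print `Updated APPLICATION buildspec.yml files` without changing any of the three files; a `grep` for the new tag after each `sed` turns that into a hard failure. The recipe also leaves `APPLICATION/*/version.yml` untouched, whose `versions:` key (`1.0.1` in this commit) already differs from the `0.5.0` tag in the buildspecs — if that key is meant to follow the release it should be bumped here as well. The rewrite below folds the three calls into one loop with the post-check; `bump-version-internal` in the second hunk starts outside the hunk.
```make
# Function to update buildspec.yml version tags
# Updates tags in all three APPLICATION buildspec.yml files and fails if any file was not rewritten
define update-buildspec-yml
	@for f in APPLICATION/cryptpilot-fde/buildspec.yml \
	          APPLICATION/cryptpilot-crypt/buildspec.yml \
	          APPLICATION/cryptpilot-verity/buildspec.yml; do \
		sed -i -E 's/(tags: \[\[)[0-9]+\.[0-9]+\.[0-9]+(, latest\]\])/\1$(1)\2/' $$f && \
		grep -q "tags: \[\[$(1), latest\]\]" $$f || { echo "ERROR: version tag not updated in $$f" >&2; exit 1; }; \
	done
endef
```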
@@ -308,3 +319,22 @@ bump-version-minor: bump-version-patch: $(call bump-version-internal,patch,$(NEW_VERSION_PATCH),v$(CURRENT_VERSION)) +# Docker build targets +.PHONY: docker-build +docker-build: docker-build-fde docker-build-crypt docker-build-verity + +.PHONY: docker-build-fde +docker-build-fde: + docker build -f Dockerfile --target release-fde -t cryptpilot-fde:latest . + +.PHONY: docker-build-crypt +docker-build-crypt: + docker build -f Dockerfile --target release-crypt -t cryptpilot-crypt:latest . + +.PHONY: docker-build-verity +docker-build-verity: + docker build -f Dockerfile --target release-verity -t cryptpilot-verity:latest . + +.PHONY: docker-build-all +docker-build-all: docker-build +
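Review bot: `docker-build-all: docker-build` defines a second name for exactly the same target list with nothing to distinguish the two; either drop it or put a comment above it such as `# Alias of docker-build, kept for compatibility`. The three per-image recipes differ only in the stage and image name, so a comment on `docker-build` like `# Stage names must match the release-<name> targets in Dockerfile` would help whoever adds a fourth image keep Makefile and Dockerfile in step. These local targets tag `cryptpilot-<name>:latest` unconditionally, unlike the CI workflow which applies `latest` only on the default branch; fine for local use, but worth a one-line comment so nobody pushes a locally built `latest`.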