Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release KBS Client Binary #333

Open
fitzthum opened this issue Feb 20, 2024 · 4 comments
Open

Release KBS Client Binary #333

fitzthum opened this issue Feb 20, 2024 · 4 comments

Comments

@fitzthum
Copy link
Member

It would be handy if we released a binary for the KBS client. Unlike the services that we already release, we probably don't want this to be a standalone container image. We could use something like oras to provide a binary via a registry. We should be able to push a staged and release version of the client tool just like we do with the other components.

We'll also want to consider multiple platforms.

@wainersm
Copy link
Member

It would be useful for the Kata CI where we are working to have attestation tests (kata-containers/kata-containers#9114) and we'd like to avoid having to compile the client. Kata CI intents to consume released versions of KBS project, so technically a binary within a tarball each release would be sufficient, however, we might end up on a situation where we need to track a commit (to consume a fix) so that having a staged binaries much more flexible.

One concern, regardless whether an executable in tarball or oras, is that it will be required to be statically compiled. Due to some dependencies on attesters implementations, it might be not feasible. An alternative to try is to compile with sample_only feature, reducing the dependencies, but then the resulting kbs-client will be only used for configuration.

Cc @mkulke @fitzthum @portersrc

@portersrc
Copy link
Member

portersrc commented Feb 23, 2024

Not sure if you'd confirmed the dependencies on sample_only, but it's indeed a trimmer list (no libcrypto dependency, etc.):

$ ldd kbs-client
        linux-vdso.so.1 (0x00007ffdd55d6000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ae2099000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ae1fb2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ae0a00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ae20ca000)```

@wainersm
Copy link
Member

wainersm commented Mar 5, 2024

Hi @portersrc !

Not sure if you'd confirmed the dependencies on sample_only, but it's indeed a trimmer list (no libcrypto dependency, etc.):

$ ldd kbs-client
        linux-vdso.so.1 (0x00007ffdd55d6000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f2ae2099000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f2ae1fb2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2ae0a00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ae20ca000)```

It seems easy to get the sample_only built statically on Ubuntu then. Thanks for checking it out!

@portersrc
Copy link
Member

PR 349 is merged, which seems to have successfully triggered an oras push, and kbs-client is now available here:
https://github.com/confidential-containers/trustee/pkgs/container/staged-images%2Fkbs-client

$ oras pull ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-x86_64-linux-gnu-ac59d337bbacc36990f71ced3de2e86619f236d3
Downloading 999bf5866c77 kbs-client
Downloaded  999bf5866c77 kbs-client
Pulled [registry] ghcr.io/confidential-containers/staged-images/kbs-client:sample_only-x86_64-linux-gnu-ac59d337bbacc36990f71ced3de2e86619f236d3
Digest: sha256:7569fc4761d9c1d765f33a840efda82b8409345f0022893ccef188b0322e50b2
$ ls
kbs-client
$ chmod +x kbs-client
$ ./kbs-client --version
KBS client 0.1.0
$ ldd kbs-client
        statically linked

Do we want to add more platforms?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants