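# Build-time inputs. The *_IMAGE args have no defaults and must be supplied
# with --build-arg; an unset value makes the corresponding FROM fail early.
ARG DTK_IMAGE
ARG SIGNER_SDK_IMAGE
ARG DRIVER_IMAGE
ARG DRIVER_VERSION
ARG AWS_AUTH_SECRET

# --- Stage 1: build the out-of-tree kernel modules with the Driver Toolkit ---
FROM ${DTK_IMAGE} AS dtk
USER root
# Redeclared here: an ARG declared before FROM is only visible to FROM lines.
ARG DRIVER_REPO
ARG DRIVER_VERSION
# Optional, space-separated list of extra packages needed by the driver build.
ARG ADDITIONAL_BUILD_DEPS
WORKDIR /home/builder
COPY --chmod=0755 scripts/build-commands.sh /home/builder/build-commands.sh
# Install extra build dependencies only when requested. Word splitting of
# $ADDITIONAL_BUILD_DEPS is intentional (one package per word); the cache is
# dropped in the same layer so it never reaches the image.
RUN if [ -n "$ADDITIONAL_BUILD_DEPS" ]; then \
      dnf -y install -- $ADDITIONAL_BUILD_DEPS && \
      dnf clean all && \
      rm -rf /var/cache/yum; \
    fi
# Fetch and build the driver against the toolkit's kernel, then keep a copy of
# that kernel's sign-file for the signing stage. DRIVER_REPO and
# DRIVER_VERSION are required; checking them up front gives a clear message
# instead of an opaque git error. KERNEL_VERSION is expected from
# /etc/driver-toolkit-release.sh and is recorded for the later stages.
# NOTE: `git clone --branch` accepts a branch name as well as a tag, so for a
# reproducible build DRIVER_VERSION should be an immutable tag (or the checked
# out commit should be verified by the caller).
RUN : "${DRIVER_REPO:?DRIVER_REPO build arg is required}" && \
    : "${DRIVER_VERSION:?DRIVER_VERSION build arg is required}" && \
    source /etc/driver-toolkit-release.sh && \
    : "${KERNEL_VERSION:?KERNEL_VERSION not set by /etc/driver-toolkit-release.sh}" && \
    echo "$KERNEL_VERSION" > /tmp/BUILD_KERNEL_VER && \
    git clone --depth 1 --branch "$DRIVER_VERSION" "$DRIVER_REPO" && \
    cd "$(basename "$DRIVER_REPO" .git)" && \
    /home/builder/build-commands.sh && \
    cp -p "/usr/src/kernels/$KERNEL_VERSION/scripts/sign-file" /usr/local/bin/sign-file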
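# --- Stage 2: sign the built modules with a key held in AWS KMS (PKCS#11) ---
FROM ${SIGNER_SDK_IMAGE} AS signer
# AWS_AUTH_SECRET names the secret directory passed with --secret; the three
# credential files are read from /run/secrets/${AWS_AUTH_SECRET}/ below.
ARG AWS_AUTH_SECRET
ARG AWS_DEFAULT_REGION
ARG AWS_KMS_KEY_LABEL
# Declared but not referenced in this stage; the genkey config path is
# hard-coded in the COPY below.
ARG GENKEY_FILE
USER root
COPY --from=dtk /home/builder /opt/drivers/
COPY --from=dtk /tmp/BUILD_KERNEL_VER /tmp/BUILD_KERNEL_VER
COPY --chmod=0755 --from=dtk /usr/local/bin/sign-file /usr/local/bin/sign-file
COPY --chmod=0755 set_pkcs11_engine /usr/bin/set_pkcs11_engine
COPY ssl/x509.keygen /etc/aws-kms-pkcs11/x509.genkey
# PKCS#11/OpenSSL configuration and module signing in ONE step.
# The AWS credentials are read straight from the secret mounts and exist only
# as shell variables for the lifetime of this RUN; they are never appended to
# an env file, so no layer of this stage carries them. A missing secret file
# fails the `cat` and therefore the build, rather than silently producing an
# empty value. `set -o pipefail` plus the explicit `|| exit 1` make every
# sign-file failure abort the build instead of leaving an unsigned module
# behind. (The RUN shell is assumed to be bash, as the rest of this file
# already relies on `source`.)
RUN --mount=type=secret,id=${AWS_AUTH_SECRET}/AWS_KMS_TOKEN \
    --mount=type=secret,id=${AWS_AUTH_SECRET}/AWS_ACCESS_KEY_ID \
    --mount=type=secret,id=${AWS_AUTH_SECRET}/AWS_SECRET_ACCESS_KEY \
    set -o pipefail && \
    : "${AWS_KMS_KEY_LABEL:?AWS_KMS_KEY_LABEL build arg is required}" && \
    : "${AWS_DEFAULT_REGION:?AWS_DEFAULT_REGION build arg is required}" && \
    AWS_KMS_TOKEN="$(cat "/run/secrets/${AWS_AUTH_SECRET}/AWS_KMS_TOKEN")" && \
    AWS_ACCESS_KEY_ID="$(cat "/run/secrets/${AWS_AUTH_SECRET}/AWS_ACCESS_KEY_ID")" && \
    AWS_SECRET_ACCESS_KEY="$(cat "/run/secrets/${AWS_AUTH_SECRET}/AWS_SECRET_ACCESS_KEY")" && \
    export AWS_KMS_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY \
           AWS_KMS_KEY_LABEL AWS_DEFAULT_REGION && \
    export PKCS11_MODULE_PATH=/usr/lib64/pkcs11/aws_kms_pkcs11.so && \
    sed -i '1i openssl_conf = openssl_init' /etc/pki/tls/openssl.cnf && \
    cat /etc/aws-kms-pkcs11/openssl-pkcs11.conf >> /etc/pki/tls/openssl.cnf && \
    printf '{\n  "slots": [\n    {\n      "label": "%s",\n      "kms_key_id": "%s",\n      "aws_region": "%s",\n      "certificate_path": "/etc/aws-kms-pkcs11/cert.pem"\n    }\n  ]\n}\n' \
        "$AWS_KMS_KEY_LABEL" "$AWS_KMS_TOKEN" "$AWS_DEFAULT_REGION" \
        > /etc/aws-kms-pkcs11/config.json && \
    openssl req -config /etc/aws-kms-pkcs11/x509.genkey -x509 \
        -key "pkcs11:model=0;manufacturer=aws_kms;serial=0;token=$AWS_KMS_KEY_LABEL" \
        -keyform engine -engine pkcs11 \
        -out /etc/aws-kms-pkcs11/cert.pem -days 36500 && \
    oot_modules="/opt/drivers/" && \
    find "$oot_modules" -type f -name "*.ko" | while IFS= read -r file; do \
        signedfile="${oot_modules}$(basename "${file%.*}")-signed.ko"; \
        echo "Signing ${file}"; \
        sign-file sha256 \
            "pkcs11:model=0;manufacturer=aws_kms;serial=0;token=$AWS_KMS_KEY_LABEL" \
            /etc/aws-kms-pkcs11/cert.pem \
            "$file" \
            "$signedfile" || exit 1; \
    done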
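# --- Stage 3: package the signed modules as RPMs ---
FROM ${DRIVER_IMAGE} AS rpmbuilder
ARG DRIVER_VERSION
# Kernel version the modules were built for. A LABEL cannot read a file at
# build time, so the caller passes this with --build-arg; it is cross-checked
# below against the value the dtk stage recorded.
ARG KERNEL_VERSION
COPY --from=signer /opt/drivers /opt/drivers
COPY --from=signer /tmp/BUILD_KERNEL_VER /tmp/BUILD_KERNEL_VER
# Packaging tools (unpinned; pin versions if reproducible builds are needed).
RUN dnf -y install rpmdevtools rpmlint kmod && \
    dnf clean all && \
    rm -rf /var/cache/yum
WORKDIR /home/rpmbuilder
# A bare `RUN KERNEL_VERSION=$(cat ...)` would be a no-op: a shell variable set
# in one RUN never reaches the LABEL below. Instead verify that the recorded
# value exists and that a caller-supplied KERNEL_VERSION matches it, so the
# label never advertises a kernel the modules were not built for.
RUN built="$(cat /tmp/BUILD_KERNEL_VER)" && \
    : "${built:?/tmp/BUILD_KERNEL_VER is empty}" && \
    if [ -z "$KERNEL_VERSION" ]; then \
      echo "WARNING: KERNEL_VERSION build arg not set; modules were built for $built, label will be empty" >&2; \
    elif [ "$KERNEL_VERSION" != "$built" ]; then \
      echo "ERROR: KERNEL_VERSION=$KERNEL_VERSION but modules were built for $built" >&2; \
      exit 1; \
    fi
# No USER is set in this stage, so it runs as whatever ${DRIVER_IMAGE}
# defaults to (presumably root).
LABEL DRIVER_VERSION=$DRIVER_VERSION
LABEL KERNEL_VERSION=$KERNEL_VERSION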