test

.github/actions/setup_btrfs/action.yml

@@ -0,0 +1,19 @@
+name: setup btrfs
+description: Setup btrfs and do a second checkout
+
+runs:
+  using: "composite"
+  steps:
+     # This removes the checkout and creates a btrfs volume with maximized
+      # build space. Should only be used after setting up the Nix store.
+    - name: Maximize build space
+      uses: katexochen/maximize-build-space@btrfs
+      with:
+        swap-size-mb: 1024
+        remove-dotnet: "true"
+        remove-android: "true"
+        remove-haskell: "true"
+        remove-codeql: "true"
+        remove-docker-images: "true"
+    - name: Second checkout
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

.github/workflows/e2e_servicemesh.yml

@@ -31,6 +31,7 @@ jobs:
         with:
           githubToken: ${{ secrets.GITHUB_TOKEN }}
           cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - uses: ./.github/actions/setup_btrfs
       - name: Log in to ghcr.io Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:

justfile

@@ -6,7 +6,7 @@ push target:
     #!/usr/bin/env bash
     set -euo pipefail
     mkdir -p {{ workspace_dir }}
-    pushedImg=$(nix run .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
+    pushedImg=$(nix run -L .#containers.push-{{ target }} -- "$container_registry/contrast/{{ target }}")
     printf "ghcr.io/edgelesssys/contrast/%s:latest=%s\n" "{{ target }}" "$pushedImg" >> {{ workspace_dir }}/just.containerlookup
 
 # Build the coordinator, containerize and push it.

packages/by-name/kata/kata-image/package.nix

@@ -22,6 +22,7 @@
   cryptsetup,
   closureInfo,
   erofs-utils,
+  strace,
 }:
 
 let
@@ -137,13 +138,29 @@ stdenv.mkDerivation rec {
     util-linux
     tdnf
     buildimage
+    strace
   ];
 
   sourceRoot = "${src.name}/tools/osbuilder/rootfs-builder";
 
   buildPhase = ''
     runHook preBuild
 
+    # Check if filesystem is ext.*
+    fstype=$(stat -f -c %T .)
+    if [[ $fstye == "ext4" || $fstype == "ext2/ext3" ]]; then
+      echo "Due to a bug in libfakeroot, kata-image can unfortunately not be built on $fstype filesystems."
+      echo "As a workaround, you can build the derivation on a different filesystem with the following:"
+      echo "systemctl edit nix-daemon"
+      echo "Then, when editing the unit, enter:"
+      echo "[Service]"
+      echo 'Environment=TMPDIR=/some-non-ext*-filesystem'
+      echo "Then restart the nix-daemon with:"
+      echo "systemctl restart nix-daemon"
+      echo "Then rebuild the derivation."
+      exit 1
+    fi
+
     # use a fakeroot environment to build the rootfs as a tar
     # this is required to create files with the correct ownership and permissions
     # including suid

packages/by-name/kata/runtime-class-files/package.nix

@@ -55,7 +55,6 @@ stdenvNoCC.mkDerivation {
   buildPhase = ''
     mkdir -p $out
     sha256sum ${image} ${kernel} ${qemu-snp.bin} ${qemu-tdx.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-snp} ${ovmf-tdx} | sha256sum | cut -d " " -f 1 > $out/launch-digest.hex
-    printf "contrast-cc-%s" "$(cat $out/launch-digest.hex | head -c 32)" > $out/runtime-handler
   '';
 
   passthru = {

packages/by-name/microsoft/runtime-class-files/package.nix

@@ -24,8 +24,6 @@ stdenvNoCC.mkDerivation {
   buildPhase = ''
     mkdir -p $out
     igvmmeasure -b ${igvm} | dd conv=lcase > $out/launch-digest.hex
-    echo -n "contrast-cc-" > $out/runtime-handler
-    cat $out/launch-digest.hex | head -c 32 >> $out/runtime-handler
   '';
 
   passthru = {