preparations for e2e tests on baremetal SNP #730
Conversation
Freax13
force-pushed
the
tom/snp-baremetal-ci
branch
27 times, most recently
from
f98a8f9 to
f740fbd
Compare
Freax13
changed the title
Freax13
force-pushed
the
tom/snp-baremetal-ci
branch
4 times, most recently
from
2e4cce5 to
a4546ef
Compare
Freax13
force-pushed
the
tom/snp-baremetal-ci
branch
from
a4546ef to
afa1b22
Compare
Unfortunately the launch measurement is vCPU type dependent (it doesn't have to be that way, but QEMU sets up different vCPU types differently, so thanks, QEMU?!). Assume Genoa for now.
This will allow us to test on platforms other than aks-clh-snp.
The generic default manifest (not the default for AKS) isn't valid because it's missing TCB values. We want to emit invalid manifests and it's up to the user to fill in the missing values. Instead of failing, we now tell the user to fix the reference values for the selected platform.
We use this kernel module with `dm-mod.create="dm-verit...` to protect the image file.
The calculation of the launch measurement has been adjusted accordingly.
The previous rc0 had a bug somewhere that influenced the launch measurement. This bug has been fixed in rc1.
Freax13
force-pushed
the
tom/snp-baremetal-ci
branch
from
afa1b22 to
00dc2c6
Compare
| jobs: | ||
| test: | ||
| runs-on: | ||
| labels: snp |
There was a problem hiding this comment.
I think this is a GHA shortcoming, but it'd be very nice if we could make this test work on both SNP and TDX, without another duplication. But afaict, you cannot have dynamic values (e.g. an input) in runs-on. Not saying this PR should or can do anything about that, but just keeping it here as a note.
There was a problem hiding this comment.
If I understand this section in the docs correctly, this might work.
There was a problem hiding this comment.
I think this would enable us to create tests that run on all platforms unconditionally, but still not one test that runs on one, selectable platform
There was a problem hiding this comment.
You can also run steps conditionally.
There was a problem hiding this comment.
Yeah, but this won't be a step. We could execute everything but the actual step on GH-hosted runners and then transfer files over, but I fear that this is going to have a higher total cost in the end.
When the node-installer restarts K3s, the watch call fails. Watch has a retry loop internally, but it only retries starting the request, once it has established a request and that request dies spuriously, watch, doesn't reconnect.
Freax13
force-pushed
the
tom/snp-baremetal-ci
branch
from
00dc2c6 to
825b761
Compare
This PR implements all the necessary changes to run CI on our baremetal machine in the office.