feat(BOUN-650): ci should build the docker base image for api bn

.gitlab/CODEOWNERS

@@ -38,6 +38,7 @@ go_deps.bzl               @dfinity-lab/teams/idx
 # [IC-OS]
 /ic-os/                                          @dfinity-lab/teams/node-team
 /ic-os/boundary-guestos/                         @dfinity-lab/teams/boundarynode-team @dfinity-lab/teams/node-team
+/ic-os/boundary-api-guestos/                     @dfinity-lab/teams/boundarynode-team @dfinity-lab/teams/node-team
 /ic-os/guestos/tests/e2e-benchmarking-suite.py   @dfinity-lab/teams/runtime-owners
 
 # [GitLab-CI]

gitlab-ci/config/00--common--rules.yml

@@ -263,6 +263,7 @@
     - if: '$CI_PIPELINE_SOURCE == "parent_pipeline"'
       changes:
         - ic-os/boundary-guestos/rootfs/Dockerfile.base
+        - ic-os/boundary-api-guestos/rootfs/Dockerfile.base
         - ic-os/guestos/rootfs/Dockerfile.base
         - ic-os/guestos/rootfs/packages.common
         - ic-os/guestos/rootfs/packages.dev

gitlab-ci/config/46--guest-os-build--guest-base-image.yml

@@ -12,6 +12,12 @@
       -f Dockerfile.base .
   docker build -q -t dfinity/boundaryos-base-snp:"$TAG" -t dfinity/boundaryos-base-snp:latest \
       --build-arg CPU_SUPPORT="snp" -f Dockerfile.base .
+  # boundary-api-guestos-base & boundary-api-guestos-base-snp
+  cd "${CI_PROJECT_DIR}/ic-os/boundary-api-guestos/rootfs"
+  docker build -q -t dfinity/boundary-api-guestos-base:"$TAG" -t dfinity/boundary-api-guestos-base:latest \
+      -f Dockerfile.base .
+  docker build -q -t dfinity/boundary-api-guestos-base-snp:"$TAG" -t dfinity/boundary-api-guestos-base-snp:latest \
+      --build-arg CPU_SUPPORT="snp" -f Dockerfile.base .
   # hostos-base & hostos-base-dev
   cd "${CI_PROJECT_DIR}/ic-os/hostos/rootfs"
   docker build -q -t dfinity/hostos-base:"$TAG" -t dfinity/hostos-base:latest \
@@ -52,6 +58,8 @@ build-push-base-images:
          ic-os/guestos/rootfs/docker-base.dev
          ic-os/boundary-guestos/rootfs/docker-base.prod
          ic-os/boundary-guestos/rootfs/docker-base.snp
+         ic-os/boundary-api-guestos/rootfs/docker-base.prod
+         ic-os/boundary-api-guestos/rootfs/docker-base.snp
          ic-os/hostos/rootfs/docker-base.prod
          ic-os/hostos/rootfs/docker-base.dev
          ic-os/setupos/rootfs/docker-base.prod

ic-os/boundary-api-guestos/rootfs/Dockerfile.base

@@ -0,0 +1,343 @@
+# Boundary API Guestos - Base Image
+#
+# Build steps:
+# - `docker build -t dfinity/boundary-api-guestos-base:<tag> -f Dockerfile.base .`
+# - `docker push/pull dfinity/boundary-api-guestos-base:<tag>`
+# - `docker build -t dfinity/boundary-api-guestos-base-snp:<tag> --build-arg CPU_SUPPORT="snp" -f Dockerfile.base
+# - `docker push/pull dfinity/boundary-api-guestos-base-snp:<tag>`
+
+# NOTE! If you edit this file, you will need to perform the following
+# operations to get your changes deployed.
+#
+# 1. Get your MR approved and merged into master
+# 2. On the next hourly master pipeline (Run post-merge tests), click the "deploy-guest-os-baseimg" job
+# 3. Note the sha256 and update the sha256 reference in the neighboring Dockerfiles.
+
+# AMD SEV-SNP support version and sha256
+ARG snp_tag=sev-snp-release-2022-06-01
+ARG snp_sha=d61ed4419c2e98925e28ccc6e55dbb0b2c5d4b1c
+ARG snp_libc_host_sha=c3c6024b36aeb10a4414627088a642ab0795c660
+ARG snp_libc_guest_sha=9591f3b5f157a6ec985c9ab441f0f2529613323e
+
+ARG snp_kernel_version_guest=5.17.0-rc6-snp-guest-dfa5ba8348e4
+ARG snp_kernel_version_host=5.14.0-rc2-snp-host-6d4469b86f90
+ARG snp_kernel_pkg=linux-image-${snp_kernel_version_guest}_${snp_kernel_version_guest}-1_amd64.deb
+ARG snp_kernel_libc_host=linux-libc-dev_${snp_kernel_version_host}-1_amd64.deb
+ARG snp_kernel_libc_guest=linux-libc-dev_${snp_kernel_version_guest}-1_amd64.deb
+
+#
+# First build stage: download software, build and verify it (such that it
+# does not change under our noses).
+#
+FROM ubuntu:20.04 AS download
+
+USER root:root
+
+ENV TZ=UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommends install \
+    ca-certificates \
+    curl \
+    pkg-config \
+    libffi-dev \
+    libssl-dev \
+    ssl-cert \
+    rustc \
+    cargo \
+    perl \
+    git \
+    autoconf \
+    make \
+    automake \
+    g++ \
+    gcc \
+    uuid-dev
+
+WORKDIR /tmp
+
+# Download SNP support
+ARG snp_tag
+ARG snp_sha
+ARG snp_libc_host_sha
+ARG snp_libc_guest_sha
+ARG snp_kernel_pkg
+ARG snp_kernel_libc_host
+ARG snp_kernel_libc_guest
+
+RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_pkg} && \
+    echo "${snp_sha}  ${snp_kernel_pkg}" | shasum -c
+RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_libc_guest} && \
+    echo "${snp_libc_guest_sha}  ${snp_kernel_libc_guest}" | shasum -c
+RUN curl -L -O https://github.com/dfinity/AMDSEV/releases/download/${snp_tag}/${snp_kernel_libc_host} && \
+    echo "${snp_libc_host_sha}  ${snp_kernel_libc_host}" | shasum -c
+
+# Download and verify vector
+RUN \
+    curl -L -O https://packages.timber.io/vector/0.24.1/vector_0.24.1-1_amd64.deb && \
+    echo "605b5bd2a0b3d03a252addfebb24e35af6929523cc9129a468039874806b3492  vector_0.24.1-1_amd64.deb" | shasum -c
+
+# Download and verify node_exporter
+RUN \
+    curl -L -O https://github.com/prometheus/node_exporter/releases/download/v1.5.0/node_exporter-1.5.0.linux-amd64.tar.gz && \
+    echo "af999fd31ab54ed3a34b9f0b10c28e9acee9ef5ac5a5d5edfdde85437db7acbb  node_exporter-1.5.0.linux-amd64.tar.gz" | shasum -c
+
+# Download and verify process-exporter
+RUN \
+    curl -L -O https://github.com/ncabatoff/process-exporter/releases/download/v0.7.10/process-exporter-0.7.10.linux-amd64.tar.gz && \
+    echo "52503649649c0be00e74e8347c504574582b95ad428ff13172d658e82b3da1b5  process-exporter-0.7.10.linux-amd64.tar.gz" | shasum -c
+
+# Download libnginx-mod-http-ndk.deb
+RUN \
+   curl -L -O https://github.com/dfinity/nginx-modules/releases/download/v0.0.10/libnginx-mod-http-ndk_0.3.1_amd64.deb && \
+   echo "74826f983c224f19f73da9710fa41b2eb0af6c6cc66f4d1f53657c90dab1eab2  libnginx-mod-http-ndk_0.3.1_amd64.deb" | shasum -c
+
+# Download libnginx-mod-http-cbor-input.deb
+RUN \
+   curl -L -O https://github.com/dfinity/nginx-modules/releases/download/v0.0.10/libnginx-mod-http-cbor-input_0.0.10_amd64.deb && \
+   echo "8461c9cfab5c944807f98e6517088bf14966edbc11228638e396cb8d1cd02ca0  libnginx-mod-http-cbor-input_0.0.10_amd64.deb" | shasum -c
+
+# Download libnginx-mod-http-cbor-req-ic.deb
+RUN \
+   curl -L -O https://github.com/dfinity/nginx-modules/releases/download/v0.0.10/libnginx-mod-http-cbor-req-ic_0.0.10_amd64.deb && \
+   echo "b3ef2ec3f73c8076c34ecb9b0f2710c0ed280b6ccfaad7fea80e524cf9f08868  libnginx-mod-http-cbor-req-ic_0.0.10_amd64.deb" | shasum -c
+
+# Download libnginx-mod-http-cbor-resp-ic.deb
+RUN \
+   curl -L -O https://github.com/dfinity/nginx-modules/releases/download/v0.0.10/libnginx-mod-http-cbor-resp-ic_0.0.10_amd64.deb && \
+   echo "7d40c0587539f7b7da3667f21d4b79f0e58d5874551a3526e831162d237618ec  libnginx-mod-http-cbor-resp-ic_0.0.10_amd64.deb" | shasum -c
+
+# Download and build sev-guest tool
+RUN \
+    git clone https://github.com/dfinity/sev-guest.git && \
+    dpkg -i /tmp/${snp_kernel_libc_guest} && \
+    dpkg -i /tmp/${snp_kernel_libc_host} && \
+    dpkg -i /tmp/${snp_kernel_libc_guest} && \
+    cd /tmp/sev-guest && make
+
+# Build ngx_http_geoip2_module
+FROM ubuntu:20.04 AS ngx_http_geoip2_module
+
+USER root:root
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN \
+    apt-get update && \
+    apt-get install -y \
+        software-properties-common \
+        gpg
+
+RUN \
+    add-apt-repository -y ppa:maxmind/ppa
+
+RUN \
+    apt-get install -y \
+        libmaxminddb-dev \
+        libmaxminddb0 \
+        mmdb-bin
+
+RUN \
+    apt-get install -y \
+        curl \
+        gcc \
+        libpcre3 \
+        libpcre3-dev \
+        make \
+        zlib1g \
+        zlib1g-dev
+
+ARG NGX_HTTP_GEOIP2_MODULE_TAG=3.4
+RUN \
+    curl -sLv \
+        https://github.com/leev/ngx_http_geoip2_module/archive/refs/tags/${NGX_HTTP_GEOIP2_MODULE_TAG}.tar.gz \
+    | tar -xzf -
+
+ARG NGINX_VERSION=1.21.3
+RUN \
+    curl -sLv \
+        http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
+    | tar -xzf -
+
+WORKDIR /nginx-${NGINX_VERSION}
+
+RUN \
+    ./configure \
+        --with-compat \
+        --add-dynamic-module=/ngx_http_geoip2_module-${NGX_HTTP_GEOIP2_MODULE_TAG}/ && \
+    make modules && \
+    mv objs/ngx_http_geoip2_module.so /tmp/
+
+#
+# Second build stage:
+# - Download and cache minimal Ubuntu Server 20.04 LTS Docker image
+# - Install and cache upstream packages from built-in Ubuntu repositories
+# - Copy downloaded archives from first build stage into the target image
+#
+FROM ubuntu:20.04
+
+USER root:root
+
+ENV TZ=UTC
+ENV SOURCE_DATE_EPOCH=0
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+# Preparation and install of packages for nginx
+RUN apt-get -y update && apt-get -y upgrade && apt-get -y --no-install-recommends install gnupg 
+RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ABF5BD827BD9BF62
+
+RUN echo "deb http://nginx.org/packages/mainline/ubuntu/ focal nginx" >> /etc/apt/sources.list.d/nginx.list &&\
+    echo "deb-src http://nginx.org/packages/mainline/ubuntu/ focal nginx" >> /etc/apt/sources.list.d/nginx.list 
+
+# GeoIP repository
+RUN \
+    apt-get update && \
+    apt-get install -y \
+        software-properties-common \
+        gpg
+
+RUN \
+    add-apt-repository -y ppa:maxmind/ppa
+
+RUN \
+    apt-get update && \
+    apt-get -y upgrade && \
+    apt-get -y --no-install-recommends install \
+        attr \
+        ca-certificates \
+        checkpolicy \
+        chrony \
+        cryptsetup \
+        curl \
+        dante-server \
+        faketime \
+        fdisk \
+        haveged \
+        initramfs-tools \
+        inotify-tools \
+        iproute2 \
+        iputils-ping \
+        isc-dhcp-client \
+        less \
+        libffi-dev \
+        liblmdb0 \
+        libmaxminddb0 \
+        libssl-dev \
+        linux-image-virtual-hwe-20.04 \
+        logrotate \
+        lshw \
+        lvm2 \
+        net-tools \
+        nftables \
+        nginx-module-njs=1.21.3+0.7.0-1~focal \
+        nginx=1.21.3-1~focal \
+        opensc \
+        openssh-client openssh-server \
+        parted \
+        pciutils \
+        pcsc-tools pcscd \
+        policycoreutils \
+        python \
+        python3-dev \
+        rsync \
+        ssl-cert \
+        sudo \
+        systemd systemd-sysv systemd-journal-remote \
+        udev \
+        usbutils \
+        vim \
+        zstd \
+        fcgiwrap \
+        incron
+
+# For the common image, just use common to use the default kernel of Ubuntu
+# For the SEV-SNP image, use "snp"  -- this can
+# be set via docker build args (see above).
+ARG CPU_SUPPORT=common
+
+# Copy AMD SEV-SNP kernel support
+ARG snp_tag
+ARG snp_kernel_pkg
+ARG snp_kernel_libc_guest
+ARG snp_kernel_libc_host
+COPY --from=download /tmp/${snp_kernel_pkg} /tmp/${snp_kernel_pkg}
+
+# Copy sev-guest tool
+COPY --from=download /tmp/sev-guest/sev-guest-get-report /opt/ic/bin/sev-guest-get-report
+COPY --from=download /tmp/sev-guest/sev-guest-parse-report /opt/ic/bin/sev-guest-parse-report
+COPY --from=download /tmp/sev-guest/sev-guest-kdf /opt/ic/bin/sev-guest-kdf
+
+# Install AMD SEV-SNP kernel support
+ARG CPU_SUPPORT
+ARG snp_tag
+ARG snp_kernel_version_guest
+ARG snp_kernel_pkg
+
+RUN \
+    echo "CPU_SUPPORT: ${CPU_SUPPORT}" && \
+    if [ "${CPU_SUPPORT}" = "snp" ] ; then \
+		dpkg -i /tmp/${snp_kernel_pkg} && \
+		# Create initrd for the new kernel
+		update-initramfs -b /boot -c -k ${snp_kernel_version_guest} && \
+		# Create soft link for vmlinuz and initrd.img pointing to the updated images
+        cd /boot && \
+		unlink vmlinuz && \
+		unlink initrd.img && \
+		ln -s vmlinuz-${snp_kernel_version_guest} vmlinuz && \
+		ln -s initrd.img-${snp_kernel_version_guest} initrd.img ; \
+     fi
+
+# Cleanup
+RUN rm /tmp/${snp_kernel_pkg}
+
+# Install vector
+COPY --from=download /tmp/vector_0.24.1-1_amd64.deb /tmp/vector_0.24.1-1_amd64.deb
+RUN dpkg -i --force-confold /tmp/vector_0.24.1-1_amd64.deb && \
+    rm /tmp/vector_0.24.1-1_amd64.deb
+
+# Install node_exporter
+COPY --from=download /tmp/node_exporter-1.5.0.linux-amd64.tar.gz /tmp/node_exporter-1.5.0.linux-amd64.tar.gz
+RUN cd /tmp/ && \
+    mkdir -p /etc/node_exporter && \
+    tar --strip-components=1 -C /usr/local/bin/ -zvxf node_exporter-1.5.0.linux-amd64.tar.gz node_exporter-1.5.0.linux-amd64/node_exporter && \
+    rm /tmp/node_exporter-1.5.0.linux-amd64.tar.gz
+
+# Install process-exporter
+COPY --from=download /tmp/process-exporter-0.7.10.linux-amd64.tar.gz /tmp/process-exporter-0.7.10.linux-amd64.tar.gz
+RUN cd /tmp/ && \
+    tar --strip-components=1 -C /usr/local/bin/ -zvxf process-exporter-0.7.10.linux-amd64.tar.gz process-exporter-0.7.10.linux-amd64/process-exporter && \
+    rm /tmp/process-exporter-0.7.10.linux-amd64.tar.gz
+
+### Nginx Modules
+
+ARG NGINX_MODULES_PATH=/usr/lib/nginx/modules/
+
+WORKDIR /tmp
+
+# Install libnginx-mod-http-ndk 
+COPY --from=download /tmp/libnginx-mod-http-ndk_0.3.1_amd64.deb .
+RUN \
+    dpkg -i libnginx-mod-http-ndk_0.3.1_amd64.deb && \
+    rm libnginx-mod-http-ndk_0.3.1_amd64.deb
+
+# Install libnginx-mod-http-cbor-input
+COPY --from=download /tmp/libnginx-mod-http-cbor-input_0.0.10_amd64.deb .
+RUN \
+    dpkg -i libnginx-mod-http-cbor-input_0.0.10_amd64.deb && \
+    rm libnginx-mod-http-cbor-input_0.0.10_amd64.deb
+
+# Install libnginx-mod-http-cbor-req-ic
+COPY --from=download /tmp/libnginx-mod-http-cbor-req-ic_0.0.10_amd64.deb .
+RUN \
+    dpkg -i libnginx-mod-http-cbor-req-ic_0.0.10_amd64.deb && \
+    rm libnginx-mod-http-cbor-req-ic_0.0.10_amd64.deb
+
+# Install libnginx-mod-http-cbor-resp-ic
+COPY --from=download /tmp/libnginx-mod-http-cbor-resp-ic_0.0.10_amd64.deb .
+RUN \
+    dpkg -i libnginx-mod-http-cbor-resp-ic_0.0.10_amd64.deb && \
+    rm libnginx-mod-http-cbor-resp-ic_0.0.10_amd64.deb
+
+# Install ngx_http_geoip2
+COPY --from=ngx_http_geoip2_module \
+    /tmp/ngx_http_geoip2_module.so ${NGINX_MODULES_PATH}

ic-os/boundary-api-guestos/rootfs/docker-base.prod

@@ -0,0 +1 @@
+dfinity/boundary-api-guestos-base@sha256:daf089138995dc7904ff7be43702b0eb7aa671f2a15bc540f3ee49cd1e10ed02

ic-os/boundary-api-guestos/rootfs/docker-base.snp

@@ -0,0 +1 @@
+dfinity/boundary-api-guestos-base-snp@sha256:4e84b2738d9d8ed77d08b1d8581e853dfaa5cfd61e8d850ab2318bb9020d7c24