[DNS/WIP/TEST] Can we build the image with docker in SLSA now?

Change-Id: Id6589cc258bbc9d3f8562fb784ee220895994a58
project-oak · Apr 18, 2024 · 51470bf · 51470bf
1 parent 01a7f5f
commit 51470bf
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 12 deletions.
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
@@ -25,17 +25,17 @@ jobs:
       fail-fast: false
       matrix:
         buildconfig:
-          - buildconfigs/key_xor_test_app.toml
-          - buildconfigs/oak_containers_kernel.toml
-          - buildconfigs/oak_containers_stage1.toml
+          #- buildconfigs/key_xor_test_app.toml
+          #- buildconfigs/oak_containers_kernel.toml
+          #- buildconfigs/oak_containers_stage1.toml
           - buildconfigs/oak_containers_system_image.toml
-          - buildconfigs/oak_echo_enclave_app.toml
-          - buildconfigs/oak_echo_raw_enclave_app.toml
-          - buildconfigs/oak_functions_enclave_app.toml
-          - buildconfigs/oak_functions_insecure_enclave_app.toml
-          - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml
-          - buildconfigs/stage0_bin.toml
-          - buildconfigs/oak_orchestrator.toml
+          #- buildconfigs/oak_echo_enclave_app.toml
+          #- buildconfigs/oak_echo_raw_enclave_app.toml
+          #- buildconfigs/oak_functions_enclave_app.toml
+          #- buildconfigs/oak_functions_insecure_enclave_app.toml
+          #- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml
+          #- buildconfigs/stage0_bin.toml
+          #- buildconfigs/oak_orchestrator.toml
 
     permissions:
       actions: read

diff --git a/buildconfigs/oak_containers_system_image.toml b/buildconfigs/oak_containers_system_image.toml
@@ -2,11 +2,12 @@
 # building the `stage1` binary, and its provenance.
 # See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
 command = [
+  "--volume=/var/run/docker.sock:/var/run/docker.sock",
   "nix",
   "develop",
   ".#systemImageProvenance",
   "--command",
   "just",
-  "oak_containers_system_image",
+  "oak_containers_system_base_image",
 ]
 artifact_path = "./oak_containers_system_image/target/image.tar.xz"
diff --git a/flake.nix b/flake.nix
@@ -240,7 +240,9 @@
                 rust
                 bazelShell
               ];
-              packages = [ ];
+              packages = [
+                docker
+               ];
             };
             # Shell for most CI steps (i.e. without contaniners support).
             ci = pkgs.mkShell {

diff --git a/justfile b/justfile
@@ -95,6 +95,9 @@ oak_containers_kernel:
 oak_containers_system_image:
     env --chdir=oak_containers_system_image DOCKER_BUILDKIT=0 bash build.sh
 
+oak_containers_system_base_image:
+    env --chdir=oak_containers_system_image DOCKER_BUILDKIT=0 bash build-base.sh
+
 # Profile the Wasm execution and generate a flamegraph.
 profile_wasm:
     # If it fails with SIGSEGV, try running again.