From 51470bf138ca566590e4c353e0e53bb6bc4ed04c Mon Sep 17 00:00:00 2001
From: Jason LeBrun
Date: Thu, 18 Apr 2024 23:33:35 +0000
Subject: [PATCH] [DNS/WIP/TEST] Can we build the image with docker in SLSA now?

Change-Id: Id6589cc258bbc9d3f8562fb784ee220895994a58
---
 .github/workflows/provenance.yaml             | 20 +++++++++----------
 buildconfigs/oak_containers_system_image.toml |  3 ++-
 flake.nix                                     |  4 +++-
 justfile                                      |  3 +++
 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
index 0a2becb5cdb..8fd293635e4 100644
--- a/.github/workflows/provenance.yaml
+++ b/.github/workflows/provenance.yaml
@@ -25,17 +25,17 @@ jobs:
       fail-fast: false
       matrix:
         buildconfig:
-          - buildconfigs/key_xor_test_app.toml
-          - buildconfigs/oak_containers_kernel.toml
-          - buildconfigs/oak_containers_stage1.toml
+          #- buildconfigs/key_xor_test_app.toml
+          #- buildconfigs/oak_containers_kernel.toml
+          #- buildconfigs/oak_containers_stage1.toml
           - buildconfigs/oak_containers_system_image.toml
-          - buildconfigs/oak_echo_enclave_app.toml
-          - buildconfigs/oak_echo_raw_enclave_app.toml
-          - buildconfigs/oak_functions_enclave_app.toml
-          - buildconfigs/oak_functions_insecure_enclave_app.toml
-          - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml
-          - buildconfigs/stage0_bin.toml
-          - buildconfigs/oak_orchestrator.toml
+          #- buildconfigs/oak_echo_enclave_app.toml
+          #- buildconfigs/oak_echo_raw_enclave_app.toml
+          #- buildconfigs/oak_functions_enclave_app.toml
+          #- buildconfigs/oak_functions_insecure_enclave_app.toml
+          #- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml
+          #- buildconfigs/stage0_bin.toml
+          #- buildconfigs/oak_orchestrator.toml
 
     permissions:
       actions: read
diff --git a/buildconfigs/oak_containers_system_image.toml b/buildconfigs/oak_containers_system_image.toml
index f962981378c..d74d7bae993 100644
--- a/buildconfigs/oak_containers_system_image.toml
+++ b/buildconfigs/oak_containers_system_image.toml
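Review bot: Commenting out ten of the eleven `buildconfig` matrix entries means the provenance workflow no longer produces SLSA provenance for the kernel, stage0, stage1, orchestrator and enclave-app artifacts, so if this lands in its current form those builds ship unattested. The `[DNS/WIP/TEST]` subject suggests this is only meant to narrow the experiment to the system image, but there is nothing in the workflow that would flag the missing entries, since `#-` lines are simply valid YAML comments. A `workflow_dispatch` input selecting a single buildconfig, or running the experiment on a branch, would let the system-image test run without editing the release matrix.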
@@ -2,11 +2,12 @@
 # building the `stage1` binary, and its provenance.
 # See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker.
 command = [
+  "--volume=/var/run/docker.sock:/var/run/docker.sock",
   "nix",
   "develop",
   ".#systemImageProvenance",
   "--command",
   "just",
-  "oak_containers_system_image",
+  "oak_containers_system_base_image",
 ]
 artifact_path = "./oak_containers_system_image/target/image.tar.xz"
diff --git a/flake.nix b/flake.nix
index 8679d960daa..24b13b81bfe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -240,7 +240,9 @@
           rust
           bazelShell
         ];
-        packages = [ ];
+        packages = [
+          docker
+        ];
       };
       # Shell for most CI steps (i.e. without contaniners support).
       ci = pkgs.mkShell {
diff --git a/justfile b/justfile
index b8b50d311a4..2c905c8e953 100644
--- a/justfile
+++ b/justfile
@@ -95,6 +95,9 @@ oak_containers_kernel:
 oak_containers_system_image:
     env --chdir=oak_containers_system_image DOCKER_BUILDKIT=0 bash build.sh
 
+oak_containers_system_base_image:
+    env --chdir=oak_containers_system_image DOCKER_BUILDKIT=0 bash build-base.sh
+
 # Profile the Wasm execution and generate a flamegraph.
 profile_wasm:
     # If it fails with SIGSEGV, try running again.
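Review bot: `"--volume=/var/run/docker.sock:/var/run/docker.sock"` is placed as the first element of `command`, which the docker builder linked in the comment above executes inside the builder image as the build command rather than passing to `docker run`, so as written the first token is presumably treated as the program name and the build fails before `nix` is reached. Even if the host socket were mounted successfully, the build would then have full control of the host Docker daemon and the image would be assembled by that daemon outside the attested container, so the provenance emitted for `image.tar.xz` would no longer describe a hermetic build. The just target also changes to `oak_containers_system_base_image` while `artifact_path` still points at `./oak_containers_system_image/target/image.tar.xz`; confirm that `build-base.sh` writes that exact path, otherwise the generator attests a stale or missing artifact. The flake.nix hunk that adds `docker` to the same `systemImageProvenance` shell only supplies the client and has the same dependency on a reachable daemon.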
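Review bot: The new `oak_containers_system_base_image` recipe carries no comment explaining what the base image is or how it relates to `oak_containers_system_image`, while neighbouring recipes such as `profile_wasm` are documented; a line such as `# Build the base image consumed by oak_containers_system_image (runs build-base.sh).` above it, adjusted to what build-base.sh actually produces, would orient the next reader. The two recipes differ only in the script name, so the duplicated `env --chdir=oak_containers_system_image DOCKER_BUILDKIT=0 bash` line could be shared through a parameterised helper recipe, though that is optional. `DOCKER_BUILDKIT=0` is copied across without a reason; if the legacy builder is required for reproducible output, a short comment saying so would keep someone from re-enabling BuildKit later.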