deploy: support running sc2 on azure vms

.gitignore

@@ -14,6 +14,9 @@ svsm.bin
 bzImage
 coconut-qemu.igvm
 
+# Ansible inventories
+ansible/inventory
+
 # Kubernetes stuff
 .config
 

ansible/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+host_key_checking = False

ansible/tasks/apt.yaml

@@ -0,0 +1,25 @@
+---
+
+# Currently the provisioned VM image for CoCo on Azure VMs uses Ubuntu 20.04
+# so we need to add an APT repository to install python3.10
+# - name: "Add deadsnakes APT repository"
+#   become: yes
+#   apt_repository:
+#     repo: "ppa:deadsnakes/ppa"
+
+- name: "Install APT depdencencies"
+  become: yes
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg2
+      - libssl-dev
+      - pkg-config
+      - software-properties-common
+      - python3.10-dev
+      - python3-pip
+      - python3.10-venv
+      - unzip
+    update_cache: yes

ansible/tasks/code.yaml

@@ -0,0 +1,34 @@
+---
+
+- name: "Create code dir"
+  file:
+    path: "/home/{{ ansible_user }}/git"
+    state: directory
+
+- name: "Clone SC2 repos"
+  git:
+    repo: "https://www.github.com/sc2-sys/{{ item }}.git"
+    dest: "/home/{{ ansible_user }}/git/sc2-sys/{{ item }}"
+    depth: 1
+    update: yes
+    recursive: no
+    clone: yes
+    force: yes
+    accept_hostkey: yes
+  with_items:
+    - "applications"
+    - "deploy"
+    - "experiments"
+
+- name: "Clone virtee repos"
+  git:
+    repo: "https://www.github.com/virtee/{{ item }}.git"
+    dest: "/home/{{ ansible_user }}/git/virtee/{{ item }}"
+    depth: 1
+    update: yes
+    recursive: no
+    clone: yes
+    force: yes
+    accept_hostkey: yes
+  with_items:
+    - "snphost"

ansible/tasks/docker.yaml

@@ -0,0 +1,27 @@
+---
+
+- name: "Add Docker GPG key"
+  become: yes
+  apt_key: url=https://download.docker.com/linux/ubuntu/gpg
+
+- name: "Add Docker APT repository"
+  become: yes
+  apt_repository:
+    repo: "deb [arch=amd64] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
+
+- name: "Install Docker"
+  become: yes
+  apt:
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+      - docker-compose-plugin
+    update_cache: yes
+
+- name: "Add user to docker group"
+  become: yes
+  user:
+    name: "{{ ansible_user }}"
+    groups: docker
+    append: yes

ansible/tasks/qemu.yaml

@@ -0,0 +1,14 @@
+---
+
+- name: "Download the QEMU package with Azure's SNP patches"
+  get_url:
+    url: "https://github.com/jepio/AMDSEV/releases/download/v2024.02.24/snp-qemu_2024.10.28-0_amd64.deb"
+    dest: "/tmp/snp-qemu.deb"
+    mode: '0644'
+
+- name: "Install the new QEMU package"
+  become: true
+  apt:
+    deb: "/tmp/snp-qemu.deb"
+    state: present
+

ansible/tasks/rust.yaml

@@ -0,0 +1,17 @@
+---
+
+- name: "Install Rust using rustup"
+  shell: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+  args:
+    creates: ~/.cargo/bin/rustc
+
+- name: "Add Cargo bin directory to PATH"
+  lineinfile:
+    path: ~/.bashrc
+    line: 'export PATH="$HOME/.cargo/bin:$PATH"'
+    create: yes
+
+- name: "Reload shell profile"
+  shell: source ~/.bashrc
+  args:
+    executable: /bin/bash

ansible/tasks/update_host_kernel.yaml

@@ -0,0 +1,41 @@
+---
+
+- name: "Download the kernel with Azure's patches"
+  get_url:
+    url: "https://github.com/jepio/AMDSEV/releases/download/v2024.02.24/linux-image-6.8.0-rc5-next-20240221-snp-host-2cfe07293708_6.8.0-rc5-g2cfe07293708-2_amd64.deb"
+    dest: "/tmp/linux-image.deb"
+    mode: '0644'
+
+- name: "Install the new kernel package"
+  become: true
+  apt:
+    deb: "/tmp/linux-image.deb"
+    state: present
+
+- name: "Update GRUB to pick up the newly installed kernel"
+  become: true
+  command: update-grub
+
+- name: "List all installed kernels"
+  shell: dpkg --list | grep linux-image
+  register: installed_kernels
+
+# You can see the different options by running `dpkg --list | grep linux-image`
+- name: "Set the default kernel in GRUB"
+  become: true
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_DEFAULT='
+    line: 'GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux 6.8.0-rc5-next-20240221-snp-host-2cfe07293708"'
+
+- name: "Update GRUB configuration again to pick up new changes"
+  become: true
+  command: update-grub
+  when: installed_kernels is changed
+
+- name: "Reboot the system to apply the new kernel"
+  become: true
+  reboot:
+    reboot_timeout: 600
+    test_command: uname -r
+  register: reboot_result

ansible/vm.yaml

@@ -0,0 +1,16 @@
+---
+
+- hosts: all
+  gather_facts: yes
+  tasks:
+    - include_tasks: tasks/apt.yaml
+    # Install docker before updating the host kernel so that the reboot in the
+    # latter also means we can use docker without sudo (which also requires a
+    # reboot)
+    - include_tasks: tasks/docker.yaml
+    # TODO: manually cherry-pick patches on top of svsm/linux
+    - include_tasks: tasks/update_host_kernel.yaml
+    - include_tasks: tasks/qemu.yaml
+    - include_tasks: tasks/rust.yaml
+    - include_tasks: tasks/code.yaml
+      # - include_tasks: tasks/sc2.yml

bin/workon.sh

@@ -49,6 +49,12 @@ else
     echo "sc2-deploy: WARN: neither SNP nor TDX is enabled"
 fi
 
+if [ "$(sudo dmidecode -s system-manufacturer 2>/dev/null)" == "Microsoft Corporation" ]; then
+    export SC2_ON_AZURE="yes"
+else
+    export SC2_ON_AZURE="no"
+fi
+
 # ----------------------------------
 # VM cache config
 # ----------------------------------
@@ -71,11 +77,17 @@ export PS1="(sc2-deploy) $PS1"
 # Splash
 # -----------------------------
 
+if [ "$SC2_ON_AZURE" == "yes" ]; then
+    tee_str="${SC2_TEE}-azure"
+else
+    tee_str="${SC2_TEE}"
+fi
+
 echo ""
 echo "----------------------------------"
 echo "CLI for SC2 Deployment Scripts"
 echo "CoCo Version: ${COCO_VERSION}"
-echo "TEE: ${SC2_TEE}"
+echo "TEE: ${tee_str}"
 echo "----------------------------------"
 echo ""
 

docker/ovmf.dockerfile

@@ -28,3 +28,23 @@ RUN mkdir -p ${CODE_DIR} \
     && build -a X64 -b RELEASE -t GCC5 -p OvmfPkg/OvmfPkgX64.dsc \
     && touch  OvmfPkg/AmdSev/Grub/grub.efi \
     && build -a X64 -b RELEASE -t GCC5 -p OvmfPkg/AmdSev/AmdSevX64.dsc
+
+ARG OVMF_VERSION_AZURE
+ARG CODE_DIR=/git/sc2-sys/edk2-azure
+RUN mkdir -p ${CODE_DIR} \
+    && git clone \
+        --branch ${OVMF_VERSION_AZURE} \
+        --depth 1 \
+        https://github.com/tianocore/edk2.git \
+        ${CODE_DIR} \
+    && cd ${CODE_DIR} \
+    && sed -i \
+        's#https://github\.com/Zeex/subhook\.git#https://github.com/tianocore/edk2-subhook.git#g' \
+        .gitmodules \
+    && git submodule update --init \
+    && export PYTHON3_ENABLE=TRUE \
+    && export PYTHON_COMMAND=python3 \
+    && make -j $(nproc) -C BaseTools/ \
+    && . ./edksetup.sh --reconfig \
+    && touch  OvmfPkg/AmdSev/Grub/grub.efi \
+    && build -a X64 -b RELEASE -t GCC5 -p OvmfPkg/AmdSev/AmdSevX64.dsc

requirements.txt

@@ -1,4 +1,5 @@
 ansible>=8.4.0
+azure-cli>=2.68.0
 black>=23.9.1
 flake8>=7.1.1
 invoke>=2.1.0

tasks/__init__.py

@@ -1,5 +1,6 @@
 from invoke import Collection
 
+from . import azure
 from . import coco
 from . import containerd
 from . import cosign
@@ -26,6 +27,7 @@
 from . import svsm
 
 ns = Collection(
+    azure,
     coco,
     containerd,
     cosign,