Add custom guest-components build support

yousef-cohere · yousef-cohere · commit 2505ef8cbaef · 2026-03-25T17:27:44.000-04:00
- Add gc_builder stage to Dockerfile.podvm_binaries.ubuntu that compiles
  attestation-agent and api-server-rest from a configurable guest-components
  Git repo/ref when AA_FEATURES or GUEST_COMPONENTS_REF are set.
- Extend Makefile with AA_FEATURES, GUEST_COMPONENTS_REPO, and
  GUEST_COMPONENTS_REF variables to pass custom build parameters.
- Add /run tmpfs mount (80% RAM) to fstab for container image layers.
diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -15,6 +15,15 @@ PODVM_CONTAINER_NAME ?= $(REGISTRY)/podvm-docker-image-$(DISTRO_ARCH)
 VERIFY_PROVENANCE ?= no
 MKOSI_VERSION ?= v22
 
+# Set to a comma-separated list of cargo features to build attestation-agent
+# from source instead of pulling the pre-built OCI artifact.
+# Example: AA_FEATURES=bin,ttrpc,kbs,coco_as,rust-crypto,tdx-attester,nvidia-attester
+AA_FEATURES ?=
+
+# Git repo + ref for guest-components. When GUEST_COMPONENTS_REF is non-empty,
+# api-server-rest is also built from source alongside attestation-agent.
+GUEST_COMPONENTS_REPO ?= https://github.com/confidential-containers/guest-components.git
+
 _SHA := $(shell git rev-parse --short HEAD)
 _SHA_DIRTY := $(shell [ -n "$$(git status --porcelain 2>/dev/null)" ] && printf -- '-dirty')
 IMAGE_VERSION ?= $(_SHA)$(_SHA_DIRTY)
@@ -78,6 +87,8 @@ endif
 		--build-arg PAUSE_BIN=$(PAUSE_BIN) \
 		--build-arg IMAGE_NAME=mkosi-podvm-binaries \
 		--build-arg VERIFY_PROVENANCE=$(VERIFY_PROVENANCE) \
+		$(if $(AA_FEATURES),--build-arg AA_FEATURES=$(AA_FEATURES),) \
+		$(if $(GUEST_COMPONENTS_REF),--build-arg GUEST_COMPONENTS_REF=$(GUEST_COMPONENTS_REF) --build-arg GUEST_COMPONENTS_REPO=$(GUEST_COMPONENTS_REPO),) \
 		$(if $(AUTHFILE),--build-arg AUTHFILE=$(AUTHFILE),) \
 		$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
 		$(if $(filter $(PUSH),true),,-o type=local,dest="./resources/binaries-tree") \
diff --git a/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/fstab b/src/cloud-api-adaptor/podvm-mkosi/mkosi.skeleton/etc/fstab
@@ -0,0 +1 @@
+tmpfs /run tmpfs rw,nosuid,nodev,size=80% 0 0
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.ubuntu b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.ubuntu
@@ -5,6 +5,47 @@
 #
 # Build binaries for mkosi podvm image
 #
+
+# Optional: build guest-components binaries from source.
+# When AA_FEATURES is non-empty, attestation-agent is compiled with the given
+# cargo features (e.g. tdx + nvidia) instead of using the upstream pre-built binary.
+# When GUEST_COMPONENTS_REF is non-empty, api-server-rest is also compiled from
+# the same checkout so both binaries stay in sync.
+FROM rust:1.90-bookworm AS gc_builder
+ARG AA_FEATURES=""
+ARG GUEST_COMPONENTS_REF=""
+ARG GUEST_COMPONENTS_REPO="https://github.com/confidential-containers/guest-components.git"
+ARG DEBIAN_FRONTEND=noninteractive
+RUN set -e; \
+    if [ -n "${GUEST_COMPONENTS_REF}" ]; then \
+      apt-get update && \
+      apt-get install -y --no-install-recommends \
+        protobuf-compiler pkg-config clang libssl-dev libtss2-dev && \
+      apt-get clean && rm -rf /var/lib/apt/lists/* && \
+      mkdir -p /build/gc && cd /build/gc && \
+      git init && \
+      git remote add origin "${GUEST_COMPONENTS_REPO}" && \
+      git fetch --depth=1 origin "${GUEST_COMPONENTS_REF}" && \
+      git reset --hard FETCH_HEAD; \
+    fi
+RUN set -e; \
+    if [ -n "${AA_FEATURES}" ] && [ -n "${GUEST_COMPONENTS_REF}" ]; then \
+      cd /build/gc/attestation-agent/attestation-agent && \
+      cargo build --release --no-default-features \
+        --features "${AA_FEATURES}" --bin ttrpc-aa && \
+      cp /build/gc/target/release/ttrpc-aa /aa-binary; \
+    else \
+      touch /aa-binary; \
+    fi
+RUN set -e; \
+    if [ -n "${GUEST_COMPONENTS_REF}" ]; then \
+      cd /build/gc/api-server-rest && \
+      cargo build --release && \
+      cp /build/gc/target/release/api-server-rest /api-server-rest-binary; \
+    else \
+      touch /api-server-rest-binary; \
+    fi
+
 FROM ubuntu:24.04 AS builder
 
 ARG ARCH="x86_64"
@@ -107,5 +148,16 @@ RUN ./hack/cross-build-extras.sh
 
 RUN LIBC=gnu make binaries
 
+ARG AA_FEATURES=""
+ARG GUEST_COMPONENTS_REF=""
+COPY --from=gc_builder /aa-binary /tmp/aa-binary
+COPY --from=gc_builder /api-server-rest-binary /tmp/api-server-rest-binary
+RUN if [ -n "${AA_FEATURES}" ]; then \
+      install -m0755 /tmp/aa-binary /src/cloud-api-adaptor/podvm/files/usr/local/bin/attestation-agent; \
+    fi
+RUN if [ -n "${GUEST_COMPONENTS_REF}" ]; then \
+      install -m0755 /tmp/api-server-rest-binary /src/cloud-api-adaptor/podvm/files/usr/local/bin/api-server-rest; \
+    fi
+
 FROM scratch
 COPY --from=podvm_binaries_builder /src/cloud-api-adaptor/podvm/files /

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+tmpfs /run tmpfs rw,nosuid,nodev,size=80% 0 0`