-
Notifications
You must be signed in to change notification settings - Fork 193
/
linux-sgx-vm-gcc-release.jenkinsfile
48 lines (37 loc) · 1.84 KB
/
linux-sgx-vm-gcc-release.jenkinsfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
node('whatnots') {
checkout scm
env.SGX = '1'
env.IS_VM = '1'
load '.ci/lib/config-docker.jenkinsfile'
env.DOCKER_ARGS_SGX += '''
--volume=/usr/include/x86_64-linux-gnu/asm/sgx.h:/usr/include/asm/sgx.h:ro
'''
// Overwrite Gramine-specific seccomp policy because it conflicts with KVM requirements, see
// https://github.com/moby/moby/issues/42963 for details.
env.DOCKER_ARGS_COMMON +=
" --security-opt seccomp=${env.WORKSPACE}/scripts/docker_seccomp_aug_2022.json"
// Required by QEMU to run the same Linux kernel in VM (because we use host kernel as guest
// kernel for simplicity)
env.DOCKER_ARGS_COMMON += ' --volume=/boot:/boot:ro'
// only root and `kvm` group can access /dev/kvm, so add `kvm` GID to the in-Docker user
kvm_gid = sh(returnStdout: true, script: 'getent group kvm | cut -d: -f3').trim()
env.DOCKER_ARGS_COMMON += ' --group-add ' + kvm_gid
env.DOCKER_ARGS_COMMON += ' --device=/dev/kvm:/dev/kvm'
// only root and `sgx` group can access /dev/sgx_vepc, so add `sgx` GID to the in-Docker user
sgx_gid = sh(returnStdout: true, script: 'getent group sgx | cut -d: -f3').trim()
env.DOCKER_ARGS_SGX += ' --group-add ' + sgx_gid
env.DOCKER_ARGS_SGX += ' --device=/dev/sgx_vepc:/dev/sgx_vepc'
docker.build(
"local:${env.BUILD_TAG}",
'-f .ci/ubuntu22.04.dockerfile .'
).inside("${env.DOCKER_ARGS_COMMON} ${env.DOCKER_ARGS_SGX}") {
load '.ci/lib/config.jenkinsfile'
load '.ci/lib/config-release.jenkinsfile'
load '.ci/lib/stage-lint.jenkinsfile'
load '.ci/lib/stage-clean-check-prepare.jenkinsfile'
load '.ci/lib/stage-build-sgx-vm.jenkinsfile'
load '.ci/lib/stage-test-vm.jenkinsfile'
load '.ci/lib/stage-clean-vm.jenkinsfile'
load '.ci/lib/stage-clean-check.jenkinsfile'
}
}