Add support for SLES 15 SP4

This commit adds support for SLES (SUSE Linux Enterprise Server). The
support was tested with version 15 SP4.

Signed-off-by: Adarsh Anand <[email protected]>

Documentation/index.rst

@@ -317,8 +317,8 @@ in :file:`config.yaml.template`.
    unpredictable. Currently supported distros are Ubuntu 20.04, Ubuntu 21.04,
    Ubuntu 22.04, Ubuntu 23.04, Debian 10, Debian 11, Debian 12, CentOS 8, CentOS
    Stream 9, Red Hat Universal Base Image (UBI) 8, Red Hat Universal Base Image
-   (UBI) 9, Red Hat Universal Base Image (UBI) 8 minimal and Red Hat Universal Base Image
-   9 minimal.
+   (UBI) 9, Red Hat Universal Base Image (UBI) 8 minimal, Red Hat Universal Base Image
+   9 minimal and SUSE Linux Enterprise Server 15.
 
    Default value is ``auto`` which means GSC automatically detects the distro
    of the supplied Docker image. Users also have the option to provide one of

config.yaml.template

@@ -10,6 +10,7 @@
 # - quay.io/centos/centos:stream9
 # - redhat/ubi8:8.8, redhat/ubi9:9.4
 # - redhat/ubi8-minimal:8.8, redhat/ubi9-minimal:9.4
+# - registry.suse.com/suse/sle15:15.4
 
 # If Distro is set to "auto", GSC detects the distro automatically by examining the supplied
 # Docker image. Alternatively, Distro can be set to one of the supported distros mentioned above.

gsc.py

@@ -115,7 +115,7 @@ def extract_binary_info_from_image_config(config, env):
 
 
 def extract_environment_from_image_config(config):
-    env_list = config['Env']
+    env_list = config['Env'] or []
     base_image_environment = ''
     for env_var in env_list:
         # TODO: switch to loader.env_src_file = "file:file_with_serialized_envs" if
@@ -244,6 +244,21 @@ def handle_redhat_repo_configs(distro, tmp_build_path):
         # software updates and support from Red Hat.
         shutil.copytree(sslclientkey_dir, tmp_build_path / 'pki/entitlement')
 
+def handle_suse_repo_configs(distro, tmp_build_path):
+    if not distro.startswith('registry.suse.com/suse/sle'):
+        return
+
+    if not os.path.exists('/etc/zypp/credentials.d/SCCcredentials'):
+        print('Cannot find your SUSE Customer Center credentials file at '
+                '/etc/zypp/credentials.d/SCCcredentials. Please register and subscribe your SUSE '
+                'system to the SUSE Customer Center.')
+        sys.exit(1)
+
+    # This file contains the credentials for the SUSE Customer Center (SCC) account for the
+    # system to authenticate and receive software updates and support from SUSE. Copy it to
+    # the temporary build directory to include it in the graminized Docker image.
+    shutil.copyfile('/etc/zypp/credentials.d/SCCcredentials', tmp_build_path / 'SCCcredentials')
+
 def template_path(distro):
     if distro == 'quay.io/centos/centos':
         return 'centos/stream'
@@ -253,6 +268,9 @@ def template_path(distro):
             return 'redhat/ubi-minimal'
         return 'redhat/ubi'
 
+    if distro.startswith('registry.suse.com/suse/sle'):
+        return 'suse'
+
     return distro
 
 def assert_not_none(value, error_message):
@@ -264,6 +282,10 @@ def get_ubi_version(distro):
     match_ = re.match(r'^redhat/ubi(\d+)(-minimal)?:(\d+).(\d+)$', distro)
     return match_.group(1) if match_ else None
 
+def get_sles_version(distro):
+    match_ = re.match(r'^registry.suse.com/suse/sle(\d+):(\d+\.\d+)$', distro)
+    return match_.group(2) if match_ else None
+
 def get_image_distro(docker_socket, image_name):
     out = docker_socket.containers.run(image_name, entrypoint='cat /etc/os-release', remove=True)
     out = out.decode('UTF-8')
@@ -283,13 +305,16 @@ def get_image_distro(docker_socket, image_name):
             distro = f'redhat/ubi{version[0]}:{version_str}'
         else:
             distro = f'redhat/ubi{version[0]}-minimal:{version_str}'
+    elif os_release['ID'] == 'sles':
+        distro = f'registry.suse.com/suse/sle{version[0]}:{version_str}'
     else:
         # Some OS distros (e.g. Alpine) have very precise versions (e.g. 3.17.3),
         # and to support these OS distros, we need to truncate at the 2nd dot.
         distro = os_release['ID'] + ':' + '.'.join(version[:2])
 
     if os_release['NAME'] == 'CentOS Stream':
         distro = f'quay.io/centos/centos:stream{version[0]}'
+
     return distro
 
 def fetch_and_validate_distro_support(docker_socket, image_name, env):
@@ -345,6 +370,8 @@ def gsc_build(args):
     env.filters['shlex_quote'] = shlex.quote
     env.filters['assert_not_none'] = assert_not_none
     env.globals['get_ubi_version'] = get_ubi_version
+    env.globals['get_sles_version'] = get_sles_version
+    env.globals['template_path'] = template_path
     env.globals.update(config)
     env.globals.update(vars(args))
     env.globals.update({'app_image': original_image_name})
@@ -426,6 +453,7 @@ def gsc_build(args):
     shutil.copyfile('keys/intel-sgx-deb.key', tmp_build_path / 'intel-sgx-deb.key')
 
     handle_redhat_repo_configs(distro, tmp_build_path)
+    handle_suse_repo_configs(distro, tmp_build_path)
 
     build_docker_image(docker_socket.api, tmp_build_path, unsigned_image_name, 'Dockerfile.build',
                        rm=args.rm, nocache=args.no_cache, buildargs=extract_build_args(args))
@@ -461,6 +489,8 @@ def gsc_build_gramine(args):
     env = jinja2.Environment()
     env.filters['assert_not_none'] = assert_not_none
     env.globals['get_ubi_version'] = get_ubi_version
+    env.globals['get_sles_version'] = get_sles_version
+    env.globals['template_path'] = template_path
     env.globals.update(config)
     env.globals.update(vars(args))
 
@@ -496,6 +526,7 @@ def gsc_build_gramine(args):
     shutil.copyfile('keys/intel-sgx-deb.key', tmp_build_path / 'intel-sgx-deb.key')
 
     handle_redhat_repo_configs(distro, tmp_build_path)
+    handle_suse_repo_configs(distro, tmp_build_path)
 
     build_docker_image(docker_socket.api, tmp_build_path, gramine_image_name, 'Dockerfile.compile',
                        rm=args.rm, nocache=args.no_cache, buildargs=extract_build_args(args))

templates/Dockerfile.common.compile.template

@@ -30,7 +30,7 @@ RUN cd /gramine \
     && meson setup build/ --prefix="/gramine/meson_build_output" \
        --buildtype={{buildtype}} \
        -Ddirect=enabled -Dsgx=enabled \
-       {% if Distro.startswith('ubuntu') %}-Ddcap=enabled{% endif %} \
+       {% if template_path(Distro) == 'ubuntu' %}-Ddcap=enabled{% endif %} \
        {% if "linux-sgx-driver" in SGXDriver.Repository %} \
        -Dsgx_driver=oot -Dsgx_driver_include_path=/gramine/driver \
        {% else %} \

templates/suse/Dockerfile.build.template

@@ -0,0 +1,44 @@
+{% extends "Dockerfile.common.build.template" %}
+
+{% block install %}
+
+{% set ver = get_sles_version(Distro) | assert_not_none(
+    'ERROR: Unsupported SLES distribution - ' + Distro)
+%}
+
+RUN zypper update -y \
+    && zypper install -y suseconnect-ng \
+    && mkdir -p /etc/zypp/credentials.d
+
+COPY SCCcredentials /etc/zypp/credentials.d/
+
+RUN SUSEConnect -p PackageHub/{{ver}}/x86_64 \
+    && SUSEConnect -p sle-module-basesystem/{{ver}}/x86_64 \
+    && zypper install -y \
+        binutils \
+        openssl \
+        libprotobuf-c-devel \
+        python3 \
+        python3-cryptography \
+        python3-pip \
+        python3-protobuf \
+        python3-pyelftools \
+        python3-click \
+        python3-Jinja2 \
+        python3-tomli \
+        python3-voluptuous \
+        which \
+    && /usr/bin/python3 -B -m pip install 'tomli-w>=0.4.0' \
+    && zypper clean -a \
+    && rm -rf /etc/zypp/credentials.d/SCCcredentials
+
+{% if buildtype != "release" %}
+RUN zypper install -y \
+        gdb \
+        less \
+        libunwind \
+        python3-pytest \
+        strace \
+        vim
+{% endif %}
+{% endblock %}

templates/suse/Dockerfile.compile.template

@@ -0,0 +1,52 @@
+{% extends "Dockerfile.common.compile.template" %}
+
+{% block install %}
+
+{% set ver = get_sles_version(Distro) | assert_not_none(
+    'ERROR: Unsupported SLES distribution - ' + Distro)
+%}
+
+RUN zypper update -y \
+    && zypper install -y suseconnect-ng \
+    && mkdir -p /etc/zypp/credentials.d
+
+COPY SCCcredentials /etc/zypp/credentials.d/
+
+RUN SUSEConnect -p PackageHub/{{ver}}/x86_64 \
+    && SUSEConnect -p sle-module-basesystem/{{ver}}/x86_64 \
+    && SUSEConnect -p sle-module-desktop-applications/{{ver}}/x86_64 \
+    && SUSEConnect -p sle-module-development-tools/{{ver}}/x86_64 \
+    && zypper install -y \
+        autoconf \
+        bison \
+        cmake \
+        curl \
+        flex \
+        gawk \
+        gcc11 \
+        gcc11-c++ \
+        git \
+        libevent-devel \
+        libprotobuf-c-devel \
+        libprotobuf-c1 \
+        make \
+        meson \
+        nasm \
+        ninja \
+        openssl \
+        patch \
+        pkg-config \
+        protobuf-devel \
+        python3 \
+        python3-cryptography \
+        python3-pip \
+        python3-protobuf \
+        python3-tomli \
+        rpm-build \
+        wget \
+        which \
+    && /usr/bin/python3 -B -m pip install 'tomli-w>=0.4.0' \
+    && update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-11 10 \
+    && update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-11 10
+
+{% endblock %}

templates/suse/Dockerfile.sign.template

@@ -0,0 +1,15 @@
+{% extends "Dockerfile.common.sign.template" %}
+
+{% block uninstall %}
+RUN \
+   pip3 uninstall -y click jinja2 \
+      tomli tomli-w pyelftools voluptuous  \
+   && zypper remove -y binutils \
+      openssl \
+      python3-cryptography \
+      python3-protobuf \
+   && zypper clean -a;
+
+{% endblock %}
+
+{% block path %}export PYTHONPATH="${PYTHONPATH:+$PYTHONPATH:}$(find /gramine/meson_build_output/lib64 -type d -path '*/site-packages')" &&{% endblock %}

templates/suse/apploader.template

@@ -0,0 +1 @@
+{% extends "centos/apploader.template" %}

templates/suse/entrypoint.manifest.template

@@ -0,0 +1 @@
+{% extends "centos/entrypoint.manifest.template" %}