Merge pull request #255 from Dstack-TEE/kms-gw-action

Add Actions for gateway/kms release

Author: kvinwang

.github/workflows/gateway-release.yml

@@ -0,0 +1,75 @@
+name: Gateway Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'gateway-v*'
+permissions:
+  attestations: write
+  id-token: write
+  contents: write
+  packages: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag
+        run: |
+          # Extract version from tag (e.g., gateway-v1.2.3 -> 1.2.3)
+          VERSION=${GITHUB_REF#refs/tags/gateway-v}
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "Parsed version: $VERSION"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get Git commit timestamps
+        run: |
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+          echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+        with:
+          context: gateway/dstack-app/builder
+          push: true
+          tags: ${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }}
+          platforms: linux/amd64
+          provenance: false
+          build-args: |
+            DSTACK_REV=${{ env.GIT_REV }}
+            SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway"
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "Gateway Release v${{ env.VERSION }}"
+          body: |
+            ## Docker Image Information
+
+            **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }}`
+
+            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
+
+            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})

.github/workflows/kms-release.yml

@@ -0,0 +1,101 @@
+name: KMS Release
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'kms-v*'
+permissions:
+  attestations: write
+  id-token: write
+  contents: write
+  packages: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse version from tag
+        run: |
+          # Extract version from tag (e.g., kms-v1.2.3 -> 1.2.3)
+          VERSION=${GITHUB_REF#refs/tags/kms-v}
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "Parsed version: $VERSION"
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Write GIT_REV
+        run: git rev-parse HEAD > kms/dstack-app/builder/.GIT_REV
+
+      - name: Get Git commit timestamps
+        run: |
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+          echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v5
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+        with:
+          context: kms/dstack-app/builder
+          push: true
+          tags: ${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }}
+          platforms: linux/amd64
+          provenance: false
+          build-args: |
+            DSTACK_REV=${{ env.GIT_REV }}
+            DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}
+            SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms"
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+          cache-dependency-path: kms/auth-eth/package-lock.json
+
+      - name: Install dependencies and compile contracts
+        run: |
+          cd kms/auth-eth
+          npm ci
+          npx hardhat compile
+
+      - name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: "KMS Release v${{ env.VERSION }}"
+          files: |
+            kms/auth-eth/artifacts/contracts/DstackKms.sol/DstackKms.json
+            kms/auth-eth/artifacts/contracts/DstackApp.sol/DstackApp.json
+          body: |
+            ## Docker Image Information
+
+            **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }}`
+
+            **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}`
+
+            **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }})
+
+            ## Contract ABIs
+
+            This release includes the compiled contract ABIs:
+            - `DstackKms.json` - Main KMS contract ABI
+            - `DstackApp.json` - Application contract ABI

gateway/dstack-app/Dockerfile

@@ -0,0 +1,49 @@
+FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS gateway-builder
+ARG DSTACK_REV
+WORKDIR /src
+
+# Install build dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    build-essential \
+    libssl-dev \
+    protobuf-compiler \
+    libprotobuf-dev \
+    libclang-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Clone and checkout specific revision
+RUN git clone https://github.com/Dstack-TEE/dstack.git && \
+    cd dstack && \
+    git checkout ${DSTACK_REV}
+
+# Build the gateway binary
+WORKDIR /src/dstack
+RUN cargo build --release -p dstack-gateway
+
+# Runtime stage
+FROM debian:bookworm@sha256:ced9eb5eca0a3ba2e29d0045513863b3baaee71cd8c2eed403c9f7d3eaccfd2b
+WORKDIR /app
+
+# Install runtime dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    wireguard-tools \
+    iproute2 \
+    jq \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy the built binary
+COPY --from=gateway-builder /src/dstack/target/release/dstack-gateway /usr/local/bin/dstack-gateway
+
+# Copy entrypoint script
+COPY entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Store git revision for reproducibility
+ARG DSTACK_REV
+RUN echo "${DSTACK_REV}" > /etc/.GIT_REV
+
+ENTRYPOINT ["/app/entrypoint.sh"]
+CMD ["dstack-gateway"]

gateway/dstack-app/builder/Dockerfile

@@ -0,0 +1,40 @@
+FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS gateway-builder
+COPY ./shared /build
+ARG DSTACK_REV
+WORKDIR /build
+RUN ./pin-packages.sh ./builder-pinned-packages.txt
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    build-essential \
+    musl-tools \
+    libssl-dev \
+    protobuf-compiler \
+    libprotobuf-dev \
+    clang \
+    libclang-dev
+RUN git clone https://github.com/Dstack-TEE/dstack.git && \
+    cd dstack && \
+    git checkout ${DSTACK_REV}
+RUN rustup target add x86_64-unknown-linux-musl
+RUN cd dstack && cargo build --release -p dstack-gateway --target x86_64-unknown-linux-musl
+RUN echo "${DSTACK_REV}" > /build/.GIT_REV
+
+FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe
+COPY ./shared /build
+WORKDIR /build
+RUN ./pin-packages.sh ./pinned-packages.txt && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git \
+    wireguard-tools \
+    iproute2 \
+    jq \
+    && rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache
+COPY --from=gateway-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-gateway /usr/local/bin/dstack-gateway
+COPY --from=gateway-builder /build/.GIT_REV /etc/
+WORKDIR /app
+COPY entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+ENTRYPOINT ["/app/entrypoint.sh"]
+CMD ["dstack-gateway"]

gateway/dstack-app/builder/README.md

@@ -0,0 +1,55 @@
+# Dstack KMS Builder
+
+This directory contains the necessary files to build and run the dstack-kms Docker image for development.
+
+## Overview
+
+The builder creates a Docker image that includes:
+- The dstack-kms service compiled from Rust source code
+- Command line tool dstack-acpi-tables for generating ACPI tables for dstack CVM
+
+## Prerequisites
+
+- Docker with BuildKit support (v20.10.0+)
+- Git
+
+## Building the Image
+
+To build the KMS Docker image, use the provided `build-image.sh` script:
+
+```bash
+./build-image.sh <image-name>[:<tag>]
+```
+
+For example:
+```bash
+./build-image.sh kvin/kms
+```
+
+## Running the Built Image
+
+### Using Docker Compose
+
+The easiest way to run the KMS service is using the provided `docker-compose.yaml`:
+
+```yaml
+services:
+  kms:
+    image: kvin/kms
+    ports:
+      - "8003:8000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./kms:/kms
+    environment:
+      - IMAGE_DOWNLOAD_URL=${IMAGE_DOWNLOAD_URL:-http://localhost:8001/mr_{OS_IMAGE_HASH}.tar.gz}
+      - AUTH_TYPE=dev
+      - DEV_DOMAIN=kms.1022.kvin.wang
+      - QUOTE_ENABLED=false
+```
+
+To start the service:
+
+```bash
+docker-compose up
+```

gateway/dstack-app/builder/build-image.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+set -e
+
+#NO_CACHE=--no-cache
+
+extract-packages() {
+    local name=$1
+    local pkg_list_file=$2
+    if [ -z "$pkg_list_file" ]; then
+        return
+    fi
+    docker run --rm --entrypoint bash $name -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > "$pkg_list_file"
+}
+
+# Function to build Docker image and optionally extract package list
+docker-build() {
+    local name=$1
+    local target=$2
+    local pkg_list_file=$3
+    # Get the commit timestamp for SOURCE_DATE_EPOCH
+    local commit_timestamp=$(git show -s --format=%ct $GIT_REV)
+    local build_args="--build-arg SOURCE_DATE_EPOCH=$commit_timestamp --build-arg DSTACK_REV=$GIT_REV"
+
+    local args="--builder buildkit_20 $NO_CACHE $build_args"
+
+    # Add target if specified
+    if [ -n "$target" ]; then
+        args="$args --target $target"
+    fi
+
+    # Build the image
+    docker buildx build $args --output type=docker,name=$name,rewrite-timestamp=true --progress=plain .
+    extract-packages $name $pkg_list_file
+}
+
+NAME=$1
+if [ -z "$NAME" ]; then
+    echo "Usage: $0 <name>[:<tag>]"
+    exit 1
+fi
+
+# Check if buildkit_20 already exists before creating it
+if ! docker buildx inspect buildkit_20 &>/dev/null; then
+    docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
+fi
+
+touch shared/builder-pinned-packages.txt
+touch shared/pinned-packages.txt
+GIT_REV=${GIT_REV:-HEAD}
+GIT_REV=$(git rev-parse $GIT_REV)
+
+docker-build "$NAME" "" "shared/pinned-packages.txt"
+docker-build "gateway-builder-temp" "gateway-builder" "shared/builder-pinned-packages.txt"
+
+git_status=$(git status --porcelain -- shared/)
+if [ -n "$git_status" ]; then
+    echo "The working tree is not clean, please commit or stash your changes before re-running the build"
+    exit 1
+fi
+