Add versioning system for dependencies

[stevenhorsman]

At the moment of the components we pull in (most notably to the podvm image) are either not versioned (e.g. kata-agent, attestation-agent)- so we pull in the latest code, or versions in particular files (skopeo, umoci, pause image, ubuntu version). In order to ensure our 'supply chain' is reliable and trusted and in future to enable us to have reproducible builds, we should consider adding a centralised place to control the versions of files, maybe similar to versions.yaml that kata-containers has.

[tumberino]

Example

---
cloud-img:
  - distro: ubuntu
    architecture: amd64
    source:
      url: https://cloud-images.ubuntu.com/releases/focal/release-20230107/ubuntu-20.04-server-cloudimg-amd64.img
      checksum: 3895e38566e5c2c019f5c6f825ab7570ee34dac6b9142fab0c7e5a78084c4280
  - distro: ubuntu
    architecture: s390x
    source:
      url: https://cloud-images.ubuntu.com/releases/focal/release-20230107/ubuntu-20.04-server-cloudimg-s390x.img
      checksum: 24673aa86785573d3a92e15166ff81beff88cbb0abc01938f156eb1332e87cd3

[wainersm]

Taking the Dockerfile.podvm as an example, there are UBUNTU_IMAGE_URL and UBUNTU_IMAGE_CHECKSUM build arguments:

ARG UBUNTU_IMAGE_URL=https://cloud-images.ubuntu.com/releases/focal/release-20230107/ubuntu-20.04-server-cloudimg-amd64.img
ARG UBUNTU_IMAGE_CHECKSUM=3895e38566e5c2c019f5c6f825ab7570ee34dac6b9142fab0c7e5a78084c4280

How to feed the information from version.yaml (suppose we will use that file) as the example @jtumber-ibm provided on the comment above? Currently the podvm (and podvm_builder) build process is manual. Does it mean we will need a script or Make targets to automate the build process so that it reads from the version.yaml to pass the correct versions as arguments to the podvm build?

[tumberino]

How to feed the information from version.yaml (suppose we will use that file) as the example @jtumber-ibm provided on the comment above? Currently the podvm (and podvm_builder) build process is manual. Does it mean we will need a script or Make targets to automate the build process so that it reads from the version.yaml to pass the correct versions as arguments to the podvm build?

I think initally we can just use it as a manually reference, but then I think we could add a helper script to extract the information to pass to other commands.

[katexochen]

Are there any plans how to go on with this? The versions.yml is now merged, but it is still incomplete. How are we going to use this during the build? @jtumber-ibm suggested to add a script to inject this?

[tumberino]

Are there any plans how to go on with this? The versions.yml is now merged, but it is still incomplete. How are we going to use this during the build? @jtumber-ibm suggested to add a script to inject this?

The first step, in my opinion, is to have any defaults in the various Makefiles be able to select defaults from this file. We should also add a note to the project README that the versions.yaml file can be used for manual reference as well.

I'll open this issue back up as there is still more to be done in terms of the full system for dependencies

[stevenhorsman]

It might be worth keeping an eye on https://github.com/confidential-containers/cloud-api-adaptor/pull/1018/files as that might clash with any implementation of this if they don't line up.

[katexochen]

Maybe we should have a broader discussion on the topic of builds and define some goals instead of doing steps in different directions.

[tumberino]

Maybe we should have a broader discussion on the topic of builds and define some goals instead of doing steps in different directions.

Agreed, want to start a thread on the CNC slack or a open a new issue to agree to a plan? Potentially lots of changes happening at once at the moment