osguard-ci: Add Code Integrity variant of OS Guard #14505

Merged
merged 5 commits into from
Aug 21, 2025

Conversation

@christopherco (Contributor) commented Aug 13, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Add new image configuration definition for OS Guard that enables code
integrity enhancements.

To enable code integrity checking for containers, this image activates
the containerd erofs-snapshotter with an updated
/etc/containerd/config.toml configuration, and also configures cni
appropriately for pod networking.

Additionally this image enables SELinux in enforcing mode for another
important security layer.

Finally, update the OS Guard generation script to handle generating
OS Guard image configurations using different delta files, and simplify
the process of adding new delta configurations by creating the GEN_JOBS
array, where each entry follows the schema:

<base-template>|<delta-template>|<output>

Also update the test function to check all entries of GEN_JOBS for diffs.

Signed-off-by: Chris Co <chrco@microsoft.com>

Does this affect the toolchain?

NO

Associated issues
Test Methodology
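The GEN_JOBS pattern described in the summary, as an added illustration that is not the PR's or the repository's own generate-osguard-imageconfigs.sh: each entry is split on `|`, template paths are resolved from the script's own location rather than the caller's working directory, and a check mode reports any generated output on disk that no longer matches its templates. The template file names and the line-concatenating stand-in for merge_yaml.py are assumptions made for this example.

```shell
#!/bin/sh
# Illustration of the GEN_JOBS pattern only; not the repository's
# generate-osguard-imageconfigs.sh. merge_templates stands in for
# merge_yaml.py (assumption: the real script does a proper YAML merge).
set -eu

# Resolve paths from the script's own location, not the caller's CWD.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)

# One job per line, schema: <base-template>|<delta-template>|<output>
# (file names below are constructed for this example)
GEN_JOBS="
base.yaml|delta-ci.yaml|osguard-ci.yaml
base.yaml|delta-plain.yaml|osguard.yaml
"

# Split one entry into "base delta output"; reject anything but three
# non-empty fields so a malformed entry fails loudly instead of silently.
parse_job() {
    case $1 in
        *'|'*'|'*'|'*|*'||'*|'|'*|*'|') return 1 ;;  # 4+ fields or empty field
        *'|'*'|'*) ;;                                 # exactly three fields
        *) return 1 ;;                                # too few fields
    esac
    rest=${1#*|}
    printf '%s %s %s\n' "${1%%|*}" "${rest%%|*}" "${rest#*|}"
}

# Stand-in merge: base content followed by the delta's content.
merge_templates() { cat "$1" "$2"; }

# generate: write every job's output.  check: return 1 if any output on
# disk differs from what the templates would produce now (CI diff test).
run_jobs() {
    mode=$1; dir=${2:-$SCRIPT_DIR}; stale=0
    for entry in $GEN_JOBS; do
        fields=$(parse_job "$entry") || { echo "bad entry: $entry" >&2; return 2; }
        set -- $fields
        base=$dir/$1; delta=$dir/$2; out=$dir/$3
        [ -f "$base" ] && [ -f "$delta" ] || { echo "missing template: $entry" >&2; return 2; }
        if [ "$mode" = generate ]; then
            merge_templates "$base" "$delta" > "$out"
        elif ! merge_templates "$base" "$delta" | diff -q - "$out" >/dev/null 2>&1; then
            echo "stale: $out" >&2; stale=1
        fi
    done
    return $stale
}

# Usage: sh gen-jobs.sh generate|check [templates-dir]
if [ $# -gt 0 ]; then run_jobs "$@"; fi
```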

@microsoft-github-policy-service microsoft-github-policy-service bot added Tools Schema Changes to image configurations labels Aug 13, 2025
Base automatically changed from chrco/osguard-refactor to 3.0-dev August 13, 2025 21:49
@microsoft-github-policy-service microsoft-github-policy-service bot added the 3.0-dev PRs Destined for AzureLinux 3.0 label Aug 13, 2025
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch from 4b1433a to 67feea2 Compare August 13, 2025 22:43
@christopherco christopherco marked this pull request as ready for review August 13, 2025 22:47
@christopherco christopherco requested a review from a team as a code owner August 13, 2025 22:47
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch from 67feea2 to 9002eca Compare August 14, 2025 03:41
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch 3 times, most recently from f73c572 to c4bf9bf Compare August 16, 2025 05:27
@christopherco christopherco marked this pull request as draft August 17, 2025 03:17
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch 2 times, most recently from 54fb301 to fb8fcac Compare August 17, 2025 04:36
@christopherco christopherco marked this pull request as ready for review August 17, 2025 05:01
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch from 2ffc767 to 62b4f55 Compare August 17, 2025 21:21
@reubeno (Member) left a comment

Changes generally look good to me; just a few specific questions and comments.

@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch from 58a947a to edfa33d Compare August 19, 2025 07:56
Add new image configuration definition for OS Guard that enables code
integrity enhancements.

To enable code integrity checking for containers, this image activates
the containerd erofs-snapshotter in /etc/containerd/config.toml and
configures cni appropriately.

Additionally this image enables SELinux in enforcing mode for SELinux
MAC enforcement.

Finally, update the OS Guard generation script to handle generating
OS Guard image configurations using different delta files, and simplify
the process of adding new delta configurations by creating the GEN_JOBS
array, where each entry follows the schema:

	<base-template>|<delta-template>|<output>

Also update the test function to check all entries of GEN_JOBS for diffs.

Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
We expect the next-level customizer to provide the CNI configuration for
pod networking.

This behavior matches general-purpose containerd behavior when invoked
through CRI interface.

Signed-off-by: Chris Co <chrco@microsoft.com>
Signed-off-by: Chris Co <chrco@microsoft.com>
Make the generate-osguard-imageconfigs.sh script work from any directory
by determining paths based on the script's own location rather than
relying on the current working directory.

Changes:
- Use SCRIPT_DIR to determine script location and calculate relative paths
- Replace hardcoded relative paths with dynamic path resolution
- Add validation for expected directory structure
- Update documentation to reflect CWD independence
- Use absolute path for merge_yaml.py invocation

This allows users to run the script from anywhere in the repository
without needing to cd to toolkit/scripts first, improving usability
and reducing potential user errors.

Signed-off-by: Chris Co <chrco@microsoft.com>
@christopherco christopherco force-pushed the chrco/osguard-refactor-add-ci branch from edfa33d to 1d75f45 Compare August 20, 2025 06:27
@christopherco christopherco merged commit 51d068a into 3.0-dev Aug 21, 2025
34 of 37 checks passed
@christopherco christopherco deleted the chrco/osguard-refactor-add-ci branch August 21, 2025 06:34