Run tests in 1ES Hosted Confidential ACI Pool (#6653)

Author: achamayou

.github/workflows/ci.yml

@@ -167,3 +167,49 @@ jobs:
           # All other acceptably fast tests, which are now supported on Azure Linux.
           ./tests.sh --timeout 360 --output-on-failure -LE "benchmark|suite|unit"
         shell: bash
+
+  build_caci:
+    name: "Confidential Container (ACI) CI"
+    runs-on: [self-hosted, 1ES.Pool=gha-caci-ne]
+    needs: checks
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: "Build Debug"
+        run: |
+          set -ex
+          git config --global --add safe.directory /__w/CCF/CCF
+          mkdir build
+          cd build
+          cmake -GNinja -DCOMPILE_TARGET=snp -DCMAKE_BUILD_TYPE=Debug ..
+          ninja
+        shell: bash
+
+      - name: "Tests"
+        run: |
+          set -ex
+          cd build
+          rm -rf /github/home/.cache
+          mkdir -p /github/home/.cache
+          export ASAN_SYMBOLIZER_PATH=$(realpath /usr/bin/llvm-symbolizer-15)
+          # Unit tests, minus indexing that is sometimes timing out with this few cores
+          ./tests.sh --output-on-failure -L unit -j$(nproc --all) -E indexing
+          # Minimal end to end test that exercises SNP attestation verification
+          # but works within the current 4 core budget
+          ./tests.sh --timeout 360 --output-on-failure -R code_update
+        shell: bash
+
+      - name: "Upload logs"
+        uses: actions/upload-artifact@v4
+        with:
+          name: logs-caci-snp
+          path: |
+            build/workspace/*/*.config.json
+            build/workspace/*/out
+            build/workspace/*/err
+            build/workspace/*.ledger/*
+          if-no-files-found: ignore
+        if: success() || failure()

.snpcc_canary

@@ -2,4 +2,4 @@
  (. =)     Y (0 0)  (x X)    Y  (___) 
    O     \     o      |    /      |
 /-xXx--//-----x=x--/-xXx--/---x-/--->>>--/
-....
+......

docker/ccf_caci_ci

@@ -0,0 +1,11 @@
+FROM mcr.microsoft.com/azurelinux/base/core:3.0
+ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
+RUN gpg --import /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY
+RUN tdnf -y update
+RUN tdnf -y install ca-certificates git
+RUN tdnf -y install wget tar dotnet-sdk-8.0
+ENV RUNNER_ALLOW_RUNASROOT=true
+
+COPY scripts/setup-ci.sh /tmp/setup-ci.sh
+RUN chmod +x /tmp/setup-ci.sh
+RUN /tmp/setup-ci.sh

src/ds/test/work_beacon.cpp

@@ -158,7 +158,7 @@ size_t run_jobs(size_t n_senders, size_t n_receivers)
 
 TEST_CASE("WorkBeacon" * doctest::test_suite("workbeacon"))
 {
-  std::vector<size_t> test_vals{1, 5, 8};
+  std::vector<size_t> test_vals{1, 5};
   for (auto n_senders : test_vals)
   {
     for (auto n_receivers : test_vals)

tests/infra/snp.py

@@ -3,6 +3,7 @@
 
 import os
 import base64
+import glob
 from hashlib import sha256
 
 # Path to the SEV guest device on patched 5.x kernels
@@ -45,10 +46,16 @@ def is_snp():
 
 def get_aci_env():
     env = {}
-    with open(WELL_KNOWN_ACI_ENVIRONMENT_FILE_PATH, "r", encoding="utf-8") as f:
-        for line in f.read().splitlines():
-            env_key, env_value = line.partition("=")[::2]
-            env[env_key] = env_value
+    # If the well-known file exists, read the environment variables from it
+    # Otherwise, try to discover the security context directory
+    if os.path.exists(WELL_KNOWN_ACI_ENVIRONMENT_FILE_PATH):
+        with open(WELL_KNOWN_ACI_ENVIRONMENT_FILE_PATH, "r", encoding="utf-8") as f:
+            for line in f.read().splitlines():
+                env_key, env_value = line.partition("=")[::2]
+                env[env_key] = env_value
+    else:
+        (security_context_dir,) = glob.glob("/security-context-*")
+        env[ACI_SEV_SNP_ENVVAR_UVM_SECURITY_CONTEXT_DIR] = security_context_dir
     return env