Merge branch 'confidential-containers:main' into main

Update default memory and cpu size for Libvirt provider

Signed-off-by : SAVITRI HUNASHEEKATTI <[email protected]>

.github/workflows/azure-podvm-image-build.yml

@@ -65,7 +65,6 @@ jobs:
         TEE_PLATFORM: az-cvm-vtpm
         VERIFY_PROVENANCE: yes
       run: |
-        make fedora-binaries-builder
         make binaries
 
     - name: Install build dependencies

.github/workflows/e2e_libvirt.yaml

@@ -121,6 +121,8 @@ jobs:
           echo "container_runtime=\"${{ inputs.container_runtime }}\"" >> libvirt.properties
           # For debugging
           cat libvirt.properties
+          # Add the kcli install directory to PATH for later steps
+          echo "${HOME}/.local/bin" >> "$GITHUB_PATH"
 
       - name: Install gh cli
         run: |

.github/workflows/e2e_run_all.yaml

@@ -265,15 +265,18 @@ jobs:
   # Run libvirt s390x e2e tests, based on the mkosi image, if pull request labeled 'test_e2e_libvirt'
   libvirt_s390x:
     name: E2E tests on libvirt for the s390x architecture
-    # Skip s390x e2e tests until Choi is available to set-up the s390x runner's pre-action properly. Then revert this.
-    if: false
+    if: |
+      github.event_name == 'schedule' ||
+      github.event_name == 'workflow_dispatch' ||
+      contains(github.event.pull_request.labels.*.name, 'test_e2e_libvirt') ||
+      contains(github.event.pull_request.labels.*.name, 'test_e2e_libvirt_s390x')
     needs: [podvm_mkosi_s390x, libvirt_e2e_arch_prep, caa_image_s390x]
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON(needs.libvirt_e2e_arch_prep.outputs.matrix) }}
     uses: ./.github/workflows/e2e_libvirt.yaml
     with:
-      runner: S390X
+      runner: s390x-large
       caa_image: ${{ inputs.registry }}/cloud-api-adaptor:${{ inputs.caa_image_tag }}-s390x-dev
       podvm_image: ${{ needs.podvm_mkosi_s390x.outputs.qcow2_oras_image }}
       install_directory_artifact: install_directory

.github/workflows/podvm_mkosi.yaml

@@ -81,6 +81,11 @@ jobs:
           fetch-depth: 0
           ref: "${{ inputs.git_ref }}"
 
+      # Required by rootless mkosi
+      - name: Un-restrict user namespaces
+        if: inputs.arch == 'amd64'
+        run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+
       - name: Rebase the code
         if: github.event_name == 'pull_request_target'
         working-directory: ./
@@ -120,12 +125,6 @@ jobs:
         with:
           version: ${{ env.ORAS_VERSION }}
 
-      - name: Build builder
-        id: build_builder
-        working-directory: src/cloud-api-adaptor/podvm-mkosi
-        run: make fedora-binaries-builder
-        env:
-          ARCH: ${{ inputs.arch }}
 
       - name: Build binaries
         id: build_binaries

src/cloud-api-adaptor/ci-infra/README.md

@@ -16,6 +16,3 @@ CI workflow.
 2. Make changes specific to only CI workflow in second PR. 
 3. Test this second PR CI changes on personal public forked repo and reference test results from CI run in personal repo in this PR.
 4. Get this PR merged on upstream main branch.
-
-> **NOTE**: As this needs to access repository secrets so we cant run changes in CI without merging it refer to [this](https://iterative.ai/blog/testing-external-contributions-using-github-actions-secrets) for more info.
-

src/cloud-api-adaptor/docker/README.md

@@ -14,8 +14,17 @@ The `docker` provider simulates a pod VM inside a docker container.
 
   Ensure you complete the [post install steps](https://docs.docker.com/engine/install/linux-postinstall/) if using non-root user
 
+- Install [yq](https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_amd64), [kubectl](https://storage.googleapis.com/kubernetes-release/release/v1.29.4/bin/linux/amd64/kubectl), [kind](https://kind.sigs.k8s.io/dl/v0.23.0/kind-linux-amd64) manually or using `prereqs.sh` helper script under `src/cloud-api-adaptor/docker`.
 
 - Kubernetes cluster
+```
+# The default cluster name is peer-pods if CLUSTER_NAME variable not set
+export CLUSTER_NAME={your_cluster_name}
+```
+use below command to create a kind cluster before deploy CAA
+```
+./kind_cluster.sh create
+```
 
 ## Build CAA pod-VM image
 

src/cloud-api-adaptor/docs/consuming-prebuilt-podvm-images.md

@@ -18,5 +18,6 @@ The easiest way to extract the qcow2 file from the podvm container image is usin
 $ cd podvm
 $ ./hack/download-image.sh quay.io/confidential-containers/podvm-generic-ubuntu-amd64 . -o podvm.qcow2
 ```
+>Note: images can be checked from https://quay.io/repository/confidential-containers/podvm-generic-ubuntu-amd64?tab=tags, to get available tag e.g. `v0.11.0` if the default tag `latest` is missed.
 
 In case your workload images are pulled from a private registry then you need to provide the authentication file by either [installing along with the cloud-api-adaptor deployment](registries-authentication.md#deploy-authentication-file-along-with-cloud-api-adaptor-deployment) or [statically embedding in the podvm image](registries-authentication.md#statically-embed-authentication-file-in-podvm-image). With the later you will need to build the image from sources, so find detailed instructions in [podvm/README.md](../podvm/README.md).

src/cloud-api-adaptor/entrypoint.sh

@@ -152,13 +152,17 @@ libvirt() {
     test_vars LIBVIRT_URI
 
     [[ "${DISABLECVM}" = "true" ]] && optionals+="-disable-cvm "
+    [[ "${LIBVIRT_CPU}" ]] && optionals+="-CPU ${LIBVIRT_CPU} "
+    [[ "${LIBVIRT_MEMORY}" ]] && optionals+="-Memory ${LIBVIRT_MEMORY} "
+
     set -x
     exec cloud-api-adaptor libvirt \
         -uri "${LIBVIRT_URI}" \
         -data-dir /opt/data-dir \
         -pods-dir /run/peerpod/pods \
         -network-name "${LIBVIRT_NET:-default}" \
         -pool-name "${LIBVIRT_POOL:-default}" \
+
         ${optionals} \
         -socket /run/peerpod/hypervisor.sock
 }

src/cloud-api-adaptor/go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/vishvananda/netns v0.0.4
 	github.com/vmware/govmomi v0.33.1 // indirect
-	golang.org/x/sys v0.27.0
+	golang.org/x/sys v0.28.0
 	google.golang.org/grpc v1.61.2
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/cri-api v0.27.1 // indirect
@@ -56,7 +56,7 @@ require (
 	github.com/pelletier/go-toml/v2 v2.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
-	golang.org/x/crypto v0.24.0
+	golang.org/x/crypto v0.31.0
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2
 	google.golang.org/protobuf v1.33.0
 	k8s.io/api v0.26.2
@@ -187,11 +187,11 @@ require (
 	go.opentelemetry.io/otel/trace v1.25.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.17.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/api v0.162.0 // indirect

src/cloud-api-adaptor/go.sum

@@ -613,8 +613,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
 golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
@@ -648,8 +648,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20221004154528-8021a29435af/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
 golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
@@ -662,8 +662,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -699,22 +699,22 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
-golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

src/cloud-api-adaptor/install/overlays/libvirt/kustomization.yaml

@@ -28,6 +28,8 @@ configMapGenerator:
   - LIBVIRT_EFI_FIRMWARE="/usr/share/OVMF/OVMF_CODE_4M.fd" # Edit to change the EFI firmware path, or comment to unset, if not using EFI.
   #- LIBVIRT_LAUNCH_SECURITY="" #sev or s390-pv
   #- LIBVIRT_VOL_NAME="" # Uncomment and set if you want to use a specific volume name. Defaults to podvm-base.qcow2
+  #- LIBVIRT_CPU="2"
+  #- LIBVIRT_Memory="800
   #- PAUSE_IMAGE="" # Uncomment and set if you want to use a specific pause image
   #- TUNNEL_TYPE="" # Uncomment and set if you want to use a specific tunnel type. Defaults to vxlan
   #- VXLAN_PORT="" # Uncomment and set if you want to use a specific vxlan port. Defaults to 4789

src/cloud-api-adaptor/libvirt/config_libvirt.sh

@@ -80,7 +80,15 @@ installKcli() {
     if ! command -v kcli >/dev/null; then
         echo "Installing kcli"
         kcli_version="$(./hack/yq-shim.sh '.tools.kcli' versions.yaml)"
-        sudo pip3 install kcli==${kcli_version}
+        if [ $OS_DISTRO == "ubuntu" ]; then
+            # Work around newer Ubuntu's python venv errors by using pipx to install kcli
+            sudo DEBIAN_FRONTEND=noninteractive apt-get install pipx -y
+            # export PATH="$PATH:$HOME/.local/bin"
+            pipx install kcli==${kcli_version}
+            pipx ensurepath
+        else
+            sudo pip3 install kcli==${kcli_version}
+        fi
     fi
 }
 
@@ -92,7 +100,7 @@ installK8sclis() {
     fi
 }
 
-TEST_E2E_SECURE_COMMS=${TEST_E2E_SECURE_COMMS:-none}.
+TEST_E2E_SECURE_COMMS=${TEST_E2E_SECURE_COMMS:-none}
 echo "SECURE_COMMS is ${TEST_E2E_SECURE_COMMS}"
 
 echo "Installing Go..."
@@ -123,10 +131,22 @@ echo "libvirt_ssh_key_file=\"id_rsa\"" >> libvirt.properties
 echo "CLUSTER_NAME=\"peer-pods\"" >> libvirt.properties
 
 # switch to the appropriate e2e test and add configs to libvirt.properties as needed
-case $TEST_E2E_SECURE_COMMS in
+case ${TEST_E2E_SECURE_COMMS} in
+
+  withoutKbs)
+    echo "processing withoutKbs"
+    echo "SECURE_COMMS=\"true\"" >> libvirt.properties
+    echo "SECURE_COMMS_NO_TRUSTEE=\"true\"" >> libvirt.properties
+    echo "INITDATA=\"\"" >> libvirt.properties
+    ;;
 
   *)
     echo "processing none"
     echo "SECURE_COMMS=\"false\"" >> libvirt.properties
     ;;
 esac
+
+if [[ "${OS_DISTRO}" == "ubuntu" ]] && [[ "${CI:-}" != "true" ]]; then
+    # Reload shell so that pipx install PATH is available
+    exec $SHELL
+fi

src/cloud-api-adaptor/libvirt/e2e_matrix_libvirt.json

@@ -1,6 +1,6 @@
 {
     "container_runtime": ["containerd", "crio"],
-    "secure_comms": ["none"],
+    "secure_comms": ["none", "withoutKbs"],
     "os": ["ubuntu"],
     "provider": ["generic"],
     "arch": ["amd64"]

src/cloud-api-adaptor/podvm-mkosi/Makefile

@@ -17,35 +17,18 @@ VERIFY_PROVENANCE ?= no
 
 .DEFAULT_GOAL := all
 .PHONY: all
-all: fedora-binaries-builder binaries image
+all: binaries image
 
 .PHONY: debug
-debug: fedora-binaries-builder binaries image-debug
+debug:binaries image-debug
 
 .PHONY: container
-container: fedora-binaries-builder binaries image-container
+container: binaries image-container
 
 ifeq ($(ARCH),s390x)
 YQ_CHECKSUM = $(YQ_CHECKSUM_s390x)
 endif
 
-PHONY: fedora-binaries-builder
-fedora-binaries-builder:
-	@echo "Building $(BUILDER) image..."
-	docker buildx build \
-		-t $(PODVM_BUILDER_IMAGE) \
-		--build-arg GO_VERSION=$(GO_VERSION) \
-		--build-arg ARCH=$(ARCH) \
-		--build-arg PROTOC_VERSION=$(PROTOC_VERSION) \
-		--build-arg YQ_VERSION=$(YQ_VERSION) \
-		--build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \
-		--build-arg YQ_ARCH=$(ARCH) \
-		--build-arg PROTOC_ARCH=$(if $(filter amd64,$(ARCH)),x86_64,s390x) \
-		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
-		--load \
-		-f ../podvm/Dockerfile.podvm_builder.fedora ../.
-
-PHONY: binaries
 binaries:
 	@echo "Building binaries..."
 	rm -rf ./resources/binaries-tree
@@ -55,7 +38,14 @@ endif
 	docker buildx build \
 		-t $(PODVM_BINARIES_IMAGE) \
 		--progress=plain \
-		--build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \
+		--build-arg GO_VERSION=$(GO_VERSION) \
+		--build-arg ARCH=$(ARCH) \
+		--build-arg PROTOC_VERSION=$(PROTOC_VERSION) \
+		--build-arg YQ_VERSION=$(YQ_VERSION) \
+		--build-arg YQ_CHECKSUM=$(YQ_CHECKSUM) \
+		--build-arg YQ_ARCH=$(ARCH) \
+		--build-arg PROTOC_ARCH=$(if $(filter amd64,$(ARCH)),x86_64,s390x) \
+		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
 		--build-arg TEE_PLATFORM=$(TEE_PLATFORM) \
 		--build-arg PAUSE_REPO=$(PAUSE_REPO) \
 		--build-arg PAUSE_VERSION=$(PAUSE_VERSION) \
@@ -64,7 +54,8 @@ endif
 		--build-arg VERIFY_PROVENANCE=$(VERIFY_PROVENANCE) \
 		$(if $(AUTHFILE),--build-arg AUTHFILE=$(AUTHFILE),) \
 		$(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
-		-o type=local,dest="./resources/binaries-tree" \
+		$(if $(filter $(PUSH),true),,-o type=local,dest="./resources/binaries-tree") \
+		$(DOCKER_OPTS) \
 		-f ../podvm/Dockerfile.podvm_binaries.fedora ../../
 
 PHONY: image
@@ -83,7 +74,7 @@ else ifeq ($(ARCH),s390x)
 	sudo -E ../hack/build-s390x-image.sh
 else
 	touch resources/buildBootableImage
-	sudo -E env PATH=$(PATH) nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=production
+	nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=production
 	qemu-img convert -f raw -O qcow2 build/system.raw build/podvm-$(PODVM_DISTRO)-$(ARCH).qcow2
 endif
 
@@ -104,10 +95,9 @@ else ifeq ($(ARCH),s390x)
 	sudo -E ../hack/build-s390x-image.sh
 else
 	touch resources/buildBootableImage
-	sudo -E env PATH=$(PATH) nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=debug
+	nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=debug
 	qemu-img convert -f raw -O qcow2 build/system.raw build/podvm-$(PODVM_DISTRO)-$(ARCH).qcow2
 endif
-	sudo chown -R $(USER): build
 
 PHONY: image-container
 image-container:

src/cloud-api-adaptor/podvm-mkosi/README.md

@@ -92,7 +92,6 @@ Another issue is s390x does not support UEFI. Instead, we can first use **mkosi*
 
 It requires a **s390x host** to build s390x image with make commands:
 ```
-make fedora-binaries-builder
 TEE_PLATFORM=se-attester make binaries
 make image
 # SE_BOOT=true make image