Working with the Hyper Protect Secure Build state image

To build the image in another new Hyper Protect Secure Build server instance (for example, after the original instance is deleted or corrupted), you need the state image to recover the signing key and additional internal states of the Hyper Protect Secure Build server instance.

Retrieving the HPSB state image

You can download the state image, so that it is available in the current working directory for possible later use.

  1. To download the state image, run the following command:

    ./build.py get-state-image --env <path>/sbs-config.json
    

    This command creates an encrypted file in your current directory and prints the file name in the output, for example: docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797.

  2. Save the state image to IBM Cloud Object Storage (COS) by completing the following steps:

    1. Add the following parameters into the sbs-config.json file.

      "COS_API_KEY_ID": "<your_cloud_apikey>",
      "COS_RESOURCE_CRN": "<your_cloud_resource_crn_id>",
      "COS_ENDPOINT": "<your_public_cos_endpoint>",
      "COS_AUTH_ENDPOINT": "https://iam.cloud.ibm.com/oidc/token",
      "STATE_BUCKET_NAME": "<your_bucket_name>",
      
    2. Update the configuration file sbs-config.json.

      ./build.py update --env <path>/sbs-config.json
      
    3. Save the state image to COS.

./build.py get-state-image --env <path>/sbs-config.json {--state-bucket-name <your_bucket_name>}
      

Use the --state-bucket-name option if you want to override the parameter in the sbs-config.json file, or if the file does not contain one. When you save the state image to COS, you still get the metadata of the state image in a local file with the same name as the state image file.

Recovering the state image

Complete the following steps:

  1. Create an HPSB instance by following the instructions in Creating the Hyper Protect Secure Build Server configuration, Creating the client certificate and CA, server certificate and KEY, Retrieving the client certificate and CA, server certificate and KEY in Base64 encoding, Preparing the contract, Bringing up the Hyper Protect Secure Build on the KVM LPAR, and Building the image by using the Hyper Protect Secure Build. Use the same secret that was used to get the state image; otherwise the post-state-image operation fails.

  2. Once the instance is up, map the public IP address with the hostname provided for the server in the /etc/hosts file.

    169.XX.XXX.XXX sbs.example.com
    

    Note: If the secure-build-cli is not cloned on the KVM LPAR and you need to access the container application from outside the LPAR, complete the following steps:

    1. Apply the iptables rules with the following commands:

      iptables -I FORWARD -o virbr0 -p tcp -d 192.168.x.170 --dport 443 -j ACCEPT
      iptables -t nat -I PREROUTING -p tcp -d 9.20.x.99 --dport 8082 -j DNAT --to 192.168.x.170:443
      

      In the example, 192.168.x.170 is the IP address of the guest VSI (the HPSB server), 9.20.x.99 is the KVM Host IP address, and 8082 is the Host Port.

    2. Change the value of CICD_PORT in the sbs-config.json to the Host Port used while applying the IP table rules. For example:

      "CICD_PORT": "8082",
      
    3. If the repository for the Secure Build CLI is not cloned on the KVM LPAR, map the KVM Host IP address to the hostname in the /etc/hosts file. For example:

      9.20.x.99 sbs.example.com
      
  3. Check the status of HPSB instance.

    ./build.py status --env <path>/sbs-config.json
    
  4. Run the following command to post the state image.

    ./build.py post-state-image --state-image docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797 --env <path>/sbs-config.json
    

    Note:

    • Use the --state-image option to specify the state image file you downloaded previously with the get-state-image command.
    • If your state image is stored in IBM Cloud Object Storage, use the --name option to specify the name of the state image on COS, which is the same as the name of the metadata file you downloaded with the get-state-image command.
    • Use the --state-bucket-name option if you want to override the parameter in the sbs-config.json file, or if the file does not contain one.
      ./build.py post-state-image --env <path>/sbs-config.json --name docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797 {--state-bucket-name <your_bucket_name>}
      
  5. Run the following command to update the configuration.

    ./build.py update --env <path>/sbs-config.json
    
  6. Now you can continue building your image by using the build command. Your Docker image is eventually pushed to the same registry.

    ./build.py build --env <path>/sbs-config.json
    
  7. Check the build log and wait until the build operation is completed.

    ./build.py log --log build --env <path>/sbs-config.json
    
  8. Check the status of the container.

    ./build.py status --env <path>/sbs-config.json
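The following helper ties the retrieval and recovery procedures together. It is an added example, not part of the HPSB CLI or of IBM's documentation: it parses the state image file names that get-state-image produces, picks the newest one for an image, checks that sbs-config.json contains the COS parameters listed above before a bucket upload, and assembles the post-state-image command line for either a local file or a COS object. The sample file names and the config values are constructed; the JSON keys and options are the ones shown on this page.

```python
import re
import shlex
from datetime import datetime

# File name format produced by get-state-image (see the example name on this page):
#   <registry>.<user>.<repo>.<tag>.<YYYY-MM-DD_HH-MM-SS.ffffff>
STATE_IMAGE_RE = re.compile(r"^(?P<prefix>.+)\.(?P<ts>\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.\d{6})$")

# Parameters that sbs-config.json needs before the state image can be saved to COS.
COS_KEYS = ("COS_API_KEY_ID", "COS_RESOURCE_CRN", "COS_ENDPOINT", "COS_AUTH_ENDPOINT", "STATE_BUCKET_NAME")


def parse_state_image_name(name):
    """Split a state image name into (image prefix, timestamp); None if it is not one."""
    m = STATE_IMAGE_RE.match(name)
    if not m:
        return None
    return m.group("prefix"), datetime.strptime(m.group("ts"), "%Y-%m-%d_%H-%M-%S.%f")


def latest_state_image(names, prefix=None):
    """Pick the newest state image by its embedded timestamp, optionally for one image prefix."""
    best = None
    for name in names:
        parsed = parse_state_image_name(name)
        if parsed is None or (prefix is not None and parsed[0] != prefix):
            continue  # not a state image, or belongs to a different image
        if best is None or parsed[1] > best[0]:
            best = (parsed[1], name)
    return None if best is None else best[1]


def missing_cos_keys(config):
    """COS parameters that are absent or empty in the loaded sbs-config.json."""
    return [k for k in COS_KEYS if not config.get(k)]


def post_state_image_command(config, name, env_path, from_cos=False):
    """Assemble the post-state-image command line for a local file or a COS object."""
    cmd = ["./build.py", "post-state-image", "--env", env_path]
    if from_cos:
        cmd += ["--name", name]  # object name on COS, same as the local metadata file name
        if config.get("STATE_BUCKET_NAME"):
            cmd += ["--state-bucket-name", config["STATE_BUCKET_NAME"]]
    else:
        cmd += ["--state-image", name]  # encrypted local file from get-state-image
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":  # constructed sample names, not real downloads
    files = ["docker.io.alice.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797",
             "docker.io.alice.sbs22.s390x-v0.1-60fd72e.2020-10-22_09-00-00.000001", "notes.txt"]
    print(post_state_image_command({}, latest_state_image(files), "sbs-config.json"))
```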