Working with the Hyper Protect Secure Build state image
To build the image in another new Hyper Protect Secure Build server instance (for example, after the original instance is deleted or corrupted), you need the state image to recover the signing key and additional internal states of the Hyper Protect Secure Build server instance.
Retrieving the HPSB state image
You can download the state image so that it is available in the current working directory for later use.
- To download the state image, run the following command:
  ./build.py get-state-image --env <path>/sbs-config.json
  This command creates an encrypted file in your current directory and prints the file name in the output, for example:
  docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797
- Save the state image to IBM Cloud Object Storage (COS) by completing the following steps:
  - Add the following parameters to the sbs-config.json file:
    "COS_API_KEY_ID": "<your_cloud_apikey>",
    "COS_RESOURCE_CRN": "<your_cloud_resource_crn_id>",
    "COS_ENDPOINT": "<your_public_cos_endpoint>",
    "COS_AUTH_ENDPOINT": "https://iam.cloud.ibm.com/oidc/token",
    "STATE_BUCKET_NAME": "<your_bucket_name>",
  - Update the configuration file sbs-config.json:
    ./build.py update --env <path>/sbs-config.json
  - Save the state image to COS:
    ./build.py get-state-image --env <path>/sbs-config.json {--state-bucket-name <your_bucket_name>}
    Use the --state-bucket-name option if you want to override the STATE_BUCKET_NAME parameter in the sbs-config.json file, or if the file does not contain one. When you save the state image to COS, you still get the metadata of the state image in a local file with the same name as the state image file.
Recovering the state image
Complete the following steps:
- Create an HPSB instance by following the instructions in creating the Hyper Protect Secure Build Server configuration, creating the client certificate and CA, server certificate and KEY, retrieving the client certificate and CA, server certificate and KEY in Base64 encoding, preparing the contract, bringing up the Hyper Protect Secure Build on the KVM LPAR, and building the image by using the Hyper Protect Secure Build. Use the same secret that was used to get the state image; otherwise the post-state-image operation fails.
- Once the instance is up, map the public IP address to the hostname provided for the server in the /etc/hosts file:
  169.XX.XXX.XXX sbs.example.com
  Note: If the secure-build-cli is not cloned on the KVM LPAR and you need to access the container application from outside the LPAR, complete the following steps:
  - Apply iptables rules with the following commands:
    iptables -I FORWARD -o virbr0 -p tcp -d 192.168.x.170 --dport 443 -j ACCEPT
    iptables -t nat -I PREROUTING -p tcp -d 9.20.x.99 --dport 8082 -j DNAT --to 192.168.x.170:443
    In the example, 192.168.x.170 is the IP address of the guest VSI (HPSB server), 9.20.x.99 is the KVM host IP address, and 8082 is the host port.
  - Change the value of CICD_PORT in the sbs-config.json file to the host port used when applying the iptables rules. For example:
    "CICD_PORT": "8082",
  - Map the KVM host IP address to the hostname in the /etc/hosts file, if the repository for the Secure Build CLI is not cloned on the KVM LPAR. For example:
    9.20.x.99 sbs.example.com
- Check the status of the HPSB instance:
  ./build.py status --env <path>/sbs-config.json
- Run the following command to post the state image:
  ./build.py post-state-image --state-image docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797 --env <path>/sbs-config.json
  Note:
  - Use the --state-image option to specify the state image file that you downloaded previously with the get-state-image command.
  - If your state image is stored in IBM Cloud Object Storage, use the --name option to specify the name of the state image on COS, which is the same as the name of the metadata file that you downloaded with the get-state-image command.
  - Use the --state-bucket-name option if you want to override the STATE_BUCKET_NAME parameter in the sbs-config.json file, or if the file does not contain one:
    ./build.py post-state-image --env <path>/sbs-config.json --name docker.io.<user_name>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797 {--state-bucket-name <your_bucket_name>}
- Run the following command to update the configuration:
  ./build.py update --env <path>/sbs-config.json
- Now you can build your image further by using the build command. Eventually your Docker image is pushed to the same registry:
  ./build.py build --env <path>/sbs-config.json
- Check the build log and wait until the build operation is completed:
  ./build.py log --log build --env <path>/sbs-config.json
- Check the status of the container:
  ./build.py status --env <path>/sbs-config.json
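The following added example script (not part of secure-build-cli or of IBM's documentation) assembles the post-state-image command and the ordered recovery commands from a parsed sbs-config.json, so the option rules above are checked before anything is run against the instance. It assumes that --state-image and --name are alternatives, and the state image file name pattern is inferred from the example name printed by get-state-image on this page.

```python
"""Plan the HPSB state image recovery commands (added example, not secure-build-cli code)."""
import json
import re

# COS parameters this page adds to sbs-config.json; STATE_BUCKET_NAME may instead
# come from --state-bucket-name, so it is checked separately below
COS_KEYS = ("COS_API_KEY_ID", "COS_RESOURCE_CRN", "COS_ENDPOINT", "COS_AUTH_ENDPOINT")
# Shape of the name printed by get-state-image, inferred (assumption) from the page's
# example docker.io.<user>.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797; no whitespace
STATE_IMAGE_RE = re.compile(r"^\S+\.s390x-v\S+\.\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.\d+$")


def post_state_image_cmd(config, env, state_image=None, name=None, bucket=None):
    """argv for `build.py post-state-image`: a local file via --state-image, or an
    object on COS via --name (plus --state-bucket-name when overriding or supplying it)."""
    if (state_image is None) == (name is None):
        raise ValueError("give exactly one of state_image (local file) or name (object on COS)")
    cmd = ["./build.py", "post-state-image", "--env", env]
    if state_image is not None:
        if not STATE_IMAGE_RE.match(state_image):
            raise ValueError(f"unexpected state image file name: {state_image!r}")
        return cmd + ["--state-image", state_image]
    missing = [k for k in COS_KEYS if not config.get(k)]
    if missing:
        raise ValueError("sbs-config.json lacks COS parameters: " + ", ".join(missing))
    configured = config.get("STATE_BUCKET_NAME")
    if not (bucket or configured):
        raise ValueError("no STATE_BUCKET_NAME in sbs-config.json; pass bucket (--state-bucket-name)")
    cmd += ["--name", name]
    if bucket and bucket != configured:  # option is only needed to override or supply the bucket
        cmd += ["--state-bucket-name", bucket]
    return cmd


def recovery_plan(env, post_cmd):
    """Ordered commands of the recovery procedure once the instance is up."""
    b = ["./build.py"]
    return [b + ["status", "--env", env], post_cmd, b + ["update", "--env", env],
            b + ["build", "--env", env], b + ["log", "--log", "build", "--env", env],
            b + ["status", "--env", env]]


if __name__ == "__main__":
    # Constructed sample config: COS parameters present but no bucket, so the
    # bucket has to be supplied on the command line
    cfg = json.loads('{"COS_API_KEY_ID": "k", "COS_RESOURCE_CRN": "crn", '
                     '"COS_ENDPOINT": "https://s3.example.invalid", '
                     '"COS_AUTH_ENDPOINT": "https://iam.cloud.ibm.com/oidc/token"}')
    name = "docker.io.alice.sbs22.s390x-v0.1-60fd72e.2020-10-21_07-20-08.516797"
    post = post_state_image_cmd(cfg, "sbs-config.json", name=name, bucket="hpsb-state")
    for step in recovery_plan("sbs-config.json", post):
        print(" ".join(step))
```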