# Quick Start: Running rune with Occlum bundle

## Build and install rune
`rune` is a CLI tool for spawning and running enclaves in containers according to the OCI specification.

Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/README.md#rune) to build `rune` from scratch.

---

## Build Occlum application container image
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_occlum.md) to build the Occlum application container image.

## Create Occlum application bundle
In order to use `rune` you must have your container image in the format of an OCI bundle. If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Occlum application container image.

```shell
# create the topmost bundle directory
mkdir -p "$HOME/rune_workdir"
cd "$HOME/rune_workdir"
mkdir rune-container
cd rune-container

# create the rootfs directory
mkdir rootfs

# export Occlum application image via Docker into the rootfs directory
docker export "$(docker create "${Occlum_application_image}")" | sudo tar -C rootfs -xvf -
```

After the root filesystem is populated, generate a spec in the form of a `config.json` file inside your bundle. `rune` provides a `spec` command, similar to the one in `runc`, that generates a template file you can then edit.

```shell
rune spec
```

To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.

In order to run the hello world demo program in Occlum with `rune`, you need to change the entrypoint from `sh` to `/bin/hello_world`:
``` json
  "process": {
      "args": [
          "/bin/hello_world"
      ]
  }
```

and then configure the enclave runtime as follows:
``` json
  "annotations": {
      "enclave.type": "intelSgx",
      "enclave.runtime.path": "/usr/lib/liberpal-occlum.so",
      "enclave.runtime.args": "$OCCLUM_INSTANCE_DIR"
  }
```

where:
- @enclave.type: specify the type of enclave hardware to use, such as `intelSgx`.
- @enclave.runtime.path: specify the path to the enclave runtime to launch. For an Occlum application, you need to specify the path of `liberpal-occlum.so`, which is a soft link to `libocclum-pal.so` in your Occlum instance dir (`OCCLUM_INSTANCE_DIR`).
- @enclave.runtime.args: specify the arguments to pass to the enclave runtime, separated by commas. For an Occlum application, you need to specify the name of your Occlum instance dir (`OCCLUM_INSTANCE_DIR`) in this parameter.
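
The two edits above can be applied and checked before `rune run` with a small helper. This is an added example, not code from the rune project; the trimmed sample template, the instance dir name `occlum_instance`, and the checks for an absolute runtime path and a leftover `$` placeholder are assumptions of this example.

```python
import copy

# Annotation keys as listed on this page.
ENCLAVE_KEYS = ("enclave.type", "enclave.runtime.path", "enclave.runtime.args")

# Constructed stand-in for the template that `rune spec` writes (trimmed).
SAMPLE_TEMPLATE = {
    "ociVersion": "1.0.1",
    "process": {"terminal": True, "args": ["sh"], "cwd": "/"},
    "root": {"path": "rootfs", "readonly": True},
}

def patch_spec(spec, entrypoint, enclave_type, runtime_path, runtime_args):
    """Return a copy of spec with the entrypoint and enclave annotations set."""
    out = copy.deepcopy(spec)
    out.setdefault("process", {})["args"] = [entrypoint]
    ann = out.setdefault("annotations", {})
    ann["enclave.type"] = enclave_type
    ann["enclave.runtime.path"] = runtime_path
    # The page says runtime arguments are separated by commas.
    ann["enclave.runtime.args"] = ",".join(runtime_args)
    return out

def check_spec(spec):
    """Return a list of problems that keep the spec from matching this guide."""
    problems = []
    ann = spec.get("annotations") or {}
    for key in ENCLAVE_KEYS:
        if not ann.get(key):
            problems.append("missing annotation: " + key)
    path = ann.get("enclave.runtime.path", "")
    if path and not path.startswith("/"):  # assumption: expect an absolute path
        problems.append("enclave.runtime.path is not absolute")
    if "$" in ann.get("enclave.runtime.args", ""):  # assumption: unfilled placeholder
        problems.append("enclave.runtime.args has an unfilled placeholder")
    args = (spec.get("process") or {}).get("args") or []
    if args[:1] == ["sh"]:
        problems.append("process.args is still the template entrypoint sh")
    return problems

if __name__ == "__main__":
    patched = patch_spec(SAMPLE_TEMPLATE, "/bin/hello_world", "intelSgx",
                         "/usr/lib/liberpal-occlum.so", ["occlum_instance"])
    print(check_spec(SAMPLE_TEMPLATE))  # problems in the untouched template
    print(check_spec(patched))          # empty list once both edits are applied
```

To use it on a real bundle, load `config.json` with `json.load`, pass the resulting dict to `patch_spec`, and write the result back with `json.dump`.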

---

## Run Occlum application
Assuming you have an OCI bundle from the previous step, you can execute the container as follows:

```shell
cd "$HOME/rune_workdir/rune-container"
sudo rune run ${Occlum_application_container_name}
```