README-zh_CN.md
stormgbs committed
# containerd-shim-rune-v2

containerd-shim-rune-v2 is a containerd shim (shim API v2) for Inclavare Containers (runE). containerd launches it for every container whose runtime is `rune`; the shim in turn builds, signs and launches the enclave for that container.

## Introduction
![shim-rune](docs/images/shim-rune.png)

## Carrier Framework
Carrier is an abstract framework for building an enclave for the selected enclave runtime (Occlum, Graphene, ...). The enclave runtime is chosen per container, for example through the `RUNE_CARRIER` environment variable shown in the HelloWorld example below.

![shim-carrier](docs/images/shim-carrier.png)

## Signature Framework

![shim-signature](docs/images/shim-signature.png)

## Build requirements

Go 1.14.x or above. The build is done on Linux (`GOOS=linux`).

## How to build and install

### Step 1: Build and install the shim binary.
```bash
mkdir -p $GOPATH/src/github.com/alibaba
cd $GOPATH/src/github.com/alibaba
git clone https://github.com/alibaba/inclavare-containers.git

# The shim lives in the shim/ subdirectory of the cloned repository.
cd inclavare-containers/shim
GOOS=linux make binaries
# Installs to /usr/local/bin; run as root (or with sudo) if you cannot write there.
make install
ls -l /usr/local/bin/containerd-shim-rune-v2
```

### Step 2: Configuration

The configuration file of Inclavare Containers must be placed at `/etc/inclavare-containers/config.toml`. It is read by the shim, which runs as root, so keep it writable by root only:

```toml
log_level = "debug" # "debug" "info" "warn" "error"
# sgx_sign from the Intel SGX SDK, used by the signature framework to sign enclaves.
sgx_tool_sign = "/opt/intel/sgxsdk/bin/x64/sgx_sign"

[containerd]
    # containerd's gRPC socket the shim connects to.
    socket = "/run/containerd/containerd.sock"

[enclave_runtime]

    [enclave_runtime.occlum]
        # Image used by the Occlum Carrier to build the enclave.
        build_image = "docker.io/occlum/occlum:0.12.0-ubuntu18.04"

    [enclave_runtime.graphene]

```

Modify the containerd configuration file (`/etc/containerd/config.toml`) and add the `rune` runtime to it. `runtime_type` must be `io.containerd.rune.v2`: containerd derives the shim binary name `containerd-shim-rune-v2` from it and looks the binary up in its `PATH`. Restart containerd afterwards so the new configuration is loaded.

```toml
#...
      [plugins.cri.containerd.runtimes.rune]
        runtime_type = "io.containerd.rune.v2"
#...
```

Add a RuntimeClass named `rune` to your Kubernetes cluster. The `handler` value must match the runtime name configured in containerd (`rune` above). Use the `nodeSelector` to restrict scheduling to worker nodes that have SGX hardware and the shim installed:
```bash
cat <<EOF | kubectl create -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: rune
handler: rune
scheduling:
  nodeSelector:
    # Labels of your rune worker nodes, for example:
    #alibabacloud.com/container-runtime: rune
EOF
```
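The three configuration steps above are easy to get subtly wrong (a shim that is not on `PATH`, a `runtime_type` that does not map to the shim binary name, an `sgx_tool_sign` path that does not exist). The following script is an added example, not part of the Inclavare Containers project: it checks the shim binary, the Inclavare config and the containerd config against what the steps above require, and also rejects a world-writable `/etc/inclavare-containers/config.toml`, since whoever can edit that file controls which binary the root-running shim executes as `sgx_tool_sign`. The default paths are the ones used in this README; pass three other paths as arguments if your layout differs.

```sh
#!/bin/sh
# Added example (not project code): post-install sanity check for the
# shim binary, /etc/inclavare-containers/config.toml and /etc/containerd/config.toml.

# check_shim_config SHIM_BINARY INCLAVARE_CONFIG CONTAINERD_CONFIG
# Prints one line per problem found and returns the number of problems (0 = ok).
check_shim_config() {
  shim="$1"; cfg="$2"; ctrcfg="$3"; errors=0

  # Step 1: containerd resolves runtime_type io.containerd.rune.v2 to the
  # binary containerd-shim-rune-v2, which must exist and be executable.
  if [ ! -x "$shim" ]; then
    echo "shim binary missing or not executable: $shim"
    errors=$((errors + 1))
  fi

  # Step 2a: the Inclavare Containers config.
  if [ ! -r "$cfg" ]; then
    echo "inclavare config missing or unreadable: $cfg"
    errors=$((errors + 1))
  else
    # The shim runs sgx_tool_sign as root. Anyone who can edit this file can
    # point it at an arbitrary binary, so a world-writable config is a problem.
    if [ -n "$(find "$cfg" -perm -002 2>/dev/null)" ]; then
      echo "config is world-writable: $cfg"
      errors=$((errors + 1))
    fi
    # Extract the quoted value of sgx_tool_sign and make sure it is executable.
    signer=$(sed -n 's/^[[:space:]]*sgx_tool_sign[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$signer" ]; then
      echo "sgx_tool_sign not set in $cfg"
      errors=$((errors + 1))
    elif [ ! -x "$signer" ]; then
      echo "sgx_tool_sign is not an executable file: $signer"
      errors=$((errors + 1))
    fi
  fi

  # Step 2b: containerd must have the rune runtime with the right shim type.
  if [ ! -r "$ctrcfg" ]; then
    echo "containerd config missing or unreadable: $ctrcfg"
    errors=$((errors + 1))
  elif ! grep -q '^[[:space:]]*\[plugins\.cri\.containerd\.runtimes\.rune\]' "$ctrcfg"; then
    echo "no [plugins.cri.containerd.runtimes.rune] section in $ctrcfg"
    errors=$((errors + 1))
  elif ! grep -q '^[[:space:]]*runtime_type[[:space:]]*=[[:space:]]*"io\.containerd\.rune\.v2"' "$ctrcfg"; then
    echo "rune runtime_type is not io.containerd.rune.v2 in $ctrcfg"
    errors=$((errors + 1))
  fi

  return "$errors"
}

# Usage: ./check-shim.sh [SHIM_BINARY INCLAVARE_CONFIG CONTAINERD_CONFIG]
# With no arguments the README's default paths are checked.
if [ "$#" -eq 3 ]; then
  check_shim_config "$1" "$2" "$3"
elif [ "$#" -eq 0 ] && [ "${CHECK_SHIM_DEFAULTS:-}" = "1" ]; then
  check_shim_config /usr/local/bin/containerd-shim-rune-v2 \
                    /etc/inclavare-containers/config.toml \
                    /etc/containerd/config.toml
fi
```

Run it as `CHECK_SHIM_DEFAULTS=1 sh check-shim.sh` on a node to check the default paths; the exit status is the number of problems found, so it drops into a provisioning pipeline as a gate. The `sed` extraction only understands the simple `key = "value"` form used in the config above, not the full TOML grammar.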

## Run HelloWorld in Kubernetes

The pod selects the `rune` RuntimeClass created above, and the `RUNE_CARRIER` environment variable tells the shim which Carrier (enclave runtime) to build the enclave with:
```bash
cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: helloworld-in-tee
  name: helloworld-in-tee
spec:
  runtimeClassName: rune
  containers:
  - command:
    - /bin/hello_world
    env:
    # Carrier used to build the enclave; matches [enclave_runtime.occlum] in config.toml.
    - name: RUNE_CARRIER
      value: occlum
    image: registry.cn-shanghai.aliyuncs.com/larus-test/hello-world:v2
    imagePullPolicy: IfNotPresent
    name: helloworld
    workingDir: /run/rune
EOF
```