From 2dd9140a758b6c90a03aae1b5d113b3fae09731d Mon Sep 17 00:00:00 2001 From: jiazhiguang Date: Tue, 14 Jul 2020 19:25:39 +0800 Subject: [PATCH] supports build and sign enclave with occlum on host --- shim/cmd/containerd-shim-rune-v2/main.go | 3 +-- shim/runtime/carrier/occlum/occlum.go | 27 ++++++++++++++++++++---- shim/runtime/v2/rune/v2/rune.go | 10 +++++++-- shim/runtime/v2/rune/v2/service.go | 17 ++++++++++----- 4 files changed, 44 insertions(+), 13 deletions(-) diff --git a/shim/cmd/containerd-shim-rune-v2/main.go b/shim/cmd/containerd-shim-rune-v2/main.go index bd0cc7d..20a43e8 100644 --- a/shim/cmd/containerd-shim-rune-v2/main.go +++ b/shim/cmd/containerd-shim-rune-v2/main.go @@ -3,9 +3,8 @@ package main import ( - "github.com/containerd/containerd/runtime/v2/shim" - "github.com/alibaba/inclavare-containers/shim/runtime/v2/rune/v2" + "github.com/containerd/containerd/runtime/v2/shim" ) func main() { diff --git a/shim/runtime/carrier/occlum/occlum.go b/shim/runtime/carrier/occlum/occlum.go index 2ba37cf..5577969 100644 --- a/shim/runtime/carrier/occlum/occlum.go +++ b/shim/runtime/carrier/occlum/occlum.go @@ -63,9 +63,7 @@ func NewOcclumCarrier(ctx context.Context, bundle string) (carrier.Carrier, erro if _, err := toml.DecodeFile(constants.ConfigurationPath, &cfg); err != nil { return nil, err } - setLogLevel(cfg.LogLevel) - return &occlum{ context: ctx, bundle: bundle, @@ -82,7 +80,8 @@ func (c *occlum) Name() string { // BuildUnsignedEnclave impl Carrier. func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier.BuildUnsignedEnclaveArgs) ( unsignedEnclave string, err error) { - + timeStart := time.Now() + ts := timeStart // Initialize environment variables for occlum in config.json if err := c.initBundleConfig(); err != nil { return "", err 
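Review bot: Every new timing line in BuildUnsignedEnclave, starting from the `timeStart := time.Now()` / `ts := timeStart` pair added here, formats `(time.Now().Sub(timeStart))/time.Second` with `%d`, which truncates to whole seconds, so any step under one second is logged as 0 and the unit never appears in the message. Prefer `logrus.Debugf("BuildUnsignedEnclave: create containerd client time cost: %v", time.Since(timeStart))`, which prints a readable duration with sub-second precision; the same applies to the timing lines in the later occlum.go hunks (GenerateSigningMaterial, CascadeEnclaveSignature, Cleanup) and to carrierMain, Create and Start in rune.go and service.go. Separately, the preceding hunk drops `setLogLevel(cfg.LogLevel)` from NewOcclumCarrier; unless the configured level is applied elsewhere, these Debugf lines will not be emitted at logrus's default Info level. BuildUnsignedEnclave's body continues past this hunk.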
@@ -99,6 +98,7 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier } else { c.task.client = client } + logrus.Debugf("BuildUnsignedEnclave: create containerd client time cost: %d", (time.Now().Sub(timeStart))/time.Second) logrus.Debugf("BuildUnsignedEnclave: get containerd client successfully") if err = createNamespaceIfNotExist(client, namespace); err != nil { @@ -108,10 +108,12 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier // pull the image that used to build enclave. occlumEnclaveBuilderImage := c.shimConfig.EnclaveRuntime.Occlum.BuildImage + timeStart = time.Now() image, err := client.Pull(c.context, occlumEnclaveBuilderImage, containerd.WithPullUnpack) if err != nil { return "", fmt.Errorf("failed to pull image %s. error: %++v", occlumEnclaveBuilderImage, err) } + logrus.Debugf("BuildUnsignedEnclave: pull occlum SDK image time cost: %d", (time.Now().Sub(timeStart))/time.Second) logrus.Debugf("BuildUnsignedEnclave: pull image %s successfully", occlumEnclaveBuilderImage) // Generate the containerId and snapshotId. @@ -161,6 +163,7 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier mounts = append(mounts, rootfsMount, dataMount) // create a container + timeStart = time.Now() container, err := client.NewContainer( c.context, containerId, @@ -178,6 +181,7 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier } else { c.task.container = &container } + logrus.Debugf("BuildUnsignedEnclave: create occlum SDK container time cost: %d", (time.Now().Sub(timeStart))/time.Second) // Create a task from the container. t, err := container.NewTask(c.context, cio.NewCreator(cio.WithStdio)) 
@@ -213,17 +217,21 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier } cmd = append(cmd, "--occlum_config_path", occlumConfigPath) logrus.Debugf("BuildUnsignedEnclave: command: %v", cmd) + timeStart = time.Now() if err := c.execTask(cmd...); err != nil { logrus.Errorf("BuildUnsignedEnclave: exec failed. error: %++v", err) return "", err } + logrus.Debugf("BuildUnsignedEnclave: init and build enclave time cost: %d", (time.Now().Sub(timeStart))/time.Second) enclavePath := filepath.Join("/", rootfsDirName, c.workDirectory, "./build/lib/libocclum-libos.so") + logrus.Debugf("BuildUnsignedEnclave: total time cost: %d", (time.Now().Sub(ts))/time.Second) return enclavePath, nil } // GenerateSigningMaterial impl Carrier. func (c *occlum) GenerateSigningMaterial(req *task.CreateTaskRequest, args *carrier.CommonArgs) ( signingMaterial string, err error) { + timeStart := time.Now() signingMaterial = filepath.Join("/", rootfsDirName, c.workDirectory, "enclave_sig.dat") args.Config = filepath.Join("/", rootfsDirName, c.workDirectory, "Enclave.xml") cmd := []string{ @@ -239,12 +247,14 @@ func (c *occlum) GenerateSigningMaterial(req *task.CreateTaskRequest, args *carr return "", err } logrus.Debugf("GenerateSigningMaterial: sgx_sign gendata successfully") + logrus.Debugf("GenerateSigningMaterial: total time cost: %d", (time.Now().Sub(timeStart))/time.Second) return signingMaterial, nil } // CascadeEnclaveSignature impl Carrier. func (c *occlum) CascadeEnclaveSignature(req *task.CreateTaskRequest, args *carrier.CascadeEnclaveSignatureArgs) ( signedEnclave string, err error) { + timeStart := time.Now() var bufferSize int64 = 1024 * 4 signedEnclave = filepath.Join("/", rootfsDirName, c.workDirectory, "./build/lib/libocclum-libos.signed.so") publicKey := filepath.Join("/", enclaveDataDir, "public_key.pem") 
@@ -273,30 +283,36 @@ func (c *occlum) CascadeEnclaveSignature(req *task.CreateTaskRequest, args *carr return "", err } logrus.Debugf("CascadeEnclaveSignature: sgx_sign catsig successfully") + logrus.Debugf("CascadeEnclaveSignature: total time cost: %d", (time.Now().Sub(timeStart))/time.Second) return signedEnclave, nil } // Cleanup impl Carrier. func (c *occlum) Cleanup() error { + timeStart := time.Now() + ts := timeStart defer func() { if c.task.client != nil { c.task.client.Close() } + logrus.Debugf("Cleanup: total time cost: %d", (time.Now().Sub(ts))/time.Second) }() defer func() { if c.task.container != nil { + timeStart = time.Now() container := *c.task.container if err := container.Delete(c.context, containerd.WithSnapshotCleanup); err != nil { logrus.Errorf("Cleanup: delete container %s failed. err: %++v", container.ID(), err) } logrus.Debugf("Cleanup: delete container %s successfully.", container.ID()) + logrus.Debugf("Cleanup: delete occlum SDK container time cost: %d", (time.Now().Sub(ts))/time.Second) } }() if c.task.task == nil { return nil } - + timeStart = time.Now() t := *c.task.task if err := t.Kill(c.context, syscall.SIGTERM); err != nil { logrus.Errorf("Cleanup: kill task %s failed. err: %++v", t.ID(), err) @@ -321,10 +337,13 @@ func (c *occlum) Cleanup() error { } break } + logrus.Debugf("Cleanup: kill occlum SDK container task time cost: %d", (time.Now().Sub(timeStart))/time.Second) + timeStart = time.Now() if _, err := t.Delete(c.context); err != nil { logrus.Errorf("Cleanup: delete task %s failed. error: %++v", t.ID(), err) return err } + logrus.Debugf("Cleanup: delete occlum SDK container task time cost: %d", (time.Now().Sub(timeStart))/time.Second) logrus.Debugf("Cleanup: clean occlum container and task successfully") return nil } diff --git a/shim/runtime/v2/rune/v2/rune.go b/shim/runtime/v2/rune/v2/rune.go index 48821d6..75b124b 100644 --- a/shim/runtime/v2/rune/v2/rune.go +++ b/shim/runtime/v2/rune/v2/rune.go 
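Review bot: In Cleanup's second deferred function the new `logrus.Debugf("Cleanup: delete occlum SDK container time cost: %d", (time.Now().Sub(ts))/time.Second)` measures from `ts`, the start of Cleanup, even though `timeStart = time.Now()` was assigned two lines above for exactly this purpose, so the logged value is elapsed-since-entry rather than the container delete cost. Use `time.Now().Sub(timeStart)` there, or better a closure-local `delStart := time.Now()` before `container.Delete` so the deferred function does not mutate the outer variable. Note also that this deferred function runs after the task kill/delete path below, so the Cleanup total logged by the first defer includes it, which is probably what is intended. Cleanup's body continues into the next hunk.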
@@ -8,6 +8,7 @@ import ( "os/exec" "path" "path/filepath" + "time" "github.com/BurntSushi/toml" shim_config "github.com/alibaba/inclavare-containers/shim/config" @@ -29,13 +30,15 @@ import ( // runE main flow. func (s *service) carrierMain(req *taskAPI.CreateTaskRequest) (carrier.Carrier, error) { + timeStart := time.Now() + ts := time.Now() var err error var carr carrier.Carrier defer func() { carr.Cleanup() + logrus.Debugf("carrierMain: total time cost: %d", (time.Now().Sub(ts))/time.Second) }() - found, carrierKind, err := getCarrierKind(req.Bundle) if err != nil { return carr, err @@ -93,6 +96,7 @@ func (s *service) carrierMain(req *taskAPI.CreateTaskRequest) (carrier.Carrier, if _, err := toml.DecodeFile(constants.ConfigurationPath, &cfg); err != nil { return carr, err } + timeStart = time.Now() materialRealPath := signingMaterial if carrierKind == rune.Occlum { materialRealPath = filepath.Join(req.Bundle, signingMaterial) @@ -114,6 +118,8 @@ func (s *service) carrierMain(req *taskAPI.CreateTaskRequest) (carrier.Carrier, } defer os.RemoveAll(path.Dir(publicKey)) } + logrus.Debugf("carrierMain: sign enclave time cost: %d", (time.Now().Sub(timeStart))/time.Second) + defer os.RemoveAll(path.Dir(publicKey)) commonArgs.Key = publicKey signatureFile = signature } @@ -125,7 +131,7 @@ func (s *service) carrierMain(req *taskAPI.CreateTaskRequest) (carrier.Carrier, if err != nil { return carr, err } - logrus.Debugf("Finished carrier: %v, signedEnclave: %s", carr, signedEnclave) + logrus.Debugf("carrierMain: finished carrier: %v, signedEnclave: %s", carr, signedEnclave) return carr, nil } diff --git a/shim/runtime/v2/rune/v2/service.go b/shim/runtime/v2/rune/v2/service.go index ba49452..10f8a9b 100644 --- a/shim/runtime/v2/rune/v2/service.go +++ b/shim/runtime/v2/rune/v2/service.go 
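Review bot: In carrierMain the new `ts := time.Now()` is a second clock read immediately after `timeStart := time.Now()`; the other functions in this commit (Create, Cleanup, BuildUnsignedEnclave) write `ts := timeStart`, which avoids the extra call and keeps the convention consistent across files. The total logged in the deferred function is taken after `carr.Cleanup()` returns, so it includes cleanup time; if that is intended, say so in the message, e.g. `"carrierMain: total time cost (incl. cleanup): %v"`. carrierMain's body continues past this hunk.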
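Review bot: The new unconditional `defer os.RemoveAll(path.Dir(publicKey))` in the `@@ -114,6 +118,8 @@` hunk duplicates the `defer os.RemoveAll(path.Dir(publicKey))` already visible inside the inner block just above it, and it now runs for whichever branch produced `publicKey`. If the branch not shown in this hunk takes `publicKey` from the configuration loaded via `toml.DecodeFile` rather than from a per-task temporary directory, this defer deletes the directory holding the operator's signing key on every task creation. Unless every branch creates a throwaway directory for the key, drop the new defer and keep the removal next to the code that created the temp dir; at minimum the invariant deserves a comment such as `// publicKey always lives in a per-task temp dir; removed with the task`. The enclosing if-block and carrierMain's body extend beyond this hunk.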
@@ -300,9 +300,10 @@ func setOCIRuntime(ctx context.Context, r *taskAPI.CreateTaskRequest) (err error // Create a new initial process and container with the underlying OCI runtime func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ *taskAPI.CreateTaskResponse, err error) { + timeStart := time.Now() + ts := timeStart s.mu.Lock() defer s.mu.Unlock() - err = setOCIRuntime(ctx, r) if err != nil { return nil, err @@ -313,7 +314,9 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * return nil, err } if carrierKind != rune.Skeleton { + timeStart = time.Now() carr, err := s.carrierMain(r) + logrus.Debugf("Create: carrierMain time cost: %d", (time.Now().Sub(timeStart))/time.Second) if err != nil { return nil, err } @@ -321,8 +324,9 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * } data, _ := json.Marshal(r) - logrus.Infof("CreateTaskRequest: %s", string(data)) + logrus.Infof("CreateTaskRequest: %s, Carrier: %v", string(data), carrierKind) + timeStart = time.Now() container, err := runc.NewContainer(ctx, s.platform, r) /*if carr.Name() == "occlum" { @@ -348,8 +352,8 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * //} }*/ - data, _ = json.Marshal(container) - logrus.Infof("rune.NewContainer success: %s %s", r.ID, string(data)) + logrus.Debugf("Create: create container time cost: %d", (time.Now().Sub(timeStart))/time.Second) + logrus.Infof("rune.NewContainer success: %s", r.ID) var opts options.Options if r.Options != nil { @@ -371,7 +375,6 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * } s.containers[r.ID] = container - s.send(&eventstypes.TaskCreate{ ContainerID: r.ID, Bundle: r.Bundle, 
@@ -397,6 +400,8 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * // log.G(ctx).Infof("Attestation Failed!") //} } + logrus.Debugf("Create: total time cost: %d", (time.Now().Sub(timeStart))/time.Second) + logrus.Debugf("Create: total time cost: %d", (time.Now().Sub(ts))/time.Second) return &taskAPI.CreateTaskResponse{ Pid: uint32(container.Pid()), }, nil @@ -404,6 +409,7 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * // Start a process func (s *service) Start(ctx context.Context, r *taskAPI.StartRequest) (*taskAPI.StartResponse, error) { + timeStart := time.Now() container, err := s.getContainer(r.ID) if err != nil { return nil, err @@ -433,6 +439,7 @@ func (s *service) Start(ctx context.Context, r *taskAPI.StartRequest) (*taskAPI. }) } s.eventSendMu.Unlock() + logrus.Debugf("Start: total time cost: %d", (time.Now().Sub(timeStart))/time.Second) return &taskAPI.StartResponse{ Pid: uint32(p.Pid()), }, nil -- GitLab
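Review bot: The two consecutive `logrus.Debugf("Create: total time cost: %d", ...)` lines at the end of Create log the same label twice with different bases: the first uses `timeStart`, which was last reset just before `runc.NewContainer`, so it is not a total and largely repeats the "create container time cost" line already emitted in the earlier hunk. Delete the first of the two and keep `logrus.Debugf("Create: total time cost: %d", (time.Now().Sub(ts))/time.Second)`, preferably as `logrus.Debugf("Create: total time cost: %v", time.Since(ts))`. Create's body begins outside this hunk.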