未验证 提交 3fb58326 编写于 作者: H hustliyilin 提交者: GitHub

docs: Update rune 0.2.0 release docs

- Add docs/running_rune_with_occlum_bundle.md
- Remove docs/running_rune_with_docker.md
- Update skeleton README.md to add way to run rune with skeleton bundle
- Update README.md of inclavare-containers
- Add docs/running_rune_with_occlum.md
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
上级 492d9b30
...@@ -45,14 +45,14 @@ In addition, you can write your own enclave runtime with any programming languag ...@@ -45,14 +45,14 @@ In addition, you can write your own enclave runtime with any programming languag
## Using rune ## Using rune
### Run Occlum ### Run Occlum
Please refer to [this guide](https://github.com/occlum/occlum/blob/master/docs/rune_quick_start.md) to run `Occlum` with `rune`. Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_occlum_bundle.md) to run `Occlum` with `rune`.
### Run Docker
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_docker.md) to run `Docker` with `rune`.
### Run skeleton ### Run skeleton
Skeleton is an example of enclave runtime, interfacing with Enclave Runtime PAL API for easy interfacing with `rune`. Skeleton sample code is helpful to write your own enclave runtime. Skeleton is an example of enclave runtime, interfacing with Enclave Runtime PAL API for easy interfacing with `rune`. Skeleton sample code is helpful to write your own enclave runtime.
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) to run skeleton with `rune`. Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) to run skeleton with `rune`.
### Run OCI bundle
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_occlum_bundle.md) to run `occlum bundle` with `rune`.
For more information about Enclave Runtime PAL API, please refer to [Enclave Runtime PAL API Specification](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec.md). For more information about Enclave Runtime PAL API, please refer to [Enclave Runtime PAL API Specification](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/spec.md).
# Quick Start: Running rune with Docker
## Build and install rune
`rune` is a CLI tool for spawning and running enclaves in containers according to the OCI specification.
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/README.md#rune) to build `rune` from scratch.
---
## Configure Docker runtimes
Add the `rune` OCI runtime configuration in dockerd config file (`/etc/docker/daemon.json`) in your system.
``` JSON
{
"runtimes": {
"rune": {
"path": "/usr/local/sbin/rune",
"runtimeArgs": []
}
}
}
```
then restart docker service on your system.
> e.g. `sudo systemctl restart docker` for CentOS, or `sudo service docker restart` for Ubuntu
You can check whether `rune` is correctly added to container runtime or not with
``` shell
sudo docker info | grep rune
Runtimes: rune runc
```
---
## Running Docker using rune
You need to specify a set of parameters to `docker run` in order to use `rune`, e.g,
``` shell
docker run -it --rm --runtime=rune \
-e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/run/rune/liberpal-skeleton.so \
-e ENCLAVE_RUNTIME_ARGS=skeleton,debug \
$image
```
where:
- @runtime: choose the runtime (`rune`, `runc` or others) to use for this container.
- @ENCLAVE_TYPE: specify the type of enclave hardware to use, such as `intelSgx`.
- @ENCLAVE_PATH: specify the path to enclave runtime to launch.
- @ENCLAVE_ARGS: specify the specific arguments to enclave runtime, seperated by the comma.
Note that the skeleton is a sample enclave runtime. Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/rune/libenclave/internal/runtime/pal/skeleton/README.md) to run skeleton with `rune`. In addition, refer to [this guide]() to run more useful Occlum library OS.
# Quick Start: rune on Occlum
[rune](https://github.com/alibaba/inclavare-containers) is a set of tools for running trusted applications in containers with the hardware-assisted enclave technology.
## Hardware requirements
- Install [Intel SGX driver for Linux](https://github.com/intel/linux-sgx-driver#build-and-install-the-intelr-sgx-driver), required by Intel SGX SDK && PSW.
- Install [enable_rdfsbase kernel module](https://github.com/occlum/enable_rdfsbase#how-to-build), allowing to use `rdfsbase` -family instructions in Occlum.
---
## Build Occlum application Docker image
### Download Occlum sdk image
``` shell
docker pull occlum/occlum:0.13.0-centos7.5
docker run -it --privileged --device /dev/isgx \
occlum/occlum:0.13.0-centos7.5
```
### Prepare the materials
Before Occlum build, execute the following command to set your Occlum instance dir:
``` shell
export OCCLUM_INSTANCE_DIR=occlum-app
```
You can build a "hello world" demo application or your own product with an [Occlum CentOS Docker image](https://hub.docker.com/r/occlum/occlum/tags).
[This guide](https://github.com/occlum/occlum#hello-occlum) can help you to create your first occlum build.
After Occlum build, execute the following commands in Occlum sdk container environment:
``` shell
yum install -y libseccomp-devel
mkdir /root/rune_workdir
cp -a ${OCCLUM_INSTANCE_DIR} /root/rune_workdir
cd /root/rune_workdir
cp ${OCCLUM_INSTANCE_DIR}/build/lib/libocclum-pal.so /usr/lib/liberpal-occlum.so
```
### Build occlum application image
Now you can build your occlum application image in the same Occlum sdk container environment.
You need to [download docker](https://docs.docker.com/engine/install/centos/) in the Occlum sdk container environment. And type the following command to start your docker service.
``` shell
dockerd -b docker0 --storage-driver=vfs &
```
Type the following commands to create a `Dockerfile`:
``` Dockerfile
cat >Dockerfile <<EOF
FROM centos:7.5.1804
ENV OCCLUM_INSTANCE_DIR=occlum-app
RUN mkdir -p /run/rune/${OCCLUM_INSTANCE_DIR}
WORKDIR /run/rune
COPY ${OCCLUM_INSTANCE_DIR} ${OCCLUM_INSTANCE_DIR}
ENTRYPOINT ["/bin/hello_world"]
EOF
```
and then build it with the command:
```shell
docker build . -t ${Occlum_application_image}
```
---
## Install rune binarys
You can download rune centos binarys from 0.2.0 release, it includes
- `rune` : is a set of tools for running trusted applications in containers with the hardware-assisted enclave technology. You can install `rune` in `/usr/local/sbin` on your centos system.
- `liberpal-occlum.so` : is the path to occlum to launch. you can install it on `/usr/lib` on your centos system.
- `sgx_linux_x64_sdk_2.9.101.2.bin` : is a [SGX SDK](https://github.com/intel/linux-sgx#install-the-intelr-sgx-sdk-1) binary.
- `sgx_linux_x64_psw_2.9.101.2.bin` : is a [SGX PSW](https://github.com/intel/linux-sgx#install-the-intelr-sgx-psw) binary.
### Install `sgx_linux_x64_sdk_2.9.101.2.bin`
Type the following commands to Install `sgx_linux_x64_sdk_2.9.101.2.bin` on your centos system.
``` shell
yum install -y make
mkdir -p /opt/intel
mv sgx_linux_x64_sdk_2.9.101.2.bin /opt/intel
cd /opt/intel
yes yes | ./sgx_linux_x64_sdk_2.9.101.2.bin
```
### Install `sgx_linux_x64_psw_2.9.101.2.bin`
Type the following commands to Install `sgx_linux_x64_psw_2.9.101.2.bin` on your centos system.
``` shell
yum install -y https://cbs.centos.org/kojifiles/packages/protobuf/3.6.1/4.el7/x86_64/protobuf-3.6.1-4.el7.x86_64.rpm
mv sgx_linux_x64_psw_2.9.101.2.bin /opt/intel
cd /opt/intel
./sgx_linux_x64_psw_2.9.101.2.bin
source /opt/intel/sgxsdk/environment
LD_LIBRARY_PATH="/opt/intel/sgxpsw/aesm:$LD_LIBRARY_PATH"
/opt/intel/sgxpsw/aesm/aesm_service
```
---
## Config Docker Runtimes
Add the `rune` OCI runtime configuration in dockerd config file (`/etc/docker/daemon.json`) on your system.
``` JSON
{
"runtimes": {
"rune": {
"path": "/usr/local/sbin/rune",
"runtimeArgs": []
}
}
}
```
then restart docker service on your system.
> e.g. `sudo systemctl restart docker` for CentOS, or `sudo service docker restart` for Ubuntu
You can check whether `rune` is correctly added to container runtime or not with
``` shell
sudo docker info | grep rune
Runtimes: rune runc
```
---
## Run Occlum application image using rune
You need to specify a set of parameters to `docker run` in order to use `rune`, e.g,
``` shell
docker run -it --rm --runtime=rune \
-e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-occlum.so \
-e ENCLAVE_RUNTIME_ARGS=${OCCLUM_INSTANCE_DIR} \
${Occlum_application_image}
```
where:
- @runtime: choose the runtime (`rune`, `runc`, or others) to use for this container.
- @ENCLAVE_TYPE: specify the type of enclave hardware to use, such as `intelSgx`.
- @ENCLAVE_PATH: specify the path to enclave runtime to launch. For an Occlum application, you need to specify the path of `liberpal-occlum.so` which is a soft link to `libocclum-pal.so` of your Occlum instance dir (`OCCLUM_INSTANCE_DIR`).
- @ENCLAVE_ARGS: specify the specific arguments to enclave runtime, separated by the comma. For an Occlum application, you need to specify the name of your Occlum instance dir (`OCCLUM_INSTANCE_DIR`) in this parameter.
# Quick Start: Running rune with Occlum bundle
## Build and install rune
`rune` is a CLI tool for spawning and running enclaves in containers according to the OCI specification.
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/README.md#rune) to build `rune` from scratch.
---
## Build Occlum application docker image
Please refer to [this guide](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_occlum_bundle.md) to build the Occlum application Docker image.
## Create Occlum application bundle
In order to use `rune` you must have your container in the format of an OCI bundle. If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing Occlum application Docker container.
``` shell
# create the top most bundle directory
mkdir -p "$HOME/rune_workdir"
cd "$HOME/rune_workdir"
mkdir rune-container
cd rune-container
# create the rootfs directory
mkdir rootfs
# export Occlum application image via Docker into the rootfs directory
docker export $(docker create ${Occlum_application_image}) | sudo tar -C rootfs -xvf -
```
After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. `rune` provides a spec command which is similar to `runc` to generate a template file that you are then able to edit.
``` shell
rune spec
```
To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
In order to run the hello world demo program in Occlum with `rune`, you need to change the entrypoint from `sh` to `/bin/hello_world`
``` json
"process": {
"args": [
"/bin/hello_world"
],
}
```
and then configure enclave runtime as following:
``` json
"annotations": {
"enclave.type": "intelSgx",
"enclave.runtime.path": "/usr/lib/liberpal-occlum.so",
"enclave.runtime.args": "$OCCLUM_INSTANCE_DIR"
}
```
where:
- @enclave.type: specify the type of enclave hardware to use, such as `intelSgx`.
- @enclave.runtime.path: specify the path to enclave runtime to launch. For an Occlum application, you need to specify the path of `liberpal-occlum.so` which is a soft link to `libocclum-pal.so` of your Occlum instance dir (`OCCLUM_INSTANCE_DIR`).
- @enclave.runtime.args: specify the specific arguments to enclave runtime, separated by the comma. For an Occlum application, you need to specify the name of your Occlum instance dir (`OCCLUM_INSTANCE_DIR`) in this parameter.
---
## Run Occlum application
Assuming you have an OCI bundle from the previous step you can execute the container in this way.
``` shell
cd "$HOME/rune_workdir/rune-container"
sudo rune run ${Occlum_application_container_name}
```
...@@ -8,35 +8,32 @@ Refer to [this guide](https://github.com/alibaba/inclavare-containers/tree/maste ...@@ -8,35 +8,32 @@ Refer to [this guide](https://github.com/alibaba/inclavare-containers/tree/maste
```shell ```shell
cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/skeleton" cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/skeleton"
make make
cp liberpal-skeletion.so /usr/lib
``` ```
# Build skeleton docker image # Build skeleton docker image
```shell ```shell
cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/skeleton" cd "${path_to_inclavare_containers}/rune/libenclave/internal/runtime/pal/skeleton"
cat >Dockerfile <<EOF cat >Dockerfile <<EOF
FROM centos:7.2.1511 FROM centos:7.5.1804
RUN mkdir -p /run/rune RUN mkdir -p /run/rune
WORKDIR /run/rune WORKDIR /run/rune
RUN yum install -y libseccomp-devel
COPY liberpal-skeleton.so .
COPY encl.bin . COPY encl.bin .
COPY encl.elf . COPY encl.elf .
COPY encl.ss . COPY encl.ss .
COPY encl.token . COPY encl.token .
RUN ldconfig
EOF EOF
docker build . -t liberpal-skeleton docker build . -t liberpal-skeleton
``` ```
# Run skeleton docker image # Build and install rune
## Build and install rune
`rune` is a CLI tool for spawning and running enclaves in containers according to the OCI specification. `rune` is a CLI tool for spawning and running enclaves in containers according to the OCI specification.
Please refer to [this guide](https://github.com/alibaba/inclavare-containers#rune) to build `rune` from scratch. Please refer to [this guide](https://github.com/alibaba/inclavare-containers#rune) to build `rune` from scratch.
# Run skeleton docker image
## Configure Docker runtimes ## Configure Docker runtimes
Add the `rune` OCI runtime configuration in dockerd config file (`/etc/docker/daemon.json`) in your system. Add the `rune` OCI runtime configuration in dockerd config file (`/etc/docker/daemon.json`) in your system.
...@@ -64,7 +61,62 @@ Runtimes: rune runc ...@@ -64,7 +61,62 @@ Runtimes: rune runc
```shell ```shell
docker run -it --rm --runtime=rune \ docker run -it --rm --runtime=rune \
-e ENCLAVE_TYPE=intelSgx \ -e ENCLAVE_TYPE=intelSgx \
-e ENCLAVE_RUNTIME_PATH=/run/rune/liberpal-skeleton.so \ -e ENCLAVE_RUNTIME_PATH=/usr/lib/liberpal-skeleton.so \
-e ENCLAVE_RUNTIME_ARGS="debug" \ -e ENCLAVE_RUNTIME_ARGS="debug" \
liberpal-skeleton liberpal-skeleton
``` ```
where:
- @runtime: choose the runtime (`rune`, `runc` or others) to use for this container.
- @ENCLAVE_TYPE: specify the type of enclave hardware to use, such as `intelSgx`.
- @ENCLAVE_PATH: specify the path to enclave runtime to launch.
- @ENCLAVE_ARGS: specify the specific arguments to enclave runtime, seperated by the comma.
# Run skeleton OCI bundle
## Create skeleton bundle
In order to use `rune` you must have your container in the format of an OCI bundle. If you have Docker installed you can use its `export` method to acquire a root filesystem from an existing skeleton Docker container.
``` shell
# create the top most bundle directory
cd "$HOME/rune_workdir"
mkdir rune-container
cd rune-container
# create the rootfs directory
mkdir rootfs
# export skeleton image via Docker into the rootfs directory
docker export $(docker create liberpal-skeleton) | sudo tar -C rootfs -xvf -
```
After a root filesystem is populated you just generate a spec in the format of a config.json file inside your bundle. `rune` provides a spec command which is similar to `runc` to generate a template file that you are then able to edit.
``` shell
rune spec
```
To find features and documentation for fields in the spec please refer to the [specs](https://github.com/opencontainers/runtime-spec) repository.
In order to run the skeleton bundle with `rune`, you need to configure enclave runtime as following:
``` json
"annotations": {
"enclave.type": "intelSgx",
"enclave.runtime.path": "/usr/lib/liberpal-skeleton.so",
"enclave.runtime.args": "debug"
}
```
where:
- @enclave.type: specify the type of enclave hardware to use, such as intelSgx.
- @enclave.runtime.path: specify the path to enclave runtime to launch.
- @enclave.runtime.args: specify the specific arguments to enclave runtime, seperated by the comma.
---
## Run skeleton application
Assuming you have an OCI bundle from the previous step you can execute the container in this way.
``` shell
cd "$HOME/rune_workdir/rune-container"
sudo rune run "liberpal-skeleton"
```
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册