@@ -7,7 +7,7 @@ This page shows how to create a single control-plane Kubernetes and install the
...
@@ -7,7 +7,7 @@ This page shows how to create a single control-plane Kubernetes and install the
- A machine with Intel SGX hardware support.
- A machine with Intel SGX hardware support.
- Make sure you have one of the following operating systems:
- Make sure you have one of the following operating systems:
- Ubuntu 18.04 server 64bits
- Ubuntu 18.04 server 64bits
- CentOS 7.5 64bits
- CentOS 8.1 64bits
- Download the packages or binaries corresponding to your operating system from the [releases page](https://github.com/alibaba/inclavare-containers/releases).
- Download the packages or binaries corresponding to your operating system from the [releases page](https://github.com/alibaba/inclavare-containers/releases).
| Module Name | CentOS | Ubuntu |
| Module Name | CentOS | Ubuntu |
...
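Review bot: The supported-OS bullet now reads `CentOS 8.1 64bits`, but the CentOS install commands later in this patch still use `rune-${version}.el7.x86_64.rpm` and `shim-rune-${version}.el7.x86_64.rpm`. Either state that the el7 packages are the ones to install on CentOS 8.1, or update the file names so the prerequisite and the commands agree. If CentOS 7.5 is no longer supported, say so in the commit message.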
@@ -15,10 +15,6 @@ This page shows how to create a single control-plane Kubernetes and install the
...
@@ -15,10 +15,6 @@ This page shows how to create a single control-plane Kubernetes and install the
**Note:** The SGX SDK and PSW installers on Ubuntu operating system are available from [Intel](https://download.01.org/intel-sgx/sgx-linux/2.9.1/distro/ubuntu18.04-server/).
## Objectives
## Objectives
...
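Review bot: Removing the note before `## Objectives` drops the prerequisites' only mention of the SGX SDK/PSW release (2.9.1) and of where Ubuntu users get the installers, and the install section later in this patch also loses its "the recommended version is 2.9.1" sentence. Keep one line on the page that states which SGX SDK/PSW version to install, so the requirement does not live only in a linked document.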
@@ -31,27 +27,9 @@ This page shows how to create a single control-plane Kubernetes and install the
...
@@ -31,27 +27,9 @@ This page shows how to create a single control-plane Kubernetes and install the
### 1. Install Linux SGX software stack
### 1. Install Linux SGX software stack
The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, and Intel SGX PSW.
The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, and Intel SGX PSW.
Please follow [Intel SGX Installation Guide](https://download.01.org/intel-sgx/sgx-linux/2.9.1/docs/Intel_SGX_Installation_Guide_Linux_2.9.1_Open_Source.pdf) to install SGX driver, SDK and PSW, the recommended version is 2.9.1.
- Step 1. Build and install the Intel SGX driver
Note that you should install the OOT SGX driver that without ECDSA attestation.
Please refer to the [documentation](https://github.com/intel/linux-sgx-driver#build-and-install-the-intelr-sgx-driver) to build and install the Intel SGX driver. It is recommended that the version equal to or greater than `sgx_driver_2.5`.
Please refer to the [documentation](https://github.com/alibaba/inclavare-containers/blob/master/docs/running_rune_with_occlum.md#install-inclavare-containers-binary) to install SGX SDK and SGX PSW.
- Step 3. Check the aesmd daemon status
Make sure the aesmd daemon is started and running. The expected result is as following:
```
$ systemctl status aesmd.service
● aesmd.service - Intel(R) Architectural Enclave Service Manager
[Occlum](https://github.com/occlum/occlum) is the only enclave runtime supported by shim-rune currently. `enable-rdfsdbase` and `occlum-pal` are used by Occlum.<br/>
[Occlum](https://github.com/occlum/occlum) is the only enclave runtime supported by shim-rune currently. `enable-rdfsdbase` and `occlum-pal` are used by Occlum.<br/>
...
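Review bot: The replacement sentence covers only "SGX SDK and SGX PSW", while the section intro still lists the Intel SGX driver as part of the stack and no remaining line says how to install it. The hunk shrinks from 27 lines to 9, and the OOT-driver note (without ECDSA attestation), the `sgx_driver_2.5` minimum and the `systemctl status aesmd.service` check all go with it. The new link anchor, `#install-inclavare-containers-binary`, also reads as a section about installing the inclavare-containers binary rather than the SGX stack. Confirm the linked section covers the driver and aesmd, or keep a one-line driver requirement and the aesmd check here.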
@@ -62,16 +40,30 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
...
@@ -62,16 +40,30 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
Please follow the [documentation](https://github.com/occlum/enable_rdfsbase) to install `enable-rdfsdbase`.
Please follow the [documentation](https://github.com/occlum/enable_rdfsbase) to install `enable-rdfsdbase`.
- Step 2. Install occlum-pal
- Step 2. Install package libsga-uae-service
`libsga-uae-service` is used by occlum-pal, go to the SGX RPM local repo and run the following command:
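Review bot: `libsga-uae-service` in the new step title and in the sentence under it looks like a misspelling of Intel's PSW package `libsgx-uae-service`; a reader copying the name will not find the package. The same sentence tells the reader to "go to the SGX RPM local repo", which is not defined in the visible text and only applies to CentOS, so say where that repo comes from and what Ubuntu users should do. While here, the context line spells the tool `enable-rdfsdbase`, but the linked repository is `enable_rdfsbase`.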
@@ -88,14 +80,14 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
...
@@ -88,14 +80,14 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
- Step 2. Download and install the `rune` package
- Step 2. Download and install the `rune` package
- On CentOS
- On CentOS
```bash
```bash
version=0.3.0-1
version=0.4.0-1
sudo yum install-y libseccomp
sudo yum install-y libseccomp
sudo rpm -ivh rune-${version}.el7.x86_64.rpm
sudo rpm -ivh rune-${version}.el7.x86_64.rpm
```
```
- On Ubuntu
- On Ubuntu
```bash
```bash
version=0.3.0-1
version=0.4.0-1
sudo dpkg -i rune_${version}_amd64.deb
sudo dpkg -i rune_${version}_amd64.deb
```
```
...
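Review bot: The CentOS block touched by this version bump still contains `sudo yum install-y libseccomp`, where `install-y` is missing a space and is not a valid yum subcommand; it should be `sudo yum install -y libseccomp`. Since the block is being edited for `version=0.4.0-1` anyway, fix the command in the same change so the documented steps run as written.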
@@ -105,13 +97,13 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
...
@@ -105,13 +97,13 @@ The Linux SGX software stack is comprised of Intel SGX driver, Intel SGX SDK, an
- On CentOS
- On CentOS
```bash
```bash
version=0.3.0-1
version=0.4.0-1
sudo rpm -ivh shim-rune-${version}.el7.x86_64.rpm
sudo rpm -ivh shim-rune-${version}.el7.x86_64.rpm
```
```
- On Ubuntu
- On Ubuntu
```bash
```bash
version=0.3.0-1
version=0.4.0-1
sudo dpkg -i shim-rune_${version}_amd64.deb
sudo dpkg -i shim-rune_${version}_amd64.deb
```
```
...
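Review bot: The `shim-rune` blocks, like the `rune` blocks above, go straight from a downloaded file to `sudo rpm -ivh` / `sudo dpkg -i` with no integrity check shown. If the release publishes checksums or signatures, add a verification step before the install command. The version string `0.4.0-1` is also repeated in four separate blocks in this patch; defining it once near the download step would make the next bump a one-line change.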
@@ -182,7 +174,7 @@ containerd is an industry-standard container runtime with an emphasis on simplic
...
@@ -182,7 +174,7 @@ containerd is an industry-standard container runtime with an emphasis on simplic
It is recommended to download the occlum SDK image in advance, which is configured in the filed `enclave_runtime.occlum.build_image` in `/etc/inclavare-containers/config.toml` . This image will be used when creating pods. Note that downloading this image in advance can save the container launch time. <br />Run the following command to download the Occlum SDK image:
It is recommended to download the occlum SDK image in advance, which is configured in the filed `enclave_runtime.occlum.build_image` in `/etc/inclavare-containers/config.toml` . This image will be used when creating pods. Note that downloading this image in advance can save the container launch time. <br />Run the following command to download the Occlum SDK image:
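Review bot: The context line in this hunk has "configured in the filed `enclave_runtime.occlum.build_image`", where "filed" should be "field", and a stray space before the period after `/etc/inclavare-containers/config.toml`. The sentence also writes "occlum SDK image" and "Occlum SDK image" in the same paragraph; pick one capitalisation. These are worth fixing while this paragraph is being modified.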
@@ -7,7 +7,7 @@ This page shows how to develop a "Hello World" application, build a "Hello World
...
@@ -7,7 +7,7 @@ This page shows how to develop a "Hello World" application, build a "Hello World
- You need to have a Kubernetes cluster and the nodes' hardware in the cluster must support Intel SGX. If you do not already have a cluster, you can create one following the documentation [Create a confidential computing Kubernetes cluster with inclavare-containers](create_a_confidential_computing_kubernetes_cluster_with_inclavare_containers.md).
- You need to have a Kubernetes cluster and the nodes' hardware in the cluster must support Intel SGX. If you do not already have a cluster, you can create one following the documentation [Create a confidential computing Kubernetes cluster with inclavare-containers](create_a_confidential_computing_kubernetes_cluster_with_inclavare_containers.md).
- Make sure you have one of the following operating systems:
- Make sure you have one of the following operating systems: