diff --git a/shim/config/config.go b/shim/config/config.go index acaca69213ce54052e402283cc1a758cf24c4827..6ca914eb845c41b2c952b5b4d0d6135563de577c 100644 --- a/shim/config/config.go +++ b/shim/config/config.go @@ -5,22 +5,21 @@ type Containerd struct { } type Occlum struct { - BuildImage string `toml:"build_image"` + BuildImage string `toml:"build_image"` + EnclaveRuntimePath string `toml:"enclave_runtime_path"` } type Graphene struct { } type EnclaveRuntime struct { - Occlum Occlum `toml:"occlum"` + Occlum Occlum `toml:"occlum"` Graphene Graphene `toml:"graphene"` } type Config struct { - LogLevel string `toml:"log_level"` - SgxToolSign string `toml:"sgx_tool_sign"` - - Containerd Containerd `toml:"containerd"` - + LogLevel string `toml:"log_level"` + SgxToolSign string `toml:"sgx_tool_sign"` + Containerd Containerd `toml:"containerd"` EnclaveRuntime EnclaveRuntime `toml:"enclave_runtime"` } diff --git a/shim/runtime/carrier/constants/constants.go b/shim/runtime/carrier/constants/constants.go index e77714266f60efc297f1d0241cf35cb773716b91..c46db2c9fcb20865a40379f396bd53db7ac47c13 100644 --- a/shim/runtime/carrier/constants/constants.go +++ b/shim/runtime/carrier/constants/constants.go @@ -141,9 +141,9 @@ function copyOcclumLiberaries() { /bin/cp -f /usr/lib/libsgx_u*.so* ${lib_dir} /bin/cp -f /usr/lib/libsgx_enclave_common.so.1 ${lib_dir} /bin/cp -f /usr/lib/libsgx_launch.so.1 ${lib_dir} - ln -sfn .occlum/build/lib/libocclum-pal.so liberpal-occlum.so - # ==== fixme: the file /sbin/ldconfig maybe not exist in customer's image - chroot ${rootfs} /sbin/ldconfig + #/bin/cp -f .occlum/build/lib/libocclum-pal.so ${lib_dir}/liberpal-occlum.so + #ln -sfn .occlum/build/lib/libocclum-pal.so liberpal-occlum.so + #chroot ${rootfs} /sbin/ldconfig popd } @@ -164,6 +164,8 @@ function buildUnsignedEnclave(){ fi # set occlum entrypoint sed -i "s#/bin#${entry_point}#g" Occlum.json + # generate the configuration file Enclave.xml that used by enclave from Occlum.json + /opt/occlum/build/bin/gen_enclave_conf -i Occlum.json -o Enclave.xml # build occlum image /bin/bash ${base_dir}/replace_occlum_image.sh ${rootfs} image # occlum build @@ -171,12 +173,6 @@ function buildUnsignedEnclave(){ mkdir -p ${rootfs}/${work_dir} || true /bin/cp -fr .occlum ${rootfs}/${work_dir} /bin/cp -f Enclave.xml ${rootfs}/${work_dir} - # ===fixme debug==== - /bin/cp -fr image ${rootfs}/${work_dir} - /bin/cp -f Occlum.json ${rootfs}/${work_dir} - # ================== - # copy occlum liberaries to rootfs - copyOcclumLiberaries popd } diff --git a/shim/runtime/carrier/occlum/config.go b/shim/runtime/carrier/occlum/config.go new file mode 100644 index 0000000000000000000000000000000000000000..73d925f4faf9afb9c33646172f8ddc2f3bb87b61 --- /dev/null +++ b/shim/runtime/carrier/occlum/config.go @@ -0,0 +1,166 @@ +package occlum + +import ( + "strconv" + "strings" + + "github.com/sirupsen/logrus" +) + +const ( + EnvUserSpaceSize = "OCCLUM_USER_SPACE_SIZE" + EnvKernelSpaceHeapSize = "OCCLUM_KERNEL_SPACE_HEAP_SIZE" + EnvKernelSpaceStackSize = "OCCLUM_KERNEL_SPACE_STACK_SIZE" + EnvMaxNumOfThreads = "OCCLUM_MAX_NUM_OF_THREADS" + EnvDefaultStackSize = "OCCLUM_DEFAULT_STACK_SIZE" + EnvDefaultHeapSize = "OCCLUM_DEFAULT_HEAP_SIZE" + EnvDefaultMmapSize = "OCCLUM_DEFAULT_MMAP_SIZE" + EnvProductId = "OCCLUM_PRODUCT_ID" + EnvVersionNumber = "OCCLUM_VERSION_NUMBER" + EnvDebuggable = "OCCLUM_DEBUGGABLE" +) + +type OcclumConfig struct { + ResourceLimits ResourceLimits `json:"resource_limits"` + Process Process `json:"process"` + EntryPoints []string `json:"entry_points"` + Env Env `json:"env"` + Metadata Metadata `json:"metadata"` + Mount []Mount `json:"mount"` +} + +type ResourceLimits struct { + UserSpaceSize string `json:"user_space_size"` + KernelSpaceHeapSize string `json:"kernel_space_heap_size"` + KernelSpaceStackSize string `json:"kernel_space_stack_size"` + MaxNumOfThreads int64 `json:"max_num_of_threads"` +} + +type Process struct { + DefaultStackSize string `json:"default_stack_size"` + DefaultHeapSize string `json:"default_heap_size"` + DefaultMmapSize string `json:"default_mmap_size"` +} + +type Env struct { + Default []string `json:"default"` + Untrusted []string `json:"untrusted"` +} + +type Metadata struct { + ProductId int64 `json:"product_id"` + VersionNumber int64 `json:"version_number"` + Debuggable bool `json:"debuggable"` +} + +type Mount struct { + Target string `json:"target"` + Type string `json:"type"` + Source string `json:"source,omitempty"` + Options map[string]interface{} `json:"options,omitempty"` +} + +func (c *OcclumConfig) ApplyEnvs(envs []string) { + for _, env := range envs { + items := strings.SplitN(env, "=", 2) + if len(items) != 2 { + continue + } + k := items[0] + v := items[1] + switch k { + case EnvUserSpaceSize: + c.ResourceLimits.UserSpaceSize = v + break + case EnvKernelSpaceHeapSize: + c.ResourceLimits.KernelSpaceHeapSize = v + break + case EnvKernelSpaceStackSize: + c.ResourceLimits.KernelSpaceStackSize = v + break + case EnvMaxNumOfThreads: + i, err := strconv.ParseInt(v, 10, 64) + if err != nil { + logrus.Error("ApplyEnvs: parse environment variable %s failed. error: %++v", k, err) + } + c.ResourceLimits.MaxNumOfThreads = i + break + case EnvDefaultStackSize: + c.Process.DefaultStackSize = v + break + case EnvDefaultHeapSize: + c.Process.DefaultHeapSize = v + break + case EnvDefaultMmapSize: + c.Process.DefaultMmapSize = v + break + case EnvProductId: + i, err := strconv.ParseInt(v, 10, 64) + if err != nil { + logrus.Error("ApplyEnvs: parse environment variable %s failed. error: %++v", k, err) + } + c.Metadata.ProductId = i + break + case EnvVersionNumber: + i, err := strconv.ParseInt(v, 10, 64) + if err != nil { + logrus.Error("ApplyEnvs: parse environment variable %s failed. error: %++v", k, err) + } + c.Metadata.VersionNumber = i + break + case EnvDebuggable: + i, err := strconv.ParseBool(v) + if err != nil { + logrus.Error("ApplyEnvs: parse environment variable %s failed. error: %++v", k, err) + } + c.Metadata.Debuggable = i + break + } + } +} + +func GetDefaultOcclumConfig() *OcclumConfig { + return &OcclumConfig{ + ResourceLimits: ResourceLimits{ + UserSpaceSize: "256MB", + KernelSpaceHeapSize: "32MB", + KernelSpaceStackSize: "1MB", + MaxNumOfThreads: 32}, + Process: Process{ + DefaultStackSize: "4MB", + DefaultHeapSize: "32MB", + DefaultMmapSize: "80MB", + }, + EntryPoints: []string{"/bin"}, + Env: Env{ + Default: []string{"OCCLUM=yes"}, + Untrusted: []string{"EXAMPLE"}, + }, + Metadata: Metadata{ + ProductId: 0, + VersionNumber: 0, + Debuggable: true, + }, + Mount: []Mount{ + { + Target: "/", + Type: "sefs", + Source: "./image", + Options: map[string]interface{}{"integrity_only": true}, + }, + { + Target: "/root", + Type: "sefs", + }, + { + Target: "/host", + Type: "hostfs", + Source: ".", + }, + { + Target: "/tmp", + Type: "ramfs", + }, + }, + } +} diff --git a/shim/runtime/carrier/occlum/occlum.go b/shim/runtime/carrier/occlum/occlum.go index c4fa52fd916237a87ef8947bcda137fbc783e83a..87d505a8f8f92d780680c285ea3583e4e3af565c 100644 --- a/shim/runtime/carrier/occlum/occlum.go +++ b/shim/runtime/carrier/occlum/occlum.go @@ -2,6 +2,7 @@ package occlum import ( "context" + "encoding/json" "fmt" "io/ioutil" "math/rand" @@ -114,7 +115,7 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier logrus.Debugf("BuildUnsignedEnclave: pull image %s successfully", occlumEnclaveBuilderImage) // Generate the containerId and snapshotId. - // FIXME debug + // FIXME The variables containerId and snapshotId should be generated by utils.GenerateID rand.Seed(time.Now().UnixNano()) containerId := fmt.Sprintf("occlum-enclave-builder-%s", strconv.FormatInt(rand.Int63(), 16)) snapshotId := fmt.Sprintf("occlum-enclave-builder-snapshot-%s", strconv.FormatInt(rand.Int63(), 16)) @@ -199,16 +200,24 @@ func (c *occlum) BuildUnsignedEnclave(req *task.CreateTaskRequest, args *carrier "--work_dir", c.workDirectory, "--rootfs", filepath.Join("/", rootfsDirName), } + var occlumConfigPath string if c.configPath != "" { - cmd = append(cmd, "--occlum_config_path", filepath.Join("/", rootfsDirName, c.configPath)) + occlumConfigPath = filepath.Join("/", rootfsDirName, c.configPath) + } else { + c.configPath = "Occlum.json" + occlumConfigPath = filepath.Join("/", enclaveDataDir, c.configPath) + hostPath := filepath.Join(c.bundle, enclaveDataDir, c.configPath) + if err := c.saveOcclumConfig(hostPath); err != nil { + return "", err + } } + cmd = append(cmd, "--occlum_config_path", occlumConfigPath) logrus.Debugf("BuildUnsignedEnclave: command: %v", cmd) if err := c.execTask(cmd...); err != nil { logrus.Errorf("BuildUnsignedEnclave: exec failed. error: %++v", err) return "", err } enclavePath := filepath.Join("/", rootfsDirName, c.workDirectory, ".occlum/build/lib/libocclum-libos.so") - return enclavePath, nil } @@ -287,6 +296,7 @@ func (c *occlum) Cleanup() error { if c.task.task == nil { return nil } + t := *c.task.task if err := t.Kill(c.context, syscall.SIGTERM); err != nil { logrus.Errorf("Cleanup: kill task %s failed. err: %++v", t.ID(), err) @@ -327,7 +337,10 @@ func (c *occlum) initBundleConfig() error { } c.workDirectory = spec.Process.Cwd c.entryPoints = spec.Process.Args - enclaveRuntimePath := fmt.Sprintf("%s/liberpal-occlum.so", c.workDirectory) + enclaveRuntimePath := c.shimConfig.EnclaveRuntime.Occlum.EnclaveRuntimePath + if enclaveRuntimePath == "" { + enclaveRuntimePath = fmt.Sprintf("%s/liberpal-occlum.so", c.workDirectory) + } envs := map[string]string{ carr_const.EnclaveRuntimePathKeyName: enclaveRuntimePath, carr_const.EnclaveTypeKeyName: string(carr_const.IntelSGX), @@ -344,6 +357,19 @@ func (c *occlum) initBundleConfig() error { return config.SaveSpec(configPath, spec) } +func (o *occlum) saveOcclumConfig(path string) error { + if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { + return err + } + cfg := GetDefaultOcclumConfig() + cfg.ApplyEnvs(o.spec.Process.Env) + bytes, err := json.Marshal(cfg) + if err != nil { + return err + } + return ioutil.WriteFile(path, bytes, 0644) +} + func createNamespaceIfNotExist(client *containerd.Client, namespace string) error { svc := client.NamespaceService() diff --git a/shim/runtime/v2/rune/v2/service.go b/shim/runtime/v2/rune/v2/service.go index ae2202c7bf8d82b01472276755f1981f9d694298..8cea20f864dafa65f028538511a2533176ba225e 100644 --- a/shim/runtime/v2/rune/v2/service.go +++ b/shim/runtime/v2/rune/v2/service.go @@ -294,12 +294,6 @@ func setOCIRuntime(ctx context.Context, r *taskAPI.CreateTaskRequest) (err error return err } } - - //err = config.UpdateEnclaveEnvConfig(filepath.Join(r.Bundle, "config.json")) - //if err != nil { - // return err - //} - return nil } @@ -324,6 +318,22 @@ func (s *service) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (_ * container, err := runc.NewContainer(ctx, s.platform, r) if err != nil { logrus.Errorf("rune Create NewContainer error: %++v", err) + /*//FIXME debug + if _, err := os.Stat(r.Bundle); err == nil { + path := "/tmp/rune-container-test/runc-rootfs" + os.RemoveAll(path) + os.MkdirAll(path, 0644) + args := []string{ + "-r", r.Bundle, path, + } + if b, err := exec.Command("cp", args...).CombinedOutput(); err != nil { + logrus.Errorf("failed to copy bundles. error:%s, %v", string(b), err) + } + logrus.Infof("copy runc bundle %s to %s", r.Bundle, path) + time.Sleep(time.Minute) + } else { + logrus.Infof("bundle dir is not exist.", r.Bundle) + }*/ return nil, err }