shim

module

v0.0.0-...-1ce85ed Latest Latest Go to latest Published: Jan 18, 2021 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/alibaba/inclavare-containers

README ¶

containerd-shim-rune-v2

containerd-shim-rune-v2 is a shim for Inclavare Containers(runE).

Introduction

shim-rune

Carrier Framework

Carrier is a abstract framework to build an enclave for the specified enclave runtime (Occlum、Graphene ..) .

shim-carrier

Signature Framework

shim-signature

Build requirements

Go 1.13.x or above.

How to build and install

Step 1: Build and install shim binary.

mkdir -p $GOPATH/src/github.com/alibaba
cd $GOPATH/src/github.com/alibaba 
git clone https://github.com/alibaba/inclavare-containers.git

cd shim
GOOS=linux make binaries
make install
ls -l /usr/local/bin/containerd-shim-rune-v2

Step 2: Configuration

The Configuration file of Inclavare Containers MUST BE placed into /etc/inclavare-containers/config.toml

log_level = "info" # "debug" "info" "warn" "error"
sgx_tool_sign = "/opt/intel/sgxsdk/bin/x64/sgx_sign"

[containerd]
    socket = "/run/containerd/containerd.sock"
# The epm section is optional. 
# If the epm serivce is deployed, you can configure a appropriate unix socket address in "epm.socket" field, 
# otherwise just delete the epm section.
[epm]
    socket = "/var/run/epm/epm.sock"
[enclave_runtime]
    # The signature_method represents the signature method for enclave.
    # It can be "server" or "client", the default value is "server"
    signature_method = "server"
    [enclave_runtime.occlum]
        enclave_runtime_path = "/opt/occlum/build/lib/libocclum-pal.so"
        enclave_libos_path = "/opt/occlum/build/lib/libocclum-libos.so"
    [enclave_runtime.graphene]

Modify containerd configuration file(/etc/containerd/config.toml) and add runtimes rune into it.

#...
      [plugins.cri.containerd.runtimes.rune]
        runtime_type = "io.containerd.rune.v2"
#...

Add RuntimeClass rune into your kubernetes cluster.

cat <<EOF | kubectl create -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: rune
handler: rune
scheduling:
  nodeSelector:
    # Your rune worker labels.
    #alibabacloud.com/container-runtime: rune
EOF

Run HelloWorld in kubernetes

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: helloworld-in-tee
  name: helloworld-in-tee
spec:
  runtimeClassName: rune
  containers:
  - command:
    - /bin/hello_world
    env:
    - name: RUNE_CARRIER
      value: occlum
    image: registry.cn-shanghai.aliyuncs.com/larus-test/hello-world:v2
    imagePullPolicy: IfNotPresent
    name: helloworld
    workingDir: /var/run/rune
EOF

Directories ¶

Path	Synopsis
cmd
containerd-shim-rune-v2
signature-server
signature-server/app
signature-server/app/options
config
runtime
carrier
carrier/constants
carrier/empty
carrier/graphene
carrier/occlum
config
signature/client
signature/server
signature/server/api
signature/server/conf
signature/server/mock
signature/server/util
signature/types
utils
v2/rune
v2/rune/constants
v2/rune/v2
v2/rune/v2/attestation

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL