containerd-shim-rune-v2

containerd-shim-rune-v2 is a containerd shim for Inclavare Containers (runE).

Introduction

shim-rune

Carrier Framework

Carrier is an abstract framework for building an enclave for a specified enclave runtime (Occlum, Graphene, ...).

shim-carrier

Signature Framework

shim-signature

Build requirements

Go 1.13.x or above.

How to build and install

Step 1: Build and install the shim binary.

mkdir -p $GOPATH/src/github.com/alibaba
cd $GOPATH/src/github.com/alibaba
git clone https://github.com/alibaba/inclavare-containers.git

# The shim lives in the shim/ directory of the cloned repository.
cd inclavare-containers/shim
GOOS=linux make binaries
make install
ls -l /usr/local/bin/containerd-shim-rune-v2

Step 2: Configuration

The Inclavare Containers configuration file must be placed at /etc/inclavare-containers/config.toml.

log_level = "debug" # "debug" "info" "warn" "error"
sgx_tool_sign = "/opt/intel/sgxsdk/bin/x64/sgx_sign"

[containerd]
    socket = "/run/containerd/containerd.sock"
# The epm section is optional.
# If the epm service is deployed, configure an appropriate unix socket address in the "epm.socket" field;
# otherwise just delete the epm section.
[epm]
    socket = "/run/epm/epm.sock"
[enclave_runtime]
    # The signature_method represents the signature method for the enclave.
    # It can be "server" or "client"; the default value is "server".
    signature_method = "server"
    [enclave_runtime.occlum]
        enclave_runtime_path = "/opt/occlum/build/lib/libocclum-pal.so"
        enclave_libos_path = "/opt/occlum/build/lib/libocclum-libos.so"
    [enclave_runtime.graphene]

Modify the containerd configuration file (/etc/containerd/config.toml) and add the rune runtime to it.

#...
      [plugins.cri.containerd.runtimes.rune]
        runtime_type = "io.containerd.rune.v2"
#...

Add the RuntimeClass rune to your Kubernetes cluster.

cat <<EOF | kubectl create -f -
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: rune
handler: rune
scheduling:
  nodeSelector:
    # Your rune worker labels.
    #alibabacloud.com/container-runtime: rune
EOF
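A pre-flight check for the /etc/inclavare-containers/config.toml written in Step 2, added here as an example and not part of the shim project: it parses the TOML subset that file uses and enforces the rules stated above (required keys, signature_method of "server" or "client" with "server" as default, an optional [epm] section that must name a socket when present, and referenced paths that must exist). The sample file is constructed, and the `exists` parameter is a hypothetical injection point so the check can run on a host without the SGX SDK or Occlum installed.

```python
import os
import re
SAMPLE_CONFIG = """# constructed sample of /etc/inclavare-containers/config.toml, not a real host's file
log_level = "debug" # "debug" "info" "warn" "error"
sgx_tool_sign = "/opt/intel/sgxsdk/bin/x64/sgx_sign"
[containerd]
    socket = "/run/containerd/containerd.sock"
[epm]
    socket = "/run/epm/epm.sock"
[enclave_runtime]
    signature_method = "server"
    [enclave_runtime.occlum]
        enclave_runtime_path = "/opt/occlum/build/lib/libocclum-pal.so"
        enclave_libos_path = "/opt/occlum/build/lib/libocclum-libos.so"
    [enclave_runtime.graphene]
"""
_TABLE, _KV = re.compile(r"^\[([\w.]+)\]$"), re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
LOG_LEVELS = {"debug", "info", "warn", "error"}
REQUIRED = ("sgx_tool_sign", "containerd.socket", "enclave_runtime.occlum.enclave_runtime_path",
            "enclave_runtime.occlum.enclave_libos_path")
def parse_config(text):
    """Parse the TOML subset this file uses into (dotted-key values, set of declared tables)."""
    table, values, tables = "", {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; no value in this file contains '#'
        if not line: continue
        if m := _TABLE.match(line):
            table = m.group(1)
            tables.add(table)  # kept even when empty, e.g. [enclave_runtime.graphene]
        elif m := _KV.match(line):
            values[f"{table}.{m.group(1)}" if table else m.group(1)] = m.group(2)
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return values, tables
def validate_config(text, exists=os.path.exists):
    """Return problems found (empty list = acceptable); `exists` is injectable for hosts without SGX."""
    values, tables = parse_config(text)
    problems = [f"missing required key: {k}" for k in REQUIRED if k not in values]
    if "log_level" in values and values["log_level"] not in LOG_LEVELS:
        problems.append(f"invalid log_level: {values['log_level']!r}")
    # README rules: signature_method is "server"/"client" (default "server"); [epm] is optional
    # but must name a socket when present; every referenced path must exist on the host.
    if values.get("enclave_runtime.signature_method", "server") not in ("server", "client"):
        problems.append('enclave_runtime.signature_method must be "server" or "client"')
    if "epm" in tables and "epm.socket" not in values:
        problems.append("[epm] section present but epm.socket is not set")
    for key in REQUIRED + ("epm.socket",):
        if key in values and not exists(values[key]):
            problems.append(f"{key} points to a missing path: {values[key]}")
    return problems
```

Run `validate_config(open("/etc/inclavare-containers/config.toml").read())` on the node itself to check the real file with the default filesystem lookup.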

Run HelloWorld in Kubernetes

cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: helloworld-in-tee
  name: helloworld-in-tee
spec:
  runtimeClassName: rune
  containers:
  - command:
    - /bin/hello_world
    env:
    - name: RUNE_CARRIER
      value: occlum
    image: registry.cn-shanghai.aliyuncs.com/larus-test/hello-world:v2
    imagePullPolicy: IfNotPresent
    name: helloworld
    workingDir: /run/rune
EOF