Posted to commits@mesatee.apache.org by ms...@apache.org on 2019/11/24 04:00:04 UTC
[incubator-mesatee] branch master updated: Provide Dockerfiles for
all services and docker-compose.yml to manage services (#90)
This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-mesatee.git
The following commit(s) were added to refs/heads/master by this push:
new fe13855 Provide Dockerfiles for all services and docker-compose.yml to manage services (#90)
fe13855 is described below
commit fe138557a642ec2bef66528e01bb02b75e45dada
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Sat Nov 23 19:59:58 2019 -0800
Provide Dockerfiles for all services and docker-compose.yml to manage services (#90)
---
Dockerfile => docker/Dockerfile.build | 0
docker/Dockerfile.runtime.fns | 23 +++++++
docker/Dockerfile.runtime.kms | 23 +++++++
docker/Dockerfile.runtime.tdfs | 23 +++++++
docker/Dockerfile.runtime.tms | 23 +++++++
docker/config.toml | 68 ++++++++++++++++++++
docker/docker-compose.yml | 116 ++++++++++++++++++++++++++++++++++
7 files changed, 276 insertions(+)
diff --git a/Dockerfile b/docker/Dockerfile.build
similarity index 100%
rename from Dockerfile
rename to docker/Dockerfile.build
diff --git a/docker/Dockerfile.runtime.fns b/docker/Dockerfile.runtime.fns
new file mode 100644
index 0000000..51fad65
--- /dev/null
+++ b/docker/Dockerfile.runtime.fns
@@ -0,0 +1,23 @@
+FROM ubuntu:18.04
+
+ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server"
+ENV LIBSGX_ENCLAVE_COMMON libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
+ENV LIBSGX_ENCLAVE_COMMON_URL "$SGX_DOWNLOAD_URL_BASE/$LIBSGX_ENCLAVE_COMMON"
+
+RUN apt-get update && apt-get install -q -y \
+ lsof \
+ wget \
+ libcurl4-openssl-dev \
+ libprotobuf-dev
+
+RUN wget -O $LIBSGX_ENCLAVE_COMMON "$LIBSGX_ENCLAVE_COMMON_URL" && \
+ mkdir /etc/init && \
+ dpkg -i $LIBSGX_ENCLAVE_COMMON && \
+ rm $LIBSGX_ENCLAVE_COMMON
+
+ADD release/service/fns /mesatee/
+ADD release/service/fns.enclave.signed.so /mesatee/
+ADD release/service/enclave_info.txt /mesatee/
+ADD release/service/auditors /mesatee/auditors
+
+ENTRYPOINT ["/mesatee/fns"]
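Review bot: The `RUN wget -O $LIBSGX_ENCLAVE_COMMON "$LIBSGX_ENCLAVE_COMMON_URL"` step hands the downloaded package straight to `dpkg -i` with no integrity check, so the runtime image's trust in libsgx-enclave-common rests entirely on the TLS session to download.01.org at build time, and a changed file at that URL would be installed silently on the next build. Pin the expected digest and verify it before installing, e.g. `echo "<EXPECTED_SHA256>  $LIBSGX_ENCLAVE_COMMON" | sha256sum -c - && \` inserted before the `dpkg -i` line (placeholder to be replaced with the digest published for libsgx-enclave-common 2.6.100.51363-bionic1). The four `ADD release/service/...` lines copy local build outputs only, so `COPY` states that intent and avoids ADD's archive auto-extraction and remote-URL semantics; and with no `USER` instruction the service process runs as root inside the container, which is worth either changing or documenting. The same points apply verbatim to docker/Dockerfile.runtime.kms, docker/Dockerfile.runtime.tdfs and docker/Dockerfile.runtime.tms in this commit.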
diff --git a/docker/Dockerfile.runtime.kms b/docker/Dockerfile.runtime.kms
new file mode 100644
index 0000000..34a26e5
--- /dev/null
+++ b/docker/Dockerfile.runtime.kms
@@ -0,0 +1,23 @@
+FROM ubuntu:18.04
+
+ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server"
+ENV LIBSGX_ENCLAVE_COMMON libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
+ENV LIBSGX_ENCLAVE_COMMON_URL "$SGX_DOWNLOAD_URL_BASE/$LIBSGX_ENCLAVE_COMMON"
+
+RUN apt-get update && apt-get install -q -y \
+ lsof \
+ wget \
+ libcurl4-openssl-dev \
+ libprotobuf-dev
+
+RUN wget -O $LIBSGX_ENCLAVE_COMMON "$LIBSGX_ENCLAVE_COMMON_URL" && \
+ mkdir /etc/init && \
+ dpkg -i $LIBSGX_ENCLAVE_COMMON && \
+ rm $LIBSGX_ENCLAVE_COMMON
+
+ADD release/service/kms /mesatee/
+ADD release/service/kms.enclave.signed.so /mesatee/
+ADD release/service/enclave_info.txt /mesatee/
+ADD release/service/auditors /mesatee/auditors
+
+ENTRYPOINT ["/mesatee/kms"]
diff --git a/docker/Dockerfile.runtime.tdfs b/docker/Dockerfile.runtime.tdfs
new file mode 100644
index 0000000..f5eda67
--- /dev/null
+++ b/docker/Dockerfile.runtime.tdfs
@@ -0,0 +1,23 @@
+FROM ubuntu:18.04
+
+ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server"
+ENV LIBSGX_ENCLAVE_COMMON libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
+ENV LIBSGX_ENCLAVE_COMMON_URL "$SGX_DOWNLOAD_URL_BASE/$LIBSGX_ENCLAVE_COMMON"
+
+RUN apt-get update && apt-get install -q -y \
+ lsof \
+ wget \
+ libcurl4-openssl-dev \
+ libprotobuf-dev
+
+RUN wget -O $LIBSGX_ENCLAVE_COMMON "$LIBSGX_ENCLAVE_COMMON_URL" && \
+ mkdir /etc/init && \
+ dpkg -i $LIBSGX_ENCLAVE_COMMON && \
+ rm $LIBSGX_ENCLAVE_COMMON
+
+ADD release/service/tdfs /mesatee/
+ADD release/service/tdfs.enclave.signed.so /mesatee/
+ADD release/service/enclave_info.txt /mesatee/
+ADD release/service/auditors /mesatee/auditors
+
+ENTRYPOINT ["/mesatee/tdfs"]
diff --git a/docker/Dockerfile.runtime.tms b/docker/Dockerfile.runtime.tms
new file mode 100644
index 0000000..111757e
--- /dev/null
+++ b/docker/Dockerfile.runtime.tms
@@ -0,0 +1,23 @@
+FROM ubuntu:18.04
+
+ENV SGX_DOWNLOAD_URL_BASE "https://download.01.org/intel-sgx/linux-2.6/ubuntu18.04-server"
+ENV LIBSGX_ENCLAVE_COMMON libsgx-enclave-common_2.6.100.51363-bionic1_amd64.deb
+ENV LIBSGX_ENCLAVE_COMMON_URL "$SGX_DOWNLOAD_URL_BASE/$LIBSGX_ENCLAVE_COMMON"
+
+RUN apt-get update && apt-get install -q -y \
+ lsof \
+ wget \
+ libcurl4-openssl-dev \
+ libprotobuf-dev
+
+RUN wget -O $LIBSGX_ENCLAVE_COMMON "$LIBSGX_ENCLAVE_COMMON_URL" && \
+ mkdir /etc/init && \
+ dpkg -i $LIBSGX_ENCLAVE_COMMON && \
+ rm $LIBSGX_ENCLAVE_COMMON
+
+ADD release/service/tms /mesatee/
+ADD release/service/tms.enclave.signed.so /mesatee/
+ADD release/service/enclave_info.txt /mesatee/
+ADD release/service/auditors /mesatee/auditors
+
+ENTRYPOINT ["/mesatee/tms"]
diff --git a/docker/config.toml b/docker/config.toml
new file mode 100644
index 0000000..2fe4e08
--- /dev/null
+++ b/docker/config.toml
@@ -0,0 +1,68 @@
+# MesaTEE Runtime Configuration
+#
+# Note that this config is loaded at running time. We don't have to trust the
+# content though. Maliciously crafted config from this file will not break data
+# confidentiality/integrity.
+
+# Topology of MesaTEE Services
+
+# ┌───────────────────────────────────────────────────┐
+# │ │FNS API Endpoint
+# │ ▼
+# │ ┌─────────────────────┐
+# │ │Function Node Service│
+# │ TMS Internal ┌────────────────│ (FNS) │─┐
+# │ Endpoint │ └─────────────────────┘ │
+# │ ▼ │ │
+# ┌────────┐ ┌───────────────────────┐ │ │ ┌──────────────────────┐
+# │ User │ │Task Management Service│ ┌────────────┘ │ │Key Management Service│
+# │ │──────▶│ (TMS) │ │ ├─▶│ (KMS) │
+# └────────┘ └───────────────────────┘ │ │ └──────────────────────┘
+# │ TMS API Endpoint │ │ ┌───────────────────┐ │KMS Internal
+# │ │ │ │Trusted Distributed│ │ Endpoint
+# │ └──────────────┴─▶│ File System │──┘
+# │ TDFS Internal│ (TDFS) │
+# │ Endpoint └───────────────────┘
+# │ ▲
+# │ │ TDFS API Endpoint
+# └───────────────────────────────────────────────────┘
+
+# This section configures the MesaTEE API endpoints where a user MUST connect to.
+# `listen_ip` specifies the IPv4/6 address that the service should listen on;
+# `connect_ip` is a required field for FNS only. The user is not required to
+# know this address; instead the user SHOULD expect to get this address from TMS.
+
+# This is a required section.
+[api_endpoints]
+tms = { listen_ip = "0.0.0.0", port = 5554 }
+tdfs = { listen_ip = "0.0.0.0", port = 5065 }
+fns = { listen_ip = "0.0.0.0", connect_ip = "127.0.0.1", port = 3444 }
+
+
+# This section configures the internal endpoints used by MesaTEE services.
+# `listen_ip` specifies the IPv4/6 address that the service should listen on;
+# `connect_ip` specifies the IPv4/6 address that the other services should connect to;
+# A user SHOULD NOT connect to these endpoints.
+# This is a required section.
+[internal_endpoints]
+tms = { listen_ip = "0.0.0.0", connect_ip = "172.18.18.100", port = 5555 }
+tdfs = { listen_ip = "0.0.0.0", connect_ip = "172.18.18.101", port = 5066 }
+kms = { listen_ip = "0.0.0.0", connect_ip = "172.18.18.102", port = 6016 }
+acs = { listen_ip = "0.0.0.0", connect_ip = "172.18.18.103", port = 5077 }
+
+
+# This section configures the IAS API key/spid which are used to connect to
+# Intel® Attestation Service (IAS).
+# This is a required section.
+[ias_client_config]
+spid = { env = "IAS_SPID" }
+key = { env = "IAS_KEY" }
+
+
+# This section configures the auditors.
+# This is a required section.
+[audited_enclave_config]
+enclave_info = { path = "enclave_info.txt" }
+signature_a = { path = "auditors/godzilla/godzilla.sign.sha256" }
+signature_b = { path = "auditors/optimus_prime/optimus_prime.sign.sha256" }
+signature_c = { path = "auditors/albus_dumbledore/albus_dumbledore.sign.sha256" }
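Review bot: `fns = { listen_ip = "0.0.0.0", connect_ip = "127.0.0.1", port = 3444 }` under `[api_endpoints]` gives TMS a loopback address to hand back to users, which per the section comment is the address users are expected to receive; that only works for a client running on the Docker host itself, where docker-compose.yml in this commit publishes `3444:3444`, while any client elsewhere (including another container) would be directed to its own loopback. If host-local clients are the intended deployment, a comment such as `# 127.0.0.1 assumes the client runs on the docker host; use a routable host address otherwise` would save the next reader a debugging session. The `acs` entry in `[internal_endpoints]` names 172.18.18.103, but the docker-compose.yml added alongside defines no service at that address, so it appears to be either dead configuration or a service not yet wired up; a comment saying which would help. Reading the SPID and key from the `IAS_SPID`/`IAS_KEY` environment in `[ias_client_config]` rather than inlining them is the right choice for a file that is committed to the repository.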
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..8b2e99b
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,116 @@
+version: '3.7'
+
+services:
+ mesatee-tms:
+ build:
+ context: ../
+ dockerfile: docker/Dockerfile.runtime.tms
+ ports:
+ - 5554:5554
+ expose:
+ - 5555
+ volumes:
+ - ./config.toml:/mesatee/config.toml
+ - type: bind
+ source: /var/run/aesmd/aesm.socket
+ target: /var/run/aesmd/aesm.socket
+ devices:
+ - /dev/isgx
+ working_dir: /mesatee
+ environment:
+ - IAS_SPID
+ - IAS_KEY
+ - RUST_LOG
+ networks:
+ front:
+ mesatee_net:
+ ipv4_address: 172.18.18.100
+
+ mesatee-tdfs:
+ build:
+ context: ../
+ dockerfile: docker/Dockerfile.runtime.tdfs
+ ports:
+ - 5065:5065
+ expose:
+ - 5066
+ volumes:
+ - ./config.toml:/mesatee/config.toml
+ - type: bind
+ source: /tmp/mesatee_storage
+ target: /tmp/mesatee_storage
+ - type: bind
+ source: /var/run/aesmd/aesm.socket
+ target: /var/run/aesmd/aesm.socket
+ devices:
+ - /dev/isgx
+ working_dir: /mesatee
+ environment:
+ - IAS_SPID
+ - IAS_KEY
+ - RUST_LOG
+ - MESATEE_STORAGE_DIR=/tmp/mesatee_storage
+ networks:
+ front:
+ mesatee_net:
+ ipv4_address: 172.18.18.101
+
+ mesatee-fns:
+ build:
+ context: ../
+ dockerfile: docker/Dockerfile.runtime.fns
+ ports:
+ - 3444:3444
+ volumes:
+ - ./config.toml:/mesatee/config.toml
+ - type: bind
+ source: /tmp/mesatee_storage
+ target: /tmp/mesatee_storage
+ - type: bind
+ source: /var/run/aesmd/aesm.socket
+ target: /var/run/aesmd/aesm.socket
+ devices:
+ - /dev/isgx
+ working_dir: /mesatee
+ environment:
+ - IAS_SPID
+ - IAS_KEY
+ - RUST_LOG
+ - MESATEE_STORAGE_DIR=/tmp/mesatee_storage
+ networks:
+ front:
+ mesatee_net:
+ ipv4_address: 172.18.18.104
+
+ mesatee-kms:
+ build:
+ context: ../
+ dockerfile: docker/Dockerfile.runtime.kms
+ expose:
+ - 6016
+ volumes:
+ - ./config.toml:/mesatee/config.toml
+ - type: bind
+ source: /var/run/aesmd/aesm.socket
+ target: /var/run/aesmd/aesm.socket
+ devices:
+ - /dev/isgx
+ working_dir: /mesatee
+ environment:
+ - IAS_SPID
+ - IAS_KEY
+ - RUST_LOG
+ networks:
+ mesatee_net:
+ ipv4_address: 172.18.18.102
+
+networks:
+ mesatee_net:
+ driver: bridge
+ driver_opts:
+ com.docker.network.enable_ipv6: "false"
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.18.18.0/24
+ front:
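Review bot: `expose:` on mesatee-tms (`- 5555`), mesatee-tdfs (`- 5066`) and mesatee-kms (`- 6016`) restricts nothing — it is metadata for compose — and since the internal endpoints in this commit's config.toml listen on `0.0.0.0`, those ports are reachable from every container on every network the service is attached to; mesatee-tms and mesatee-tdfs are attached to both `front` and `mesatee_net`, so their internal ports are open to anything that joins `front`, not only to mesatee_net peers. If the internal endpoints are meant to be private to mesatee_net, that has to come from the listen address or from a network that only the MesaTEE services join, and a comment on `front:` stating what is expected to attach to it would make the intent explicit. Two smaller points: the host-port mappings `- 5554:5554`, `- 5065:5065` and `- 3444:3444` are safer written quoted (`- "5554:5554"`), since `host:container` strings with short numbers are read as base-60 integers by YAML 1.1 loaders; and the bind mounts of `/tmp/mesatee_storage` share a world-writable host directory between mesatee-tdfs and mesatee-fns, which deserves a comment on whether that location is intended for anything beyond local development.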