You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@teaclave.apache.org by GitBox <gi...@apache.org> on 2021/07/19 20:44:16 UTC
[GitHub] [incubator-teaclave] mssun commented on issue #525: Integration with Graphene
mssun commented on issue #525:
URL: https://github.com/apache/incubator-teaclave/issues/525#issuecomment-882846476
Hi @bigdata-memory, thanks for the proposal.
Teaclave is a FaaS-like platform consisting of multiple services. One can register and invoke functions to the platform through the frontend service. Then, Teaclave will help to do authentication, authorization, task preparation, etc and finally dispatch a task to the *execution service*. Currently, we have three executors for different languages and scenarios. For example, the *builtin* executor only execute functions written in Rust natively, while, the *mesapy* executor can run functions written in Python dynamically.
Therefore, to integrate with Graphene, or any other LibOS kind of system in Teaclave, we need to introduce another kind of executor. Luckly, the execution service in Teaclave are designed as a stateless and isolated service which takes a task, executes it and write back the result. Inputs/Outputs of a functions are defined as function arguments, input/output files stored in protected file system. In our design, we prohibit any untrusted I/O interfaces (e.g., write date to the untrusted file system, networks I/O) in the executor to protecting sensitive data operated by the function.
Above are some background about our design rationals. Here, I list some concepts involved in integrating with Graphene.
- **RPC**: All Teaclave services communicate with each other via trusted channel (i.e., attested TLS). You can find all protocol definitions in Protobuf in this directory: https://github.com/apache/incubator-teaclave/tree/master/services/proto/src/proto. An execution service instance will periodically fetch tasks from the scheduler service and execute it.
- **Attestation**: We do mutual attestation when establishing trusted RPC channel through attested TLS.
- **Executor Runtime**: Providing interfaces to an executor to read/write input/output files stored in the protected file system.
- **`TeaclaveExecutor` Trait**: The `TeaclaveExecutor` trait defines interfaces of a task.
Recently, we added a WebAssembly executor. You can see recents changes to see how to add an executor in Teaclave. Here is a simple document https://teaclave.apache.org/docs/adding-executors/.
The WebAssembly executor is just a reference. For integrating with Graphene (or other LibOS executors), the design may be different. I'm not sure whether to link the LibOS within the execution service or put it as a separate enclave along with the execution service. The later may need additional attestation mechanism.
At last, can you propose a simple design so that we can work on it together? Please let me know if you have any questions regarding to the current Teaclave design. Thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org