Posted to commits@teaclave.apache.org by hs...@apache.org on 2023/04/10 07:26:27 UTC

[incubator-teaclave] 02/03: Add document: Running the execution service in Occlum

This is an automated email from the ASF dual-hosted git repository.

hsun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 1fe837595a0237711e5427afcead5489b9fd779e
Author: GeminiCarrie <sp...@163.com>
AuthorDate: Fri Apr 7 01:54:32 2023 +0000

    Add document: Running the execution service in Occlum
---
 cmake/scripts/build_occlum_instance.sh | 80 ++++++++++++++++++++++++++++++++++
 docs/executing-in-occlum.md            | 72 ++++++++++++++++++++++++++++++
 2 files changed, 152 insertions(+)

diff --git a/cmake/scripts/build_occlum_instance.sh b/cmake/scripts/build_occlum_instance.sh
new file mode 100644
index 00000000..85ff8ca8
--- /dev/null
+++ b/cmake/scripts/build_occlum_instance.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -e
+
+REQUIRED_ENVS=("TEACLAVE_BIN_INSTALL_DIR" "TEACLAVE_SERVICE_INSTALL_DIR" 
+"TEACLAVE_OUT_DIR" "MT_SCRIPT_DIR")
+
+for var in "${REQUIRED_ENVS[@]}"; do
+    [ -z "${!var}" ] && echo "Please set ${var}" && exit -1
+done
+
+function generate_yaml() {
+echo "includes:
+  - base.yaml
+targets:
+  - target: /bin
+    copy:
+      - files:
+        - ${TEACLAVE_BIN_INSTALL_DIR}/teaclave_execution_service_libos
+  - target: /opt/occlum/glibc/lib
+    copy:
+      - files:
+        - /opt/occlum/glibc/lib/libnss_dns.so.2
+        - /opt/occlum/glibc/lib/libnss_files.so.2
+        - /opt/occlum/glibc/lib/libresolv.so.2
+        - /lib/x86_64-linux-gnu/libssl.so.1.1
+        - /lib/x86_64-linux-gnu/libcrypto.so.1.1
+        - /opt/occlum/glibc/lib/librt.so.1
+  - target: /etc
+    copy:
+      - files:
+        - /etc/nsswitch.conf
+  - target: /
+    copy:
+      - files:
+        - ${TEACLAVE_SERVICE_INSTALL_DIR}/enclave_info.toml
+        - ${TEACLAVE_SERVICE_INSTALL_DIR}/runtime.config.toml
+      - dirs:
+        - ${TEACLAVE_SERVICE_INSTALL_DIR}/auditors      
+        
+"  > $TEACLAVE_BIN_INSTALL_DIR/teaclave.yaml
+}
+
+cd ${TEACLAVE_BIN_INSTALL_DIR}
+rm -rf teaclave_instance
+occlum new teaclave_instance && cd teaclave_instance && rm -rf image
+
+new_json="$(jq '.resource_limits.user_space_size = "2GB" |
+              .resource_limits.kernel_space_heap_size = "320MB" |
+              .resource_limits.max_num_of_threads = 700 |
+              .resource_limits.kernel_space_stack_size = "10MB" |
+              .process.default_heap_size ="256MB" |
+              .process.default_mmap_size = "1GB" |
+              .env.untrusted += ["TEACLAVE_LOG"] ' Occlum.json)" && \
+echo "${new_json}" > Occlum.json
+awk '/hostfs/{for(x=NR-2;x<=NR+2;x++)d[x];}{a[NR]=$0}END{for(i=1;i<=NR;i++)if(!(i in d))print a[i]}' Occlum.json > Occlum.json.tmp 
+mv Occlum.json.tmp Occlum.json
+
+generate_yaml
+copy_bom -f ${TEACLAVE_BIN_INSTALL_DIR}/teaclave.yaml --root image --include-dir /opt/occlum/etc/template
+# Required by services
+mkdir -p image/tmp/fusion_data
+occlum build -f
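Review bot: The `awk '/hostfs/...'` line edits Occlum.json purely by position — it deletes the two lines on either side of the first `hostfs` match — so any change in the Occlum template's formatting either corrupts the JSON or, worse, silently leaves the hostfs mount in place, and nothing in the script would notice before `occlum build -f`. If the template keeps its mount list under `.mount` with a `type` field, the removal is better expressed in the jq call already made above it, `del(.mount[] | select(.type == "hostfs"))`, and in any case the outcome should be asserted afterwards with `grep -q hostfs Occlum.json && { echo "hostfs mount still present in Occlum.json" >&2; exit 1; }`. The line also deserves a why-comment, e.g. `# Remove the hostfs mount so the host directory is not visible inside the instance — TODO confirm this is the intent`, since the purpose is only inferable from the pattern. Separately, `exit -1` in the environment check is not a valid exit status (use `exit 1`), and the `${TEACLAVE_BIN_INSTALL_DIR}` expansions in `cd`, the `teaclave.yaml` redirect and the `copy_bom` call are unquoted.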
diff --git a/docs/executing-in-occlum.md b/docs/executing-in-occlum.md
new file mode 100644
index 00000000..788d6d6d
--- /dev/null
+++ b/docs/executing-in-occlum.md
@@ -0,0 +1,72 @@
+---
+permalink: /docs/executing-in-occlum
+---
+
+# Executing builtin-functions in Occlum
+
+The example shows how to run teaclave builtin-functions in Occlum.
+
+## Build 
+
+1. Clone the teaclave project.
+
+```
+git clone https://github.com/apache/incubator-teaclave.git ./teaclave && cd ./teaclave
+```
+
+2. Edit `config/build.config.toml` and add the executable binary as accepted inbound service of scheduler. The following is an example that uses teaclave_execution_service_libos as the name of binary. 
+
+```
+scheduler      = ["teaclave_execution_service", "teaclave_execution_service_libos"]
+```
+> NOTE  
+> The same name should be used in `build.config.toml` and `enclave_info.toml`.
+
+3. Build teaclave project. After building the project, you can find the binary teaclave_execution_service_libos in `${TEACLAVE_BIN_INSTALL_DIR}`. Work at teaclave project source directory.
+
+```bash
+mkdir build && cd build
+cmake ..
+make
+```
+
+4. Build occlum instance. `cmake/scripts/build_occlum_instance.sh` is a demo script to build an instance.
+
+> NOTE  
+> You should edit the attestation information and the advertised_address of scheduler in `runtime.config.toml` required by teaclave_execution_service_libos before building the occlum instance.
+
+
+5. Update enclave_info and auditors for Teaclave platform.
+
+```bash
+sgx_sign dump -enclave ${TEACLAVE_BIN_INSTALL_DIR}/teaclave_instance/build/lib/libocclum-libos.signed.so \
+    -dumpfile ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave.meta.txt
+
+cat ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave.meta.txt | \
+python ${MT_SCRIPT_DIR}/gen_enclave_info_toml.py teaclave_execution_service_libos \
+    > ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave_info.toml
+
+cd ${TEACLAVE_BUILD_ROOT} && make update_sig
+```
+
+## Run
+
+Run teaclave services except teaclave_execution_serice and run teaclave_execution_service_libos on Occlum
+
+```bash
+# Required by teaclave services
+mkdir -p /tmp/fusiont_data 
+cd ${TEACLAVE_SERVICE_INSTALL_DIR} 
+
+# Before running services, you should check the information in runtime.config.toml.
+# For DCAP mode, start the teaclave_dcap_ref_as service first.
+./teaclave_authentication_service &
+./teaclave_storage_service &
+./teaclave_management_service &
+./teaclave_scheduler_service &
+./teaclave_access_control_service &
+./teaclave_frontend_service &
+
+cd $TEACLAVE_BIN_INSTALL_DIR/teaclave_instance && occlum run /bin/teaclave_execution_service_libos
+
+```
\ No newline at end of file

