Posted to notifications@teaclave.apache.org by GitBox <gi...@apache.org> on 2021/09/14 21:38:09 UTC

[GitHub] [incubator-teaclave] bigdata-memory opened a new issue #553: Support containerized Intel Aesmd service

bigdata-memory opened a new issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553


   ### Motivation & problem statement
   As recommended in the [Intel Linux SGX repo](https://github.com/intel/linux-sgx), the aesmd service is to be built and run as a [containerized service](https://github.com/intel/linux-sgx/blob/master/docker/build/build_and_run_aesm_docker.sh#L41). It creates a [named volume](https://github.com/intel/linux-sgx/blob/8abc6dd8cb44e3cef8294c508e77803ffeb8ed12/docker/build/build_and_run_aesm_docker.sh#L36) `aesmd-socket` that should be mounted into the `/var/run/aesmd` folder in the relying container.
   
   However, the docker compose files in Teaclave use the following stanza to mount the host-based aesmd socket:
   ![stanze_aemd_mount](https://user-images.githubusercontent.com/10856796/133334968-9e3bbafd-dab9-45f1-b22b-022e65da92d7.png)
   That causes the following failure when starting with any of the docker compose files:
   ![aesmd_socket_notfound](https://user-images.githubusercontent.com/10856796/133333373-58071e70-52b2-4b36-a932-6d367ae339da.png)
   
   ### Proposed solution
   I propose a solution to address this problem and streamline the usage of Teaclave services coordinated with a containerized aesmd service through docker compose. The solution requires introducing the following changes to the Teaclave docker compose files and associated documents.
   
   - Remove the following configuration from all docker compose files for all services (3 files)
   ```
         - type: bind
           source: /var/run/aesmd/aesm.socket
           target: /var/run/aesmd/aesm.socket
   ```
   1. docker-compose-ubuntu-1804-intel-sgx.yml
   2. docker-compose-ubuntu-1804-isgx.yml
   3. docker-compose-ubuntu-1804.yml
   
   - Add the following override compose files for the host-based aesmd socket bind mount for every service
   1. docker-compose-ubuntu-1804-intel-sgx-with-host-aesmd-socket.yml
   2. docker-compose-ubuntu-1804-isgx-with-host-aesmd-socket.yml
   3. docker-compose-ubuntu-1804-with-host-aesmd-socket.yml
   with the following bind mount configuration
   ```
         - type: bind
           source: /var/run/aesmd/aesm.socket
           target: /var/run/aesmd/aesm.socket
   ```
   - Add the following override compose files for the containerized aesmd socket volume mount for every service
   1. docker-compose-ubuntu-1804-intel-sgx-with-aesmd-socket-volume.yml
   2. docker-compose-ubuntu-1804-isgx-with-aesmd-socket-volume.yml
   3. docker-compose-ubuntu-1804-with-aesmd-socket-volume.yml
   with the following volume mount configuration
   ```
         - aesmd-socket:/var/run/aesmd
   ```
   
   In addition, the README.md should be updated accordingly. Thanks.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@teaclave.apache.org
For additional commands, e-mail: notifications-help@teaclave.apache.org


[GitHub] [incubator-teaclave] mssun commented on issue #553: Support containerized Intel Aesmd service

Posted by GitBox <gi...@apache.org>.
mssun commented on issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-919548754


   Thanks for the proposal. I'm thinking whether we still need to keep the docker-compose files using the host aesmd. If not, we don't have to maintain this many `yml` files for both host aesmd and containerized aesmd.
   
   Also, we need to have a separate docker file for the AESM service only: `aesm-service.ubuntu-1804.Dockerfile`. I saw `linux-sgx/Dockerfile` uses multi-stage builds (https://docs.docker.com/develop/develop-images/multistage-build/) for different targets. I don't think this is suitable for us.




[GitHub] [incubator-teaclave] bigdata-memory commented on issue #553: Support containerized Intel Aesmd service

Posted by GitBox <gi...@apache.org>.
bigdata-memory commented on issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920101869


   @mssun Alternatively, we can ask users to create a bind volume using the following command if they don't use the containerized aesmd service.
   ```
   docker volume create --driver local \
     --opt type=none \
     --opt device=/var/run/aesmd \
     --opt o=bind aesmd-socket
   ```
   
   In addition, a containerized way to use the aesmd service is already provided (https://github.com/intel/linux-sgx/blob/6b8d2d14d0daf8ed421165eb3347e7ee15bbf9d0/docker/build/Dockerfile#L65); the end user could just directly run the script `linux-sgx/docker/build/build_and_run_aesm_docker.sh` (https://github.com/intel/linux-sgx/blob/master/docker/build/build_and_run_aesm_docker.sh#L41) to start the aesmd service, so we can rely on it to serve the SGX related requests from Teaclave. We just need to mount the `aesmd-socket` volume in such a way as to avoid possible conflict with the host aesmd service. Thanks.


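The override compose file the proposal describes, mounting the `aesmd-socket` named volume (whether created by Intel's `build_and_run_aesm_docker.sh` or by the `docker volume create` bind-volume command above), written out as an added example that is not from the issue or the Teaclave repository. The service name `teaclave-example-service` and the compose file `version` are assumptions; one such entry is needed per Teaclave service in the base file.

```yaml
# Added example, e.g. docker-compose-ubuntu-1804-with-aesmd-socket-volume.yml.
# "3.7" is an assumed version; match the base compose file.
version: "3.7"

services:
  # Placeholder name; repeat this block for each service in the base file.
  teaclave-example-service:
    volumes:
      # Mount the whole /var/run/aesmd directory, so the socket created by the
      # aesmd container appears at /var/run/aesmd/aesm.socket inside this one.
      - aesmd-socket:/var/run/aesmd

volumes:
  # The volume already exists outside this compose project (created by Intel's
  # script or by `docker volume create ... aesmd-socket`). `external: true`
  # makes compose use it by that exact name; without it compose would create
  # a fresh, project-prefixed volume (e.g. <project>_aesmd-socket), which is
  # empty and reproduces the "socket not found" failure from the issue.
  aesmd-socket:
    external: true
```

Run it with `docker-compose -f docker-compose-ubuntu-1804.yml -f docker-compose-ubuntu-1804-with-aesmd-socket-volume.yml up`. Compose merges `volumes` entries by container path, so the base file must have dropped the `/var/run/aesmd/aesm.socket` bind mount (as the proposal does); otherwise both mounts would be applied and the host socket bind mount would shadow the volume's socket.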


[GitHub] [incubator-teaclave] mssun commented on issue #553: Support containerized Intel Aesmd service

Posted by GitBox <gi...@apache.org>.
mssun commented on issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920242133


   Yes, thanks for listing the alternatives to start AESM service.
   
   The goal here is to make the process simple and smooth for first-time users so that they can deploy Teaclave with minimal effort. Otherwise, it will introduce more confusion. Of course, we can document different setups for different usage scenarios.
   
   With that being said, a separate dockerfile (`aesm-service.ubuntu-1804.Dockerfile`) and using `docker-compose` to manage all containers should be a good option. What do you think?




[GitHub] [incubator-teaclave] bigdata-memory commented on issue #553: Support containerized Intel Aesmd service

Posted by GitBox <gi...@apache.org>.
bigdata-memory commented on issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920550194


   @mssun Sounds good to me +1, thanks.




[GitHub] [incubator-teaclave] mssun closed issue #553: Support containerized Intel Aesmd service

Posted by GitBox <gi...@apache.org>.
mssun closed issue #553:
URL: https://github.com/apache/incubator-teaclave/issues/553



