This is an automated email from the ASF dual-hosted git repository. hsun pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
commit 1fe837595a0237711e5427afcead5489b9fd779e Author: GeminiCarrie <[email protected]> AuthorDate: Fri Apr 7 01:54:32 2023 +0000 Add document: Running the execution service in Occlum
---
 cmake/scripts/build_occlum_instance.sh | 80 ++++++++++++++++++++++++++++++++++ docs/executing-in-occlum.md | 72 ++++++++++++++++++++++++++++++ 2 files changed, 152 insertions(+)
diff --git a/cmake/scripts/build_occlum_instance.sh b/cmake/scripts/build_occlum_instance.sh
new file mode 100644
index 00000000..85ff8ca8
--- /dev/null
+++ b/cmake/scripts/build_occlum_instance.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -e
+
+REQUIRED_ENVS=("TEACLAVE_BIN_INSTALL_DIR" "TEACLAVE_SERVICE_INSTALL_DIR"
+"TEACLAVE_OUT_DIR" "MT_SCRIPT_DIR")
+
+for var in "${REQUIRED_ENVS[@]}"; do
+ [ -z "${!var}" ] && echo "Please set ${var}" && exit -1
+done
+
+function generate_yaml() {
+echo "includes:
+ - base.yaml
+targets:
+ - target: /bin
+ copy:
+ - files:
+ - ${TEACLAVE_BIN_INSTALL_DIR}/teaclave_execution_service_libos
+ - target: /opt/occlum/glibc/lib
+ copy:
+ - files:
+ - /opt/occlum/glibc/lib/libnss_dns.so.2
+ - /opt/occlum/glibc/lib/libnss_files.so.2
+ - /opt/occlum/glibc/lib/libresolv.so.2
+ - /lib/x86_64-linux-gnu/libssl.so.1.1
+ - /lib/x86_64-linux-gnu/libcrypto.so.1.1
+ - /opt/occlum/glibc/lib/librt.so.1
+ - target: /etc
+ copy:
+ - files:
+ - /etc/nsswitch.conf
+ - target: /
+ copy:
+ - files:
+ - ${TEACLAVE_SERVICE_INSTALL_DIR}/enclave_info.toml
+ - ${TEACLAVE_SERVICE_INSTALL_DIR}/runtime.config.toml
+ - dirs:
+ - ${TEACLAVE_SERVICE_INSTALL_DIR}/auditors
+
+" > $TEACLAVE_BIN_INSTALL_DIR/teaclave.yaml
+}
+
+cd ${TEACLAVE_BIN_INSTALL_DIR}
+rm -rf teaclave_instance
+occlum new teaclave_instance && cd teaclave_instance && rm -rf image
+
+new_json="$(jq '.resource_limits.user_space_size = "2GB" |
+ .resource_limits.kernel_space_heap_size = "320MB" |
+ .resource_limits.max_num_of_threads = 700 |
+ .resource_limits.kernel_space_stack_size = "10MB" |
+ .process.default_heap_size ="256MB" |
+ .process.default_mmap_size = "1GB" |
+ .env.untrusted += ["TEACLAVE_LOG"] ' Occlum.json)" && \
+echo "${new_json}" > Occlum.json
+awk '/hostfs/{for(x=NR-2;x<=NR+2;x++)d[x];}{a[NR]=$0}END{for(i=1;i<=NR;i++)if(!(i in d))print a[i]}' Occlum.json > Occlum.json.tmp
+mv Occlum.json.tmp Occlum.json
+
+generate_yaml
+copy_bom -f ${TEACLAVE_BIN_INSTALL_DIR}/teaclave.yaml --root image --include-dir /opt/occlum/etc/template
+# Required by services
+mkdir -p image/tmp/fusion_data
+occlum build -f
diff --git a/docs/executing-in-occlum.md b/docs/executing-in-occlum.md
new file mode 100644
index 00000000..788d6d6d
--- /dev/null
+++ b/docs/executing-in-occlum.md
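Review bot: The `awk '/hostfs/{...}'` line removes the hostfs entry from Occlum.json by deleting the two lines on either side of any line containing `hostfs`, so it depends on the exact layout of the Occlum template and on no other key containing that string; if the template changes, the mount (presumably the template's hostfs entry, which in Occlum maps a host directory into the LibOS) either survives into the built image or the JSON is silently corrupted, and nothing checks which. Since the script already edits the file with jq, a structural filter is safer, e.g. `jq 'del(.mount[] | select(.type == "hostfs"))' Occlum.json > Occlum.json.tmp`, assuming the template keeps its mounts under a `mount` array with a `type` field (confirm against the Occlum version in use), together with a one-line comment such as `# drop the hostfs mount so the enclave image does not expose host directories`. `cd ${TEACLAVE_BIN_INSTALL_DIR}` and the `> $TEACLAVE_BIN_INSTALL_DIR/teaclave.yaml` redirect are unquoted, and the former is immediately followed by `rm -rf teaclave_instance`, so quote them as `cd "${TEACLAVE_BIN_INSTALL_DIR}"`. `exit -1` is not a valid status in bash (it is reported as 255); `exit 1` is the conventional form.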
@@ -0,0 +1,72 @@
+---
+permalink: /docs/executing-in-occlum
+---
+
+# Executing builtin-functions in Occlum
+
+The example shows how to run teaclave builtin-functions in Occlum.
+
+## Build
+
+1. Clone the teaclave project.
+
+```
+git clone https://github.com/apache/incubator-teaclave.git ./teaclave && cd ./teaclave
+```
+
+2. Edit `config/build.config.toml` and add the executable binary as accepted inbound service of scheduler. The following is an example that uses teaclave_execution_service_libos as the name of binary.
+
+```
+scheduler = ["teaclave_execution_service", "teaclave_execution_service_libos"]
+```
+> NOTE
+> The same name should be used in `build.config.toml` and `enclave_info.toml`.
+
+3. Build teaclave project. After building the project, you can find the binary teaclave_execution_service_libos in `${TEACLAVE_BIN_INSTALL_DIR}`. Work at teaclave project source directory.
+
+```bash
+mkdir build && cd build
+cmake ..
+make
+```
+
+4. Build occlum instance. `cmake/scripts/build_occlum_instance.sh` is a demo script to build an instance.
+
+> NOTE
+> You should edit the attestation information and the advertised_address of scheduler in `runtime.config.toml` required by teaclave_execution_service_libos before building the occlum instance.
+
+
+5. Update enclave_info and auditors for Teaclave platform.
+
+```bash
+sgx_sign dump -enclave ${TEACLAVE_BIN_INSTALL_DIR}/teaclave_instance/build/lib/libocclum-libos.signed.so \
+ -dumpfile ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave.meta.txt
+
+cat ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave.meta.txt | \
+python ${MT_SCRIPT_DIR}/gen_enclave_info_toml.py teaclave_execution_service_libos \
+ > ${TEACLAVE_OUT_DIR}/teaclave_execution_service_libos_enclave_info.toml
+
+cd ${TEACLAVE_BUILD_ROOT} && make update_sig
+```
+
+## Run
+
+Run teaclave services except teaclave_execution_serice and run teaclave_execution_service_libos on Occlum
+
+```bash
+# Required by teaclave services
+mkdir -p /tmp/fusiont_data
+cd ${TEACLAVE_SERVICE_INSTALL_DIR}
+
+# Before running services, you should check the information in runtime.config.toml.
+# For DCAP mode, start the teaclave_dcap_ref_as service first.
+./teaclave_authentication_service &
+./teaclave_storage_service &
+./teaclave_management_service &
+./teaclave_scheduler_service &
+./teaclave_access_control_service &
+./teaclave_frontend_service &
+
+cd $TEACLAVE_BIN_INSTALL_DIR/teaclave_instance && occlum run /bin/teaclave_execution_service_libos
+
+```
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
