Re: [apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
Closed #553 via #559. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/apache/incubator-teaclave/issues/553#event-5412730975
Re: [apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
@mssun Sounds good to me, +1, thanks.

View it on GitHub: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920550194
Re: [apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
Yes, thanks for listing the alternatives to start the AESM service. The goal here is to make the process simple and smooth for first-time users so that they can deploy Teaclave with minimal effort. Otherwise, it will introduce more confusion. Of course, we can document different setups for different usage scenarios. With that being said, a separate Dockerfile (`aesm-service.ubuntu-1804.Dockerfile`) and using `docker-compose` to manage all containers should be a good option. What do you think?

View it on GitHub: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920242133
Re: [apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
@mssun Alternatively, we can ask the user to create a bind volume using the following command if they don't use the containerized aesmd service.

```
docker volume create --driver local \
    --opt type=none \
    --opt device=/var/run/aesmd \
    --opt o=bind aesmd-socket
```

In addition, a containerized way to use the aesmd service is already provided (https://github.com/intel/linux-sgx/blob/6b8d2d14d0daf8ed421165eb3347e7ee15bbf9d0/docker/build/Dockerfile#L65); the end user could just directly run the script `linux-sgx/docker/build/build_and_run_aesm_docker.sh` (https://github.com/intel/linux-sgx/blob/master/docker/build/build_and_run_aesm_docker.sh#L41) to start the aesmd service, so we can rely on it to serve the SGX-related requests from Teaclave. We just need to mount the `aesmd-socket` volume in such a way as to avoid a possible conflict with the host aesmd service. Thanks.

View it on GitHub: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-920101869
Re: [apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
Thanks for the proposal. I'm thinking about whether we still need to keep the docker-compose files using the host aesmd. If not, we don't have to maintain this many `yml` files for both host aesmd and containerized aesmd. Also, we need to have a separate Dockerfile for the AESM service only: `aesm-service.ubuntu-1804.Dockerfile`. I saw `linux-sgx/Dockerfile` uses multi-stage builds (https://docs.docker.com/develop/develop-images/multistage-build/) for different targets. I don't think this is suitable for us.

View it on GitHub: https://github.com/apache/incubator-teaclave/issues/553#issuecomment-919548754
[apache/incubator-teaclave] Support containerized Intel Aesmd service (#553)
### Motivation & problem statement

As recommended in the [Intel Linux SGX repo.](https://github.com/intel/linux-sgx), the aesmd service is to be built and run as a [containerized service](https://github.com/intel/linux-sgx/blob/master/docker/build/build_and_run_aesm_docker.sh#L41). It creates a [named volume](https://github.com/intel/linux-sgx/blob/8abc6dd8cb44e3cef8294c508e77803ffeb8ed12/docker/build/build_and_run_aesm_docker.sh#L36) `aesmd-socket` that should be mounted into the `/var/run/aesmd` folder in the relying container. However, the docker compose files in Teaclave are using the following stanza to mount the host-based aesmd socket:

![stanze_aemd_mount](https://user-images.githubusercontent.com/10856796/14968-9e3bbafd-dab9-45f1-b22b-022e65da92d7.png)

That causes the following failure when starting with any of the docker compose files:

![aesmd_socket_notfound](https://user-images.githubusercontent.com/10856796/13373-58071e70-52b2-4b36-a932-6d367ae339da.png)

### Proposed solution

I propose a solution to address this problem and streamline the usage of Teaclave services coordinated with the containerized aesmd service through docker compose. The solution requires the following changes to the Teaclave docker compose files and associated documents.

- Remove the following configuration from all docker compose files for all services (3 files):

  ```
  - type: bind
    source: /var/run/aesmd/aesm.socket
    target: /var/run/aesmd/aesm.socket
  ```

  1. docker-compose-ubuntu-1804-intel-sgx.yml
  2. docker-compose-ubuntu-1804-isgx.yml
  3. docker-compose-ubuntu-1804.yml

- Add the following override compose files for the host-based aesmd socket bind mount for every service:

  1. docker-compose-ubuntu-1804-intel-sgx-with-host-aesmd-socket.yml
  2. docker-compose-ubuntu-1804-isgx-with-host-aesmd-socket.yml
  3. docker-compose-ubuntu-1804-with-host-aesmd-socket.yml

  with the following bind mount configuration:

  ```
  - type: bind
    source: /var/run/aesmd/aesm.socket
    target: /var/run/aesmd/aesm.socket
  ```

- Add the following override compose files for the containerized aesmd socket volume mount for every service:

  1. docker-compose-ubuntu-1804-intel-sgx-with-aesmd-socket-volume.yml
  2. docker-compose-ubuntu-1804-isgx-with-aesmd-socket-volume.yml
  3. docker-compose-ubuntu-1804-with-aesmd-socket-volume.yml

  ```
  - aesmd-socket:/var/run/aesmd
  ```

In addition, the README.md should be updated accordingly. Thanks.

View it on GitHub: https://github.com/apache/incubator-teaclave/issues/553
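The base-plus-override layering the proposal describes, written out for the isgx variant, as an added example that is not part of the issue or of the Teaclave repository. It also covers the bind-volume alternative from the comment above: the third file consumes the `aesmd-socket` volume whether it was created by `build_and_run_aesm_docker.sh` or by the `docker volume create ... --opt o=bind` command. The service name, image tag and device path are assumptions made for illustration; the three documents are separated by `---` and would live in three files named as in the proposal.

```yaml
# docker-compose-ubuntu-1804-isgx.yml (base file, AESM socket mount removed).
# Service name, image tag and device path are assumed for illustration only.
version: "3"
services:
  teaclave-authentication-service:
    image: teaclave-authentication-service:latest
    devices:
      - /dev/isgx
---
# docker-compose-ubuntu-1804-isgx-with-host-aesmd-socket.yml
# Override for a host-installed aesmd: bind-mount the host's Unix socket file.
# Container start-up fails if /var/run/aesmd/aesm.socket does not exist on the
# host, which is the failure the issue reports when no host aesmd is running.
version: "3"
services:
  teaclave-authentication-service:
    volumes:
      - type: bind
        source: /var/run/aesmd/aesm.socket
        target: /var/run/aesmd/aesm.socket
---
# docker-compose-ubuntu-1804-isgx-with-aesmd-socket-volume.yml
# Override for the containerized aesmd from linux-sgx: mount the named volume
# that build_and_run_aesm_docker.sh (or the bind volume created with
# `docker volume create --driver local --opt type=none --opt o=bind ...`) provides.
version: "3"
services:
  teaclave-authentication-service:
    volumes:
      - aesmd-socket:/var/run/aesmd
volumes:
  aesmd-socket:
    # external: true makes compose use the existing volume named exactly
    # `aesmd-socket` and fail fast if it is missing. Without it, compose would
    # silently create an empty, project-prefixed volume (e.g. teaclave_aesmd-socket)
    # that no aesmd ever writes a socket into, reproducing the "socket not found"
    # failure one layer later.
    external: true
```

Bring a stack up with exactly one override, for example `docker-compose -f docker-compose-ubuntu-1804-isgx.yml -f docker-compose-ubuntu-1804-isgx-with-aesmd-socket-volume.yml up`. Compose merges the per-service `volumes` entries of later files into earlier ones by mount target, so the override adds the AESM mount to the base definition rather than replacing it. Do not stack both overrides: they both mount under `/var/run/aesmd` and the bind mount of the host socket would shadow the volume. Before starting with the volume override, `docker volume inspect aesmd-socket` confirms the volume exists and, for the bind-driver variant, shows `/var/run/aesmd` as its device.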