Substitute ramFS with a temporary SEFS at "/tmp"
parent
b04aa2d7ea
commit
3f6bcec1c5
@ -152,7 +152,10 @@ Occlum can be configured easily via a config file named `Occlum.json`, which is
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/tmp",
|
"target": "/tmp",
|
||||||
"type": "ramfs"
|
"type": "sefs",
|
||||||
|
"options": {
|
||||||
|
"temporary": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
2
deps/sefs
vendored
2
deps/sefs
vendored
@ -1 +1 @@
|
|||||||
Subproject commit fcb81443be49344e26fc1017534f1a6eec397d49
|
Subproject commit f06c02dfc5fa91cb9be7574f1882cdab863673f1
|
@ -54,7 +54,10 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/tmp",
|
"target": "/tmp",
|
||||||
"type": "ramfs"
|
"type": "sefs",
|
||||||
|
"options": {
|
||||||
|
"temporary": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
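Review bot: The `/tmp` entry switches to `"type": "sefs"` without a `"source"`, while the mount code in this commit still returns `EINVAL` with "Source is expected for SEFS" when a SEFS mount has none. The generated configuration later in the commit does add `"source": "$OCCLUM_INSTANCE_DIR/run/mount/tmp"`, so this entry is presumably harmless only if the file is always rewritten before it reaches the library OS. If it can be consumed as is, the mount would fail, and the same applies to the config hunk at `@ -57,7 +57,10 @@`. Adding a `"source"` entry here, or stating in the documentation that the build step fills it in, would remove the ambiguity.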
@ -131,6 +131,7 @@ pub struct ConfigMountOptions {
|
|||||||
pub integrity_only: bool,
|
pub integrity_only: bool,
|
||||||
pub mac: Option<sgx_aes_gcm_128bit_tag_t>,
|
pub mac: Option<sgx_aes_gcm_128bit_tag_t>,
|
||||||
pub layers: Option<Vec<ConfigMount>>,
|
pub layers: Option<Vec<ConfigMount>>,
|
||||||
|
pub temporary: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Config {
|
impl Config {
|
||||||
@ -249,6 +250,7 @@ impl ConfigMountOptions {
|
|||||||
integrity_only,
|
integrity_only,
|
||||||
mac,
|
mac,
|
||||||
layers,
|
layers,
|
||||||
|
temporary: input.temporary,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -385,4 +387,6 @@ struct InputConfigMountOptions {
|
|||||||
pub mac: Option<String>,
|
pub mac: Option<String>,
|
||||||
#[serde(default)]
|
#[serde(default)]
|
||||||
pub layers: Option<Vec<InputConfigMount>>,
|
pub layers: Option<Vec<InputConfigMount>>,
|
||||||
|
#[serde(default)]
|
||||||
|
pub temporary: bool,
|
||||||
}
|
}
|
||||||
|
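Review bot: The new `temporary` field on `ConfigMountOptions` and `InputConfigMountOptions` has no doc comment, and nothing in these hunks restricts it to SEFS mounts. `#[serde(default)]` makes it `false` when omitted, and the mount code in this commit switches from `SEFS::open` to `SEFS::create` when it is `true`, so a comment such as `/// If true, the SEFS is created anew at mount time instead of being opened (defaults to false).` would record the contract. As far as these hunks show, setting it on a non-SEFS mount is accepted and silently ignored; rejecting that combination in the conversion would surface configuration mistakes early. Both struct bodies and the conversion function extend beyond the hunks.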
@ -111,7 +111,8 @@ fn mount_nonroot_fs_according_to(mount_config: &Vec<ConfigMount>, root: &MNode)
|
|||||||
return_errno!(EINVAL, "Source is expected for SEFS");
|
return_errno!(EINVAL, "Source is expected for SEFS");
|
||||||
}
|
}
|
||||||
let source_path = mc.source.as_ref().unwrap();
|
let source_path = mc.source.as_ref().unwrap();
|
||||||
let sefs = {
|
let sefs = if !mc.options.temporary {
|
||||||
|
{
|
||||||
SEFS::open(
|
SEFS::open(
|
||||||
Box::new(SgxStorage::new(source_path, false, None)),
|
Box::new(SgxStorage::new(source_path, false, None)),
|
||||||
&time::OcclumTimeProvider,
|
&time::OcclumTimeProvider,
|
||||||
@ -124,7 +125,14 @@ fn mount_nonroot_fs_according_to(mount_config: &Vec<ConfigMount>, root: &MNode)
|
|||||||
&time::OcclumTimeProvider,
|
&time::OcclumTimeProvider,
|
||||||
&SgxUuidProvider,
|
&SgxUuidProvider,
|
||||||
)
|
)
|
||||||
})?;
|
})?
|
||||||
|
} else {
|
||||||
|
SEFS::create(
|
||||||
|
Box::new(SgxStorage::new(source_path, false, None)),
|
||||||
|
&time::OcclumTimeProvider,
|
||||||
|
&SgxUuidProvider,
|
||||||
|
)?
|
||||||
|
};
|
||||||
mount_fs_at(sefs, &root, target_dirname)?;
|
mount_fs_at(sefs, &root, target_dirname)?;
|
||||||
}
|
}
|
||||||
TYPE_HOSTFS => {
|
TYPE_HOSTFS => {
|
||||||
|
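Review bot: The `temporary` branch passes the configured `source_path` unchanged into `SgxStorage::new` and `SEFS::create`, with no check that the directory is dedicated to this mount. The same commit adds `SgxStorage::clear()`, which removes every entry under the storage path; if `SEFS::create` invokes it (that code is in the updated submodule and not visible here), a `temporary` mount whose `source` is shared with another mount would wipe that data. A comment above the branch, e.g. `// temporary: always create a fresh SEFS; anything already under source_path is discarded`, plus a check that no other mount uses the same `source`, would make this explicit. Unlike ramfs, `/tmp` data now lands in host-side storage, so its existence and update pattern are presumably observable by the host even though the contents go through `SgxStorage`. The enclosing function starts and ends outside these hunks.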
@ -8,6 +8,7 @@ use std::io::{Read, Seek, SeekFrom, Write};
|
|||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
use std::sgxfs::{remove, OpenOptions, SgxFile};
|
use std::sgxfs::{remove, OpenOptions, SgxFile};
|
||||||
use std::sync::{Arc, SgxMutex as Mutex};
|
use std::sync::{Arc, SgxMutex as Mutex};
|
||||||
|
use std::untrusted::fs;
|
||||||
|
|
||||||
pub struct SgxStorage {
|
pub struct SgxStorage {
|
||||||
path: PathBuf,
|
path: PathBuf,
|
||||||
@ -157,6 +158,17 @@ impl Storage for SgxStorage {
|
|||||||
fn is_integrity_only(&self) -> bool {
|
fn is_integrity_only(&self) -> bool {
|
||||||
self.integrity_only
|
self.integrity_only
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn clear(&self) -> DevResult<()> {
|
||||||
|
for child in fs::read_dir(&self.path).expect("faild to read dir") {
|
||||||
|
let child = child.expect("faild to get dir entry");
|
||||||
|
remove(&child.path()).expect("failed to remove SgxFile");
|
||||||
|
}
|
||||||
|
// clear cache
|
||||||
|
let mut caches = self.file_cache.lock().unwrap();
|
||||||
|
caches.clear();
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
|
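Review bot: `clear()` is declared to return `DevResult<()>` but can only return `Ok(())` or panic, because `fs::read_dir`, each directory entry and `remove` all end in `expect`. The listing comes from `std::untrusted::fs`, i.e. from the host, so an unreadable directory, a subdirectory, or any entry that `remove` cannot delete would panic inside the enclave instead of failing the mount. Mapping each failure to the error type behind `DevResult` and propagating it with `?` would leave that decision to the caller. The two new messages also misspell "failed" (`"faild to read dir"`, `"faild to get dir entry"`). Clearing `file_cache` before removing the files rather than after would avoid a window in which cached handles refer to deleted files, if other threads can reach the storage at that point.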
@ -57,7 +57,10 @@
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/tmp",
|
"target": "/tmp",
|
||||||
"type": "ramfs"
|
"type": "sefs",
|
||||||
|
"options": {
|
||||||
|
"temporary": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -236,6 +236,7 @@ cmd_build() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p "$context_dir/run/mount/__ROOT"
|
mkdir -p "$context_dir/run/mount/__ROOT"
|
||||||
|
mkdir -p "$context_dir/run/mount/tmp"
|
||||||
|
|
||||||
ln -s $occlum_dir/build/bin/occlum_exec_client $context_dir/build/bin/occlum_exec_client
|
ln -s $occlum_dir/build/bin/occlum_exec_client $context_dir/build/bin/occlum_exec_client
|
||||||
ln -s $occlum_dir/build/bin/occlum_exec_server $context_dir/build/bin/occlum_exec_server
|
ln -s $occlum_dir/build/bin/occlum_exec_server $context_dir/build/bin/occlum_exec_server
|
||||||
|
@ -44,7 +44,11 @@ cat <<EOF
|
|||||||
},
|
},
|
||||||
{
|
{
|
||||||
"target": "/tmp",
|
"target": "/tmp",
|
||||||
"type": "ramfs"
|
"type": "sefs",
|
||||||
|
"source": "$OCCLUM_INSTANCE_DIR/run/mount/tmp",
|
||||||
|
"options": {
|
||||||
|
"temporary": true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"env": $OCCLUM_CONF_ENV,
|
"env": $OCCLUM_CONF_ENV,
|
||||||
|