Preinstall Occlum in Docker
This commit is contained in:
Tate, Hongliang Tian
parent
ebd3608e4a
commit
6dc9906c8e
51
README.md
51
README.md
@ -10,7 +10,7 @@ Occlum has the following salient features:
|
|||||||
* **Memory safety.** Occlum is the _first_ SGX LibOS written in a memory-safe programming language ([Rust](https://www.rust-lang.org/)). Thus, Occlum is much less likely to contain low-level, memory-safety bugs and more trustworthy to host security-critical applications.
|
* **Memory safety.** Occlum is the _first_ SGX LibOS written in a memory-safe programming language ([Rust](https://www.rust-lang.org/)). Thus, Occlum is much less likely to contain low-level, memory-safety bugs and more trustworthy to host security-critical applications.
|
||||||
* **Ease-of-use.** Occlum provides user-friendly build and command-line tools. Running applications on Occlum inside SGX enclaves can be as simple as only typing several shell commands (see the next section).
|
* **Ease-of-use.** Occlum provides user-friendly build and command-line tools. Running applications on Occlum inside SGX enclaves can be as simple as only typing several shell commands (see the next section).
|
||||||
|
|
||||||
## How to Use?
|
## Introduction
|
||||||
|
|
||||||
### Hello Occlum
|
### Hello Occlum
|
||||||
|
|
||||||
@ -90,51 +90,52 @@ Occlum can be configured easily via a config file named `Occlum.json`, which is
|
|||||||
```
|
```
|
||||||
(Limitation: the `mount` key should not be modified at the moment. We will support the configuration of mount points in future version.)
|
(Limitation: the `mount` key should not be modified at the moment. We will support the configuration of mount points in future version.)
|
||||||
|
|
||||||
## How to Build and Install?
|
## How to Use
|
||||||
|
|
||||||
We have built and tested Occlum on Ubuntu 16.04 with hardware SGX support. We recommend using the Occlum Docker image to set up the development environment. To build and test Occlum with Docker container, follow the steps listed below.
|
We have built and tested Occlum on Ubuntu 16.04 with hardware SGX support. To give Occlum a quick try, one can use the Occlum Docker image by following the steps below:
|
||||||
|
|
||||||
Step 1-4 are to be done on the host OS:
|
Step 1-3 are to be done on the host OS (Linux):
|
||||||
|
|
||||||
1. Install [Intel SGX driver for Linux](https://github.com/intel/linux-sgx-driver), which is required by Intel SGX SDK.
|
1. Install [Intel SGX driver for Linux](https://github.com/intel/linux-sgx-driver), which is required by Intel SGX SDK.
|
||||||
|
|
||||||
2. Install [enable_rdfsbase kernel module](https://github.com/occlum/enable_rdfsbase), which enables Occlum to use `rdfsbase`-family instructions in enclaves.
|
2. Install [enable_rdfsbase kernel module](https://github.com/occlum/enable_rdfsbase), which enables Occlum to use `rdfsbase`-family instructions in enclaves.
|
||||||
|
|
||||||
3. Download the latest source code of Occlum
|
3. Run the Occlum Docker container, which has Occlum and its demos preinstalled:
|
||||||
```
|
```
|
||||||
cd /your/path/to/
|
docker run -it --device /dev/isgx occlum/occlum:0.6.0
|
||||||
git clone https://github.com/occlum/occlum
|
|
||||||
```
|
```
|
||||||
4. Run the Occlum Docker container
|
|
||||||
```
|
|
||||||
docker run -it \
|
|
||||||
--mount type=bind,source=/your/path/to/occlum,target=/root/occlum \
|
|
||||||
--device /dev/isgx \
|
|
||||||
occlum/occlum:0.5.0
|
|
||||||
```
|
|
||||||
Step 5-9 are to be done on the guest OS running inside the container:
|
|
||||||
|
|
||||||
5. (Optional) Try the sample code of Intel SGX SDK
|
Step 4-5 are to be done on the guest OS running inside the Docker container:
|
||||||
|
|
||||||
|
4. (Optional) Try the sample code of Intel SGX SDK to make sure that SGX is working
|
||||||
```
|
```
|
||||||
cd /opt/intel/sgxsdk/SampleCode/SampleEnclave && make && ./app
|
cd /opt/intel/sgxsdk/SampleCode/SampleEnclave && make && ./app
|
||||||
```
|
```
|
||||||
6. Prepare the submodules required by Occlum LiboS
|
5. Check out Occlum's demos preinstalled at `/root/occlum/demos`, whose README can be found [here](demo/README.md). Or you can try to build and run your own SGX-protected applications using Occlum like these demos.
|
||||||
|
|
||||||
|
## How to Build and Install
|
||||||
|
|
||||||
|
To build Occlum from the latest source code, do the following steps in an Occlum Docker container (which can be prepared as shown in the last section):
|
||||||
|
|
||||||
|
1. Download the latest source code of Occlum
|
||||||
```
|
```
|
||||||
cd /root/occlum/ && make submodule
|
mkdir occlum && cd occlum
|
||||||
|
git clone https://github.com/occlum/occlum .
|
||||||
```
|
```
|
||||||
7. Compile and test Occlum LibOS
|
2. Prepare the submodules required by Occlum
|
||||||
```
|
```
|
||||||
cd /root/occlum && make && make test
|
make submodule
|
||||||
```
|
```
|
||||||
8. Install Occlum LibOS
|
3. Compile and test Occlum
|
||||||
```
|
```
|
||||||
cd /root/occlum && sudo make install
|
make
|
||||||
|
make test
|
||||||
```
|
```
|
||||||
which will install the occlum command-line tool.
|
4. Install Occlum
|
||||||
9. Try the Hello World sample project
|
|
||||||
```
|
```
|
||||||
cd /root/occlum/demo/hello_world && make test
|
make install
|
||||||
```
|
```
|
||||||
|
which will install the `occlum` command-line tool and other files at `/opt/occlum`.
|
||||||
|
|
||||||
The Occlum Dockerfile can be found at [here](tools/docker/Dockerfile). Use it to build the container directly or read it to see the dependencies of Occlum.
|
The Occlum Dockerfile can be found at [here](tools/docker/Dockerfile). Use it to build the container directly or read it to see the dependencies of Occlum.
|
||||||
|
|
||||||
|
|||||||
@ -43,7 +43,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
|||||||
apt-get clean && \
|
apt-get clean && \
|
||||||
rm -rf /var/lib/apt/lists/*
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Install depend cpuid test tool
|
# Install cpuid tool for tests
|
||||||
WORKDIR /tmp
|
WORKDIR /tmp
|
||||||
RUN wget http://www.etallen.com/cpuid/cpuid-20180519.x86_64.tar.gz && \
|
RUN wget http://www.etallen.com/cpuid/cpuid-20180519.x86_64.tar.gz && \
|
||||||
tar -xf ./cpuid-20180519.x86_64.tar.gz && \
|
tar -xf ./cpuid-20180519.x86_64.tar.gz && \
|
||||||
@ -72,6 +72,16 @@ WORKDIR /tmp/gcc
|
|||||||
RUN ./build.sh
|
RUN ./build.sh
|
||||||
ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
|
ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
|
||||||
|
|
||||||
|
# Install the latest version of Occlum
|
||||||
|
WORKDIR /root
|
||||||
|
RUN git clone https://github.com/occlum/occlum && \
|
||||||
|
cd occlum && \
|
||||||
|
make submodule && \
|
||||||
|
make RELEASE=1 && \
|
||||||
|
make install && \
|
||||||
|
cp -r demos /root/demos && \
|
||||||
|
rm -rf /root/occlum
|
||||||
|
|
||||||
# Start AESM service automatically
|
# Start AESM service automatically
|
||||||
#
|
#
|
||||||
# To do so, we add the script to ~/.bashrc. We cannot use systemd to run AESM
|
# To do so, we add the script to ~/.bashrc. We cannot use systemd to run AESM
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user