occlum/docs/rune_quick_start.md
2020-05-15 11:32:44 +00:00

# Quick Start: rune on Occlum

Rune is a set of tools for running trusted applications in containers using hardware-assisted enclave technology (Intel SGX in this guide).

## Hardware requirements

The steps below assume an Intel SGX-capable host with the Intel SGX driver loaded (the Occlum SDK container is started with `--device /dev/isgx`) and the SGX runtime libraries (`libsgx_*`) installed under `/usr/lib64`, from where they are copied into the application image.

## Build and install rune

rune is a CLI tool for spawning and running enclaves in containers according to the OCI specification.

Please refer to this guide to build rune from scratch.


## Build Occlum application bundle

### Download Occlum sdk image

On the host (CentOS), install libseccomp, create a work directory that will be shared with the container, and start the Occlum SDK container with the SGX device passed through:

```shell
yum install -y libseccomp-devel
mkdir "$HOME/rune_workdir"
docker pull occlum/occlum:0.12.0-centos7.2
docker run -it --device /dev/isgx \
  -v "$HOME/rune_workdir":/root/rune_workdir \
  occlum/occlum:0.12.0-centos7.2
```

Inside the container you can then build the hello world demo program, or your own application, with the Occlum toolchain of the CentOS SDK image.

This guide can help you create your first Occlum build.

### Prepare the materials

After your Occlum build, execute the following commands in the Occlum SDK container. They copy the Occlum instance directory (`.occlum`) and the untrusted, host-side libraries that the Occlum PAL depends on into the shared work directory:

```shell
cp -a .occlum /root/rune_workdir
cd /root/rune_workdir
mkdir lib
cp /usr/lib64/libseccomp.so.2 lib
cp /usr/lib64/libprotobuf.so.8 lib
cp /usr/lib64/libsgx_u*.so* lib
cp /usr/lib64/libsgx_enclave_common.so.1 lib
cp /usr/lib64/libsgx_launch.so.1 lib
```

### Build occlum application image

Back on the host, build the Occlum application image from the `$HOME/rune_workdir` directory.

Type the following commands to create a Dockerfile:

```shell
cat >Dockerfile <<EOF
FROM centos:7.2.1511

RUN mkdir -p /run/rune/.occlum
WORKDIR /run/rune

# untrusted libraries collected from the SDK container, and the Occlum instance
COPY lib /lib
COPY .occlum .occlum

# the enclave runtime (PAL) that rune loads; config.json refers to this path
RUN ln -sfn .occlum/build/lib/libocclum-pal.so liberpal-occlum.so
RUN ldconfig

ENTRYPOINT ["/bin/hello_world"]
EOF
```

and then build it with the command:

```shell
docker build . -t occlum-app
```

### Create bundle

In order to use rune you must have your container in the format of an OCI bundle. If you have Docker installed you can use its export method to acquire a root filesystem from an existing Docker container.

```shell
# create the top-most bundle directory
cd "$HOME/rune_workdir"
mkdir rune-container
cd rune-container

# create the rootfs directory
mkdir rootfs

# export occlum-app via Docker into the rootfs directory
docker export $(docker create occlum-app) | sudo tar -C rootfs -xvf -
```

After the root filesystem is populated, generate a spec in the format of a config.json file inside your bundle. rune provides a spec command, similar to runc's, which generates a template file that you can then edit:

```shell
rune spec
```

To find features and documentation for the fields in the spec, please refer to the OCI runtime specification repository.

In order to run the hello world demo program in Occlum with rune, change the entrypoint in `config.json` from the default `sh` to `/bin/hello_world`. Note that this path is interpreted inside the Occlum libOS (it is the path you gave to `occlum run` in the SDK container), not in the container's root filesystem:

```json
  "process": {
      "args": [
          "/bin/hello_world"
      ]
  }
```

Keep the other `process` fields as generated, and then configure the enclave runtime with the following annotations. `enclave.runtime.path` is the PAL symlink created by the Dockerfile, and `enclave.runtime.args` names the Occlum instance directory that the Dockerfile placed beside it under `/run/rune`:

```json
  "annotations": {
      "enclave.type": "intelSgx",
      "enclave.runtime.path": "/run/rune/liberpal-occlum.so",
      "enclave.runtime.args": ".occlum"
  }
```
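
Editing `config.json` by hand is easy to get wrong, and a typo in `enclave.runtime.path`, a `.occlum` directory that was never copied, or an entrypoint that is not in the Occlum image only shows up as a failure at `rune run`. The Python script below is an added example, not code from rune or Occlum: `patch_spec()` applies the two edits above to the spec generated by `rune spec` without touching the other generated fields, and `check_bundle()` then verifies inside `rootfs` that the runtime library exists (the `liberpal-occlum.so` symlink is resolved relative to `rootfs`, not the host, so a dangling link is reported), that the instance directory named by `enclave.runtime.args` sits beside it, and that the entrypoint exists in the Occlum image. Two layout assumptions are taken from the quick start rather than from rune: the instance directory lives next to the runtime library under `/run/rune` as the Dockerfile places it, and the instance keeps its image tree under `.occlum/image/` as `occlum init` lays it out. `demo()` runs the checks on a constructed skeleton bundle with placeholder files instead of a real Occlum build.

```python
#!/usr/bin/env python3
"""Patch a `rune spec` config.json for an Occlum bundle and check the bundle layout."""
import json
import os
import sys
import tempfile
from pathlib import Path

ENTRYPOINT = "/bin/hello_world"  # values from the quick start above
ENCLAVE_ANNOTATIONS = {
    "enclave.type": "intelSgx",
    "enclave.runtime.path": "/run/rune/liberpal-occlum.so",
    "enclave.runtime.args": ".occlum",
}


def patch_spec(spec, entrypoint=ENTRYPOINT, annotations=ENCLAVE_ANNOTATIONS):
    """Copy of spec with process.args replaced and the enclave annotations merged
    in; every other field generated by `rune spec` (cwd, env, ...) is kept."""
    patched = json.loads(json.dumps(spec))  # deep copy; the input is untouched
    patched.setdefault("process", {})["args"] = [entrypoint]
    patched.setdefault("annotations", {}).update(annotations)
    return patched


def check_bundle(bundle, spec):
    """List of problems found in the bundle; an empty list means it looks sane."""
    rootfs = Path(bundle) / spec.get("root", {}).get("path", "rootfs")
    if not rootfs.is_dir():
        return ["rootfs missing: %s" % rootfs]
    problems = []
    ann = spec.get("annotations", {})
    if ann.get("enclave.type") != "intelSgx":
        problems.append("enclave.type is not intelSgx")
    runtime, inst = ann.get("enclave.runtime.path"), ann.get("enclave.runtime.args")
    if not runtime or not inst:
        problems.append("enclave.runtime.path / enclave.runtime.args not set")
        return problems

    pal = rootfs / runtime.lstrip("/")  # container-absolute path -> host-side rootfs
    if pal.is_symlink():
        # The Dockerfile makes liberpal-occlum.so a relative symlink; resolve it
        # inside rootfs rather than on the host so a dangling link is caught.
        link = os.readlink(pal)
        target = rootfs / link.lstrip("/") if link.startswith("/") else pal.parent / link
        if not target.is_file():
            problems.append("%s is a dangling symlink -> %s" % (runtime, link))
    elif not pal.is_file():
        problems.append("enclave runtime not in rootfs: %s" % runtime)

    # Assumption taken from the Dockerfile layout: the Occlum instance directory
    # named by enclave.runtime.args sits beside the runtime library (/run/rune).
    instance = pal.parent / inst
    if not instance.is_dir():
        problems.append("Occlum instance dir not found: %s" % instance)
        return problems

    # The entrypoint is a path inside the Occlum libOS, not in the container rootfs.
    # Assumption: the instance keeps its image tree under image/ as `occlum init` lays it out.
    args = spec.get("process", {}).get("args") or []
    if not args:
        problems.append("process.args is empty")
    elif not (instance / "image" / args[0].lstrip("/")).is_file():
        problems.append("entrypoint not in Occlum image: %s" % args[0])
    return problems


def demo():
    """Run the helpers on a constructed skeleton bundle (placeholder files, no real
    Occlum build) and return the results."""
    bundle = Path(tempfile.mkdtemp(prefix="rune-demo-"))
    occlum = bundle / "rootfs/run/rune/.occlum"
    for d in (occlum / "image/bin", occlum / "build/lib"):
        d.mkdir(parents=True)
    (occlum / "image/bin/hello_world").write_bytes(b"\x7fELF")  # placeholder, not a real binary
    (occlum / "build/lib/libocclum-pal.so").write_bytes(b"\x7fELF")  # placeholder
    (occlum.parent / "liberpal-occlum.so").symlink_to(".occlum/build/lib/libocclum-pal.so")
    default_spec = {"process": {"args": ["sh"], "cwd": "/"}, "root": {"path": "rootfs"}}
    patched = patch_spec(default_spec)
    results = {"patched": patched,
               "default_problems": check_bundle(bundle, default_spec),
               "patched_problems": check_bundle(bundle, patched),
               "bad_entrypoint_problems": check_bundle(bundle, patch_spec(default_spec, "/bin/missing"))}
    (occlum / "build/lib/libocclum-pal.so").unlink()  # simulate a missing Occlum build
    results["dangling_problems"] = check_bundle(bundle, patched)
    return results


if __name__ == "__main__":
    # Usage: patch_spec.py <bundle-dir>; rewrites <bundle-dir>/config.json in place.
    bundle = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    cfg = bundle / "config.json"
    spec = patch_spec(json.loads(cfg.read_text()))
    cfg.write_text(json.dumps(spec, indent=4) + "\n")
    for problem in check_bundle(bundle, spec):
        print("problem:", problem)
```

Saved as, say, `patch_spec.py` (a hypothetical file name), run `python3 patch_spec.py "$HOME/rune_workdir/rune-container"` right after `rune spec`; it rewrites `config.json` in place and prints any problem it finds before you reach `rune run`.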

## Run Occlum application

Assuming you have an OCI bundle from the previous step, you can execute the container this way. As with runc, the bundle is taken from the current directory and the last argument is the container ID:

```shell
cd "$HOME/rune_workdir/rune-container"
sudo rune run rune-container
```