
Auto-mount documentation issues #1331

Open
jxyang opened this issue May 18, 2022 · 4 comments
Labels: area/kernel (Area: Kernel), severity/moderate (Severity: Moderate), status/triaged (Status: Triaged)

Comments

jxyang (Contributor) commented May 18, 2022

  1. The target directory inside the enclave has to be explicitly created within appdir
  2. The target directory cannot be on tmpfs or ramfs such as /var/run
jupacaza commented May 23, 2022

To support this issue, here is an example Dockerfile from my team that works around it by doing a mkdir for the mount paths and avoiding /var/* as the destination folder for the mount:

```dockerfile
FROM mystikos.azurecr.io/mystikos-bionic:v0.8.0 AS build

WORKDIR /home
RUN apt-get update && apt-get install -y cryptsetup-bin

COPY tokenservice.tar ./
COPY config.tokenservice.json config.json

# The following commands imitate what myst-appbuilder does, but without the need of having docker installed.
RUN mkdir -p appdir-tokenservice/tmp && \
    tar xvf tokenservice.tar -C appdir-tokenservice/tmp && \
    find appdir-tokenservice/tmp -name layer.tar -exec sh -c 'tar xvf {} -C appdir-tokenservice' \;
RUN rm -rf appdir-tokenservice/tmp

# Create folder for mounts (the enclave-side target of each --mount below must
# already exist in appdir, and must not be under /var/*)
RUN mkdir -p appdir-tokenservice/mnt/secrets
RUN mkdir -p appdir-tokenservice/mnt/mdsd

RUN myst mkext2 appdir-tokenservice rootfs

RUN myst fssig --roothash rootfs > roothash

RUN openssl genrsa -out private.pem -3 3072

RUN myst package-sgx --roothash=roothash private.pem config.json

FROM mystikos.azurecr.io/mystikos-bionic:v0.8.0 AS final
WORKDIR /home
COPY --from=build /home/myst/bin/dotnet /home/myst/bin/dotnet
COPY --from=build /home/rootfs /home/rootfs
ENV MYST_ROOTFS_PATH=/home/rootfs

# Mount targets are the directories created in appdir above
CMD [ "/home/myst/bin/dotnet", "--mount", "/mnt/secrets=/mnt/secrets", \
"--mount", "/mnt/mdsd=/mnt/mdsd", \
"--host-to-enc-uid-map", "0:0", \
"--host-to-enc-gid-map", "0:0,106:106" ]
```

My opinion:

  • I think for problem number 1 the fix should be that when the app inside the enclave gets executed it should create the directory if it doesn't exist, i.e. create the directory at execution time.

paulcallen added the labels status/triaged (Status: Triaged), area/kernel (Area: Kernel), severity/moderate (Severity: Moderate) on Jun 13, 2022
paulcallen (Member) commented:

We should output an error if the target directory is not present.
We should also look at what the order of mounting is in relation to starting up the various filesystems, to see if we can accommodate mounting things like /var/run.

asvrada (Collaborator) commented Jun 16, 2022

Currently, we have updated the documentation regarding the mount feature (91d59fa from #1307) to reflect the fact that the target directory has to exist inside the TEE.

The next step would be to create the directories used as mount points if they do not exist.
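The two rules from the issue description (the enclave-side target must already exist in appdir, and it must not sit on a tmpfs/ramfs path such as /var/run) can be enforced at build time, before `myst mkext2`, rather than discovered at run time. The script below is an added example, not Mystikos code and not from anyone in this thread: `check_mount_target` reports a violation the way paulcallen suggests, and `prepare_mount_target` creates a missing non-tmpfs target the way asvrada's next step proposes, which replaces the hand-written `mkdir -p` lines in jupacaza's Dockerfile. It assumes each spec has the form HOST=ENCLAVE (the form the `--mount` arguments above use), and `TMPFS_PREFIXES` is my own list, seeded only with /var/run from the issue text.

```shell
#!/bin/sh
# Added example, not Mystikos project code. Pre-flight check of Mystikos
# --mount targets against appdir, intended to run before `myst mkext2`.
# Assumptions:
#   - each spec is HOST=ENCLAVE (the form used in the Dockerfile above)
#   - TMPFS_PREFIXES lists enclave paths that live on tmpfs/ramfs; /var/run is
#     the one named in the issue, anything you add beyond it is your own call
TMPFS_PREFIXES="/var/run"

# is_tmpfs_path ENCLAVE_PATH: 0 if the path is at or under a tmpfs prefix, else 1
is_tmpfs_path() {
    for prefix in $TMPFS_PREFIXES; do
        case "$1" in
            "$prefix"|"$prefix"/*) return 0 ;;
        esac
    done
    return 1
}

# check_mount_target APPDIR SPEC
# Return codes: 0 ok, 2 target directory missing in appdir,
#               3 target on a tmpfs/ramfs path, 4 malformed spec
check_mount_target() {
    appdir="$1"
    spec="$2"
    case "$spec" in
        ?*=/*) ;;   # need a non-empty host side and an absolute enclave path
        *) echo "malformed mount spec (want HOST=/abs/enclave/path): $spec" >&2
           return 4 ;;
    esac
    enc="${spec#*=}"
    if is_tmpfs_path "$enc"; then
        echo "refusing $spec: $enc is on a tmpfs/ramfs path inside the enclave" >&2
        return 3
    fi
    if [ ! -d "$appdir$enc" ]; then
        echo "missing mount point $appdir$enc (create it in appdir before myst mkext2)" >&2
        return 2
    fi
    return 0
}

# prepare_mount_target APPDIR SPEC: same checks, but a missing (non-tmpfs)
# target directory is created instead of reported, i.e. the "create it if it
# doesn't exist" behaviour discussed in the thread, applied at build time.
prepare_mount_target() {
    rc=0
    check_mount_target "$1" "$2" 2>/dev/null || rc=$?
    if [ "$rc" -eq 2 ]; then
        mkdir -p "$1${2#*=}" && return 0
        return 2
    fi
    return "$rc"
}

# Usage: sh check_mounts.sh APPDIR HOST=ENCLAVE [HOST=ENCLAVE ...]
# Reports every bad spec and exits non-zero if any of them failed.
if [ "$#" -ge 2 ]; then
    dir="$1"; shift
    status=0
    for spec in "$@"; do
        check_mount_target "$dir" "$spec" || status=1
    done
    exit "$status"
fi
```

In the Dockerfile above this would replace the two `mkdir -p appdir-tokenservice/mnt/...` lines with a single `RUN sh check_mounts.sh appdir-tokenservice /mnt/secrets=/mnt/secrets /mnt/mdsd=/mnt/mdsd` placed just before `RUN myst mkext2`, so a target that is missing or that points under /var/run fails the image build instead of the enclave start. Checking the tmpfs rule before the existence rule is deliberate: creating a directory under a path that will be shadowed by tmpfs at run time would only hide the problem.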

asvrada (Collaborator) commented Jun 28, 2022

#1378
