
Auto-mount documentation issues

Open jxyang opened this issue 2 years ago • 4 comments

  1. The target directory inside the enclave has to be explicitly created within appdir
  2. The target directory cannot be on tmpfs or ramfs such as /var/run

jxyang avatar May 18 '22 18:05 jxyang

To support this issue, here is an example Dockerfile from my team that works around this issue by doing mkdir for the mount paths and avoiding /var/* as the destination folder for the mount:

FROM mystikos.azurecr.io/mystikos-bionic:v0.8.0 AS build

WORKDIR /home
RUN apt-get update && apt-get install -y cryptsetup-bin

COPY tokenservice.tar ./
COPY config.tokenservice.json config.json

# The following commands imitate what myst-appbuilder does, but without the need of having docker installed.
RUN mkdir -p appdir-tokenservice/tmp && \
    tar xvf tokenservice.tar -C appdir-tokenservice/tmp && \
    find appdir-tokenservice/tmp -name layer.tar -exec sh -c 'tar xvf {} -C appdir-tokenservice' \;
RUN rm -rf appdir-tokenservice/tmp

# Create folder for mounts
RUN mkdir -p appdir-tokenservice/mnt/secrets
RUN mkdir -p appdir-tokenservice/mnt/mdsd

RUN myst mkext2 appdir-tokenservice rootfs

RUN myst fssig --roothash rootfs > roothash

RUN openssl genrsa -out private.pem -3 3072

RUN myst package-sgx --roothash=roothash private.pem config.json

FROM mystikos.azurecr.io/mystikos-bionic:v0.8.0 AS final
WORKDIR /home
COPY --from=build /home/myst/bin/dotnet /home/myst/bin/dotnet
COPY --from=build /home/rootfs /home/rootfs
ENV MYST_ROOTFS_PATH=/home/rootfs

CMD [ "/home/myst/bin/dotnet", "--mount", "/mnt/secrets=/mnt/secrets", \
"--mount", "/mnt/mdsd=/mnt/mdsd", \
"--host-to-enc-uid-map", "0:0", \
"--host-to-enc-gid-map", "0:0,106:106" ]

My opinion:

  • I think for problem number 1 the fix should be that when the app inside the enclave gets executed it should create the directory if it doesn't exist, i.e. create the directory at execution time.

jupacaza avatar May 23 '22 23:05 jupacaza
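The Dockerfile above works around the two constraints by hand. As an added example (not part of this issue or of the Mystikos project), the following POSIX shell pre-flight check takes the same `host=enclave` specs that `--mount` takes and verifies, before `myst mkext2` runs, that every enclave-side target already exists under the appdir and does not sit under a ramfs path. The list of ramfs-backed prefixes (`MYST_RAMFS_PREFIXES`) is an assumption seeded only with `/var/run` from this thread; extend it for your image.

```shell
#!/bin/sh
# Pre-flight check for Mystikos --mount targets (added example, not project code).
# Each spec has the form host_path=enclave_path. Constraints from this issue:
#   1. enclave_path must already exist as a directory inside the appdir
#   2. enclave_path must not live on tmpfs/ramfs (e.g. /var/run)
# Enclave-side prefixes treated as ramfs. ASSUMPTION: only /var/run is known
# from the issue; override via the environment for other layouts.
MYST_RAMFS_PREFIXES=${MYST_RAMFS_PREFIXES:-/var/run}

# check_mount_target APPDIR SPEC
# returns 0 ok, 1 target missing in appdir, 2 target on ramfs, 3 malformed spec
check_mount_target() {
    appdir=$1
    spec=$2
    case "$spec" in
        *=*) ;;
        *) echo "malformed mount spec (expected host=enclave): $spec" >&2; return 3 ;;
    esac
    enc_path=${spec#*=}
    case "$enc_path" in
        /*) ;;
        *) echo "enclave path must be absolute: $enc_path" >&2; return 3 ;;
    esac
    for prefix in $MYST_RAMFS_PREFIXES; do
        case "$enc_path" in
            "$prefix"|"$prefix"/*)
                echo "target $enc_path is under ramfs prefix $prefix; not mountable" >&2
                return 2 ;;
        esac
    done
    if [ ! -d "$appdir$enc_path" ]; then
        echo "target $enc_path missing in $appdir; add 'RUN mkdir -p $appdir$enc_path' before myst mkext2" >&2
        return 1
    fi
    return 0
}

# check_all_mounts APPDIR SPEC... : checks every spec, returns 1 if any fails
check_all_mounts() {
    appdir=$1; shift
    rc=0
    for spec in "$@"; do
        check_mount_target "$appdir" "$spec" || rc=1
    done
    return $rc
}

# Usage: sh check_mounts.sh appdir-tokenservice /mnt/secrets=/mnt/secrets /mnt/mdsd=/mnt/mdsd
if [ "$#" -gt 0 ]; then check_all_mounts "$@"; fi
```

Run it in the build stage right before `RUN myst mkext2` so a missing `mkdir -p` fails the image build instead of the enclave at start-up.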

We should output an error if the target directory is not present. We should also look at what the order of mounting is in relation to starting up the various filesystems, to see if we can accommodate mounting things like /var/run.

paulcallen avatar Jun 13 '22 20:06 paulcallen

Currently, we have updated the documentation regarding the mount feature (https://github.com/deislabs/mystikos/commit/91d59fac150c49a38d8a44237c7646bfbaec779c from #1307) to reflect the fact that the target directory has to exist inside the TEE.

The next step would be to create the directories used as mount points if they do not exist.

asvrada avatar Jun 16 '22 23:06 asvrada

https://github.com/deislabs/mystikos/pull/1378

asvrada avatar Jun 28 '22 16:06 asvrada