Comments (15)
- provision a server in public cloud
- setup Jenkins
- setup enclave-cc dependencies
- integrate with github actions as runner and prepare basic scripts
- run e2e case
- run operator CI case
from enclave-cc.
operator is one item we definitely should take care of, but we need also let developers have a 'quick' integration path without Kubernets precondition for component test
from enclave-cc.
I'll follow the CI pipeline PR (confidential-containers/operator#133) discussed in the slack channel about monitoring the enclave-cc operator CI state and future extension work.
from enclave-cc.
@stevenhorsman is this issue still relevant or can be closed?
If it's still relevant to what release do you think we should map it to (mid-November, end-December, mid-February etc...)?
from enclave-cc.
I believe this is still relevant. It's up to the enclave-cc team as to when they plan to do it, I don't have any input.
from enclave-cc.
I believe this is still relevant. It's up to the enclave-cc team as to when they plan to do it, I don't have any input.
It's relevant and important. I've proposed it to be part of CC-V0.2.0
Drop.
from enclave-cc.
Cool, I've changed the priority to high since you feel it's important :-).
from enclave-cc.
@hairongchen-intel what are the "enclave-cc dependencies"?
from enclave-cc.
@hairongchen-intel what are the "enclave-cc dependencies"?
everything necessary to ensure we can run a component level cases in a host, like the SGX lib, runc/rune, Occlum, containerd/k8s etc.
from enclave-cc.
We should be testing using the operator so the only pre-condition is "kubernetes cluster" and that's not enclave-cc specific
from enclave-cc.
fine but we should not have occlum/rune/sgxsdk pre-installed
from enclave-cc.
For CI pipeline, a simple flowchart is shown below:
build CI payload image -> run CI test cases -> tag release payload image
Some cases are defined for running CI test:
- [runtime]
- Install enclave-cc runtime
- Uninstall enclave-cc runtime
- [feature]
- [positive sample] Pull an unencrypted signed image (eaa + verdictd + cosign)
- [positive sample] Pull an encrypted unsigned image (eaa + verdictd)
- [positive sample] Pull an encrypted signed image (eaa + verdictd + cosign)
- [negative sample] Unencrypted signed image with unknown signature is rejected
- [negative sample] Encrypted unsigned image with wrong key is rejected
- [workload]
- Deploy a hello-world workload with encrypted signed image
- Remove hello-world workload
from enclave-cc.
Some cases are defined for running CI test:
@huliucheng1 thanks, I think this is a good set of cases. do you have any plans where to maintain/publish these test images (e.g., are they being built before the tests or are they something we get to share with Kata-CI)?
from enclave-cc.
making sure using same set of testing images and testing artifacts(policy files, keys, etc..) with kata-cc CI according to https://github.com/kata-containers/tests/tree/CCv0/integration/containerd/confidential/fixtures , Thanks @fidencio for the info
from enclave-cc.
In order to integrate Enclave-CC into the CC operator it needs to build it's own payload image and to demonstrate that Enclave-CC and 'Kata-CC' offer similar levels of functionality the Kata CC tests (or as close as possible) should be run on the Enclave-CC.
Some of the steps have been implemented earlier and after #123 I believe we can meet the original request.
- enclave-cc payloads are published automatically, and tested by operator CI for each PR and in nightly builds. the tests setup a
kind
cluster and deploys "simulated" enclave-cc on Github runners - enclave-cc repository builds payloads for both SIM and HW SGX modes, HW mode is tested on an SGX VM w/ eaa_kbc image decryption and cosign based signature verification
from enclave-cc.
Related Issues (20)
- enable dependabot updates for rust dependencies HOT 1
- image pull failures with multi-layer images
- Get rid of eaa-kbc & verdictd HOT 4
- update to combined image-rs+ocicrypt+AA repo HOT 1
- Update Quickstart for v0.8 HOT 2
- CI failed because of key not found HOT 4
- enable signature checks for sample_kbc in CI
- update operator flows for NFD and Debug
- Operator tests are currently failing
- specify rust version used in builds
- Replace apt yum repos for installing Kubernetes HOT 1
- RFC: enclave-cc improvement ideas HOT 4
- Failed to create agent enclave - Invalid enclave metadata. (line 152, file src/pal_enclave.c) HOT 27
- [ERROR] occlum-pal: Failed to create enclave with error code 0x2006: Invalid SGX device. Please make sure SGX module is enabled in the BIOS, and install SGX driver afterwards. (line 152, file src/pal_enclave.c) HOT 5
- Error while creating enclave-cc in HW mode with encrypted image which requires attestation HOT 10
- shim: RPC protos and dependencies need rework
- Attestation: Verifier evaluate failed: SGX Verifier: REPORT_DATA is different from that in SGX Quote HOT 24
- setup cargo workspace
- deploy enclave-cc failed HOT 5
- how to configure image decryption keys HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from enclave-cc.