Problem: Nitro helper requires a separate enclave launching(#93) #109
Conversation
There was a problem hiding this comment.
given nitro-cli isn't yet exposed as a library properly, wouldn't be easier just call the shell command?
also: https://github.com/crypto-com/tmkms-light/pull/109/checks?check_run_id=2902100730#step:5:22
| let proxy_opt = VSockProxyOpt { | ||
| remote_addr: format!("kms.{}.amazonaws.com", aws_region), | ||
| ..Default::default() | ||
| }; | ||
| let all_config = Config { | ||
| sign_opt: nitro_sign_opt, | ||
| enclave: enclave_opt, | ||
| vsock_proxy: proxy_opt, | ||
| }; |
There was a problem hiding this comment.
given the "launch all" command is optional, I'm not sure if it makes sense to bundle the extra config to the global config?
| cmd.contains(&"tmkms-nitro-helper".to_string()) | ||
| && cmd.contains(&"enclave".to_string()) |
There was a problem hiding this comment.
won't this always fail? it'll only match a command that has all those 3 names in its name?
also the functional is called check_vsock_proxy, why does it check for tmkms-nitro-helper...?
| use crossbeam_channel::{bounded, Receiver, Sender}; | ||
| use std::thread::{self, sleep}; | ||
| use std::time::Duration; | ||
|
|
There was a problem hiding this comment.
for pub functions or struct, it'd be good to have some doc explaining what it does -- e.g. stop_enclave_sender isn't entirely obvious from the type
| use crate::command::nitro_enclave::run_vsock_proxy; | ||
| use crate::command::nitro_enclave::{describe_enclave, run_enclave}; | ||
| use crate::config::Config; | ||
| use crossbeam_channel::{bounded, Receiver, Sender}; |
There was a problem hiding this comment.
why is crossbeam used instead of std::sync::mpsc::channel? is it because the std one isn't deriving Sync or something like that?
There was a problem hiding this comment.
later, we can use crossbeam::select in a loop, process data from TCP stream or a stop signal.
| @@ -11,7 +11,9 @@ main = ["sysinfo", "reqwest"] | |||
| [dependencies] | |||
| anomaly = "0.2" | |||
| bytes = "= 0.5" | |||
| ctrlc = "3.1" | |||
There was a problem hiding this comment.
| ctrlc = "3.1" | |
| ctrlc = "3" |
| @@ -0,0 +1,29 @@ | |||
| use crate::config::VSockProxyOpt; | |||
There was a problem hiding this comment.
it seems this module is unused? (only launch_all and nitro_enclave are denoted "mod" in command?)
|
|
||
| #[derive(Serialize, Deserialize, Default, Debug)] | ||
| pub struct Config { | ||
| pub sign_opt: NitroSignOpt, |
There was a problem hiding this comment.
given only NitroSignOpt is used by the normal launch, perhaps separating the other two in a different struct? so it's still backwards-compatible and for "launch-all", one can have an extra config?
| #[structopt(name = "info", about = "get tmkms info")] | ||
| Info, | ||
| #[structopt(name = "run", about = "run enclave")] | ||
| RunEnclave { |
There was a problem hiding this comment.
quite useful to have these "shorthand" commands, so one doesn't need to repeat the args (it'd just be automatically read or taken from a config file) 👍
| @@ -37,49 +82,104 @@ enum TmkmsLight { | |||
| #[structopt(name = "start", about = "start tmkms process")] | |||
| /// start tmkms process (push config + start up proxy and state persistence) | |||
| Start { | |||
| #[structopt(short)] | |||
| config_path: Option<PathBuf>, | |||
| #[structopt(short, default_value = "tmkms.toml")] | |||
There was a problem hiding this comment.
this could potentially be done for Init too?
| pub fn run_vsock_proxy(opt: &VSockProxyOpt) -> Result<(), String> { | ||
| tracing::debug!("run vsock proxy with config: {:?}", opt); | ||
| let _ = Command::new("vsock-proxy") | ||
| .args(&["--num_workers", &format!("{}", opt.num_workers)]) | ||
| .args(&["--config", &opt.config_file]) | ||
| .arg(opt.local_port.to_string()) | ||
| .arg(&opt.remote_addr) | ||
| .arg(opt.remote_port.to_string()) | ||
| .output() | ||
| .map_err(|e| format!("execute nitro-cli error: {:?}", e))?; | ||
| Ok(()) | ||
| } |
There was a problem hiding this comment.
two questions or possible suggestions:
- should this also check if the vsock-proxy isn't already running in the background?
- what happens to this child process when the main process is ended? Given the
output()isn't used, maybe this could return.spawn()instead, so that one can haveChildand pass the signal to it when exiting?
There was a problem hiding this comment.
In my test, there is no output.
add
launch-allandenclavesubcommand:launch-all will start nitro enclave / enclave vsock-proxy / enclave helper all in one.
the enclave submand include the following:
move the enclave log server to command
tmkms-nitro-helper enclave runcommand.