-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Docs] Change "GSC" page to "Container integration" #749
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @dimakuv)
Documentation/container-integration.rst
line 20 at r1 (raw file):
applications under Gramine. The only currently available Gramine image is based on Ubuntu 20.04. The only requirement on the host system is a Linux kernel version 5.11 or higher (with the in-kernel SGX driver).
I would remove parens, this is actually the most important part - if somebody had in-kernel SGX driver in 5.0 (e.g. manual port) that would work too.
Or even rephrase to: The only requirement on the host system is a Linux kernel with in-kernel SGX driver (available from version 5.11 onward).
Documentation/container-integration.rst
line 30 at r1 (raw file):
docker run --device /dev/sgx_enclave \ --security-opt seccomp=unconfined \
Recommended way is to download our seccomp profile and use it.
And if users do not intend to use Linux PAL (non SGX), then they can just use default docker seccomp profile.
Documentation/container-integration.rst
line 31 at r1 (raw file):
docker run --device /dev/sgx_enclave \ --security-opt seccomp=unconfined \ -it --entrypoint /bin/bash gramineproject/gramine
You can remove --entrypoint /bin/bash
it's default in this image.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @dimakuv)
Suggestion:
a Gramine Docker image
82244dd
to
ff1f2c2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 2 of 3 files reviewed, 5 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @boryspoplawski and @mkow)
a discussion (no related file):
Let me block this PR until we have a proper Gramine Docker image available.
-- commits
line 4 at r1:
Done.
Documentation/container-integration.rst
line 20 at r1 (raw file):
Previously, boryspoplawski (Borys Popławski) wrote…
I would remove parens, this is actually the most important part - if somebody had in-kernel SGX driver in 5.0 (e.g. manual port) that would work too.
Or even rephrase to:The only requirement on the host system is a Linux kernel with in-kernel SGX driver (available from version 5.11 onward).
Done.
Documentation/container-integration.rst
line 30 at r1 (raw file):
Previously, boryspoplawski (Borys Popławski) wrote…
Recommended way is to download our seccomp profile and use it.
And if users do not intend to use Linux PAL (non SGX), then they can just use default docker seccomp profile.
Done. Not sure if giving a link is the best way here.
Documentation/container-integration.rst
line 31 at r1 (raw file):
Previously, boryspoplawski (Borys Popławski) wrote…
You can remove
--entrypoint /bin/bash
it's default in this image.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @dimakuv and @mkow)
Documentation/container-integration.rst
line 35 at r2 (raw file):
See https://gramine.readthedocs.io/projects/gsc/en/latest/#execute-with-linux-pal-instead-of-linux-sgx-pal for details.
This is link to GSC which talks about some GSC specific details. I would just put:
If you want to run :program:`gramine-direct` in addition to command:`gramine-sgx`,
then you should run Docker with a our custom seccomp profile using `--security-opt seccomp=<profile_file>`.
You can download the profile file from https://github.com/gramineproject/gramine/blob/master/scripts/docker_seccomp.json.
Alternatively you can disable seccomp completely (`--security-opt seccomp=unconfined`).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 2 of 3 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @boryspoplawski, @dimakuv, and @mkow)
Documentation/container-integration.rst
line 35 at r2 (raw file):
Previously, boryspoplawski (Borys Popławski) wrote…
This is link to GSC which talks about some GSC specific details. I would just put:
If you want to run :program:`gramine-direct` in addition to command:`gramine-sgx`, then you should run Docker with a our custom seccomp profile using `--security-opt seccomp=<profile_file>`. You can download the profile file from https://github.com/gramineproject/gramine/blob/master/scripts/docker_seccomp.json. Alternatively you can disable seccomp completely (`--security-opt seccomp=unconfined`).
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (1 more required, approved so far: Intel), "fixup! " found in commit messages' one-liners (waiting on @dimakuv and @mkow)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r3, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), "fixup! " found in commit messages' one-liners (waiting on @dimakuv)
We now have not only GSC, but also a Gramine Docker image hosted on DockerHub. Update our documentation to mention both tools and prepare for more tools/workflows in the future. Also, GSC was split from the core repository a long time ago and there is no need to emphasize that, so we rephrase its description. Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii@intel.com>
ec5b143
to
57eaa9d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 2 of 3 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: Intel) (waiting on @boryspoplawski and @mkow)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Let me block this PR until we have a proper Gramine Docker image available.
And the proper Gramine Docker image is publicly available: https://hub.docker.com/r/gramineproject/gramine. Rebased, ready for merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r4, all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved
Description of the changes
We now have not only GSC, but also the Gramine Docker image hosted on DockerHub. Update our documentation to mention both tools and prepare for more tools/workflows in the future. Also, GSC was split from the core repository a long time ago and there is no need to emphasize that, so we rephrase its description.
How to test this PR?
N/A.
This change is