TEE Cgroups
(Optional) Configuring a Trustlist for Cgroups
By default, only the root user can configure cgroup resources in the TEE. To grant this permission to other users who are authorized to create containers, perform the following steps to add those users to the trustlist. Skip this section if you do not have such a requirement.
- Obtain the IDs of the users you want to add to the trustlist.
id test

In this example, the ID of the test user is 1000.
- Create a trustlist file and name it uid.txt.
vim uid.txt
Enter the IDs of the users who require the TEE cgroup configuration permission into the file, one user ID per line.
1000
- Pack the uid.txt file into a SEC file. The certificate must be a special TA certificate that contains manager_type.
pip3 install pycryptodome defusedxml
git clone https://gitee.com/openeuler/itrustee_sdk.git
cd itrustee_sdk/build/pack-App/
mkdir whitelist
cp uid.txt whitelist
Copy the TA certificate ta_cert.der and private key private_key.pem to the pack_tools directory. For details about how to apply for a TA certificate, see Applying for a TA Developer Certificate in a Debugging Environment. Run the following command to pack the trustlist directory and generate the SEC file:
python3 pack.py whitelist

- Import the configuration using the tee_teleport tool.
tee_teleport -s whitelist.sec -t cfg

- Run the tlogcat command to confirm that the configuration was applied successfully:
tlogcat

Configuring Cgroups for Confidential Containers
To better manage resources in the TEE, the TEE allows using cgroups to configure memory and CPU resources for confidential containers.
- Download the Docker hook tool package for the REE from itrustee_sdk. The tool is used during container startup to configure TEE resources for containers through the hook mechanism.
git clone https://gitee.com/openeuler/itrustee_sdk.git
cd itrustee_sdk/build/tools/docker_config_tools
- Copy the hook scripts to the /var/lib/docker/hooks directory. These scripts are used to automatically configure and release TEE resources during container startup and destruction.
cp start.sh stop.sh prestart_container.sh poststop_container.sh /var/lib/docker/hooks
- Use the script to generate the cgroup resource configuration file for containers in the TEE.
python3 gen_config.py <config_dir> --memory=200M --cpus=10000 --cpuset-cpus="0,1" --disk-size=300M
In the preceding command, config_dir must be an absolute path. A config.json file that complies with the hook mechanism is generated in the config_dir directory. This file specifies the additional operations to be performed in the REE when the container is created and destroyed.

The TEE supports the following cgroup configuration items:
- --memory: specifies the upper limit of the memory space that can be used by all TAs of the group in the TEE.
- --cpus: specifies the upper limit of the CPU usage occupied by all TAs of the group in the TEE.
- --cpuset-cpus: specifies the IDs of the CPUs that can be used by all TAs of the group in the TEE.
To query the IDs of the CPUs that are online in the TEE, run the following command:
tee_teleport --config-resource --nsid=$(lsns -t pid | grep systemd | awk '{print $1}')
- --disk-size: specifies the upper limit of the file system space that can be used by all TAs of the group in the TEE. Because file systems in the TEE are temporary file systems (tmpfs), the files deployed and generated in the TEE count against both the memory quota and the file system quota.
- Start the container. Cgroup resources are then automatically configured for the container in the TEE.
docker run --hook-spec=<config_dir>/config.json -it --mount type=bind,source=/var/itrustee/teecd,target=/var/itrustee/teecd,readonly --device /dev/teelog:/dev/teelog:wr --device /dev/tc_ns_cvm:/dev/tc_ns_cvm:wr -d <docker_image>
- Destroy the container. When the docker rm or docker stop command is executed, the resources occupied by the container in the TEE are released automatically.
By default, the cgroup feature is automatically enabled after the OS is upgraded to the confidential OS. If you do not configure memory and CPU resources in the TEE for a confidential container, the resources in the TEE are not restricted for the corresponding group. All resource configuration parameters are optional.
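Because the four limits interact (files in the TEE's tmpfs are charged to the memory quota, and --cpuset-cpus may name a CPU that is not online in the TEE), it is worth checking a configuration before generating config.json. The following script is an added example written for this page, not a tool from itrustee_sdk: it assumes the size syntax shown above (200M, 1G, or a bare byte count), a comma-separated cpuset that may also contain ranges such as 0-2, and that the caller passes in the list of online CPU IDs obtained from tee_teleport --config-resource.

```python
"""Sanity-check TEE cgroup limits before passing them to gen_config.py.

Added example, not part of itrustee_sdk. It parses the same
--memory/--cpus/--cpuset-cpus/--disk-size values that gen_config.py takes
and reports combinations that a tmpfs-backed TEE group cannot honour.
"""
import re

_UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}


def parse_size(text):
    """Turn '200M', '1G' or '4096' into a byte count; raise ValueError on junk."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", str(text).upper())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)


def parse_cpuset(text):
    """Expand '0,1,4-6' into the set of CPU ids it names."""
    cpus = set()
    for part in str(text).split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"bad CPU range: {part!r}")
        cpus.update(range(lo_i, hi_i + 1))
    return cpus


def check_limits(memory=None, cpus=None, cpuset_cpus=None, disk_size=None,
                 online_cpus=None):
    """Return a list of problems; an empty list means the limits are consistent.

    online_cpus: CPU ids reported as online in the TEE (assumed to be supplied
    by the caller from the tee_teleport --config-resource output). When it is
    None the cpuset is only checked for syntax.
    """
    problems = []
    mem = parse_size(memory) if memory is not None else None
    disk = parse_size(disk_size) if disk_size is not None else None

    if mem == 0:
        problems.append("--memory=0 leaves the group no memory at all")

    if cpus is not None and int(cpus) <= 0:
        problems.append("--cpus must be a positive value")

    if cpuset_cpus is not None:
        wanted = parse_cpuset(cpuset_cpus)
        if online_cpus is not None:
            offline = sorted(wanted - set(online_cpus))
            if offline:
                problems.append(
                    f"--cpuset-cpus names CPUs not online in the TEE: {offline}")

    # TEE file systems are tmpfs, so every file is also charged to the memory
    # quota: a disk quota above the memory quota can never be the binding limit.
    if mem is not None and disk is not None and disk > mem:
        problems.append(
            "--disk-size exceeds --memory; tmpfs files count against memory, "
            "so the memory limit will be hit before the disk limit")
    return problems


if __name__ == "__main__":
    # Constructed sample: the limits from the gen_config.py command above,
    # checked against a TEE that reports CPUs 0-3 online.
    for p in check_limits("200M", "10000", "0,1", "300M", online_cpus=[0, 1, 2, 3]):
        print("warning:", p)
```

Run it before gen_config.py; a non-empty result is a reason to revisit the numbers, since the TEE itself will not reject an inconsistent combination at this point in the procedure.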