Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Container Deployment

To enable confidential containers, you need to upgrade the TEE OS to the confidential OS. For upgrade details, see (Optional) Upgrading the TEE OS. After the upgrade is complete, perform the following steps to deploy containers.

  1. Install Docker on the server.
    1
    		 
    yum install docker
  2. Prepare a CA and a TA.
    You can develop your own CA and TA by following instructions in Setting Up the TA and CA Development Environment. This demo uses helloworld provided in iTrustee SDK as an example.
    1. To obtain the source code, download itrustee_sdk and libboundscheck from the Gitee official website and move libboundscheck to thirdparty/open_source/. 
      1
2
3
      		 
      git clone https://gitee.com/openeuler/itrustee_sdk.git
git clone https://gitee.com/openeuler/libboundscheck.git
mv libboundscheck itrustee_sdk/thirdparty/open_source/
    2. Prepare TA compilation resources.
      Obtain the config and private_key.pem files by following instructions in Applying for a TA Developer Certificate in a Debugging Environment and move the two files to signed_config/ and TA_cert/, respectively. 
      1
2
3
4
5
      		 
      cd itrutee_sdk/build/signtools/
mkdir signed_config
mkdir TA_cert
cp /path/to/config ./signed_config/    
cp /path/to/private_key.pem ./TA_cert/
    3. Compile the CA of the helloworld demo.
      1. Open ca_demo.c. 
        1
2
        		 
        cd ../../test/CA/helloworld/
vim ca_demo.c
      2. Press i to enter the insert mode. Modify the UUID of the TA and add the TA path.

      3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
      4. Generate the demo_hello application (CA). 
        1
        		 
        make
    4. Compile the TA of the helloworld demo.
      1. Open manifest.txt. 
        1
2
        		 
        cd ../../TA/helloworld/
vim manifest.txt
      2. Press i to enter the insert mode. Modify the corresponding variables in manifest.txt based on the content of the configs.xml file used to apply for the config file.

      3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
      4. Generate the < UUID >.sec file (for the TA). 
        1
        		 
        make
  3. Download an openEuler image and import it.
    1
2
    		 
    wget https://mirrors.huaweicloud.com/openeuler/openEuler-22.03-LTS-SP1/docker_img/aarch64/openEuler-docker.aarch64.tar.xz
docker load -i openEuler-docker.aarch64.tar.xz

  4. Copy the CA and TA and the dependency files to a directory for building images.
    1
2
3
4
5
6
7
    		 
    mkdir build && cd build
cp ../itrustee_sdk/test/CA/helloworld/demo_hello ./
cp ../itrustee_sdk/test/TA/helloworld/*.sec ./
cp /usr/lib64/libboundscheck.so ./
cp /usr/lib64/libteec.so ./
cp /usr/bin/tlogcat ./
cp /usr/bin/agentd ./

    The image build directory contains the following files:

    • You can run the ldd command to view the dependency files. For example, to view the dependency files of agentd: 
      1
      		 
      ldd agentd

      The basic image of openEuler contains all the SO libraries except libboundscheck.so and libteec.so. Therefore, in this example, only the two SO libraries are copied to the image. For other OS images, copy all the missing libraries.

    • The version of the REE patch copied to the container must be the same as that on the host. Otherwise, the TEE OS in the container is unavailable.
  5. Create a Dockerfile.
    1. Create a file. 
      1
      		 
      vim Dockerfile
    2. Press i to enter the insert mode and add the following content: 
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
      		 
      FROM openeuler-22.03-lts-sp1

RUN mkdir -p /vendor/bin && mkdir -p /data

COPY *.so /usr/lib64/
COPY tlogcat agentd /usr/bin/
COPY *.sec /data/
COPY demo_hello /vendor/bin/

RUN chmod +x /vendor/bin/demo_hello

CMD /usr/bin/agentd & /vendor/bin/demo_hello
    3. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
  6. Run the following command to build the image:
    1
    		 
    docker build -t demo_hello .

  7. Start the container based on the image and obtain the run logs of the container.
    1
2
    		 
    docker run -it --mount type=bind,source=/var/itrustee/teecd,target=/var/itrustee/teecd,readonly --device /dev/teelog:/dev/teelog:wr --device /dev/tc_ns_cvm:/dev/tc_ns_cvm:wr -d demo_hello
docker logs -f <container_id>

  • If the container requires TA2TA or trusted storage, start agentd in the container before executing the CA.
  • If the container fails to be started, perform the following steps:
    1. Ensure that teecd and tzdriver have been loaded on the host.
    2. Ensure that the /var/itrustee/teecd/teecd.sock, /dev/teelog, and /dev/tc_ns_cvm files exist on the host.
    3. Ensure that libteec.so and tlogcat used to build the image are the same as those on the host.
    4. Ensure that the mounted files used to start the container are the same as those in 7.
    5. If the container requires TA2TA or trusted storage, start the agentd daemon in the container.
Parent topic: Confidential Containers