Ansible playbook simplification around SGX drivers (#2868)
Родитель
eb82ab0117
Коммит
438218e4b2
|
@ -7,7 +7,7 @@ trigger:
|
|||
|
||||
jobs:
|
||||
- job: build_and_publish_docs
|
||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
pool:
|
||||
vmImage: ubuntu-20.04
|
||||
|
||||
|
|
|
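Review bot: The new `ccfciteam/ccf-ci:oe0.17.1-focal-lite` reference on the `container:` line is a mutable tag, so the docs job runs whatever that tag resolves to at build time rather than a fixed image; the same applies to the `image:` lines in the sections at `@ -27,11 +27,11 @@`, `@ -23,11 +23,11 @@`, `@ -9,7 +9,7 @@`, `@ -16,7 +16,7 @@` and `@ -21,7 +21,7 @@`. Those containers run with `--cap-add NET_ADMIN`, `--cap-add NET_RAW` and, for the sgx ones, `--device /dev/sgx`, so a retagged image inherits those privileges on the CI host. Pinning by digest, e.g. `image: ccfciteam/ccf-ci:oe0.17.1-focal-lite@sha256:<digest-placeholder>`, or at least logging the resolved digest in the pipeline, would make the switch reproducible and auditable.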
@ -27,11 +27,11 @@ schedules:
|
|||
resources:
|
||||
containers:
|
||||
- container: nosgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
||||
|
||||
- container: sgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
||||
|
||||
variables:
|
||||
|
|
|
@ -23,11 +23,11 @@ schedules:
|
|||
resources:
|
||||
containers:
|
||||
- container: nosgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
|
||||
|
||||
- container: sgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||
|
||||
jobs:
|
||||
|
|
|
@ -9,7 +9,7 @@ on:
|
|||
jobs:
|
||||
checks:
|
||||
runs-on: ubuntu-20.04
|
||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
|
|
|
@ -16,7 +16,7 @@ pr:
|
|||
resources:
|
||||
containers:
|
||||
- container: sgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||
|
||||
jobs:
|
||||
|
|
|
@ -21,7 +21,7 @@ schedules:
|
|||
resources:
|
||||
containers:
|
||||
- container: sgx
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||
|
||||
jobs:
|
||||
|
|
|
@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to build CCF itself and CCF a
|
|||
.. code-block:: bash
|
||||
|
||||
$ cd <ccf_path>/getting_started/setup_vm
|
||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
||||
$ ./run.sh ccf-dev.yml
|
||||
|
||||
Once this is complete, you can proceed to :doc:`/build_apps/build_app`.
|
||||
|
|
|
@ -22,7 +22,6 @@ These dependencies can be conveniently installed using the ``ansible`` playbooks
|
|||
.. code-block:: bash
|
||||
|
||||
$ cd <ccf_path>/getting_started/setup_vm/
|
||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
||||
$ ./run.sh app-dev.yml
|
||||
|
||||
Install
|
||||
|
|
|
@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to start CCF applications, si
|
|||
.. code-block:: bash
|
||||
|
||||
$ cd <ccf_path>/getting_started/setup_vm
|
||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
||||
$ ./run.sh app-run.yml
|
||||
|
||||
Runtime Container
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
# Docker images for CCF
|
||||
|
||||
- `app_run`: Builds the image containing all runtime dependencies for CCF, as well as the latest release of CCF (as per https://github.com/microsoft/CCF/releases/latest). To be used by CCF operators.
|
||||
- `app_ci`: Builds the image containing all build dependencies for CCF applications. To be used by CCF application developers.
|
||||
- `ccf_ci`: Builds the image containing all build dependencies for CCF itself. To be used by CCF contributors. It is also used by CCF Continuous Integration pipeline.
|
||||
|
||||
To build a given image, run:
|
||||
|
||||
```bash
|
||||
$ cd CCF/
|
||||
$ docker build -t <tag> -f docker/<app_run|app_ci|ccf_ci> .
|
||||
```
|
|
@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
|
|||
|
||||
COPY getting_started/setup_vm/ /setup_vm/
|
||||
RUN apt update \
|
||||
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \
|
||||
&& apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
|
||||
&& cd setup_vm \
|
||||
&& ansible-playbook app-dev.yml $extra_vars \
|
||||
&& rm -rf /tmp/* \
|
||||
&& apt remove -y ansible software-properties-common \
|
||||
&& apt remove -y ansible software-properties-common curl \
|
||||
&& apt -y autoremove \
|
||||
&& apt -y clean
|
|
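Review bot: The new `apt install -y ansible software-properties-common curl bsdmainutils dnsutils` line has no `--no-install-recommends`, and the layer ends with `apt -y clean` but never removes the package lists fetched by `apt update`, so the image keeps `/var/lib/apt/lists/*` plus every recommended package of the build-time tools; the same pattern is in the next section (`@ -27,10 +27,10 @@` of the second Dockerfile). Since ansible, software-properties-common and curl are removed again at the end of the same RUN, `apt remove -y ansible software-properties-common curl` could be `apt purge -y ansible software-properties-common curl` so their configuration files do not stay behind, and `&& rm -rf /var/lib/apt/lists/*` after `apt -y clean` would drop the index. Whether `bsdmainutils` and `dnsutils` are needed in the final image is not visible from this hunk.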
@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
|
|||
|
||||
COPY getting_started/setup_vm/ /setup_vm/
|
||||
RUN apt update \
|
||||
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \
|
||||
&& apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
|
||||
&& cd setup_vm \
|
||||
&& ansible-playbook app-run.yml $extra_vars \
|
||||
&& rm -rf /tmp/* \
|
||||
&& apt remove -y ansible software-properties-common \
|
||||
&& apt remove -y ansible software-properties-common curl \
|
||||
&& apt -y autoremove \
|
||||
&& apt -y clean
|
|
@ -8,9 +8,6 @@
|
|||
- import_role:
|
||||
name: az_dcap
|
||||
tasks_from: install.yml
|
||||
- import_role:
|
||||
name: openenclave
|
||||
tasks_from: binary_install.yml
|
||||
- import_role:
|
||||
name: ccf_install
|
||||
tasks_from: deb_install.yml
|
||||
|
|
|
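Review bot: Dropping the `az_dcap` role import (the three removed lines at the top of the hunk) means this playbook no longer installs whatever that role provided, and neither `openenclave/binary_install.yml` nor `ccf_install/deb_install.yml` is shown here to replace it. If `az_dcap` is the Azure DCAP quote provider, as the role name suggests, a machine set up with this playbook would lack it unless one of the remaining roles or the installed package pulls it in; that is an inference from the name and should be confirmed, and a one-line comment such as `# az_dcap dropped: <reason-placeholder>` above `- import_role:` would record the decision. The play header (`- hosts:` / `tasks:`) is outside the hunk.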
@ -1,5 +0,0 @@
|
|||
- hosts: localhost
|
||||
tasks:
|
||||
- import_role:
|
||||
name: intel
|
||||
tasks_from: sgx-driver.yml
|
|
@ -25,8 +25,6 @@ debs:
|
|||
- iptables # partition test infra
|
||||
- libclang1-9 # required by doxygen
|
||||
- libclang-cpp9 # required by doxygen
|
||||
- flex # required to build doxygen
|
||||
- bison # required to build doxygen
|
||||
|
||||
mbedtls_ver: "2.16.10"
|
||||
mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
if [ "{{ ccf_ver }}" = "latest" ]; then
|
||||
curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4
|
||||
else
|
||||
echo "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
|
||||
echo "https://github.com/microsoft/CCF/releases/download/ccf-{{ ccf_ver }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
|
||||
fi
|
||||
register: ccf_deb_url
|
||||
|
||||
|
|
|
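Review bot: The `curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4` pipeline on the `latest` branch has no `-f`, so an HTTP error or an API rate-limit response leaves an empty or unrelated string in `ccf_deb_url` and the failure only surfaces later as an opaque download error; `curl -sSf` on that line plus `failed_when: ccf_deb_url.stdout == ""` on the task would fail at the point of the problem. The hardcoded `download/ccf-{{ ccf_ver }}` path on the new `echo` line is consistent with `ccf_suffix` being removed from `common.yml`. Neither branch verifies the .deb before it is installed; if the release publishes a checksum or signature, checking it here would close that gap. The `shell:` task wrapping this script starts before the hunk.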
@ -1,37 +0,0 @@
|
|||
- name: Include vars
|
||||
include_vars: common.yml
|
||||
|
||||
- name: Download CCF release
|
||||
get_url:
|
||||
url: "{{ ccf_url }}"
|
||||
dest: "{{ workspace }}"
|
||||
|
||||
- name: Create directory
|
||||
file:
|
||||
path: "/opt/ccf"
|
||||
state: directory
|
||||
become: true
|
||||
|
||||
- name: Expand CCF release
|
||||
unarchive:
|
||||
src: "/tmp/{{ ccf_tarball }}"
|
||||
dest: "/opt/ccf"
|
||||
extra_opts:
|
||||
- --strip-components=1
|
||||
become: true
|
||||
|
||||
- name: Copy cchost
|
||||
copy:
|
||||
src: "/opt/ccf/bin/cchost"
|
||||
dest: "/usr/bin/cchost"
|
||||
remote_src: true
|
||||
mode: a=rx
|
||||
become: true
|
||||
when: run_only|bool
|
||||
|
||||
- name: Remove release
|
||||
file:
|
||||
path: "/opt/ccf"
|
||||
state: absent
|
||||
become: true
|
||||
when: run_only|bool
|
|
@ -1,6 +1 @@
|
|||
workspace: "/tmp/"
|
||||
ccf_ver: "latest"
|
||||
ccf_tarball: "ccf.tar.gz"
|
||||
ccf_suffix: "{{ 'latest/download' if ccf_ver == 'latest' else 'download/ccf-' + ccf_ver }}"
|
||||
ccf_url: "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/{{ ccf_tarball }}"
|
||||
ccf_prefix: "/opt/openenclave"
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
# Copyright (c) Open Enclave SDK contributors.
|
||||
# Licensed under the MIT License.
|
||||
|
||||
---
|
||||
- name: Include distribution vars
|
||||
include_vars:
|
||||
file: common.yml
|
||||
|
||||
- name: Install the dkms package
|
||||
apt:
|
||||
name:
|
||||
- "dkms"
|
||||
state: latest
|
||||
update_cache: yes
|
||||
install_recommends: no
|
||||
become: true
|
||||
|
||||
- name: Populate service facts
|
||||
service_facts:
|
||||
|
||||
- name: Ensure aesmd service stopped
|
||||
service:
|
||||
name: aesmd
|
||||
state: stopped
|
||||
when: "'aesmd.service' in ansible_facts.services"
|
||||
become: true
|
||||
|
||||
- name: Download Intel SGX DCAP Driver
|
||||
get_url:
|
||||
url: "{{intel_sgx_w_flc_driver_url}}"
|
||||
dest: /tmp/sgx_linux_x64_driver.bin
|
||||
mode: 0755
|
||||
timeout: 120
|
||||
retries: 3
|
||||
when: flc_enabled|bool
|
||||
become: true
|
||||
|
||||
- name: Download Intel SGX1 Driver
|
||||
get_url:
|
||||
url: "{{intel_sgx1_driver_url}}"
|
||||
dest: /tmp/sgx_linux_x64_driver.bin
|
||||
mode: 0755
|
||||
timeout: 120
|
||||
retries: 3
|
||||
when: not flc_enabled|bool
|
||||
become: true
|
||||
|
||||
- name: Install the Intel SGX DCAP Driver
|
||||
command: /tmp/sgx_linux_x64_driver.bin
|
||||
become: true
|
||||
|
||||
- name: Remove the Intel SGX DCAP Driver installer
|
||||
file:
|
||||
path: /tmp/sgx_linux_x64_driver.bin
|
||||
state: absent
|
||||
become: true
|
||||
|
||||
- name: Ensure aesmd service running
|
||||
service:
|
||||
name: aesmd
|
||||
state: started
|
||||
enabled: yes
|
||||
when: "'aesmd.service' in ansible_facts.services"
|
||||
become: true
|
|
@ -1,39 +0,0 @@
|
|||
- name: Include distribution vars
|
||||
include_vars:
|
||||
file: common.yml
|
||||
|
||||
- name: Install apt-transport-https APT package
|
||||
apt:
|
||||
name: apt-transport-https
|
||||
state: latest
|
||||
become: true
|
||||
|
||||
- name: Add APT repository key
|
||||
apt_key:
|
||||
url: "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key"
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: Add APT repository
|
||||
apt_repository:
|
||||
repo: "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu {{ ansible_distribution_release }} main"
|
||||
state: present
|
||||
update_cache: yes
|
||||
become: true
|
||||
|
||||
- name: Install the Intel libsgx packages
|
||||
apt:
|
||||
name: "{{ intel_sgx_dev_packages }}"
|
||||
state: latest
|
||||
update_cache: yes
|
||||
install_recommends: no
|
||||
become: true
|
||||
|
||||
- name: Install the Intel DCAP packages
|
||||
apt:
|
||||
name: "{{ intel_dcap_dev_packages }}"
|
||||
state: latest
|
||||
update_cache: yes
|
||||
install_recommends: no
|
||||
when: flc_enabled|bool
|
||||
become: true
|
|
@ -3,8 +3,6 @@
|
|||
|
||||
---
|
||||
flc_enabled: true
|
||||
intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin"
|
||||
intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin"
|
||||
|
||||
intel_sgx_packages:
|
||||
- "libsgx-enclave-common"
|
||||
|
@ -14,14 +12,7 @@ intel_sgx_packages:
|
|||
- "libsgx-qe3-logic"
|
||||
- "libsgx-pce-logic"
|
||||
|
||||
intel_sgx_dev_packages:
|
||||
- "libsgx-enclave-common-dev"
|
||||
|
||||
intel_dcap_packages:
|
||||
- "libsgx-dcap-ql"
|
||||
- "libsgx-urts"
|
||||
- "libsgx-quote-ex"
|
||||
|
||||
intel_dcap_dev_packages:
|
||||
- "libsgx-dcap-ql-dev"
|
||||
- "sgx-aesm-service"
|
||||
|
|
|
@ -4,6 +4,11 @@
|
|||
|
||||
set -ex
|
||||
|
||||
# Install ansible-base rather than ansible because service_facts
|
||||
# is broken on Ubuntu 20.04 with the default apt package.
|
||||
# See https://github.com/ansible/ansible/issues/68536 (fixed in ansible >= 2.10)
|
||||
sudo apt-get update
|
||||
sudo apt install ansible -y
|
||||
ansible-playbook "$@"
|
||||
sudo apt install software-properties-common
|
||||
sudo add-apt-repository -y --update ppa:ansible/ansible
|
||||
sudo apt install ansible-base -y
|
||||
ansible-playbook "$@"
|
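Review bot: `sudo apt install software-properties-common` on the first new command line has no `-y`, so on a host where the package is not yet present apt asks for confirmation and, with no tty under `set -ex`, is likely to abort the script; the old `sudo apt-get update` before the first install was also dropped, so that install runs against whatever index the host already has, since `add-apt-repository --update` only refreshes afterwards. The start of the new block should read `sudo apt-get update` followed by `sudo apt install -y software-properties-common`. Adding `ppa:ansible/ansible` also enrols a third-party signing key on every machine `run.sh` is used on; a short comment next to the existing `ansible-base` note, e.g. `# ppa:ansible/ansible adds its signing key to the host's apt trust store`, would make that trust decision visible to readers.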