Ansible playbook simplification around SGX drivers (#2868)

Julien Maffre 2021-08-05 17:06:54 +01:00 коммит произвёл GitHub
Родитель eb82ab0117
Коммит 438218e4b2
22 изменённых файлов: 32 добавлений и 182 удалений


@ -7,7 +7,7 @@ trigger:
jobs: jobs:
- job: build_and_publish_docs - job: build_and_publish_docs
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
pool: pool:
vmImage: ubuntu-20.04 vmImage: ubuntu-20.04
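Review bot: The new `container:` value on the third line of the hunk references the CI image by a mutable tag (`ccfciteam/ccf-ci:oe0.17.1-focal-lite`), so the toolchain that builds and publishes from this pipeline can change without any commit whenever that tag is re-pushed to the registry. Pinning the reference by digest as well as tag, `container: ccfciteam/ccf-ci:oe0.17.1-focal-lite@sha256:<digest-placeholder>`, makes each run reproducible and auditable against the image actually used. The same tag-only reference is introduced by every other `image:`/`container:` hunk on this page (the `nosgx`/`sgx` container resources, the GitHub Actions `checks` job and the two single-container pipelines), so one pinning convention should be applied across them.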


@ -27,11 +27,11 @@ schedules:
resources: resources:
containers: containers:
- container: nosgx - container: nosgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
- container: sgx - container: sgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
variables: variables:


@ -23,11 +23,11 @@ schedules:
resources: resources:
containers: containers:
- container: nosgx - container: nosgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
- container: sgx - container: sgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
jobs: jobs:

2
.github/workflows/ci-checks.yml поставляемый

@ -9,7 +9,7 @@ on:
jobs: jobs:
checks: checks:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
steps: steps:
- name: Checkout repository - name: Checkout repository


@ -16,7 +16,7 @@ pr:
resources: resources:
containers: containers:
- container: sgx - container: sgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
jobs: jobs:


@ -21,7 +21,7 @@ schedules:
resources: resources:
containers: containers:
- container: sgx - container: sgx
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10 image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
jobs: jobs:


@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to build CCF itself and CCF a
.. code-block:: bash .. code-block:: bash
$ cd <ccf_path>/getting_started/setup_vm $ cd <ccf_path>/getting_started/setup_vm
$ ./run.sh driver.yml # Only on SGX-enabled hardware
$ ./run.sh ccf-dev.yml $ ./run.sh ccf-dev.yml
Once this is complete, you can proceed to :doc:`/build_apps/build_app`. Once this is complete, you can proceed to :doc:`/build_apps/build_app`.


@ -22,7 +22,6 @@ These dependencies can be conveniently installed using the ``ansible`` playbooks
.. code-block:: bash .. code-block:: bash
$ cd <ccf_path>/getting_started/setup_vm/ $ cd <ccf_path>/getting_started/setup_vm/
$ ./run.sh driver.yml # Only on SGX-enabled hardware
$ ./run.sh app-dev.yml $ ./run.sh app-dev.yml
Install Install


@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to start CCF applications, si
.. code-block:: bash .. code-block:: bash
$ cd <ccf_path>/getting_started/setup_vm $ cd <ccf_path>/getting_started/setup_vm
$ ./run.sh driver.yml # Only on SGX-enabled hardware
$ ./run.sh app-run.yml $ ./run.sh app-run.yml
Runtime Container Runtime Container

12
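--- a/docker/README.md
+++ b/docker/README.md
+# Docker images for CCF
+- `app_run`: Builds the image containing all runtime dependencies for CCF, as well as the latest release of CCF (as per https://github.com/microsoft/CCF/releases/latest). To be used by CCF operators.
+- `app_ci`: Builds the image containing all build dependencies for CCF applications. To be used by CCF application developers.
+- `ccf_ci`: Builds the image containing all build dependencies for CCF itself. To be used by CCF contributors. It is also used by CCF Continuous Integration pipeline.
+To build a given image, run:
+```bash
+$ cd CCF/
+$ docker build -t <tag> -f docker/<app_run|app_ci|ccf_ci> .
+```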


@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
COPY getting_started/setup_vm/ /setup_vm/ COPY getting_started/setup_vm/ /setup_vm/
RUN apt update \ RUN apt update \
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \ && apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
&& cd setup_vm \ && cd setup_vm \
&& ansible-playbook app-dev.yml $extra_vars \ && ansible-playbook app-dev.yml $extra_vars \
&& rm -rf /tmp/* \ && rm -rf /tmp/* \
&& apt remove -y ansible software-properties-common \ && apt remove -y ansible software-properties-common curl \
&& apt -y autoremove \ && apt -y autoremove \
&& apt -y clean && apt -y clean
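Review bot: The RUN chain drives package management through the `apt` front end, which apt itself warns has no stable CLI for use in scripts, and the closing `apt -y clean` empties only the archive cache, so the package index fetched by `apt update` at the top of the chain stays in the image layer. Switching to `apt-get update` / `apt-get install -y --no-install-recommends ...` and ending the chain with `&& rm -rf /var/lib/apt/lists/*` keeps the layer smaller and avoids shipping a stale index that a later `apt install` in a derived image would trust. The second Dockerfile hunk on this page (the `app-run.yml` variant) has the identical chain and should get the same treatment. The `RUN` instruction is shown in full, but `$extra_vars` is defined outside the hunk, so I cannot tell what the playbook receives here.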


@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
COPY getting_started/setup_vm/ /setup_vm/ COPY getting_started/setup_vm/ /setup_vm/
RUN apt update \ RUN apt update \
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \ && apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
&& cd setup_vm \ && cd setup_vm \
&& ansible-playbook app-run.yml $extra_vars \ && ansible-playbook app-run.yml $extra_vars \
&& rm -rf /tmp/* \ && rm -rf /tmp/* \
&& apt remove -y ansible software-properties-common \ && apt remove -y ansible software-properties-common curl \
&& apt -y autoremove \ && apt -y autoremove \
&& apt -y clean && apt -y clean


@ -8,9 +8,6 @@
- import_role: - import_role:
name: az_dcap name: az_dcap
tasks_from: install.yml tasks_from: install.yml
- import_role:
name: openenclave
tasks_from: binary_install.yml
- import_role: - import_role:
name: ccf_install name: ccf_install
tasks_from: deb_install.yml tasks_from: deb_install.yml


@ -1,5 +0,0 @@
- hosts: localhost
tasks:
- import_role:
name: intel
tasks_from: sgx-driver.yml


@ -25,8 +25,6 @@ debs:
- iptables # partition test infra - iptables # partition test infra
- libclang1-9 # required by doxygen - libclang1-9 # required by doxygen
- libclang-cpp9 # required by doxygen - libclang-cpp9 # required by doxygen
- flex # required to build doxygen
- bison # required to build doxygen
mbedtls_ver: "2.16.10" mbedtls_ver: "2.16.10"
mbedtls_dir: "mbedtls-{{ mbedtls_ver }}" mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"


@ -7,7 +7,7 @@
if [ "{{ ccf_ver }}" = "latest" ]; then if [ "{{ ccf_ver }}" = "latest" ]; then
curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4 curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4
else else
echo "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb" echo "https://github.com/microsoft/CCF/releases/download/ccf-{{ ccf_ver }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
fi fi
register: ccf_deb_url register: ccf_deb_url
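Review bot: The `latest` branch still runs `curl -s` with no `--fail`, so when api.github.com answers with a non-2xx body (an unauthenticated rate-limit response is the usual case on shared CI runners, though I cannot see how often this host hits it) the `egrep` finds no `.deb` link and `ccf_deb_url.stdout` is registered as an empty string instead of the task failing at the source. Changing the first line to `curl -sSf https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4` and prefixing the script with `set -o pipefail` turns that into an explicit error at this step. The `egrep` also emits every matching line, so a release carrying more than one `.deb` asset would register a multi-line value; whether that can happen depends on the release layout, which this page does not show. The `shell:` task that owns this snippet starts before the hunk, and the consumer of `ccf_deb_url` is outside it, so how an empty value fails downstream is not visible here.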


@ -1,37 +0,0 @@
- name: Include vars
include_vars: common.yml
- name: Download CCF release
get_url:
url: "{{ ccf_url }}"
dest: "{{ workspace }}"
- name: Create directory
file:
path: "/opt/ccf"
state: directory
become: true
- name: Expand CCF release
unarchive:
src: "/tmp/{{ ccf_tarball }}"
dest: "/opt/ccf"
extra_opts:
- --strip-components=1
become: true
- name: Copy cchost
copy:
src: "/opt/ccf/bin/cchost"
dest: "/usr/bin/cchost"
remote_src: true
mode: a=rx
become: true
when: run_only|bool
- name: Remove release
file:
path: "/opt/ccf"
state: absent
become: true
when: run_only|bool


@ -1,6 +1 @@
workspace: "/tmp/"
ccf_ver: "latest" ccf_ver: "latest"
ccf_tarball: "ccf.tar.gz"
ccf_suffix: "{{ 'latest/download' if ccf_ver == 'latest' else 'download/ccf-' + ccf_ver }}"
ccf_url: "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/{{ ccf_tarball }}"
ccf_prefix: "/opt/openenclave"


@ -1,64 +0,0 @@
# Copyright (c) Open Enclave SDK contributors.
# Licensed under the MIT License.
---
- name: Include distribution vars
include_vars:
file: common.yml
- name: Install the dkms package
apt:
name:
- "dkms"
state: latest
update_cache: yes
install_recommends: no
become: true
- name: Populate service facts
service_facts:
- name: Ensure aesmd service stopped
service:
name: aesmd
state: stopped
when: "'aesmd.service' in ansible_facts.services"
become: true
- name: Download Intel SGX DCAP Driver
get_url:
url: "{{intel_sgx_w_flc_driver_url}}"
dest: /tmp/sgx_linux_x64_driver.bin
mode: 0755
timeout: 120
retries: 3
when: flc_enabled|bool
become: true
- name: Download Intel SGX1 Driver
get_url:
url: "{{intel_sgx1_driver_url}}"
dest: /tmp/sgx_linux_x64_driver.bin
mode: 0755
timeout: 120
retries: 3
when: not flc_enabled|bool
become: true
- name: Install the Intel SGX DCAP Driver
command: /tmp/sgx_linux_x64_driver.bin
become: true
- name: Remove the Intel SGX DCAP Driver installer
file:
path: /tmp/sgx_linux_x64_driver.bin
state: absent
become: true
- name: Ensure aesmd service running
service:
name: aesmd
state: started
enabled: yes
when: "'aesmd.service' in ansible_facts.services"
become: true


@ -1,39 +0,0 @@
- name: Include distribution vars
include_vars:
file: common.yml
- name: Install apt-transport-https APT package
apt:
name: apt-transport-https
state: latest
become: true
- name: Add APT repository key
apt_key:
url: "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key"
state: present
become: true
- name: Add APT repository
apt_repository:
repo: "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu {{ ansible_distribution_release }} main"
state: present
update_cache: yes
become: true
- name: Install the Intel libsgx packages
apt:
name: "{{ intel_sgx_dev_packages }}"
state: latest
update_cache: yes
install_recommends: no
become: true
- name: Install the Intel DCAP packages
apt:
name: "{{ intel_dcap_dev_packages }}"
state: latest
update_cache: yes
install_recommends: no
when: flc_enabled|bool
become: true


@ -3,8 +3,6 @@
--- ---
flc_enabled: true flc_enabled: true
intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin"
intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin"
intel_sgx_packages: intel_sgx_packages:
- "libsgx-enclave-common" - "libsgx-enclave-common"
@ -14,14 +12,7 @@ intel_sgx_packages:
- "libsgx-qe3-logic" - "libsgx-qe3-logic"
- "libsgx-pce-logic" - "libsgx-pce-logic"
intel_sgx_dev_packages:
- "libsgx-enclave-common-dev"
intel_dcap_packages: intel_dcap_packages:
- "libsgx-dcap-ql" - "libsgx-dcap-ql"
- "libsgx-urts" - "libsgx-urts"
- "libsgx-quote-ex" - "libsgx-quote-ex"
intel_dcap_dev_packages:
- "libsgx-dcap-ql-dev"
- "sgx-aesm-service"


@ -4,6 +4,11 @@
set -ex set -ex
# Install ansible-base rather than ansible because service_facts
# is broken on Ubuntu 20.04 with the default apt package.
# See https://github.com/ansible/ansible/issues/68536 (fixed in ansible >= 2.10)
sudo apt-get update sudo apt-get update
sudo apt install ansible -y sudo apt install software-properties-common
ansible-playbook "$@" sudo add-apt-repository -y --update ppa:ansible/ansible
sudo apt install ansible-base -y
ansible-playbook "$@"
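Review bot: The new `sudo apt install software-properties-common` line is the only package step in the script without `-y`; if the package is not already present and apt needs confirmation, a run without a tty gets an abort, which `set -ex` turns into a failed setup before the PPA is ever added. The line should read `sudo apt install -y software-properties-common`, matching the `-y` already used on the `ansible-base` line below it. The added `ppa:ansible/ansible` line makes a third-party Launchpad archive a trusted package source for the whole machine, not just for this install; the existing comment explains why the PPA is needed, and extending it with `# NOTE: this PPA stays configured after setup; remove it with add-apt-repository --remove if undesired` would make that side effect visible to operators. The script's head (`set -ex`) is shown, but the file starts before the hunk.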