Ansible playbook simplification around SGX drivers (#2868)
Родитель
eb82ab0117
Коммит
438218e4b2
|
@ -7,7 +7,7 @@ trigger:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
- job: build_and_publish_docs
|
- job: build_and_publish_docs
|
||||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
pool:
|
pool:
|
||||||
vmImage: ubuntu-20.04
|
vmImage: ubuntu-20.04
|
||||||
|
|
||||||
|
|
|
@ -27,11 +27,11 @@ schedules:
|
||||||
resources:
|
resources:
|
||||||
containers:
|
containers:
|
||||||
- container: nosgx
|
- container: nosgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
||||||
|
|
||||||
- container: sgx
|
- container: sgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
|
|
|
@ -23,11 +23,11 @@ schedules:
|
||||||
resources:
|
resources:
|
||||||
containers:
|
containers:
|
||||||
- container: nosgx
|
- container: nosgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
|
||||||
|
|
||||||
- container: sgx
|
- container: sgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|
|
@ -9,7 +9,7 @@ on:
|
||||||
jobs:
|
jobs:
|
||||||
checks:
|
checks:
|
||||||
runs-on: ubuntu-20.04
|
runs-on: ubuntu-20.04
|
||||||
container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
|
|
|
@ -16,7 +16,7 @@ pr:
|
||||||
resources:
|
resources:
|
||||||
containers:
|
containers:
|
||||||
- container: sgx
|
- container: sgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|
|
@ -21,7 +21,7 @@ schedules:
|
||||||
resources:
|
resources:
|
||||||
containers:
|
containers:
|
||||||
- container: sgx
|
- container: sgx
|
||||||
image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
|
image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
|
||||||
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|
|
@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to build CCF itself and CCF a
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ cd <ccf_path>/getting_started/setup_vm
|
$ cd <ccf_path>/getting_started/setup_vm
|
||||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
|
||||||
$ ./run.sh ccf-dev.yml
|
$ ./run.sh ccf-dev.yml
|
||||||
|
|
||||||
Once this is complete, you can proceed to :doc:`/build_apps/build_app`.
|
Once this is complete, you can proceed to :doc:`/build_apps/build_app`.
|
||||||
|
|
|
@ -22,7 +22,6 @@ These dependencies can be conveniently installed using the ``ansible`` playbooks
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ cd <ccf_path>/getting_started/setup_vm/
|
$ cd <ccf_path>/getting_started/setup_vm/
|
||||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
|
||||||
$ ./run.sh app-dev.yml
|
$ ./run.sh app-dev.yml
|
||||||
|
|
||||||
Install
|
Install
|
||||||
|
|
|
@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to start CCF applications, si
|
||||||
.. code-block:: bash
|
.. code-block:: bash
|
||||||
|
|
||||||
$ cd <ccf_path>/getting_started/setup_vm
|
$ cd <ccf_path>/getting_started/setup_vm
|
||||||
$ ./run.sh driver.yml # Only on SGX-enabled hardware
|
|
||||||
$ ./run.sh app-run.yml
|
$ ./run.sh app-run.yml
|
||||||
|
|
||||||
Runtime Container
|
Runtime Container
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
# Docker images for CCF
|
||||||
|
|
||||||
|
- `app_run`: Builds the image containing all runtime dependencies for CCF, as well as the latest release of CCF (as per https://github.com/microsoft/CCF/releases/latest). To be used by CCF operators.
|
||||||
|
- `app_ci`: Builds the image containing all build dependencies for CCF applications. To be used by CCF application developers.
|
||||||
|
- `ccf_ci`: Builds the image containing all build dependencies for CCF itself. To be used by CCF contributors. It is also used by CCF Continuous Integration pipeline.
|
||||||
|
|
||||||
|
To build a given image, run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ cd CCF/
|
||||||
|
$ docker build -t <tag> -f docker/<app_run|app_ci|ccf_ci> .
|
||||||
|
```
|
|
@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
|
||||||
|
|
||||||
COPY getting_started/setup_vm/ /setup_vm/
|
COPY getting_started/setup_vm/ /setup_vm/
|
||||||
RUN apt update \
|
RUN apt update \
|
||||||
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \
|
&& apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
|
||||||
&& cd setup_vm \
|
&& cd setup_vm \
|
||||||
&& ansible-playbook app-dev.yml $extra_vars \
|
&& ansible-playbook app-dev.yml $extra_vars \
|
||||||
&& rm -rf /tmp/* \
|
&& rm -rf /tmp/* \
|
||||||
&& apt remove -y ansible software-properties-common \
|
&& apt remove -y ansible software-properties-common curl \
|
||||||
&& apt -y autoremove \
|
&& apt -y autoremove \
|
||||||
&& apt -y clean
|
&& apt -y clean
|
|
@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
|
||||||
|
|
||||||
COPY getting_started/setup_vm/ /setup_vm/
|
COPY getting_started/setup_vm/ /setup_vm/
|
||||||
RUN apt update \
|
RUN apt update \
|
||||||
&& apt install -y ansible software-properties-common bsdmainutils dnsutils \
|
&& apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
|
||||||
&& cd setup_vm \
|
&& cd setup_vm \
|
||||||
&& ansible-playbook app-run.yml $extra_vars \
|
&& ansible-playbook app-run.yml $extra_vars \
|
||||||
&& rm -rf /tmp/* \
|
&& rm -rf /tmp/* \
|
||||||
&& apt remove -y ansible software-properties-common \
|
&& apt remove -y ansible software-properties-common curl \
|
||||||
&& apt -y autoremove \
|
&& apt -y autoremove \
|
||||||
&& apt -y clean
|
&& apt -y clean
|
|
@ -8,9 +8,6 @@
|
||||||
- import_role:
|
- import_role:
|
||||||
name: az_dcap
|
name: az_dcap
|
||||||
tasks_from: install.yml
|
tasks_from: install.yml
|
||||||
- import_role:
|
|
||||||
name: openenclave
|
|
||||||
tasks_from: binary_install.yml
|
|
||||||
- import_role:
|
- import_role:
|
||||||
name: ccf_install
|
name: ccf_install
|
||||||
tasks_from: deb_install.yml
|
tasks_from: deb_install.yml
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
- hosts: localhost
|
|
||||||
tasks:
|
|
||||||
- import_role:
|
|
||||||
name: intel
|
|
||||||
tasks_from: sgx-driver.yml
|
|
|
@ -25,8 +25,6 @@ debs:
|
||||||
- iptables # partition test infra
|
- iptables # partition test infra
|
||||||
- libclang1-9 # required by doxygen
|
- libclang1-9 # required by doxygen
|
||||||
- libclang-cpp9 # required by doxygen
|
- libclang-cpp9 # required by doxygen
|
||||||
- flex # required to build doxygen
|
|
||||||
- bison # required to build doxygen
|
|
||||||
|
|
||||||
mbedtls_ver: "2.16.10"
|
mbedtls_ver: "2.16.10"
|
||||||
mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"
|
mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
if [ "{{ ccf_ver }}" = "latest" ]; then
|
if [ "{{ ccf_ver }}" = "latest" ]; then
|
||||||
curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4
|
curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4
|
||||||
else
|
else
|
||||||
echo "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
|
echo "https://github.com/microsoft/CCF/releases/download/ccf-{{ ccf_ver }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
|
||||||
fi
|
fi
|
||||||
register: ccf_deb_url
|
register: ccf_deb_url
|
||||||
|
|
||||||
|
|
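Review bot: The new `echo "https://github.com/microsoft/CCF/releases/download/ccf-{{ ccf_ver }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"` line hard-codes the `ccf-` tag prefix and the `_amd64` asset name without explaining either, while the `latest` branch resolves the asset through the GitHub API; a comment above the `if` such as `# "latest": ask the GitHub API for the .deb asset of the newest release; otherwise build the asset URL for release tag ccf-<ccf_ver>` would save the next reader from reconstructing this. The two branches also fail differently: a pinned version produces a URL that is only validated when it is downloaded, whereas the API branch runs `curl -s` without `--fail` and the pipeline's exit status is that of `cut`, so a rate-limited or error response leaves `ccf_deb_url` empty with the shell step still succeeding. How an empty `ccf_deb_url` is handled is outside the hunk, since the enclosing task starts before it.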
|
@ -1,37 +0,0 @@
|
||||||
- name: Include vars
|
|
||||||
include_vars: common.yml
|
|
||||||
|
|
||||||
- name: Download CCF release
|
|
||||||
get_url:
|
|
||||||
url: "{{ ccf_url }}"
|
|
||||||
dest: "{{ workspace }}"
|
|
||||||
|
|
||||||
- name: Create directory
|
|
||||||
file:
|
|
||||||
path: "/opt/ccf"
|
|
||||||
state: directory
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Expand CCF release
|
|
||||||
unarchive:
|
|
||||||
src: "/tmp/{{ ccf_tarball }}"
|
|
||||||
dest: "/opt/ccf"
|
|
||||||
extra_opts:
|
|
||||||
- --strip-components=1
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Copy cchost
|
|
||||||
copy:
|
|
||||||
src: "/opt/ccf/bin/cchost"
|
|
||||||
dest: "/usr/bin/cchost"
|
|
||||||
remote_src: true
|
|
||||||
mode: a=rx
|
|
||||||
become: true
|
|
||||||
when: run_only|bool
|
|
||||||
|
|
||||||
- name: Remove release
|
|
||||||
file:
|
|
||||||
path: "/opt/ccf"
|
|
||||||
state: absent
|
|
||||||
become: true
|
|
||||||
when: run_only|bool
|
|
|
@ -1,6 +1 @@
|
||||||
workspace: "/tmp/"
|
|
||||||
ccf_ver: "latest"
|
ccf_ver: "latest"
|
||||||
ccf_tarball: "ccf.tar.gz"
|
|
||||||
ccf_suffix: "{{ 'latest/download' if ccf_ver == 'latest' else 'download/ccf-' + ccf_ver }}"
|
|
||||||
ccf_url: "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/{{ ccf_tarball }}"
|
|
||||||
ccf_prefix: "/opt/openenclave"
|
|
||||||
|
|
|
@ -1,64 +0,0 @@
|
||||||
# Copyright (c) Open Enclave SDK contributors.
|
|
||||||
# Licensed under the MIT License.
|
|
||||||
|
|
||||||
---
|
|
||||||
- name: Include distribution vars
|
|
||||||
include_vars:
|
|
||||||
file: common.yml
|
|
||||||
|
|
||||||
- name: Install the dkms package
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- "dkms"
|
|
||||||
state: latest
|
|
||||||
update_cache: yes
|
|
||||||
install_recommends: no
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Populate service facts
|
|
||||||
service_facts:
|
|
||||||
|
|
||||||
- name: Ensure aesmd service stopped
|
|
||||||
service:
|
|
||||||
name: aesmd
|
|
||||||
state: stopped
|
|
||||||
when: "'aesmd.service' in ansible_facts.services"
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Download Intel SGX DCAP Driver
|
|
||||||
get_url:
|
|
||||||
url: "{{intel_sgx_w_flc_driver_url}}"
|
|
||||||
dest: /tmp/sgx_linux_x64_driver.bin
|
|
||||||
mode: 0755
|
|
||||||
timeout: 120
|
|
||||||
retries: 3
|
|
||||||
when: flc_enabled|bool
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Download Intel SGX1 Driver
|
|
||||||
get_url:
|
|
||||||
url: "{{intel_sgx1_driver_url}}"
|
|
||||||
dest: /tmp/sgx_linux_x64_driver.bin
|
|
||||||
mode: 0755
|
|
||||||
timeout: 120
|
|
||||||
retries: 3
|
|
||||||
when: not flc_enabled|bool
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install the Intel SGX DCAP Driver
|
|
||||||
command: /tmp/sgx_linux_x64_driver.bin
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Remove the Intel SGX DCAP Driver installer
|
|
||||||
file:
|
|
||||||
path: /tmp/sgx_linux_x64_driver.bin
|
|
||||||
state: absent
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Ensure aesmd service running
|
|
||||||
service:
|
|
||||||
name: aesmd
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
||||||
when: "'aesmd.service' in ansible_facts.services"
|
|
||||||
become: true
|
|
|
@ -1,39 +0,0 @@
|
||||||
- name: Include distribution vars
|
|
||||||
include_vars:
|
|
||||||
file: common.yml
|
|
||||||
|
|
||||||
- name: Install apt-transport-https APT package
|
|
||||||
apt:
|
|
||||||
name: apt-transport-https
|
|
||||||
state: latest
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add APT repository key
|
|
||||||
apt_key:
|
|
||||||
url: "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key"
|
|
||||||
state: present
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Add APT repository
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu {{ ansible_distribution_release }} main"
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install the Intel libsgx packages
|
|
||||||
apt:
|
|
||||||
name: "{{ intel_sgx_dev_packages }}"
|
|
||||||
state: latest
|
|
||||||
update_cache: yes
|
|
||||||
install_recommends: no
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: Install the Intel DCAP packages
|
|
||||||
apt:
|
|
||||||
name: "{{ intel_dcap_dev_packages }}"
|
|
||||||
state: latest
|
|
||||||
update_cache: yes
|
|
||||||
install_recommends: no
|
|
||||||
when: flc_enabled|bool
|
|
||||||
become: true
|
|
|
@ -3,8 +3,6 @@
|
||||||
|
|
||||||
---
|
---
|
||||||
flc_enabled: true
|
flc_enabled: true
|
||||||
intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin"
|
|
||||||
intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin"
|
|
||||||
|
|
||||||
intel_sgx_packages:
|
intel_sgx_packages:
|
||||||
- "libsgx-enclave-common"
|
- "libsgx-enclave-common"
|
||||||
|
@ -14,14 +12,7 @@ intel_sgx_packages:
|
||||||
- "libsgx-qe3-logic"
|
- "libsgx-qe3-logic"
|
||||||
- "libsgx-pce-logic"
|
- "libsgx-pce-logic"
|
||||||
|
|
||||||
intel_sgx_dev_packages:
|
|
||||||
- "libsgx-enclave-common-dev"
|
|
||||||
|
|
||||||
intel_dcap_packages:
|
intel_dcap_packages:
|
||||||
- "libsgx-dcap-ql"
|
- "libsgx-dcap-ql"
|
||||||
- "libsgx-urts"
|
- "libsgx-urts"
|
||||||
- "libsgx-quote-ex"
|
- "libsgx-quote-ex"
|
||||||
|
|
||||||
intel_dcap_dev_packages:
|
|
||||||
- "libsgx-dcap-ql-dev"
|
|
||||||
- "sgx-aesm-service"
|
|
||||||
|
|
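Review bot: `flc_enabled: true` survives at the top of this vars file, but the two consumers visible in this commit — the `when: flc_enabled|bool` guards in the deleted `sgx-driver.yml` and the deleted "Install the Intel DCAP packages" task — are removed with it; if no remaining task in the role reads the variable it is now dead configuration and should go, and if one does, a comment such as `# flc_enabled: still read by <remaining task> — TODO confirm` would tell the next maintainer why it stays. The rest of the role is not in the hunk, so this is inferred.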
|
@ -4,6 +4,11 @@
|
||||||
|
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
|
# Install ansible-base rather than ansible because service_facts
|
||||||
|
# is broken on Ubuntu 20.04 with the default apt package.
|
||||||
|
# See https://github.com/ansible/ansible/issues/68536 (fixed in ansible >= 2.10)
|
||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
sudo apt install ansible -y
|
sudo apt install software-properties-common
|
||||||
ansible-playbook "$@"
|
sudo add-apt-repository -y --update ppa:ansible/ansible
|
||||||
|
sudo apt install ansible-base -y
|
||||||
|
ansible-playbook "$@"
|
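Review bot: `sudo apt install software-properties-common` on the new side lacks `-y`, unlike the `sudo apt install ansible-base -y` two lines below, so on a host where the package is not yet installed apt will prompt, or abort when stdin is not a terminal, and `set -ex` then stops the script before the PPA is added; change it to `sudo apt install -y software-properties-common`. Adding `ppa:ansible/ansible` also widens what the host trusts for package installation, which the comment block above justifies only in terms of the `service_facts` bug; one more sentence there noting that the PPA is registered system-wide and can be dropped once the distro package ships ansible >= 2.10 would help whoever later revisits this script.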