Regarding the execution of functions in Trusted Execution Environments (TEEs) when the container runtime is utilized (using either Python or Rust APIs), it is also necessary to pass the SGX driver to the container for proper functionality.
For instance, if we were to run the container manually from a terminal, the following command would be required:
```bash
docker run --device=/dev/<sgxdriver> function_image
```
Hence, in docker_utils.rs, the start_container() function could be modified like this (these are the actual modifications for our PoC):
```rust
// ...
let mut devices = vec![]; // This has been added.
// For now only SGX driver could be needed
let sgx_nuc_driver = rs_docker::container::DeviceStruct {
    CgroupPermissions: "rwm".to_string(),
    PathOnHost: "/dev/isgx".to_string(),
    PathInContainer: "/dev/isgx".to_string(),
};
devices.push(sgx_nuc_driver); // More drivers could be included in this vector in the future if needed.
let id = match docker.create_container(
    name.to_string(),
    rs_docker::container::ContainerCreate {
        Image: image_name.clone(),
        Labels: None,
        ExposedPorts: None,
        HostConfig: Some(rs_docker::container::HostConfigCreate {
            NetworkMode: None,
            PublishAllPorts: Some(true),
            PortBindings: None,
            Devices: Some(devices), // This is also an addition
        }),
    },
)
// ...
```
However, to achieve this, there are some concerns:
The latest version of rs-docker is v0.0.60, which does not support Devices out of the box. We have submitted a PR, but we do not know if or when it will be accepted, allowing us to use a newer version of rs-docker from crates.io (It could be possible however, until then, to use the code of a fork that contains the needed modifications).
Where will we take these devices from?
For our PoC only the SGX driver was used, therefore, it is hardcoded inside the function.
Other thoughts:
Perhaps, in the future, would it make sense for functions that utilize the container runtime to support other device drivers (for example, other specialized hardware)?
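One way to answer the "where do the devices come from" question without hardcoding /dev/isgx, as an added example that is not code from the issue or the project: the candidate list, the `DeviceSpec` type, `select_devices` and `devices_json` are all assumptions introduced here, and the in-tree device name /dev/sgx_enclave is likewise an assumption not mentioned in the issue.

```rust
// Added example (not the project's or the issue author's code): build the
// HostConfig "Devices" entries for start_container() from a candidate list
// instead of hardcoding /dev/isgx. Field names mirror the Docker Engine API
// JSON (PathOnHost, PathInContainer, CgroupPermissions) that rs_docker uses.
#[derive(Debug, Clone, PartialEq)]
pub struct DeviceSpec {
    pub path_on_host: String,
    pub path_in_container: String,
    pub cgroup_permissions: String,
}

/// Device nodes to look for. /dev/isgx is the out-of-tree driver named in the
/// issue; /dev/sgx_enclave (in-tree driver, Linux 5.11+) is an assumption.
pub const SGX_DEVICE_CANDIDATES: &[&str] = &["/dev/isgx", "/dev/sgx_enclave"];

/// One entry per candidate that `exists` reports present on the host, mapped to
/// the same path in the container. `exists` is injected (e.g. |p| Path::new(p)
/// .exists()) so the selection can be exercised without an SGX machine.
pub fn select_devices<F: Fn(&str) -> bool>(
    candidates: &[&str],
    perms: &str,
    exists: F,
) -> Result<Vec<DeviceSpec>, String> {
    // Docker only understands r, w and m; fail before the create call instead
    // of letting the daemon reject it. "rwm" is the PoC setting; "rw" is
    // enough when the enclave runtime never needs mknod on the node.
    if perms.is_empty() || !perms.chars().all(|c| "rwm".contains(c)) {
        return Err(format!("invalid CgroupPermissions: {:?}", perms));
    }
    let specs = candidates.iter().copied().filter(|p| exists(*p)).map(|p| DeviceSpec {
        path_on_host: p.to_string(),
        path_in_container: p.to_string(),
        cgroup_permissions: perms.to_string(),
    });
    Ok(specs.collect())
}

/// Render the entries as the JSON fragment Docker expects under HostConfig.Devices.
pub fn devices_json(devices: &[DeviceSpec]) -> String {
    let items: Vec<String> = devices
        .iter()
        .map(|d| format!(
            r#"{{"PathOnHost":"{}","PathInContainer":"{}","CgroupPermissions":"{}"}}"#,
            d.path_on_host, d.path_in_container, d.cgroup_permissions
        ))
        .collect();
    format!("[{}]", items.join(","))
}
```

The returned entries map one-to-one onto rs_docker's `DeviceStruct`, so the vector pushed in start_container() can be built from `select_devices` instead of a single hardcoded node.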