Fixed: #96
The current quick start is relatively lengthy; this commit makes the technology stacks for special HW separate markdown pages:
- Use simple-kbs to encrypt container image and deploy it on SEV: `guides/sev-guide.md`
- Use Verdictd to encrypt container image and deploy it on TDX: `guides/eaa-verdictd-guide.md`
Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
The patch includes a number of fixes for the architecture doc.
Fixes the logical flow between the attestation agent and relying party
for all the diagrams.
Fixes the architecture diagram for process-based TEEs and replaces
references to inclavare with enclave-cc.
Added the architecture diagram for peer-pods approach.
Finally updated the markdown to use relative paths for the images to make
it easier for viewing during reviews and editors.
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Let's add a small piece of documentation about what the users should do
in case they want to try enclave-cc with a different KBC.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
While preparing the `v0.3.0` release, we've noticed that using a VM with
2 vCPUs would lead to:
```
Name: cc-operator-controller-manager-79797456f6-spmss
Namespace: confidential-containers-system
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 4m12s default-scheduler 0/1 nodes are available: 1 Insufficient cpu. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod.
```
And this is *NOT* something introduced between `v0.2.0` and `v0.3.0`, as
it also happens with the previous release.
For now, let's update the documentation accordingly and revisit this
after the release in case we need to really rely on deploying in nodes
with 2 vCPUs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're about to release v0.3.0, let's update the quickstart guide so
it's easier for folks to try it out using the correct latest release.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's adapt the instructions to using kustomize for deploying the sample
ccruntime custom resource.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The operator does not work(**) with SELinux enabled and enforced. Added
a note about it on the prerequisites section.
(**) https://github.com/confidential-containers/operator/issues/115
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The CoCo Pod might fail when the *IfNotPresent* policy is set. Add some
words about that on the troubleshooting section.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
skopeo can leave the image unencrypted without any notice. Added a
comment about checking that this is not the case for an image built by the
user.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Mentioned that the encryption key for SEV offline KBC should have 32
bytes and be base64 encoded.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
There is a bug(**) on sevctl affecting some versions of the package on RHEL
and Fedora. Added a note mentioning it might be needed to build the tool
from the sources.
(**) https://bugzilla.redhat.com/show_bug.cgi?id=2037963
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The sevctl repository at the enarx organization is now read-only as the development moved to
https://github.com/virtee/sevctl. The URL was updated in the quickstart.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Add new feature for authenticated registry support and point to
the design docs. We might have more info on how to set it up in future,
but that is probably linked to configuring the guest image for
offline_fs_kbc configuration in the non-TEE scenario and separate for
other confidential hardware, so we might need the quickstart guide
to be broken down into separate topics first.
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Adding extra information about the flag in skopeo copy command.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Fixing newline change.
Fixing the newline change.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Removing sudo for docker commands
Assuming the user has set up docker correctly, we do not need to use sudo for docker commands.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
quickstart: Filling gaps in the SEV documentation.
Fixing a couple of permission issues and command line parameters for skopeo.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Enclave CC requires the Kind cluster to be prepared with
`/opt/confidential-containers` **not** mounted on an overlayfs,
but rather being part of the `hostPath` mount.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
It's a known limitation that QEMU-based runtime classes will not work
with Kind or Minikube, leading to:
```
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 42s default-scheduler Successfully assigned default/nginx-kata-qemu to minikube
Warning FailedCreatePodSandBox 9s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim task: Failed to Check if grpc server is working: rpc error: code = DeadlineExceeded desc = timed out connecting to vsock 3189232285:1024: unknown
```
This needs further debugging in order to get to the root cause of the issue,
and potentially to a fix. However, for now, we should make sure that we
document such a limitation.
One issue already reported about this is
https://github.com/confidential-containers/operator/issues/124, and
that's also been observed by Pradipta during the early tests of v0.1.0.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>