Moving the contents of the SNP documentation to the CoCo website and removing the SEV documentation to be deprecated soon. Pointing to the website in quickstart guide and coco-dev guide.
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
Updating the SEV and SNP guides to include instructions on launching CoCo with SEV and SNP memory encryption.
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
Reorganizing the quickstart guide and adding a new guide page for CoCo-dev instructions for testing CoCo without the use of memory encryption or attestation.
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
The non-tee guide predates the sample attester, which
allows us to use the attestation flow without hardware
support.
Before that we had a workaround in the operator
that would provision a guest image with certain
keys already baked into that.
This is known as the ssh-demo in the operator,
but it shouldn't be confused with the ssh-demo
that we have in this repo, which is just a container
that ships with an ssh daemon inside of it.
The ssh-demo in this repo doesn't necessarily require
attestation and is unrelated.
We are removing the ssh-demo operator CRD so the nontee
guide should go as well.
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
This PR updates the docker compose command to avoid failures while
running `docker-compose` which is not a valid command.
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Fixes: https://github.com/confidential-containers/enclave-cc/issues/181
- Add the content of deploy KBS cluster and create encrypted image in enclave-cc.md
- Delete verdictd in enclave-cc.md and add cc-kbc and sample-kbc content, and give examples of usage
- Modify the creation of enclave-cc custom resource in quickstart.md
Signed-off-by: Huiting Hou <huiting.hou@linux.alibaba.com>
Simplify quickstart guide to cover installation,
basic usage, encryption/signing, attestation.
Focus on the generic KBS.
Everything else is moved to other files. Pointers
to the relevant files are included where needed.
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Fixed: #96
The current quick start is relatively lengthy;
this commit makes the technology stacks for special HW separate markdown pages:
- Use simple-kbs to encrypt container image and deploy it on SEV: `guides/sev-guide.md`
- Use Verdictd to encrypt container image and deploy it on TDX: `guides/eaa-verdictd-guide.md`
Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
Let's add a small piece of documentation about what the users should do
in case they want to try enclave-cc with a different KBC.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
While preparing the `v0.3.0` release, we've noticed that using a VM with
2 vCPUs would lead to:
```
Name: cc-operator-controller-manager-79797456f6-spmss
Namespace: confidential-containers-system
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 4m12s default-scheduler 0/1 nodes are available: 1 Insufficient cpu. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod.
```
And this is *NOT* something introduced between `v0.2.0` and `v0.3.0`, as
it also happens with the previous release.
For now, let's update the documentation accordingly and revisit this
after the release in case we need to really rely on deploying in nodes
with 2 vCPUs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're about to release v0.3.0, let's update the quickstart guide so
it's easier for folks to try it out using the correct latest release.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's adapt the instructions to using kustomize for deploying the sample
ccruntime custom resource.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The CoCo Pod might fail when *IfNotPresent* policy is set. Add some
words about that in the troubleshooting section.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
skopeo can leave the image unencrypted without any notice. Added a
comment about checking it is not the case for an image built by the
user.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
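The check this commit asks users to perform (confirming that skopeo actually produced an encrypted image) can be automated against the manifest that `skopeo inspect --raw` prints. The script below is an added example, not part of the documentation or of the skopeo project; it assumes the ocicrypt conventions that an encrypted layer's `mediaType` ends in `+encrypted` and carries `org.opencontainers.image.enc.keys.*` annotations, and the sample manifest embedded in it is constructed.

```python
"""Flag OCI image layers that were not encrypted.

Added example (not from the documentation or from skopeo). Assumptions:
an encrypted layer's mediaType ends in "+encrypted" and the layer carries
"org.opencontainers.image.enc.keys.*" annotations (ocicrypt conventions).
The sample manifest is constructed; digests and key material are fake.
"""
import json
import sys

ENC_SUFFIX = "+encrypted"
ENC_KEY_ANNOTATION_PREFIX = "org.opencontainers.image.enc.keys."


def layer_is_encrypted(layer: dict) -> bool:
    """A layer counts as encrypted only when both signals agree.

    A "+encrypted" media type without any wrapped-key annotation is treated
    as unencrypted too: nobody could decrypt it, so it is worth flagging
    rather than silently accepting.
    """
    media_type = layer.get("mediaType", "")
    annotations = layer.get("annotations") or {}
    has_wrapped_key = any(k.startswith(ENC_KEY_ANNOTATION_PREFIX) for k in annotations)
    return media_type.endswith(ENC_SUFFIX) and has_wrapped_key


def unencrypted_layers(manifest: dict) -> list:
    """Return the digests of every layer that is not encrypted."""
    return [
        layer.get("digest", "<no digest>")
        for layer in manifest.get("layers", [])
        if not layer_is_encrypted(layer)
    ]


def manifest_is_encrypted(manifest: dict) -> bool:
    """True only if the manifest has layers and all of them are encrypted."""
    layers = manifest.get("layers", [])
    return bool(layers) and not unencrypted_layers(manifest)


# Constructed sample: one properly encrypted layer, one plain layer that
# skopeo left untouched, and one with the media type but no wrapped key.
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "c" * 64, "size": 1234},
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
         "digest": "sha256:" + "a" * 64, "size": 5678,
         "annotations": {"org.opencontainers.image.enc.keys.jwe": "Y29uc3RydWN0ZWQ=",
                         "org.opencontainers.image.enc.pubopts": "eyJjaXBoZXIiOiJBRVNfMjU2X0NUUl9ITUFDX1NIQTI1NiJ9"}},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "b" * 64, "size": 9012},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
         "digest": "sha256:" + "d" * 64, "size": 3456},
    ],
}


if __name__ == "__main__":
    # Usage: python check_encrypted.py manifest.json   (from `skopeo inspect --raw`)
    # With no argument the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            manifest = json.load(fh)
    else:
        manifest = SAMPLE_MANIFEST
    leaked = unencrypted_layers(manifest)
    if manifest_is_encrypted(manifest):
        print("OK: all layers are encrypted")
    else:
        print("WARNING: unencrypted layers found:")
        for digest in leaked:
            print("  ", digest)
        sys.exit(1)
```

Run it against the JSON from `skopeo inspect --raw docker://<your-image>` before pushing an image to a registry; a non-zero exit means at least one layer would be readable by anyone who can pull it.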
Mentioned that the encryption key for SEV offline KBC should have 32
bytes and be base64 encoded.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
There is a bug (**) on sevctl affecting some versions of the package on RHEL
and Fedora. Added a note mentioning it might be needed to build the tool
from the sources.
(**) https://bugzilla.redhat.com/show_bug.cgi?id=2037963
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
sevctl repository at enarx organization is now read-only as the development moved to
https://github.com/virtee/sevctl. The URL was updated in the quickstart.
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Adding extra information about the flag in skopeo copy command.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Fixing newline change.
Fixing the newline change.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Removing sudo for docker commands
Assuming the user has set up docker correctly, we do not need to use sudo for docker commands.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
quickstart: Filling gaps in the SEV documentation.
Fixing a couple of permission issues and command line parameters for skopeo.
Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
Enclave CC requires the Kind cluster to be prepared with
`/opt/confidential-containers` to **not** be mounted on an overlayfs,
but rather be part of the `hostPath` mount.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
It's a known limitation that QEMU based runtime classes will not work
with Kind or Minikube, leading to:
```
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 42s default-scheduler Successfully assigned default/nginx-kata-qemu to minikube
Warning FailedCreatePodSandBox 9s kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim task: Failed to Check if grpc server is working: rpc error: code = DeadlineExceeded desc = timed out connecting to vsock 3189232285:1024: unknown
```
This needs further debugging in order to get to the root cause of the issue,
and potentially to a fix. However, for now, we should make sure that we
document such a limitation.
One issue already reported about this is
https://github.com/confidential-containers/operator/issues/124, and
that's also been observed by Pradipta during the early tests of v0.1.0.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The operator dropped the deploy/deploy.yaml based deployment and moved
to a kustomize based one so update the docs to reflect that change.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Add instructions for how to set up, create and validate a
workload from the sample encrypted container image
Fixes: #confidential-containers/operator#77
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
We have a script that does most of the gruntwork as part of the CI, but can be
used locally on a machine to quickly set up a single-node test cluster. Let's
document that option.
Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
Suggested-by: Tobin Feldman-Fitzthum <tobin@ibm.com>