-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
container ENV variables passing and parsing #46
Comments
From LibOS (Occlum, perhaps also same for Gramine) perpective, to run the workloads successfully, below information needs to be parsed first ( perhaps some component required here?) then pass to application agent (by LA channel?).
|
Environment variables can be viewed and set by any root process (or with sudo access) on the bare metal or VM node in the Kubernetes cluster. It might even be the case that between container launch request and when the variable is actually read to create the application enclave it could have been changed or post launch. This is a security concern when we are trying to keep the CSP outside of the trusted compute base. Further, this sort of pattern defeats approaches where we keep all config information in a git repo so human errors by administrators/devops are eliminated. Using config maps at least ensures that it could be signed and possibly even encrypted by the end-user, and is a record of what was used. See https://gramine.readthedocs.io/en/stable/manifest-syntax.html loader.insecure__use_cmdline_argv = true |
Oct 20, 2022 enclave-cc meeting -- Occulum allows the passing in of environment variables, no restrictions on name or number and cannot guarantee that they are what they should be. |
The traffic between kubectl and Pod is still untrusted because k8s infra still doesn't provide peer-to-peer trustworthy protection for CoCo. In Kata-CC, the construction and consumption of ENV always happen in TEE Pod. This is what Enclave-CC currently can inherit from Kata-CC. For example, the construction of oci spec (config.json) for app container could be done by enclave-agent, and the ENV with FUSE key can be transferred via LA channel established between app enclave and agent enclave . The resulting config.json will be used by runc hosting app container but it is not trusted. LibOS running inside app enclave only accepts the ENV retrieved from the established LA channel. |
is this referring to ENV variables defined in the image? |
At this point, the ENV variables defined by pod yaml and the ones defined in dockerfile/image are all combined together already. |
This is a good issue to follow: confidential-containers/confidential-containers#124 |
In enclave-cc meeting Nov 3, 2022 the main use case mentioned was for some actions like enable/disable image signature check etc, for debug/prototyping efforts. Would it make sense to support a debug flag to kubectl to pass through environment variables? |
This issue addresses the integrity of signature verification flag using measured and attested kernel command. However, it is not a general approach. From a long-term, CoCo and K8s ecosystem need to provide a general solution for securing ENV variables to allow both enclave-cc and kata-cc to re-use ENV variables to control the configurable settings. From a short-term, the protection problem of ENV variables is just triggered by "how to securely dynamically configure the signature verification flag. So we have several options for enclave-cc specific:
|
By discussing with hairong, Huaiqing,haokun, from the perspective of short-term goals, maybe we can use the following method to support complex applications,such as Redis. User information (env, entrypont, cwd etc) configured by users in K8S YAML can be passed to The specific implementation is as follows
|
Is there a reason this needs to go through |
efforts needed:
|
one idea is if the secure channel is established in k8s control plane, then the information can directly flow into agent with this design, another idea is even the k8s control plane is not secured, we can always ask agent to check the integrity of the value against future implemented RVPS(confidential-containers/confidential-containers#122) before sending to app enclave. |
before we start any implementation work I think we should explore the option of not going via enclave-agent. |
there's also a proposal discussed at confidential-containers/confidential-containers#126 with a wider scope. After study the issue, I have following comments:
|
hi,mikko. The reason why we go through
Thank you very much! |
"runtime-boot" (or |
hi, mikko. shim in enclave-cc generates the In occlum libos, it is actually passed in through the following interface. In libos, for safety, it will further check whether these environment variables are pre-defined in the In runtime boot, init needs to obtain information ( env, entrypoint, fuse key) before mounting the encrypted fuse file system. How does occlum We chose 2, because enclave-agent needs to send If choose option 1,
Do you have any other good ways? thanks very much! |
is "occlum init" same as our runtime-boot? |
Yes. Sorry for my unclear statement, "occlum init" refers to the init process of occlum in the runtime-boot phase. In runtime-boot, an init process is started first, and then the actual application process is started, such as the app enclave container in enclave-cc. For Occlum's default Thank you! |
The runtime env is already supported. The user can pass the struct Details please refer to https://github.com/qzheng527/occlum/tree/enclave-cc/demos/runtime_boot. |
We don't have the LA functionality anytime soon and also that |
I agree. With the envs information, we can try boot complicated container image, such as redis. |
updates after community meeting:
|
@qzheng527 a question about:
how do I use this value? Can I set it to "/" to cover paths like |
For complicated workloads, the tenant will set some specific ENV variables in config file. In order to run the workload successfully in Libos, The ENV variables should be passed.
Shim and enclave-agent will work together to parse and combine the environment variables, and eventually pass them to the app enclave.
The text was updated successfully, but these errors were encountered: