-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question: problems setting up Marblerun Quickstart SGX on local machine #327
Comments
Hey there When running with the Intel QPL you will probably also need to set the You can try running the PCCS as a Pod in minikube and configure the Coordinator to use the Pod as its PCCS. The reason why the Coordinator is able to start when using the Azure qpl is that you can use the Azure qpl to generate quotes. However, you will not be able to verify any as long as you are not running inside a VM provided by Azure. |
Hi @daniel-weisse, thank you for your reply. You were correct, the PCCS was not reachable from inside the minikube cluster. I reinstalled the PCCS and used this setting during installation:
After that the PCCS was reachable using Now the Coordinator starts when using the intel qpl ( The error seems to be similar to what happens when not setting the intel qpl when installing marblerun. Also, after installing emojivoto using helm, the coordinator starts crashing and restarting. The following snippets are the logs of the Coordinator and a Marble. Coordinator log:
Marble log:
Do I have to configure the marbles to use intel qpl when installing the emojivoto example? I already tried two things: The emojivoto manifest contains an
I also tried setting the DCAP library in the Marbles helm chart: In marble helm charts:
In sgx-values.yaml (since oe-config seems to parse this block
But this didn't do anything, either. |
I think this happens because the emojivoto container images were not built with the Intel QPL.
Can you check why this is happening? Could be due to resource exhaustion on the host. |
Thank you very much.
Resource exhaustion seems to be a plausible cause. The Coordinator starts crashing when the Cluster constantly tries to restart the three emojivoto pods and stops crashing, when the CrashLoopBackoff Intervals of the emojivoto pods get larger. I have attached the full logs of a crashed coordinator instance and the full pod description:
Edit: It seems to crash (almost) every time when emojivoto starts, during those restarts CPU Utilization is at 100%. I will keep this running for a while and check again later.
Edit2: I kept the cluster running, the coordinator does not crash every time emojivoto restarts. But since CPU Utilization hits 100% whenever emojivoto restarts and the system I'm testing on has a pretty weak CPU (Intel NUC) resource exhaustion is probably the most plausible cause for this.
|
I have uploaded new container images for emojivoto that were successfully verified by a Coordinator configured to use the Intel QPL. As for the crashes, I was not able to find anything in the logs. Maybe a For reference this is how I started my cluster: # Start minikube with 4 cpus, 8GB memory, and create the /dev/sgx sym links
# emojivoto and MarbleRun do not need the /var/run/aesmd socket, so it can be skipped
minikube start --cpus=4 --memory=8G --mount --mount-string=/dev/sgx:/dev/sgx
# Install cert-manager v1.10.1
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.10.1/cert-manager.yaml
# Install sgx webhook
kubectl apply -k https://github.com/intel/intel-device-plugins-for-kubernetes/deployments/sgx_plugin/overlays/epc-nfd/?ref=v0.23.0 |
Thank you for your help! With the changes made in the
Unfortunately the node description does not provide any helpul information about the reason why the coordinator was crashing. The Coordinator still crashes when emojivoto is starting, but it is able to reload the state after its restarts. After all Marbles are registered everything is working and the coordinator doesn't restart anymore. Like before, the coordinator logs don't really provide information about why this is happening. For the sake of completeness i have attached the coordinators full log. |
Hello, edgelessys team,
I'm having problems trying to set up sgx enabled marblerun in a local minikube cluster for running the emojivoto example.
My System runs Ubuntu LTS 20.04 and supports SGX and FLC (output from Gramines is-sgx-available tool):
Local Intel PCCS and AESMD services (sgx-aesm-service and sgx-dcap-pccs from intel sgx apt repo) are running and all other libsgx-* packages from apt are installed. “USE_SECURE_CERT”=FALSE is set in
/etc/sgx_default_qcnl.conf
. System is on the latest BIOS, so the TCB should not be a Problem.The minikube cluster is set up like the one from your tf-training repo:
When checking with kubectl the sgx device plugin is running, and
marblerun precheck
validates this:I tried both, starting marblerun using the
--dcap-qpl intel
flag, and without:When running
marblerun install --dcap-secure-cert FALSE --dcap-qpl intel
the coordinator fails when invoking main:When running
marblerun install --dcap-secure-cert FALSE
(so it should be using the azure qpl) the coordinator starts, but the marbles fail:Coordinator log:
When marble tries to register:
Marble log:
To check the qpl I tried running Intels QuoteGenerationSample and it's working, but this is running on the host os and not in the minikube cluster.
The ego remote attestation sample is working locally, too (using the ego snap).
Do you have any ideas what could cause these problems?
Looking forward to your reply.
The text was updated successfully, but these errors were encountered: