kbs: improvements to quickstart and misc #324
Conversation
kbs/tools/client/README.md
Outdated
|
|
||
| As an alternative, you can build it with the `sample_only` feature which allow | ||
| to mock attestation, thus, you will be able to perform some operations (e.g. | ||
| get resources) even by running outside of an TEE: |
There was a problem hiding this comment.
To be clear, the sample attester is always enabled and you can always use the kbs-client outside of a TEE. This flag means that no other attesters are available so you cannot do a real TEE attestation, but you don't have to worry about the dependencies that some of the hw attesters have.
Btw if we build the kbs-client in the CI we probably want to use this feature (or add a new one that disables the resource endpoint completely).
There was a problem hiding this comment.
If I understand correctly, we do not need CLI_FEATURES flag. And we can always build the client-tool with feature default. This will support both TEE and non-TEE cases. Right?
There was a problem hiding this comment.
The default features support all the use cases on all the platforms. For the tests in the CoCo CI, we only use the client for configuration. So we will use the sample_only feature there so that we don't have to install the SGX dependencies.
So yes, no need for any additional feature, although maybe at some point we could introduce features to enable/disable the config and resource endpoints separately. Not a high priority.
There was a problem hiding this comment.
hi @Xynnn007 @fitzthum , sorry, I misunderstood it completely. I built the default feature and run kbs-client on a non-TEE environment, and I was getting a attester related error (unfortunately I didn't save the logs). Then I built the client with sample_only feature and it magically worked out. Thus, I assumed (wrongly) sample_only feature should be used on non-TEE environments.
Now I updated my main branch and I no longer see the error with kbs-client built with default...probably I was hitting a bug solved recently.
I will re-phrase the sentences.
It seems obvious to mentioning on quickstart that rust is required to build the kbs. Not so obvious is the dependency to Golang in order to compile the OPA engine. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
The `make install-kbs` should have admin priviledges to write to /usr/local/bin. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
Added the `cli` and `install-cli` Make targets to, respectively, build the kbs-client and install into the system. If you want to build it with alternative features then you should overwrite the `CLI_FEATURES` variable, for example: $ make cli CLI_FEATURES=sample_only Some documents were update to mention the new targets. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
Update the instruction to start the kbs binary with sudo as it requires higher priviledges and in background. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
By default kbs listen at port 8080. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
wainersm
force-pushed
the
quickstart_improvements
branch
from
51aee2c to
2334ce9
Compare
|
Updated with following changes:
|
The Rego engine is really finicky about this sort of thing. In theory I don't think this should be required, but for now it is. |
Good idea. Let me do it. |
Created the sample_policies directory to hold exampe of policy files. An allow_all.rego and deny_all.rego files are added. Signed-off-by: Wainer dos Santos Moschetta <[email protected]>
wainersm
force-pushed
the
quickstart_improvements
branch
from
2334ce9 to
7556827
Compare
|
@fitzthum added the deny_all.rego policy. Oddly this policy requires no empty line at the end of the file... :D I tested it here, I could apply but didn't check it was really denying all. |
Yeah we sort of have an issue for this actually. We will probably switch to regorus (rust OPA engine soon) and hopefully that will resolve. |
fitzthum
merged commit 6c32b58
into
confidential-containers:main
I'm trying to catch up with latest changes of KBS project by following the quickstart. From within a fresh Ubuntu 22.04 VM (non TEE), I could run the instructions for the KBS on background check mode but not before fixing some instructions. I took that opportunity to have some improvements to the doc.