0e2025b67c
Signed-off-by: Daniel Weiße <dw@edgeless.systems>
constellation-coordinator
Prerequisites
- Go 1.18
Ubuntu 20.04
sudo apt install build-essential cmake libssl-dev pkg-config libcryptsetup12 libcryptsetup-dev
curl https://sh.rustup.rs -sSf | sh
Amazon Linux
sudo yum install cmake3 gcc make
curl https://sh.rustup.rs -sSf | sh
Build
mkdir build
cd build
cmake ..
make -j`nproc`
CMake build options:
Release build
This option leaves out debug symbols and turns on more compiler optimizations.
cmake -DCMAKE_BUILD_TYPE=Release ..
Static build (coordinator as static binary, no dependencies on libc or other libraries)
Install the musl-toolchain
Ubuntu / Debian:
sudo apt install -y musl-tools
rustup target add x86_64-unknown-linux-musl
From source (Amazon-Linux):
wget https://musl.libc.org/releases/musl-1.2.2.tar.gz
tar xfz musl-1.2.2.tar.gz
cd musl-1.2.2
./configure
make -j `nproc`
sudo make install
rustup target add x86_64-unknown-linux-musl
Add musl-gcc to your PATH (the source build above installs to /usr/local/musl):
export PATH=$PATH:/usr/local/musl/bin/
Compile the coordinator
cmake -DCOORDINATOR_STATIC_MUSL=ON ..
Cloud credentials
Using the CLI or debug-CLI requires the user to make authorized API calls to the AWS or GCP API.
Google Cloud Platform (GCP)
If you are running from within a Google VM, and the VM is allowed to access the necessary APIs, no further configuration is needed.
Otherwise you have a couple of options:
- Use the gcloud CLI tool: gcloud auth application-default login
This will ask you to log into your Google account and then create your credentials. The Constellation CLI will automatically load these credentials when needed.
- Set up a service account and pass the credentials manually. Follow Google's guide for setting up your credentials.
Amazon Web Services (AWS)
To use the CLI with a Constellation cluster on AWS, configure the following files:
$ cat ~/.aws/credentials
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
$ cat ~/.aws/config
[default]
region = us-east-2
Azure
To use the CLI with a Constellation cluster on Azure, execute:
az login
Deploying a locally compiled coordinator binary
By default, constellation create ... will spawn cloud provider instances with a pre-baked coordinator binary.
For testing, you can use the constellation debug daemon (debugd) to upload your local coordinator binary to running instances and to obtain SSH access.
Follow this introduction on how to install and set up cdbg.
debug daemon (debugd)
debugd Prerequisites
- Go 1.18
Build debugd
mkdir -p build
go build -o build/debugd debugd/debugd/cmd/debugd/debugd.go
Build & install cdbg
The go install command for cdbg only works inside the checked out repository due to replace directives in the go.mod file.
git clone https://github.com/edgelesssys/constellation && cd constellation
go install github.com/edgelesssys/constellation/debugd/cdbg
debugd & cdbg usage
With cdbg installed in your path:
- Run constellation --dev-config /path/to/dev-config create […] while specifying a cloud-provider image with the debugd already included. See Configuration for a dev-config with a custom image and firewall rules that allow incoming connections on the debugd default port 4000.
- Run cdbg deploy --dev-config /path/to/dev-config
- Run constellation init […] as usual
debugd GCP image
For GCP, run the following command to get a list of all constellation images, sorted by their creation date:
gcloud compute images list --filter="name~'constellation-.+'" --sort-by=~creationTimestamp
Choose the newest debugd image with the naming scheme constellation-coreos-debugd-<timestamp>.
debugd Azure Image
For Azure, run the following command to get a list of all constellation debugd images, sorted by their creation date:
az sig image-version list --resource-group constellation-images --gallery-name Constellation --gallery-image-definition constellation-coreos-debugd --query "sort_by([], &publishingProfile.publishedDate)[].id" -o table
Choose the newest debugd image and copy the full URI.
debugd Configuration
You should first locate the newest debugd image for your cloud provider (GCP, Azure).
This tool uses the dev-config file from constellation-coordinator and extends it with more fields.
See this example for the possible settings and for how to set up the constellation CLI to use a cloud-provider image and firewall rules with support for debugd:
{
  "cdbg": {
    "authorized_keys": [
      {
        "user": "my-username",
        "pubkey": "ssh-rsa AAAAB…LJuM="
      }
    ],
    "coordinator_path": "/path/to/coordinator",
    "systemd_units": [
      {
        "name": "some-custom.service",
        "contents": "[Unit]\nDescription=…"
      }
    ]
  },
  "provider": {
    "gcpconfig": {
      "image": "constellation-coreos-debugd-TIMESTAMP",
      "firewallinput": {
        "Ingress": [
          {
            "Name": "coordinator",
            "Description": "Coordinator default port",
            "Protocol": "tcp",
            "Port": 9000
          },
          {
            "Name": "wireguard",
            "Description": "WireGuard default port",
            "Protocol": "udp",
            "Port": 51820
          },
          {
            "Name": "ssh",
            "Description": "SSH",
            "Protocol": "tcp",
            "Port": 22
          },
          {
            "Name": "debugd",
            "Description": "debugd default port",
            "Protocol": "tcp",
            "Port": 4000
          }
        ]
      }
    },
    "azureconfig": {
      "image": "/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/CONSTELLATION-IMAGES/providers/Microsoft.Compute/galleries/Constellation/images/constellation-coreos-debugd/versions/0.0.TIMESTAMP",
      "networksecuritygroupinput": {
        "Ingress": [
          {
            "Name": "coordinator",
            "Description": "Coordinator default port",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 9000
          },
          {
            "Name": "wireguard",
            "Description": "WireGuard default port",
            "Protocol": "udp",
            "IPRange": "0.0.0.0/0",
            "Port": 51820
          },
          {
            "Name": "ssh",
            "Description": "SSH",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 22
          },
          {
            "Name": "debugd",
            "Description": "debugd default port",
            "Protocol": "tcp",
            "IPRange": "0.0.0.0/0",
            "Port": 4000
          }
        ]
      }
    }
  }
}
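The Azure rules in the example above open SSH (22) and the debugd port (4000) to 0.0.0.0/0, which only makes sense for a throwaway debug cluster. As an added example that is not part of the Constellation repository, the following Go lint parses a dev-config fragment and flags every networksecuritygroupinput rule that exposes one of those two debug-only ports to every source address; the names LintAzureIngress, debugOnlyPorts and sampleDevConfig are assumptions, and the sample config is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the dev-config fields the lint reads; key names follow the README's example.
type ingressRule struct {
	Name    string `json:"Name"`
	IPRange string `json:"IPRange"`
	Port    int    `json:"Port"`
}
type devConfig struct {
	Provider struct {
		AzureConfig struct {
			NSG struct {
				Ingress []ingressRule `json:"Ingress"`
			} `json:"networksecuritygroupinput"`
		} `json:"azureconfig"`
	} `json:"provider"`
}
// Ports the README opens only so cdbg can upload a coordinator binary and give SSH access.
var debugOnlyPorts = map[int]string{22: "ssh", 4000: "debugd"}
// LintAzureIngress returns one finding per rule that exposes a debug-only port
// to every source address (IPRange 0.0.0.0/0), in the order the rules appear.
func LintAzureIngress(raw []byte) ([]string, error) {
	var cfg devConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse dev-config: %w", err)
	}
	var findings []string
	for _, r := range cfg.Provider.AzureConfig.NSG.Ingress {
		if svc, ok := debugOnlyPorts[r.Port]; ok && r.IPRange == "0.0.0.0/0" {
			findings = append(findings, fmt.Sprintf("rule %q opens %s port %d to 0.0.0.0/0; restrict IPRange to the operator's address", r.Name, svc, r.Port))
		}
	}
	return findings, nil
}
// sampleDevConfig is a constructed fragment: SSH limited to one /32 (fine),
// debugd open to the world (flagged), coordinator port 9000 (not a debug port).
const sampleDevConfig = `{"provider":{"azureconfig":{"networksecuritygroupinput":{"Ingress":[
{"Name":"ssh","IPRange":"203.0.113.5/32","Port":22},
{"Name":"debugd","IPRange":"0.0.0.0/0","Port":4000},
{"Name":"coordinator","IPRange":"0.0.0.0/0","Port":9000}]}}}}`

func main() {
	findings, err := LintAzureIngress([]byte(sampleDevConfig))
	fmt.Println(findings, err) // one finding, for the debugd rule
}
```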