forked from gramineproject/gramine
-
Notifications
You must be signed in to change notification settings - Fork 0
/
redis-server.manifest.template
153 lines (122 loc) · 6.83 KB
/
redis-server.manifest.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# Redis manifest file example
################################## GRAMINE ####################################
# PAL entrypoint (points to the LibOS layer library of Gramine). There is
# currently only one implementation, so it is always set to libsysdb.so.
loader.entrypoint = "file:{{ gramine.libos }}"
# Entrypoint binary which Gramine invokes.
libos.entrypoint = "/redis-server"
# Verbosity of Gramine debug log (none/error/warning/debug/trace/all). Note
# that GRAMINE_LOG_LEVEL macro is expanded in the Makefile as part of the
# building process: the default is "error" for non-debug builds, and "debug"
# for debug builds.
loader.log_level = "{{ log_level }}"
################################# ARGUMENTS ###################################
# Hardcode application arguments. See README for explanations.
loader.argv = ["redis-server", "--save", ""]
################################# ENV VARS ####################################
# Specify paths to search for libraries. The usual LD_LIBRARY_PATH syntax
# applies. Paths must be in-Gramine visible paths, not host-OS paths (i.e.,
# paths must be taken from fs.mounts[...].path, not fs.mounts[...].uri).
#
# In case of Redis:
# - /lib is searched for Glibc libraries (ld, libc, libpthread)
# - {{ arch_libdir }} is searched for Name Service Switch (NSS) libraries
loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/{{ arch_libdir }}"
################################## SIGNALS ####################################
# Allow for injecting SIGTERM signal from the host. Without this option,
# pressing `Ctrl + C` wouldn't terminate Redis.
sys.enable_sigterm_injection = true
################################# MOUNT FS ####################################
# General notes:
# - There is only one supported type of mount points: 'chroot'.
# - Directory names are (somewhat confusingly) prepended by 'file:'.
# - Names of mount entries (lib, lib2, lib3) are irrelevant but must be unique.
# - In-Gramine visible path names may be arbitrary but we reuse host-OS URIs
# for simplicity (except for the first 'lib' case).
fs.mounts = [
# Mount host-OS directory to Gramine glibc/runtime libraries (in 'uri') into
# in-Gramine visible directory /lib (in 'path').
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
# Mount host-OS directory to Name Service Switch (NSS) libraries (in 'uri')
# into in-Gramine visible directory /lib/x86_64-linux-gnu (in 'path').
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ path = "/usr/{{ arch_libdir }}", uri = "file:/usr/{{ arch_libdir }}" },
# Mount host-OS directory to NSS files required by Glibc + NSS libs (in 'uri')
# into in-Gramine visible directory /etc (in 'path').
{ path = "/etc", uri = "file:/etc" },
# Mount redis-server executable (located in the current directory) under the
# in-Gramine visible root directory.
{ path = "/redis-server", uri = "file:redis-server" },
]
############################### SGX: GENERAL ##################################
# Create a debug SGX enclave (with SIGSTRUCT.ATTRIBUTES.DEBUG bit set to 1).
# This allows to debug Gramine with the application using GDB, read perf
# counters and enable SGX statistics. Note that this option is *insecure*!
sgx.debug = false
# Set enclave size (somewhat arbitrarily) to 1024MB. Recall that SGX v1 requires
# to specify enclave size at enclave creation time. If Redis exhausts these
# 1024MB then it will start failing with random errors. Greater enclave sizes
# result in longer startup times, smaller enclave sizes are not enough for
# typical Redis workloads.
sgx.enclave_size = "1024M"
# Enable Enclave Dynamic Memory Management (EDMM) feature based on EDMM
# environment variable. This allows for addition of pages to enclave in runtime,
# instead of allocating them upfront at startup. If this feature is enabled,
# `sgx.enclave_size` above describes a maximal enclave size and can usually be
# increased without negative consequences (it does not impact startup time).
sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }}
# Set maximum number of in-enclave threads (somewhat arbitrarily) to 8. Recall
# that SGX v1 requires to specify the maximum number of simultaneous threads at
# enclave creation time.
#
# Note that internally Gramine may spawn two additional threads, one for IPC
# and one for asynchronous events/alarms. Redis is technically single-threaded
# but spawns couple additional threads to do background bookkeeping. Therefore,
# specifying '8' allows to run a maximum of 6 Redis threads which is enough.
sgx.max_threads = 8
############################# SGX: TRUSTED FILES ###############################
# Specify all files used by Redis and its dependencies (including all libraries
# which can be loaded at runtime via dlopen), as well as other static read-only
# files (like configuration files).
#
# The paths to files are host-OS paths. These files will be searched for in
# in-Gramine visible paths according to mount points above.
#
# As part of the build process, Gramine-SGX script (`gramine-sgx-sign`) finds
# each specified file, measures its hash, and adds it to the manifest entry for
# that file (converting each entry to a table with "uri" and "sha256" keys).
# Note that this happens on the developer machine or a build server.
#
# At runtime, during loading of each "trusted file", Gramine-SGX measures its
# hash and compares with the "sha256" value in the corresponding manifest entry.
# If hashes match, this file is trusted and allowed to be loaded and used. Note
# that this happens on the client machine.
sgx.trusted_files = [
"file:{{ gramine.libos }}",
"file:redis-server",
"file:{{ gramine.runtimedir() }}/",
"file:{{ arch_libdir }}/",
"file:/usr/{{ arch_libdir }}/",
]
############################# SGX: ALLOWED FILES ###############################
# Specify all non-static files used by app. These files may be accessed by
# Gramine-SGX but their integrity is not verified (Gramine-SGX does not
# measure their hashes). This may pose a security risk!
sgx.allowed_files = [
# Name Service Switch (NSS) files. Glibc reads these files as part of name-
# service information gathering. For more info, see 'man nsswitch.conf'.
"file:/etc/nsswitch.conf",
"file:/etc/ethers",
"file:/etc/hosts",
"file:/etc/group",
"file:/etc/passwd",
# getaddrinfo(3) configuration file. Glibc reads this file to correctly find
# network addresses. For more info, see 'man gai.conf'.
"file:/etc/gai.conf",
]
############################# RAKIS CONFIG ###############################
rakis.enabled = true
rakis.net_threads_num = 1
rakis.netifs = [ { interface_name = "ens1f0", ip_addr = "10.50.0.1", gw_addr = "10.50.0.1", netmask = "255.255.0.0", mac_addr = "40:a6:b7:40:37:f8", xsks = [ { qid = 0, ctrl_prcs_path = "/tmp/rakis-xdp-def-ctrl" } ] }]
rakis.io_uring.io_urings_num = 8
rakis.arp_table = [ { ip_addr = "10.50.0.2", mac_addr = "40:a6:b7:40:37:f9" } ]