Merge pull request #5 from kailun-qin/dev-aesm

stormgbs · web-flow · commit 61891187ae97 · 2020-01-06T11:10:09.000+08:00
[Feature] Add AESM socket attachment support
diff --git a/README.md b/README.md
@@ -143,7 +143,9 @@ spec:
         alibabacloud.com/sgx_epc_MiB: 20
 ```
 
-If you want a remote attestation, you should mount `/var/run/aesmd/aesm.socket` in your container, maybe like this:
+If you want a remote attestation, aesm.socket MUST BE mounted inside application containers. There are two ways to achieve it:
+
+Way 1: Mount aesm.socket (i.e. /var/run/aesmd/aesm.socket) inside your application containers manually, maybe like this:
 
 ```yaml
 apiVersion: v1
@@ -172,6 +174,8 @@ spec:
 
 ```
 
+Way 2: Enable AESM socket attachment of sgx-device-plugin (via --enable-aesm-socket-attach=true) which will help you mount ASEM socket inside your application containers automatically. See deploy/sgx-device-plugin-enable-aesm.yml.
+
 ## FAQ
 
 * **Can I deploy this SGX device plugin in my own self-hosting Kubernetes?**  
diff --git a/cmd/sgx-device-plugin/main.go b/cmd/sgx-device-plugin/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"syscall"
 
 	"github.com/fsnotify/fsnotify"
@@ -12,7 +13,13 @@ import (
 	"github.com/AliyunContainerService/sgx-device-plugin/pkg/utils"
 )
 
+func init() {
+	flag.BoolVar(&sgx.EnableAESMSocketAttach, "enable-aesm-socket-attach", false, "Enables attachment of AESM service socket")
+}
+
 func main() {
+	flag.Parse()
+
 	klog.Infof("Detecting SGX devices ...")
 	if len(sgx.GetDevices()) == 0 {
 		panic("No Device Found.")
diff --git a/deploy/sgx-device-plugin-enable-aesm.yml b/deploy/sgx-device-plugin-enable-aesm.yml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: sgx-device-plugin-ds
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      k8s-app: sgx-device-plugin
+  template:
+    metadata:
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ""
+      labels:
+        k8s-app: sgx-device-plugin
+    spec:
+      containers:
+        - image: registry.cn-hangzhou.aliyuncs.com/acs/sgx-device-plugin:v1.0.0-fb467e2-aliyun
+          imagePullPolicy: IfNotPresent
+          name: sgx-device-plugin
+          args: ["--enable-aesm-socket-attach"]
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - mountPath: /var/lib/kubelet/device-plugins
+              name: device-plugin
+            - mountPath: /var/run/aesmd
+              name: aesm
+            - mountPath: /dev
+              name: dev
+      tolerations:
+        - effect: NoSchedule
+          key: alibabacloud.com/sgx_epc_MiB
+          operator: Exists
+      volumes:
+        - hostPath:
+            path: /var/lib/kubelet/device-plugins
+            type: DirectoryOrCreate
+          name: device-plugin
+        - hostPath:
+            path: /var/run/aesmd
+            type: Directory
+          name: aesm
+        - hostPath:
+            path: /dev
+            type: Directory
+          name: dev
diff --git a/pkg/device_plugin/device_plugin.go b/pkg/device_plugin/device_plugin.go
@@ -53,8 +53,26 @@ func (m *SGXDevicePlugin) ListAndWatch(e *devicepluginapi.Empty, s deviceplugina
 // Allocate which return list of devices.
 // Allocate implements DevicePluginServer interface.
 func (m *SGXDevicePlugin) Allocate(ctx context.Context, reqs *devicepluginapi.AllocateRequest) (*devicepluginapi.AllocateResponse, error) {
+	var mounts []*devicepluginapi.Mount
 	var devices []*devicepluginapi.DeviceSpec
 
+	if sgx.EnableAESMSocketAttach {
+		for path, exist := range sgx.AllMountPoints() {
+			if path != sgx.AESMSocketDir {
+				continue
+			}
+			if exist {
+				mounts = append(mounts, &devicepluginapi.Mount{
+					ContainerPath: path,
+					HostPath:      path,
+					ReadOnly:      true,
+				})
+			} else {
+				klog.Warningf("WARNING: Mount point %s not found", path)
+			}
+		}
+	}
+
 	for dev, exist := range sgx.AllDeviceDrivers() {
 		if exist {
 			devices = append(devices, &devicepluginapi.DeviceSpec{
@@ -74,6 +92,7 @@ func (m *SGXDevicePlugin) Allocate(ctx context.Context, reqs *devicepluginapi.Al
 				"SGX_VISIBLE_DEVICES": strings.Join(req.DevicesIDs, ","),
 			},
 			Devices: devices,
+			Mounts: mounts,
 		}
 
 		klog.Infof("[Allocate] %s", req.String())
diff --git a/pkg/sgx/sgx.go b/pkg/sgx/sgx.go
@@ -10,8 +10,24 @@ import (
 	devicepluginapi "k8s.io/kubernetes/pkg/kubelet/apis/deviceplugin/v1beta1"
 )
 
+var EnableAESMSocketAttach bool
+var AESMSocketDir string = "/var/run/aesmd"
+
 var initOnce = &sync.Once{}
 
+var allMountPoints = map[string]bool{
+	AESMSocketDir: false, // optional
+}
+
+// AllMountPoints lists all mount points.
+func AllMountPoints() map[string]bool {
+	ret := make(map[string]bool)
+	for k, v := range allMountPoints {
+		ret[k] = v
+	}
+	return ret
+}
+
 var allDeviceDrivers = map[string]bool{
 	"/dev/isgx": false, // required
 	"/dev/gsgx": false, // optional
@@ -28,6 +44,12 @@ func AllDeviceDrivers() map[string]bool {
 
 func init() {
 	initOnce.Do(func() {
+		// Detecting mount points.
+		for mp := range allMountPoints {
+			if fi, err := os.Stat(mp); err == nil && fi.IsDir() {
+				allMountPoints[mp] = true
+			}
+		}
 		// Detecting device drivers.
 		for driver := range allDeviceDrivers {
 			if fi, err := os.Stat(driver); err == nil && !fi.IsDir() {
