Getting Started with QingTian Enclave

This section guides you through the process of understanding and using the QingTian Enclave feature. It shows you how to launch a parent instance, build a QingTian Enclave image file, query a running QingTian Enclave instance, and stop a QingTian Enclave instance.

1. Prepare an instance that supports the QingTian Enclave feature.
   • When purchasing an instance, select QingTian Enclave in the advanced settings and select a Linux OS image. Huawei Cloud EulerOS 2.0 is recommended.
   • Connect to the parent instance. For details, see the Huawei Cloud Elastic Cloud Server User Guide.
   • Install the qt CLI on the parent instance, set parameters for resource isolation in the configuration file as required, and enable resource isolation. To use qt CLI, you must install Python libraries. For details, see QingTian CLI (qt CLI).
     • Install the qt CLI and other necessary RPM packages.

       yum install qt-enclave-bootstrap
       yum install virtio-qtbox
       yum install qingtian-tool

     • Set parameters for resource isolation in the configuration file and enable resource isolation. In this tutorial, 1 GiB of memory and 2 vCPUs are used by default.

       systemctl start qt-enclave-env

2. Use the binary mode to install Docker on the parent instance. You can download the required Docker version from the official website of Docker. Here we use docker-18.09.9.tgz as an example.

   wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.9.tgz

   Decompress the downloaded package.

   tar zxf docker-18.09.9.tgz

   After the decompression is complete, copy all the files in the Docker directory to the /usr/bin directory.

   cp docker/* /usr/bin

   Start the Docker service and set the log level to error.

   dockerd -l error &

   Verify the Docker version.

   docker version

   Run the hello-world container to check whether Docker is installed.

   docker run hello-world

3. Build a QingTian Enclave image file.

   Here we use the following hello_enclave.sh script as the QingTian Enclave application.

   #!/bin/bash
   while true
   do
       echo "hello enclave!"
       sleep 2
   done

   The Dockerfile content is as follows:

   FROM ubuntu:latest
   COPY hello_enclave.sh /root/hello_enclave.sh
   CMD ["/root/hello_enclave.sh"]

   Check that the script has execution permissions.

   chmod +x hello_enclave.sh 

   Build a Docker image named hello-enclave.

   docker build -f Dockerfile -t hello-enclave . 

   Run the qt enclave make-img command to convert the Docker image to a QingTian Enclave image file named hello-enclave.eif.

   qt enclave make-img --docker-uri hello-enclave --eif hello-enclave.eif

   The output is as follows:

   # qt enclave make-img --docker-uri hello-enclave --eif hello-enclave.eif
   {
       "digest":   "SHA384",
       "PCR0": "63bf78ece7d2388ff773d0cad2ebc9a3070359db46d567ba271ff8adfb8b0b091be4ff4d5dda3f1c83109096e3656f3b",
       "PCR8": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
   }

   The QingTian Enclave image file named hello-enclave.eif has now been built. The command contains a set of PCR values, including PCR0 and PCR8. (In this example, no certificates or keys are specified during image creation, so PCR8 is 0.) These hash values are measurements of QingTian Enclave images and they are generally used as expected measurements (compared with the measurements in the attestation document during the boot-up process).

   • Run a QingTian Enclave instance.

     You can now run the QingTian Enclave image using the following command:

   qt enclave start --mem 1024 --cpus 2 --eif hello-enclave.eif --cid 4 --debug-mode

   The QingTian Enclave instance runs in debug mode. For details about debug mode, see Introduction to qt enclave Subcommands.

   The output is as follows:

   # qt enclave start --cpus 2 --mem 1024 --eif hello-enclave.eif --cid 4 --debug-mode
   Started enclave with EnclaveID : 0, EnclaveCID : 4, NumberOfCPUs : 2, MemoryMiB : 1024
   {
       "EnclaveID":    0,
       "EnclaveCID":   4,
       "NumberOfCPUs": 2,
       "MemoryMiB":    1024,
       "LaunchMode":   "debug"
   }

   In this tutorial, 2 vCPUs and 1024 MiB of memory are allocated to the QingTian Enclave instance, and the EnclaveCID is set to 4. The EnclaveCID can be used as the IP address of the local socket between the QingTian Enclave instance and the parent instance.

   • Query a running QingTian Enclave instance.

   After the QingTian Enclave instance is created, run the following command to check whether the instance is running:

   qt enclave query --enclave-id 0
   # qt enclave query --enclave-id 0
   [{
           "EnclaveID":    0,
           "ProcessID":    29990,
           "EnclaveCID":   4,
           "NumberOfCPUs": 2,
           "MemoryMiB":    1024,
           "LaunchMode":   "debug"
       }]

   The command can query information about the QingTian Enclave instance, including EnclaveID, ProcessID, EnclaveCID, number of vCPUs, memory size, and its running mode. You can run the qt enclave console command to view the read-only console output of the QingTian Enclave instance because the instance is launched in debug mode.

   hello enclave!
   hello enclave!
   hello enclave!
   hello enclave!

   You can see that the hello enclave! is printed to the console every two seconds.

   • Stop a QingTian Enclave instance.

   If you want to stop a QingTian Enclave instance, run the following commands:

   # qt enclave stop --enclave-id 0
   stop enclave 0 successfully
   {
       "EnclaveID":    0
   }