Help Center/ Elastic Cloud Server/ User Guide/ QingTian Enclave Management/ FAQs About QingTian/ Development and Deployment Questions
Updated on 2025-05-21 GMT+08:00
View PDF
Share

Development and Deployment Questions

How Many QingTian Enclave Instances Can I Create from an ECS?

You can create a maximum of two QingTian Enclave instances from an ECS.

What Is Vsock and How Can I Use it to Communicate With a QingTian Enclave Instance?

Vsock is a type of socket interface defined by a context identifier (CID) and port number. The CID is the same as the IP address in a TCP/IP connection.

Vsock communicates with a QingTian Enclave instance using standard and well-defined POSIX Socket APIs (for example, connect, listen, and accept). You can develop your own QingTian Enclave applications using vsock. For details, see QingTian Enclave Application Development on Linux. Applications can also send HTTP requests using vsock through a proxy.

Why Does the Vsock Performance Deteriorate After QingTian Enclave Instances Are Launched from kC2 Instances?

For kC2 instances, if all isolated vCPUs are used to launch QingTian Enclave instances, the vsock performance will deteriorate.

When enabling the qt-enclave-env service, you are advised to isolate two more vCPUs for QingTian Enclave. Some vCPUs are used to launch QingTian Enclave instances and some are used to forward data through the vsock channel. This helps prevent the vsock performance deterioration.

  1. Modify the /etc/qingtian/enclave/qt-enclave-env.conf configuration file of the qt-enclave-env service.

    vim /etc/qingtian/enclave/qt-enclave-env.conf

    • Method 1: Change the value of cpu_count to the number of the QingTian Enclave's vCPUs plus 2.
    • Method 2: Change the number of vCPUs in cpu_list to the number of the QingTian Enclave's vCPUs plus 2.
  2. Restart the qt-enclave-env service.

    systemctl restart qt-enclave-env

  3. Restart the QingTian Enclave instance.

    qt enclave start --cpus ${isolated_cpus_count-2} --mem ${wanted_mem} --eif ${eif_file_location} --cid ${wanted_cid}

    Where:

    • isolated_cpus_count-2 indicates the number of isolated vCPUs minus 2.
    • wanted_mem indicates the expected memory size.
    • eif_file_location indicates the eif file location.
    • wanted_cid indicates the expected CID value.

    Restart the QingTian Enclave instance and check the vsock performance.

Why Does the qt-enclave-env Service Fail to Be Started After SELinux Is Enabled on an ECS?

Symptom: After SELinux is enabled on an ECS, the qt-enclave-env service fails to be started. The message "insmod virtio-qtbox.ko Permission denied" is displayed in the qt-enclave-env service logs.

Possible Cause: SELinux provides powerful security mechanisms including mandatory access control, fine-grained access control, policy enforcement, type enforcement, security context, and auditing to protect the Linux system from malicious attacks and data leakage threats. As a result, the qt-enclave-env service cannot directly use the insmod virtio-qtbox.ko command to insert the kernel module.

Solution: Run the insmod /opt/qingtian/enclave/virtio-qtbox.ko command or disable SELinux first and then restart the qt-enclave-env service.

What Do I Need to Do If I Use an Ubuntu Image?

  1. Use the huawei-qingtian source code to compile the virtio-qtbox and qingtian-tools packages.
  2. Create the qt-enclave-boostrap package required by the image.

    You can download the latest qt-enclave-bootstrap package and decompress it to the specified directory. The download URL is https://repo.huaweicloud.com/hce/2.0/updates/x86_64/Packages/.

    /usr/local/share/qingtian/enclave/init

    /usr/local/share/qingtian/enclave/qtsm.ko

    /usr/local/share/qingtian/enclave/vmlinux.bin

    /usr/local/share/qingtian/enclave/vmlinux.bin.bz2

Parent Topic: FAQs About QingTian