Updated on 2024-10-18 GMT+08:00

Introduction to qt enclave Subcommands

qt is a level-1 command. It contains a level-2 subcommand enclave.

[root@localhost ~]# qt 
  ____  _          _______ _ 
 / __ \(_)        |__   __(_) 
| |  | |_ _ __   __ _| |   _  __ _ _ __ 
| |  | | | '_ \ / _` | |  | |/ _` | '_ \ 
| |__| | | | | | (_| | |  | | (_| | | | | 
 \___\_\_|_| |_|\__, |_|  |_|\__,_|_| |_| 
                 __/ | 
                |___/ 
 
Welcome to the cool QingTian new CLI! 
 
    enclave : Enclave life-circle management.

qt enclave contains subcommands for building QingTian Enclave image files, and starting, stopping, and querying QingTian Enclave instances.

[root@localhost ~]# qt enclave
usage: qt enclave [-h] {make-img,start,stop,query,console} ...
qt enclave: error: the following arguments are required: _subcommand
enclave command line interface
[root@localhost ~]# qt enclave -h

Group
  qt enclave : Enclave life-circle management.

Commands:
  console  : Console an enclave via the enclave-id while debugging.
  make-img : Make an eif image from a docker image.
  query   : Query an enclave via the enclave-id or query all enclaves.
  start   : Start an enclave via an eif image.
  stop   : Stop an enclave via the enclave-id.

qt enclave make-img

This command is used to convert a Docker image to a QingTian Enclave image file. The command format is as follows:

[root@localhost ~]# qt enclave make-img -h

Command
    qt enclave make-img : Make an eif image from a docker image.

Arguments
    --docker-uri [Required]
    --eif        [Required]
    --private-key
    --signing-certificate

Global Arguments
    --debug                 : Increase logging verbosity to show all debug logs.
    --help -h               : Show this help message and exit.
    --only-show-errors      : Only show errors, suppressing warnings.
    --output -o             : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml,
                              yamlc.  Default: json.
    --query                 : JMESPath query string. See http://jmespath.org/ for more information
                              and examples.
    --verbose               : Increase logging verbosity. Use --debug for full debug logs.

Examples
    Given docker-uri and eif to make an eif image
        qt enclave make-img --docker-uri [DOCKER-URI] --eif [EIF]

    Make an eif image with private-key and signing-certificate
        qt enclave make-img --docker-uri [DOCKER-URI] --eif [EIF] --private-key [PRIVATE-KEY]
        --signing-certificate [SIGNING-CERTIFICATE]

Mandatory: --docker-uri, which specifies the Uniform Resource Identifier (URI) of the Docker image in a Docker repository. You can run the docker image ls command to query the URI of the current local image.

Mandatory: --eif, which specifies the path used to store the generated EIF.

Optional: --private-key, which specifies the absolute path of the private key used to sign the QingTian Enclave image. If you specify PRIVATE-KEY, you must also specify SIGNING-CERTIFICATE.

Optional: --signing-certificate, which specifies the absolute path of the certificate used to sign the QingTian Enclave image. If you specify SIGNING-CERTIFICATE, you must also specify PRIVATE-KEY.

Returned value: If the preceding two optional parameters are configured, ensure that the certificates are valid. If the certificates are valid, the command output contains additional PCR0 and PCR8, which is used for measuring the QingTian Enclave image and signature certificate. If the certificates are invalid, the QingTian Enclave image fails to be built.

Example command of building an image:

[root@localhost docker]# qt enclave make-img --docker-uri ubuntu --eif /home/docker/ubuntu.eif --private-key  /home/docker/private-key.pem --signing-certificate /home/docker/server.pem
{
    "digest":       "SHA384",
    "PCR0": "b8c59692da8a5bcb739a83d15a0ceca670bd78da06cb2250ec70548f72254e674419e9888db9c0364a9b88dd58017a62"  
    "PCR8": "dbf4a7f9fab7f18619b5899c407081981ad6762fb9a809da78548821b5021965423181584acd7b201703376f1133a546"
}

qt enclave start

This command is used to launch a QingTian Enclave instance. The command format is as follows:

[root@localhost ~]# qt enclave start -h

Command
  qt enclave start : Start an enclave via an eif image.

Arguments
  --cid        : Default: 4.
  --eif        [Required] 
  --cpus       : Default: 2. 
  --debug-mode 
  --mem        : Default: 1024. 

Global Arguments
  --debug       : Increase logging verbosity to show all debug logs.
  --help -h      : Show this help message and exit.
  --only-show-errors : Only show errors, suppressing warnings.
  --output -o     : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml, yamlc.
             Default: json.
  --query       : JMESPath query string. See http://jmespath.org/ for more information and
             examples.
  --verbose      : Increase logging verbosity. Use --debug for full debug logs.

Examples
  Given an eif image, an unused cid, the number of cpus and memory needed
    qt enclave start  [--cpus CPUS] [--mem MEM] --eif EIF [--cid CID]

Optional: --cpus, which specifies the number of vCPUs to be allocated to the QingTian Enclave instance. The value cannot be greater than the number of isolated vCPUs. If this parameter is not specified, the default value is 2.

Optional: --mem, which specifies the memory size (MiB) allocated to the QingTian Enclave instance. The value cannot be greater than the isolated memory size and must be greater than the QingTian Enclave image size. If this parameter is not specified, the default value is 1024 MiB.

Mandatory: --eif, which specifies the path of the EIF.

Optional: --cid, which specifies the context identifier (CID) of the QingTian Enclave instance. The CID is the socket IP address for communication between the parent instance and the QingTian Enclave instance using vsock. The available CID range is from 4 to 4294967294. If this parameter is not specified, the default value is 4.

Optional: --debug-mode, which specifies whether to start the QingTian Enclave instance in debug mode. If you enable debug mode, PRCs that are made up entirely of zeros can be used to collect and print internal logs of QingTian Enclave instances.

Returned value: Details of the created QingTian Enclave instance

Example command of launching a QingTian Enclave instance:

qt enclave start --cpus 2 --mem 1024 --eif /home/docker/ubuntu.eif --cid 4

qt enclave query

This command is used to query information about the QingTian Enclave instance on a parent instance. The command format is as follows:

[root@localhost ~]# qt enclave query -h

Command
  qt enclave query : Query an enclave via the enclave-id or query all enclaves.

Arguments
  --enclave-id

Global Arguments
  --debug       : Increase logging verbosity to show all debug logs.
  --help -h      : Show this help message and exit.
  --only-show-errors : Only show errors, suppressing warnings.
  --output -o     : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml, yamlc.
             Default: json.
  --query       : JMESPath query string. See http://jmespath.org/ for more information and
             examples.
  --verbose      : Increase logging verbosity. Use --debug for full debug logs.

Examples
  Given an enclave-id to query an enclave
      qt enclave query --enclave-id [ENCLAVE-ID]

  Query all enclaves without enclave-id
    qt enclave query

Optional: --enclave-id. If this parameter is specified, information about the specified QingTian Enclave instance is queried. If this parameter is not specified, information about all existing QingTian Enclave instances is queried.

Returned value: Information about the queried QingTian Enclave instance

  • EnclaveID: specifies the ID of the QingTian Enclave instance.
  • ProcessID: specifies the process identifier (PID) of the process holding the QingTian Enclave instance's resources in the parent instance.
  • EnclaveCID: specifies the vsock socket ID used for communication between the QingTian Enclave instance and the parent instance.
  • NumberOfCPUs: specifies the number of vCPUs allocated from the parent instance to the QingTian Enclave instance.
  • MemoryMiB: specifies the memory size (MiB) allocated from the parent specifies to the QingTian Enclave instance.

Example command of querying a QingTian Enclave instance:

[root@localhost ~]#qt enclave query
[{
        "EnclaveID":    0,
        "ProcessID":    29990,
        "EnclaveCID":   4,
        "NumberOfCPUs": 2,
        "MemoryMiB":    1024,
        "LaunchMode":   "debug"
    }]

If there are no QingTian Enclave instances available, the command output is blank.

If the --enclave-id parameter is specified but the QingTian Enclave instance with the specified --enclave-id, the command output is empty.

qt enclave stop

This command is used to stop a QingTian Enclave instance. The command format is as follows:

[root@localhost ~]# qt enclave stop -h

Command
  qt enclave stop : Stop an enclave via the enclave-id.

Arguments
  --enclave-id [Required]

Global Arguments
  --debug         : Increase logging verbosity to show all debug logs.
  --help -h        : Show this help message and exit.
  --only-show-errors    : Only show errors, suppressing warnings.
  --output -o       : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml,
               yamlc.  Default: json.
  --query         : JMESPath query string. See http://jmespath.org/ for more information
               and examples.
  --verbose        : Increase logging verbosity. Use --debug for full debug logs.

Examples
  Given an enclave-id to stop an enclave
   qt enclave stop --enclave-id [ENCLAVE-ID]

Mandatory: --enclave-id, which specifies the --enclave-id of the QingTian Enclave instance to be stopped.

Returned value: If a successful message is returned, the instance is stopped. If no message is returned, the instance failed to be stopped.

Example command of stopping a QingTian Enclave instance:

[root@localhost ~]# qt enclave stop --enclave-id 1
stop 1 success

qt enclave console

This command is used to view the read-only console output of the QingTian Enclave instance in the parent instance when the instance is started in debug mode. The command format is as follows:

[root@localhost ~]# qt enclave console -h

Command
    qt enclave console : Console an enclave via the enclave-id while debugging.

Arguments
    --enclave-id [Required]

Global Arguments
    --debug                 : Increase logging verbosity to show all debug logs.
    --help -h               : Show this help message and exit.
    --only-show-errors      : Only show errors, suppressing warnings.
    --output -o             : Output format.  Allowed values: json, jsonc, none, table, tsv, yaml,
                              yamlc.  Default: json.
    --query                 : JMESPath query string. See http://jmespath.org/ for more information
                              and examples.
    --verbose               : Increase logging verbosity. Use --debug for full debug logs.

Examples
    Given an enclave-id to console an enclave
        qt enclave console --enclave-id [ENCLAVE-ID]

Mandatory: --enclave-id, which specifies the enclave-id of the QingTian Enclave instance whose read-only console output is to be obtained.

After the command is executed successfully, the read-only console output of the QingTian Enclave instance is displayed as follows:

hello enclave! 
hello enclave! 
hello enclave! 
hello enclave!

You can press Ctrl+C to exit the command. Note that the qt enclave console command can be executed on only one specified QingTian Enclave instance at a time.