version: '3.7'
services:
  # Database for WordPress
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
UDS
: Unique Device Secret. This is a per-device hardware-level secret accessible to the DICE but not accessible after the DICE runs.
CDI
: Compound Device Identifier. This value represents the hardware/software combination measured by the DICE. This is the DICE output and is passed to the software which has been measured. This is a secret.
A hash function (e.g. SHA2-384):
func (k *kataAgent) createContainer
- No sandbox cgroup manager is created
- Cgroup for sandbox container is created
- Takes linux:cgroup_parent as the cgroup root
- Creates v1 cgroup hierarchy: /sys/fs/cgroup/memory/vc/<linux:cgroup_parent>/kata_<sandbox_id>/, etc.
- Adds the process linked to the sandbox container to the cgroups
- Only adds the CPU resources at first
{
  "ociVersion": "1.0.0",
  "process": {
    "terminal": true,
    "user": {
      "uid": 0,
      "gid": 0
    },
    "args": [
      "/docker-entrypoint.sh",
bpftrace -e 'kprobe:nested_vmx_failInvalid { printf("sleep by %d\n", tid); }'
containerd defines a simple runtime shim API (v2) for container runtimes (kata, runc, etc.) to interface with.
The goal of this API is to abstract container operations from the actual runtime operations, and e.g. avoid assumptions on how containers are going to run (inside a VM vs. as a bare metal process, for example).
With that architecture, a container runtime becomes a shim v2 implementation, which is a binary that:
- Implements the gRPC shim service
- Supports 2 commands: delete and start
#[derive(Clone, Debug, Default)]
struct Account {
    transactions: Vec<i32>,
    balance: i32,
}
impl Account {
    fn new() -> Self {
        Account {
            balance: 0,
3 MSR arrays:
- msrs_to_save: reflects the capabilities of the host CPU, built on top of the constant msrs_to_save_all array.
- emulated_msrs: MSRs that are KVM-specific are put in emulated_msrs_all; filtering of emulated_msrs may depend on host virtualization features rather than host CPU features.
- msr_based_features: list of MSR numbers which are used to expose MSR-based features that can be used by a hypervisor to validate requested CPU features. Built as a filter on top of msr_based_features_all.