diff --git a/ansible/install_cenclave/tasks/main.yml b/ansible/install_cenclave/tasks/main.yml index 987dd83..84c53b8 100644 --- a/ansible/install_cenclave/tasks/main.yml +++ b/ansible/install_cenclave/tasks/main.yml @@ -20,7 +20,61 @@ - "/home/{{ ansible_user }}/.config/gramine/enclave-key.pem" - 3072 -- name: Install Cosmian Enclave CLI - pip: - name : cenclave - extra_args: --upgrade +- name: Check Ubuntu version + ansible.builtin.debug: + msg: "Ubuntu version is {{ ansible_distribution_version }}" + +- name: Print ansible_user + ansible.builtin.debug: + msg: "Ansible user is {{ ansible_user }}" + +- name: Install pipx and Cosmian Enclave CLI for Ubuntu 24.04 + block: + - name: Install pipx + ansible.builtin.apt: + name: pipx + state: latest + + - name: Install Cosmian Enclave CLI using pipx + become: false + community.general.pipx: + name: cenclave + state: latest + + - name: Ensure pipx is installed + become: false + ansible.builtin.command: + cmd: pipx ensurepath + + - name: Verify cenclave is available + become: false + ansible.builtin.command: + cmd: cenclave --version + register: cenclave_version + ignore_errors: false + + - name: Debug cenclave version + ansible.builtin.debug: + msg: "cenclave version: {{ cenclave_version.stdout }}" + + when: ansible_distribution_version == "24.04" + +- name: Install Cosmian Enclave CLI for Ubuntu 22.04 + block: + - name: Install Cosmian Enclave CLI using pip + ansible.builtin.pip: + name: cenclave + extra_args: --upgrade + + - name: Verify cenclave is available + become: false + ansible.builtin.command: + cmd: cenclave --version + register: cenclave_version + ignore_errors: false + + - name: Debug cenclave version + ansible.builtin.debug: + msg: "cenclave version: {{ cenclave_version.stdout }}" + + when: ansible_distribution_version == "22.04" diff --git a/ansible/install_pccs/default/main.yml b/ansible/install_pccs/default/main.yml new file mode 100644 index 0000000..e69de29 
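Review bot: The CLI is still installed unpinned on both branches — `state: latest` under `community.general.pipx` and `extra_args: --upgrade` under `ansible.builtin.pip` — so every run pulls whatever PyPI currently serves for `cenclave`, which presumably is the tool that consumes the signing key generated just above (`enclave-key.pem`) and is the last thing you want to float; pin it (`name: "cenclave==<version>"`) and verify hashes where the module allows. Neither block fails on an Ubuntu release other than 22.04/24.04, so such a host finishes the role with no CLI and no error; add an `ansible.builtin.fail` (or `assert`) for the case where neither `when:` matches. The task named `Ensure pipx is installed` actually runs `pipx ensurepath`, which edits the user's shell rc files and does not change the PATH of the non-login `ansible.builtin.command` that follows, so `cenclave --version` can fail with command-not-found right after a successful install — call `~/.local/bin/cenclave --version` or set `environment: PATH: "{{ ansible_env.HOME }}/.local/bin:{{ ansible_env.PATH }}"` on that task. The two debug tasks printing the distro version and `ansible_user` read as leftover troubleshooting once this works.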
diff --git a/ansible/install_pccs/handlers/main.yml b/ansible/install_pccs/handlers/main.yml new file mode 100644 index 0000000..3685473 --- /dev/null +++ b/ansible/install_pccs/handlers/main.yml @@ -0,0 +1,11 @@ +--- +# handlers file for nginx_backend +- name: reload_nginx + systemd: + name: nginx + state: reloaded + +- name: Restart mysql + service: + name: mysql + state: restarted \ No newline at end of file diff --git a/ansible/install_pccs/tasks/main.yml b/ansible/install_pccs/tasks/main.yml new file mode 100644 index 0000000..5cd40dc --- /dev/null +++ b/ansible/install_pccs/tasks/main.yml @@ -0,0 +1,24 @@ +--- +# tasks file for pccs_deploy +- name: Create pccs.conf + template: + src: pccs.conf.j2 + dest: /home/{{ defined_user }}/pccs.conf + owner: "{{ defined_user }}" + group: "{{ defined_user }}" + mode: 0664 + +- name: Run PCCS docker container + # you first need to install community.docker collection : + # ansible-galaxy collection install community.docker + community.docker.docker_container: + name: pccs + image: ghcr.io/cosmian/pccs:1687279386 + pull: true + restart_policy: always + detach: true + state: started + ports: + - "8081:8081" + volumes: + - /home/{{ defined_user }}/pccs.conf:/opt/intel/sgx-dcap-pccs/config/default.json \ No newline at end of file diff --git a/ansible/install_pccs/templates/pccs.conf.j2 b/ansible/install_pccs/templates/pccs.conf.j2 new file mode 100644 index 0000000..1e591d0 --- /dev/null +++ b/ansible/install_pccs/templates/pccs.conf.j2 
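Review bot: The two handlers added here, `reload_nginx` and `Restart mysql`, are not notified by anything in the `install_pccs` tasks in this diff, and the header `# handlers file for nginx_backend` suggests they were copied from another role. A handler that restarts mysql on the host is a surprising thing to leave in a role whose service runs in a container; drop them, or add the `notify:` they belong to. If kept, use the FQCNs `ansible.builtin.systemd` and `ansible.builtin.service` like the rest of the new tasks.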
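Review bot: `/home/{{ defined_user }}/pccs.conf` carries the Intel PCS `ApiKey`, the admin/user token hashes and a DB password (see the template in this diff) but is written with `mode: 0664`, i.e. group-writable and world-readable; use `mode: "0600"` (quoted, so YAML does not turn the octal into the integer 436) and consider a location outside the user's home. `ports: - "8081:8081"` publishes the PCCS on every host interface — Docker's own iptables rules bypass ufw — while the qcnl and PCK-retrieval configs in this diff only ever talk to `localhost:8081`, so `"127.0.0.1:8081:8081"` is sufficient. `image: ghcr.io/cosmian/pccs:1687279386` together with `pull: true` pins a mutable tag, so the component that caches your attestation collateral can change underneath you; pin by digest (`image: ghcr.io/cosmian/pccs@sha256:...`). The empty `ansible/install_pccs/default/main.yml` added in the same commit will not be read as role defaults — Ansible loads `defaults/main.yml` — so `defined_user` and the `pccs_*` template variables must be supplied elsewhere or the role fails on an undefined variable.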
@@ -0,0 +1,33 @@ +{ + "HTTPS_PORT" : 8081, + "hosts" : "127.0.0.1", + "uri": "https://api.trustedservices.intel.com/sgx/certification/v4/", + "ApiKey" : "{{ pccs_apikey }}", + "proxy" : "", + "RefreshSchedule": "0 0 1 * * *", + "UserTokenHash" : "{{ pccs_usertoken_hash }}", + "AdminTokenHash" : "{{ pccs_admintoken_hash }}", + "CachingFillMode" : "REQ", + "LogLevel" : "info", + "DB_CONFIG" : "{{ pccs_db_config }}", + "sqlite" : { + "database" : "{{ pccs_sqlite_db_name }}", + "username" : "{{ pccs_sqlite_cr_usr }}", + "password" : "{{ pccs_sqlite_usr_psswd }}", + "options" : { + "host": "{{ pccs_sqlite_options_host }}", + "dialect": "{{ pccs_sqlite_port_dialect }}", + "pool": { + "max": {{ pccs_sqlite_port_pool_max }}, + "min": {{ pccs_sqlite_port_pool_min }}, + "acquire": {{ pccs_sqlite_port_pool_acquire }}, + "idle": {{ pccs_sqlite_port_pool_idle }} + }, + "define": { + "freezeTableName": {{ pccs_sqlite_define_freezeTableName }} + }, + "logging" : {{ pccs_sqlite_logging }}, + "storage": "{{ pccs_sqlite_storage }}" + } + } +} \ No newline at end of file diff --git a/ansible/install_sgx_deps/tasks/main.yml b/ansible/install_sgx_deps/tasks/main.yml index 6dfd84d..46c08c6 100644 --- a/ansible/install_sgx_deps/tasks/main.yml +++ b/ansible/install_sgx_deps/tasks/main.yml 
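Review bot: `"hosts" : "127.0.0.1"` binds the PCCS to the loopback of the container's own network namespace; the `docker_container` task in this diff publishes `8081:8081` without `network_mode: host`, so traffic from the published port arrives on the container's bridge address, not its loopback, and the host-side `https://localhost:8081` clients will get connection refused. Bind to `"0.0.0.0"` inside the container and restrict exposure on the publish side instead (`"127.0.0.1:8081:8081"`). The file is strict JSON, but `{{ pccs_sqlite_logging }}` and `{{ pccs_sqlite_define_freezeTableName }}` render Ansible booleans as `True`/`False`, which is not valid JSON; render them as `{{ pccs_sqlite_logging | to_json }}` and `{{ pccs_sqlite_define_freezeTableName | to_json }}` (the pool integers benefit from the same treatment). `pccs_apikey`, the two token hashes and `pccs_sqlite_usr_psswd` are secrets and should come from vault-encrypted variables rather than plain group/host vars. The block is keyed `sqlite` yet carries `host`/`dialect`/`pool`/`username` fields, which look like the MySQL-style `DB_CONFIG` stanza — worth checking against the `default.json` the image ships so the right backend is actually selected.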
@@ -37,15 +37,26 @@ name: aesmd state: stopped -- name: Edit sgx_default_qcnl.conf +- name: Determine template based on environment ansible.builtin.template: - src: sgx_default_qcnl.conf.j2 + src: "{{ 'azure_sgx_default_qcnl.conf.j2' if ansible_facts['virtualization_role'] == 'guest' else 'baremetal_sgx_default_qcnl.conf.j2' }}" dest: /etc/sgx_default_qcnl.conf owner: root group: root mode: 0644 tags: qcnl +- name: "Edit network_setting.conf" + ansible.builtin.template: + src: network_setting.conf.j2 + dest: /opt/intel/sgx-pck-id-retrieval-tool/network_setting.conf + owner: root + group: root + mode: 0644 + notify: restart_aesmd + tags: netset + when: ansible_facts['virtualization_type'] == 'baremetal' + - name: Add aesmd user to sgx_prv group ansible.builtin.user: name: aesmd @@ -55,4 +66,4 @@ - name: Start AESMD ansible.builtin.systemd_service: name: aesmd - state: restarted + state: restarted \ No newline at end of file diff --git a/ansible/install_sgx_deps/templates/sgx_default_qcnl.conf.j2 b/ansible/install_sgx_deps/templates/azure_sgx_default_qcnl.conf.j2 similarity index 100% rename from ansible/install_sgx_deps/templates/sgx_default_qcnl.conf.j2 rename to ansible/install_sgx_deps/templates/azure_sgx_default_qcnl.conf.j2 diff --git a/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2 b/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2 new file mode 100644 index 0000000..a4e9cac --- /dev/null +++ b/ansible/install_sgx_deps/templates/baremetal_sgx_default_qcnl.conf.j2 
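Review bot: Bare metal is detected three different ways in this diff: the qcnl template falls back to `baremetal_…` when `virtualization_role != 'guest'`, `network_setting.conf` is written only when `virtualization_type == 'baremetal'`, and `main.yml` sets `is_baremetal` from `virtualization_type == 'kvm'`. As far as I know Ansible reports a KVM-capable physical host as type `kvm` / role `host` and a plain one as `NA`, never `baremetal`, so on such a host the bare-metal qcnl config is installed but the `Edit network_setting.conf` task is skipped and the PCK-ID retrieval tool keeps its default endpoint. Decide once — e.g. reuse the `is_baremetal` fact from `main.yml` — and put `when: is_baremetal` on both tasks. `notify: restart_aesmd` names a handler not visible in this diff, and `Start AESMD` below already restarts the service unconditionally, so the notify is either dangling or redundant. `mode: 0644` should be quoted (`"0644"`) so YAML does not parse the octal as an integer.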
@@ -0,0 +1,55 @@ +{ + // *** ATTENTION : This file is in JSON format so the keys are case sensitive. Don't change them. + + //PCCS server address + "pccs_url": "https://localhost:8081", + + // To accept insecure HTTPS certificate, set this option to false + "use_secure_cert": false, + + // You can use the Intel PCS or another PCCS to get quote verification collateral. Retrieval of PCK + // Certificates will always use the PCCS described in PCCS_URL. When COLLATERAL_SERVICE is not defined, both + // PCK Certs and verification collateral will be retrieved using PCCS_URL + //"collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/", + + // If you use a PCCS service to get the quote verification collateral, you can specify which PCCS API version is to be used. + // The legacy 3.0 API will return CRLs in HEX encoded DER format and the sgx_ql_qve_collateral_t.version will be set to 3.0, while + // the new 3.1 API will return raw DER format and the sgx_ql_qve_collateral_t.version will be set to 3.1. The PCCS_API_VERSION + // setting is ignored if COLLATERAL_SERVICE is set to the Intel PCS. In this case, the PCCS_API_VERSION is forced to be 3.1 + // internally. Currently, only values of 3.0 and 3.1 are valid. Note, if you set this to 3.1, the PCCS use to retrieve + // verification collateral must support the new 3.1 APIs. + //"pccs_api_version": "3.1", + + // Maximum retry times for QCNL. If RETRY is not defined or set to 0, no retry will be performed. + // It will first wait one second and then for all forthcoming retries it will double the waiting time. + // By using RETRY_DELAY you disable this exponential backoff algorithm + "retry_times": 6, + + // Sleep this amount of seconds before each retry when a transfer has failed with a transient error + "retry_delay": 10, + + // If LOCAL_PCK_URL is defined, the QCNL will try to retrieve PCK cert chain from LOCAL_PCK_URL first, + // and failover to PCCS_URL as in legacy mode. 
+ //"local_pck_url": "http://localhost:8081", + + // If LOCAL_PCK_URL is not defined, the QCNL will cache PCK certificates in memory by default. + // The cached PCK certificates will expire after PCK_CACHE_EXPIRE_HOURS hours. + "pck_cache_expire_hours": 168, + + // To set cache expire time for quote verification collateral in hours + "verify_collateral_cache_expire_hours": 168 + + // You can add custom request headers and parameters to the get certificate API. + // But the default PCCS implementation just ignores them. + //,"custom_request_options" : { + // "get_cert" : { + // "headers": { + // "head1": "value1" + // }, + // "params": { + // "param1": "value1", + // "param2": "value2" + // } + // } + //} +} \ No newline at end of file diff --git a/ansible/install_sgx_deps/templates/network_setting.conf.j2 b/ansible/install_sgx_deps/templates/network_setting.conf.j2 new file mode 100644 index 0000000..028c704 --- /dev/null +++ b/ansible/install_sgx_deps/templates/network_setting.conf.j2 
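Review bot: `"use_secure_cert": false` turns off TLS verification of the PCCS endpoint. Because the material fetched (PCK cert chain, TCB info, QE identity, CRLs) is Intel-signed and checked by the quote verification library, the realistic exposure is stale or withheld collateral rather than forged collateral, but the justification belongs next to the setting — this JSON-with-comments format allows `// PCCS from install_pccs is on localhost and presumably serves a self-signed cert; TLS identity is deliberately not verified`. `pccs_url` is hard-coded to `https://localhost:8081` while the sibling `network_setting.conf.j2` derives the host from `{{ __pccs }}`; template this one from the same variable so the two cannot drift. Note this template contains no Jinja expression at all, so as written it could equally be a `files/` entry deployed with `copy`.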
@@ -0,0 +1,28 @@ +# ############################################################# +# PCCS server address +# support V3 version PCCS +#PCCS_URL=https://localhost:8081/sgx/certification/v3/platforms +# support V4 version PCCS +PCCS_URL=https://{{ __pccs }}/sgx/certification/v4/platforms +# To accept insecure HTTPS cert, set this option to FALSE +#USE_SECURE_CERT=TRUE +############################################################### + + +############################################################### +# when access pccs, user need provide the token +user_token={{ __usertoken }} +############################################################### + + +############################################################### +# Proxy settings:proxy type could be the following three types +# direct: means no proxy used +# default: system default proxy will be used +# manual: when this type was selected, user need provide the proxy_url + +proxy_type=direct +#proxy_type = default +#proxy_type = manual +#proxy_url = http://proxy_url:proxy_port +############################################################### \ No newline at end of file diff --git a/ansible/main.yml b/ansible/main.yml index 361f550..6b1137f 100644 --- a/ansible/main.yml +++ b/ansible/main.yml @@ -1,9 +1,30 @@ + --- + - name: Cosmian Enclave installation on Ubuntu hosts: all become: true + pre_tasks: + - name: Check if the machine is bare-metal + ansible.builtin.set_fact: + is_baremetal: "{{ ansible_facts['virtualization_type'] == 'kvm' }}" + roles: - update_ubuntu - - install_sgx_deps - install_docker - - install_cenclave + - install_sgx_deps + + tasks: + + - name: Include role install_pccs for bare-metal only + ansible.builtin.include_role: + name: install_pccs + when: is_baremetal + + - name: Always include install_cenclave role + ansible.builtin.include_role: + name: install_cenclave + + - name: Run validation_test + ansible.builtin.include_role: + name: validation_test 
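Review bot: `user_token={{ __usertoken }}` writes the PCCS user token in clear text, and the task in `install_sgx_deps` that renders this file uses `mode: 0644`, so any local user can read the token that authorises platform registration against the PCCS; change that task to `mode: "0600"` with `owner: root` and keep `__usertoken` in a vault-encrypted variable. `USE_SECURE_CERT` is left commented out (so the tool keeps its default, presumably verifying the certificate) while the qcnl config in the same diff sets `use_secure_cert: false` for the same `localhost:8081` endpoint — one of the two will behave differently against a self-signed PCCS certificate, so make them consistent and document why. The `__pccs`/`__usertoken` names have no defaults visible in this diff; a one-line comment saying where they are expected to come from would help the next maintainer.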
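Review bot: `is_baremetal: "{{ ansible_facts['virtualization_type'] == 'kvm' }}"` is also true for a KVM *guest* (type `kvm`, role `guest`) and false for a physical host without the kvm module loaded (type `NA`), so a KVM VM would receive the `install_pccs` role while a plain bare-metal server would not. Key the decision on the role, `is_baremetal: "{{ ansible_facts['virtualization_role'] != 'guest' }}"`, or better on an explicit inventory variable, and reuse that same fact in `install_sgx_deps`, which currently tests `virtualization_type == 'baremetal'`. `validation_test` now runs unconditionally at the end of the play, so a host without `/dev/sgx_enclave` fails the whole play after a successful install; gate it on the device being present or put it behind a tag.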
diff --git a/ansible/tasks/main.yml b/ansible/tasks/main.yml new file mode 100644 index 0000000..5d595d3 --- /dev/null +++ b/ansible/tasks/main.yml @@ -0,0 +1,41 @@ +--- +# tasks file for install_docker + +- name: Add official Docker APT repository + block: + - name: Download Docker GPG public key + ansible.builtin.apt_key: + state: present + url: https://download.docker.com/linux/ubuntu/gpg + keyring: /etc/apt/trusted.gpg.d/docker.gpg + + - name: Add Docker APT repository + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + state: present + filename: docker + update_cache: yes + +- name: Install Docker packages + apt: + name: "{{ item }}" + state: latest + update_cache: yes + loop: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-compose-plugin + tags: dockinstall + +- name: Start Docker + service: + name: docker + state: started + enabled: yes + +- name: Add user to group docker + user: + name: "{{ ansible_user }}" + groups: docker + append: yes diff --git a/ansible/validation_test/tasks/main.yml b/ansible/validation_test/tasks/main.yml new file mode 100644 index 0000000..84a3748 --- /dev/null +++ b/ansible/validation_test/tasks/main.yml 
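Review bot: `ansible.builtin.apt_key` with `keyring: /etc/apt/trusted.gpg.d/docker.gpg` places Docker's key among apt's globally trusted keyrings, which makes the `signed-by=` restriction in the repo line meaningless (apt then trusts that key for every repository), and `apt_key` is deprecated in Ansible. Fetch the key to a non-trusted path and point `signed-by=` at it, as below. `state: latest` on the four packages upgrades Docker on every run, which can restart containerd underneath the PCCS container installed later; pin versions or use `state: present`. The header reads `# tasks file for install_docker` but the file landed at `ansible/tasks/main.yml`, not `ansible/install_docker/tasks/main.yml`, so the `install_docker` role listed in `main.yml` will not pick it up unless that role already exists elsewhere. Adding `{{ ansible_user }}` to the `docker` group is root-equivalent on the host and deserves a comment saying so; the `yes` booleans should be `true`.

```yaml
- name: Download Docker GPG public key
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"

- name: Add Docker APT repository
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    # … unchanged: state / filename / update_cache …
```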
@@ -0,0 +1,49 @@ +--- +# roles/validation_test/tasks/main.yml + +- name: Set Docker socket + set_fact: + ansible_docker_extra_args: "-H unix:///var/run/docker.sock" + +- name: Pull Docker image + community.docker.docker_image: + name: ghcr.io/cosmian/gramine-minimal + tag: "20241202140525" + source: pull + +- name: Run Docker container + community.docker.docker_container: + name: gramine_minimal + image: ghcr.io/cosmian/gramine-minimal:20241202140525 + devices: + - /dev/sgx_enclave + - /dev/sgx_provision + volumes: + - /var/run/aesmd:/var/run/aesmd/ + state: started + interactive: yes + tty: yes + register: docker_container_info + +- name: Wait for the container to be ready + command: docker logs gramine_minimal + register: docker_logs + retries: 15 + delay: 3 + until: "'Hello World' in docker_logs.stdout" + +- name: Capture the output of the Docker container + debug: + msg: "Hello World found in the output" + +# Clean +- name: Stop and remove the container + community.docker.docker_container: + name: gramine_minimal + state: absent + +- name: Remove Docker image + community.docker.docker_image: + name: ghcr.io/cosmian/gramine-minimal + tag: "20241202140525" + state: absent
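Review bot: The two cleanup tasks at the end only run if every earlier task succeeds; if `Wait for the container to be ready` exhausts its 15×3 s retries the play fails and leaves `gramine_minimal` running with `/dev/sgx_enclave`, `/dev/sgx_provision` and the aesmd socket attached. Wrap the run/wait/check in a `block` with the stop/remove tasks under `always`, and surface `docker_logs.stderr` in a `rescue` so a timeout is diagnosable instead of just "Hello World not found". The `set_fact: ansible_docker_extra_args` at the top is consumed by nothing visible here — the `community.docker` modules take `docker_host`, not that variable — so drop it or pass `docker_host` explicitly. `ghcr.io/cosmian/gramine-minimal:20241202140525` is a mutable tag; pin by digest for an image whose output the play asserts on.

```yaml
- name: Run the SGX validation container
  block:
    - name: Run Docker container
      # … unchanged: docker_container args …
    - name: Wait for the container to be ready
      # … unchanged: docker logs / until …
    - name: Capture the output of the Docker container
      # … unchanged …
  rescue:
    - name: Report container output on failure
      ansible.builtin.fail:
        msg: "gramine_minimal did not print Hello World; stdout={{ docker_logs.stdout | default('') }} stderr={{ docker_logs.stderr | default('') }}"
  always:
    - name: Stop and remove the container
      community.docker.docker_container:
        name: gramine_minimal
        state: absent
    - name: Remove Docker image
      # … unchanged …
```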