Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove loader.entrypoint from manifest template #225

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

kailun-qin
Copy link
Contributor

@kailun-qin kailun-qin commented Nov 13, 2024

Description of the changes

This is a commit corresponding to commit 87c752f "[PAL] Drop deprecated syntax of loader.entrypoint" in core Gramine repository.

Fixes #224.

How to test this PR?

Manual testing.


This change is Reviewable

This is a commit corresponding to commit 87c752f "[PAL] Drop deprecated
syntax of loader.entrypoint" in core Gramine repository.

Signed-off-by: Kailun Qin <[email protected]>
Copy link
Member

@mkow mkow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required)

@anjalirai-intel
Copy link
Contributor

@kailun-qin

I additionally tested the PR in Gramine-Direct mode, and found that the fix works only for Gramine-SGX but causes issues in Gramine-Direct. I've attached both manifest files for your reference. You'll notice that entrypoint.manifest.sgx includes loader.entrypoint, whereas entrypoint.manifest does not. Could you please investigate this further?

manifest.zip

Logs:

$ docker run --device=/dev/sgx_enclave --env GRAMINE_MODE=direct -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket --security-opt seccomp=unconfined   gsc-ubuntu22.04-bash -c "echo hello"
error: PAL failed No 'loader.entrypoint.uri' is specified in the manifest



$ docker run --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket   gsc-ubuntu22.04-bash -c "echo hello"
Gramine is starting. Parsing TOML manifest file, this may take some time...
-----------------------------------------------------------------------------------------------------------------------
Gramine detected the following insecure configurations:

  - loader.insecure__use_cmdline_argv = true   (forwarding command-line args from untrusted host to the app)

Gramine will continue application execution, but this configuration must not be used in production!
-----------------------------------------------------------------------------------------------------------------------

hello

Copy link
Contributor Author

@kailun-qin kailun-qin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, not enough approvals from maintainers (1 more required)


a discussion (no related file):
Thanks @anjalirai-intel, good catch!

I think the issue lies in the manifest preprocessing (which auto-fills loader.entrypoint.uri, see here) implemented in core Gramine is not invoked when generating entrypoint.manifest in gsc (which is used by gramine-direct). Note that this is implicitly called during gsc sign-image/gramine-sgx-sign (see here), so it works fine in gramine-sgx mode.

I think the simplest solution would be to keep loader.entrypoint.uri (w/ the updated name) in the manifest templates. Alternatively, we could implement/call similar logic in gsc.

@DukeDavis12
Copy link

@kailun-qin Please review PR #223 ; includes loader.entrypoint.uri changes.

@anjalirai-intel
Copy link
Contributor

@kailun-qin Please review PR #223 ; includes loader.entrypoint.uri changes.

@DukeDavis12 PR #223 is also not fixing the issue in gramine-direct. I am getting below error when running with Gramine-Direct

Error:

error: Invalid trusted file in manifest at index 0 (not a TOML table)
error: libos_init() failed in init_trusted_allowed_files: Invalid argument (EINVAL)

@anjalirai-intel
Copy link
Contributor

@kailun-qin Any updates on the PR?

Copy link
Contributor Author

@kailun-qin kailun-qin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@anjalirai-intel: I think @DukeDavis12 would want to introduce a fix which is somewhat tangled w/ #223?

Reviewable status: all files reviewed, 1 unresolved discussion

@aneessahib
Copy link
Contributor

@kailun-qin please go ahead merge this fix. @DukeDavis12 will rebase after.

@adarshan-intel
Copy link
Contributor

Can we merge this?
PR #228 depends on this

Copy link
Member

@mkow mkow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @anjalirai-intel)


a discussion (no related file):

Previously, kailun-qin (Kailun Qin) wrote…

Thanks @anjalirai-intel, good catch!

I think the issue lies in the manifest preprocessing (which auto-fills loader.entrypoint.uri, see here) implemented in core Gramine is not invoked when generating entrypoint.manifest in gsc (which is used by gramine-direct). Note that this is implicitly called during gsc sign-image/gramine-sgx-sign (see here), so it works fine in gramine-sgx mode.

I think the simplest solution would be to keep loader.entrypoint.uri (w/ the updated name) in the manifest templates. Alternatively, we could implement/call similar logic in gsc.

So, this is still broken? What's the status of this issue?

Copy link
Member

@woju woju left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 3 of 3 files at r1, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @anjalirai-intel)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

GSC workloads are failing during the signing process with the error unknown loader.entrypoint.
8 participants