Running the Sharemind HI Server and Other Basic Operations

1. Running the server

The systemd service can be started by running:

sudo systemctl start sharemind-hi.service

The sharemind-hi-server log can be displayed by running:

sudo journalctl -u sharemind-hi.service

1.1. Server State Reset

To reset the installed Sharemind HI server state (default configuration at /etc/sharemind-hi/server.yaml):

sudo sharemind-hi-server-state-reset

This script reads the server configuration file, finds the paths of all data, state and temporary files, and deletes them.

1.2. Killing Tasks

If you find that some task is stuck, e.g. in some infinite loop, you can kill the respective process through tools like htop. Task processes are child processes of the Sharemind HI Server process and their command lines contain their respective task name. When a task process dies, the Sharemind HI Server restarts that process.

2. Notes for usage within Docker

The Sharemind HI server can be run inside a Docker container. The SGX driver still needs to be installed on the host system.
Within a Docker container, the aesm daemon and the Sharemind HI server need to be started manually, as systemd is not available by default in the Ubuntu Bionic Docker image.
The procedure shown below is a minimal example of how to start the server.
The paths used in CoreEnclave.StateFile, CoreEnclave.AuditLogFile and all DataPath options should point to a location mounted into the container, so that they survive a restart of the server.
You may want to adapt it to your needs, e.g. by running the aesm daemon in a separate container.
Additionally, you may need to change ListenAddress in server.yaml to use 0.0.0.0 as the address, so that the server accepts connections from outside the container.

Dockerfile:

FROM ubuntu:bionic

RUN apt-get update && apt-get install -yq --no-install-recommends \
    apt-transport-https \
    ca-certificates \
    debhelper \
    gnupg \
    software-properties-common

# Setup the apt repositories and install the packages
# as described above. Also install your task enclaves.

# Contains the socket opened by the aesm daemon
RUN mkdir /var/run/aesmd

# Copy the keys and certificates to the locations as specified in the config:
COPY /hostpath/server.key /guestpath/server.key
COPY /hostpath/server.crt /guestpath/server.crt
COPY /hostpath/deployment.crt /guestpath/deployment.crt
COPY /hostpath/server.yaml /guestpath/server.yaml
COPY /hostpath/dataflow-configuration-description.yaml /guestpath/dataflow-configuration-description.yaml

# Create the paths which are used in the `DataPath` and `TemporaryPath` options
# in your `server.yaml`:
RUN mkdir -p /guestpath/data /guestpath/tmp # ...

# entrypoint.sh is shown below.
COPY /hostpath/entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh:

#!/bin/bash

aesmd_path=/opt/intel/sgx-aesm-service/aesm/
export LD_LIBRARY_PATH=$aesmd_path

# Run the daemon in the background; it logs to the container's stdout:
"$aesmd_path/aesm_service" --no-daemon &

# Give the daemon time to start:
sleep 3

# Run the server:
exec sharemind-hi-server -c /guestpath/server.yaml

Starting the container can be done as follows:

tag="shi-server"
# The port as configured in server.yaml:
port="30000"

# Create the directories inside the host mount directory
# as required by your server.yaml (all `DataPath`s,
# `CoreEnclave.StateFile` and `CoreEnclave.AuditLogFile`):
mkdir -p /hostmountdir # ...

# Build the image:
docker build --tag "$tag" -f Dockerfile "."

# Start the container:
docker run \
  --device /dev/isgx \
  --publish "$port:$port" \
  --mount "type=bind,source=/hostmountdir,destination=/guestmountdir" \
  "$tag"
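A mistake that is easy to make in this setup is a StateFile, AuditLogFile or DataPath that points outside the bind-mounted directory, so the server state silently vanishes when the container is recreated. The following shell script is an added example (not part of Sharemind HI) that checks a server.yaml for exactly that before `docker run`; it assumes the keys appear as plain `Key: value` scalar lines (the leaf key is matched at any indentation), and the two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Sharemind HI: verify that every persistent-path
# option in server.yaml lies under the directory bind-mounted into the container.
# Assumption: keys appear as "Key: value" lines; values may be double-quoted.

# check_persist_paths <server.yaml> <guest-mount-dir>
# Prints offending "key: path" lines on stderr; returns 0 if all are under the mount.
check_persist_paths() {
    yaml=$1
    mount=${2%/}          # tolerate a trailing slash on the mount directory
    offending=$(awk -v mount="$mount" -v prefix="$mount/" '
        /^[ \t]*(StateFile|AuditLogFile|DataPath|TemporaryPath)[ \t]*:/ {
            key = $1; sub(/:$/, "", key)                 # "StateFile:" -> "StateFile"
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)      # keep only the value
            sub(/^"/, "", val); sub(/"$/, "", val)       # strip double quotes
            # Persistent only if the path is the mount itself or starts with "<mount>/"
            if (val != mount && index(val, prefix) != 1) print key ": " val
        }' "$yaml")
    if [ -n "$offending" ]; then
        printf 'paths outside %s (lost on container restart):\n%s\n' "$mount" "$offending" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs (not real Sharemind HI files) to exercise the check.
write_samples() {
    cat > "$1/good.yaml" <<'EOF'
ListenAddress: 0.0.0.0:30000
CoreEnclave:
  StateFile: /guestmountdir/state/core.state
  AuditLogFile: "/guestmountdir/log/audit.log"
DataPath: /guestmountdir/data
TemporaryPath: /guestmountdir/tmp
EOF
    cat > "$1/bad.yaml" <<'EOF'
CoreEnclave:
  StateFile: /guestmountdir/state/core.state
  AuditLogFile: /var/log/sharemind-hi/audit.log
DataPath: /guestpath/data
EOF
}

# Stand-alone demo: good.yaml passes, bad.yaml is rejected with two offending paths.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_persist_paths "$demo_dir/good.yaml" /guestmountdir && echo "good.yaml: OK"
if check_persist_paths "$demo_dir/bad.yaml" /guestmountdir; then :; else echo "bad.yaml: rejected"; fi
rm -r "$demo_dir"
```

For a real deployment, call `check_persist_paths /hostpath/server.yaml /guestmountdir` on the host before building the image.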