
PortainerCC Full Guide

marcely0 edited this page May 8, 2023 · 7 revisions

Prerequisites

Make sure you have installed Docker and that your machine is SGX-ready (with Flexible Launch Control, FLC).

In this tutorial I will use two confidential VMs (Standard DC2s v2: 2 vCPUs, 8 GiB memory) hosted on Microsoft Azure. See: How to set up VM

Make sure the required ports are open (Server: 9443, Agent: 9001).

Step by Step

Start a Provisional Certification Caching Service (PCCS)

You will need a PCCS running on every machine you interact with (the Portainer.cc Host VM and the Portainer.cc Agent VM).

First you need to register with Intel and subscribe to obtain your personal API key.

After that you can start the PCCS as a Docker container:

docker run -e APIKEY=<your-API-key> -p 8081:8081 --name pccs -d ghcr.io/edgelesssys/pccs

Set up your Portainer.cc Server instance

Connect to your Server VM and start the Portainer.cc Server instance.

docker run -d -p 8000:8000 -p 9000:9000 -p 9443:9443 \
-v /var/run/docker.sock:/var/run/docker.sock:z \
-v /var/run/docker.sock:/var/run/alternative.sock:z \
-v /tmp:/tmp \
-v pccdata:/data \
--name portainerCC \
marcely0/pcc

Open https://yourserver:9443, trust the self-signed certificate and set up a password / log in.

The first thing we need to do is to generate a signing key under PortainerCC->SGX Signing Keys. Choose a name for your key. (We don't need to select/create any teams since we are the only user for now.)

After that we hit PortainerCC->Coordinator and create a new Coordinator Image with our generated signing key. This will take some time (approx. 5 minutes).

Set up our remote Agent

I will use a second VM for demonstration purposes, but you can also use one VM for both (Server and Agent).

In the Portainer.cc Webinterface hit Environments and click Add environment on the top right.

We will use Docker Standalone. Start the wizard and select Agent.

Copy the presented command and run it on your desired Agent VM.

docker run -d \
  -p 9001:9001 \
  --name portainercc_agent \
  --restart=always \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/docker/volumes:/var/lib/docker/volumes \
  marcely0/pccagent

For now we need a little extra step / workaround: create a Docker network, add the agent to it and have it leave the default network.

docker network create --driver bridge --subnet 172.20.0.0/16 coordinator

docker network connect coordinator portainercc_agent

docker network disconnect bridge portainercc_agent

After you have started the container, add a name and set your environment address (if you use the same machine, use the actual IP/domain and not localhost). A popup should tell you it was successful.

After that hit the Home button and select your newly created environment. You will get a new navigation menu added to your sidebar.

Deploy the Coordinator

Make sure your Agent is in the coordinator network and your PCCS services are up and running!

Hit Coordinator and select your created coordinator image. This step can also take some time.

Your status should be verified and the Manifest should be empty. (If the verification fails, it is most likely because no PCCS is running or the agent is not in the coordinator network.)
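The two failure causes named above (no running PCCS, agent not on the coordinator network) plus the SGX prerequisite are all checkable from the agent VM's shell before hitting Coordinator. The following preflight script is an added example, not part of the PortainerCC wiki or project; it assumes the container names used on this page (pccs, portainercc_agent), the coordinator network created in the workaround above, PCCS listening on https://localhost:8081 as mapped above, and that the PCCS answers the Intel PCCS path /sgx/certification/v3/rootcacrl (an assumption about the image, not something this page states). The check functions take their input as parameters so they can be exercised without Docker.

```shell
#!/bin/sh
# pcc-preflight.sh (added example, not PortainerCC's own tooling).
# Run on the agent VM:  sh pcc-preflight.sh run
# Assumed names/ports below match this guide; override via environment.
AGENT_NAME="${AGENT_NAME:-portainercc_agent}"
PCCS_NAME="${PCCS_NAME:-pccs}"
NET_NAME="${NET_NAME:-coordinator}"
PCCS_URL="${PCCS_URL:-https://localhost:8081}"

# Returns 0 if an SGX device node exists below the given directory
# (/dev on a real host). Both the in-tree driver name (sgx_enclave) and
# the older out-of-tree name (sgx/enclave) are accepted.
sgx_device_present() {
    devroot="${1:-/dev}"
    [ -e "$devroot/sgx_enclave" ] || [ -e "$devroot/sgx/enclave" ]
}

# Takes the space-separated network list printed by
#   docker inspect -f '{{range $k,$v := .NetworkSettings.Networks}}{{$k}} {{end}}' <container>
# and returns 0 only if the container is on the coordinator network AND
# has left the default bridge, i.e. exactly what the workaround requires.
agent_networks_ok() {
    nets="$1"
    on_coord=1
    on_bridge=1
    for n in $nets; do
        if [ "$n" = "$NET_NAME" ]; then on_coord=0; fi
        if [ "$n" = "bridge" ]; then on_bridge=0; fi
    done
    [ "$on_coord" -eq 0 ] && [ "$on_bridge" -ne 0 ]
}

# Interprets the HTTP status code from the PCCS root CA CRL endpoint
# (assumed path); 200 means the service is up and could reach Intel.
pccs_http_ok() {
    [ "$1" = "200" ]
}

# Returns 0 if `docker ps` lists the named container as running.
container_running() {
    docker ps --filter "name=$1" --format '{{.Names}}' 2>/dev/null | grep -qx "$1"
}

# Runs every check against the live host and prints ok/FAIL per item.
check_all() {
    rc=0
    if sgx_device_present /dev; then echo "ok   SGX device node present"
    else echo "FAIL no /dev/sgx_enclave or /dev/sgx/enclave (host not SGX-ready / FLC?)"; rc=1; fi

    if container_running "$PCCS_NAME"; then echo "ok   container $PCCS_NAME running"
    else echo "FAIL container $PCCS_NAME is not running"; rc=1; fi

    code=$(curl -k -s -o /dev/null -w '%{http_code}' \
        "$PCCS_URL/sgx/certification/v3/rootcacrl" || echo 000)
    if pccs_http_ok "$code"; then echo "ok   PCCS answered on $PCCS_URL"
    else echo "FAIL PCCS at $PCCS_URL returned HTTP $code"; rc=1; fi

    nets=$(docker inspect \
        -f '{{range $k,$v := .NetworkSettings.Networks}}{{$k}} {{end}}' \
        "$AGENT_NAME" 2>/dev/null || true)
    if agent_networks_ok "$nets"; then echo "ok   $AGENT_NAME is on '$NET_NAME' only"
    else echo "FAIL $AGENT_NAME networks: '$nets' (expected '$NET_NAME' without 'bridge'; re-run the network connect/disconnect steps)"; rc=1; fi
    return $rc
}

# Only touch Docker/curl when explicitly asked, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    check_all
    exit $?
fi
```

If the Coordinator verification still fails with all four lines reporting ok, the PCCS on the other VM (the server side also needs one, per the note at the top) is the next thing to check.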

Set up encrypted Volumes

If we look ahead into App Templates->Confidential Templates we can see that MongoDB uses two encrypted volumes, so let's set them up first.

Hit PortainerCC->File Encryption Keys under Settings and create two keys.

After that we hit Volumes (always with the agent environment selected) and create two volumes, one for data and one for logs: add a new volume, toggle the Encrypt files button and select one of the keys; then repeat this for the second volume.

Start a confidential MongoDB container

Let's go to App Templates->Confidential Templates and fill out the required fields. (Unfortunately there is a bug for now: if you want to use the preselected volume, you have to change it once and set it back, otherwise the request is missing the value.)

Hit Deploy service and check your Container tab afterwards.

Check the log of the newly created container and wait until it has booted; then you can connect to your secure MongoDB.

🥇 You just deployed your first confidential container using Portainer.cc 🥇