docs: provide a guide for how to use IBM Secure Execution #7146
Hey Choi, this is failing with the error:
Just a thought - I wonder if the CoCo operator section would be better off in the coco documentation. Maybe as a new entry in https://github.com/confidential-containers/documentation/tree/main/guides like sev has? It might be more appropriate to document/link to the kata-deploy in this doc?
Yeah, I will let you know after discussing what you mentioned with @hbrueckner . Thanks! 😉
@hbrueckner I have relocated the section for CC operator in confidential-containers/documentation#133 and made this document refer to the kata-deploy.
Hi @BbolroC ,
thanks for this excellent documentation. I have only a few edits and remarks to follow-up. Thanks a lot!
Besides one small nit, LGTM
just two minor edits
For reviewers, you can find the referred documentation in the section
metadata:
  name: nginx-kata
spec:
  runtimeClassName: kata-qemu
Hi Choi, this is probably a stupid question, but where does the kata-qemu-se runtimeClass come into use over kata-qemu? Is it just when using kata-deploy rather than the manual approach, as the other runtime class hasn't been created?
The document starts with an assumption that kata container is installed. It would be good to add how to generate a new runtime class like kata-qemu-se to the doc, but I just wanted to make it focus on explaining how to run a kata container on IBM Z SE based on the basic setup.
And yes, you are right, a runtime class kata-qemu-se is introduced in the doc for confidential containers. 😉
https://github.com/kata-containers/kata-containers/actions/runs/7585438489/job/20661329265?pr=7146 will be resolved when confidential-containers/operator#329 is merged.
I don't have a spare z16 LPAR to test on, but I've read through the documentation and it looks good to me. Thanks!
If any of the results are not identifiable, please reach out to the responsible cloud
provider to enable the Secure Execution capability. Alternatively, if you possess
administrative privileges and the facility bit is set, you can enable the Secure Execution
capability by adding `prot_virt=1` to the kernel parameters and performing a system reboot with:
minor: "...performing a system reboot_, for example,_ with: ..."
The example is using the zipl.conf directly... there is meanwhile zipl support for BLS, which needs to be configured differently. So just make this an example, as distros might vary.
Thanks for the feedback. The document has been updated.
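The host-side prerequisites the quoted excerpt names (the Secure Execution facility bit set, `prot_virt=1` in the kernel parameters) as a readiness check, written as an added shell example that is not part of this PR or the kata-containers documentation. It assumes facility bit 158 in `/proc/cpuinfo` and the `/sys/firmware/uv/prot_virt_host` sysfs file are the indicators, and takes file paths as arguments so it can be run against captured copies of those files.

```shell
#!/bin/sh
# Added example (not from the kata-containers docs or this PR): readiness check
# for the host prerequisites the excerpt names: SE facility bit set, prot_virt=1
# active. Assumptions: facility bit 158 is the ultravisor-call facility that
# Secure Execution requires; /sys/firmware/uv/prot_virt_host reads 1 when the
# host ultravisor is on. Paths are parameters so captured copies can be checked.

# se_facility_present <cpuinfo>: bit 158 listed in the "facilities" line
se_facility_present() {
    grep '^facilities' "$1" | tr ' ' '\n' | grep -qx '158'
}

# prot_virt_in_cmdline <cmdline>: kernel was booted with prot_virt=1
prot_virt_in_cmdline() {
    tr ' ' '\n' < "$1" | grep -qx 'prot_virt=1'
}

# uv_host_enabled <prot_virt_host>: host-side protected virtualization is on
uv_host_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# se_host_status <cpuinfo> <cmdline> <prot_virt_host>: one line per check.
# Returns 2 if the facility is missing (ask the provider), 1 if the facility is
# there but prot_virt is not enabled (add prot_virt=1 and reboot), 0 when ready.
se_host_status() {
    rc=0
    if se_facility_present "$1"; then
        echo "facility 158: present"
    else
        echo "facility 158: missing, Secure Execution must be enabled by the provider"
        return 2
    fi
    if prot_virt_in_cmdline "$2"; then
        echo "prot_virt=1: on kernel command line"
    else
        echo "prot_virt=1: not set, add it to the kernel parameters and reboot"
        rc=1
    fi
    if uv_host_enabled "$3"; then
        echo "ultravisor host mode: enabled"
    else
        echo "ultravisor host mode: disabled"
        rc=1
    fi
    return $rc
}

# Live system (s390x only): se_host_status /proc/cpuinfo /proc/cmdline /sys/firmware/uv/prot_virt_host
```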
resource `ccruntime` for confidential containers, enabling the operator to install Kata
binary artifacts such as kernel, shim-v2, and more.

In this section, we will specifically guide you on building a payload image
minor: remove "we" and use "you will learn" or "This section explains how" / "This section guides you through....."
Thanks for the feedback. The document has been updated.
## Considerations for CI

If you intend to integrate the aforementioned procedure with a CI system, it is
recommended to configure the following setup for an environment variable.
minor: remove "it is recommended" and simply use "configure"
Thanks for the feedback. The document has been updated.
Hi Choi,
thanks a lot for pulling this excellent guide together. I have only really minor remarks/edits that should not hold back any approval.
/approve
This PR is to add a document for how to run kata containers under IBM Secure Execution environment. Fixes: kata-containers#7025 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
/test
This PR is to add a document for how to run kata containers under IBM Secure Execution environment.
Fixes: #7025
Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com