docs: provide a guide for how to use IBM Secure Execution #7146
Conversation
|
Hey Choi this is failing with the error: |
There was a problem hiding this comment.
Just a thought - I wonder if the CoCo operator section would be better off in the coco documentation. Maybe as a new entry in https://github.com/confidential-containers/documentation/tree/main/guides like sev has? It might be more appropriate to document/link to the kata-deploy in this doc?
Yeah, I will let you know after discussing what you mentioned with @hbrueckner . Thanks! 😉 |
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
16e74af
to
bcc1487
Compare
|
@hbrueckner I have relocated the section for CC operator in confidential-containers/documentation#133 and made this document refer to the kata-deploy. |
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
bcc1487
to
5819968
Compare
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
5819968
to
aca7d7b
Compare
There was a problem hiding this comment.
Hi @BbolroC ,
thanks for this excellent documentation. I have only a few edits and remarks to follow-up. Thanks a lot!
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
aca7d7b
to
5cb8fec
Compare
BbolroC
changed the title
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
5cb8fec
to
9ecd65d
Compare
katacontainersbot
added
size/tiny
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
9ecd65d
to
db8d18d
Compare
katacontainersbot
added
size/large
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
db8d18d
to
174ad9c
Compare
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
174ad9c
to
4fe283e
Compare
katacontainersbot
added
size/tiny
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
4fe283e
to
76d723a
Compare
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
5 times, most recently
from
9943080
to
9ff825a
Compare
BbolroC
changed the title
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
9ff825a
to
d88af8e
Compare
katacontainersbot
added
size/large
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
d88af8e
to
88d1b01
Compare
|
For reviewers, you can find the referred documentation in the section |
| metadata: | ||
| name: nginx-kata | ||
| spec: | ||
| runtimeClassName: kata-qemu |
There was a problem hiding this comment.
Hi Choi, this is probably a stupid question, but where does kata-qemu-se runtimeClass come into use over kata-qemu. Is it just when using kata-deploy rather than the manual approach as the other runtime class hasn't been created?
There was a problem hiding this comment.
The document starts with an assumption that kata container is installed. It would be good to have how to generate a new runtime class like kata-qemu-se to the doc, but I just wanted to make it focus on explaining how to run a kata container on IBM Z SE based on the basic setup.
And yes, you are right, a runtime class kata-qemu-se is introduced in the doc for confidential containers. 😉
|
https://github.com/kata-containers/kata-containers/actions/runs/7585438489/job/20661329265?pr=7146 will be resolved when confidential-containers/operator#329 is merged. |
| If any of the results are not identifiable, please reach out to the responsible cloud | ||
| provider to enable the Secure Execution capability. Alternatively, if you possess | ||
| administrative privileges and the facility bit is set, you can enable the Secure Execution | ||
| capability by adding `prot_virt=1` to the kernel parameters and performing a system reboot with: |
There was a problem hiding this comment.
minor: ...performing a system reboot_, for example,_ with:....
The example is using the zipl.conf directly... there are meanwhile zipl support for BLS which need to be differently configured. So just make this as an example, as distros might vary.
There was a problem hiding this comment.
Thanks for the feedback. The document has been updated.
| resource `ccruntime` for confidential containers, enabling the operator to install Kata | ||
| binary artifacts such as kernel, shim-v2, and more. | ||
|
|
||
| In this section, we will specifically guide you on building a payload image |
There was a problem hiding this comment.
minor: remove "we" and use "you will learn" or "This section explains how" / "This section guides you through....."
There was a problem hiding this comment.
Thanks for the feedback. The document has been updated.
| ## Considerations for CI | ||
|
|
||
| If you intend to integrate the aforementioned procedure with a CI system, it is | ||
| recommended to configure the following setup for an environment variable. |
There was a problem hiding this comment.
minor: remove "it is recommended" and simply use "configure"
There was a problem hiding this comment.
Thanks for the feedback. The document has been updated.
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
2 times, most recently
from
3c5e691
to
3d8c07e
Compare
This PR is to add a document for how to run kata containers under IBM Secure Execution environment. Fixes: kata-containers#7025 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
BbolroC
force-pushed
the
ibm-se-howto-doc
branch
from
3d8c07e
to
25ecca9
Compare
|
/test |
This PR is to add a document for how to run kata containers under IBM Secure Execution environment.
Fixes: #7025
Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com