intel / SGXDataCenterAttestationPrimitives

Make qcnl.conf location configurable for default qpl #393

Closed hu6360567 closed 5 months ago

hu6360567 commented 5 months ago

Hi there,

I am attempting to run the attestation service in a Dockerized environment, following the instructions provided in the following link: https://github.com/confidential-containers/trustee/blob/main/attestation-service/Dockerfile.as-restful. This service depends on a PCCS to verify SGX/TDX related quotes.

The default QPL uses a hardcoded location, which specifies the URL to localhost. However, this is not suitable for a Docker container environment. https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/cd27223301e7c2bc80c9c5084ad6f5c2b9d24f5c/QuoteGeneration/qcnl/linux/qcnl_config_impl.cpp#L47

I am considering changing the PCCS URL to a fixed one in the Dockerfile, for example, "https://api.trustedservices.intel.com/sgx/certification/v4/". However, this may introduce additional latency, and there have been occasional conflicts with CSP configuration.

Therefore, when the container is deployed, there needs to be a proper way to update the qcnl config file to adjust the deployment. One potential solution is to change the entry point of the service to a shell script that updates the "hardcoded" config file and starts the server.

Alternatively, should we use an environment variable to configure the qcnl.conf location? Are there any drawbacks to using a configurable config location?

Or, is there any best practice on using "libsgx-dcap-default-qpl" with a dockerized deployment?

lingyuj commented 5 months ago

Is it possible to use Docker Bind Mounts? For example, docker run -v /path/on/host/sgx_default_qcnl.conf:/etc/sgx_default_qcnl.conf -d
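
The entrypoint-script option raised in the question, as an added example (not code from this thread, DCAP or trustee): it rewrites only the pccs_url value at container start and leaves certificate checking as configured. PCCS_URL and QCNL_CONF are hypothetical environment variable names, and the file is assumed to be the JSON form of sgx_default_qcnl.conf with pccs_url and use_secure_cert keys.

```shell
#!/bin/sh
# Added example of the entrypoint approach discussed above; not DCAP or trustee code.
# PCCS_URL and QCNL_CONF are hypothetical variable names chosen for this sketch.

# Accept only https URLs built from characters that cannot break out of the
# JSON string or the sed replacement (no quotes, backslashes, '&', '|', spaces).
valid_pccs_url() {
    case "$1" in https://?*) ;; *) return 1 ;; esac
    case "$1" in *[!A-Za-z0-9._:/-]*) return 1 ;; esac
    return 0
}

# True unless the file turns off TLS certificate checking for the PCCS connection.
secure_cert_enabled() {
    ! grep -Eq '"use_secure_cert"[[:space:]]*:[[:space:]]*false' "$1"
}

# Rewrite only the pccs_url value, leaving every other setting untouched.
set_pccs_url() {
    conf=$1
    url=$2
    valid_pccs_url "$url" || { echo "refusing PCCS URL: $url" >&2; return 1; }
    grep -q '"pccs_url"' "$conf" || { echo "no pccs_url key in $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if sed 's|\("pccs_url"[[:space:]]*:[[:space:]]*\)"[^"]*"|\1"'"$url"'"|' "$conf" > "$tmp"; then
        # cat instead of mv so the update also works when the file is bind-mounted
        cat "$tmp" > "$conf"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Entrypoint behaviour: patch the config if PCCS_URL is set, then start the service.
conf_path=${QCNL_CONF:-/etc/sgx_default_qcnl.conf}
if [ -n "${PCCS_URL:-}" ]; then
    set_pccs_url "$conf_path" "$PCCS_URL" || exit 1
    secure_cert_enabled "$conf_path" || echo "warning: use_secure_cert is false" >&2
fi
if [ "$#" -gt 0 ]; then exec "$@"; fi
```

With the bind mount suggested above, the same file can instead be mounted read-only and the script left out.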