Currently, Benefice workloads are executed via Docker, which means that they're essentially executed as root (and benefice user also has privileged access to the system, since it has to be in docker group)
Naturally, we want to avoid this and using podman could be a way to do that. Unfortunately I was unable to make podman work for this use case with TEEs, on SGX I'd get "OCI permission denied" on AESMD socket and SEV execution would fail with "system miconfigured" reported by Enarx. Refs https://github.com/profianinc/nixpkgs/pull/18
Currently, Benefice workloads are executed via Docker, which means that they're essentially executed as
root(andbeneficeuser also has privileged access to the system, since it has to be indockergroup) Naturally, we want to avoid this and usingpodmancould be a way to do that. Unfortunately I was unable to makepodmanwork for this use case with TEEs, on SGX I'd get "OCI permission denied" on AESMD socket and SEV execution would fail with "system miconfigured" reported by Enarx. Refs https://github.com/profianinc/nixpkgs/pull/18