CAS for Development and Production
We explain how to start a SCONE CAS instance.
- for development on your local machine, and
- for production in case you do not use Kubernetes.
Production CAS using Kubernetes
For running CAS in a Kubernetes Cluster in production, please set up SCONE Operator.
Public CAS for development
We have set up a public CAS instance at the domain scone-cas.cf for testing and development. This public CAS instance runs in pre-release mode, i.e., do not use the public instance for production.
Pulling CAS Image
To start CAS, you first pull the CAS Docker image to your local registry. To be able to do so, please ask us via email for access to CAS. We will give you access to a private Docker repository and send you the name of that repository.
For this tutorial, please set the environment variable CAS to the name of the Docker repository. Typically, this looks something like this:
```bash
export CAS=registry.scontain.com/scone.cloud/cas
```
Pull the CAS image like this:
```bash
docker pull $CAS
```
If this fails, ensure that you are logged into Docker (via docker login) and that you have set the environment variable CAS properly.
Determining the SGX device
Depending on the platform, the SGX device is named /dev/sgx_enclave, /dev/sgx/sgx_enclave (legacy), /dev/isgx (legacy) or /dev/sgx (legacy). To write generic software, you could use the bash function determine_sgx_device. It sets the environment variable SGXDEVICE to the device that needs to be mounted.
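The following is an added example of such a function, not SCONE's own determine_sgx_device. It probes the candidate device names listed above in order, newest driver first, and assumes an optional directory argument (defaulting to /dev) so that the probe can be exercised against a constructed directory:

```shell
#!/usr/bin/env bash
# Added example, not SCONE's own implementation: probe the candidate SGX
# device paths listed above and export SGXDEVICE to the first one found.
# The optional first argument (assumed for this example) replaces /dev as
# the directory to probe, e.g. for a constructed test fixture.
determine_sgx_device() {
    local dev_root="${1:-/dev}"
    local candidate path
    # Order matters: prefer the in-tree driver name, then the legacy names.
    for candidate in sgx_enclave sgx/sgx_enclave isgx sgx; do
        path="$dev_root/$candidate"
        # Skip directories: with the in-tree driver /dev/sgx is a directory,
        # not the legacy device node of the same name.
        if [ -e "$path" ] && [ ! -d "$path" ]; then
            SGXDEVICE="$path"
            export SGXDEVICE
            return 0
        fi
    done
    # No device: leave SGXDEVICE unset so that "$SGXDEVICE:$SGXDEVICE" in the
    # compose file cannot silently expand to ":" and start CAS without SGX.
    unset SGXDEVICE
    echo "determine_sgx_device: no SGX device found under $dev_root" >&2
    return 1
}
```

Call it without arguments before writing the compose file; a non-zero exit status means no SGX device was found and CAS in HW mode cannot start.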
Starting and Stopping CAS
The easiest way to start CAS is to use a simple Docker compose file. To do so, create a new directory for the Docker compose file:
```bash
mkdir -p CAS
cd CAS
```
Create a compose file that exposes the ports of CAS to the host:
```bash
determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
  cas:
    command: cas -c /etc/cas/cas.toml
    environment:
      - SCONE_LOG=info
      - SCONE_MODE=HW
      - SCONE_LAS_ADDR=172.17.0.1
    image: $CAS
    privileged: true
    working_dir: /etc/cas
    devices:
      - "$SGXDEVICE:$SGXDEVICE"
    volumes:
      - "$PWD/cas:/etc/cas/"
    restart: on-failure
    ports:
      - target: 8081
        published: 8081
        protocol: tcp
        mode: host
      - target: 18765
        published: 18765
        protocol: tcp
        mode: host
EOF
```
We also need a default owner configuration file. Please replace the placeholder values below with your own subscription keys for EPID (IAS) or DCAP; you can retrieve these keys from the Intel website.
```bash
mkdir cas
cat > cas/cas-default-owner-config.toml <<EOF
[ias]
spid = "00000000000000000000000000000000"
linkable_quotes = true
sp_key = "00000000000000000000000000000000"
[dcap]
subscription_key = "00000000000000000000000000000000"
EOF
```
Then create the CAS configuration file itself:
```bash
cat > cas/cas.toml <<EOF
[database]
path = "/etc/cas/cas.db"
[api]
api_listen = "0.0.0.0:8081"
enclave_listen = "0.0.0.0:18765"
EOF
```
You need to provision the CAS first (using the image name stored in CAS above):
```bash
docker run -v $PWD/cas:/etc/cas -it --network host --rm --device $SGXDEVICE $CAS sh -c "set -m ; cd /etc/cas; export SCONE_LAS_ADDR=127.0.0.1:18766 ; cas provision --owner-config /etc/cas/cas-default-owner-config.toml "
```
Now start CAS in the background as follows:
```bash
docker-compose up -d cas
```
By executing
```bash
docker-compose logs cas
```
you will see the output of CAS.
You can check whether CAS is still running by executing the following:
```bash
docker-compose up -d cas
```
If CAS is already running, this results in output like
```
cas_cas_1 is up-to-date
```
You can stop CAS by executing the following:
```bash
docker-compose stop cas
```