CAS for Development and Production
We explain how to start a SCONE CAS instance.
- for development on your local machine, and
- production in case you do not use Kubernetes.
Production CAS using Kubernetes
For running CAS in a Kubernetes Cluster in production, please set up SCONE Operator.
Public CAS for development
We operate a public CAS instance at the domain scone-cas.cf for testing and development. This public CAS instance runs in pre-release mode, so do not use it for production.
Pulling CAS Image
To start CAS, you first pull the CAS Docker image onto your local machine. To be able to do so, please ask us via email for access to CAS. We will give you access to a private Docker repository and send you its name.
For this tutorial, please set the environment variable CAS to the name of that Docker repository. Typically, this might look something like this:
Pull the CAS image like this:
```
docker pull $CAS
```
If this fails, ensure that you are logged into Docker (via docker login) and that you have set the environment variable CAS.
Determining the SGX device
Depending on the platform and the SGX driver in use, the SGX device is named /dev/isgx (legacy out-of-tree driver) or /dev/sgx. To write generic software, you can use the bash function determine_sgx_device: it sets the environment variable SGXDEVICE to the device that needs to be mounted into the container.
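The page refers to determine_sgx_device without showing it. The function below is an added example of my own, not SCONE's implementation; it follows the same contract (probe the candidate device nodes, export SGXDEVICE). Beyond the two names on this page it also probes /dev/sgx_enclave, the node created by the in-kernel driver, which is an assumption about your platform. The optional root argument is not part of the original and exists only so the function can be exercised against a fake /dev tree; it fails closed (non-zero exit, empty SGXDEVICE) when no device is found, so a caller can refuse to start CAS in HW mode instead of silently mounting nothing.

```shell
#!/bin/sh
# Added example, not SCONE's own determine_sgx_device.
# Probe for the SGX device node and export SGXDEVICE for the compose file.
# $1 (optional) is a prefix path, used only to test against a fake /dev tree.
determine_sgx_device() {
    root="${1:-}"
    # Order matters: the in-kernel driver node /dev/sgx_enclave (assumption,
    # not named on the page) first, then /dev/sgx, then the legacy /dev/isgx.
    for dev in /dev/sgx_enclave /dev/sgx /dev/isgx; do
        # -e rather than -c so the function can be tested with plain files;
        # on a real host these entries are character devices (or a directory
        # of them in the case of /dev/sgx).
        if [ -e "$root$dev" ]; then
            SGXDEVICE="$dev"
            export SGXDEVICE
            return 0
        fi
    done
    # Fail closed: an empty SGXDEVICE would silently drop the devices: entry.
    SGXDEVICE=""
    export SGXDEVICE
    echo "warning: no SGX device found; CAS cannot run with SCONE_MODE=HW" >&2
    return 1
}

# Usage on the real host (no prefix argument):
#   determine_sgx_device && echo "mounting $SGXDEVICE"
```

Call it before generating docker-compose.yml and abort if it returns non-zero; otherwise the heredoc expands "$SGXDEVICE:$SGXDEVICE" to ":" and compose rejects the file.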
Starting and Stopping CAS
The easiest way to start CAS is to use a simple Docker compose file. To do so, create a new directory for the Docker compose file:
```
mkdir -p CAS
cd CAS
```
Create a compose file that exposes the ports of CAS to the host. The cas service reaches the SCONE LAS running on the host through 172.17.0.1, the gateway address of the default Docker bridge; adjust it if your bridge uses a different subnet:
```
determine_sgx_device
cat > docker-compose.yml <<EOF
version: '3.2'
services:
  cas:
    command: cas -c /etc/cas/cas.toml
    environment:
      - SCONE_LOG=info
      - SCONE_MODE=HW
      - SCONE_LAS_ADDR=172.17.0.1
    image: $CAS
    privileged: true
    working_dir: /etc/cas
    devices:
      - "$SGXDEVICE:$SGXDEVICE"
    volumes:
      - "$PWD/cas:/etc/cas/"
    restart: on-failure
    ports:
      - target: 8081
        published: 8081
        protocol: tcp
        mode: host
      - target: 18765
        published: 18765
        protocol: tcp
        mode: host
EOF
```
We need a default owner configuration file. It must contain your own attestation credentials: either an EPID service provider ID and key (the [ias] section) or a DCAP API subscription key (the [dcap] section). You can retrieve these keys from the Intel website; the all-zero values below are placeholders that must be replaced. These files contain secrets, so keep them out of version control and readable only by you (chmod 600).
```
mkdir cas
cat > cas/cas-default-owner-config.toml <<EOF
[ias]
spid = "00000000000000000000000000000000"
linkable_quotes = true
sp_key = "00000000000000000000000000000000"

[dcap]
subscription_key = "00000000000000000000000000000000"
EOF
cat > cas/cas.toml <<EOF
[database]
path = "/etc/cas/cas.db"

[api]
api_listen = "0.0.0.0:8081"
enclave_listen = "0.0.0.0:18765"
EOF
```
You need to provision the CAS first. This step runs with --network host and therefore expects a SCONE LAS listening on the host at 127.0.0.1:18766; the image is the same one you pulled as $CAS:
```
docker run -v $PWD/cas:/etc/cas -it --network host --rm --device $SGXDEVICE \
  registry.scontain.com/scone.cloud/cas \
  sh -c "set -m ; cd /etc/cas; export SCONE_LAS_ADDR=127.0.0.1:18766 ; cas provision --owner-config /etc/cas/cas-default-owner-config.toml"
```
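Provisioning with the placeholder credentials, or with an owner configuration that other local users can read, is an easy mistake at this step. The following pre-flight check is an added example of my own and is not part of SCONE: it reads the two files created above, refuses to continue unless at least one of the two attestation mechanisms (EPID spid and sp_key, or DCAP subscription_key) holds a non-placeholder value, and flags a file mode that exposes the secrets. The file names and the 32-zero placeholder come from the page; the minimal TOML parsing, the helper names, and the use of GNU stat -c (assumed available, as on Linux and BusyBox) are mine.

```shell
#!/bin/sh
# Added example, not part of SCONE: pre-flight check for the CAS owner config.
# Exit non-zero if no real attestation credential is present or the file is
# readable by group/others.
PLACEHOLDER="00000000000000000000000000000000"

# Print the quoted value of key $2 from TOML file $1 (simple key = "value" lines).
toml_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# A value is usable when it is present and not the tutorial placeholder.
usable_value() {
    [ -n "$1" ] && [ "$1" != "$PLACEHOLDER" ]
}

check_owner_config() {
    cfg="$1"
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "$cfg: not found" >&2
        return 1
    fi
    # Secrets in this file: only the owner should be able to read it.
    # stat -c is GNU/BusyBox syntax (assumption).
    perms=$(stat -c '%a' "$cfg")
    case "$perms" in
        *00) ;;
        *) echo "$cfg: mode $perms is readable by group/others; run chmod 600" >&2; rc=1 ;;
    esac
    # EPID needs both spid and sp_key; DCAP needs subscription_key.
    epid_ok=1
    for key in spid sp_key; do
        if ! usable_value "$(toml_value "$cfg" "$key")"; then epid_ok=0; fi
    done
    dcap_ok=1
    if ! usable_value "$(toml_value "$cfg" subscription_key)"; then dcap_ok=0; fi
    if [ "$epid_ok" -eq 0 ] && [ "$dcap_ok" -eq 0 ]; then
        echo "$cfg: neither [ias] (spid, sp_key) nor [dcap] (subscription_key) holds real credentials" >&2
        rc=1
    fi
    return $rc
}

# Usage, before the provisioning command:
#   check_owner_config cas/cas-default-owner-config.toml || exit 1
```

The check deliberately accepts a configuration where only one mechanism is filled in, because the page says EPID or DCAP; it does not validate the credentials themselves, which only the provisioning step against Intel's services can do.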
Now start CAS in the background as follows:
```
docker-compose up -d cas
docker-compose logs cas
```
You will see the output of CAS.
You can check if CAS is still running by executing the following:
```
docker-compose up -d cas
```
This will result in an output like
```
cas_cas_1 is up-to-date
```
(docker-compose ps cas shows the same state without touching the container.) You can stop CAS by executing the following:
```
docker-compose stop cas
```