scontain / sh Goto Github PK

Scripts to install SCONE related software

Shell 100.00%

sh's Introduction

Scontain Helper Scripts

Helper script to install Intel SGX driver

Usage

Usage: install_sgx_driver.sh [COMMAND] [OPTIONS]...
Helper script to install Intel SGX driver.

The script supports the following commands:
  check                checks the current SGX driver status
                       (requires 'version' patch)
  install              installs the SGX driver

The following options are supported by 'install' command:
  -d, --dcap           installs the DCAP driver

  -a, --auto           select the driver according to the machine capabilities (DCAP or OOT)

  -p, --patch=[PATCH]  apply patches to the SGX driver. The valid values for PATCH
                       are: 'version', 'metrics', 'page0'.
      -p version       installs the version patch (recommended)
      -p metrics       installs the metrics patch
      -p page0         installs the page0 patch (not available for DCAP)
      -p fsgsbase      installs the fsgsbase patch

  -k, --dkms           installs the driver with DKMS (default for DCAP)

  -l, --latest         installs the latest upstream driver (not recommended)

  -f, --force          replaces existing SGX driver, if installed

The following options are supported by 'check' command:
  -p, --patch=[PATCH]  check the status of patch on current installed driver.
                       The valid values for PATCH are: 'metrics', 'page0'.
      -p metrics       check the status of 'metrics' patch
      -p page0         check the status of 'page0' patch (not available for DCAP)

Note: In case of absence or outdated driver, or absence or outdated patch, this command
will return error.

The following options are supported by both commands:
  -h, --help           display this help and exit

Usage examples

To install the driver with both `metrics` and `page0` patch, run:

$ curl -fsSL https://raw.githubusercontent.com/scontain/SH/master/install_sgx_driver.sh | bash -s - install -p metrics -p page0

To check the status of driver installation and 'metrics' patch, run:

$ curl -fsSL https://raw.githubusercontent.com/scontain/SH/master/install_sgx_driver.sh | bash -s - check -p metrics

sh's People

Contributors

Stargazers

Watchers

Forkers

sbellem schwarzstein sarnautov kaireichart

sh's Issues

Yaml identation for namespace in operator_controller.sh needs to be fixed

Running operator-controller fails when creating the namespace.

5.8.0-rc.1 [master] ⚡  ./operator_controller --namespace osc-scone-system --plugin --create osc-scone-system --username osc.saas --access-token HwR4Ph6q9JNAzKj7Ve_y --email volker.kozlowskigooglemail.com --reconcile --verbose
- Checking that we have access to kubectl
- Checking that we have access to helm
- Checking that we have access to jq
- Checking that you have access to a Kubernetes cluster.
- Checking that we have local access to the container images.
- Checking cert-manager
-   cert-manager is running (found '3' running pods)
- Checking that operator namespace 'osc-scone-system' exists
-   Checking namespace osc-scone-system
WARNING:   Namespace 'osc-scone-system' does not exist.
-  Creating namespace 'osc-scone-system' - enabling automatic pull secret injection
-    Creating manifest '.ns.yaml'
error: error validating ".ns.yaml": error validating data: [ValidationError(Namespace): unknown field "annotations" in io.k8s.api.core.v1.Namespace, ValidationError(Namespace): unknown field "labels" in io.k8s.api.core.v1.Namespace, ValidationError(Namespace): unknown field "name" in io.k8s.api.core.v1.Namespace]; if you choose to ignore these errors, turn validation off with --validate=false
"verbose "Checking that operator namespace '$NAMESPACE' exists"" command failed - exiting.

Line 195 of operator_controller.sh and following needs to be fixed to:

apiVersion: v1
kind: Namespace
metadata:
  name: $NAMESPACE
  labels:
    name: scone-system
  annotations:
    scone-operator/inject-pull-secret:  "true"
    sconeapps/inject-pull-secret:  "true"
EOF

Ability to not run check_image_signatures

Hello!

In kubectl-provision plugin 5.8.0-rc.8 we can run --local-backup without docker installed. In kubectl-provision plugin 5.8.0-rc.20 we got an error because the function check_image_signatures always run.
We run the kubectl-provision plugin to create backup in a container and --local-backup don't use docker images, so we would like an option to disable image checks.

Thanks,
Marton

delete operator deployment during upgrade

kubectl delete deployment.apps/scone-controller-manager

to avoid

Error: UPGRADE FAILED: failed to replace object: Deployment.apps "scone-controller-manager" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"scone-controller", "app.kubernetes.io/name":"scone-controller", "control-plane":"controller-manager"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable
"helm upgrade --install scone-operator ./scone-operator --force --namespace $NAMESPACE --version $VERSION --set image=$PULL_IMAGE" command failed - exiting.

noticed with

rc.2. to rc.3

Vault Image Repository and Vault Image Tag are currently hardcoded

Vault Image Repository and Vault Image Tag are currently hard coded.

Please allow to configure this values.

VAULT_IMAGE_REPO
VAULT_IMAGE_TAG

Thanks, Volker

Prefix for images

Since we mirror the scone images to MTR with a prefix "osc" we need a way to tell the kube-provision to look for images -:.

For example osc-cas:5.8.0-rc.1

Do you think you can add an argument or environment variable ÌMAGE_PREFIX?

Add new command to install_sgx_driver.sh

add command "check" in addition to "install":

check prints the following:

- version installed driver: DCAP, OOT and commit 
  - the commit and how far this is behind origin
  - the commit of applied patches (if any) and how far behind origin, i.e., scontain/SH

- patches installed
   - version
   - metric
   - ... 

Options:
 -q   do not print diagnostics
 -e   fail with error in case driver or patch is out of date
 -p patch  required patch

Example:

install_sgx_driver.sh  check -q -e -p metrics

Fails if metrics patch is not installed or the driver or the patch is not up to date.

We can update the system on demand as follows:

 install_sgx_driver.sh  check -q -e -p metrics || install_sgx_driver.sh install --force --latest -p metrics

kubectl-provision fails to provision CAS

Provisioning cas failed. Running on MacOS using kubectl-provision 5.8.0-rc.1

Find the CAS resource and the log attached.

Any ideas would be highly appreciated.

Thanks, Volker

kubectl-provision.log
cas.yaml.txt

Usage message for --debug flag is weird

kubectl-provision:5.8.0-rc.1

Debug flag does not differntiate between production and debug image as the help message suggests.
Current help for --debug is:

 --debug | debug_short_flag
                  Create debug image instead of a production image

Acutally it just does set -x.