sc2-sys/deploy

sc2-deploy

Deployment and build scripts for Serverless Confidential Containers (SC2)

SC2 is a system to run serverless functions in confidential containers. It is deployed on a Kubernetes cluster on top of Knative, and builds on the Confidential Containers project.

SC2 currently supports AMD SEV-SNP and Intel TDX as the underlying TEE, and requires deployment on a bare-metal host. Before moving forward, make sure the TEE is correctly set up on the host. For SEV-SNP you may use `snphost ok` to check.

Lastly, make sure you are using the exact host kernel for your TEE:

  • SEV-SNP: `6.8.0-rc5-next-20240221-snp-host-cc2568386`
  • TDX: `6.8.0-1004-intel`

Quick Start

To get started with SC2, clone this repository and run:

# This shell script will auto-detect the installed TEE (TDX or SNP)
source ./bin/workon.sh

# The following will call `sudo` under the hood
inv sc2.deploy [--debug] [--clean]

The previous command will install a single-node k8s cluster with CoCo, install Knative, and install SC2.

Warning

Deploying SC2 will patch many components of the system, such as containerd, docker, nydus-snapshotter, and kata. We recommend installing on a fresh host and, if needed, using the --clean flag.

You can now check that everything is running by running a simple hello world:

# Use qemu-tdx-sc2 for TDX
export SC2_RUNTIME_CLASS=qemu-snp-sc2

# Knative demo
envsubst < ./demo-apps/helloworld-knative/service.yaml | kubectl apply -f -
curl $(kubectl get ksvc helloworld-knative --output=custom-columns=URL:.status.url --no-headers)

# Non-Knative demo
envsubst < ./demo-apps/helloworld-py/deployment.yaml | kubectl apply -f -
curl $(kubectl get services -o jsonpath='{.items[?(@.metadata.name=="coco-helloworld-py-node-port")].spec.clusterIP}'):8080

For more complex applications and workloads, please check our applications and experiments.
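The quick start above assumes you already know which TEE the host has, that the host kernel matches the pinned version, and that `SC2_RUNTIME_CLASS` was set by hand to match. The following preflight script ties those checks together: it detects the TEE, compares `uname -r` against the pinned kernel for that TEE, exports the matching runtime class, and only then runs the Knative hello world. This is an added example and not part of sc2-deploy or of `bin/workon.sh`; the probes it uses to detect the TEE (`/dev/sev` for an AMD SEV host, `/sys/module/kvm_intel/parameters/tdx` reading `Y` for an Intel TDX host) are assumptions about the host, not something this README specifies.

```shell
#!/bin/sh
# SC2 host preflight: detect TEE, verify pinned kernel, pick runtime class.
# Added example, not sc2-deploy's own code. The /dev/sev and
# /sys/module/kvm_intel/parameters/tdx probes are assumptions about the host.

# Exact host kernels this README pins, per TEE.
expected_kernel() {
  case "$1" in
    snp) printf '%s\n' "6.8.0-rc5-next-20240221-snp-host-cc2568386" ;;
    tdx) printf '%s\n' "6.8.0-1004-intel" ;;
    *)   return 1 ;;
  esac
}

# Runtime class the demo manifests expect in SC2_RUNTIME_CLASS, per TEE.
runtime_class_for() {
  case "$1" in
    snp) printf '%s\n' "qemu-snp-sc2" ;;
    tdx) printf '%s\n' "qemu-tdx-sc2" ;;
    *)   return 1 ;;
  esac
}

# Detect the TEE from device/sysfs nodes under root $1 (empty means "/").
# Assumption: the ccp driver creates /dev/sev on AMD SEV hosts, and the
# TDX-enabled kvm_intel module exposes a "tdx" parameter set to Y.
detect_tee() {
  root="${1:-}"
  tdx_param="$root/sys/module/kvm_intel/parameters/tdx"
  if [ -e "$root/dev/sev" ]; then
    printf 'snp\n'
  elif [ -r "$tdx_param" ] && [ "$(cat "$tdx_param")" = "Y" ]; then
    printf 'tdx\n'
  else
    return 1
  fi
}

# Return 0 iff the running kernel string $2 equals the pinned kernel for TEE $1.
check_kernel() {
  want="$(expected_kernel "$1")" || return 1
  [ "$2" = "$want" ]
}

# Preflight against the live host, then run the README's Knative demo.
preflight() {
  tee="$(detect_tee "")" || { echo "no SEV-SNP or TDX support found on host" >&2; return 1; }
  running="$(uname -r)"
  if ! check_kernel "$tee" "$running"; then
    echo "kernel mismatch for $tee: running $running, expected $(expected_kernel "$tee")" >&2
    return 1
  fi
  SC2_RUNTIME_CLASS="$(runtime_class_for "$tee")"
  export SC2_RUNTIME_CLASS
  echo "TEE=$tee kernel=$running SC2_RUNTIME_CLASS=$SC2_RUNTIME_CLASS"
  # Same demo as in the quick start, with the runtime class set from detection.
  envsubst < ./demo-apps/helloworld-knative/service.yaml | kubectl apply -f -
  curl "$(kubectl get ksvc helloworld-knative --output=custom-columns=URL:.status.url --no-headers)"
}

# Only touch the live host and cluster when explicitly asked to.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it as `sh preflight.sh run` from the repository root after `inv sc2.deploy` has finished; without the `run` argument it only defines the functions, so the detection and kernel checks can be exercised against a fake root directory before using it on a real host.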

After you are done using SC2, you may completely remove the cluster by running:

inv sc2.destroy [--debug]

Further Reading

For further documentation, you may want to check these other documents:

  • Attestation - instructions to set-up remote attestation in SC2.
  • CoCo Upgrade - upgrade the current CoCo version.
  • Guest Components - instructions to patch components inside SC2 guests.
  • Host Kernel - bump the kernel version in the host.
  • K8s - documentation about configuring a single-node Kubernetes cluster.
  • Kata - instructions to build our custom Kata fork and initrd images.
  • Key Broker Service - docs on using and patching the KBS.
  • Knative - documentation about Knative, our serverless runtime of choice.
  • Local Registry - configuring a local registry to store OCI images.
  • OVMF - notes on building OVMF and CoCo's OVMF boot process.
  • SEV - specific documentation to get the project working with AMD SEV machines.
  • Troubleshooting - tips to debug when things go sideways.