
1use crate::*;
2
3use bollard::container::Config;
4use bollard::service::{
5    DeviceMapping, HostConfig, Mount, MountTypeEnum, RestartPolicy, RestartPolicyNameEnum,
6};
7
/// Builds the hardened baseline `Config` shared by the containers this crate launches.
///
/// The baseline is deliberately restrictive: no restart policy, the container is removed
/// when it exits, the root filesystem is read-only, `no-new-privileges` is set, and memory
/// and CPU are capped. The only things it opens up are what SGX attestation needs: the AESM
/// socket (bind-mounted read-only at the same path) and the two SGX device nodes.
///
/// Image-specific functions layer their own settings on top of this via struct update
/// syntax, so anything not overridden there is inherited from here.
pub fn get_default_docker_config() -> Config<String> {
    // 128 MB hard memory cap.
    // NOTE(review): `memory_swap` is left unset, so swap usage falls back to Docker's
    // default for this value — confirm that is intended.
    const MEMORY_LIMIT_BYTES: i64 = 128 * 1024 * 1024;
    // 0.2 of one core, in nano-CPUs (1_000_000_000 == one full core).
    const CPU_LIMIT_NANO: i64 = 200_000_000;
    // Host paths required for SGX attestation: the AESM socket and the device nodes.
    const AESM_SOCKET: &str = "/var/run/aesmd/aesm.socket";
    const SGX_DEVICES: [&str; 2] = ["/dev/sgx_provision", "/dev/sgx_enclave"];

    // Never restart. Together with `auto_remove`, a container that exits is simply gone.
    let never_restart = RestartPolicy {
        name: Some(RestartPolicyNameEnum::NO),
        maximum_retry_count: None,
    };

    // The AESM socket is exposed at its host path, read-only.
    let aesm_socket_mount = Mount {
        target: Some(AESM_SOCKET.to_owned()),
        source: Some(AESM_SOCKET.to_owned()),
        typ: Some(MountTypeEnum::BIND),
        read_only: Some(true),
        ..Default::default()
    };

    // Each SGX device node is mapped to the same path with rw cgroup permissions.
    let sgx_device_mappings: Vec<DeviceMapping> = SGX_DEVICES
        .iter()
        .copied()
        .map(|device| DeviceMapping {
            path_on_host: Some(device.to_string()),
            path_in_container: Some(device.to_string()),
            cgroup_permissions: Some("rw".to_string()),
        })
        .collect();

    let host_config = HostConfig {
        // Bridge networking. Possibly exposes a metrics daemon.
        network_mode: Some("bridge".to_string()),
        restart_policy: Some(never_restart),
        auto_remove: Some(true),
        readonly_rootfs: Some(true),
        security_opt: Some(vec!["no-new-privileges".to_string()]),
        memory: Some(MEMORY_LIMIT_BYTES),
        nano_cpus: Some(CPU_LIMIT_NANO),
        mounts: Some(vec![aesm_socket_mount]),
        devices: Some(sgx_device_mappings),
        // NOTE(review): capabilities (`cap_drop`) and `pids_limit` are left at Docker's
        // defaults — confirm whether the images run here need any capability at all.
        ..Default::default()
    };

    Config {
        open_stdin: Some(true),
        host_config: Some(host_config),
        ..Default::default()
    }
}
48
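/// Builds the container `Config` for the QVN image on top of a baseline config.
///
/// * `image_name` — image to run.
/// * `env` — environment passed verbatim as `Config::env`.
///   NOTE(review): Docker stores this on the container object, so it is visible to anyone
///   with Docker API access — keep secrets out of it where possible.
/// * `default_config` — baseline to extend; `None` means [`get_default_docker_config`].
///   Every host setting not overridden below (read-only rootfs, `security_opt`, devices,
///   the AESM socket mount, …) is inherited from it via struct update syntax.
/// * `volume_mounts` — extra mounts requested by the caller. A mount whose target is one of
///   the reserved paths (`/data/protected_files`, `/var/run/aesmd/aesm.socket`) is dropped
///   so it cannot shadow the mounts this function and the baseline add. A mount with no
///   target is passed through unchanged and left for Docker to reject (previously it
///   panicked here).
///
/// The QVN differs from the baseline in being long-lived: host networking, an
/// `unless-stopped` restart policy (which is why `auto_remove` must be `false`), a larger
/// memory/CPU budget, and a read-write bind mount of `/data/protected_files`.
pub fn get_default_qvn_config(
    image_name: &str,
    env: Vec<String>,
    default_config: Option<Config<String>>,
    volume_mounts: Option<Vec<Mount>>,
) -> Config<String> {
    use std::path::Path;

    // Read-write bind mount the QVN uses for its persistent state.
    const PROTECTED_FILES: &str = "/data/protected_files";
    // Targets callers may not override: the mount added below and the AESM socket the
    // baseline config mounts read-only.
    const RESERVED_TARGETS: [&str; 2] = [PROTECTED_FILES, "/var/run/aesmd/aesm.socket"];
    // 256 MB and 0.3 of one core (in nano-CPUs).
    // TODO: assess whether we should give it more resources
    const MEMORY_LIMIT_BYTES: i64 = 256 * 1024 * 1024;
    const CPU_LIMIT_NANO: i64 = 300_000_000;

    // Lazily build the baseline so it is only constructed when no override was supplied.
    let config = default_config.unwrap_or_else(get_default_docker_config);
    let host_config = config.host_config.unwrap_or_default();
    let mut mounts = host_config.mounts.unwrap_or_default();

    mounts.push(Mount {
        target: Some(PROTECTED_FILES.to_string()),
        source: Some(PROTECTED_FILES.to_string()),
        typ: Some(MountTypeEnum::BIND),
        read_only: Some(false),
        ..Default::default()
    });

    // Compare as paths rather than strings so a trailing slash or a `.` component cannot
    // slip a duplicate of a reserved target past the check. `Path` does not collapse `..`,
    // and neither mount sources nor symlinks are inspected here.
    let is_reserved = |target: &str| {
        let target = Path::new(target);
        RESERVED_TARGETS
            .iter()
            .any(|reserved| Path::new(reserved) == target)
    };
    let caller_mounts = volume_mounts
        .into_iter()
        .flatten()
        .filter(|mount| !matches!(mount.target.as_deref(), Some(t) if is_reserved(t)));
    mounts.extend(caller_mounts);

    Config {
        image: Some(image_name.to_string()),
        env: Some(env),
        host_config: Some(HostConfig {
            mounts: Some(mounts),
            // Host networking: the container shares the host's network namespace, so there
            // is no port isolation from the host. NOTE(review): presumably needed so the QVN
            // can reach host-local services — confirm.
            network_mode: Some("host".to_string()),
            auto_remove: Some(false), // cant be set if restart policy is set
            memory: Some(MEMORY_LIMIT_BYTES),
            nano_cpus: Some(CPU_LIMIT_NANO),
            // QVN should always be running until shut down
            restart_policy: Some(RestartPolicy {
                name: Some(RestartPolicyNameEnum::UNLESS_STOPPED),
                maximum_retry_count: None,
            }),
            ..host_config
        }),
        ..config
    }
}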