Example: Using GuestOS debos
The GuestOS debos provides a basic integrity protected debian installer base image. This GuestOS type provides the ability to setup a confidential debian system inside a container. In order to achieve that, we use the setup mode for running a container instance of debos.
Prerequisites
- a running (deployed) GyroidOS system.
- configured internet access in core0 (default is dhcp on eth0)
- we assume a standard password for initial usertoken “trustme”
- an installed debos image in that system
You can verify that debos is installed by:
root@gyroidos-core:~# control list_guestos | grep debos
name: "debos"
Creating container and installing debian
create a new container config skeleton file debian1.skel for the container e.g.:
name: "debian1"
guest_os: "debos"
color: 0
vnet_configs {
if_name: "eth0"
configure: true
}
image_sizes {
image_name: "enc_root"
image_size: 4096
}
The image_sizes argument overwrites the standard size of the encrypted writable data image which is mounted as rootfs in case of normal boot.
Create and start the container in setup mode:
control create debian1.skel
control change_pin debian1 # use trustme as nurrent password
control start debian1 --setup # use your just set password
You can verify that the container has reached setup state by:
control state debian1
Now you can run commands inside the container to install
a standard Linux system to /setup inside the container.
The debos image contains a debootstrap util inside the container to
setup a debian system. However, you could also try to run any other
bootstrapping tool for another distribution, e.g., emerge. In that case,
you have to download the bootstrapper first, loosing integrity protection
of the installer. We proceed with debootstrap.
Remember that control run is somewhat experimental and not all characters, especially control characters like [Ctrl]+C, may work as expected.
control run debian1 bash
Now we are inside the container “debian1”.
You can check if the encrypted root is mounted on setup by calling mount
Install debian as follows:
debootstrap trixie /setup --include=ssh
exit
Now stop the container and start it normally:
control stop debian1 # use your just set password
control start debian1 # use your just set password
Example: Using docker-convertos
Experimental, the converter may not work for every image on dockerhub!
Prerequisites
- a running (deployed) GyroidOS system.
-
an installed docker-convertos image in that system
You can verify this by checking:root@cml:~# control list_guestos | grep docker-convertos name: "docker-convertos" - configured internet access in core0 (default is dhcp on eth0)
- enabled
localy_signed_images: truein device.conf (this is the case for binary evaluation releases) - we assume a standard password for usertoken “trustme”
Creating converter container
Create a new container config skeleton file docker2.skel for the container e.g.:
name: "docker2"
guest_os: "docker-convertos"
color: 0
vnet_configs {
if_name: "eth0"
configure: true
}
image_sizes {
image_name: "tmp"
image_size: 4096
}
control create docker2.skel
control change_pin docker2 # use trustme as current Password
control start docker2 # use your just set password
control state docker2 # wait for state RUNNING
control run docker2 bash
Inside container:
/etc/init.d/lighttpd start
converter pull <dockerhub image> <tag>
/etc/init.d/lighttpd stop
exit
Creating instance of converted image
control list_guestos
Should show new GuestOS created from Dockerhub image
with a name like “<image>_<tag>_<timestamp>”
Create a new config skeleton /etc/templates/converted.skel for the image:
name: "converted3"
guest_os: "<image>_<tag>_<timestamp>"
color: 0
vnet_configs {
if_name: "eth0"
configure: true
}
control create converted.skel
Run it.
control change_pin converted3 # use trustme as current password
control start converted3 # use your just set password