Run `benefice` workloads via rootless OCI engine #131

rvolosatovs · 2022-08-31T11:52:05Z

Currently, Benefice workloads are executed via Docker, which means that they're essentially executed as root (and benefice user also has privileged access to the system, since it has to be in docker group)
Naturally, we want to avoid this and using podman could be a way to do that. Unfortunately I was unable to make podman work for this use case with TEEs, on SGX I'd get "OCI permission denied" on AESMD socket and SEV execution would fail with "system miconfigured" reported by Enarx. Refs profianinc/nixpkgs#18

The text was updated successfully, but these errors were encountered:

rvolosatovs assigned puiterwijk Aug 31, 2022

dpal added this to Profian Board Nov 23, 2022

dpal moved this to New in Profian Board Nov 23, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Run `benefice` workloads via rootless OCI engine #131

Run `benefice` workloads via rootless OCI engine #131

rvolosatovs commented Aug 31, 2022

Run benefice workloads via rootless OCI engine #131

Run benefice workloads via rootless OCI engine #131

Comments

rvolosatovs commented Aug 31, 2022

Run `benefice` workloads via rootless OCI engine #131

Run `benefice` workloads via rootless OCI engine #131