Need more details on docker

[Ramya Boggaram]

Hello!

I am currently working on docker version of keystone and having memory issues inorder to work with vgg16 I need more details on few queries.

Can someone please help me with these questions:

1. Is docker version of keystone up to date?

2. What are the limitations of memory in docker versions and how to achieve large memory to run neural networks?

3. Which is the best version of keystone to use docker or non-docker?

4. How to build a new package similar to hello.ke inside non-docker version of keystone?

Thanks in advance!!

Ramya Boggaram.

[Paul Heath]

Ramya, 

1. the Dockerfile under keystone/docker will make a container from whatever is in GitHub.com/keystone-enclave/keystone

  it uses the master branch as default. So in that sense it is up to date. 

2. When you start a container with docker, you can tell -m=12g or whatever makes sense for your system. 

    an additional important factor is that once you have the container made, you are ultimately going to have to start a qemu based virtual guest to run the RISCV64 native code. That happens under one of the run targets in the makefile. Those targets can be found 

under keystone/mkutils/plat/generic/run.mk. In there, you see an environment var Calle QEMU_MEM, that will specify how large a virtual machine to start up. Common sense applies in allocating memory both for the container and for the virtual instance relative to how much your machine actually has. 

3. We have been using a docker based instance because it is way more repeatable to get a container built the same way each time. 

4. You can add things to the CMakeLists.txt file under keystone/examples, including a properly formed subdirectory for each thing you add. 

I find this a little cumbersome. So I build all my riscv based enclave and host support code externally to the keystone tree and then copy it in to the keystone/build-generic/overlay tree somewhere that makes sense for me. Then I do a 'make' under /keystone, and a 'make run' to get the machine started. 

Hope this was helpful. 

Paul

[Ramya Boggaram]

hello Paul, Thanks for such a valuable information!

I am currently working on the docker version of keystone and I have a neural network of size 110MB and I am not able to achieve the complete implementation of it since it is giving me page fault can you please elaborate more on how to achieve  large memory to run neural networks inside the docker version of keystone because  keystone/mkutils/plat/generic/run.mk is available in the non-docker and I dont have any such file.

I have these files with me:

Thanks for your time and efforts,

Ramya.

[Paul Heath]

Hi Ramya, 

It looks like you are running the container that is at keystoneenclaveorg/keystone:master. 

That one is an earlier container, and uses the older build mechanism. That build uses 

cmake, and is somewhat different. 

If you check out the current keystone at GitHub, and use the keystone/docker/Dockerfile to make a container, you will get 

one using the new build. 

A word of caution: If you are used to the old style build, and move to the new one, there are some things to get used to.

The old build uses cmake, so you do, under /keystone 

source source.sh

mkdir build

cd build

cmake ..

make

With the new system, you just do, under /keystone 

make

It is somewhat confusing since most of the build instruction documentation that comes up will refer to the new build, while 

the prebuilt container uses the old system. 

Now as to your page fault, it seems like you are getting that when you hit Enclave.run() or Enclave().init. That means you probably 

don't have the enclave build memory set high enough. Those things are found in sdk/include/host/Params.hpp. 

You will have to experiment with those constants,  I am doing a similar exercise at the moment, so if I get any insight, I will let you know. 

Paul

[Ramya Boggaram]

Hello Paul,

I have cloned the repository and did make -j(nproc) now How Can I start my docker Can you elaborate me in detail?

Thanks,

Ramya.

[Paul Heath]

Ramya, 

If you clone the repo and do a make, you will end up with keystone being built right there on your machine. 

If that works, you can run the qemu image by doing 'make run'

If what you want is a container, go into keystone/docker and run a local build

docker build -t keystone-local . 

should do it. Then you should be able to start the container and exec a shell into it as you normally would

[Ramya Boggaram]

Hello Paul,

I am getting this error and I am using Ubuntu 22.04 Can you please help me out with this.

Thanks,

Ramya.

[Paul Heath]

Oh - ok, I see the issue. The docker file they have defined there goes with the older build technique. Sorry for the

misinformation. 

The Dockerfile needs to be updated to the new build style. 

So something like: (make your Dockerfile look like the following - and try again)

 

FROM ubuntu:20.04

RUN apt update

RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata 

RUN apt -y install autoconf automake autotools-dev bc \

  bison build-essential curl expat libexpat1-dev flex gawk gcc git \

  gperf libgmp-dev libmpc-dev libmpfr-dev libtool texinfo tmux \

  patchutils zlib1g-dev wget bzip2 patch vim-common lbzip2 python \

  pkg-config libglib2.0-dev libpixman-1-dev libssl-dev screen \

  device-tree-compiler expect makeself unzip cpio rsync cmake ninja-build p7zip-full

 

RUN apt-get update && apt-get install --reinstall ca-certificates

RUN git clone https://github.com/keystone-enclave/keystone /keystone

RUN cd /keystone

RUN make -j$(nproc)

[Ramya Boggaram]

Hello Paul,

I tried the above dockerfile and again facing issue with the make can you please have a look on it and this is for Ubuntu 20.04. Please help me to fix it.

Awaiting for your reply!!

Thanks,

Ramya.

[Paul Heath]

Did your build result in a container being on your machine ? 

Looks like the cd /keystone command somehow didn't work prior to the make 

Just go into the container and see what happened. You can manually change into the keystone directory and see what's there. 

If it looks ok,  just do a make. 

[Ramya Boggaram]

Hello Paul,

I don't see any container being build in machine as of now Can you suggest me some other approach to achieve this?

Thanks,

Ramya.

[Paul Heath]

Hi Ramya,

yes - looks like it didn't build. You could try removing the command from the docker file that caused it to fail, and re run it.  So just have the docker file to the clone into keystone and leave it at that. Then exec a shell into that container and do a build. 

Sorry that my suggestions are not working first try. I do all my keystone docker work on my office machine, through to a server. And it's on a different, and inaccessible network to this one. My home machine is an arm based Mac, and I don't have an appropriate docker set up. So, unfortunately I cannot test things, nor can I send my work based docker file to you.

Paul