PortainerCC MariaDB Guide
The following shows the installation of a Gramine MariaDB instance with remote attestation and secret provisioning from the installation of Portainer to the deployment of the container. The environment in which MariaDB is installed is an Azure Confidential VM. This flow was tested in Firefox. In Chrome, some requests may abort.
First, an Azure Confidential VM must be created. To do this, click on Create Resource -> Virtual Machine under Services in the Azure home screen. The default settings can be left as they are, but a Confidential VM must be selected under Size. To do this, click on "See all sizes" and add a filter via "Add Filter", selecting Type -> Confidential. Now only virtual machines from the DC series should show up. From these you then select a suitable one (at least 8GB memory).
Now the VM can be created. Once this has been done, the next step is to open the port for the Portainer agent. To do this, click on "Networking" in the overview window of the VM on the left side. Here new firewall rules can be created. After clicking on "Add inbound port rule", a new port can now be released. Under "Destination Port Ranges" 9001 must be specified and under "Protocol" TCP.
If the port is enabled, you connect to the VM via SSH. To prepare the VM for PortainerCC and remote attestation, Docker and Intel-SGX including DCAP must be installed (IMPORTANT: If the installation does not work, try changing the repo name from intelsgx to intel-sgx (with a hyphen)).
Furthermore, a Provisional Certification Caching Service (PCCS) is needed so that the coordinator can retrieve PCK certificates for remote attestation. The PCCS requires an API key for Intel's Provisioning Certificate Service (PCS) API. The PCCS can be started as a Docker container by specifying the PCS API key.
Both Docker, Intel-SGX including DCAP and PCCS must also be installed in the local environment.
Next, Portainer server needs to be installed in the local environment. Portainer server runs as a Docker container. To start it, you must first create a Docker volume using the docker volume create portainer_data command and then start the Portainer container using the following command:
docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v sgxdcaprastuff/portainercc
When the container is running, you can log in to Portainer via https://localhost:9443.
The next step is to add the Azure VM as an environment to PortainerCC. To do this, click on "Environments" on the left side of PortainerCC. There, select "Docker Standalone" and click on "Start Wizard". Now PortainerCC presents a console command to run in the environment you want to connect. In this command, the last line (which specifies the Docker image for the PortainerCC agent) must be changed to sgxdcaprastuff/portainercc-agent:latest.
The customized command must now be executed in the Azure VM. This will cause a PortainerCC agent image to be loaded and executed, which will handle the communication to PortainerCC Server.
Once the command has been executed in the VM, the creation of an environment in PortainerCC Server can continue. The name can be any, in the "Environment Address" field the public IP address of the Azure VM together with port 9001 must be entered (e.g. 10.0.0.10:9001). After clicking "connect", the Azure VM should be available as an environment in PortainerCC.
In addition to that, the portainer agent needs to be in the "coordinator" docker network. To make that happen, you have to click on the portainer agent container in the container view of your azure environment in portainer. Then scroll down to "networks" and add the container to the "coordinator" network. After that, click on "leave network" on the right side of the "bridge" network.
The next step is to build a coordinator and install it on the Azure VM. First, a signing key must be created that will later be used to sign the coordinator. To do this, click on "PortainerCC" on the left side under "Settings" and then on "SGX Signing Keys". Here you can now create a signing key.
Once a signing key has been created, the coordinator image can be built. To do this, click on "PortainerCC" on the left side under "Settings" and then on "Coordinator". Here you can give the coordinator image a name and select a signing key. Once you have done this, click on "Build". Building the coordinator can take several minutes.
The next step is to get the coordinator running on the Azure VM. To do this, click on "Home" on the left side and then on the environment that represents the Azure VM. After that, click on "Coordinator" on the left side and you can now select a coordinator image to run in the environment. Now click on "Deploy" to install the coordinator on the Azure VM. Here you can also select whether the coordinator should be verified directly after deployment. The process may take a moment.
Once the deployment (and optional verification) is complete, a coordinator is now running in the Azure VM. This can be verified again at any time.
If the coordinator is running and verified, MariaDB can now be installed. To do this, click on "App Templates" on the left side and then on "Confidential Templates". Here you have the option to give the MariaDB instance a name and to set a username and password for the instance. Once you have done this, click on "Add & Deploy Service". In the background, MariaDB is added to the coordinator manifest with the specified options and a MariaDB container is started. This process can also take some time.
Once the container is started, it takes a moment for the Secrets to be injected and the Gramine application to be started. The progress can be traced via the logs of the MariaDB container (the line /app/mariadbd: ready for connections should show up in the logs).
To check if the secret provisioning worked, you can log in to the MariaDB instance via the MySQL CLI using the specified credentials.
