From 7e614326b199d350c24f83dd27ac08d878f105cb Mon Sep 17 00:00:00 2001
From: johntaiko
Date: Mon, 30 Sep 2024 23:02:50 +0800
Subject: [PATCH] fix: add cgroup&mountinfo for docker env (#383)

* fix: add cgroup&mountinfo for docker env

* fix: all mount info comes from /sys/fs/cgroup/

* feat(sgx): update sgx-guest.docker.manifest.template

Add mount info for /proc/self/mountinfo and /proc/self/cgroup, and /sys/fs/cgroup/ to the allowed files in the sgx-guest.docker.manifest.template file. Also, increase the maximum threads to 512.
---
 Dockerfile | 2 +-
 provers/sgx/config/sgx-guest.docker.manifest.template | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3dcc313bd..cd6beb146 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ WORKDIR /opt/raiko
 COPY . .
 RUN cargo build --release ${BUILD_FLAGS} --features "sgx" --features "docker_build"
 
-FROM gramineproject/gramine:1.6-jammy AS runtime
+FROM gramineproject/gramine:1.7-jammy AS runtime
 
 ENV DEBIAN_FRONTEND=noninteractive
 WORKDIR /opt/raiko
diff --git a/provers/sgx/config/sgx-guest.docker.manifest.template b/provers/sgx/config/sgx-guest.docker.manifest.template
index 17e0bbb19..8ec9eb11f 100644
--- a/provers/sgx/config/sgx-guest.docker.manifest.template
+++ b/provers/sgx/config/sgx-guest.docker.manifest.template
@@ -18,10 +18,16 @@ fs.mounts = [
   { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
   { path = "/usr/lib/ssl/certs/", uri = "file:/usr/lib/ssl/certs/" },
   { path = "/root/.config/raiko/config", uri = "file:/root/.config/raiko/config" },
+  { path = "/proc/self/mountinfo", uri = "file:/proc/self/mountinfo" },
+  { path = "/proc/self/cgroup", uri = "file:/proc/self/cgroup" },
+  { path = "/sys/fs/cgroup/", uri = "file:/sys/fs/cgroup/" },
   { path = "/root/.config/raiko/secrets", uri = "file:/root/.config/raiko/secrets", type = "encrypted", key_name = "_sgx_mrenclave" },
 ]
 sgx.allowed_files = [
   "file:/root/.config/raiko/config",
+  "file:/proc/self/mountinfo",
+  "file:/proc/self/cgroup",
+  "file:/sys/fs/cgroup/",
 ]
 sgx.debug = false
 sgx.edmm_enable = {{ 'true' if env.get('EDMM', '1') == '1' else 'false' }}
@@ -34,7 +40,7 @@ sgx.trusted_files = [
   "file:/usr/lib/ssl/certs/",
   "file:sgx-guest",
 ]
-sgx.max_threads = 32
+sgx.max_threads = 512
 sgx.remote_attestation = "dcap"
 sys.enable_extra_runtime_domain_names_conf = true
 sys.insecure__allow_eventfd = true
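Review bot: The three new `sgx.allowed_files` entries expose host-controlled content to the enclave with no integrity check, so whatever in-enclave code reads the cgroup and mountinfo data (presumably CPU/memory-limit detection under Docker, going by the commit title) has to treat those values as untrusted input and bound anything derived from them, such as a thread count, rather than using the host's figure as-is. `"file:/sys/fs/cgroup/"` with the trailing slash allows the entire directory tree, which is wider than the two single files listed beside it; if only specific cgroup files are read, naming those would narrow the host-controlled surface. A short comment above the new entries stating why they are allowed rather than trusted, such as `# host cgroup/mount metadata: unverified, used only for resource-limit detection`, would make the trust boundary explicit for the next reviewer. The `fs.mounts = [` opening line lies outside the hunk, as the hunk context shows.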