libos.entrypoint = "{{ tee_ratls_preexec }}" [loader] entrypoint = "file:{{ gramine.libos }}" argv = [ "{{ tee_ratls_preexec }}", "--", "{{ vault_exec }}", "server", "-config=/opt/vault/config.hcl", "-log-level=trace", ] # set a log level for gramine log_level = "{{ log_level }}" [loader.env] LD_LIBRARY_PATH = "/lib" SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt" PATH = "{{ execdir }}" HOME = "/opt/vault" VAULT_CLUSTER_ADDR.passthrough = true VAULT_API_ADDR.passthrough = true VAULT_RAFT_NODE_ID.passthrough = true DNS_NAMES = "vault-1,vault-2,vault-3" # otherwise vault will lock a lot of unused EPC memory VAULT_RAFT_INITIAL_MMAP_SIZE = "0" # possible tweak option, if problems with raft # VAULT_RAFT_DISABLE_MAP_POPULATE = "true" [fs] root.uri = "file:/" start_dir = "/opt/vault" mounts = [ { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" }, { path = "{{ gramine.runtimedir() }}/libdcap_quoteprov.so", uri = "file:/lib/libdcap_quoteprov.so" }, { type = "tmpfs", path = "/var/tmp" }, { type = "tmpfs", path = "/tmp" }, { type = "tmpfs", path = "/opt/vault/tls" }, { type = "tmpfs", path = "/opt/vault/.dcap-qcnl" }, { type = "tmpfs", path = "/opt/vault/.az-dcap-client" }, { type = "encrypted", path = "/opt/vault/.cache", uri = "file:/opt/vault/.cache", key_name = "_sgx_mrsigner" }, { type = "encrypted", path = "/opt/vault/data", uri = "file:/opt/vault/data", key_name = "_sgx_mrsigner" }, ] [sgx] debug = false edmm_enable = false enclave_size = "8G" max_threads = 64 nonpie_binary = true remote_attestation = "dcap" trusted_files = [ "file:/bin/", "file:/etc/gai.conf", "file:/etc/ssl/certs/ca-bundle.crt", "file:/lib/", "file:/nix/", "file:/opt/vault/plugins/", "file:/opt/vault/config.hcl", "file:/opt/vault/cacert.pem", "file:/opt/vault/cakey.pem", "file:{{ gramine.libos }}", "file:{{ gramine.runtimedir() }}/", ] [sys] stack.size = "1M" enable_extra_runtime_domain_names_conf = true enable_sigterm_injection = true # vault needs flock experimental__enable_flock = true