DeTEE CLI
For obvious reasons, the CLI is the first end-user app developed as part of our product.
Installation
The DeTEE CLI is available as a container image. In order to use it, first make sure you install docker.
After that, download and run the DeTEE CLI docker image:
docker run --pull always -dt --name detee-cli \
--volume ~/.detee/container_volume/cli:/root/.detee/cli:rw \
--volume ~/.detee/container_volume/.ssh:/root/.ssh:rw \
--entrypoint /usr/bin/fish detee/detee-cli:latest
docker exec -it detee-cli fish
docker run --pull always --restart always --name detee-cli -dt `
--volume detee-cli-volume:/root/.detee/cli:rw `
--volume detee-ssh-volume:/root/.ssh:rw `
--entrypoint /usr/bin/fish detee/detee-cli:latest
docker exec -it detee-cli fish
Configure accounts
Inside the container, configure the SSH key that you want to use for VM access:
ssh-keygen
# Hit enter a few times.
detee-cli account ssh-pubkey-path /root/.ssh/id_ed25519.pub
Also, get your public key:
~ $ detee-cli account
The brain URL is: http://detee-build-1:31337
The SSH key used for VMs is: /root/.ssh/id_ed25519.pub
The address of your DeTEE wallet is x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK
Account Balance: 53.74022 LP
~ $ detee-cli --format yaml account
path: /root/.detee/cli/cli-config.yaml
brain_url: http://detee-build-1:31337
ssh_pubkey: /root/.ssh/id_ed25519.pub
account_balance: 53.74022
locked_funds: 0.0
wallet_address: x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK
wallet_path: /root/.detee/cli/secret_detee_wallet_key
~ $ detee-cli --format json account
{
"path": "/root/.detee/cli/cli-config.yaml",
"brain_url": "http://detee-build-1:31337",
"ssh_pubkey": "/root/.ssh/id_ed25519.pub",
"account_balance": 53.74022,
"locked_funds": 0.0,
"wallet_address": "x52w7jARC5erhWWK65VZmjdGXzBK6ZDgfv1A283d8XK",
"wallet_path": "/root/.detee/cli/secret_detee_wallet_key"
}
And send the wallet address to us on Discord so that we can give you your airdrop.
Assuming you have mounted the volumes, your secrets are saved to
~/.detee/container_volume/.
VM Engine
Deploy a VM
To see options for deploying a VM, just write detee-cli vm deploy -- and hit TAB.
Autocompletion will show available options:
~ $ detee-cli vm deploy --
--location (deploy to a specific location)
--disk (disk size in GB)
--distro (GNU/Linux distribution)
--from-yaml (allows extended config through yaml)
--help (Print help (see more with '--help'))
--hostname (hostname of you VM and OS)
--hours (for how many hours should the VM run)
--memory (memory in MB)
--price (price per unit per minute; check docs)
--public-ip (get a public IPv4 address for this VM)
--vcpus (the number of vCPUs)
--hours (default is 1 hour). If you delete
your VM before expiration, the unspent LPs are refunded back into your account.Deploying a VM looks like this:
~ $ detee-cli vm deploy --vcpus 2 --memory 5000 --hours 3 --distro ubuntu --location US
No hostname specified! Using random VM name: noble-scissors
Node price: 0.00002/unit/minute. Total Units for hardware requested: 47.Locking 0.1692 LP (offering the VM for 3 hours).
Injecting disk encryption key into VM. This will take a minute. Do not interrupt.
To SSH into noble-scissors (UUID: 35cdae77-6c42-478b-9f81-a4270b1580ac), run the following command:
ssh -i /root/.ssh/id_ed25519 -p 48132 root@149.36.48.99
In the background, the CLI will perform an attestation of the SNP server and also download the public SSH keys of the servers during the attestation. SSH will just work.
Now you can list VMs to get information:
~ $ detee-cli vm list
╭───────────────────────────┬──────────────────────────────────────┬─────────────────┬───────┬──────────┬──────┬────────┬───────────╮
│ Location │ UUID │ hostname │ Cores │ Mem (MB) │ Disk │ LP/h │ time left │
├───────────────────────────┼──────────────────────────────────────┼─────────────────┼───────┼──────────┼──────┼────────┼───────────┤
│ Paris, Île-de-France (FR) │ 252b2c4e-2b68-4445-bbd4-6c190e9e0311 │ primal-scissors │ 1 │ 1000 │ 10 │ 0.0324 │ 0h 5m │
│ San Jose, California (US) │ 35cdae77-6c42-478b-9f81-a4270b1580ac │ noble-scissors │ 2 │ 5000 │ 10 │ 0.0564 │ 2h 59m │
╰───────────────────────────┴──────────────────────────────────────┴─────────────────┴───────┴──────────┴──────┴────────┴───────────╯
~ $ FORMAT=YAML detee-cli vm list
- location: Paris, Île-de-France (FR)
uuid: 252b2c4e-2b68-4445-bbd4-6c190e9e0311
hostname: primal-scissors
vcpus: 1
mem: 1000
disk: 10
cost_h: 0.0324
time_left: 5
- location: San Jose, California (US)
uuid: 35cdae77-6c42-478b-9f81-a4270b1580ac
hostname: noble-scissors
vcpus: 2
mem: 5000
disk: 10
cost_h: 0.0564
time_left: 179
~ $ FORMAT=JSON detee-cli vm list
[
{
"location": "Paris, Île-de-France (FR)",
"uuid": "252b2c4e-2b68-4445-bbd4-6c190e9e0311",
"hostname": "primal-scissors",
"vcpus": 1,
"mem": 1000,
"disk": 10,
"cost_h": 0.0324,
"time_left": 4
},
{
"location": "San Jose, California (US)",
"uuid": "35cdae77-6c42-478b-9f81-a4270b1580ac",
"hostname": "noble-scissors",
"vcpus": 2,
"mem": 5000,
"disk": 10,
"cost_h": 0.0564,
"time_left": 178
}
]
FORMAT environment variable, or specify detee-cli --format to control this.
You can also enable extra logs by passing LOG_LEVEL=INFO or LOG_LEVEL=DEBUG as env var.In case you forgot SSH details for your VM, just use the SSH wrapper:
~ $ detee-cli vm ssh d51de633-640f-4b19-b372-b4197b321c8d
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.12.10-arch1-1 x86_64)
root@luminous-soap:~#
Update or delete VM
The update command will allow you to modify the hardware specification and also the number of hours that you want your VM to run. If both hardware and time are modified, the hardware modification is executed first and the LP are recalculated after that.
~ $ detee-cli vm update --vcpus 8 --memory 10000 --hours 10 35cdae77-6c42-478b-9f81-a4270b1580ac
The node accepted the hardware modifications for the VM.
Injecting disk encryption key into VM. This will take a minute. Do not interrupt.
VM successfully updated.
~ $ detee-cli vm list
╭───────────────────────────┬──────────────────────────────────────┬────────────────┬───────┬──────────┬──────┬────────┬───────────╮
│ Location │ UUID │ hostname │ Cores │ Mem (MB) │ Disk │ LP/h │ time left │
├───────────────────────────┼──────────────────────────────────────┼────────────────┼───────┼──────────┼──────┼────────┼───────────┤
│ San Jose, California (US) │ 35cdae77-6c42-478b-9f81-a4270b1580ac │ noble-scissors │ 8 │ 10000 │ 10 │ 0.1584 │ 9h 59m │
╰───────────────────────────┴──────────────────────────────────────┴────────────────┴───────┴──────────┴──────┴────────┴───────────╯
Please note that changing the number of CPUs or the kernel will rotate the hot decryption key of the server. This is why after these updates the CLI will use the backup key to start the VM.
Deletion works as expected:
~ $ detee-cli vm delete 35cdae77-6c42-478b-9f81-a4270b1580ac
VM successfully deleted.
Deployment Examples
In case you would like to test more complex setups, we have prepared a repo with examples at https://gitea.detee.cloud/general/examples.
Enhancing the examples can also bring you special LP rewards, that will allow you to run complex workloads on DeTEE.
App Engine (preview)
Deploy demo app
The DeTEE App engine is currently under development, however already available for preview in the testnet.
You can deploy a demo app as follows:
root@29aee556b6a2 /# detee-cli app deploy --package actix-app-info --port 8080
No app name specified! Using random app name: assertive-parakeet
Node price: 0.0002/unit/minute. Total Units for hardware requested: 7.6000. Locking 0.0912 LP (offering the App for 1 hours).
Deploying...
The application got deployed under the UUID: 4f64e698-bcfc-4aa4-8c00-3cefe605a9de
You can now list the apps to see your deployment:
root@29aee556b6a2 /# detee-cli app list
╭───────────────────────────────┬──────────┬────────────────────┬───────┬──────────┬───────────┬────────┬───────────┬───────────────┬─────────────────────────────╮
│ Location │ UUID pfx │ name │ Cores │ Mem (MB) │ Disk (MB) │ LP/h │ time left │ Node IP │ Exposed ports │
├───────────────────────────────┼──────────┼────────────────────┼───────┼──────────┼───────────┼────────┼───────────┼───────────────┼─────────────────────────────┤
│ Frankfurt am Main, Hesse (DE) │ 4f64e698 │ assertive-parakeet │ 1 │ 500 │ 1000 │ 0.0912 │ 1h 0m │ 212.95.45.139 │ (32120:34500), (45987:8080) │
╰───────────────────────────────┴──────────┴────────────────────┴───────┴──────────┴───────────┴────────┴───────────┴───────────────┴─────────────────────────────╯
And you can grab the server IP and the port that forwards to 8080 in order to
access the actual webserver that got deployed:
root@29aee556b6a2 /# curl 212.95.45.139:45987
Hello world!
Deploy your own Rust app
Compiling for the App Engine
In order to enable Intel SGX support, applications must be compiled with tools optimized for this type of TEE. This process will get simplified with a future release of DeTEE.
If you would like to deploy your own app, you first have to compile it for Intel
SGX. This can be done easily using the occlum/occlum:latest-ubuntu22.04 docker
image. Let's take for example this simple Actix web server:
use actix_web::{web, App, HttpResponse, HttpServer, Responder};
async fn hello() -> impl Responder {
HttpResponse::Ok().body("Hello from DeTEE!")
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| App::new().route("/", web::get().to(hello)))
.bind("0.0.0.0:8080")?
.run()
.await
}
In order to compile it, we can create a builder container:
docker run -di --volume .:/opt/my_app --name occlum-builder --entrypoint /bin/bash occlum/occlum:latest-ubuntu22.04
and after that we can hop into the container with docker exec -it occlum-builder /bin/bash and upgrade the Rust stack:
rustup install stable-x86_64-unknown-linux-gnu
rustup default stable
rustup target add x86_64-unknown-linux-musl
and switch to our app and compile it:
cd /opt/my_app
occlum-cargo build --release
Now exit the occlum-builder container and create a DeTEE application config:
filesystems:
- path: /bin/actix-hello-world
content: !path "./target/x86_64-unknown-linux-musl/release/rust_test"
environments:
child_processes:
- path: /bin/actix-hello-world
arguments:
restart:
max_retries: 2
delay_seconds: 2
policy: !OnNonZeroExit true
You can now deploy an app using the base-package and update the config using
detee-cli app config update --from-yaml PATH_TO_CONFIG.yaml APP_UUID, as
follows:
root@29aee556b6a2 /# detee-cli app deploy --package base-package --port 8080
No app name specified! Using random app name: witty-hamster
Node price: 0.0002/unit/minute. Total Units for hardware requested: 7.6000. Locking 0.0912 LP (offering the App for 1 hours).
Deploying...
The application got deployed under the UUID: e8013931-56c5-4683-8761-38a35f870789
root@29aee556b6a2 /# detee-cli app config update --from-yaml my_app_config.yml e8013931-56c5-4683-8761-38a35f870789
App launch config updated successfully
root@29aee556b6a2 /# detee-cli app list
╭───────────────────────────────┬──────────┬───────────────┬───────┬──────────┬───────────┬────────┬───────────┬───────────────┬─────────────────────────────╮
│ Location │ UUID pfx │ name │ Cores │ Mem (MB) │ Disk (MB) │ LP/h │ time left │ Node IP │ Exposed ports │
├───────────────────────────────┼──────────┼───────────────┼───────┼──────────┼───────────┼────────┼───────────┼───────────────┼─────────────────────────────┤
│ Frankfurt am Main, Hesse (DE) │ e8013931 │ witty-hamster │ 1 │ 500 │ 1000 │ 0.0912 │ 1h 0m │ 212.95.45.139 │ (43028:34500), (43541:8080) │
╰───────────────────────────────┴──────────┴───────────────┴───────┴──────────┴───────────┴────────┴───────────┴───────────────┴─────────────────────────────╯
root@29aee556b6a2 /# curl 212.95.45.139:43541
Hello from DeTEE!⏎
The app engine supports (in theory) any programming language. Stay tuned, as we upgrade docs, provide more examples and enhance the app engine to simplify deployment and management of more complex workloads!