NOISSUE - Add cvm management docs #28
base: main
Conversation
SammyOina
left a comment
include screenshots of buildroot configuration for HAL image, also this guide needs to state it is for HAL and keep it separate from public cloud/cloud init which should be documented as well
SammyOina
left a comment
please go through your changes
docs/developer-guide/hal.md
Outdated
Clone the Cube HAL repository and its Buildroot submodule:

```bash
git clone https://github.com/ultravioletrs/cube-hal.git
```
no such repo exists
docs/developer-guide/hal.md
Outdated
```bash
git clone https://github.com/ultravioletrs/cube-hal.git
cd cube-hal
git submodule update --init --recursive
```
we don't have submodules
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
df0af1b to 52cc7af
SammyOina
left a comment
please go through the changes and verify accuracy of the info
## Managing Confidential VMs

This guide explains how to start, monitor, and manage Confidential Virtual Machines (CVMs) for Cube AI using the Hardware Abstraction Layer (HAL) with Buildroot-based images and the provided management scripts. It is written as a practical, step-by-step reference so you can move from initial launch to ongoing operations without having to infer script behavior.
if this is HAL only we'll need a section for cloud init
This guide explains how to start, monitor, and manage Confidential Virtual Machines (CVMs) for Cube AI using the Hardware Abstraction Layer (HAL) with Buildroot-based images and the provided management scripts. It is written as a practical, step-by-step reference so you can move from initial launch to ongoing operations without having to infer script behavior.

:::info
This guide is specifically for HAL-based CVM deployments using Buildroot images. It assumes you are running the HAL tooling locally and that your VM images follow the Buildroot layout. For public cloud deployments using cloud-init, please refer to the separate cloud deployment documentation instead.
:::
HAL tooling? what does that mean
- 6190 → 22 (SSH)
- 6191 → 80 (HTTP)
- 6192 → 443 (HTTPS)
- 6193 → 7001 (Cube Agent)
- 6194 → 11434 (Ollama)
- 6195 → 8000 (vLLM)
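Review bot: forwarding 6194 → 11434 (Ollama) and 6195 → 8000 (vLLM) puts the inference backends directly on the host next to the Cube Agent on 7001, so anything that can reach the host can call the model servers while bypassing the agent; trim this list to 22 (SSH) and 7001 (Cube Agent) and make the same change to the launch script in the cube repo so the doc and the script agree. The 6191 → 80 and 6192 → 443 forwards are never explained anywhere in the excerpt and should go for the same reason.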
only forwarded port to cvm should be agent and ssh, remove all others make sure this reflects in the cube repo as well
### Certificate Management

Certificates are embedded in the filesystem image at build time. This means certificate rotation happens by rebuilding the image, not by editing a running VM.
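Review bot: the statement that rotation happens only by rebuilding the image conflicts with the Important Notes line later in the same file, which says the agent fetches certificates from the CA at runtime when Agent CA URL is configured; state which rotation path applies to which configuration. If the files under `/etc/cube/certs/` can also be replaced on a running VM over SSH followed by a service restart, document that procedure (which files, which service) rather than ruling it out.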
we can rotate certs by ssh into the cvm and restart services
docs/developer-guide/hal.md
Outdated
Load the Cocos HAL configuration using the BR2_EXTERNAL mechanism:

```bash
make BR2_EXTERNAL=../cocos/hal/linux cocos_defconfig
```
cocos?
docs/developer-guide/hal.md
Outdated
- **Server CA Certificates File** - Path to CA certificate file (default: `/etc/cube/certs/ca.pem`)
- **Server Certificate File** - Path to server certificate (default: `/etc/cube/certs/server.crt`)
- **Server Key File** - Path to server private key (default: `/etc/cube/certs/server.key`)
- **Client CA Certificates File** - Path to client CA certificates (default: `/etc/cube/certs/client_ca.pem`)
this is not env, it is actual file uploaded to build
docs/developer-guide/hal.md
Outdated
**Ollama Configuration:**

- **ollama** - Ollama package dependency (automatically required when selected as LLM backend)
- **Install default models** - Pre-install common models during build
we have specific ones, should be listed
**Important Notes:**

- If **Agent CA URL** is configured, the agent will fetch certificates from the CA at runtime using the **Certs Token** for authentication
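Review bot: Certs Token is introduced here as the credential the agent presents to the CA, but the note never says where it is set or whether it lives in the image; since the surrounding settings are build-time Buildroot options, state whether the token is baked into the filesystem image (and so shipped with every copy of that artifact) or supplied at runtime, and name the CA the agent actually talks to.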
reference which CA we actually use
## Managing Confidential VMs

This guide explains how to start, monitor, and manage Confidential Virtual Machines (CVMs) for Cube AI using the Hardware Abstraction Layer (HAL) with Buildroot-based images and the provided management scripts. It is written as a practical, step-by-step reference so you can move from initial launch to ongoing operations without having to infer script behavior.
This guide explains how to start, monitor, and manage Confidential Virtual Machines (CVMs) for Cube AI using the Hardware Abstraction Layer (HAL) with Buildroot-based images and the provided management scripts. It is written as a practical, step-by-step reference so you can move from initial launch to ongoing operations without having to infer script behavior.
This guide explains how to start, monitor, and manage Confidential Virtual Machines (CVMs) for Cube AI using the Hardware Abstraction Layer (HAL) with Buildroot-based images and the provided management scripts.
For AMD Secure Encrypted Virtualization, use the SEV-SNP launch path. This mode enables hardware-backed memory protection for the guest.

```bash
./qemu.sh start_cvm
```
if the other is start_tdx this should be start_sev or start_snp, but auto detect would be better. make the change in cube as well
Monitor the CVM interactively. Ctrl+C stops monitoring but leaves the CVM running, which makes this mode convenient for temporary observation.

```bash
./cvm-monitor.sh daemon
```
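Review bot: the prose above describes interactive monitoring that Ctrl+C ends while the CVM keeps running, yet the command shown is `./cvm-monitor.sh daemon`, and the next section uses `./cvm-monitor.sh background` for the detached production mode; a daemon is by definition the detached process, so either the two subcommand names or the two descriptions are swapped. One command with a single detach flag (for example `-d`) would remove the ambiguity; show the un-flagged interactive form here and the flagged form in the background section.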
-d flag would be better
Production mode - monitor runs detached in background. Use this when you want the monitor to persist across terminal sessions.

```bash
./cvm-monitor.sh background
```
daemon is a process that runs in the background, so this clashes with the previous section, daemon should be a flag (set or not set) reflect on cube
ssh -p 6190 user@localhost

# Access Ollama API
curl http://localhost:6194/api/tags
ollama should not be exposed through port forwarding, fix in cube too
docs/developer-guide/hal.md
Outdated
Load the Cube HAL configuration using the BR2_EXTERNAL mechanism:

```bash
make BR2_EXTERNAL=../cube/hal/linux cube_defconfig
```
cube does not have such a file path, please review the changes and test
docs/developer-guide/hal.md
Outdated
### 5. Boot Inside an SEV-SNP CVM

Use the provided scripts to launch a CVM with your HAL image:

```bash
# For AMD SEV-SNP
./qemu.sh start_cvm

# For Intel TDX
./qemu.sh start_tdx
```
duplicate of the other doc, make references instead
docs/developer-guide/hal.md
Outdated
# SSH into the CVM
ssh -p 6190 root@localhost

# Check Cube Agent status
systemctl status cube-agent

# Verify Ollama is running
curl http://localhost:11434/api/tags
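Review bot: the SSH command here uses `root@localhost` while the Managing Confidential VMs section uses `user@localhost` on the same port 6190; settle on one account, say how it is authenticated (an SSH key placed in the image at build time, if that is the mechanism), and do not document root login unless the image really permits it. The `curl http://localhost:11434/api/tags` check runs inside the guest after the SSH step, which is the right place for it; say so explicitly, since the other excerpt runs the same check from the host via the 6194 forward.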
same here