{"id":20436715,"url":"https://github.com/amiller/dstack-replicatoor","last_synced_at":"2025-07-04T18:04:48.947Z","repository":{"id":261318946,"uuid":"883817729","full_name":"Dstack-TEE/dstack-replicatoor","owner":"Dstack-TEE","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-27T03:06:33.000Z","size":44,"stargazers_count":1,"open_issues_count":4,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-12-27T04:17:55.455Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dstack-TEE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-05T16:15:10.000Z","updated_at":"2024-12-27T03:06:38.000Z","dependencies_parsed_at":"2024-11-05T22:39:39.757Z","dependency_job_id":"abe829fa-af97-458a-9473-af5c4d7f4403","html_url":"https://github.com/Dstack-TEE/dstack-replicatoor","commit_stats":null,"previous_names":["amiller/dstack-replicatoor"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dstack-TEE%2Fdstack-replicatoor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dstack-TEE%2Fdstack-replicatoor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dstack-TEE%2Fdstack-replicatoor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dstack-TEE%2Fdstack-replicatoor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dstack-TEE
","download_url":"https://codeload.github.com/Dstack-TEE/dstack-replicatoor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234083956,"owners_count":18777130,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T08:45:26.760Z","updated_at":"2025-01-15T18:37:48.619Z","avatar_url":"https://github.com/Dstack-TEE.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"This is a self contained docker image for handling key migration in Dstack.\n======\n\nRemote attestation\n===================\nIt makes use of the low level remote attestation provided by Dstack:\n```\n/var/run/tappd.sock\n```\n\nIt does not make use of the KMS. This is important while the KMS is still in a \"mock\" state.\n\nIt also does not require special support from the base image, although this might be a source of future proposals to the base image.\n\nUpgradeOperator Contract\n========================\nThis contract has an owner. This can be a multisig wallet. 
It accepts proposals to change the \"current docker compose\" and \"current base image hash\".\nA time limit is imposed: upgrades are pending for a minimum of 48 hours.\n\nInteract with the Replicatoor from untrusted host\n========\nSee `test.sh` for an example.\nYou will need to change the IP address to match the one\n\nYou can send GET/POST to the IP running this service:\n- GET  /status/ gives an indication of how it's going and can be used to retrieve quotes and public parameters\n```bash\ncurl http://$GUEST/status\n```\n\n- POST /configure/  used to provide API keys\n```bash\ncurl -X POST -H \"Content-Type: text/plain\" -d @private.env http://172.20.0.2:4001/configure\n```\n\n- POST /requestKey/  used to request a key \n```\ncurl -s -X POST http://$GUEST/requestKey \u003e request.out\nPUBK=$(cat request.out | jq -r .pubk)\nQUOTE=$(cat request.out | jq -r .quote)\n```\nReturns JSON containing $PUBK and $QUOTE\n\n- POST /onboard/ {pubk} {quote} produces an encrypted state file\n```\ncurl -s -X POST -d \"pubk=$PUBK\" -d \"quote=$QUOTE\"  http://$GUEST/onboard \u003e onboard.out\n```\n\n- POST /receiveKey  {encrypted_message}\n```bash\ncurl -X POST -H \"Content-Type: text/plain\" --data-binary @onboard.out http://$GUEST/receiveKey\n```\n\nGetting the reference value for the rtmr3\n=======\nAssuming we already have the hash of the base image, we just need to provide the docker-compose as input.\n\nProviding private reference values\n===============\nThe app can receive untrusted private inputs from, such as API keys, by listening.\n\nHow to interact with the replicatoor from guest application\n========\n- POST /getkey/\n   Returns a unique derived key to your container\n\nHow to include in dstack:\n===========\nIn your \"docker-compose.yml\" file, just drop this in there\n\n```\nservices:\n  replicatoor:\n    image: amiller/dstack-replicatoor\n    volumes:\n      - /var/run/tappd.sock:/var/run/tappd.sock\n      - 
untrustedhost:/var/run/untrustedhost\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Familler%2Fdstack-replicatoor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Familler%2Fdstack-replicatoor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Familler%2Fdstack-replicatoor/lists"}