Set up and deploy your first confidential application using Dstack TEE infrastructure.
- dstack-vmm: A service running in the bare TDX host to manage CVMs
- dstack-gateway: A reverse proxy to forward TLS connections to CVMs
- dstack-kms: A KMS server to generate keys for CVMs
- dstack-guest-agent: A service running in the CVM to serve containers' key derivation and attestation requests
- meta-dstack: A Yocto meta layer to build CVM guest images

dstack-gateway for Zero Trust HTTPS

Edit the build-config.sh configuration file according to your environment requirements. The file contains network ports, domain settings, and other important parameters. Once configured, run the build script again to generate the necessary artifacts:
Then start the dstack services:

```sh
./dstack-kms -c kms.toml
sudo ./dstack-gateway -c gateway.toml
./dstack-vmm -c vmm.toml
```
Then prepare a docker-compose.yaml file:
[Screenshots: dstack-vmm web interface; dstack guest agent status; dstack gateway dashboard; dstack secret management]
Hostnames are mapped to CVM ports as follows:

- <id>[s].<base_domain> maps to port 80 in the CVM, or to port 443 if the label ends with s.
- <id>-<port>[s].<base_domain> maps to port <port> in the CVM.
- For example, 3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang maps to port 8080 in the CVM.

Here <id> can be either the app id or the instance id. If the app id is used, one of the instances will be selected by the load balancer. If the id-port part ends with s, the TLS connection is passed through to the app rather than terminated at dstack-gateway.
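The hostname scheme above decides both which CVM port a request reaches and whether dstack-gateway or the app holds the TLS session, so it is worth checking that a given name resolves the way you expect before exposing it. The parser below is an added example, not code from the dstack project; it implements the three routing rules exactly as the page states them and returns None for anything outside the scheme (wrong base domain, extra labels, bad port), so a caller can refuse the request instead of guessing a backend. It assumes ids are lowercase hex strings, as in the page's own example; the page does not state the id format, so adjust the pattern if yours differs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated on the page): app ids and instance ids are hex strings,
# like the id in the page's own example. Change the pattern if your ids differ.
_ID_RE = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True)
class Route:
    target_id: str         # app id or instance id taken from the hostname
    port: int              # port inside the CVM the request is forwarded to
    tls_passthrough: bool  # True when the id-port label ends with "s"


def parse_gateway_host(host: str, base_domain: str) -> Optional[Route]:
    """Map a dstack-gateway hostname onto its CVM target.

    Rules from the page:
      <id>[s].<base_domain>        -> port 80, or 443 if the label ends with s
      <id>-<port>[s].<base_domain> -> port <port>
    A trailing "s" means the TLS connection is passed through to the app
    instead of being terminated at dstack-gateway.
    Returns None for any hostname that does not match the scheme.
    """
    host = host.lower().rstrip(".")
    suffix = "." + base_domain.lower().rstrip(".")
    if not host.endswith(suffix):
        return None                      # not under the gateway's base domain
    label = host[: -len(suffix)]
    if not label or "." in label:
        return None                      # exactly one label below the base domain
    passthrough = label.endswith("s")    # "s" is not a hex digit, so this is unambiguous
    if passthrough:
        label = label[:-1]
    if "-" in label:
        ident, _, port_str = label.rpartition("-")
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            return None                  # port must be a valid TCP port number
        port = int(port_str)
    else:
        ident, port = label, (443 if passthrough else 80)
    if not _ID_RE.match(ident):
        return None
    return Route(ident, port, passthrough)


if __name__ == "__main__":
    # Constructed inputs; the first one is the example hostname from the page.
    for h in (
        "3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang",
        "3327603e03f5bd1f830812ca4a789277fc31f577-8080s.app.kvin.wang",
        "3327603e03f5bd1f830812ca4a789277fc31f577s.app.kvin.wang",
        "3327603e03f5bd1f830812ca4a789277fc31f577.app.kvin.wang",
        "evil.example.com",
    ):
        print(f"{h} -> {parse_gateway_host(h, 'app.kvin.wang')}")
```

Rejecting the bare base domain, additional subdomain labels and out-of-range ports keeps the mapping a closed set: every name either resolves to one (id, port, passthrough) triple or is refused.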
You can also ssh into the CVM to inspect more information if your deployment uses the dstack-x.x.x-dev image:
Mount /var/run/tappd.sock into the target container in docker-compose.yaml.
dashboard page or by curl:
Replace <appid> and <container name> with actual values. Available parameters:
In build-config.sh:

Then run the build again in build/ and you will see the following log:
https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853
[Screenshot: certbot CAA record configuration]
Run sudo ./dstack-gateway -c gateway.toml, then access the web portal to check the Let's Encrypt account managed by the dstack-gateway CVM. The account's private key remains securely sealed within the TEE.
[Screenshot: dstack gateway account ID]
ct_monitor tracks Certificate Transparency logs via https://crt.sh, comparing the public keys they contain with the ones obtained from the dstack-gateway RPC. It alerts immediately when it detects unauthorized certificates that were not issued through dstack-gateway:
dstack-vmm may throw this error when creating a new VM if the Unix socket CID is occupied. To solve the problem, first list the occupied CIDs:
Then edit the build/vmm.toml file and restart dstack-vmm; the error should disappear. For example, you may find 33000-34000 free to use:
Edit build-config.sh instead, because the vmm.toml file is generated by build.sh and its content is derived from build-config.sh.
You may encounter this problem when upgrading from an older version of dstack, because the CID setting was introduced in build-config.sh in later versions. In that case, follow the docs to add the missing entries to build-config.sh and rebuild dstack.
When running ../build.sh guest, you might encounter this error: