For context: I want to automatically enable Intel SGX for every VM and LXC in Proxmox, but it doesn’t seem like there’s a way to do it using APIs AFAIK (so Terraform is out of the question unless I’ve missed something) other than editing the template for the individual LXC/VM.
I’d like to know if there’s a tool that can automate this. I could potentially write a shell script but I’d like to know if there’s something that’s mature software before I go do this. I have been reading about Packer, Vagrant and cloud-init but I don’t think this is something in their scope of usage.
Thanks!
I was under the impression that cloud-init could only really be used to run commands inside the guest? Well, I could technically use Ansible and edit the file every time I provision something - this was just an example of however much the community tries, there might be something missing in the provider because proxmox doesn’t take this on directly.
I should have worded that better. In using MAC, AppArmor effectively reduces access to files that would be essential for the VM to run. That is the sense in which I mentioned “security enclave” but I can see now that that isn’t quite correct.
Either way, that is my philosophical reasoning for complaining this much. Ansible is pretty decent and has decent Proxmox integration, but Terraform is, in my opinion, superior when it comes to deploying infrastructure. That might be a bias from my side, of course. For now, I’m also going through the OpenStack documentation to see if the things I want to achieve can be done there, because they have an official Ansible project alongside their version of Cloudformation - Heat.
Thanks
Yes that’s correct, I didn’t realize you had something to do outside the guest to enable it. What exactly? How do you solve it manually for now?
Intel SGX requires for me to set a CPU flag in the .conf file. For now, it’s a shell script and I can do it with Ansible, but I’d like to not have to do such half-baked measures
I see, agree with you that it should be supported by the terraform provider if it is at the VM
.conf
level… maybe a new attribute in https://registry.terraform.io/providers/Telmate/proxmox/latest/docs/resources/vm_qemu#smbios-block? I would start by requesting this feature in https://github.com/Telmate/terraform-provider-proxmox/issues, and maybe try to add it yourself? (scratch your own itch, fix it for everyone in the process). Good luck