Nethsm development #242

Merged
merged 3 commits into from
May 7, 2024
28 changes: 21 additions & 7 deletions nethsm/integration.rst
Expand Up @@ -3,6 +3,13 @@ Integration

The chapter describes processes for various tasks and aims at all user groups.

REST-API
~~~~~~~~

NetHSM's primary interface is a modern REST-API that guarantees best performance and functionality.
The API specification is available in `OpenAPI format <https://nethsmdemo.nitrokey.com/api_docs/nethsm-api.yaml>`_,
and can be inspected and tested in the `API browser <https://nethsmdemo.nitrokey.com/api_docs/index.html>`_.

PKCS#11
-------

@@ -31,7 +38,20 @@ The container can be executed as follows.

$ podman run --rm -ti -p8443:8443 docker.io/nitrokey/nethsm:testing

This will provide the REST API on the port `8443` via the HTTPS protocol.
This will run NetHSM as a Unix process inside the container and expose the REST API on the port `8443` via the HTTPS protocol.

Additionaly to running the NetHSM as a Unix process it can be run as a unikernel supported by KVM.

The container can be executed as follows.

.. tabs::
.. tab:: Docker
.. code-block:: bash

$ docker run -ti --rm -p 8443:8443 --device /dev/net/tun --device /dev/kvm --cap-add=NET_ADMIN nitrokey/nethsm:testing

This will run NetHSM as a unikernel inside a KVM virtual machine.
The container will expose the REST API, via the HTTPS protocol, on the interface `tap200` with the IP address `192.168.1.100` and port `8443`.

.. important::
The container uses a self-signed TLS certificate.
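Review bot: The KVM variant's port mapping needs an explanation: `-p 8443:8443` publishes the container's own port 8443, yet the text says the API is exposed on `tap200` at `192.168.1.100`, so state whether the container forwards its port 8443 to that address (in which case the reader connects to the host's port 8443) or whether the reader has to reach `192.168.1.100:8443` directly. Also in this hunk: "Additionaly" should be "Additionally"; "The container can be executed as follows." repeats the sentence that introduces the podman command just above; the first example uses `podman` with the fully qualified `docker.io/nitrokey/nethsm:testing` while the new `.. tabs::` block has only a Docker tab with the short image name, so either add a Podman tab or drop the tabs; and since `--device /dev/kvm` together with `--cap-add=NET_ADMIN` gives the container KVM access and network-administration rights on the host, the text should say this is for the `:testing` image on a development machine, in the same way the `.. important::` block below flags the self-signed TLS certificate.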
@@ -77,9 +97,3 @@ This folder also contains the necessary documentation how to use it.
The mode of SELinux can be requested with ``sestatus |grep "Current mode"``.
If the mode is set to ``enforcing``, a change to the context is required.
In this case the volume mount must be postfixed with ``:z``, resulting in ``-v "${PWD}/out:/out:z"``.

REST-API
~~~~~~~~

NetHSM's API specification is available in `OpenAPI format <https://nethsmdemo.nitrokey.com/api_docs/nethsm-api.yaml>`_,
and can be inspected and tested in the `API browser <https://nethsmdemo.nitrokey.com/api_docs/index.html>`_.
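Review bot: The wording removed here is the more precise of the two versions; if this hunk is only relocating the section to the top of the chapter, reuse these two sentences verbatim at the new position rather than the version that adds the "guarantees best performance and functionality" claim. The deletion itself is fine; the hunk also drops the blank line at old line 77, so the file now ends directly after the SELinux paragraph, which is the intended result.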