User Commands

Work Flow Overview

Figure: Workflow Overview

General Commands

Occlum provides the following user commands.

occlum new <path>

Create a new directory at <path> and initialize it as an Occlum instance.

occlum init

Initialize a directory as the Occlum instance.

occlum build [--sign-key <key_path>] [--sign-tool <tool_path>] [--image-key <key_path>] [-f/--force]

Build and sign an Occlum SGX enclave (.so) and generate its associated secure FS image according to the user-provided image directory and Occlum.json config file. The whole build process is incremental: artifacts are rebuilt only when needed. To force a rebuild of all artifacts, pass the -f/--force flag.

occlum run [--cpus <num_of_cpus>] <program_name> <program_args>

Run the user program inside an SGX enclave.

occlum package [<package_name>.tar.gz]

Generate a minimal, self-contained package (.tar.gz) for the Occlum instance. The resulting package can then be copied to a deployment environment and unpacked as a runnable Occlum instance.

All runtime dependencies required by the Occlum instance, except Intel SGX driver and Intel SGX PSW, are included in the package.

If package_name is not specified, the directory name of the Occlum instance is used. By default, only HW release mode packages are supported. Debug or simulation mode packages can be supported by adding the "--debug" flag.

occlum gdb <program_name> <program_args>

Debug the program running inside an SGX enclave with GDB.

occlum mount [--sign-key <key_path>] [--sign-tool <tool_path>] [--image-key <key_path>] <path>

Mount the secure FS image of the Occlum instance as a Linux FS at an existing <path>. This makes it easy to access and manipulate Occlum's secure FS for debugging purposes.

occlum gen-image-key <key_path>

Generate a file that contains a randomly generated 128-bit key for encrypting the FS image.
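
The following is an added example, not part of the Occlum documentation, that chains the commands above to build and package an instance with an encrypted FS image. The function names, the OCCLUM override variable (useful for dry runs with a stub), the owner-only permission check and the requirement that the key sit at an absolute path are assumptions of this example.

```shell
#!/bin/sh
# Added example: new -> gen-image-key -> build --image-key -> package.
# OCCLUM may be overridden with a stub for dry runs (assumption of this example).
OCCLUM="${OCCLUM:-occlum}"

# Fail if the key file is missing, empty, or accessible to group/other.
check_key_perms() {
    key=$1
    [ -s "$key" ] || { echo "key missing or empty: $key" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ] || {
        echo "key accessible beyond owner: $key" >&2; return 1; }
}

# build_encrypted_instance <instance_dir> <absolute_key_path> <package_name>
build_encrypted_instance() {
    inst=$1; key=$2; pkg=$3
    # An absolute path keeps the key location unambiguous after the cd below.
    case $key in
        /*) ;;
        *) echo "key path must be absolute: $key" >&2; return 1 ;;
    esac
    $OCCLUM new "$inst" || return 1
    (
        cd "$inst" || exit 1
        if [ ! -e "$key" ]; then
            # Create the key with owner-only permissions.
            ( umask 077; $OCCLUM gen-image-key "$key" ) || exit 1
        fi
        check_key_perms "$key" || exit 1
        # Populate the image directory and edit Occlum.json before this step.
        $OCCLUM build --image-key "$key" || exit 1
        $OCCLUM package "$pkg.tar.gz"
    )
}

# Stand-alone use: sh script.sh <instance_dir> <absolute_key_path> <package_name>
if [ "$#" -eq 3 ]; then
    build_encrypted_instance "$@"
fi
```
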

Container-like Commands

Occlum has added several new experimental commands, which provide a more container-like experience to users, as shown below:

occlum start

Start an Occlum instance, completing all initialization, including booting the LibOS and mounting the Init FS and the application root FS. A background service is started to listen for which application is to be executed.

occlum exec [cmd1] [args1]

Actually start executing the application.

occlum exec [cmd2] [args2]
occlum exec [cmd3] [args3]

If there are more executable application binaries in the Occlum instance entrypoint, users can start executing them in parallel.

occlum stop

Stop the Occlum instance, including the background listening service.