Constraints

General Disclaimer

  • This document may include third-party information covering products, services, software, components, and data ("third-party content"). Huawei does not control and assumes no responsibility for the third-party content, including but not limited to the content's accuracy, compatibility, reliability, availability, legitimacy, appropriateness, performance, non-infringement, and status update, unless otherwise specified in this document. Huawei does not provide any guarantee or authorization for the third-party content mentioned or referenced in this document.
  • If users need a third-party license, they should obtain it in an authorized or legal way, unless otherwise specified in this document.

AI-VAULT Constraints

  1. Only Ubuntu 18.04.1, Ubuntu 18.04.5, Ubuntu 20.04, KylinOS V10, and CentOS 8.2 are supported. Both the x86_64 and AArch64 architectures are supported.
  2. An OpenSSL version later than 1.1.1n and earlier than 3.0.0 must be installed in the operating environment.
  3. haveged 1.9.1 or later must be installed.
  4. The time of the tool operating environment must be calibrated to the correct UTC time.
  5. Related header information is required to access AI-VAULT.
  6. AI-VAULT uses TLS for external communication. Therefore, ISVs must have a certificate issuing system or use a certificate issuing authority that meets user security requirements to issue certificates.
  7. This document describes how to configure only AI-VAULT certificates. You need to prepare other certificates.
  8. The software versions mentioned in this document are the minimum requirements. You need to select the operating system, service, software, and versions that meet your security requirements. Install security patches or upgrade to the latest version in a timely manner.
  9. If the drive usage of the root directory is higher than 85%, the Kubelet resource eviction mechanism is triggered and the service becomes unavailable. Ensure that the root directory has sufficient disk space. For details about the eviction policy, see the official Kubernetes documentation.
  10. Run the AI-VAULT service with non-root permissions.
  11. A user cannot run multiple AI-VAULT instances at the same time.
  12. Ensure that the UIDs and GIDs of AI-VAULT users on all physical machines (management nodes and compute nodes) and containers are not occupied. If the UIDs and GIDs are occupied, services may be unavailable.
    1. The UID and GID of the user running AI-VAULT must be consistent.
    2. The UID of the user running AI-VAULT in the container must be consistent with that of the AI-VAULT user created on the physical machine. The UID 9001 is used as an example in this document. You can customize the UID.
  13. The default validity period of a Kubernetes certificate is 365 days. Update the certificate in a timely manner.
  14. AI-VAULT images used in the Arm architecture and x86 architecture are incompatible.
  15. The drive space for backing up the AI-VAULT database must be greater than 10 MB.
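
The UID/GID rules in item 12 can be checked offline against the passwd and group files of each node and of the container image. The following is an added example, not part of the AI-VAULT tooling; the account name `aivault`, the assumption that its group has the same name, and all sample file contents are constructed for illustration.

```python
def rows(text):
    """Split passwd- or group-format text into colon-separated fields."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def account_problems(where, passwd, group, user, uid):
    """Check one machine or container image against item 12."""
    entry = next((r for r in rows(passwd) if r[0] == user), None)
    if entry is None:
        return [f"{where}: account {user} not found"]
    found_uid, found_gid = int(entry[2]), int(entry[3])
    problems = []
    if found_uid != uid:
        problems.append(f"{where}: {user} has UID {found_uid}, expected {uid}")
    if found_gid != found_uid:
        problems.append(f"{where}: UID {found_uid} and GID {found_gid} differ")
    # "Occupied" means another account or group already holds the ID.
    problems += [f"{where}: UID {uid} is occupied by {r[0]}"
                 for r in rows(passwd) if r[0] != user and int(r[2]) == uid]
    problems += [f"{where}: GID {uid} is occupied by group {r[0]}"
                 for r in rows(group) if r[0] != user and int(r[2]) == uid]
    return problems

# Constructed sample data; the account name "aivault" is hypothetical.
HOST_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "aivault:x:9001:9001::/home/aivault:/bin/bash\n")
HOST_GROUP = "root:x:0:\naivault:x:9001:\n"
IMAGE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                "builder:x:9001:100::/home/builder:/bin/sh\n"
                "aivault:x:9002:9002::/home/aivault:/bin/bash\n")
IMAGE_GROUP = "root:x:0:\nusers:x:100:\naivault:x:9002:\n"

def audit():
    """Run the check for the host and for the container image."""
    return (account_problems("host", HOST_PASSWD, HOST_GROUP, "aivault", 9001)
            + account_problems("container", IMAGE_PASSWD, IMAGE_GROUP, "aivault", 9001))

if __name__ == "__main__":
    for problem in audit():
        print(problem)
```

On a real deployment, pass the contents of `/etc/passwd` and `/etc/group` from every management node, compute node, and container image instead of the sample strings.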

AI-GUARD Constraints

  1. This encryption tool supports only Ubuntu 18.04.1, Ubuntu 18.04.5, Ubuntu 20.04, and KylinOS V10 OSs and the x86_64 and AArch64 architectures.
  2. An OpenSSL version later than 1.1.1n and earlier than 3.0.0 must be installed in the operating environment.
  3. The time of the encryption tool operating environment must be calibrated to the correct UTC time.
  4. Install AI-GUARD as the root user. Common users use the AI-GUARD CLI. To prevent the tool from being tampered with, ensure that the activated Python path is the same as the Python path used for installing AI-GUARD as the root user.
  5. The earliest supported Python version is 3.7. During the installation, the dependency on the third-party library is declared and the earliest compatible version is verified. If the third-party library is incompatible due to subsequent upgrades, you can downgrade and install the specified third-party package. All software and services mentioned in this document are the earliest supported versions. Select Python, OS, and service versions, as well as related third-party dependency libraries that meet your security requirements.
  6. The encryption tool does not distinguish users. A non-root user is recommended for running the encryption tool.
  7. Upgrade the kernel version to the latest one to avoid vulnerabilities.
  8. AI-GUARD can encrypt a single file that is smaller than 10 GB. To encrypt a folder, ensure that the size of each single file in the folder is smaller than 10 GB.

KMSAgent Constraints

  1. When the driver is upgraded from Ascend HDK 22.0.RC5 to a later version, you need to reconfigure the KMSAgent.conf configuration file and certificate, and restart the service.
  2. Ensure that the driver containing KMSAgent has been installed. The KMSAgent service is available only after the driver is installed.
  3. An OpenSSL version later than 1.1.1n and earlier than 3.0.0 must be installed in the operating environment.
  4. If you have configured KMSAgent and updated the driver, skip this section.
  5. Configure KMSAgent when it is installed for the first time. You only need to upgrade the driver during subsequent upgrades. Run the KMSAgent service with non-root permissions.
  6. If the running user of the inference container must be the root user, use the --install-for-all parameter when installing the driver. After the installation, all users will have the permission. This parameter has security risks. For details, see the driver and firmware installation guide.
  7. For details about KMSAgent-related parameters, see KMSAgent Related Parameters.

Crypto_fs Constraints

  1. Crypto_fs can be used in containers. Install, uninstall, and upgrade Crypto_fs in a container as a running user in the container.
  2. To use Crypto_fs in a container, decompress Crypto_fs, pack the Crypto_fs folder as an image into the container, and configure environment variables.
  3. An OpenSSL version later than 1.1.1n and earlier than 3.0.0 must be installed in the operating environment.
  4. Change the ownership to the container's running user.
  5. When configuring environment variables, ensure that all SO dynamic library files in the LD_LIBRARY_PATH directory are owned by the current user or root user, and the permission meets the security requirements of the organization to which the user belongs.
  6. Only the user who installs Crypto_fs can uninstall and upgrade Crypto_fs.
  7. Only Ubuntu 18.04.1, Ubuntu 18.04.5, Ubuntu 20.04, KylinOS V10, and CentOS 8.2 are supported. Both the x86_64 and AArch64 architectures are supported.
  8. If there are a large number of files or directories in the Crypto_fs directory, traversing the directory will occupy a large amount of memory. When the ls command is run, every 1,000,000 files (or directories) occupy 400 MB of memory.
  9. In a single run of Crypto_fs, a maximum of 1024 file handles can currently be operated on, for example by opening or creating files.
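
Two of the constraints above lend themselves to an automated preflight check: the OpenSSL version range that appears in all four lists, and the ownership rule for shared libraries on LD_LIBRARY_PATH in Crypto_fs item 5. The following is an added example, not code shipped with these tools; the "no group or other write permission" rule is an assumed stand-in for your organization's permission policy.

```python
import os
import re
import stat

LOWER, UPPER = "1.1.1n", "3.0.0"  # exclusive bounds from the constraint lists

def version_key(text):
    """Turn '1.1.1w' or an `openssl version` banner into a sortable tuple."""
    m = re.match(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)", text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    major, minor, fix, letters = m.groups()
    # Letter releases sort by length first, so 'za' comes after 'z'.
    return (int(major), int(minor), int(fix), len(letters), letters)

def openssl_in_range(banner):
    try:
        return version_key(LOWER) < version_key(banner) < version_key(UPPER)
    except ValueError:
        return False  # LibreSSL, empty output, or anything unparseable

def library_findings(search_path, allowed_uids):
    """Audit *.so files on an LD_LIBRARY_PATH-style string (Crypto_fs item 5)."""
    findings = []
    for directory in search_path.split(":"):
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not re.search(r"\.so(\.\d+)*$", name):
                continue
            path = os.path.join(directory, name)
            try:
                info = os.stat(path)  # follows symlinks: the target is what loads
            except OSError:
                findings.append((path, "unreadable or dangling link"))
                continue
            if info.st_uid not in allowed_uids:
                findings.append((path, f"owner uid {info.st_uid} not allowed"))
            # Assumed organizational rule: no group/other write permission.
            if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group or others"))
    return findings

if __name__ == "__main__":
    import subprocess
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print("OpenSSL within range:", openssl_in_range(banner))
    for path, reason in library_findings(os.environ.get("LD_LIBRARY_PATH", ""), {0, os.getuid()}):
        print(path, reason)
```

Distribution packages often backport fixes without changing the version string that `openssl version` reports, so treat a banner outside the range as a prompt to check the package changelog rather than as the final word.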