From b27c0af69ee9b04afa3b3bdd07fd8e02805bec19 Mon Sep 17 00:00:00 2001 From: Shale Xiong Date: Thu, 7 Dec 2023 13:42:50 +0000 Subject: [PATCH 1/3] Update readme and deploy script. --- README.md | 2 +- deploy_linux_pnm.sh | 44 +++++++++++++------------------------------- deploy_linux_wasm.sh | 42 +++++++++++------------------------------- deploy_nitro_pnm.sh | 40 +++++++++++----------------------------- deploy_nitro_wasm.sh | 40 +++++++++++----------------------------- 5 files changed, 47 insertions(+), 121 deletions(-) diff --git a/README.md b/README.md index 49c68e3..dca85e0 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ Trick: To run VOD faster, replace the big YOLO model (`yolov3.*`) with the tiny $ mkdir -p program && \ cp detector.wasm program && \ mkdir -p output && \ - RUST_LOG=info RUST_BACKTRACE=1 freestanding-execution-engine -i video_input program program_data -o output -r program/detector.wasm -x jit -c -d -e + RUST_LOG=info RUST_BACKTRACE=1 freestanding-execution-engine -i video_input -i program -i program_data -i output -r program/detector.wasm ``` ## End-to-end Veracruz deployment diff --git a/deploy_linux_pnm.sh b/deploy_linux_pnm.sh index 64b8bda..df41f4a 100755 --- a/deploy_linux_pnm.sh +++ b/deploy_linux_pnm.sh @@ -32,20 +32,20 @@ PROGRAM_DATA_DIR="${PROGRAM_DATA_DIR:-program_data}" VIDEO_INPUT_DIR="${VIDEO_INPUT_DIR:-video_input}" OUTPUT_DIR="${OUTPUT_DIR:-output}" PROGRAM_BASENAME="detector" -PROGRAM_PATH_LOCAL="${PROGRAM_PATH_LOCAL:-./$PROGRAM_BASENAME}" -PROGRAM_PATH_REMOTE="${PROGRAM_PATH_REMOTE:-/$PROGRAM_DIR/$PROGRAM_BASENAME}" +PROGRAM_PATH_LOCAL="${PROGRAM_PATH_LOCAL:-$PROGRAM_BASENAME}" +PROGRAM_PATH_REMOTE="${PROGRAM_PATH_REMOTE:-./$PROGRAM_DIR/$PROGRAM_BASENAME}" COCO_BASENAME="coco.names" COCO_PATH_LOCAL="${COCO_PATH_LOCAL:-$PROGRAM_DATA_DIR/$COCO_BASENAME}" -COCO_PATH_REMOTE="${COCO_PATH_REMOTE:-/$PROGRAM_DATA_DIR/$COCO_BASENAME}" +COCO_PATH_REMOTE="${COCO_PATH_REMOTE:-./$PROGRAM_DATA_DIR/$COCO_BASENAME}" YOLOV3_CFG_BASENAME="yolov3.cfg" YOLOV3_CFG_PATH_LOCAL="${YOLOV3_CFG_PATH_LOCAL:-$PROGRAM_DATA_DIR/$YOLOV3_CFG_BASENAME}" -YOLOV3_CFG_PATH_REMOTE="${YOLOV3_CFG_PATH_REMOTE:-/$PROGRAM_DATA_DIR/$YOLOV3_CFG_BASENAME}" +YOLOV3_CFG_PATH_REMOTE="${YOLOV3_CFG_PATH_REMOTE:-./$PROGRAM_DATA_DIR/$YOLOV3_CFG_BASENAME}" YOLOV3_WEIGHTS_BASENAME="yolov3.weights" YOLOV3_WEIGHTS_PATH_LOCAL="${YOLOV3_WEIGHTS_PATH_LOCAL:-$PROGRAM_DATA_DIR/$YOLOV3_WEIGHTS_BASENAME}" -YOLOV3_WEIGHTS_PATH_REMOTE="${YOLOV3_WEIGHTS_PATH_REMOTE:-/$PROGRAM_DATA_DIR/$YOLOV3_WEIGHTS_BASENAME}" +YOLOV3_WEIGHTS_PATH_REMOTE="${YOLOV3_WEIGHTS_PATH_REMOTE:-./$PROGRAM_DATA_DIR/$YOLOV3_WEIGHTS_BASENAME}" INPUT_VIDEO_BASENAME="in.h264" INPUT_VIDEO_PATH_LOCAL="${INPUT_VIDEO_PATH_LOCAL:-$VIDEO_INPUT_DIR/$INPUT_VIDEO_BASENAME}" -INPUT_VIDEO_PATH_REMOTE="${INPUT_VIDEO_PATH_REMOTE:-/$VIDEO_INPUT_DIR/$INPUT_VIDEO_BASENAME}" +INPUT_VIDEO_PATH_REMOTE="${INPUT_VIDEO_PATH_REMOTE:-./$VIDEO_INPUT_DIR/$INPUT_VIDEO_BASENAME}" # PKI CA_CERT_CONF_PATH="${CA_CERT_CONF_PATH:-$VERACRUZ_PATH/workspaces/ca-cert.conf}" @@ -132,16 +132,11 @@ $POLICY_GENERATOR_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ --certificate-expiry "$(date --rfc-2822 -d 'now + 100 days')" \ --css-file $RUNTIME_MANAGER_PATH \ - --certificate $PROGRAM_CLIENT_CERT_PATH \ - --capability "/$PROGRAM_DIR/:w" \ - --certificate $DATA_CLIENT_CERT_PATH \ - --capability "/$PROGRAM_DATA_DIR/:w" \ - --certificate $VIDEO_CLIENT_CERT_PATH \ - --capability "/$VIDEO_INPUT_DIR/:w" \ - --certificate $RESULT_CLIENT_CERT_PATH \ - --capability "/$PROGRAM_DIR/:x,/$OUTPUT_DIR/:r,stdout:r,stderr:r" \ - --program-binary $PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL \ - --capability "/$PROGRAM_DIR/:r,/$PROGRAM_DATA_DIR/:r,/$VIDEO_INPUT_DIR/:r,/program_internal/:rw,/$OUTPUT_DIR/:w,stdout:w,stderr:w" \ + --certificate "$PROGRAM_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:w" \ + --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ + --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ + --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,./$OUTPUT_DIR/:r" \ + --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DIR/:r,./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1 @@ -193,7 +188,7 @@ echo "=============Provisioning program" RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ --program $PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL \ --identity $PROGRAM_CLIENT_CERT_PATH \ - --key $PROGRAM_CLIENT_KEY_PATH || exit + --key $PROGRAM_CLIENT_KEY_PATH || exit 1 echo "=============Provisioning data" RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ @@ -215,22 +210,9 @@ RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ --identity $RESULT_CLIENT_CERT_PATH \ --key $RESULT_CLIENT_KEY_PATH || exit 1 -echo "=============Querying results (stdout and stderr)" -dump=$(RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ - --result stdout=- \ - --result stderr=- \ - --identity $RESULT_CLIENT_CERT_PATH \ - --key $RESULT_CLIENT_KEY_PATH \ - -n) -echo "$dump" -frame_count=$(echo "$dump" | grep "^Frames:" | awk '{print $2}') - echo "=============Querying results (predictions)" -for ((i=0;i ./$PROGRAM_DIR/:w" \ + --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ + --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ + --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,./$OUTPUT_DIR/:r" \ + --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1 @@ -208,22 +201,9 @@ RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ --identity $RESULT_CLIENT_CERT_PATH \ --key $RESULT_CLIENT_KEY_PATH || exit 1 -echo "=============Querying results (stdout and stderr)" -dump=$(RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ - --result stdout=- \ - --result stderr=- \ - --identity $RESULT_CLIENT_CERT_PATH \ - --key $RESULT_CLIENT_KEY_PATH \ - -n) -echo "$dump" -frame_count=$(echo "$dump" | grep "^Frames:" | awk '{print $2}') - echo "=============Querying results (predictions)" -for ((i=0;i ./$PROGRAM_DIR/:w" \ + --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ + --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ + --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,/$OUTPUT_DIR/:r" \ + --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DIR/:r,./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1 @@ -219,22 +214,9 @@ RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ --identity $RESULT_CLIENT_CERT_PATH \ --key $RESULT_CLIENT_KEY_PATH || exit 1 -echo "=============Querying results (stdout and stderr)" -dump=$(RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ - --result stdout=- \ - --result stderr=- \ - --identity $RESULT_CLIENT_CERT_PATH \ - --key $RESULT_CLIENT_KEY_PATH \ - -n) -echo "$dump" -frame_count=$(echo "$dump" | grep "^Frames:" | awk '{print $2}') - echo "=============Querying results (predictions)" -for ((i=0;i ./$PROGRAM_DIR/:w" \ + --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ + --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ + --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,./$OUTPUT_DIR/:r" \ + --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1 @@ -217,22 +212,9 @@ RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ --identity $RESULT_CLIENT_CERT_PATH \ --key $RESULT_CLIENT_KEY_PATH || exit 1 -echo "=============Querying results (stdout and stderr)" -dump=$(RUST_LOG=error $CLIENT_PATH $POLICY_PATH \ - --result stdout=- \ - --result stderr=- \ - --identity $RESULT_CLIENT_CERT_PATH \ - --key $RESULT_CLIENT_KEY_PATH \ - -n) -echo "$dump" -frame_count=$(echo "$dump" | grep "^Frames:" | awk '{print $2}') - echo "=============Querying results (predictions)" -for ((i=0;i Date: Mon, 29 Jan 2024 13:23:28 +0000 Subject: [PATCH 2/3] Fix the deploy script, removing flags no longer used. --- deploy_linux_pnm.sh | 4 +--- deploy_nitro_pnm.sh | 2 -- deploy_nitro_wasm.sh | 2 -- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/deploy_linux_pnm.sh b/deploy_linux_pnm.sh index df41f4a..0beb331 100755 --- a/deploy_linux_pnm.sh +++ b/deploy_linux_pnm.sh @@ -125,8 +125,6 @@ done echo "=============Generating policy" $POLICY_GENERATOR_PATH \ --max-memory-mib 2000 \ - --enclave-debug-mode \ - --enable-clock \ --proxy-attestation-server-ip $PAS_ADDRESS:$PAS_PORT \ --proxy-attestation-server-cert $CA_CERT_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ @@ -165,7 +163,7 @@ curl -X POST -H 'Content-Type: application/corim-unsigned+cbor; profile=http://a if [ -z $SERVERLESS ]; then echo "=============Running veracruz server" - RUST_LOG=error RUNTIME_ENCLAVE_BINARY_PATH=$RUNTIME_MANAGER_PATH $SERVER_PATH $POLICY_PATH &> $SERVER_LOG & + RUST_LOG=info RUNTIME_ENCLAVE_BINARY_PATH=$RUNTIME_MANAGER_PATH $SERVER_PATH $POLICY_PATH &> $SERVER_LOG & fi diff --git a/deploy_nitro_pnm.sh b/deploy_nitro_pnm.sh index 462caaa..556a52f 100755 --- a/deploy_nitro_pnm.sh +++ b/deploy_nitro_pnm.sh @@ -129,8 +129,6 @@ done echo "=============Generating policy" $POLICY_GENERATOR_PATH \ --max-memory-mib 2000 \ - --enclave-debug-mode \ - --enable-clock \ --proxy-attestation-server-ip $PAS_ADDRESS:$PAS_PORT \ --proxy-attestation-server-cert $CA_CERT_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ diff --git a/deploy_nitro_wasm.sh b/deploy_nitro_wasm.sh index 8c50915..d157c83 100755 --- a/deploy_nitro_wasm.sh +++ b/deploy_nitro_wasm.sh @@ -127,8 +127,6 @@ done echo "=============Generating policy" $POLICY_GENERATOR_PATH \ --max-memory-mib 2000 \ - --enclave-debug-mode \ - --enable-clock \ --proxy-attestation-server-ip $PAS_ADDRESS:$PAS_PORT \ --proxy-attestation-server-cert $CA_CERT_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ From 31c5d9d9bb74feb2e3f68cf3834610fb35efe326 Mon Sep 17 00:00:00 2001 From: Shale Xiong Date: Fri, 5 Apr 2024 16:05:07 +0100 Subject: [PATCH 3/3] update suggested by Guilhem Bryant --- deploy_linux_pnm.sh | 2 +- deploy_linux_wasm.sh | 2 +- deploy_nitro_pnm.sh | 8 ++++---- deploy_nitro_wasm.sh | 8 ++++---- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy_linux_pnm.sh b/deploy_linux_pnm.sh index 0beb331..abfb105 100755 --- a/deploy_linux_pnm.sh +++ b/deploy_linux_pnm.sh @@ -63,7 +63,7 @@ RESULT_CLIENT_KEY_PATH="result_client_key.pem" POLICY_PATH="${POLICY_PATH:-policy.json}" -PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/proxy_cleanup.sh}" +PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/sdk/proxy_cleanup.sh}" SERVER_LOG="${SERVER_LOG:-server.log}" SERVER_ATTEMPTS="${SERVER_ATTEMPTS:-60}" diff --git a/deploy_linux_wasm.sh b/deploy_linux_wasm.sh index b2ca748..a249b02 100755 --- a/deploy_linux_wasm.sh +++ b/deploy_linux_wasm.sh @@ -62,7 +62,7 @@ RESULT_CLIENT_KEY_PATH="result_client_key.pem" POLICY_PATH="${POLICY_PATH:-policy.json}" -PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/proxy_cleanup.sh}" +PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/sdk/proxy_cleanup.sh}" SERVER_LOG="${SERVER_LOG:-server.log}" SERVER_ATTEMPTS="${SERVER_ATTEMPTS:-60}" diff --git a/deploy_nitro_pnm.sh b/deploy_nitro_pnm.sh index 556a52f..6effbd7 100755 --- a/deploy_nitro_pnm.sh +++ b/deploy_nitro_pnm.sh @@ -11,7 +11,7 @@ VERACRUZ_PATH="${VERACRUZ_PATH:-$HOME/veracruz}" POLICY_GENERATOR_PATH="${POLICY_GENERATOR_PATH:-$VERACRUZ_PATH/workspaces/host/target/$PROFILE/generate-policy}" CLIENT_PATH="${CLIENT_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-host/target/$PROFILE/veracruz-client}" SERVER_PATH="${SERVER_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-host/target/$PROFILE/$BACKEND-veracruz-server}" -EIF_PATH="${EIF_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/runtime_manager.eif}" +EIF_PATH="${EIF_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/nitro_runtime_manager.eif}" PCR0_PATH="${PCR0_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/PCR0}" NATIVE_MODULE_SANDBOXER_PATH="${NATIVE_MODULE_SANDBOXER_PATH:-$VERACRUZ_PATH/native-module-sandboxer/build/native-module-sandboxer}" @@ -65,7 +65,7 @@ RESULT_CLIENT_KEY_PATH="result_client_key.pem" POLICY_PATH="${POLICY_PATH:-policy.json}" -PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/proxy_cleanup.sh}" +PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/sdk/proxy_cleanup.sh}" NITRO_LOG="${NITRO_LOG:-nitro.log}" SERVER_LOG="${SERVER_LOG:-server.log}" @@ -133,11 +133,11 @@ $POLICY_GENERATOR_PATH \ --proxy-attestation-server-cert $CA_CERT_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ --certificate-expiry "$(date --rfc-2822 -d 'now + 100 days')" \ - --pcr-file $PCR0_PATH \ + --pcr0-file $PCR0_PATH \ --certificate "$PROGRAM_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:w" \ --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ - --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,/$OUTPUT_DIR/:r" \ + --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,./$OUTPUT_DIR/:r" \ --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DIR/:r,./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1 diff --git a/deploy_nitro_wasm.sh b/deploy_nitro_wasm.sh index d157c83..e7fa7c0 100755 --- a/deploy_nitro_wasm.sh +++ b/deploy_nitro_wasm.sh @@ -10,7 +10,7 @@ VERACRUZ_PATH="${VERACRUZ_PATH:-$HOME/veracruz}" POLICY_GENERATOR_PATH="${POLICY_GENERATOR_PATH:-$VERACRUZ_PATH/workspaces/host/target/$PROFILE/generate-policy}" CLIENT_PATH="${CLIENT_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-host/target/$PROFILE/veracruz-client}" SERVER_PATH="${SERVER_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-host/target/$PROFILE/$BACKEND-veracruz-server}" -EIF_PATH="${EIF_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/runtime_manager.eif}" +EIF_PATH="${EIF_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/nitro_runtime_manager.eif}" PCR0_PATH="${PCR0_PATH:-$VERACRUZ_PATH/workspaces/$BACKEND-runtime/PCR0}" # Attestation @@ -63,7 +63,7 @@ RESULT_CLIENT_KEY_PATH="result_client_key.pem" POLICY_PATH="${POLICY_PATH:-policy.json}" -PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/proxy_cleanup.sh}" +PROXY_CLEANUP_SCRIPT_PATH="${PROXY_CLEANUP_SCRIPT_PATH:-$VERACRUZ_PATH/sdk/proxy_cleanup.sh}" NITRO_LOG="${NITRO_LOG:-nitro.log}" SERVER_LOG="${SERVER_LOG:-server.log}" @@ -131,12 +131,12 @@ $POLICY_GENERATOR_PATH \ --proxy-attestation-server-cert $CA_CERT_PATH \ --veracruz-server-ip $VC_SERVER_ADDRESS:$VC_SERVER_PORT \ --certificate-expiry "$(date --rfc-2822 -d 'now + 100 days')" \ - --pcr-file $PCR0_PATH \ + --pcr0-file $PCR0_PATH \ --certificate "$PROGRAM_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:w" \ --certificate "$DATA_CLIENT_CERT_PATH => ./$PROGRAM_DATA_DIR/:w" \ --certificate "$VIDEO_CLIENT_CERT_PATH => ./$VIDEO_INPUT_DIR/:w" \ --certificate "$RESULT_CLIENT_CERT_PATH => ./$PROGRAM_DIR/:x,./$OUTPUT_DIR/:r" \ - --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ + --program-binary "$PROGRAM_PATH_REMOTE=$PROGRAM_PATH_LOCAL => ./$PROGRAM_DIR/:r,./$PROGRAM_DATA_DIR/:r,./$VIDEO_INPUT_DIR/:r,./program_internal/:rw,./$OUTPUT_DIR/:w" \ --output-policy-file $POLICY_PATH || exit 1