问题求助-CapsuleManager无法运行

[zhuyifeiRuichuang]

操作与日志如下所示，按照文档https://www.secretflow.org.cn/zh-CN/docs/trustflow/0.4.0b0/quick_start/step1#sgxcapsulemanager ，操作后无法正确启动服务。
应如何进行排查和调整。

root@sgx4:/opt/trustflow# cat /etc/sgx_default_qcnl.conf
{
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "user_token": "user@123",
  "use_secure_cert": false,
  "pccs_api_version": "3.0",
  "retry_times": 6,
  "retry_delay": 10,
  "pck_cache_expire_hours": 168,
  "verify_collateral_cache_expire_hours": 168,
  "local_cache_only": false
}
root@sgx4:/opt/trustflow# docker run -it --name capsule-manager-sgx --network=host -v /dev/sgx_enclave:/dev/sgx/enclave -v /dev/sgx_provision:/dev/sgx/provision --privileged=true secretflow/capsule-manager-sgx-ubuntu22.04:latest bash
(base) root@sgx4:/home/admin/occlum_instance# docker cp /etc/sgx_default_qcnl.conf capsule-manager-sgx:/home/admin/occlum_instance/
bash: docker: command not found
(base) root@sgx4:/home/admin/occlum_instance# ll
total 36
drwxr-xr-x  1 root root 4096 Mar 16 02:23 ./
drwxr-xr-x  1 root root 4096 Dec 13  2024 ../
-rw-r--r--  1 root root   12 Dec 13  2024 .__occlum_status
-rw-r--r--  1 root root 1669 Dec 13  2024 Occlum.json
-rw-r--r--  1 root root 1281 Dec 13  2024 config.yaml
drwxr-xr-x 13 root root 4096 Dec 13  2024 image/
drwxr-xr-x  7 root root 4096 Dec 13  2024 initfs/
-rw-r--r--  1 root root  300 Mar 16 02:09 sgx_default_qcnl.conf
(base) root@sgx4:/home/admin/occlum_instance# cp sgx_default_qcnl.conf ./image/etc/sgx_default_qcnl.conf
(base) root@sgx4:/home/admin/occlum_instance# cat /home/admin/occlum_instance/image/etc/sgx_default_qcnl.conf
{
  "pccs_url": "https://localhost:8081/sgx/certification/v4/",
  "user_token": "user@123",
  "use_secure_cert": false,
  "pccs_api_version": "3.0",
  "retry_times": 6,
  "retry_delay": 10,
  "pck_cache_expire_hours": 168,
  "verify_collateral_cache_expire_hours": 168,
  "local_cache_only": false
}
(base) root@sgx4:/home/admin/occlum_instance# openssl genrsa -3 -out private_key.pem 3072
(base) root@sgx4:/home/admin/occlum_instance# occlum build -f --sign-key private_key.pem
Enclave sign-tool: /opt/occlum/sgxsdk-tools/bin/x64/sgx_sign
Enclave sign-key: private_key.pem
SGX mode: HW
rm -rf /home/admin/occlum_instance/build
Building the initfs...
[+] Home dir is /root
[-] Open token file /root/enclave.token error! Will create one.
[+] Saved updated launch token!
[+] Init Enclave Successful 382252089346!
Generate the SEFS image successfully
Building new image...
[+] Home dir is /root
[+] Open token file success! 
[+] Token file valid!
[+] Init Enclave Successful 399431958530!
Generate the SEFS image successfully
Build on platform WITHOUT EDMM support
Building libOS...
Signing the enclave...
<EnclaveConfiguration>
    <ProdID>1200</ProdID>
    <ISVSVN>0</ISVSVN>
    <StackMaxSize>1048576</StackMaxSize>
    <StackMinSize>1048576</StackMinSize>
    <HeapInitSize>536870912</HeapInitSize>
    <HeapMaxSize>536870912</HeapMaxSize>
    <HeapMinSize>536870912</HeapMinSize>
    <TCSNum>256</TCSNum>
    <TCSMaxNum>256</TCSMaxNum>
    <TCSMinPool>256</TCSMinPool>
    <TCSPolicy>1</TCSPolicy>
    <DisableDebug>1</DisableDebug>
    <MiscSelect>0</MiscSelect>
    <MiscMask>0</MiscMask>
    <ReservedMemMaxSize>4194304000</ReservedMemMaxSize>
    <ReservedMemMinSize>4194304000</ReservedMemMinSize>
    <ReservedMemInitSize>4194304000</ReservedMemInitSize>
    <ReservedMemExecutable>1</ReservedMemExecutable>
    <EnableKSS>0</EnableKSS>
    <ISVEXTPRODID_H>0</ISVEXTPRODID_H>
    <ISVEXTPRODID_L>0</ISVEXTPRODID_L>
    <ISVFAMILYID_H>0</ISVFAMILYID_H>
    <ISVFAMILYID_L>0</ISVFAMILYID_L>
    <PKRU>0</PKRU>
    <AMX>0</AMX>
</EnclaveConfiguration>
tcs_num 256, tcs_max_num 256, tcs_min_pool 256
INFO: SGX1 only enclave, which will run on all platforms.
The required memory is 5010006016B.
The required memory is 0x12a9ea000, 4892584 KB.
handle_compatible_metadata: Overwrite with metadata version 0x100000004
Succeed.
Built the Occlum image and enclave successfully
(base) root@sgx4:/home/admin/occlum_instance# occlum run /bin/capsule_manager_grpc --tls_config.enable_tls false
[2026-03-16 02:24:32.535] [info] [sgx2_generator.cc:102] Start generating sgx2 report
[get_platform_quote_cert_data ../qe_logic.cpp:388] Error returned from the p_sgx_get_quote_config API. 0xe065
thread 'main' panicked at bin/grpc-as/src/main.rs:108:6:
capsule_manager init error: Error { code: InternalErr, details: Some("runified_attestation_generate_auth_report err: \"[Enforce fail at trustflow/attestation/generation/sgx2/sgx2_generator.cc:114] ioctl(sgx_fd, SGXIOC_GET_DCAP_QUOTE_SIZE, &quote_size) == 0. -1 vs 0.Fail to get quote size, errno = 22\\0\""), location: Some(ErrorLocation { line: 266, file: "capsule-manager/src/server.rs" }) }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
(base) root@sgx4:/home/admin/occlum_instance# 

对PCCS服务的的检查，

root@sgx4:/opt# PCKIDRetrievalTool

Intel(R) Software Guard Extensions PCK Cert ID Retrieval Tool Version 1.25.100.1

the pccs_url setting coming from network_setting.conf, and the value is: https://localhost:8081/sgx/certification/v4/platforms.
the use_secure_cert setting coming from network_setting.conf, and the value is: FALSE.
the user_token setting coming from network_setting.conf, and the value is: *** (actual value hidden).
the proxy_type setting coming from network_setting.conf, and the value is: DIRECT.
Registration status has been set to completed status.
the data has been sent to cache server successfully and pckid_retrieval.csv has been generated successfully!
root@sgx4:/opt# systemctl status pccs.service 
● pccs.service - Provisioning Certificate Caching Service (PCCS)
     Loaded: loaded (/lib/systemd/system/pccs.service; disabled; vendor preset: enabled)
     Active: active (running) since Fri 2026-03-13 10:17:12 CST; 3 days ago
       Docs: https://github.com/intel/confidential-computing.tee.dcap.pccs/blob/main/service/README.md
   Main PID: 4273 (MainThread)
      Tasks: 11 (limit: 613692)
     Memory: 60.1M
        CPU: 3.276s
     CGroup: /system.slice/pccs.service
             └─4273 /usr/bin/node /opt/intel/sgx-dcap-pccs/pccs_server.js

Mar 16 10:25:48 sgx4 node[4273]: 2026-03-16 10:25:48.659 [debug] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] Request URL https://api.trust>
Mar 16 10:25:48 sgx4 node[4273]: 2026-03-16 10:25:48.931 [info] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] [Request-ID=c7f2404624f84b9aa1>
Mar 16 10:25:48 sgx4 node[4273]: 2026-03-16 10:25:48.931 [debug] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] Request URL https://api.trust>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.194 [info] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] [Request-ID=abe78a0e27d0456cbf>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.194 [debug] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] Request URL https://api.trust>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.541 [info] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] [Request-ID=9ec3dd118de54325a1>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.541 [debug] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] Request URL https://api.trust>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.875 [info] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] [Request-ID=9acf227450a4477f99>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.876 [debug] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] Request URL https://api.trust>
Mar 16 10:25:49 sgx4 node[4273]: 2026-03-16 10:25:49.947 [info] [Client Request-ID=866d66e2862c4b15861473b6955c35b6] [URL=/sgx/certification/v4/pla>
root@sgx4:/opt# 

对设备检查

root@sgx4:/opt# ll /dev/ | grep sgx
drwxr-xr-x  2 root root          80 Mar 13 09:44 sgx/
crw-rw----  1 root sgx      10, 125 Mar 13 09:44 sgx_enclave
crw-rw----  1 root sgx_prv  10, 126 Mar 13 09:44 sgx_provision
crw-rw----  1 root sgx      10, 124 Mar 13 09:44 sgx_vepc
root@sgx4:/opt# 

对aesm检查

root@sgx4:/opt# systemctl status aesmd.service 
● aesmd.service - Intel(R) Architectural Enclave Service Manager
     Loaded: loaded (/lib/systemd/system/aesmd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2026-03-16 10:09:20 CST; 27min ago
    Process: 18835 ExecStartPre=/opt/intel/sgx-aesm-service/aesm/linksgx.sh (code=exited, status=0/SUCCESS)
    Process: 18850 ExecStartPre=/bin/mkdir -p /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 18852 ExecStartPre=/bin/chown -R aesmd:aesmd /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 18855 ExecStartPre=/bin/chmod 0755 /var/run/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 18857 ExecStartPre=/bin/chown -R aesmd:aesmd /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 18859 ExecStartPre=/bin/chmod 0750 /var/opt/aesmd/ (code=exited, status=0/SUCCESS)
    Process: 18862 ExecStart=/opt/intel/sgx-aesm-service/aesm/aesm_service (code=exited, status=0/SUCCESS)
   Main PID: 18864 (aesm_service)
      Tasks: 4 (limit: 613692)
     Memory: 6.5M
        CPU: 103ms
     CGroup: /system.slice/aesmd.service
             └─18864 /opt/intel/sgx-aesm-service/aesm/aesm_service

Mar 16 10:09:19 sgx4 systemd[1]: Starting Intel(R) Architectural Enclave Service Manager...
Mar 16 10:09:20 sgx4 aesm_service[18862]: aesm_service: warning: Turn to daemon. Use "--no-daemon" option to execute in foreground.
Mar 16 10:09:20 sgx4 systemd[1]: Started Intel(R) Architectural Enclave Service Manager.
Mar 16 10:09:20 sgx4 aesm_service[18864]: The server sock is 0x56515b89eff0
root@sgx4:/opt# 

对软件包检查

root@sgx4:/opt# dpkg -l libsgx-dcap-default-qpl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version           Architecture Description
+++-=======================-=================-============-=================================================================
ii  libsgx-dcap-default-qpl 1.25.100.1-jammy1 amd64        Intel(R) Software Guard Extensions Default Quote Provider Library
root@sgx4:/opt#