dstack-gateway can be deployed as a dstack app on the same host as the KMS or on a different host.

Add OS Image Hash to KMS Whitelist

In order to run user workloads that use the KMS, the OS image hash must be added to the KMS whitelist.

The os_image_hash is generated during the image build process and stored in digest.txt. Add it to the whitelist with:

cd dstack/kms/auth-eth
npx hardhat kms:add-image --network phala --mr <os-image-hash>

Register dstack-gateway in KMS

cd dstack/kms/auth-eth
npx hardhat app:deploy --network phala

Expected Output:

Deploying proxy…
Waiting for deployment…
AppAuth Proxy deployed to: 0x539D0d59D1742780De41b85b2c3674b24369e292
Implementation deployed to: 0x5aC1671E1Df54994D023F0B05806821d6D84e086
Deployment completed successfully
Transaction hash: 0xceac2ac6d56a40fef903b947d3a05df42ccce66da7f356c5d54afda68277f9a9
Waiting for transaction 0xe144e9007208079e5e82c04f727d2383c58184e74d4f860e62557b5f330ab832 to be confirmed…
App registered in KMS successfully
Registered AppId: 0x31884c4b7775affe4c99735f6c2aff7d7bc6cfcd

Configure and Deploy Gateway

Initialize Gateway Deployment

cd ../../gateway/dstack-app/
./deploy-to-vmm.sh 

Configure Environment Variables

Edit the .env file with required variables:

# .env
VMM_RPC=unix:../../vmm-data/vmm.sock

# Cloudflare API token for DNS challenge used to get the SSL certificate.
CF_API_TOKEN=your_cloudflare_api_token
CF_ZONE_ID=your_zone_id

# Service domain
SRV_DOMAIN=test2.dstack.phala.network

# Public IP address
PUBLIC_IP=$(curl -s ifconfig.me)

# Gateway application ID. Register the app in KmsAuth first to get the app ID.
GATEWAY_APP_ID=0x31884c4b7775affe4c99735f6c2aff7d7bc6cfcd

# Whether to use ACME staging (yes/no)
ACME_STAGING=yes

# Subnet index. 0~15
SUBNET_INDEX=0

# My URL. The URL will be synced to other nodes in the cluster so that each node can discover other nodes.
MY_URL=https://gateway.test2.dstack.phala.network:9202

# Bootnode URL. If you want to deploy a multi-node dstack-gateway cluster, set the bootnode URL to the URL of another node already deployed or planned to be deployed later.
BOOTNODE_URL=https://gateway.test2.dstack.phala.network:9202

# DStack OS image name
OS_IMAGE=dstack-0.5.2

# Set defaults for variables that might not be in .env
GIT_REV=HEAD

# Port configurations
GATEWAY_RPC_ADDR=0.0.0.0:9202
GATEWAY_ADMIN_RPC_ADDR=127.0.0.1:9203
GATEWAY_SERVING_ADDR=0.0.0.0:9204
GUEST_AGENT_ADDR=127.0.0.1:9206
WG_ADDR=0.0.0.0:9202
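
A pre-flight check for the .env above, as an added example that is not part of the dstack repository: it parses the file without sourcing it and checks the constraints stated in the file's comments, plus the loopback binding that the sample uses for the admin RPC and guest agent addresses. The function names env_get, fail and check_gateway_env are hypothetical, and the expected GATEWAY_APP_ID shape is taken from the app ID printed earlier on this page.

```shell
#!/bin/sh
# Added example: lint a dstack-gateway .env before running ./deploy-to-vmm.sh.
# The file is parsed, never sourced, so values such as $(curl ...) are not executed.

env_get() {  # env_get FILE KEY: print the last value assigned to KEY
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

fail() { echo "FAIL $1"; _bad=1; }  # record one finding

check_gateway_env() {  # print findings; return 0 only when there are none
  _f=$1; _bad=0
  [ -r "$_f" ] || { echo "cannot read $_f"; return 2; }

  # App ID as printed by app:deploy on this page: 0x + 40 hex characters.
  env_get "$_f" GATEWAY_APP_ID | grep -Eq '^0x[0-9a-fA-F]{40}$' ||
    fail "GATEWAY_APP_ID: expected 0x followed by 40 hex characters"

  _v=$(env_get "$_f" SUBNET_INDEX)
  case "$_v" in
    ''|*[!0-9]*) fail "SUBNET_INDEX: not a number" ;;
    *) [ "$_v" -le 15 ] || fail "SUBNET_INDEX: must be 0~15" ;;
  esac

  case "$(env_get "$_f" ACME_STAGING)" in
    yes|no) ;;
    *) fail "ACME_STAGING: must be yes or no" ;;
  esac

  # Admin RPC and guest agent are IPv4-loopback-only in the sample config.
  for _k in GATEWAY_ADMIN_RPC_ADDR GUEST_AGENT_ADDR; do
    case "$(env_get "$_f" "$_k")" in
      127.*:*) ;;
      *) fail "$_k: not bound to loopback" ;;
    esac
  done

  # Template placeholders left in place break the DNS challenge.
  for _k in CF_API_TOKEN CF_ZONE_ID; do
    case "$(env_get "$_f" "$_k")" in
      ''|your_*) fail "$_k: unset or still the placeholder" ;;
    esac
  done
  return "$_bad"
}
```

Load the functions into the shell and run check_gateway_env .env before re-running the deploy script; a non-zero return means at least one FAIL line was printed.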

Deployment Confirmation

After running the script again, you’ll see a confirmation prompt:

App compose file created at: .app-compose.json
Compose hash: 700a50336df7c07c82457b116e144f526c29f6d8f4a0946b3e88065c9beba0f4
Configuration:
VMM_RPC: unix:../../build/vmm.sock
SRV_DOMAIN: test5.dstack.phala.network
PUBLIC_IP: 66.220.6.113
GATEWAY_APP_ID: 31884c4b7775affe4c99735f6c2aff7d7bc6cfcd
MY_URL: https://gateway.test5.dstack.phala.network:9202
BOOTNODE_URL: https://gateway.test2.dstack.phala.network:9202
SUBNET_INDEX: 0
WG_ADDR: 0.0.0.0:9202
GATEWAY_RPC_ADDR: 0.0.0.0:9202
GATEWAY_ADMIN_RPC_ADDR: 127.0.0.1:9203
GATEWAY_SERVING_ADDR: 0.0.0.0:9204
GUEST_AGENT_ADDR: 127.0.0.1:9206
Continue? [y/N]

Important: Don’t press ‘y’ yet! First add the compose hash to the AppAuth contract.

Add Compose Hash to Contract

npx hardhat app:add-hash --network phala --app-id 0x31884c4b7775affe4c99735f6c2aff7d7bc6cfcd 0x700a50336df7c07c82457b116e144f526c29f6d8f4a0946b3e88065c9beba0f4

After the transaction is confirmed, you can press ‘y’ to continue the deployment.