TNG (Trusted Network Gateway) is a tool for establishing secure communication tunnels, supporting various inbound and outbound traffic methods. It also provides secure session capabilities based on remote attestation. By configuring different ingress and egress endpoints, users can flexibly control the encryption and decryption of traffic without modifying existing applications.
The main part of TNG is the launch subcommand. Here is the usage:
```txt
Usage: tng launch [OPTIONS]

Options:
  -c, --config-file <CONFIG_FILE>
      --config-content <CONFIG_CONTENT>
  -h, --help                             Print help
```

You have to provide a JSON config file, or provide configuration content in JSON directly from the command line arguments, which will be used to configure the TNG instance.
The simplest way to launch a TNG instance is using our pre-built Docker image:
```sh
docker run -it --rm --privileged --network host --cgroupns=host ghcr.io/inclavare-containers/tng:latest tng launch --config-content='<your config json string>'
```

Check the reference document for the configuration.
TNG has two common deployment forms: you can deploy and run TNG as a container, or you can build and deploy TNG as an RPM package. If you need to modify and compile TNG, please refer to the developer documentation.
It is recommended to build TNG using Docker. Here are the steps:
- Clone the code

  ```sh
  git clone git@github.com:inclavare-containers/tng.git --branch <tag-name>
  cd tng
  git submodule update --init
  ```

- Build with Docker

  This will completely recompile TNG and its dependencies from the source code.

  ```sh
  docker build -t tng:latest --target release -f Dockerfile .
  ```

  Now we have the Docker image tng:latest, which you can directly deploy and run.

- Run TNG as a container

  ```sh
  docker run -it --rm --privileged --network host --cgroupns=host tng:latest tng launch --config-content='<your config json string>'
  ```

This section describes how to build an RPM package from the source code and install it. This is only applicable to distributions that use yum as the package manager.
- Clone the code

  ```sh
  git clone git@github.com:inclavare-containers/tng.git --branch <tag-name>
  cd tng
  git submodule update --init
  ```

- Install the Rust toolchain and Docker (or Podman)

- Create the source tarball required for RPM building

  ```sh
  make create-tarball
  ```

- Build the RPM package

  You can choose to build the RPM package in a fresh Anolis8 Docker container, which is compatible with both Anolis8 and ALinux3 distributions.

  ```sh
  make rpm-build-in-docker
  ```

  Or, you can build the RPM package directly in your current distribution environment:

  ```sh
  make rpm-build
  ```

  The build artifacts will be located in the ~/rpmbuild/RPMS/x86_64/ directory.

- Install the RPM package

  First, uninstall the old version of TNG:

  ```sh
  yum remove trusted-network-gateway -y
  ```

  Then, install the new version:

  ```sh
  yum install -y <path-to-rpm-package-on-target-environment>
  ```

  Now, you can directly use the tng command to start a TNG instance.
You can get some examples from the integration test cases.
Although we strive to maintain behavioral compatibility with older versions during development, compatibility changes are sometimes unavoidable. We recommend deploying the same latest stable version of TNG on both the client and server sides. The table below outlines version compatibility between two TNG instances.
| Compatible Version Range | Description |
|---|---|
| >= 1.0.0, < 2.0.0 | These versions use Envoy as the data plane |
| >= 2.0.0, <= 2.2.4 | Starting from version 2.0.0, TNG switched to a data plane implemented using rustls and hyper |
| 2.2.5 | Starting from this version, TNG uses OHTTP instead of the previous combination of rats-tls over HTTP CONNECT, and introduces support for the Passport model |
| 2.2.6 | Starting from this version, TNG adjusted the OHTTP protocol used to address design issues present in version 2.2.5 when used in HTTP routing scenarios |
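
The following pre-deployment check is an added example, not part of the TNG project's own code. It encodes the table above and assumes that two instances interoperate only when both versions fall in the same row; versions the table does not list are reported as `unknown`. The function names and the acceptance of a leading `v` are assumptions made for this example.

```python
import re

# Compatibility groups transcribed from the table above.
# Each entry: (lowest version, highest version, upper bound inclusive?, note)
GROUPS = [
    ((1, 0, 0), (2, 0, 0), False, "Envoy data plane"),
    ((2, 0, 0), (2, 2, 4), True, "rustls + hyper data plane"),
    ((2, 2, 5), (2, 2, 5), True, "OHTTP, Passport model"),
    ((2, 2, 6), (2, 2, 6), True, "adjusted OHTTP protocol"),
]

# Assumption: versions are plain MAJOR.MINOR.PATCH, optionally prefixed with "v".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '2.2.5' or 'v2.2.5' into (2, 2, 5); reject anything else."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(part) for part in match.groups())


def group_of(text):
    """Return the index of the table row containing this version, or None."""
    version = parse_version(text)
    for index, (low, high, inclusive, _note) in enumerate(GROUPS):
        below_top = version <= high if inclusive else version < high
        if low <= version and below_top:
            return index
    return None


def check_pair(client, server):
    """Classify a client/server version pair against the table."""
    client_group, server_group = group_of(client), group_of(server)
    if client_group is None or server_group is None:
        return "unknown"  # the table makes no statement about this version
    return "compatible" if client_group == server_group else "incompatible"


if __name__ == "__main__":
    # Constructed sample pairs, not taken from a real deployment.
    for pair in [("2.2.6", "2.2.6"), ("2.2.4", "2.2.5"), ("2.2.6", "2.3.0")]:
        print(pair, check_pair(*pair))
```

Treating `unknown` as a failure in a deployment pipeline keeps an untested version pair from reaching production.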
There are two versions of the Rust toolchain required by this project:

- `1.75.0`: This is the minimum supported Rust version for building the TNG binary or RPM package (from the source code or the released source code tarball).
- `nightly-2025-07-07`: This is the required Rust toolchain for:
  - Building the TNG JavaScript SDK. See ./tng-wasm/README_zh.md for details.
  - Creating the source code tarball with the `make create-tarball` command. This is because some of our crate dependencies require a newer Rust toolchain to resolve.
We welcome community contributions to make TNG a better tool for confidential computing scenarios! If you have any questions or suggestions, feel free to submit an Issue or Pull Request.
Apache-2.0