
Dockerfile

We show how to generate a first secure container image with the help of a Dockerfile.

Prerequisites

Ensure that the SGX driver is installed. The out-of-tree Intel SGX driver creates the device node /dev/isgx, so check for it:

> ls /dev/isgx 
/dev/isgx

If the device node is missing, the driver is not installed; read the section Installation of SGX driver to learn how to install the SGX driver.

Install the tutorial

Clone the tutorial:

> git clone https://github.com/christoffetzer/SCONE_TUTORIAL.git

Access to SCONE Curated Images

Right now, access to the curated images is still restricted. Please send an email to scontain.ceo@gmail.com to request access.

Generate HelloAgain image (dynamically-linked)

We first generate a hello again container image with a dynamically-linked secure program:

> cd SCONE_TUTORIAL/DLDockerFile

The Dockerfile to generate the new image looks like this:

FROM sconecuratedimages/crosscompilers:runtime

RUN mkdir /hello

COPY dyn_hello_again /hello/


CMD SCONE_MODE=HW SCONE_ALPINE=1 SCONE_VERSION=1 /hello/dyn_hello_again

This assumes that the dynamically-linked binary dyn_hello_again has already been built with a suitably configured gcc, i.e. one that targets musl, the C library the SCONE runtime is built on. We build it with the provided muslgcc image, mounting the current directory into the container so the binary lands next to the Dockerfile:

> docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp sconecuratedimages/muslgcc gcc hello_again.c -o dyn_hello_again

We provide a small script, generate.sh, that builds the image and pushes it to Docker Hub. The push is expected to fail, since you do not have credentials for the sconecuratedimages repository:

> ./generate.sh

You can run this program inside an enclave; the runtime first prints its configuration as debug output, then the program's own output:

> docker run -it sconecuratedimages/helloworld:dynamic
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters: 
1.1.15
Hello Again

This image is nicely small (only 11MB) since it contains only the runtime environment and no development environment.

Running on a Docker engine without access to SGX (no driver on the host, or the device node not exposed to the container), we get an error message:

> docker run -it sconecuratedimages/helloworld:dynamic
[Error] Could not create enclave: Error opening SGX device 

Docker does not expose host device nodes to containers by default. If the driver is installed on the host but this error still appears, pass the device explicitly with docker run --device=/dev/isgx ... so the runtime inside the container can open it.

Screencast

(asciicast recording embedded on the original page)

Generate HelloAgain image (statically-linked)

We now generate the statically-linked HelloAgain container image, compiling the program inside the build image rather than copying a prebuilt binary.

> cd SCONE_TUTORIAL/DockerFile

The Dockerfile is quite straightforward. (MAINTAINER is deprecated in current Docker releases in favour of LABEL maintainer="..."; it still works and is harmless here.)

FROM sconecuratedimages/crosscompilers

MAINTAINER Christof Fetzer "christof.fetzer@gmail.com"

RUN mkdir /hello

COPY hello_again.c /hello/

RUN cd /hello && scone-gcc hello_again.c -o again

CMD ["/hello/again"]

You can either execute all steps manually (see below) or just run

> docker login
> ./generate.sh

and watch the output. The push of the image should fail since you do not have the access rights to push to the sconecuratedimages repository on Docker Hub.

We define the image name and tag that we want to generate:

export TAG="again"
export FULLTAG="sconecuratedimages/helloworld:$TAG"

We build the image:

> docker build --pull -t $FULLTAG .
> docker run -it $FULLTAG

We push it to Docker Hub (this will fail unless you have the right to push $FULLTAG):

> docker push $FULLTAG

To push successfully, change the image name to a repository on Docker Hub to which you can write, rebuild FULLTAG from it, and repeat the build and push commands above. Note that Docker repository names must be lowercase, so a name such as myrepository/helloAgain is rejected by docker build:

> export TAG="latest"
> export IMAGE_NAME="myrepository/helloagain"
> export FULLTAG="$IMAGE_NAME:$TAG"
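The whole procedure of both sections (compiling the dynamically-linked binary in the muslgcc image, building the image, running it with the SGX device exposed, and pushing it to a repository you own) as one script. This is an added example and not the tutorial's own generate.sh, which is not reproduced on this page. The subcommand interface, the function names, the SGX_DEV variable and the use of docker run --device to expose /dev/isgx to the container are assumptions about a typical setup, not something the tutorial specifies; the image name, tag and docker commands are the ones used above.

```shell
#!/bin/sh
# Added example (not the tutorial's generate.sh): compile, build, run and push
# the HelloAgain image with a preflight check for the SGX device node.
# Defaults mirror the tutorial; override them through the environment.
set -eu

SGX_DEV="${SGX_DEV:-/dev/isgx}"          # node created by the out-of-tree SGX driver (assumed path)
IMAGE_NAME="${IMAGE_NAME:-sconecuratedimages/helloworld}"
TAG="${TAG:-again}"

# full_tag REPO TAG -> "REPO:TAG". An empty TAG or one that already contains ':'
# is rejected so a stray "repo:tag" in $TAG cannot produce "repo:repo:tag".
full_tag() {
    case "$2" in
        *:*|"") return 1 ;;
    esac
    printf '%s:%s\n' "$1" "$2"
}

# sgx_device_args NODE -> the docker run flag that exposes NODE to the container,
# or nothing (status 1) when the node is absent. Without it the runtime in the
# container fails with "Could not create enclave: Error opening SGX device".
sgx_device_args() {
    [ -e "$1" ] || return 1
    printf '%s\n' "--device=$1"
}

# Compile the dynamically-linked variant inside the muslgcc image, exactly as
# the dynamically-linked section does (source and output names are its defaults).
compile_dynamic() {
    docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp \
        sconecuratedimages/muslgcc gcc "${1:-hello_again.c}" -o "${2:-dyn_hello_again}"
}

build_image() {
    docker build --pull -t "$1" .
}

run_image() {
    if dev=$(sgx_device_args "$SGX_DEV"); then :; else
        echo "warning: $SGX_DEV not found; the enclave will fail to start" >&2
        dev=""
    fi
    if [ -t 0 ]; then tty="-it"; else tty=""; fi
    # $dev and $tty are intentionally unquoted: each is empty or a single flag.
    docker run --rm $tty $dev "$1"
}

# Pushing to a repository you do not own fails at the registry; with the
# tutorial's default image name that failure is the expected outcome.
push_image() {
    docker push "$1"
}

usage() {
    echo "usage: $0 compile|build|run|push|all   (env: IMAGE_NAME, TAG, SGX_DEV)" >&2
}

main() {
    image=$(full_tag "$IMAGE_NAME" "$TAG") || { echo "bad tag: $TAG" >&2; return 64; }
    case "$1" in
        compile) compile_dynamic ;;
        build)   build_image "$image" ;;
        run)     run_image "$image" ;;
        push)    push_image "$image" ;;
        all)     build_image "$image" && run_image "$image" && push_image "$image" ;;
        *)       usage; return 64 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
else
    usage
fi
```

Run it from the directory containing the Dockerfile, e.g. IMAGE_NAME=myrepository/helloagain TAG=latest ./generate.sh all; the compile subcommand is only needed for the DLDockerFile variant, since the static Dockerfile compiles inside the build image.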

Screencast

(asciicast recording embedded on the original page)

© scontain.com, November 2017.