We show how to generate a first secure container image with the help of a Dockerfile.
Ensure that the sgx driver is installed
> ls /dev/isgx /dev/isgx
If the driver is not installed, read Section Installation of SGX driver to learn how to install the SGX driver.
Install the tutorial
Clone the tutorial:
> git clone https://github.com/christoffetzer/SCONE_TUTORIAL.git
Access to SCONE Curated Images
Right now, access to the curated images is still restricted. Please, send email to firstname.lastname@example.org to request access.
Generate HelloAgain image (dynamically-linked)
We first generate a hello again container image with a dynamically-linked secure program:
> cd SCONE_TUTORIAL/DLDockerFile
The Dockerfile to generate the new image looks like this:
FROM sconecuratedimages/crosscompilers:runtime RUN mkdir /hello COPY dyn_hello_again /hello/ CMD SCONE_MODE=HW SCONE_ALPINE=1 SCONE_VERSION=1 /hello/dyn_hello_again
This assumes that we already generated the dynamically linked binary with an appropriately configured gcc. We generate this with the provided gcc image:
> docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp sconecuratedimages/muslgcc gcc hello_again.c -o dyn_hello_again
We provide a little script that generates the image and pushes it to Docker hub (which should fail since you should not have the credentials):
You can run this program inside of enclave (with the output of debug messages):
> docker run -it sconecuratedimages/helloworld:dynamic export SCONE_QUEUES=4 export SCONE_SLOTS=256 export SCONE_SIGPIPE=0 export SCONE_MMAP32BIT=0 export SCONE_SSPINS=100 export SCONE_SSLEEP=4000 export SCONE_KERNEL=0 export SCONE_HEAP=67108864 export SCONE_CONFIG=/etc/sgx-musl.conf export SCONE_MODE=hw Configure parameters: 1.1.15 Hello Again
This image is nicely small (only 11MB) since it only contains the runtime environment and no development environment.
Running on a docker engine without access to SGX, we get an error message:
> docker run -it sconecuratedimages/helloworld:dynamic [Error] Could not create enclave: Error opening SGX device
Generate HelloAgain image (statically-linked)
We generate a hello again container image.
> cd SCONE_TUTORIAL/DockerFile
The Dockerfile is quite straight forward:
FROM sconecuratedimages/crosscompilers MAINTAINER Christof Fetzer "email@example.com" RUN mkdir /hello COPY hello_again.c /hello/ RUN cd /hello && scone-gcc hello_again.c -o again CMD ["/hello/again"]
You can either execute all step manually (see below) or you can just execute
> docker login ./generate.sh
and watch the outputs. The push of the image should fail since you should not have the access rights to push the image to Docker hub.
We define the image name and tag that we want to generate:
export TAG="again" export FULLTAG="sconecuratedimages/helloworld:$TAG"
We build the image:
> docker build --pull -t $FULLTAG .
> docker run -it $FULLTAG
We push it to docker hub (will fail unless you have the right to push $FULLTAG):
> docker push $FULLTAG
Please change the image name to a repository on docker hub to which you can write:
> export TAG="latest" > export IMAGE_NAME="myrepository/helloAgain"