Dockerfile

We show how to generate a first secure container image with the help of a Dockerfile.

Install the tutorial

Clone the tutorial:

git clone https://github.com/christoffetzer/SCONE_TUTORIAL.git

Access to SCONE Curated Images

Right now, access to the curated images is still restricted. Please send an email to info@scontain.com to request access.

Generate HelloAgain image (dynamically-linked)

We first generate a hello again container image with a dynamically-linked secure program:

cd SCONE_TUTORIAL/DLDockerFile

The Dockerfile to generate the new image looks like this:

FROM registry.scontain.com/sconecuratedimages/crosscompilers:runtime

RUN mkdir /hello

COPY dyn_hello_again /hello/


CMD SCONE_MODE=HW SCONE_ALPINE=1 SCONE_VERSION=1 /hello/dyn_hello_again

This assumes that we already generated the dynamically linked binary with an appropriately configured gcc. We generate this with the provided gcc image:

docker run --rm  -v "$PWD":/usr/src/myapp -w /usr/src/myapp registry.scontain.com/sconecuratedimages/muslgcc gcc  hello_again.c -o dyn_hello_again

We provide a little script that generates the image and pushes it to Docker Hub (the push should fail since you should not have the credentials):

./generate.sh

Ensure that you have the newest SCONE cross compiler image, and determine which SGX device to mount with the function determine_sgx_device. You can then run the program inside of an enclave (with debug messages in the output):

> determine_sgx_device
> docker run $MOUNT_SGXDEVICE -it registry.scontain.com/sconecuratedimages/helloworld:dynamic
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters: 
1.1.15
Hello Again

This image is nicely small (only 11MB) since it only contains the runtime environment and no development environment.
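
The tutorial calls determine_sgx_device without showing it. The following is an added sketch of such a function, not SCONE's own implementation: the three device paths are assumptions covering common Linux SGX drivers, and the `root` prefix argument and the `sgx_run_cmd` helper are hypothetical, included so the logic can be exercised against a fake `/dev` tree.

```bash
#!/usr/bin/env bash
# Added sketch (not SCONE's code): choose the docker flag that exposes the
# host's SGX enclave device to a container.
# Assumed device paths, checked in this order:
#   /dev/sgx_enclave  in-kernel driver (Linux 5.11 and later)
#   /dev/sgx/enclave  out-of-tree DCAP driver
#   /dev/isgx         legacy out-of-tree driver
# $1 is an optional root prefix (hypothetical, for testing only).
determine_sgx_device() {
    local root="${1:-}" dev
    SGXDEVICE=""
    MOUNT_SGXDEVICE=""
    for dev in /dev/sgx_enclave /dev/sgx/enclave /dev/isgx; do
        if [ -e "$root$dev" ]; then
            SGXDEVICE="$dev"
            MOUNT_SGXDEVICE="--device=$dev"
            break
        fi
    done
    export SGXDEVICE MOUNT_SGXDEVICE
    if [ -z "$SGXDEVICE" ]; then
        echo "warning: no SGX device found, nothing to mount" >&2
        return 1
    fi
}

# Print (do not execute) the docker run line for image $1, e.g. "$FULLTAG".
# Fails closed: without an SGX device no command is produced, so an image
# built for hardware mode is not started without its enclave device.
sgx_run_cmd() {
    determine_sgx_device "${2:-}" || return 1
    printf 'docker run %s -it %s\n' "$MOUNT_SGXDEVICE" "$1"
}
```
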


Generate HelloAgain image (statically-linked)

We generate a hello again container image.

> cd SCONE_TUTORIAL/DockerFile

The Dockerfile is quite straightforward:

FROM registry.scontain.com/sconecuratedimages/crosscompilers

MAINTAINER Christof Fetzer "christof.fetzer@gmail.com"

RUN mkdir /hello

COPY hello_again.c /hello/

RUN cd /hello && scone-gcc hello_again.c -o again

CMD ["/hello/again"]

You can either execute all steps manually (see below) or you can just execute

> docker login
> ./generate.sh

and watch the output. The push of the image should fail since you should not have the access rights to push the image to Docker Hub.

We define the image name and tag that we want to generate:

export TAG="again"
export FULLTAG="registry.scontain.com/sconecuratedimages/helloworld:$TAG"

We build the image:

> docker build --pull -t $FULLTAG .
> docker run  $MOUNT_SGXDEVICE -it $FULLTAG

We push it to Docker Hub (this will fail unless you have the right to push $FULLTAG):

> docker push $FULLTAG

Please change the image name to a repository on Docker Hub to which you can write:

> export TAG="latest"
> export IMAGE_NAME="myrepository/helloagain"
