We show how to generate a first secure container image with the help of a Dockerfile.
Install the tutorial
Clone the tutorial:
git clone https://github.com/christoffetzer/SCONE_TUTORIAL.git
Access to SCONE Curated Images
Right now, access to the curated images is still restricted. Please send an email to firstname.lastname@example.org to request access.
Generate HelloAgain image (dynamically-linked)
We first generate a hello again container image with a dynamically-linked secure program:
The Dockerfile to generate the new image looks like this:
FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:runtime
RUN mkdir /hello
COPY dyn_hello_again /hello/
CMD SCONE_MODE=HW SCONE_ALPINE=1 SCONE_VERSION=1 /hello/dyn_hello_again
This assumes that we already generated the dynamically linked binary with an appropriately configured gcc. We generate this with the provided gcc image:
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp registry.scontain.com:5050/sconecuratedimages/muslgcc gcc hello_again.c -o dyn_hello_again
We provide a little script that generates the image and pushes it to Docker Hub (the push should fail since you should not have the credentials):
Ensure that you have the newest SCONE cross compiler image and determine which SGX device to mount with the function determine_sgx_device. You can then run this program inside of an enclave (with debug messages printed):
determine_sgx_device
docker run $MOUNT_SGXDEVICE -it registry.scontain.com:5050/sconecuratedimages/helloworld:dynamic
export SCONE_QUEUES=4
export SCONE_SLOTS=256
export SCONE_SIGPIPE=0
export SCONE_MMAP32BIT=0
export SCONE_SSPINS=100
export SCONE_SSLEEP=4000
export SCONE_KERNEL=0
export SCONE_HEAP=67108864
export SCONE_CONFIG=/etc/sgx-musl.conf
export SCONE_MODE=hw
Configure parameters: 1.1.15
Hello Again
This image is nicely small (only 11MB) since it only contains the runtime environment and no development environment.
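The text above relies on a helper named determine_sgx_device but does not show it. The following is an added example, not the tutorial's own script, of how such a helper can set MOUNT_SGXDEVICE to the docker --device flags for the known SGX driver variants; the optional root-directory argument is an assumption added so the function can be exercised on a machine without SGX hardware.

```shell
# Added example (not part of the SCONE tutorial): pick the docker --device flags
# for whichever SGX driver is installed and export them as MOUNT_SGXDEVICE.
# Device nodes checked, in order of preference:
#   /dev/sgx_enclave (+ /dev/sgx_provision)  in-kernel driver (Linux 5.11+)
#   /dev/sgx/enclave                         older out-of-tree DCAP driver
#   /dev/isgx                                legacy out-of-tree driver
# The first argument is an optional path prefix (assumption for testing only);
# with no argument the real /dev is inspected. Returns 1 if no node is found.
determine_sgx_device() {
    root="${1:-}"
    MOUNT_SGXDEVICE=""
    if [ -e "$root/dev/sgx_enclave" ]; then
        MOUNT_SGXDEVICE="--device=/dev/sgx_enclave"
        # the provisioning node is only needed for remote attestation
        if [ -e "$root/dev/sgx_provision" ]; then
            MOUNT_SGXDEVICE="$MOUNT_SGXDEVICE --device=/dev/sgx_provision"
        fi
    elif [ -e "$root/dev/sgx/enclave" ]; then
        MOUNT_SGXDEVICE="--device=/dev/sgx/enclave"
    elif [ -e "$root/dev/isgx" ]; then
        MOUNT_SGXDEVICE="--device=/dev/isgx"
    else
        echo "no SGX device node found; install the SGX driver or use SCONE_MODE=SIM" >&2
        export MOUNT_SGXDEVICE
        return 1
    fi
    export MOUNT_SGXDEVICE
    # print the flags so the result can also be captured with $(...)
    echo "$MOUNT_SGXDEVICE"
}

# Usage in the tutorial's flow ($MOUNT_SGXDEVICE is deliberately unquoted,
# because it may hold more than one flag):
#   determine_sgx_device && docker run $MOUNT_SGXDEVICE -it $FULLTAG
```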
Generate HelloAgain image (statically-linked)
We generate a hello again container image.
> cd SCONE_TUTORIAL/DockerFile
The Dockerfile is quite straightforward:
FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers
MAINTAINER Christof Fetzer "email@example.com"
RUN mkdir /hello
COPY hello_again.c /hello/
RUN cd /hello && scone-gcc hello_again.c -o again
CMD ["/hello/again"]
You can either execute all steps manually (see below) or you can just execute
> docker login
> ./generate.sh
and watch the output. The push of the image should fail since you should not have the access rights to push the image to Docker Hub.
We define the image name and tag that we want to generate:
export TAG="again"
export FULLTAG="registry.scontain.com:5050/sconecuratedimages/helloworld:$TAG"
We build the image:
> docker build --pull -t $FULLTAG .
> docker run $MOUNT_SGXDEVICE -it $FULLTAG
We push it to Docker Hub (this will fail unless you have the right to push $FULLTAG):
> docker push $FULLTAG
Please change the image name to a repository on Docker Hub to which you can write:
> export TAG="latest"
> export IMAGE_NAME="myrepository/helloAgain"