Multi-Stage Build
As we mentioned in the context of the dockerfile example, that you should not include the SCONE platform in the images you build - at least if you intent to push you images to public repositories. The easiest way to achieve this, is to use multi-stage builds.
The idea is to build you application with the scone cross-compiler image (i.e., registry.scontain.com/sconecuratedimages/crosscompilers) image and then copy the application to another container with a different base image.
You must ensure that you copy all parts of your application are included. If you use static linking, this can be easier than using dynamic linking. We show how to generate a Docker image of a dynamically linked application: we show this for groupcache.
Getting access
You need access to a private docker hub repository registry.scontain.com/sconecuratedimages/crosscompilers to execute this example. Just register a free account on gitlab.scontain.com
.
We do want to make sure that the image is as small as possible and in particular, that the image must not contain the SCONE crosscompilers. Hence, we use a multi-stage build during which we copy all dependencies of groupcache:
cat > Dockerfile << EOF
FROM registry.scontain.com/sconecuratedimages/crosscompilers
RUN apk update \
&& apk add git curl go \
&& go get -compiler gccgo -u github.com/golang/groupcache \
&& curl -fsSL --output groupcache.go https://gist.githubusercontent.com/fiorix/816117cfc7573319b72d/raw/797d2ed5b567dcffb8ebd8896a3d7671b1a44b31/groupcache.go \
&& export SCONE_HEAP=1G \
&& go build -compiler gccgo -buildmode=exe groupcache.go
FROM alpine:latest
COPY --from=0 /groupcache /
COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgo.so.13 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgo.so.13
COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgcc_s.so.1 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgcc_s.so.1
COPY --from=0 /opt/scone/lib/ld-scone-x86_64.so.1 /opt/scone/lib/ld-scone-x86_64.so.1
COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libc.scone-x86_64.so.1 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libc.scone-x86_64.so.1
COPY --from=0 /etc/sgx-musl.conf /etc/sgx-musl.conf
CMD sh -c "SCONE_HEAP=1G /groupcache"
EOF
Note that one can figure out the libraries to copy with command ldd groupcache.
Let's generate an image groupcache with this Dockerfile:
docker build --pull -t groupcache .
The size of the groupcache image is about 65MB.
You can run this container by executing:
docker run --rm --publish 8080:8080 groupcache
You can now query this service from a different terminal on the host this service, e.g.,:
curl localhost:8080/color?name=green
Warning
This service has multiple security issues: we show how to address these with the help of the SCONE shields in a later section.