As we mentioned in the context of the dockerfile example, that you should not include the SCONE platform in the images you build - at least if you intent to push you images to public repositories. The easiest way to achieve this, is to use multi-stage builds.
The idea is to build you application with the scone cross-compiler image (i.e., sconecuratedimages/crosscompilers) image and then copy the application to another container with a different base image.
You must ensure that you copy all parts of your application are included. If you use static linking, this can be easier than using dynamic linking. We show how to generate a Docker image of a dynamically linked application: we show this for groupcache.
You need access to a private docker hub repository sconecuratedimages/crosscompilers to execute this example. Send us your docker hub ID to get access to this repository.
We do want to make sure that the image is as small as possible and in particular, that the image must not contain the SCONE crosscompilers. Hence, we use a multi-stage build during which we copy all dependencies of groupcache:
cat > Dockerfile << EOF FROM sconecuratedimages/crosscompilers RUN apk update \ && apk add git curl go \ && go get -compiler gccgo -u github.com/golang/groupcache \ && curl -fsSL --output groupcache.go https://gist.githubusercontent.com/fiorix/816117cfc7573319b72d/raw/797d2ed5b567dcffb8ebd8896a3d7671b1a44b31/groupcache.go \ && export SCONE_HEAP=1G \ && go build -compiler gccgo -buildmode=exe groupcache.go FROM alpine:latest COPY --from=0 /groupcache / COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgo.so.13 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgo.so.13 COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgcc_s.so.1 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libgcc_s.so.1 COPY --from=0 /opt/scone/lib/ld-scone-x86_64.so.1 /opt/scone/lib/ld-scone-x86_64.so.1 COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libc.scone-x86_64.so.1 /opt/scone/cross-compiler/x86_64-linux-musl/lib/libc.scone-x86_64.so.1 COPY --from=0 /etc/sgx-musl.conf /etc/sgx-musl.conf CMD sh -c "SCONE_HEAP=1G /groupcache" EOF
Note that one can figure out the libraries to copy with command ldd groupcache.
Let's generate an image groupcache with this Dockerfile:
docker build --pull -t groupcache .
The size of the groupcache image is about 65MB.
You can run this container by executing:
docker run --rm --publish 8080:8080 groupcache
You can now query this service from a different terminal on the host this service, e.g.,:
This service has multiple security issues: we show how to address these with the help of the SCONE shields in a later section.