
Multi-Stage Build

As mentioned in the context of the Dockerfile example, you should not include the SCONE platform in the images you build, at least if you intend to push your images to public repositories. The easiest way to achieve this is to use multi-stage builds.

SCONE Hardware Mode

The idea is to build your application with the SCONE cross-compiler image (i.e., image and then copy the application to another container with a different base image.

You must ensure that all parts of your application are copied. This can be easier with static linking than with dynamic linking. We show how to generate a Docker image of a dynamically linked application, using groupcache as the example.

Getting access

You need access to a private docker hub repository to execute this example. Just register a free account on

We want to make sure that the image is as small as possible and, in particular, that it does not contain the SCONE cross-compilers. Hence, we use a multi-stage build during which we copy all dependencies of groupcache:

cat > Dockerfile << EOF
RUN apk update \
&& apk add git curl go \
&& go get -compiler gccgo -u \
&& curl  -fsSL --output  groupcache.go \
&& export SCONE_HEAP=1G \
&& go build -compiler gccgo -buildmode=exe groupcache.go

FROM alpine:latest
COPY --from=0 /groupcache /
COPY --from=0 /opt/scone/cross-compiler/x86_64-linux-musl/lib/ /opt/scone/cross-compiler/x86_64-linux-musl/lib/
COPY --from=0 /opt/scone/lib/ /opt/scone/lib/
COPY --from=0 /etc/sgx-musl.conf /etc/sgx-musl.conf
CMD sh -c "SCONE_HEAP=1G /groupcache"
EOF

Note that one can figure out the libraries to copy with the command ldd groupcache.
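As an added example (not part of the SCONE documentation), the following shell function turns ldd output into one COPY line per resolved library, so that the final stage receives only the files the binary needs, and it fails if a dependency is unresolved. The function names and the sample ldd output, including its library file names, are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the COPY lines of the final stage from `ldd` output.

# ldd_to_copy (hypothetical helper): reads ldd output on stdin and prints one
# "COPY --from=0 <path> <path>" line per distinct resolved library.
# Returns non-zero if ldd reported a dependency it could not resolve.
ldd_to_copy() {
    awk '
        /not found|Error loading shared library/ {
            printf "unresolved dependency: %s\n", $0 > "/dev/stderr"
            bad = 1
            next
        }
        {
            path = ""
            if ($2 == "=>" && $3 ~ /^\//) { path = $3 }  # name => /abs/path (addr)
            else if ($1 ~ /^\//)          { path = $1 }  # /abs/path (addr), e.g. the loader
            # Entries without an absolute path (virtual objects) are skipped.
            if (path != "" && !seen[path]++)
                printf "COPY --from=0 %s %s\n", path, path
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input: the directories are the ones used in the
# Dockerfile above, the library file names are placeholders.
sample_ldd() {
    cat <<'EOF'
    /opt/scone/lib/ld-example.so.1 (0x00007f0000000000)
    libexample.so.1 => /opt/scone/cross-compiler/x86_64-linux-musl/lib/libexample.so.1 (0x00007f0000200000)
    libother.so.1 => /opt/scone/cross-compiler/x86_64-linux-musl/lib/libother.so.1 (0x00007f0000400000)
    libexample.so.1 => /opt/scone/cross-compiler/x86_64-linux-musl/lib/libexample.so.1 (0x00007f0000200000)
    linux-vdso.so.1 (0x00007ffc00000000)
EOF
}

sample_ldd | ldd_to_copy
```

In the first build stage, the real input would come from running ldd on the built binary and piping its output into ldd_to_copy.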

Let's generate an image groupcache with this Dockerfile:

docker build --pull -t groupcache .

The size of the groupcache image is about 65MB.

You can run this container by executing:

docker run --rm --publish 8080:8080  groupcache

You can now query this service from a different terminal on the host, e.g.:

curl localhost:8080/color?name=green


This service has multiple security issues: we show how to address these with the help of the SCONE shields in a later section.