diff --git a/.github/workflows/build_and_push_aliyunlinux_image.yml b/.github/workflows/build_and_push_aliyunlinux_image.yml
index 9180000c..b7904d5d 100644
--- a/.github/workflows/build_and_push_aliyunlinux_image.yml
+++ b/.github/workflows/build_and_push_aliyunlinux_image.yml
@@ -18,13 +18,6 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v2
- # Because "Build and push" step `context` field can't be subdir,
- # we need to copy files needed by dockerfile to root dir of the project
- - name: Copy context for docker build
- run: |
- cp -r tools/toolchains .
- cp -r tools/docker .
-
 - name: Get Occlum release version
 run: echo "RELEASE_VERSION=$(grep 'Version =' src/pal/include/occlum_version.h | awk '{print $4}')" >> $GITHUB_ENV;
diff --git a/.github/workflows/build_and_push_docker_image.yml b/.github/workflows/build_and_push_docker_image.yml
index f7221561..7c72dfc4 100644
--- a/.github/workflows/build_and_push_docker_image.yml
+++ b/.github/workflows/build_and_push_docker_image.yml
@@ -23,13 +23,6 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v2
- # Because "Build and push" step `context` field can't be subdir,
- # we need to copy files needed by dockerfile to root dir of the project
- - name: Copy context for docker build
- run: |
- cp -r tools/toolchains .
- cp -r tools/docker .
-
 - name: Get Occlum release version
 run: echo "RELEASE_VERSION=$(grep 'Version =' src/pal/include/occlum_version.h | awk '{print $4}')" >> $GITHUB_ENV;
diff --git a/tools/docker/Dockerfile.aliyunlinux3 b/tools/docker/Dockerfile.aliyunlinux3
index 867c613e..d7007ce7 100644
--- a/tools/docker/Dockerfile.aliyunlinux3
+++ b/tools/docker/Dockerfile.aliyunlinux3
@@ -120,32 +120,27 @@ RUN wget http://www.etallen.com/cpuid/cpuid-20200211.x86_64.tar.gz && \
 cp ./cpuid-20200211/cpuid /usr/bin/ && \
 rm -rf /tmp/cpuid-20200211*
+
+# Download the Occlum source
+ARG OCCLUM_BRANCH
+WORKDIR /root
+RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \
+ cp -r /root/occlum/tools/toolchains/* /tmp/ && mkdir -p /opt/occlum/ && \
+ cp /root/occlum/tools/docker/start_aesm.sh /opt/occlum/
+
 # Install Occlum toolchain
-COPY toolchains/musl-gcc /tmp/musl-gcc
 WORKDIR /tmp
 RUN cd musl-gcc && ./build.sh && ./install_zlib.sh && rm -rf /tmp/musl-gcc
 ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
 # Install glibc
-COPY toolchains/glibc /tmp/glibc
 WORKDIR /tmp
 RUN cd glibc && ./build.sh && rm -rf /tmp/glibc
 # Install Occlum Golang toolchain
-COPY toolchains/golang /tmp/golang
 WORKDIR /tmp
-RUN yum install -y go && cd golang && ./build.sh && rm -rf /tmp/golang
-ENV PATH="/usr/local/occlum/golang/bin:$PATH"
-
-# Install Occlum Java toolchain (JDK 11)
-ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
-COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
-RUN rm $JDK11_PATH/lib/security/cacerts
-COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
-COPY toolchains/java /tmp/java
-WORKDIR /tmp
-RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
-ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
+RUN cd golang && ./build.sh && rm -rf /tmp/golang
+ENV PATH="/opt/occlum/toolchains/golang/bin:$PATH"
 # Install Rust
 ENV PATH="/root/.cargo/bin:$PATH"
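Review bot: The toolchain scripts that later layers execute (`./build.sh`, `./install_zlib.sh`) now come from a network clone of `$OCCLUM_BRANCH` rather than from the local build context, so the image is built from whatever that branch points to at build time and not from the checked-out tree. A branch is a mutable ref and nothing in the added RUN records which commit was fetched; appending `git -C /root/occlum rev-parse HEAD` to that RUN would at least put the resolved commit in the build log, and a cached clone layer will keep serving an old commit until the cache is invalidated. `ARG OCCLUM_BRANCH` still has no default and the variable is unquoted, so I would write `ARG OCCLUM_BRANCH=master` and `git clone -b "$OCCLUM_BRANCH" ...` to match the default in build_image.sh. The same clone-then-build block is added in the Dockerfile.centos8.2 and Dockerfile.ubuntu18.04 hunks.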
@@ -156,18 +151,24 @@ RUN curl https://sh.rustup.rs -sSf | \
 cargo -V
 # Install Occlum Rust toolchain
-COPY toolchains/rust /tmp/rust
 WORKDIR /tmp
 RUN cd rust && ./build.sh && rm -rf /tmp/rust
 ENV PATH="/opt/occlum/toolchains/rust/bin:$PATH"
-ARG OCCLUM_BRANCH
+# Install Occlum Java toolchain (JDK 11)
+ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
+COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
+RUN rm $JDK11_PATH/lib/security/cacerts
+COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
+WORKDIR /tmp
+RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
+ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
+
+
 ENV LD_LIBRARY_PATH="/opt/intel/sgxpsw/aesm:/usr/lib64/:/usr/local/lib:/opt/intel/sgxsdk/sdk_libs:/usr/lib:$LD_LIBRARY_PATH"
-# Install the latest version of Occlum
-WORKDIR /root/occlum
-RUN rm -rf occlum && \
- git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \
- cd occlum && \
+# Build and install Occlum
+WORKDIR /root
+RUN cd occlum && \
 source /opt/intel/sgxsdk/environment && \
 make submodule && \
 OCCLUM_RELEASE_BUILD=1 make install && \
@@ -179,7 +180,6 @@ RUN rm -rf occlum && \
 # To do so, we add the script to ~/.bashrc. We cannot use systemd to run AESM
 # as a "real" service since the pid 1 is not systemd in Docker. So we start
 # up AESM service when an user login with an interative shell.
-COPY docker/start_aesm.sh /opt/occlum/
-RUN mkdir -p /var/run/aesmd && echo 'sudo /opt/occlum/start_aesm.sh' >> /root/.bashrc
+RUN mkdir -p /var/run/aesmd && echo '/opt/occlum/start_aesm.sh' >> /root/.bashrc
 WORKDIR /root
diff --git a/tools/docker/Dockerfile.centos8.2 b/tools/docker/Dockerfile.centos8.2
index dbe6d788..21da8cbd 100644
--- a/tools/docker/Dockerfile.centos8.2
+++ b/tools/docker/Dockerfile.centos8.2
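Review bot: The Java step in the `-156` hunk now runs `cd java && ./install_dragonwell.sh` with no instruction in its own section that puts `/tmp/java` there; it silently depends on the `cp -r /root/occlum/tools/toolchains/* /tmp/` in the earlier clone layer. A one-line comment above `WORKDIR /tmp`, such as `# /tmp/java was copied from the cloned repo's tools/toolchains in the "Download the Occlum source" step`, would keep that dependency visible to whoever reorders these sections next. The two consecutive blank lines added after the `ENV PATH` line could be reduced to one. The `RUN cd occlum` body continues past the end of the hunk.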
@@ -68,40 +68,6 @@ RUN curl https://sh.rustup.rs -sSf | \
 rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git && \
 cargo -V
-# Install Occlum toolchain
-COPY toolchains/musl-gcc /tmp/musl-gcc
-WORKDIR /tmp
-RUN cd musl-gcc && ./build.sh && ./install_zlib.sh && rm -rf /tmp/musl-gcc
-ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
-
-# Install glibc
-COPY toolchains/glibc /tmp/glibc
-WORKDIR /tmp
-RUN cd glibc && ./build.sh && rm -rf /tmp/glibc
-
-# Install Occlum Golang toolchain
-COPY toolchains/golang /tmp/golang
-WORKDIR /tmp
-RUN cd golang && ./build.sh && rm -rf /tmp/golang
-ENV PATH="/opt/occlum/toolchains/golang/bin:$PATH"
-
-# Install Occlum Rust toolchain
-COPY toolchains/rust /tmp/rust
-WORKDIR /tmp
-RUN cd rust && ./build.sh && rm -rf /tmp/rust
-ENV PATH="/opt/occlum/toolchains/rust/bin:$PATH"
-ENV LD_LIBRARY_PATH="/opt/intel/sgxsdk/sdk_libs"
-
-# Install Occlum Java toolchain (JDK 11)
-ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
-COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
-RUN rm $JDK11_PATH/lib/security/cacerts
-COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
-COPY toolchains/java /tmp/java
-WORKDIR /tmp
-RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
-ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
-
 # Install SGX PSW
 WORKDIR /tmp
 RUN echo "ca_directory=/etc/ssl/certs" >> /etc/wgetrc && \
@@ -145,12 +111,46 @@ RUN git clone -b sgx_2.13.3_for_occlum https://github.com/occlum/linux-sgx && \
 echo 'source /opt/intel/sgxsdk/environment' >> /root/.bashrc && \
 rm -rf /tmp/linux-sgx
-# Install the latest version of Occlum
+# Download the Occlum source
 ARG OCCLUM_BRANCH
 WORKDIR /root
 RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \
- cd occlum && \
- source /root/.bashrc && \
+ cp -r /root/occlum/tools/toolchains/* /tmp/ && mkdir -p /opt/occlum/ && \
+ cp /root/occlum/tools/docker/start_aesm.sh /opt/occlum/
+
+# Install Occlum toolchain
+WORKDIR /tmp
+RUN cd musl-gcc && ./build.sh && ./install_zlib.sh && rm -rf /tmp/musl-gcc
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+# Install glibc
+WORKDIR /tmp
+RUN cd glibc && ./build.sh && rm -rf /tmp/glibc
+
+# Install Occlum Golang toolchain
+WORKDIR /tmp
+RUN cd golang && ./build.sh && rm -rf /tmp/golang
+ENV PATH="/opt/occlum/toolchains/golang/bin:$PATH"
+
+# Install Occlum Rust toolchain
+WORKDIR /tmp
+RUN cd rust && ./build.sh && rm -rf /tmp/rust
+ENV PATH="/opt/occlum/toolchains/rust/bin:$PATH"
+ENV LD_LIBRARY_PATH="/opt/intel/sgxsdk/sdk_libs"
+
+# Install Occlum Java toolchain (JDK 11)
+ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
+COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
+RUN rm $JDK11_PATH/lib/security/cacerts
+COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
+WORKDIR /tmp
+RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
+ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
+
+# Build and install Occlum
+WORKDIR /root
+RUN cd occlum && \
+ source /opt/intel/sgxsdk/environment && \
 make submodule && \
 OCCLUM_RELEASE_BUILD=1 make && \
 make install && \
@@ -162,7 +162,6 @@ RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \
 # To do so, we add the script to ~/.bashrc. We cannot use systemd to run AESM
 # as a "real" service since the pid 1 is not systemd in Docker. So we start
 # up AESM service when an user login with an interative shell.
-COPY docker/start_aesm.sh /opt/occlum/
 RUN mkdir -p /var/run/aesmd && echo '/opt/occlum/start_aesm.sh' >> /root/.bashrc
 WORKDIR /root
diff --git a/tools/docker/Dockerfile.ubuntu18.04 b/tools/docker/Dockerfile.ubuntu18.04
index 98956790..5b993fd6 100644
--- a/tools/docker/Dockerfile.ubuntu18.04
+++ b/tools/docker/Dockerfile.ubuntu18.04
@@ -83,40 +83,6 @@ RUN curl https://sh.rustup.rs -sSf | \
 rm -rf /root/.cargo/registry && rm -rf /root/.cargo/git && \
 cargo -V
-# Install Occlum toolchain
-COPY toolchains/musl-gcc /tmp/musl-gcc
-WORKDIR /tmp
-RUN cd musl-gcc && ./build.sh && ./install_zlib.sh && rm -rf /tmp/musl-gcc
-ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
-
-# Install glibc
-COPY toolchains/glibc /tmp/glibc
-WORKDIR /tmp
-RUN cd glibc && ./build.sh && rm -rf /tmp/glibc
-
-# Install Occlum Golang toolchain
-COPY toolchains/golang /tmp/golang
-WORKDIR /tmp
-RUN cd golang && ./build.sh && rm -rf /tmp/golang
-ENV PATH="/opt/occlum/toolchains/golang/bin:$PATH"
-
-# Install Occlum Rust toolchain
-COPY toolchains/rust /tmp/rust
-WORKDIR /tmp
-RUN cd rust && ./build.sh && rm -rf /tmp/rust
-ENV PATH="/opt/occlum/toolchains/rust/bin:$PATH"
-ENV LD_LIBRARY_PATH="/opt/intel/sgxsdk/sdk_libs"
-
-# Install Occlum Java toolchain (JDK 11)
-ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
-COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
-RUN rm $JDK11_PATH/lib/security/cacerts
-COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
-COPY toolchains/java /tmp/java
-WORKDIR /tmp
-RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
-ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
-
 # Install SGX PSW
 ARG PSW_VERSION=2.13.103.1
 ARG DCAP_VERSION=1.10.103.1
@@ -162,11 +128,44 @@ RUN git clone -b sgx_2.13.3_for_occlum https://github.com/occlum/linux-sgx && \
 echo 'source /opt/intel/sgxsdk/environment' >> /root/.bashrc && \
 rm -rf /tmp/linux-sgx
-# Install the latest version of Occlum
+# Download the Occlum source
 ARG OCCLUM_BRANCH
 WORKDIR /root
 RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \
- cd occlum && \
+ cp -r /root/occlum/tools/toolchains/* /tmp/ && mkdir -p /opt/occlum/ && \
+ cp /root/occlum/tools/docker/start_aesm.sh /opt/occlum/
+
+# Install Occlum toolchain
+WORKDIR /tmp
+RUN cd musl-gcc && ./build.sh && ./install_zlib.sh && rm -rf /tmp/musl-gcc
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+# Install glibc
+WORKDIR /tmp
+RUN cd glibc && ./build.sh && rm -rf /tmp/glibc
+
+# Install Occlum Golang toolchain
+WORKDIR /tmp
+RUN cd golang && ./build.sh && rm -rf /tmp/golang
+ENV PATH="/opt/occlum/toolchains/golang/bin:$PATH"
+
+# Install Occlum Rust toolchain
+WORKDIR /tmp
+RUN cd rust && ./build.sh && rm -rf /tmp/rust
+ENV PATH="/opt/occlum/toolchains/rust/bin:$PATH"
+ENV LD_LIBRARY_PATH="/opt/intel/sgxsdk/sdk_libs"
+
+# Install Occlum Java toolchain (JDK 11)
+ARG JDK11_PATH=/opt/occlum/toolchains/jvm/java-11-openjdk
+COPY --from=alpine /usr/lib/jvm/java-11-openjdk $JDK11_PATH
+RUN rm $JDK11_PATH/lib/security/cacerts
+COPY --from=alpine /etc/ssl/certs/java/cacerts $JDK11_PATH/lib/security/cacerts
+WORKDIR /tmp
+RUN cd java && ./install_dragonwell.sh && rm -rf /tmp/java
+ENV PATH="/opt/occlum/toolchains/jvm/bin:$PATH"
+
+WORKDIR /root
+RUN cd occlum && \
 source /opt/intel/sgxsdk/environment && \
 make submodule && \
 OCCLUM_RELEASE_BUILD=1 make && \
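Review bot: The final `WORKDIR /root` / `RUN cd occlum && \` pair is added here without a heading comment, while the matching hunks in Dockerfile.aliyunlinux3 and Dockerfile.centos8.2 introduce it with `# Build and install Occlum`. The old `# Install the latest version of Occlum` comment was reworded for the clone step, so within this hunk the build step is the only added section without a heading; adding `# Build and install Occlum` above `WORKDIR /root` keeps the three Dockerfiles consistent. The RUN body continues outside the hunk.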
@@ -179,7 +178,6 @@ RUN git clone -b $OCCLUM_BRANCH https://github.com/occlum/occlum && \ # To do so, we add the script to ~/.bashrc. We cannot use systemd to run AESM # as a "real" service since the pid 1 is not systemd in Docker. So we start # up AESM service when an user login with an interative shell. -COPY docker/start_aesm.sh /opt/occlum/ RUN mkdir -p /var/run/aesmd && echo '/opt/occlum/start_aesm.sh' >> /root/.bashrc WORKDIR /root diff --git a/tools/docker/README.md b/tools/docker/README.md index f541c986..559ac24a 100644 --- a/tools/docker/README.md +++ b/tools/docker/README.md @@ -4,19 +4,21 @@ This folder contains scripts and Dockerfiles for users to build the Docker image for Occlum. An Occlum Docker image sets up the development environment for Occlum and also gets Occlum preinstalled. -Currently, three Linux OS distributions are supported: Ubuntu 18.04, CentOS 7.5 and CentOS 8.1. +Currently, three Linux OS distributions are supported: Ubuntu 18.04, CentOS 8.2 and aliyunlinux3. ## How to Build To build an Occlum Docker image, run the following command ``` -./build_image.sh +./build_image.sh ``` where `` is an arbitrary string chosen by the user to describe the version of Occlum preinstalled in the Docker image -(e.g., "latest", "0.15.0", and "prerelease") and `` is the +(e.g., "latest", "0.24.0", and "prerelease") and `` is the name of the OS distribution that the Docker image is based on. Currently, `` must be one of the following values: -`ubuntu18.04` and `centos8.2`. +`ubuntu18.04`, `centos8.2` and `aliyunlinux3`. +`` indicates which the docker image is built on, e.g "0.24.0". +It is optional, if not provided, "master" branch will be used. The resulting Docker image will have `occlum/occlum:-` as its label. diff --git a/tools/docker/build_image.sh b/tools/docker/build_image.sh index 5a3b14ef..04d3a366 100755 --- a/tools/docker/build_image.sh +++ b/tools/docker/build_image.sh 
@@ -12,7 +12,7 @@ build_image Build an Occlum Docker image for a specific OS USAGE: - build_image.sh + build_image.sh : An arbitrary string chosen by the user to describe the version of Occlum preinstalled in the Docker image, e.g., "latest", "0.12.0", "prerelease", and etc. @@ -23,6 +23,10 @@ USAGE: centos8.2 Use CentOS 8.2 as the base image aliyunlinux3 Use AliyunLinux 3 as the base image +: + The Occlum branch which the docker image is built on, e.g "0.24.0". + It is optional, if not provided, "master" branch will be used. + The resulting Docker image will have "occlum/occlum:-" as its label. EOF exit 1 @@ -34,9 +38,9 @@ if [[ ( "$#" < 2 ) ]] ; then report_error fi -occlum_branch=master occlum_label=$1 os_name=$2 +occlum_branch=${3:-master} function check_item_in_list() { item=$1
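Review bot: `occlum_branch=${3:-master}` takes the third argument as-is and a fourth or later argument is silently ignored, because the only arity check is the `[[ ( "$#" < 2 ) ]]` guard shown in the hunk header. Inside `[[ ]]` the `<` operator compares strings rather than numbers, so an arithmetic test that also caps the count, `if (( $# < 2 || $# > 3 )); then`, states the intended contract. How `occlum_branch` is handed to `docker build` lies outside the hunk; wherever it is expanded it should be quoted, since the value ends up as the `-b` argument of a `git clone` inside the Dockerfiles.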