Add deployment demo

.github/workflows/hw_mode_test.yml

@@ -769,3 +769,53 @@ jobs:
     - name: Clean the environment
       if: ${{ always() }}
       run: docker stop $gvisor_test
+
+
+  Test_rpm_deploy:
+    if: github.event_name == 'push'
+    runs-on: [self-hosted, SGX1-HW]
+
+    steps:
+    - name: Clean before running
+      run: |
+        sudo chown -R ${{ secrets.CI_ADMIN }} "${{ github.workspace }}"
+
+    - name: Checkout code
+      if: github.event_name == 'push'
+      uses: actions/checkout@v2
+      with:
+        submodules: false
+
+    - name: Test deployment
+      run: |
+        cd demos/deployment
+        ./deploy_image_test.sh centos8.2
+
+    - name: Clean the environment
+      if: ${{ always() }}
+      run: docker stop centos8.2_deploy_test
+
+
+  Test_deb_deploy:
+    if: github.event_name == 'push'
+    runs-on: [self-hosted, SGX1-HW]
+
+    steps:
+    - name: Clean before running
+      run: |
+        sudo chown -R ${{ secrets.CI_ADMIN }} "${{ github.workspace }}"
+
+    - name: Checkout code
+      if: github.event_name == 'push'
+      uses: actions/checkout@v2
+      with:
+        submodules: false
+
+    - name: Test deployment
+      run: |
+        cd demos/deployment
+        ./deploy_image_test.sh ubuntu18.04
+
+    - name: Clean the environment
+      if: ${{ always() }}
+      run: docker stop ubuntu18.04_deploy_test

demos/deployment/Dockerfile_template.centos8.2

@@ -0,0 +1,56 @@
+# base stage:
+# Install dependencies for deployment to get minimum size for deployer.
+# For deployment environment, only occlum-runtime and sgx-psw are needed.
+FROM centos:8.2.2004 as base
+LABEL maintainer="Chunyang Hui <sanqian.hcy@antgroup.com>"
+
+ADD https://download.01.org/intel-sgx/sgx-linux/2.13.3/distro/centos8.2-server/sgx_rpm_local_repo.tgz /tmp/
+RUN cd /tmp && tar -xvzf sgx_rpm_local_repo.tgz && \
+    yum install -y jq yum-utils && \
+    yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    echo -e '[occlum]\n\
+name=occlum\n\
+enabled=1\n\
+baseurl=https://occlum.io/occlum-package-repos/rpm-repo/\n\
+gpgcheck=1\n\
+repo_gpgcheck=1\n\
+gpgkey=https://occlum.io/occlum-package-repos/rpm-repo/RPM-GPG-KEY-rpm-sign\n\
+gpgcakey=https://occlum.io/occlum-package-repos/rpm-repo/RPM-GPG-KEY-rpm-sign-ca'\
+>> /etc/yum.repos.d/occlum.repo && \
+    yum install --nogpgcheck -y occlum-runtime && \
+    yum clean all && \
+    yum-config-manager --disable tmp_sgx_rpm_local_repo && \
+    rm -rf /tmp/* /etc/yum.repos.d/tmp_sgx_rpm_local_repo.repo
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+
+# packager stage:
+# Users can build their own applications and put to occlum instance. And then use "occlum package"
+# to get a minimum subset of files to run in deployment environment.
+FROM base as packager
+RUN yum install -y fuse-libs libtool make gdb git && \
+    cd /root && \
+    git clone https://github.com/occlum/occlum.git && \
+    cp -r /root/occlum/demos /root/demos && \
+    yum install --nogpgcheck -y occlum && \
+    yum clean all && \
+    rm -rf /tmp/* && \
+    rm -rf /root/occlum && \
+    cd /root && \
+    occlum new occlum-instance && \
+    cd /root/demos/hello_c && \
+    make && cp hello_world /root/occlum-instance/image/bin && \
+    cd /root/occlum-instance && occlum build && \
+    occlum package
+
+
+# deployer stage:
+# Unpack the package from packager
+FROM base as deployer
+WORKDIR /root
+COPY --from=packager /root/occlum-instance/occlum-instance.tar.gz .
+RUN tar -xvzf occlum-instance.tar.gz && \
+    mkdir -p /var/run/aesmd && \
+    echo "LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm nohup /opt/intel/sgx-aesm-service/aesm/aesm_service --no-daemon >/dev/null 2>&1 &" > /root/.bashrc
+
+WORKDIR /root

demos/deployment/Dockerfile_template.ubuntu18.04

@@ -0,0 +1,50 @@
+# base stage:
+# Install dependencies for deployment to get minimum size for deployer.
+# For deployment environment, only occlum-runtime and sgx-psw are needed.
+FROM ubuntu:18.04 as base
+LABEL maintainer="Chunyang Hui <sanqian.hcy@antgroup.com>"
+
+ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
+RUN apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends gnupg wget ca-certificates jq && \
+    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
+    echo 'deb [arch=amd64] https://occlum.io/occlum-package-repos/debian bionic main' | tee /etc/apt/sources.list.d/occlum.list && \
+    wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | apt-key add - && \
+    apt-get update && \
+    apt-get install -y occlum libsgx-uae-service libsgx-dcap-ql&& \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+
+# packager stage:
+# Users can build their own applications and put to occlum instance. And then use "occlum package"
+# to get a minimum subset of files to run in deployment environment.
+FROM base as packager
+WORKDIR /root
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends make gdb git libfuse-dev libtool tzdata && \
+    git clone https://github.com/occlum/occlum.git && \
+    cp -r /root/occlum/demos /root/demos && \
+    apt-get install -y occlum && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -rf /root/occlum && \
+    cd /root && \
+    occlum new occlum-instance && \
+    cd /root/demos/hello_c && \
+    make && cp hello_world /root/occlum-instance/image/bin && \
+    cd /root/occlum-instance && occlum build && \
+    occlum package
+
+
+# deployer stage:
+# Unpack the package from packager
+FROM base as deployer
+WORKDIR /root
+COPY --from=packager /root/occlum-instance/occlum-instance.tar.gz .
+RUN tar -xvzf occlum-instance.tar.gz && \
+    mkdir -p /var/run/aesmd && \
+    echo "LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm nohup /opt/intel/sgx-aesm-service/aesm/aesm_service --no-daemon >/dev/null 2>&1 &" > /root/.bashrc
+
+WORKDIR /root

demos/deployment/README.md

@@ -0,0 +1,17 @@
+# Docker Image for Deployment
+
+For deployment purpose, we would like to see the image as small as possible. However, Occlum has a variaty of dependencies which is not friendly if users want to deploy the application. 
+
+With the help of [docker multistage build](https://docs.docker.com/develop/develop-images/multistage-build/) and `occlum package` command, we provide dockerfile templates to build a image with the smallest size for deployment environment.
+
+Checkout the dockerfile templates for [Ubuntu](./Dockerfile_template.ubuntu18.04) and [CentOS](./Dockerfile_template.centos8.2). There are three stages in each dockerfile:
+
+    - base stage: This stage configures the package management systems of specific OS and intall required packages for deployment, including `occlum-runtime` and sgx-psw packages. If users want to install specific version of packages, modification should be done in this stage.
+
+    - packager stage: This stage is to build and package the application for deployment. User should also finish the enclave signing in this stage.Users can build your own applications and put to occlum instance. And then use "occlum build" and "occlum package" commands to get a minimum subset of files to run in deployment environment. To support full Occlum commands, extra dependencies are installed.
+
+    - deployer stage: This stage directly inherits environment from "base stage" and unpack the package from "builder stage".
+
+Users can run a quick test with `./deploy_image_test.sh <ubuntu18.04/centos8.2>`.
+
+For different platform, users should modify the `DEVICE_OPTION` variable in the [script](./deploy_image_test.sh) accordingly.

demos/deployment/deploy_image_test.sh

@@ -0,0 +1,16 @@
+#! /bin/bash
+set -xe
+
+if [[ $1 != "ubuntu18.04" && $1 != "centos8.2" ]]; then
+    echo "Must choose between <ubuntu18.04/centos8.2>."
+    exit 1
+fi
+
+OS=$1
+DEVICE_OPTION="--device /dev/isgx"
+
+docker build -f Dockerfile_template."$OS" -t test-package:"$OS" .
+name="$OS"_deploy_test
+
+docker rm -f $name || true
+docker run --name="$name" --hostname="$name" --net="host" --privileged $DEVICE_OPTION test-package:"$OS" bash -c "source /root/.bashrc; cd /root/occlum-instance; occlum run /bin/hello_world"