From 63d2de104380d3e59ea058a7451235961eabd494 Mon Sep 17 00:00:00 2001
From: "Hui, Chunyang" 
Date: Tue, 20 Jul 2021 04:02:41 +0000
Subject: [PATCH] Add deployment demo

---
 .github/workflows/hw_mode_test.yml | 50 +++++++++++++++++
 .../deployment/Dockerfile_template.centos8.2 | 56 +++++++++++++++++++
 .../Dockerfile_template.ubuntu18.04 | 50 +++++++++++++++++
 demos/deployment/README.md | 17 ++++++
 demos/deployment/deploy_image_test.sh | 16 ++++++
 5 files changed, 189 insertions(+)
 create mode 100644 demos/deployment/Dockerfile_template.centos8.2
 create mode 100644 demos/deployment/Dockerfile_template.ubuntu18.04
 create mode 100644 demos/deployment/README.md
 create mode 100755 demos/deployment/deploy_image_test.sh

diff --git a/.github/workflows/hw_mode_test.yml b/.github/workflows/hw_mode_test.yml
index 297c0c96..4f14c842 100644
--- a/.github/workflows/hw_mode_test.yml
+++ b/.github/workflows/hw_mode_test.yml
@@ -769,3 +769,53 @@ jobs:
 - name: Clean the environment
 if: ${{ always() }}
 run: docker stop $gvisor_test
+
+
+ Test_rpm_deploy:
+ if: github.event_name == 'push'
+ runs-on: [self-hosted, SGX1-HW]
+
+ steps:
+ - name: Clean before running
+ run: |
+ sudo chown -R ${{ secrets.CI_ADMIN }} "${{ github.workspace }}"
+
+ - name: Checkout code
+ if: github.event_name == 'push'
+ uses: actions/checkout@v2
+ with:
+ submodules: false
+
+ - name: Test deployment
+ run: |
+ cd demos/deployment
+ ./deploy_image_test.sh centos8.2
+
+ - name: Clean the environment
+ if: ${{ always() }}
+ run: docker stop centos8.2_deploy_test
+
+
+ Test_deb_deploy:
+ if: github.event_name == 'push'
+ runs-on: [self-hosted, SGX1-HW]
+
+ steps:
+ - name: Clean before running
+ run: |
+ sudo chown -R ${{ secrets.CI_ADMIN }} "${{ github.workspace }}"
+
+ - name: Checkout code
+ if: github.event_name == 'push'
+ uses: actions/checkout@v2
+ with:
+ submodules: false
+
+ - name: Test deployment
+ run: |
+ cd demos/deployment
+ ./deploy_image_test.sh ubuntu18.04
+
+ - name: Clean the environment
+ if: ${{ always() }}
+ run: docker stop ubuntu18.04_deploy_test
diff --git a/demos/deployment/Dockerfile_template.centos8.2 b/demos/deployment/Dockerfile_template.centos8.2
new file mode 100644
index 00000000..a3075ff5
--- /dev/null
+++ b/demos/deployment/Dockerfile_template.centos8.2
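Review bot: `uses: actions/checkout@v2` in both new jobs (Test_rpm_deploy and Test_deb_deploy) pins a third-party action by a mutable tag, while these jobs run on a shared self-hosted SGX runner and go on to build and run a privileged container via deploy_image_test.sh, so whatever that tag resolves to at run time executes on that host; pinning to a full commit SHA, `uses: actions/checkout@<full-commit-sha> # v2`, removes the moving part. If the existing jobs above this hunk also pin by tag, treat it as a file-wide follow-up rather than a blocker for this commit. The step-level `if: github.event_name == 'push'` on the checkout step repeats the job-level condition and can be dropped in both jobs.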
@@ -0,0 +1,56 @@
+# base stage:
+# Install dependencies for deployment to get minimum size for deployer.
+# For deployment environment, only occlum-runtime and sgx-psw are needed.
+FROM centos:8.2.2004 as base
+LABEL maintainer="Chunyang Hui "
+
+ADD https://download.01.org/intel-sgx/sgx-linux/2.13.3/distro/centos8.2-server/sgx_rpm_local_repo.tgz /tmp/
+RUN cd /tmp && tar -xvzf sgx_rpm_local_repo.tgz && \
+ yum install -y jq yum-utils && \
+ yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+ echo -e '[occlum]\n\
+name=occlum\n\
+enabled=1\n\
+baseurl=https://occlum.io/occlum-package-repos/rpm-repo/\n\
+gpgcheck=1\n\
+repo_gpgcheck=1\n\
+gpgkey=https://occlum.io/occlum-package-repos/rpm-repo/RPM-GPG-KEY-rpm-sign\n\
+gpgcakey=https://occlum.io/occlum-package-repos/rpm-repo/RPM-GPG-KEY-rpm-sign-ca'\
+>> /etc/yum.repos.d/occlum.repo && \
+ yum install --nogpgcheck -y occlum-runtime && \
+ yum clean all && \
+ yum-config-manager --disable tmp_sgx_rpm_local_repo && \
+ rm -rf /tmp/* /etc/yum.repos.d/tmp_sgx_rpm_local_repo.repo
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+
+# packager stage:
+# Users can build their own applications and put to occlum instance. And then use "occlum package"
+# to get a minimum subset of files to run in deployment environment.
+FROM base as packager
+RUN yum install -y fuse-libs libtool make gdb git && \
+ cd /root && \
+ git clone https://github.com/occlum/occlum.git && \
+ cp -r /root/occlum/demos /root/demos && \
+ yum install --nogpgcheck -y occlum && \
+ yum clean all && \
+ rm -rf /tmp/* && \
+ rm -rf /root/occlum && \
+ cd /root && \
+ occlum new occlum-instance && \
+ cd /root/demos/hello_c && \
+ make && cp hello_world /root/occlum-instance/image/bin && \
+ cd /root/occlum-instance && occlum build && \
+ occlum package
+
+
+# deployer stage:
+# Unpack the package from packager
+FROM base as deployer
+WORKDIR /root
+COPY --from=packager /root/occlum-instance/occlum-instance.tar.gz .
+RUN tar -xvzf occlum-instance.tar.gz && \
+ mkdir -p /var/run/aesmd && \
+ echo "LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm nohup /opt/intel/sgx-aesm-service/aesm/aesm_service --no-daemon >/dev/null 2>&1 &" > /root/.bashrc
+
+WORKDIR /root
diff --git a/demos/deployment/Dockerfile_template.ubuntu18.04 b/demos/deployment/Dockerfile_template.ubuntu18.04
new file mode 100644
index 00000000..816bffa1
--- /dev/null
+++ b/demos/deployment/Dockerfile_template.ubuntu18.04
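Review bot: `yum install --nogpgcheck -y occlum-runtime` in the base stage (and `yum install --nogpgcheck -y occlum` in the packager stage) switches off the signature check that the `gpgcheck=1` / `repo_gpgcheck=1` lines just written to `/etc/yum.repos.d/occlum.repo` enabled, and the SGX PSW tarball arrives through a bare `ADD https://... /tmp/` with no checksum, so neither package source in this image is integrity-verified beyond the TLS connection. Dropping `--nogpgcheck` so the configured `gpgkey` is actually used, and fetching the tarball inside the RUN with a pinned digest, e.g. `curl -fsSLo /tmp/sgx_rpm_local_repo.tgz <url> && echo "<sha256-from-intel-release-page>  /tmp/sgx_rpm_local_repo.tgz" | sha256sum -c -`, makes the build fail loudly when a download does not match; if the key import then fails at build time that is worth seeing rather than suppressing. `git clone https://github.com/occlum/occlum.git` in the packager stage tracks the default branch, so two builds of this template can package different `hello_c` sources — a `--branch <release-tag>` makes the demo reproducible. The trailing `WORKDIR /root` in the deployer stage repeats the one set before `COPY --from=packager` and can go.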
@@ -0,0 +1,50 @@
+# base stage:
+# Install dependencies for deployment to get minimum size for deployer.
+# For deployment environment, only occlum-runtime and sgx-psw are needed.
+FROM ubuntu:18.04 as base
+LABEL maintainer="Chunyang Hui "
+
+ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
+RUN apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends gnupg wget ca-certificates jq && \
+ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
+ echo 'deb [arch=amd64] https://occlum.io/occlum-package-repos/debian bionic main' | tee /etc/apt/sources.list.d/occlum.list && \
+ wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | apt-key add - && \
+ apt-get update && \
+ apt-get install -y occlum libsgx-uae-service libsgx-dcap-ql&& \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+
+
+# packager stage:
+# Users can build their own applications and put to occlum instance. And then use "occlum package"
+# to get a minimum subset of files to run in deployment environment.
+FROM base as packager
+WORKDIR /root
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends make gdb git libfuse-dev libtool tzdata && \
+ git clone https://github.com/occlum/occlum.git && \
+ cp -r /root/occlum/demos /root/demos && \
+ apt-get install -y occlum && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* && \
+ rm -rf /root/occlum && \
+ cd /root && \
+ occlum new occlum-instance && \
+ cd /root/demos/hello_c && \
+ make && cp hello_world /root/occlum-instance/image/bin && \
+ cd /root/occlum-instance && occlum build && \
+ occlum package
+
+
+# deployer stage:
+# Unpack the package from packager
+FROM base as deployer
+WORKDIR /root
+COPY --from=packager /root/occlum-instance/occlum-instance.tar.gz .
+RUN tar -xvzf occlum-instance.tar.gz && \
+ mkdir -p /var/run/aesmd && \
+ echo "LD_LIBRARY_PATH=/opt/intel/sgx-aesm-service/aesm nohup /opt/intel/sgx-aesm-service/aesm/aesm_service --no-daemon >/dev/null 2>&1 &" > /root/.bashrc
+
+WORKDIR /root
diff --git a/demos/deployment/README.md b/demos/deployment/README.md
new file mode 100644
index 00000000..bfeed9ce
--- /dev/null
+++ b/demos/deployment/README.md
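Review bot: the base stage installs the full `occlum` package (`apt-get install -y occlum libsgx-uae-service libsgx-dcap-ql&& \`) although its own header comment says only `occlum-runtime` and the SGX PSW are needed there, and the CentOS template in this commit does install `occlum-runtime`; because the deployer stage inherits from base, the "smallest size" image ships the whole toolchain, and the packager's later `apt-get install -y occlum` becomes a no-op. I would change that line to `apt-get install -y --no-install-recommends occlum-runtime libsgx-uae-service libsgx-dcap-ql && \` (which also restores the missing space before `&&`) and leave the full `occlum` install to the packager stage — worth confirming the Debian repo publishes the package under that name before merging. `ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1` is build-only configuration but, as an `ENV`, persists into every container started from the deployer image; moving it inline, `wget -qO - <key-url> | APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add -`, keeps it out of the runtime environment.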
@@ -0,0 +1,17 @@
+# Docker Image for Deployment
+
+For deployment purpose, we would like to see the image as small as possible. However, Occlum has a variaty of dependencies which is not friendly if users want to deploy the application.
+
+With the help of [docker multistage build](https://docs.docker.com/develop/develop-images/multistage-build/) and `occlum package` command, we provide dockerfile templates to build a image with the smallest size for deployment environment.
+
+Checkout the dockerfile templates for [Ubuntu](./Dockerfile_template.ubuntu18.04) and [CentOS](./Dockerfile_template.centos8.2). There are three stages in each dockerfile:
+
+ - base stage: This stage configures the package management systems of specific OS and intall required packages for deployment, including `occlum-runtime` and sgx-psw packages. If users want to install specific version of packages, modification should be done in this stage.
+
+ - packager stage: This stage is to build and package the application for deployment. User should also finish the enclave signing in this stage.Users can build your own applications and put to occlum instance. And then use "occlum build" and "occlum package" commands to get a minimum subset of files to run in deployment environment. To support full Occlum commands, extra dependencies are installed.
+
+ - deployer stage: This stage directly inherits environment from "base stage" and unpack the package from "builder stage".
+
+Users can run a quick test with `./deploy_image_test.sh `.
+
+For different platform, users should modify the `DEVICE_OPTION` variable in the [script](./deploy_image_test.sh) accordingly.
diff --git a/demos/deployment/deploy_image_test.sh b/demos/deployment/deploy_image_test.sh
new file mode 100755
index 00000000..693b183f
--- /dev/null
+++ b/demos/deployment/deploy_image_test.sh
@@ -0,0 +1,16 @@
+#! /bin/bash
+set -xe
+
+if [[ $1 != "ubuntu18.04" && $1 != "centos8.2" ]]; then
+ echo "Must choose between ."
+ exit 1
+fi
+
+OS=$1
+DEVICE_OPTION="--device /dev/isgx"
+
+docker build -f Dockerfile_template."$OS" -t test-package:"$OS" .
+name="$OS"_deploy_test
+
+docker rm -f $name || true
+docker run --name="$name" --hostname="$name" --net="host" --privileged $DEVICE_OPTION test-package:"$OS" bash -c "source /root/.bashrc; cd /root/occlum-instance; occlum run /bin/hello_world"
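Review bot: `--privileged` on the final `docker run` line makes the `$DEVICE_OPTION` mapping redundant (a privileged container already sees every host device) and hands the test container every capability on the shared self-hosted SGX runner that the workflow in this commit schedules it onto; the README also tells users to adjust `DEVICE_OPTION` per platform, which has no effect while `--privileged` is present. I would drop the flag and keep the explicit device, `docker run --name="$name" --hostname="$name" --net="host" $DEVICE_OPTION test-package:"$OS" bash -c "source /root/.bashrc; cd /root/occlum-instance; occlum run /bin/hello_world"` — if the in-container `aesm_service` turns out to need more than the device node, granting that specific capability or mount is still far narrower than `--privileged`. `--net="host"` likewise looks unnecessary for running `hello_world`, though I have not verified whether AESM needs it in this setup.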