diff --git a/tools/docker/Dockerfile.ubuntu20.04-rt b/tools/docker/Dockerfile.ubuntu20.04-rt
new file mode 100644
index 00000000..6e890bcc
--- /dev/null
+++ b/tools/docker/Dockerfile.ubuntu20.04-rt
@@ -0,0 +1,43 @@
+FROM ubuntu:20.04
+LABEL maintainer="Qi Zheng "
+
+# Install SGX DCAP and Occlum runtime
+ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
+ARG PSW_VERSION=2.17.100.3
+ARG DCAP_VERSION=1.14.100.3
+ARG OCCLUM_VERSION=0.29.7
+RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends gnupg wget ca-certificates jq && \
+ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
+ echo 'deb [arch=amd64] https://occlum.io/occlum-package-repos/debian focal main' | tee /etc/apt/sources.list.d/occlum.list && \
+ wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | apt-key add - && \
+ apt update && apt install -y --no-install-recommends \
+ libsgx-launch=$PSW_VERSION-focal1 \
+ libsgx-epid=$PSW_VERSION-focal1 \
+ libsgx-quote-ex=$PSW_VERSION-focal1 \
+ libsgx-urts=$PSW_VERSION-focal1 \
+ libsgx-enclave-common=$PSW_VERSION-focal1 \
+ libsgx-uae-service=$PSW_VERSION-focal1 \
+ libsgx-ae-pce=$PSW_VERSION-focal1 \
+ libsgx-ae-qe3=$DCAP_VERSION-focal1 \
+ libsgx-ae-id-enclave=$DCAP_VERSION-focal1 \
+ libsgx-ae-qve=$DCAP_VERSION-focal1 \
+ libsgx-dcap-ql=$DCAP_VERSION-focal1 \
+ libsgx-pce-logic=$DCAP_VERSION-focal1 \
+ libsgx-qe3-logic=$DCAP_VERSION-focal1 \
+ libsgx-dcap-default-qpl=$DCAP_VERSION-focal1 \
+ libsgx-dcap-quote-verify=$DCAP_VERSION-focal1 \
+ occlum-runtime=$OCCLUM_VERSION-1 \
+ && \
+ apt clean && \
+ rm -rf /var/lib/apt/lists/*
+
+COPY docker-entrypoint.sh /usr/local/bin/
+
+ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
+# This PCCS value could be updated by env passed from user by below entryp
+ENV PCCS_URL="https://localhost:8081/sgx/certification/v3/"
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+WORKDIR /root
+CMD ["bash"]
diff --git a/tools/docker/README.md b/tools/docker/README.md
index 84c41677..faf2f882 100644
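Review bot: Both repository keys in the `RUN` step are imported with `apt-key add` into the global trusted keyring, so either key can sign packages for any apt source configured in the image, and the `ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1` that silences the deprecation warning is baked into the runtime environment instead of being scoped to the build step. Dearmor each key into `/usr/share/keyrings/` and bind it to its own source with `signed-by=` (this assumes both downloaded key files are ASCII-armored, which `gpg --dearmor` handles), which also makes the `ENV` line unnecessary; `apt-get` is the scripting front end, `apt` warns about an unstable CLI. The comment above `ENV PCCS_URL` is cut off at `by below entryp` and should read something like `# Overridden at container start by docker-entrypoint.sh when PCCS_URL is set in the environment`. The final stage also has no `USER` directive and keeps `WORKDIR /root`; if root is required for the SGX device nodes or the AESM socket, a comment stating that would keep reviewers from flagging it.
```dockerfile
RUN apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y --no-install-recommends gnupg wget ca-certificates jq && \
    wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg && \
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' > /etc/apt/sources.list.d/intel-sgx.list && \
    wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | gpg --dearmor -o /usr/share/keyrings/occlum.gpg && \
    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/occlum.gpg] https://occlum.io/occlum-package-repos/debian focal main' > /etc/apt/sources.list.d/occlum.list && \
    apt-get update && apt-get install -y --no-install-recommends \
# … unchanged: pinned libsgx-*/occlum-runtime package list, apt clean, rm -rf …
```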
--- a/tools/docker/README.md +++ b/tools/docker/README.md @@ -4,10 +4,13 @@ This folder contains scripts and Dockerfiles for users to build the Docker image for Occlum. An Occlum Docker image sets up the development environment for Occlum and also gets Occlum preinstalled. -Currently, three Linux OS distributions are supported: Ubuntu 20.04, aliyunlinux3 and anolis8.8. ## How to Build +### Docker image for development + +Currently, three Linux OS distributions are supported: Ubuntu 20.04, aliyunlinux3 and anolis8.8. + To build an Occlum Docker image, run the following command ``` ./build_image.sh @@ -22,3 +25,37 @@ Currently, `` must be one of the following values: It is optional, if not provided, "master" branch will be used. The resulting Docker image will have `occlum/occlum:-` as its label. + +### Docker image for runtime + +Currently, only one Linux OS distributions are supported for runtime docker image: Ubuntu 20.04. + +The Occlum runtime docker image has the smallest size, plus supports running prebuilt Occlum instance. + +To build an Occlum runtime Docker image, run the following command +``` +./build_rt_image.sh + +: + The Occlum version is built on, e.g "0.29.7". + Make sure this Occlum version debian packages are available in advance. + +: + The name of the OS distribution that the Docker image is based on. Currently, must be one of the following values: + ubuntu20.04 Use Ubuntu 20.04 as the base image + +: + The SGX PSW version libraries expected to be installed in the runtime docker image. + +: + The SGX DCAP version libraries expected to be installed in the runtime docker image. +``` + +The resulting Docker image will have `occlum/occlum:-rt-` as its label. + +Just note, that the ****, **** and **** have dependencies. Details please refer to Dockerfile.ubuntu20.04. + +For example, building Occlum runtime docker image for version 0.29.7. +``` +./build_rt_image.sh 0.29.7 ubuntu20.04 2.17.100.3 1.14.100.3 +``` 
diff --git a/tools/docker/build_rt_image.sh b/tools/docker/build_rt_image.sh
new file mode 100755
index 00000000..cbaed0df
--- /dev/null
+++ b/tools/docker/build_rt_image.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+report_error() {
+ RED=$(tput setaf 1)
+ NO_COLOR=$(tput sgr0)
+
+ cat <
+
+:
+ The Occlum branch which the Occlum version is built on, e.g "0.29.7".
+ Make sure this Occlum version debian packages are available in advance.
+
+:
+ The name of the OS distribution that the Docker image is based on. Currently, must be one of the following values:
+ ubuntu20.04 Use Ubuntu 20.04 as the base image
+
+:
+ The SGX PSW version libraries expected to be installed in the runtime docker image.
+
+:
+ The SGX DCAP version libraries expected to be installed in the runtime docker image.
+
+
+Note: , and have dependencies. Details
+please refer to Dockerfile.ubuntu20.04.
+
+The resulting Docker image will have "occlum/occlum:-rt-" as its label.
+EOF
+ exit 1
+}
+
+set -e
+
+if [[ ( "$#" != 4 ) ]] ; then
+ report_error
+fi
+
+occlum_version=$1
+os_name=$2
+sgx_psw_version=$3
+sgx_dcap_version=$4
+
+function check_item_in_list() {
+ item=$1
+ list=$2
+ [[ $list =~ (^|[[:space:]])$item($|[[:space:]]) ]]
+}
+
+check_item_in_list "$os_name" "ubuntu20.04" || report_error
+
+cd "$script_dir"
+docker build -f "$script_dir/Dockerfile.$os_name-rt" \
+ -t "occlum/occlum:$occlum_version-rt-$os_name" \
+ --build-arg OCCLUM_VERSION=$occlum_version \
+ --build-arg PSW_VERSION=$sgx_psw_version \
+ --build-arg DCAP_VERSION=$sgx_dcap_version \
+ .
diff --git a/tools/docker/docker-entrypoint.sh b/tools/docker/docker-entrypoint.sh
new file mode 100755
index 00000000..7c312b63
--- /dev/null
+++ b/tools/docker/docker-entrypoint.sh
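Review bot: Only `os_name` is validated before the `docker build` call at the end of the script; the three version arguments are passed through unquoted (`--build-arg OCCLUM_VERSION=$occlum_version` and the two lines below it), so a value with whitespace word-splits into extra `docker build` arguments, and anything else flows unchecked into the Dockerfile's `apt install` version pins. Quote the `--build-arg` values and, if version strings are always dotted numerics like the `0.29.7` and `2.17.100.3` in the usage text, reject other shapes up front with the same `report_error` path. The usage text in `report_error` points readers to `Dockerfile.ubuntu20.04` for the version dependencies, while this script builds from `Dockerfile.$os_name-rt`; if the dependency notes live in the `-rt` file, the reference should name it. `check_item_in_list` assigns `item` and `list` as globals; `local item=$1` and `local list=$2` keep the helper side-effect free.
```bash
# … unchanged: report_error, argument-count check, positional assignments …
version_re='^[0-9][0-9.]*$'
for v in "$occlum_version" "$sgx_psw_version" "$sgx_dcap_version"; do
    [[ $v =~ $version_re ]] || report_error
done
# … unchanged: check_item_in_list and the os_name check …
cd "$script_dir"
docker build -f "$script_dir/Dockerfile.$os_name-rt" \
    -t "occlum/occlum:$occlum_version-rt-$os_name" \
    --build-arg "OCCLUM_VERSION=$occlum_version" \
    --build-arg "PSW_VERSION=$sgx_psw_version" \
    --build-arg "DCAP_VERSION=$sgx_dcap_version" \
    .
```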
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Update PCCS_URL
+line=$(grep -n "pccs_url" /etc/sgx_default_qcnl.conf | cut -d ":" -f 1)
+sed -i "${line}c \"pccs_url\": \"${PCCS_URL}\"," /etc/sgx_default_qcnl.conf
+
+exec "$@"
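Review bot: If `grep` finds no `pccs_url` line in `/etc/sgx_default_qcnl.conf`, `line` is empty and the `sed` on the next line runs the `c` command with no address, which replaces every line of the config with the pccs_url text; if it matches more than once (a comment that mentions the key, for instance — I cannot tell from the diff whether the shipped file has one), `line` holds several numbers joined by newlines and the sed script is malformed. The value of `PCCS_URL` is also spliced into both the sed script and the JSON unescaped, so a value containing `"` or `\` corrupts the file rather than failing. Guard the rewrite on the file existing and on exactly one non-empty match, taking only the first hit, and match the quoted key so a bare mention in a comment does not count. The script runs as whatever user the container starts with and the `sed -i` needs write access to `/etc`, which is worth a comment given the image has no `USER` directive.
```bash
conf=/etc/sgx_default_qcnl.conf
if [[ -n "${PCCS_URL:-}" && -f "$conf" ]]; then
    line=$(grep -n '"pccs_url"' "$conf" | head -n 1 | cut -d ":" -f 1)
    if [[ -n "$line" ]]; then
        sed -i "${line}c \"pccs_url\": \"${PCCS_URL}\"," "$conf"
    fi
fi

exec "$@"
```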