general/occlum
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[docker] Add dockerfile for Occlum runtime docker image

Browse Source
This commit is contained in:
Zheng, Qi 2023-09-26 15:12:33 +08:00 committed by volcano
parent 4a3ea983c1
commit 7ef8594ffe
4 changed files with 153 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
tools/docker/Dockerfile.ubuntu20.04-rt Normal file
View File

@ -0,0 +1,43 @@
FROM ubuntu:20.04
LABEL maintainer="Qi Zheng <huaiqing.zq@antgroup.com>"
# Install SGX DCAP and Occlum runtime
ENV APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1
ARG PSW_VERSION=2.17.100.3
ARG DCAP_VERSION=1.14.100.3
ARG OCCLUM_VERSION=0.29.7
RUN apt update && DEBIAN_FRONTEND="noninteractive" apt install -y --no-install-recommends gnupg wget ca-certificates jq && \
echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - && \
echo 'deb [arch=amd64] https://occlum.io/occlum-package-repos/debian focal main' | tee /etc/apt/sources.list.d/occlum.list && \
wget -qO - https://occlum.io/occlum-package-repos/debian/public.key | apt-key add - && \
apt update && apt install -y --no-install-recommends \
libsgx-launch=$PSW_VERSION-focal1 \
libsgx-epid=$PSW_VERSION-focal1 \
libsgx-quote-ex=$PSW_VERSION-focal1 \
libsgx-urts=$PSW_VERSION-focal1 \
libsgx-enclave-common=$PSW_VERSION-focal1 \
libsgx-uae-service=$PSW_VERSION-focal1 \
libsgx-ae-pce=$PSW_VERSION-focal1 \
libsgx-ae-qe3=$DCAP_VERSION-focal1 \
libsgx-ae-id-enclave=$DCAP_VERSION-focal1 \
libsgx-ae-qve=$DCAP_VERSION-focal1 \
libsgx-dcap-ql=$DCAP_VERSION-focal1 \
libsgx-pce-logic=$DCAP_VERSION-focal1 \
libsgx-qe3-logic=$DCAP_VERSION-focal1 \
libsgx-dcap-default-qpl=$DCAP_VERSION-focal1 \
libsgx-dcap-quote-verify=$DCAP_VERSION-focal1 \
occlum-runtime=$OCCLUM_VERSION-1 \
&& \
apt clean && \
rm -rf /var/lib/apt/lists/*
COPY docker-entrypoint.sh /usr/local/bin/
ENV PATH="/opt/occlum/build/bin:/usr/local/occlum/bin:$PATH"
# This PCCS value could be updated by env passed from user by below entryp
ENV PCCS_URL="https://localhost:8081/sgx/certification/v3/"
ENTRYPOINT ["docker-entrypoint.sh"]
WORKDIR /root
CMD ["bash"]

39
tools/docker/README.md
View File

@ -4,10 +4,13 @@ This folder contains scripts and Dockerfiles for users to build the Docker image
for Occlum. An Occlum Docker image sets up the development environment for for Occlum. An Occlum Docker image sets up the development environment for
Occlum and also gets Occlum preinstalled. Occlum and also gets Occlum preinstalled.
Currently, three Linux OS distributions are supported: Ubuntu 20.04, aliyunlinux3 and anolis8.8.
## How to Build ## How to Build
### Docker image for development
Currently, three Linux OS distributions are supported: Ubuntu 20.04, aliyunlinux3 and anolis8.8.
To build an Occlum Docker image, run the following command To build an Occlum Docker image, run the following command
``` ```
./build_image.sh <OCCLUM_LABEL> <OS_NAME> <OCCLUM_BRANCH> ./build_image.sh <OCCLUM_LABEL> <OS_NAME> <OCCLUM_BRANCH>
@ -22,3 +25,37 @@ Currently, `<OS_NAME>` must be one of the following values:
It is optional, if not provided, "master" branch will be used. It is optional, if not provided, "master" branch will be used.
The resulting Docker image will have `occlum/occlum:<OCCLUM_LABEL>-<OS_NAME>` as its label. The resulting Docker image will have `occlum/occlum:<OCCLUM_LABEL>-<OS_NAME>` as its label.
### Docker image for runtime
Currently, only one Linux OS distributions are supported for runtime docker image: Ubuntu 20.04.
The Occlum runtime docker image has the smallest size, plus supports running prebuilt Occlum instance.
To build an Occlum runtime Docker image, run the following command
```
./build_rt_image.sh <OCCLUM_VERSION> <OS_NAME> <SGX_PSW_VERSION> <SGX_DCAP_VERSION>
<OCCLUM_VERSION>:
The Occlum version is built on, e.g "0.29.7".
Make sure this Occlum version debian packages are available in advance.
<OS_NAME>:
The name of the OS distribution that the Docker image is based on. Currently, <OS_NAME> must be one of the following values:
ubuntu20.04 Use Ubuntu 20.04 as the base image
<SGX_PSW_VERSION>:
The SGX PSW version libraries expected to be installed in the runtime docker image.
<SGX_DCAP_VERSION>:
The SGX DCAP version libraries expected to be installed in the runtime docker image.
```
The resulting Docker image will have `occlum/occlum:<OCCLUM_VERSION>-rt-<OS_NAME>` as its label.
Just note, that the **<OCCLUM_VERSION>**, **<SGX_PSW_VERSION>** and **<SGX_DCAP_VERSION>** have dependencies. Details please refer to Dockerfile.ubuntu20.04.
For example, building Occlum runtime docker image for version 0.29.7.
```
./build_rt_image.sh 0.29.7 ubuntu20.04 2.17.100.3 1.14.100.3
```

65
tools/docker/build_rt_image.sh Executable file
View File

@ -0,0 +1,65 @@
#!/bin/bash
script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
report_error() {
RED=$(tput setaf 1)
NO_COLOR=$(tput sgr0)
cat <<EOF
${RED}error:${NO_COLOR} input is invalid
build_image
Build an Occlum Docker runtime image for a specific OS
USAGE:
build_rt_image.sh <OCCLUM_VERSION> <OS_NAME> <SGX_PSW_VERSION> <SGX_DCAP_VERSION>
<OCCLUM_VERSION>:
The Occlum branch which the Occlum version is built on, e.g "0.29.7".
Make sure this Occlum version debian packages are available in advance.
<OS_NAME>:
The name of the OS distribution that the Docker image is based on. Currently, <OS_NAME> must be one of the following values:
ubuntu20.04 Use Ubuntu 20.04 as the base image
<SGX_PSW_VERSION>:
The SGX PSW version libraries expected to be installed in the runtime docker image.
<SGX_DCAP_VERSION>:
The SGX DCAP version libraries expected to be installed in the runtime docker image.
Note: <OCCLUM_VERSION>, <SGX_PSW_VERSION> and <SGX_DCAP_VERSION> have dependencies. Details
please refer to Dockerfile.ubuntu20.04.
The resulting Docker image will have "occlum/occlum:<OCCLUM_VERSION>-rt-<OS_NAME>" as its label.
EOF
exit 1
}
set -e
if [[ ( "$#" != 4 ) ]] ; then
report_error
fi
occlum_version=$1
os_name=$2
sgx_psw_version=$3
sgx_dcap_version=$4
function check_item_in_list() {
item=$1
list=$2
[[ $list =~ (^|[[:space:]])$item($|[[:space:]]) ]]
}
check_item_in_list "$os_name" "ubuntu20.04" || report_error
cd "$script_dir"
docker build -f "$script_dir/Dockerfile.$os_name-rt" \
-t "occlum/occlum:$occlum_version-rt-$os_name" \
--build-arg OCCLUM_VERSION=$occlum_version \
--build-arg PSW_VERSION=$sgx_psw_version \
--build-arg DCAP_VERSION=$sgx_dcap_version \
.

7
tools/docker/docker-entrypoint.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
# Update PCCS_URL
line=$(grep -n "pccs_url" /etc/sgx_default_qcnl.conf | cut -d ":" -f 1)
sed -i "${line}c \"pccs_url\": \"${PCCS_URL}\"," /etc/sgx_default_qcnl.conf
exec "$@"