4289: Release base Docker image r=rs-- a=CyanDevs

* Uploads base Docker image to repositories.
* Allow different tags between base and full OE images.
* Changes the image versioning scheme to reflect the SGX version rather than OE release.
* Renames the base image from `openenclave-<ubuntuVer>` to `openenclave-base-ubuntu-<ubuntuVer>`.
* Adds README for users.

Signed-off-by: Chris Yan <[email protected]>

Co-authored-by: Chris Yan <[email protected]>
oeciteam and CyanDevs committed Oct 30, 2021
2 parents d450ec8 + 3e4556b commit 31618a1
Showing 3 changed files with 86 additions and 16 deletions.
@@ -15,13 +15,15 @@ pipeline {
string(name: "REPOSITORY_NAME", defaultValue: "openenclave/openenclave", description: "GitHub repository to checkout")
string(name: "BRANCH_NAME", defaultValue: "master", description: "The branch used to checkout the repository")
string(name: "DOCKER_TAG", defaultValue: "standalone-linux-build", description: "The tag for the new Docker images")
string(name: "BASE_DOCKER_TAG", defaultValue: "SGX-${params.SGX_VERSION}", description: "The tag for the new Base Docker images. Use SGX-<version> for releases. Example: SGX-2.15.100")
string(name: "INTERNAL_REPO", defaultValue: "https://oejenkinscidockerregistry.azurecr.io", description: "Url for internal Docker repository")
string(name: "OECI_LIB_VERSION", defaultValue: 'master', description: 'Version of OE Libraries to use')
booleanParam(name: "PUBLISH_DOCKER_HUB", defaultValue: false, description: "Publish container to OECITeam Docker Hub?")
booleanParam(name: "TAG_LATEST", defaultValue: false, description: "Update the latest tag to the currently built DOCKER_TAG")
}
environment {
INTERNAL_REPO_CREDS = 'oejenkinscidockerregistry'
// Docker plugin cannot seem to use credentials from Azure Key Vault
DOCKERHUB_REPO_CREDS = 'oeciteamdockerhub'
BASE_DOCKERFILE_DIR = ".jenkins/infrastructure/docker/dockerfiles/linux/base/"
LINUX_DOCKERFILE = ".jenkins/infrastructure/docker/dockerfiles/linux/Dockerfile"
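Review bot: the BASE_DOCKER_TAG default "SGX-${params.SGX_VERSION}" is interpolated while the parameters block itself is being evaluated, so it reflects whatever params holds when the Jenkinsfile is loaded (the previous run's value, and "SGX-null" before the job has run once), not the SGX_VERSION a user enters next to it in the same form. Since build.sh in this commit already defaults IMAGE_TAG to SGX-${SGX_VERSION} when -t is omitted, a plain placeholder default here and letting the script derive the tag avoids a misleading UI default. The SGX_VERSION parameter this references sits above the visible hunk; keep the two descriptions consistent.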
@@ -45,8 +47,8 @@ pipeline {
chmod +x ./build.sh
mkdir build
cd build
../build.sh -v "${params.SGX_VERSION}" -u "18.04" -t "${params.DOCKER_TAG}"
../build.sh -v "${params.SGX_VERSION}" -u "20.04" -t "${params.DOCKER_TAG}"
../build.sh -v "${params.SGX_VERSION}" -u "18.04" -t "${params.BASE_DOCKER_TAG}"
../build.sh -v "${params.SGX_VERSION}" -u "20.04" -t "${params.BASE_DOCKER_TAG}"
"""
}
}
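Review bot: the build.sh lines interpolate ${params.SGX_VERSION} and ${params.BASE_DOCKER_TAG} with Groovy straight into the sh """ ... """ script, so a parameter value containing shell metacharacters is interpreted by the shell instead of arriving as an argument. Jenkins' documented form is a single-quoted sh string that reads the parameters as environment variables, e.g. `../build.sh -v "$SGX_VERSION" -u "18.04" -t "$BASE_DOCKER_TAG"`. Also, because build.sh now defaults the tag to SGX-${SGX_VERSION}, -t only needs passing when BASE_DOCKER_TAG deliberately differs from that.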
@@ -56,8 +58,8 @@ pipeline {
stage("Test Base - 18.04") {
steps {
script {
def image = docker.image("openenclave-bionic:${params.DOCKER_TAG}")
image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
base_1804_image = docker.image("oeciteam/openenclave-base-ubuntu-18.04:${params.BASE_DOCKER_TAG}")
base_1804_image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
sh """
apt update
apt install -y build-essential open-enclave libssl-dev
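Review bot: base_1804_image is assigned without def on purpose so it becomes a script-level binding the Push stages can read later; a one-line comment saying so would stop a future cleanup from re-adding def and silently breaking the push. Two things the README added in this commit make visible: this stage mounts only /dev/sgx:/dev/sgx, which the README says applies to driver 1.36.2 and lower (1.41 and above need /dev/sgx/enclave and /dev/sgx/provision), so the test agents are implicitly pinned to the older driver; and aesm.socket is mounted without --env SGX_AESM_ADDR=1, which the README lists as required for out-of-proc attestation, so this stage does not exercise the configuration the README documents.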
@@ -70,8 +72,8 @@ pipeline {
stage("Test Base - 20.04") {
steps {
script {
def image = docker.image("openenclave-focal:${params.DOCKER_TAG}")
image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
base_2004_image = docker.image("oeciteam/openenclave-base-ubuntu-20.04:${params.BASE_DOCKER_TAG}")
base_2004_image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
sh """
apt update
apt install -y build-essential open-enclave libssl-dev
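Review bot: the same device and SGX_AESM_ADDR remarks as for the 18.04 stage apply here. Beyond that, the two Test Base stages differ only in the Ubuntu version and image name, so a small helper taking the version string would remove the duplicated inside(...) arguments and apt commands.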
@@ -83,6 +85,41 @@ pipeline {
}
}
}
stage('Push to internal repository') {
steps {
script {
docker.withRegistry(params.INTERNAL_REPO, env.INTERNAL_REPO_CREDS) {
base_1804_image.push()
base_2004_image.push()
if ( params.TAG_LATEST ) {
base_1804_image.push('latest')
base_2004_image.push('latest')
}
}
sh "docker logout"
}
}
}
stage("Push to Docker Hub") {
when {
expression {
return params.PUBLISH_DOCKER_HUB
}
}
steps {
script {
docker.withRegistry('', DOCKERHUB_REPO_CREDS) {
base_1804_image.push()
base_2004_image.push()
if ( params.TAG_LATEST ) {
base_1804_image.push('latest')
base_2004_image.push('latest')
}
}
sh "docker logout"
}
}
}
}
}
stage("Full CI/CD Image") {
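Review bot: `docker logout` with no registry argument logs out of Docker Hub, so the call after the internal-repository push does not touch params.INTERNAL_REPO at all; withRegistry already manages the login for the duration of its block, so both logout lines are redundant, and if one is kept for the internal push it should name the registry (`docker logout ${params.INTERNAL_REPO}`). TAG_LATEST moves latest to whichever SGX-<version> this run built, while the README in this commit says latest means the newest Intel SGX version; a guard, or at least a sentence in the parameter description, that latest is only set on the newest version would keep that promise. Minor: the two push blocks are identical and could be one helper, and the credentials are referenced as env.INTERNAL_REPO_CREDS in one stage but bare DOCKERHUB_REPO_CREDS in the other.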
@@ -136,13 +173,4 @@ pipeline {
}
}
}
post {
always {
emailext(
subject: "Jenkins: ${env.JOB_NAME} [#${env.BUILD_NUMBER}] status is ${currentBuild.currentResult}",
body: "See build log for details: ${env.BUILD_URL}",
recipientProviders: [[$class: 'DevelopersRecipientProvider'], [$class: 'RequesterRecipientProvider']]
)
}
}
}
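Review bot: this hunk drops the post { always { emailext ... } } block (13 old lines become 4), so failures no longer notify the developers and requester recipient providers; the commit message does not mention this, so please confirm it is intended or restore it. If the aim was only to avoid mail for the new base stages, the pipeline-level post block is still the right place for failure notification.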
32 changes: 32 additions & 0 deletions .jenkins/infrastructure/docker/dockerfiles/linux/base/README.md
@@ -0,0 +1,32 @@
# Open Enclave Base Docker Image

This Docker image provides a minimal Ubuntu environment that can run Open Enclave applications.

Please note the purpose of this image is not to build Open Enclave applications.

## Mounting the Intel SGX devices
This image will require access to the Intel SGX devices. It will depend on the Intel SGX driver version you are running on your host system.

For Intel SGX driver 1.36.2 and lower, the following parameter is needed:
```--device /dev/sgx:/dev/sgx```

For Intel SGX driver 1.41 and above, the following parameters are needed:
```--device /dev/sgx/provision:/dev/sgx/provision```
```--device /dev/sgx/enclave:/dev/sgx/enclave```

## Out-of-proc attestation support
This image supports out-of-proc attestation using Intel SGX. To allow this, the Intel SGX AESM Service will need to be made available by running the container with the following parameters:
```--volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket```
```--env SGX_AESM_ADDR=1```

## Versions

All base images available are:
[oeciteam/openenclave-base-ubuntu-18.04](https://hub.docker.com/r/oeciteam/openenclave-base-ubuntu-18.04) for Ubuntu 18.04
[oeciteam/openenclave-base-ubuntu-20.04](https://hub.docker.com/r/oeciteam/openenclave-base-ubuntu-20.04) for Ubuntu 20.04

The base Docker images can be pulled from Dockerhub like so:
```docker pull oeciteam/openenclave-base-ubuntu-18.04```

Tags are versioned by the Intel SGX version that are used to build it. For example: `SGX-2.15.100`.
Alternatively, you can use the `latest` tag to pull in the container with the latest Intel SGX version.
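Review bot: the driver ranges leave a gap, "1.36.2 and lower" versus "1.41 and above", with nothing said about versions in between; state which device layout applies there. For 1.41+, please say whether /dev/sgx/provision is needed at all for the out-of-proc path documented in the next section, where the container talks to the host AESM over the socket; the provisioning device is the more sensitive of the two, and readers will otherwise mount it into every container. A complete `docker run` line combining the --device, --volume and --env flags would serve readers better than the bare flags in triple-backtick spans, and the Versions section should note that a tag is only usable when the host driver matches, since tags track the Intel SGX version. Grammar nit: "that are used to build it" should read "that is used to build it".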
12 changes: 11 additions & 1 deletion .jenkins/infrastructure/docker/dockerfiles/linux/base/build.sh
@@ -66,6 +66,11 @@ if [[ ! -z "${1}" ]]; then
exit 1
fi

# Check SGX version
if [[ -z ${SGX_VERSION+x} ]]; then
usage
fi

# Set Ubuntu Codename
case "${UBUNTU_VERSION}" in
18.04) UBUNTU_CODENAME="bionic"
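Review bot: `[[ -z ${SGX_VERSION+x} ]]` only catches an unset variable; `-v ""` (set but empty) passes the check and later yields an empty version in the preference lookup and in the default tag. `[[ -z "${SGX_VERSION:-}" ]]` covers both cases, and quoting the expansion matches the IMAGE_TAG check added below. Also confirm that usage exits non-zero; if it only prints, execution continues past this check.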
@@ -74,6 +79,11 @@ case "${UBUNTU_VERSION}" in
;;
esac

# Default image tag
if [[ -z "${IMAGE_TAG+x}" ]]; then
IMAGE_TAG="SGX-${SGX_VERSION}"
fi

# Download Intel SGX package preferences to pin to a specific Intel SGX version
echo "Checking for Intel SGX version ${SGX_VERSION} for Ubuntu ${UBUNTU_CODENAME}..."
if [[ -d "${BUILD_DIR}/apt_preference_files" ]]; then
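Review bot: this default duplicates the BASE_DOCKER_TAG default in the Jenkinsfile; with the scheme defined here, the pipeline could stop passing -t for release builds so the SGX-<version> convention lives in one place. Quoting here ("${IMAGE_TAG+x}") also differs from the unquoted SGX_VERSION check above; pick one style for both.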
@@ -109,5 +119,5 @@ DOCKER_BUILDKIT=1 docker build \
--build-arg UBUNTU_CODENAME="${UBUNTU_CODENAME}" \
--no-cache \
--file "${SOURCE_DIR}/Dockerfile" \
--tag "openenclave-${UBUNTU_CODENAME}:${IMAGE_TAG}" \
--tag "oeciteam/openenclave-base-ubuntu-${UBUNTU_VERSION}:${IMAGE_TAG}" \
"${BUILD_DIR}"
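Review bot: the oeciteam/ namespace is now hard-coded into the name the script builds, which suits the official pipeline but means the internal-registry push in the Jenkinsfile and anyone building from a fork get an image named for Docker Hub and must retag. A variable defaulting to oeciteam (say IMAGE_REPO) would keep the name in one place; the test stages' docker.image("oeciteam/openenclave-base-ubuntu-<ver>:...") lookups depend on this exact string, so a comment pointing at that coupling is worth adding either way.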
