diff --git a/.jenkins/infrastructure/docker/build_linux_docker_images.Jenkinsfile b/.jenkins/infrastructure/docker/build_linux_docker_images.Jenkinsfile
index e38815d36a..fa545b970d 100644
--- a/.jenkins/infrastructure/docker/build_linux_docker_images.Jenkinsfile
+++ b/.jenkins/infrastructure/docker/build_linux_docker_images.Jenkinsfile
@@ -15,6 +15,7 @@ pipeline {
 string(name: "REPOSITORY_NAME", defaultValue: "openenclave/openenclave", description: "GitHub repository to checkout")
 string(name: "BRANCH_NAME", defaultValue: "master", description: "The branch used to checkout the repository")
 string(name: "DOCKER_TAG", defaultValue: "standalone-linux-build", description: "The tag for the new Docker images")
+ string(name: "BASE_DOCKER_TAG", defaultValue: "SGX-${params.SGX_VERSION}", description: "The tag for the new Base Docker images. Use SGX- for releases. Example: SGX-2.15.100")
 string(name: "INTERNAL_REPO", defaultValue: "https://oejenkinscidockerregistry.azurecr.io", description: "Url for internal Docker repository")
 string(name: "OECI_LIB_VERSION", defaultValue: 'master', description: 'Version of OE Libraries to use')
 booleanParam(name: "PUBLISH_DOCKER_HUB", defaultValue: false, description: "Publish container to OECITeam Docker Hub?")
@@ -22,6 +23,7 @@ pipeline {
 }
 environment {
 INTERNAL_REPO_CREDS = 'oejenkinscidockerregistry'
+ // Docker plugin cannot seem to use credentials from Azure Key Vault
 DOCKERHUB_REPO_CREDS = 'oeciteamdockerhub'
 BASE_DOCKERFILE_DIR = ".jenkins/infrastructure/docker/dockerfiles/linux/base/"
 LINUX_DOCKERFILE = ".jenkins/infrastructure/docker/dockerfiles/linux/Dockerfile"
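Review bot: The default `"SGX-${params.SGX_VERSION}"` for BASE_DOCKER_TAG is interpolated when the parameters block is evaluated, and as far as I know a declarative pipeline resolves `params.SGX_VERSION` there against the previous build's parameters (null on a first run, yielding `SGX-null`), not against the value chosen for the current build. The SGX_VERSION parameter itself is declared outside this hunk, so I cannot confirm its position relative to this line. A safer shape is an empty default, `string(name: "BASE_DOCKER_TAG", defaultValue: "", description: "...")`, with the derivation done where the value is used in the build stage, e.g. `-t "${params.BASE_DOCKER_TAG ?: 'SGX-' + params.SGX_VERSION}"`, so the tag always follows the current build's SGX_VERSION. If the description is kept, the intended default should also be spelled out in it so users see what an empty value produces.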
@@ -45,8 +47,8 @@ pipeline {
 chmod +x ./build.sh
 mkdir build
 cd build
- ../build.sh -v "${params.SGX_VERSION}" -u "18.04" -t "${params.DOCKER_TAG}"
- ../build.sh -v "${params.SGX_VERSION}" -u "20.04" -t "${params.DOCKER_TAG}"
+ ../build.sh -v "${params.SGX_VERSION}" -u "18.04" -t "${params.BASE_DOCKER_TAG}"
+ ../build.sh -v "${params.SGX_VERSION}" -u "20.04" -t "${params.BASE_DOCKER_TAG}"
 """
 }
 }
@@ -56,8 +58,8 @@ pipeline {
 stage("Test Base - 18.04") {
 steps {
 script {
- def image = docker.image("openenclave-bionic:${params.DOCKER_TAG}")
- image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
+ base_1804_image = docker.image("oeciteam/openenclave-base-ubuntu-18.04:${params.BASE_DOCKER_TAG}")
+ base_1804_image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
 sh """
 apt update
 apt install -y build-essential open-enclave libssl-dev
@@ -70,8 +72,8 @@ pipeline {
 stage("Test Base - 20.04") {
 steps {
 script {
- def image = docker.image("openenclave-focal:${params.DOCKER_TAG}")
- image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
+ base_2004_image = docker.image("oeciteam/openenclave-base-ubuntu-20.04:${params.BASE_DOCKER_TAG}")
+ base_2004_image.inside("--user root:root --cap-add=SYS_PTRACE --device /dev/sgx:/dev/sgx --volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket") {
 sh """
 apt update
 apt install -y build-essential open-enclave libssl-dev
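Review bot: `base_1804_image = docker.image(...)` (and `base_2004_image` in the following hunk) drops the `def` on purpose so the handle becomes a script-binding variable that the push stages added later in this commit can reach, but nothing says so and a future cleanup could turn it back into a local and break those stages; a comment such as `// no 'def': shared with the push stages below` on each assignment would protect it. Separately, both test containers are still started with `--device /dev/sgx:/dev/sgx` only, while the README added in this same commit states that driver 1.41 and above exposes `/dev/sgx/provision` and `/dev/sgx/enclave` instead, so the smoke test may fail to see the device on agents with a newer driver — worth confirming which driver version the agents run. The containers also run as `--user root:root --cap-add=SYS_PTRACE`; if the test body only installs packages and runs samples, the ptrace capability may be more privilege than needed, but the `sh """` block continues outside the hunk so I cannot tell.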
@@ -83,6 +85,41 @@ pipeline {
 }
 }
 }
+ stage('Push to internal repository') {
+ steps {
+ script {
+ docker.withRegistry(params.INTERNAL_REPO, env.INTERNAL_REPO_CREDS) {
+ base_1804_image.push()
+ base_2004_image.push()
+ if ( params.TAG_LATEST ) {
+ base_1804_image.push('latest')
+ base_2004_image.push('latest')
+ }
+ }
+ sh "docker logout"
+ }
+ }
+ }
+ stage("Push to Docker Hub") {
+ when {
+ expression {
+ return params.PUBLISH_DOCKER_HUB
+ }
+ }
+ steps {
+ script {
+ docker.withRegistry('', DOCKERHUB_REPO_CREDS) {
+ base_1804_image.push()
+ base_2004_image.push()
+ if ( params.TAG_LATEST ) {
+ base_1804_image.push('latest')
+ base_2004_image.push('latest')
+ }
+ }
+ sh "docker logout"
+ }
+ }
+ }
 }
 }
 stage("Full CI/CD Image") {
@@ -136,13 +173,4 @@ pipeline {
 }
 }
 }
- post {
- always {
- emailext(
- subject: "Jenkins: ${env.JOB_NAME} [#${env.BUILD_NUMBER}] status is ${currentBuild.currentResult}",
- body: "See build log for details: ${env.BUILD_URL}",
- recipientProviders: [[$class: 'DevelopersRecipientProvider'], [$class: 'RequesterRecipientProvider']]
- )
- }
- }
 }
diff --git a/.jenkins/infrastructure/docker/dockerfiles/linux/base/README.md b/.jenkins/infrastructure/docker/dockerfiles/linux/base/README.md
new file mode 100644
index 0000000000..9fd9e1958a
--- /dev/null
+++ b/.jenkins/infrastructure/docker/dockerfiles/linux/base/README.md
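Review bot: In both new push stages `params.TAG_LATEST` moves the `latest` tag whenever it is set, independent of whether BASE_DOCKER_TAG is a release tag, so a run with an ad-hoc tag and TAG_LATEST ticked would repoint `latest` on Docker Hub at a non-release image; since the parameter description says `SGX-` is for releases, the condition could be tightened to `if ( params.TAG_LATEST && params.BASE_DOCKER_TAG.startsWith('SGX-') ) {` in both stages. TAG_LATEST is not declared in the parameters hunk shown, so I assume it is defined elsewhere in the file. The credential references are also inconsistent — `env.INTERNAL_REPO_CREDS` in the first stage but bare `DOCKERHUB_REPO_CREDS` in the second; `env.DOCKERHUB_REPO_CREDS` would match and is unambiguous inside `script {}`. If `docker.withRegistry` already scopes the login to its block (I believe it does), the trailing `sh "docker logout"` is redundant but harmless.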
@@ -0,0 +1,32 @@
+# Open Enclave Base Docker Image
+
+This Docker image provides a minimal Ubuntu environment that can run Open Enclave applications.
+
+Please note the purpose of this image is not to build Open Enclave applications.
+
+## Mounting the Intel SGX devices
+This image will require access to the Intel SGX devices. It will depend on the Intel SGX driver version you are running on your host system.
+
+For Intel SGX driver 1.36.2 and lower, the following parameter is needed:
+ ```--device /dev/sgx:/dev/sgx```
+
+For Intel SGX driver 1.41 and above, the following parameters are needed:
+ ```--device /dev/sgx/provision:/dev/sgx/provision```
+ ```--device /dev/sgx/enclave:/dev/sgx/enclave```
+
+## Out-of-proc attestation support
+This image supports out-of-proc attestation using Intel SGX. To allow this, the Intel SGX AESM Service will need to be made available by running the container with the following parameters:
+ ```--volume /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket```
+ ```--env SGX_AESM_ADDR=1```
+
+## Versions
+
+All base images available are:
+[oeciteam/openenclave-base-ubuntu-18.04](https://hub.docker.com/r/oeciteam/openenclave-base-ubuntu-18.04) for Ubuntu 18.04
+[oeciteam/openenclave-base-ubuntu-20.04](https://hub.docker.com/r/oeciteam/openenclave-base-ubuntu-20.04) for Ubuntu 20.04
+
+The base Docker images can be pulled from Dockerhub like so:
+```docker pull oeciteam/openenclave-base-ubuntu-18.04```
+
+Tags are versioned by the Intel SGX version that are used to build it. For example: `SGX-2.15.100`.
+Alternatively, you can use the `latest` tag to pull in the container with the latest Intel SGX version.
diff --git a/.jenkins/infrastructure/docker/dockerfiles/linux/base/build.sh b/.jenkins/infrastructure/docker/dockerfiles/linux/base/build.sh
index c657d8a215..476173ddc9 100644
--- a/.jenkins/infrastructure/docker/dockerfiles/linux/base/build.sh
+++ b/.jenkins/infrastructure/docker/dockerfiles/linux/base/build.sh
@@ -66,6 +66,11 @@ if [[ ! -z "${1}" ]]; then
 exit 1
 fi
 
+# Check SGX version
+if [[ -z ${SGX_VERSION+x} ]]; then
+ usage
+fi
+
 # Set Ubuntu Codename
 case "${UBUNTU_VERSION}" in
 18.04) UBUNTU_CODENAME="bionic"
@@ -74,6 +79,11 @@ case "${UBUNTU_VERSION}" in
 ;;
 esac
 
+# Default image tag
+if [[ -z "${IMAGE_TAG+x}" ]]; then
+ IMAGE_TAG="SGX-${SGX_VERSION}"
+fi
+
 # Download Intel SGX package preferences to pin to a specific Intel SGX version
 echo "Checking for Intel SGX version ${SGX_VERSION} for Ubuntu ${UBUNTU_CODENAME}..."
 if [[ -d "${BUILD_DIR}/apt_preference_files" ]]; then
@@ -109,5 +119,5 @@ DOCKER_BUILDKIT=1 docker build \
 --build-arg UBUNTU_CODENAME="${UBUNTU_CODENAME}" \
 --no-cache \
 --file "${SOURCE_DIR}/Dockerfile" \
- --tag "openenclave-${UBUNTU_CODENAME}:${IMAGE_TAG}" \
+ --tag "oeciteam/openenclave-base-ubuntu-${UBUNTU_VERSION}:${IMAGE_TAG}" \
 "${BUILD_DIR}"
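Review bot: `[[ -z ${SGX_VERSION+x} ]]` in the first hunk only detects an unset variable, so `-v ""` leaves SGX_VERSION set-but-empty, passes the check, and the script goes on to look up an empty version and to build a tag of just `SGX-`; `if [[ -z "${SGX_VERSION:-}" ]]; then` rejects both cases. Whether `usage` terminates the script is not visible here — if it only prints, execution continues past the check, so an explicit `exit 1` after the call would make the guard self-contained. The second hunk applies the same set-vs-empty test to IMAGE_TAG, so a caller passing `-t ""` keeps the empty tag instead of receiving the `SGX-${SGX_VERSION}` default; `[[ -z "${IMAGE_TAG:-}" ]]` would give the intended fallback. The two hunks also differ in quoting (`${SGX_VERSION+x}` bare, `"${IMAGE_TAG+x}"` quoted); both are safe inside `[[ ]]`, but one form would read more consistently.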