CON-1203: Gradle plugin using conclave-build container for GraalVM on Linux

[anien]

Originally, enclaves were built in the docker container only on macOS and Windows. Now, all GraalVM enclaves are built in the conclave-build container regardless the OS. Gramine enclaves are still built outside this container, therefore python, Gramine, etc still do need to be installed on the machines.

Docker is now installed in the integration-tests docker container. Conclave-build container is now run with the same user as the integration-tests container - this is to prevent permission issues when deleting files.

[shamsasari]

Caused by: net.rubygrapefruit.platform.NativeException: Could not start 'docker'
14:59:01     at net.rubygrapefruit.platform.internal.DefaultProcessLauncher.start(DefaultProcessLauncher.java:27)
14:59:01     at net.rubygrapefruit.platform.internal.WrapperProcessLauncher.start(WrapperProcessLauncher.java:36)
14:59:01     at org.gradle.process.internal.ExecHandleRunner.startProcess(ExecHandleRunner.java:98)
14:59:01     at org.gradle.process.internal.ExecHandleRunner.run(ExecHandleRunner.java:71)
14:59:01     ... 7 more
14:59:01   Caused by: java.io.IOException: Cannot run program "docker" (in directory "/data/buildAgent/work/a4c864046b3e21f/integration-tests/general/threadsafe-enclave"): error=2, No such file or directory
14:59:01     at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1143)
14:59:01     at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)
14:59:01     at net.rubygrapefruit.platform.internal.DefaultProcessLauncher.start(DefaultProcessLauncher.java:25)
14:59:01     ... 10 more
14:59:01   Caused by: java.io.IOException: error=2, No such file or directory
14:59:01     at java.base/java.lang.ProcessImpl.forkAndExec(Native Method)
14:59:01     at java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java:314)
14:59:01     at java.base/java.lang.ProcessImpl.start(ProcessImpl.java:244)
14:59:01     at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1110)

It can't find docker, which doesn't make sense, until you realise this is inside the integration-tests container! So perhaps we have install docker inside that container??

[anien]

Docker is available inside integrations-tests container. We already expose docker socket to the container by having
-v /var/run/docker.sock:/var/run/docker.sock parameter.
According this: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/, that option allows you to create a 'sibling' containers, instead of a child containers, which is better approach. The Could not start 'docker' error is just hiding the real problem. If you add --privileged to docker command (which the article above recommend as well), the error changes to Permission denied. We do funky things with users in our docker containers, which I don't understand yet. I think we now only need to add some users we have in the docker container to the docker group inside the integration-tests container, so it can start the docker process.

[shamsasari]

Only the python bits are left from this TODO, so update accordingly. No need for the CON-1181 reference.

[anien]

You still need python, pip and jep libraries installed on a local machine for Python enclaves. Updated accordingly.

[shamsasari]

Yay, the integration tests now pass! Now to add that flag and update the error message to point to the GItHub issues page (and merge conflict!)

[shamsasari]

Some more comments, hopefully the last.

[shamsasari]

I don't think we need to mention submitting a GH issue here. It could be they find out what the issue is by enabling --info and fix the issue themselves. Mentioning it in the exception message is sufficient.

[shamsasari]

Hang on, we've got this wrong! The mention of the --info flag needs to be in the exception below.

[anien]

Okay, that now makes sense :) I'll fix that.

[anien]

Hopefully this now make sense.

[shamsasari]

Can you update PR description.

[shamsasari]

Looking good!

@JohnJoser3 remind me that we need to sit down regarding documentation for this and all the Gramine stuff.