Merge pull request #57 from brave/reproducible-example
Make enclave application build reproducibly.
Showing
6 changed files
with
95 additions
and
44 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,22 @@ | ||
FROM alpine:latest | ||
# A Go base image is enough to build nitriding reproducibly. | ||
# We use a specific instead of the latest image to ensure reproducibility. | ||
FROM golang:1.20 as builder | ||
|
||
RUN mkdir -p /lib64 && ln -sf /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 | ||
RUN apk add --no-cache py3-requests | ||
WORKDIR / | ||
|
||
COPY nitriding / | ||
COPY service.py / | ||
COPY start.sh / | ||
# Clone the repository and build the stand-alone nitriding executable. | ||
RUN git clone https://github.com/brave/nitriding.git | ||
RUN make -C nitriding/cmd/ nitriding | ||
|
||
CMD ["/start.sh"] | ||
# Use the intermediate builder image to add our files. This is necessary to | ||
# avoid intermediate layers that contain inconsistent file permissions. | ||
COPY service.py start.sh /bin/ | ||
RUN chown root:root /bin/service.py /bin/start.sh | ||
RUN chmod 0755 /bin/service.py /bin/start.sh | ||
|
||
FROM python:3.11-slim-bullseye | ||
|
||
# Copy all our files to the final image. | ||
COPY --from=builder /nitriding/cmd/nitriding /bin/start.sh /bin/service.py /bin/ | ||
|
||
CMD ["start.sh"] |
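Review bot: The `RUN git clone https://github.com/brave/nitriding.git` step clones whatever the default branch points at when the build runs, so two builds on different days can produce different nitriding binaries and therefore different enclave measurements, which defeats the reproducibility this commit is after; pin the source, e.g. `RUN git clone https://github.com/brave/nitriding.git && git -C nitriding checkout <NITRIDING_COMMIT_OR_TAG>`. For the same reason the `golang:1.20` and `python:3.11-slim-bullseye` tags are floating (they move with patch releases), so the comment "to ensure reproducibility" only holds if both are pinned by digest, e.g. `FROM golang:1.20@sha256:<IMAGE_DIGEST> as builder`. The removed Alpine stage installed `py3-requests` while the new slim Python image installs nothing; if `service.py` still imports `requests` this will fail at runtime, which I cannot confirm from here since `service.py` is not in the diff. Minor: the comment on the builder line reads "a specific instead of the latest image" and is missing a noun, "a specific tag instead of the latest image".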
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,29 +1,38 @@ | ||
.PHONY: all docker enclave kill run clean | ||
|
||
docker_image = python-test | ||
enclave_image = $(docker_image).eif | ||
godeps = ../cmd/*.go ../*.go ../go.mod ../go.sum | ||
binary = nitriding | ||
|
||
all: $(binary) docker enclave kill run | ||
|
||
$(binary): $(godeps) | ||
make -C ../cmd/ | ||
cp ../cmd/nitriding . | ||
|
||
docker: Dockerfile | ||
docker build -t $(docker_image):latest . | ||
|
||
enclave: | ||
nitro-cli build-enclave --docker-uri $(docker_image):latest --output-file $(enclave_image) | ||
|
||
kill: | ||
$(eval ENCLAVE_ID=$(shell nitro-cli describe-enclaves | jq -r '.[0].EnclaveID')) | ||
@if [ "$(ENCLAVE_ID)" != "null" ]; then nitro-cli terminate-enclave --enclave-id $(ENCLAVE_ID); fi | ||
|
||
run: | ||
nitro-cli run-enclave --cpu-count 2 --memory 512 --enclave-cid 4 --eif-path $(enclave_image) --debug-mode | ||
nitro-cli console --enclave-id $$(nitro-cli describe-enclaves | jq -r '.[0].EnclaveID') | ||
|
||
prog := python-enclave | ||
version := $(shell git describe --tag --dirty) | ||
image_tag := $(prog):$(version) | ||
image_tar := $(prog)-$(version)-kaniko.tar | ||
image_eif := $(image_tar:%.tar=%.eif) | ||
|
||
.PHONY: all | ||
all: run | ||
|
||
.PHONY: image | ||
image: $(image_tar) | ||
|
||
$(image_tar): Dockerfile service.py start.sh | ||
docker run \ | ||
-v $(PWD):/workspace \ | ||
gcr.io/kaniko-project/executor:v1.9.2 \ | ||
--reproducible \ | ||
--no-push \ | ||
--tarPath $(image_tar) \ | ||
--destination $(image_tag) \ | ||
--custom-platform linux/amd64 | ||
|
||
$(image_eif): $(image_tar) | ||
docker load -i $< | ||
nitro-cli build-enclave \ | ||
--docker-uri $(image_tag) \ | ||
--output-file $(image_eif) | ||
|
||
.PHONY: run | ||
run: $(image_eif) | ||
# Terminate already-running enclave. | ||
nitro-cli terminate-enclave --all | ||
# Start our proxy and the enclave. | ||
./run-enclave.sh $(image_eif) | ||
|
||
.PHONY: clean | ||
clean: | ||
rm -f $(binary) | ||
rm -f $(image_tar) $(image_eif) |
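Review bot: The kaniko bind mount `-v $(PWD):/workspace` uses the shell's inherited `PWD` environment variable rather than a value make computes, so under `make -C` or when invoked from a wrapper it can point at the caller's directory and kaniko then sees the wrong build context; use the directory make actually runs in, `-v $(CURDIR):/workspace \`. The same `docker run` has no `--rm`, so every image build leaves a stopped kaniko container behind. The relative `--tarPath $(image_tar)` appears to rely on the executor's working directory being `/workspace` so that the tar lands in the mounted checkout; a comment stating that assumption would help the next reader. If `rm -f $(binary)` in `clean` survives on the new side, note that `binary` is no longer defined there, so it now expands to an empty `rm -f` and should be dropped.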
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
#!/bin/bash | ||
|
||
if [ $# -ne 1 ] | ||
then | ||
echo >&2 "Usage: $0 IMAGE_EIF" | ||
exit 1 | ||
fi | ||
image_eif="$1" | ||
|
||
# gvproxy is the untrusted proxy application that runs on the EC2 host. It | ||
# acts as the bridge between the Internet and the enclave. The code is | ||
# available here: | ||
# https://github.com/brave-intl/bat-go/tree/master/nitro-shim/tools/gvproxy | ||
echo "[ec2] Starting gvproxy." | ||
sudo gvproxy -listen vsock://:1024 & | ||
pid="$!" | ||
|
||
# Run enclave in debug mode and attach console, to see what's going on | ||
# inside. Note that this disables remote attestation. | ||
echo "[ec2] Starting enclave." | ||
nitro-cli run-enclave \ | ||
--cpu-count 2 \ | ||
--memory 600 \ | ||
--enclave-cid 4 \ | ||
--eif-path "$image_eif" \ | ||
--debug-mode \ | ||
--attach-console | ||
|
||
echo "[ec2] Stopping gvproxy." | ||
sudo pkill -INT -P "$pid" |
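Review bot: The cleanup `sudo pkill -INT -P "$pid"` on the last line only runs if the script reaches it; an interrupt while attached to the enclave console (Ctrl-C during `--attach-console`) ends the script early and leaves the root-owned gvproxy bound to vsock port 1024 until someone kills it by hand. Registering the cleanup as a trap right after `pid="$!"` covers both the normal and the interrupted path: `trap 'echo "[ec2] Stopping gvproxy."; sudo pkill -INT -P "$pid"' EXIT`, after which the final two lines can go. A short comment would also help explain why `-P` is used, since `$!` is the pid of `sudo` rather than of gvproxy itself, which is why the children of that pid are signalled; whether sudo always forks here is an assumption worth confirming. The script never checks that gvproxy is still alive before starting the enclave, so a failed proxy start is only noticed once traffic does not flow.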
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,9 @@ | ||
#!/bin/sh | ||
|
||
/nitriding -fqdn example.com -extport 443 -intport 8080 & | ||
nitriding -fqdn example.com -extport 443 -intport 8080 & | ||
echo "[sh] Started nitriding." | ||
|
||
sleep 1 | ||
|
||
/service.py | ||
service.py | ||
echo "[sh] Ran Python script." |
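Review bot: `sleep 1` followed by `service.py` assumes nitriding is up after one second and never checks that the backgrounded process is still running; if `nitriding` exits early (for example it fails to bind its ports) the Python service still starts and the failure is visible only in the enclave console output. Replacing the bare sleep with a liveness check keeps the script honest: `sleep 1` then `kill -0 "$!" 2>/dev/null || { echo >&2 "[sh] nitriding exited early."; exit 1; }`. Switching from `/nitriding` and `/service.py` to bare names also makes the script depend on `/bin` being in `PATH` inside the enclave image; a one-line comment noting that the Dockerfile copies both files to `/bin/` would make the coupling explicit.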