Commit 38ce6fb7 authored by Robert Schambach's avatar Robert Schambach

Add protection for all images

parent 055ddbf8
......@@ -19,7 +19,7 @@ services:
- name: serve
image_name: client_image
command: ["python3", "rest_api.py"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPI"]
pwd: /
environment:
DB_HOST: $DB_HOST
......
export DB_POLICY_FSPF_KEY=d7ac8bf6b98821a2c5978e2a3d3db4b59d623e0e879b505353ccca349caa2ed9
export DB_POLICY_FSPF_TAG=2962b6fd26fabe1959b2e5a9c00dc48b
export MEMCACHED_POLICY_FSPF_KEY=b822b3420975432a1b801315eea0c26ad15a9e60d49b68bd0816d25782fe5c3a
export MEMCACHED_POLICY_FSPF_TAG=f76dfd97bc3e0b1c84af04d3028621f0
export DB_POLICY_FSPF_KEY=08c7b1dd2ec1eeb876be8ecf7f26ce9a778ba0c1d2921f1fc34d287f8a9e1c8e
export DB_POLICY_FSPF_TAG=7b3d30df3e66ac0682c8edc974314393
export MEMCACHED_POLICY_FSPF_KEY=497316b884850114d9095a40f6033e1e3347e5e3568ffa90163ac6b6006e56c9
export MEMCACHED_POLICY_FSPF_TAG=c290d5d3e656963812d58fc734a78277
export NGINX_POLICY_FSPF_KEY=ed161a9f3024e412874a6bcb1148befefa6ef1ca7d9f526ba46d94622d2edae0
export NGINX_POLICY_FSPF_TAG=05d3d0578870ce9869ff18f0d29fed27
export FASTAPI_POLICY_FSPF_KEY=c31c5c342ebd2988d3fac61a5c6b993a263b2af0a207eee2462545d62f420e5d
export FASTAPI_POLICY_FSPF_TAG=5abd6a7479c5d043a5d564eb954a12e6
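Review bot: The FSPF key/tag pairs for all four images are committed in plaintext here (`DB_POLICY_FSPF_KEY`, `MEMCACHED_POLICY_FSPF_KEY`, `NGINX_POLICY_FSPF_KEY`, `FASTAPI_POLICY_FSPF_KEY`), so anyone with read access to the repository holds the values the CAS policies use to protect each image's file system. This file is regenerated on every build (`echo "export DB_POLICY_FSPF_KEY=..." > fspf_variables.sh` in the build script), so it has no reason to be tracked: add `fspf_variables.sh` to `.gitignore` and hand it to the policy-upload step from an untracked local file or a secret store instead. The key pairs already pushed in this commit should be treated as exposed; rebuilding the images regenerates fresh ones, and the policies must then be re-uploaded with the new values.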
......@@ -2,6 +2,6 @@ export CAS_MRENCLAVE="fd7efd68adeb23b5e60bca27f6fb3aec98d7fe1f4dee8fc5cf9e797299
export MRENCLAVE_MYSQLD="1bfbc131f7abcb972c5afd27c1e9554f5d6678448c24d478f2b51f1a7a557c92"
export MRENCLAVE_MYSQL="52908b023e66059e30f1ac5e16a91c8acd43027875a2a61113daddfd670b1376"
export MRENCLAVE_MY_PRINT_DEFAULTS="37fb68a5697ea48586d04d74f69a4cd08b152bbaa6597b5a7d92d9ef3a4581e9"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="2808559c02d5611b4fbf76230f5e73ddb48064830a83ffaf22a10695fac60770"
export MRENCLAVE_SIMPLECLIENT_FASTAPI="2808559c02d5611b4fbf76230f5e73ddb48064830a83ffaf22a10695fac60770"
export MRENCLAVE_MEMCACHED="dabbadf48faf46d7b0200d168f4f4d04aa5d79704f69f0bdb5a15745c962ea29"
export MRENCLAVE_NGINX="361170281c51805d00a6d62d270d4a129083cbba897675de08d55cd64b8275e2"
......@@ -18,14 +18,14 @@ function get_mrenclave {
# into the environment).
CAS_IMAGE=${CAS_IMAGE:-"registry.scontain.com:5050/sconecuratedimages/services:cas.preprovisioned-scone5.0.0"}
MARIADB_IMAGE=${MARIADB_BASE_IMAGE:-"registry.scontain.com:5050/sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0"}
FASTAPISERVER_IMAGE=${FASTAPISERVER_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
FASTAPI_IMAGE=${FASTAPI_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
CLI_IMAGE=${CLI_IMAGE:-"registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0"}
MEMCACHED_IMAGE=${MEMCACHED_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls"}
NGINX_IMAGE=${NGINX_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server"}
echo "Pulling the latest images. Make sure you have access to all of them!"
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPISERVER_IMAGE $CLI_IMAGE $MEMCACHED_IMAGE $NGINX_IMAGE; do
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPI_IMAGE $CLI_IMAGE $MEMCACHED_IMAGE $NGINX_IMAGE; do
docker pull $img
done
......@@ -36,7 +36,7 @@ CAS_MRENCLAVE=$(get_mrenclave $CAS_IMAGE cas)
MRENCLAVE_MYSQLD=$(get_mrenclave $MARIADB_IMAGE mysqld "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_MY_PRINT_DEFAULTS=$(get_mrenclave $MARIADB_IMAGE my_print_defaults "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_MYSQL=$(get_mrenclave $MARIADB_IMAGE mysql "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_SIMPLECLIENT_FASTAPISERVER=$(get_mrenclave $FASTAPISERVER_IMAGE python3 "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_SIMPLECLIENT_FASTAPI=$(get_mrenclave $FASTAPI_IMAGE python3 "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_MEMCACHED=$(get_mrenclave $MEMCACHED_IMAGE memcached "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_NGINX=$(get_mrenclave $NGINX_IMAGE nginx "-e SCONE_HEAP=2G -e SCONE_FORK=1")
......@@ -45,7 +45,7 @@ export CAS_MRENCLAVE="$CAS_MRENCLAVE"
export MRENCLAVE_MYSQLD="$MRENCLAVE_MYSQLD"
export MRENCLAVE_MYSQL="$MRENCLAVE_MYSQL"
export MRENCLAVE_MY_PRINT_DEFAULTS="$MRENCLAVE_MY_PRINT_DEFAULTS"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"
export MRENCLAVE_SIMPLECLIENT_FASTAPI="$MRENCLAVE_SIMPLECLIENT_FASTAPI"
export MRENCLAVE_MEMCACHED="$MRENCLAVE_MEMCACHED"
export MRENCLAVE_NGINX="$MRENCLAVE_NGINX"
EOF
......
......@@ -4,13 +4,15 @@ FROM registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.
FROM $BASE_IMAGE as fspf
ARG IMAGE_TYPE
COPY --from=cli /opt/scone/bin/rust-cli /usr/local/bin/scone
COPY fspf.sh /
USER root
RUN SCONE_NO_FS_SHIELD=1 /fspf.sh
RUN IMAGE_TYPE=$IMAGE_TYPE SCONE_MODE=sim SCONE_NO_FS_SHIELD=1 /fspf.sh
FROM $BASE_IMAGE
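Review bot: `ARG IMAGE_TYPE` is introduced without a default or any comment, yet it decides which extra paths fspf.sh protects, so a reader of this Dockerfile cannot tell what values are valid or what happens when none is supplied. A comment above the ARG would save the next maintainer a trip into fspf.sh, e.g. `# IMAGE_TYPE selects extra fspf protection in fspf.sh: "fastapi" (/rest_api.py) or "nginx" (/etc/nginx); empty means standard /usr/lib protection only.` The added `SCONE_MODE=sim` on the RUN line also deserves a one-line why-comment; presumably fspf creation at build time runs without SGX hardware, but that intent is not recorded anywhere on the page.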
......
#!/bin/sh
set -x
# standard protection
scone fspf create fspf.pb
scone fspf addr fspf.pb / --not-protected --kernel /
scone fspf addr fspf.pb /usr/lib --authenticated --kernel /usr/lib
scone fspf addf fspf.pb /usr/lib /usr/lib
if [ "$IMAGE_TYPE" == "fastapi" ]
then
echo "Fastapi image: protect python program"
scone fspf addr fspf.pb /rest_api.py --authenticated --kernel /rest_api.py
scone fspf addf fspf.pb /rest_api.py /rest_api.py
elif [ "$IMAGE_TYPE" == "nginx" ]
then
echo "Nginx image: protect nginx configuration"
scone fspf addr fspf.pb /etc/nginx --authenticated --kernel /etc/nginx
scone fspf addf fspf.pb /etc/nginx /etc/nginx
fi
scone fspf encrypt fspf.pb
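Review bot: The new `if`/`elif` on `$IMAGE_TYPE` has no default branch, so an empty, misspelled or unexpected value silently falls through to the standard /usr/lib protection and the build still succeeds with a weaker file-system policy than intended; the same silent degradation happens if one of the `scone fspf addr`/`addf` calls fails, because the script has no `set -e`. Note too that `[ ... == ... ]` is not POSIX `test` syntax under `#!/bin/sh` (BusyBox ash accepts it, dash does not), so `=` is the portable spelling. I would add `set -e` next to `set -x` and replace the conditional with a `case` that accepts the two known types and an explicitly empty value, and rejects anything else:
```sh
case "$IMAGE_TYPE" in
  fastapi)
    echo "Fastapi image: protect python program"
    scone fspf addr fspf.pb /rest_api.py --authenticated --kernel /rest_api.py
    scone fspf addf fspf.pb /rest_api.py /rest_api.py
    ;;
  nginx)
    echo "Nginx image: protect nginx configuration"
    scone fspf addr fspf.pb /etc/nginx --authenticated --kernel /etc/nginx
    scone fspf addf fspf.pb /etc/nginx /etc/nginx
    ;;
  "")
    echo "No IMAGE_TYPE given: standard protection only"
    ;;
  *)
    echo "Unknown IMAGE_TYPE '$IMAGE_TYPE'" >&2
    exit 1
    ;;
esac
# … unchanged: scone fspf encrypt fspf.pb …
```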
......@@ -22,12 +22,23 @@ export MARIADB_TARGET_IMAGE=${MARIADB_TARGET_IMAGE:-enterjazz/scone-test-images:
export MEMCACHED_BASE_IMAGE=${MEMCACHED_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls"}
export MEMCACHED_TARGET_IMAGE=${MEMCACHED_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls-protected"}
export NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server"}
export NGINX_TARGET_IMAGE=${NGINX_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server-protected"}
export FASTAPI_BASE_IMAGE=${FASTAPI_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
export FASTAPI_TARGET_IMAGE=${FASTAPI_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server-protected"}
./pull_latest_images.sh
# Build.
mariadb_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MARIADB_BASE_IMAGE} -t ${MARIADB_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
memcached_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MEMCACHED_BASE_IMAGE} -t ${MEMCACHED_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
nginx_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} -t ${NGINX_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
fastapi_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${FASTAPI_BASE_IMAGE} -t ${FASTAPI_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
MARIADB_SCONE_FSPF_KEY=$(echo $mariadb_key_tag | awk '{print $11}')
MARIADB_SCONE_FSPF_TAG=$(echo $mariadb_key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$MARIADB_SCONE_FSPF_KEY" > fspf_variables.sh
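Review bot: The new nginx and fastapi builds (`nginx_key_tag=` and `fastapi_key_tag=`) pass only `--build-arg BASE_IMAGE=...`, while the Dockerfile in this commit forwards `IMAGE_TYPE=$IMAGE_TYPE` into fspf.sh and fspf.sh only protects /etc/nginx or /rest_api.py when that variable equals `nginx` or `fastapi`; as far as this page shows nothing else sets it, so both new images end up with the standard /usr/lib protection only and the commit's stated goal is not reached. Add `--build-arg IMAGE_TYPE=nginx` to the nginx build line and `--build-arg IMAGE_TYPE=fastapi` to the fastapi build line. The `ARG IMAGE_TYPE` declaration in the Dockerfile hunk has no default either, so that side of the contract relies entirely on these two lines.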
......@@ -38,10 +49,20 @@ MEMCACHED_SCONE_FSPF_TAG=$(echo $memcached_key_tag | awk '{print $9}')
echo "export MEMCACHED_POLICY_FSPF_KEY=$MEMCACHED_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export MEMCACHED_POLICY_FSPF_TAG=$MEMCACHED_SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $MARIADB_TARGET_IMAGE
NGINX_SCONE_FSPF_KEY=$(echo $nginx_key_tag | awk '{print $11}')
NGINX_SCONE_FSPF_TAG=$(echo $nginx_key_tag | awk '{print $9}')
echo "export NGINX_POLICY_FSPF_KEY=$NGINX_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export NGINX_POLICY_FSPF_TAG=$NGINX_SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $MEMCACHED_TARGET_IMAGE
FASTAPI_SCONE_FSPF_KEY=$(echo $fastapi_key_tag | awk '{print $11}')
FASTAPI_SCONE_FSPF_TAG=$(echo $fastapi_key_tag | awk '{print $9}')
echo "export FASTAPI_POLICY_FSPF_KEY=$FASTAPI_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export FASTAPI_POLICY_FSPF_TAG=$FASTAPI_SCONE_FSPF_TAG" >> fspf_variables.sh
echo "Pushing protected images"
for img in $MARIADB_TARGET_IMAGE $MEMCACHED_TARGET_IMAGE $NGINX_TARGET_IMAGE $FASTAPI_TARGET_IMAGE; do
docker push $img
done
export RELEASE_NAME=${RELEASE_NAME:-mariadb}
export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-5-0-0.scone-cas.cf} # for production use 5.0.0.scone-cas.cf
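Review bot: The new `NGINX_SCONE_FSPF_KEY`/`FASTAPI_SCONE_FSPF_KEY` extractions are written to fspf_variables.sh without checking that they are non-empty; the script runs without `set -e`/`pipefail`, so a failed `docker build` or a `grep` that matched nothing yields an empty field, an `export FASTAPI_POLICY_FSPF_KEY=` line is written as if valid, and the image is still pushed by the new loop. A guard before each pair of echo lines catches this, e.g. `[ -n "$FASTAPI_SCONE_FSPF_KEY" ] && [ -n "$FASTAPI_SCONE_FSPF_TAG" ] || { echo "fastapi build produced no FSPF key/tag" >&2; exit 1; }` (and the same for nginx). The `for img in $MARIADB_TARGET_IMAGE ...; do docker push $img` loop should also quote its expansions and stop on a failed push, since a missing protected image is otherwise only noticed at deploy time.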
......@@ -49,11 +70,12 @@ export DB_HOST=${DB_HOST:-$RELEASE_NAME-mariadb-scone}
export DB_USER=${DB_USER:-scontain}
export MEMCACHED_HOST=${MEMCACHED_HOST:-memcached-scone}
export FASTAPI_HOST=${FASTAPI_HOST:-fastapi-scone}
export NGINX_HOST=${NGINX_HOST:-nginx-scone}
kubectl port-forward service/cas 8081:8081 & # remove this and network= host for production
# -e SCONE_LAS_ADDR=172.17.0.1
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e RELEASE_NAME=$RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e RELEASE_NAME=$RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST -e NGINX_HOST=$NGINX_HOST --device /dev/isgx -v $PWD:/policies registry.scontain.com:5050/sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
source myenv
......