Commit 7f83fe2d authored by Robert Schambach

Add mariadb setup from sconeapps

parent ab12e391
[SCONE|WARN] src/enclave/dispatch.c:181:print_version(): Application runs in SGX debug mode. Its memory can be read from outside the enclave with a debugger! This is not secure!
mysqld: unknown option '--bootstrap'
[SCONE|WARN] src/enclave/dispatch.c:181:print_version(): Application runs in SGX debug mode. Its memory can be read from outside the enclave with a debugger! This is not secure!
2020-12-22 16:00:32 0 [Note] mysqld (mysqld 10.4.12-MariaDB) starting as process 49 ...
[SCONE|WARN] src/syscall/syscall.c:33:__scone_ni_syscall(): system call: membarrier, number 324 is not implemented.
2020-12-22 16:00:33 0 [Note] InnoDB: The first innodb_system data file 'ibdata1' did not exist. A new tablespace will be created!
2020-12-22 16:00:33 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2020-12-22 16:00:33 0 [Note] InnoDB: Uses event mutexes
2020-12-22 16:00:33 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2020-12-22 16:00:33 0 [Note] InnoDB: Number of pools: 1
2020-12-22 16:00:33 0 [Note] InnoDB: Using SSE2 crc32 instructions
2020-12-22 16:00:33 0 [Note] mysqld: O_TMPFILE is not supported on /var/tmp (disabling future attempts)
2020-12-22 16:00:33 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2020-12-22 16:00:34 0 [Note] InnoDB: Completed initialization of buffer pool
2020-12-22 16:00:34 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2020-12-22 16:00:34 0 [Warning] InnoDB: Failed to set memory to MADV_DODUMP: Invalid argument ptr 0x101e3b9000 size 2097152
2020-12-22 16:00:34 0 [Note] InnoDB: Setting file './ibdata1' size to 12 MB. Physically writing the file full; Please wait ...
2020-12-22 16:00:34 0 [Note] InnoDB: File './ibdata1' size is now 12 MB.
2020-12-22 16:00:34 0 [Note] InnoDB: Setting log file ./ib_logfile101 size to 50331648 bytes
2020-12-22 16:00:34 0 [Note] InnoDB: Setting log file ./ib_logfile1 size to 50331648 bytes
2020-12-22 16:00:35 0 [Note] InnoDB: Renaming log file ./ib_logfile101 to ./ib_logfile0
2020-12-22 16:00:35 0 [Note] InnoDB: New log files created, LSN=11452
2020-12-22 16:00:35 0 [Note] InnoDB: Doublewrite buffer not found: creating new
2020-12-22 16:00:35 0 [Note] InnoDB: Doublewrite buffer created
2020-12-22 16:00:35 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2020-12-22 16:00:35 0 [Note] InnoDB: Creating foreign key constraint system tables.
2020-12-22 16:00:35 0 [Note] InnoDB: Creating tablespace and datafile system tables.
2020-12-22 16:00:35 0 [Note] InnoDB: Creating sys_virtual system tables.
2020-12-22 16:00:35 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2020-12-22 16:00:35 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2020-12-22 16:00:35 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2020-12-22 16:00:35 0 [Note] InnoDB: 10.4.12 started; log sequence number 0; transaction id 7
2020-12-22 16:01:14 0 [Warning] InnoDB: Failed to set memory to MADV_DODUMP: Invalid argument ptr 0x101c3b9000 size 33554432
2020-12-22 16:01:14 0 [Warning] InnoDB: Failed to set memory to MADV_DODUMP: Invalid argument ptr 0x1013b99000 size 134217728
Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
Waiting for mariadb running (120s max)
[SCONE|WARN] src/enclave/dispatch.c:181:print_version(): Application runs in SGX debug mode. Its memory can be read from outside the enclave with a debugger! This is not secure!
2020-12-22 16:01:25 0 [Note] mysqld (mysqld 10.4.12-MariaDB) starting as process 73 ...
[SCONE|WARN] src/syscall/syscall.c:33:__scone_ni_syscall(): system call: membarrier, number 324 is not implemented.
2020-12-22 16:01:26 0 [Note] InnoDB: The first innodb_system data file 'ibdata1' did not exist. A new tablespace will be created!
2020-12-22 16:01:26 0 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2020-12-22 16:01:26 0 [Note] InnoDB: Uses event mutexes
2020-12-22 16:01:26 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2020-12-22 16:01:26 0 [Note] InnoDB: Number of pools: 1
2020-12-22 16:01:26 0 [Note] InnoDB: Using SSE2 crc32 instructions
2020-12-22 16:01:26 0 [Note] mysqld: O_TMPFILE is not supported on /var/tmp (disabling future attempts)
2020-12-22 16:01:26 0 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2020-12-22 16:01:27 0 [Note] InnoDB: Completed initialization of buffer pool
2020-12-22 16:01:27 0 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2020-12-22 16:01:27 0 [Warning] InnoDB: Failed to set memory to MADV_DODUMP: Invalid argument ptr 0x101ea3e000 size 2097152
2020-12-22 16:01:27 0 [Note] InnoDB: Setting file '/external/ibdata1' size to 12 MB. Physically writing the file full; Please wait ...
2020-12-22 16:01:27 0 [Note] InnoDB: File '/external/ibdata1' size is now 12 MB.
2020-12-22 16:01:27 0 [Note] InnoDB: Setting log file /external/ib_logfile101 size to 50331648 bytes
2020-12-22 16:01:27 0 [Note] InnoDB: Setting log file /external/ib_logfile1 size to 50331648 bytes
2020-12-22 16:01:27 0 [Note] InnoDB: Renaming log file /external/ib_logfile101 to /external/ib_logfile0
2020-12-22 16:01:27 0 [Note] InnoDB: New log files created, LSN=11472
2020-12-22 16:01:27 0 [Note] InnoDB: Doublewrite buffer not found: creating new
2020-12-22 16:01:27 0 [Note] InnoDB: Doublewrite buffer created
2020-12-22 16:01:27 0 [Note] InnoDB: 128 out of 128 rollback segments are active.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating foreign key constraint system tables.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating tablespace and datafile system tables.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating sys_virtual system tables.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2020-12-22 16:01:27 0 [Note] InnoDB: Setting file '/external/ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2020-12-22 16:01:27 0 [Note] InnoDB: File '/external/ibtmp1' size is now 12 MB.
2020-12-22 16:01:27 0 [Note] InnoDB: 10.4.12 started; log sequence number 0; transaction id 7
2020-12-22 16:01:27 0 [Note] InnoDB: Creating #1 encryption thread id 69287181088 total threads 4.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating #2 encryption thread id 69289282336 total threads 4.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating #3 encryption thread id 69291383584 total threads 4.
2020-12-22 16:01:27 0 [Note] InnoDB: Creating #4 encryption thread id 69293484832 total threads 4.
2020-12-22 16:01:27 0 [Note] Plugin 'FEEDBACK' is disabled.
2020-12-22 16:01:27 0 [Note] Using encryption key id 1 for temporary files
2020-12-22 16:01:28 0 [Note] Server socket created on IP: '0.0.0.0'.
2020-12-22 16:01:28 0 [Warning] 'user' entry '@mariadb-mariadb-scone-0' ignored in --skip-name-resolve mode.
2020-12-22 16:01:28 0 [Warning] 'proxies_priv' entry '@% root@mariadb-mariadb-scone-0' ignored in --skip-name-resolve mode.
2020-12-22 16:01:28 6 [Warning] Failed to load slave replication state from table mysql.gtid_slave_pos: 1932: Table 'mysql.gtid_slave_pos' doesn't exist in engine
2020-12-22 16:01:28 0 [Note] Reading of all Master_info entries succeeded
2020-12-22 16:01:28 0 [Note] Added new Master_info '' to hash table
2020-12-22 16:01:28 0 [Note] mysqld: ready for connections.
Version: '10.4.12-MariaDB' socket: '/run/mysqld/mysqld.sock' port: 3306 MariaDB Server
[SCONE|WARN] src/enclave/dispatch.c:181:print_version(): Application runs in SGX debug mode. Its memory can be read from outside the enclave with a debugger! This is not secure!
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (111)
/demo/start.sh: line 69: 73 Killed su mysql -c 'mysqld --innodb-use-native-aio=0 --datadir=${MYSQL_DATADIR}'
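Review bot: this added log records a failed run and reads like runtime output that should not be checked in. Its second line is "mysqld: unknown option '--bootstrap'", and it ends with ERROR 2002 on /run/mysqld/mysqld.sock followed by start.sh line 69 reporting mysqld as Killed. Every enclave start in it also prints the SGX debug mode warning, and the bootstrap text reports two all-privilege accounts without passwords. If the file is meant as reference output, replace it with the log of a successful run and say so in the README; otherwise drop it from the commit and ignore it in version control.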
......@@ -52,10 +52,10 @@ export RELEASE_NAME=mariadb
Once you are finished, it is time to submit the policies.
Export your CAS address. This example uses the public CAS hosted at 4-2-1.scone-cas.cf.
Export your CAS address. This example uses the public CAS hosted at 5.0.0.scone-cas.cf.
```bash
export SCONE_CAS_ADDR=5-0-0.scone-cas.cf
export SCONE_CAS_ADDR=5.0.0.scone-cas.cf
```
Submit your policies with the help of SCONE CLI:
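Review bot: both replacement lines switch the CAS hostname to a dotted form (5.0.0.scone-cas.cf), while the lines they replace use dashes (4-2-1.scone-cas.cf in the sentence, 5-0-0.scone-cas.cf in the export). Please confirm that the dotted name resolves and is the name the CAS presents during attestation. A reader who copies an address that fails or points at a different host cannot submit policies, so if the dashed form is the working one, keep it and only fix the version mismatch between the sentence and the export.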
......
name: $DB_SESSION
version: "0.3"
version: "0.3"
# Access control:
# - only the data owner (CREATOR) can read or update the session
......@@ -12,9 +12,8 @@ access_policy:
security:
attestation:
mode: none
# tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
# ignore_advisories: "*"
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
ignore_advisories: "*"
# Service: mariadb
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
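Review bot: the attestation block now turns on tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration] and ignore_advisories: "*", which accepts every platform condition the list names, including the debug mode that the committed log warns about. Add a comment that these settings are for the demo only and trim the list to what the target machines actually need. The line mode: none is also still visible directly above; the rendered hunk does not show whether it is kept, so please state the intended mode, because the mrenclaves values enabled further down only help if attestation is performed.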
......@@ -22,7 +21,7 @@ services:
- name: db
image_name: db_image
command: mysqld --innodb-use-native-aio=0 --innodb-flush-method=fsync
# mrenclaves: ["$MRENCLAVE_MYSQLD"]
mrenclaves: ["$MRENCLAVE_MYSQLD"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
......@@ -34,7 +33,7 @@ services:
- name: bootstrap
image_name: bootstrap_image
command: mysqld --bootstrap --basedir=/usr --datadir=/var/lib/mysql --log-warnings=0 --plugin-dir=/usr/lib/mariadb/plugin --innodb-use-native-aio=0 --user=mysql --max_allowed_packet=8M --net_buffer_length=16K --default-storage-engine=innodb
# mrenclaves: ["$MRENCLAVE_MYSQLD", "$MRENCLAVE_MY_PRINT_DEFAULTS"]
mrenclaves: ["$MRENCLAVE_MYSQLD", "$MRENCLAVE_MY_PRINT_DEFAULTS"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
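Review bot: the command line of the bootstrap service still starts with mysqld --bootstrap, and the log added in this same commit opens with "mysqld: unknown option '--bootstrap'". Pinning mrenclaves here is the right direction, but please check that this service actually starts with the committed command, and document how MRENCLAVE_MYSQLD and MRENCLAVE_MY_PRINT_DEFAULTS are obtained so the values can be regenerated when the image changes.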
......@@ -46,7 +45,7 @@ services:
- name: create_user
image_name: bootstrap_image
command: ["mysql", "-e", "source /etc/create-user.sql;"]
# mrenclaves: ["$MRENCLAVE_MYSQL"]
mrenclaves: ["$MRENCLAVE_MYSQL"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
......@@ -73,9 +72,7 @@ images:
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'scontain'@'%';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'scontain';
CREATE DATABASE 'document_db';
CREATE TABLE 'document_db.document'(
record_id INT PRIMARY KEY,
content VARCHAR(1000) NOT NULL
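Review bot: the GRANT line gives ALL PRIVILEGES ON *.* to 'root'@'%' with the literal password 'scontain', which undoes the point of injecting MYSQL_ROOT_PASSWORD as a CAS secret in the service sections above. If that line survives this change, restrict the host part and take the password from the injected secret. The CREATE DATABASE 'document_db' and CREATE TABLE 'document_db.document' lines quote identifiers with single quotes, which MariaDB rejects under its default SQL mode; use backticks or no quotes if they are kept. The rendered hunk has lost its +/- markers, so please confirm which of these lines the change removes.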
......
......@@ -12,16 +12,18 @@ access_policy:
security:
attestation:
mode: none
# tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
# ignore_advisories: "*"
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
ignore_advisories: "*"
services:
- name: serve
image_name: client_image
command: ["python3", "rest_api.py"]
#mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]
pwd: /
environment:
DB_HOST: $DB_HOST
DB_USER: $DB_USER
images:
- name: client_image
......
export DB_POLICY_FSPF_KEY=7633b7dd6b3cbf7d67e4ea12cff613ce13d53a862993440db4669c3fa4d74ae1
export DB_POLICY_FSPF_TAG=71e22d4cea5cb4ec9b48748c889d73e8
export CAS_MRENCLAVE="4cd0fe54d3d8d787553b7dac7347012682c402220acd062e4d0da3bbe10a1c2c"
export MRENCLAVE_MYSQLD="ba36c590efff835ffbadd25ecf9489105961c61749790fccdfbbb1d318b3c918"
export MRENCLAVE_MYSQL="72accf0bf85a72af59b17f276b92dc755be184d63c8857286252c3aeb6ed1a10"
export MRENCLAVE_MY_PRINT_DEFAULTS="53dd745358ceb5d53587191bb3025512956088dc6d4e6b7f0fb79448596c6946"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="0e9e559e67ddbdc33ebd693162147136abbdd92ac414de9e15e65996c6f60212"
export SIMPLE_CLIENT_CONFIG_ID=database_simpleclient_22135-11202-28626
export DB_CONFIG_ID=database_policy_22135-11202-28626
export SCONE_CAS_ADDR=localhost
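Review bot: DB_POLICY_FSPF_KEY and DB_POLICY_FSPF_TAG are committed here in plaintext. Anyone with read access to the repository can use that key against the protected file system, so it should be treated as disclosed and regenerated. The next hunk header shows the build script appending these exports to fspf_variables.sh, so values of this kind are generated output; keep the file out of version control and commit a template with placeholders instead. The MRENCLAVE values and config IDs are not secret, but they are tied to one specific build and are better produced by the script than stored.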
......@@ -30,9 +30,13 @@ echo "export DB_POLICY_FSPF_TAG=$SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $TARGET_IMAGE
export RELEASE_NAME=${RELEASE_NAME:-mariadb}
export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-5-0-0.scone-cas.cf}
export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-localhost} # for production use 5.0.0.scone-cas.cf
export DB_HOST=${DB_HOST:-$RELEASE_NAME-mariadb-scone}
export DB_USER=${DB_USER:-scontain}
docker run -it --rm -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=172.17.0.1 -e RELEASE_NAME=$RELEASE_NAME --device /dev/isgx -v $PWD:/policies sconecuratedimages/sconecli:alpine3.7-scone5.0.0 bash /policies/upload_policies.sh
kubectl port-forward service/cas 8081:8081 & # remove this and network= host for production
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=172.17.0.1 -e RELEASE_NAME=$RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER --device /dev/isgx -v $PWD:/policies sconecuratedimages/sconecli:alpine3.7-scone5.0.0 bash /policies/upload_policies.sh
source myenv
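Review bot: kubectl port-forward service/cas 8081:8081 & is started in the background and the docker run follows immediately, so the policy upload can race the forward, and nothing stops the forward when the script ends. Wait until the port accepts connections, keep the PID from $! and kill it in a trap. The trailing comments are the only sign that localhost and --network=host are development settings; a variable that selects between the two setups would be safer than asking readers to delete lines. The comment on the SCONE_CAS_ADDR default also names 5.0.0.scone-cas.cf, while the other default line in this hunk uses 5-0-0.scone-cas.cf; please settle on the form that resolves.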
......