Commit ab12e391 authored by Robert Schambach

Add temporary dev config to db setup and sessions - UNSAFE

parent f90242ee
......@@ -12,8 +12,9 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb]
ignore_advisories: "*"
mode: none
# tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
# ignore_advisories: "*"
# Service: mariadb
# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
......@@ -21,7 +22,7 @@ services:
- name: db
image_name: db_image
command: mysqld --innodb-use-native-aio=0 --innodb-flush-method=fsync
mrenclaves: ["$MRENCLAVE_MYSQLD"]
# mrenclaves: ["$MRENCLAVE_MYSQLD"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
......@@ -33,7 +34,7 @@ services:
- name: bootstrap
image_name: bootstrap_image
command: mysqld --bootstrap --basedir=/usr --datadir=/var/lib/mysql --log-warnings=0 --plugin-dir=/usr/lib/mariadb/plugin --innodb-use-native-aio=0 --user=mysql --max_allowed_packet=8M --net_buffer_length=16K --default-storage-engine=innodb
mrenclaves: ["$MRENCLAVE_MYSQLD", "$MRENCLAVE_MY_PRINT_DEFAULTS"]
# mrenclaves: ["$MRENCLAVE_MYSQLD", "$MRENCLAVE_MY_PRINT_DEFAULTS"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
......@@ -45,7 +46,7 @@ services:
- name: create_user
image_name: bootstrap_image
command: ["mysql", "-e", "source /etc/create-user.sql;"]
mrenclaves: ["$MRENCLAVE_MYSQL"]
# mrenclaves: ["$MRENCLAVE_MYSQL"]
pwd: /
environment:
MYSQL_ROOT_PASSWORD: "$$SCONE::MYSQL_ROOT_PASSWORD$$"
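Review bot: The `tolerate` line kept as a comment in the first hunk, `# tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]`, is not the line that was removed — the live policy tolerated only `[debug-mode, hyperthreading, outdated-tcb]`, so whoever later uncomments it to undo this change will also start tolerating `insecure-configuration`, which the policy never did before. Together with `mode: none` and the commented-out `mrenclaves` on the `db`, `bootstrap` and `create_user` services, the session no longer binds `MYSQL_ROOT_PASSWORD` (or anything else CAS releases to these services) to an enclave measurement, so any client that can reach CAS with this session name can obtain it; the title says this is temporary, but nothing in the file prevents it being uploaded to a production CAS. I would keep the restore comment identical to the removed line, `# tolerate: [debug-mode, hyperthreading, outdated-tcb]`, and add a marker above the `security:` stanza, `# DEV ONLY: attestation disabled and mrenclaves unpinned - do not upload to a production CAS`, so the state is visible without reading git history. The `services:` hunks are cut at their edges, so I cannot see whether other secrets beyond `MYSQL_ROOT_PASSWORD` are injected into these services.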
......@@ -12,14 +12,15 @@ access_policy:
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb]
ignore_advisories: "*"
mode: none
# tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
# ignore_advisories: "*"
services:
- name: serve
image_name: client_image
command: ["python3", "rest_api.py"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]
#mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]
pwd: /
images:
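Review bot: `#mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]` in the `serve` service has no space after `#`, unlike the `# mrenclaves:` form used in the db policy in the same commit; for consistency and yamllint's `comments` rule write `# mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"]`. Since the file is already a template (the `$MRENCLAVE_...` placeholders), the dev variant could arguably be expressed without weakening the committed default: keep `mrenclaves` pinned and substitute only the attestation mode, e.g. `mode: $ATTESTATION_MODE` with the dev script exporting `none` — this depends on what the upload script's substitution supports, which I cannot see here. As committed, `mode: none` plus an unpinned `serve` service means CAS will release this session's configuration to any launcher that presents the session name. The hunk ends at `images:`, so what this service is actually given is outside my view.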
#!/usr/bin/env bash
# Exit on error. Append "|| true" if you expect an error.
set -o errexit
# Exit on error inside any functions or subshells.
set -o errtrace
# Do not allow use of undefined vars. Use ${VAR:-} to use an undefined VAR
set -o nounset
# Catch the error in case mysqldump fails (but gzip succeeds) in `mysqldump |gzip`
set -o pipefail
# Turn on traces, useful while debugging but commented out by default
#set -o xtrace
cd $PWD/mariadb
# Define your base MariaDB image.
export BASE_IMAGE=${BASE_IMAGE:-sconecuratedimages/apps:mariadb-10.4-alpine-scone5.0.0}
# Define the image we are building. This one will be deployed to your servers.
export TARGET_IMAGE=${TARGET_IMAGE:-enterjazz/scone-test-images:mariadb}
# Download the latests images from sconecuratedimages.
./pull_latest_images.sh
# Build.
key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${BASE_IMAGE} -t ${TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
SCONE_FSPF_KEY=$(echo $key_tag | awk '{print $11}')
SCONE_FSPF_TAG=$(echo $key_tag | awk '{print $9}')
echo "export DB_POLICY_FSPF_KEY=$SCONE_FSPF_KEY" > fspf_variables.sh
echo "export DB_POLICY_FSPF_TAG=$SCONE_FSPF_TAG" >> fspf_variables.sh
docker push $TARGET_IMAGE
export RELEASE_NAME=${RELEASE_NAME:-mariadb}
export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-5-0-0.scone-cas.cf}
docker run -it --rm -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=172.17.0.1 -e RELEASE_NAME=$RELEASE_NAME --device /dev/isgx -v $PWD:/policies sconecuratedimages/sconecli:alpine3.7-scone5.0.0 bash /policies/upload_policies.sh
source myenv
helm install $RELEASE_NAME sconeapps/mariadb-scone \
--set image=$TARGET_IMAGE \
--set scone.attestation.cas=$SCONE_CAS_ADDR \
--set scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
--set scone.attestation.createUserConfigID=$DB_CONFIG_ID/create_user \
--set scone.attestation.testCreateDBConfigID=$SIMPLE_CLIENT_CONFIG_ID/serve
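Review bot: `SCONE_FSPF_KEY` and `SCONE_FSPF_TAG` are taken from fixed awk fields (`$11` and `$9`) of the one `docker build` output line matching "Encrypted file system protection" and written unconditionally to `fspf_variables.sh`; if the line matches but the field layout differs, both expand to empty strings, which `set -o nounset` does not catch, and an empty key is written with no error (the key coming from a later field than the tag also looks inverted, but I cannot check that without the build output). That file then holds the file-system-protection key in plaintext with default permissions in the working tree. I would add, after the two awk lines, `[ -n "$SCONE_FSPF_KEY" ] && [ -n "$SCONE_FSPF_TAG" ] || { echo "could not parse FSPF key/tag from build output" >&2; exit 1; }`, write the file under `umask 077` (or `chmod 600 fspf_variables.sh` right after it is written), and confirm it is git-ignored. Separately, `cd $PWD/mariadb` and `-v $PWD:/policies` should quote `$PWD`, which word-splits on a path containing spaces.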