Commit df1d7284 authored by Robert Schambach's avatar Robert Schambach

Add binaryfs for fastapi server

parent 63570f2a
FROM sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0
#FROM sconecuratedimages/apps:python-3.7.3-alpine3.10-scone5.0.0
COPY rest_api.py rest_api.py
# First stage: apply the binary-fs
# FOR BUILDING WITH BINARYFS
FROM sconecuratedimages/apps:python-3.7.3-alpine3.10 AS binary-fs
COPY rest_api.py /.
COPY requirements.txt requirements.txt
RUN pip3 install -r requirements.txt
CMD ["python3", "rest_api.py"]
RUN rm /usr/lib/python3.7/config-3.7m-x86_64-linux-gnu/libpython3.7m.a && \
SCONE_MODE=auto scone binaryfs / /binary-fs.c -v \
--include '/usr/lib/python3.7/*' \
--include /lib/libssl.so.1.1 \
--include /lib/libcrypto.so.1.1 \
--include '/lib/libz.so.1*' \
--include '/usr/lib/libbz2.so.1*' \
--include '/usr/lib/libsqlite3.so.0*' \
--include '/usr/lib/libev.so.4*' \
--include '/usr/lib/libffi.so.6*' \
--include '/usr/lib/libexpat.so.1*' \
--include /rest_api.py
# Second stage: compile the binary fs
#FROM registry.scontain.com:5050/sconecuratedimages/crosscompilers:alpine-scone5.0.0 as crosscompiler
FROM sconecuratedimages/crosscompilers:alpine3.7 as crosscompiler
COPY --from=binary-fs /binary-fs.c /.
RUN scone gcc /binary-fs.c -O0 -shared -o /libbinary-fs.so
# Third stage: patch the binary-fs into the enclave executable
# FROM registry.scontain.com:5050/sconecuratedimages/apps:python-3.7.3-alpine3.10
FROM sconecuratedimages/apps:python-3.7.3-alpine3.10
COPY --from=crosscompiler /libbinary-fs.so /.
RUN apk add --no-cache patchelf && \
patchelf --add-needed libbinary-fs.so `which python3` && \
apk del patchelf
ENV SCONE_HEAP=512M
ENV SCONE_LOG=debug
ENV LD_LIBRARY_PATH="/"
CMD sh -c "sleep 5 && python3 /rest_api.py"
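Review bot: The final stage bakes `ENV SCONE_LOG=debug` into what appears to be the image the deploy script hands to helm, so enclave runtime diagnostics end up in the container log, which is readable by the host operator that the enclave is meant to exclude. What is printed at that level is not visible on this page, but I would drop the line from the image and set the log level only in a debugging deployment. `ENV LD_LIBRARY_PATH="/"` makes the loader search the root directory for every library; copying `libbinary-fs.so` into a standard library directory instead would remove the need for the variable, provided the SCONE loader accepts that. The shell-form `CMD sh -c "sleep 5 && python3 /rest_api.py"` leaves `sh` as PID 1, so `CMD ["sh", "-c", "sleep 5 && exec python3 /rest_api.py"]` would let the server receive SIGTERM. The stage also has no `USER`, so the service runs as root.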
......@@ -21,9 +21,9 @@ services:
command: ["python3", "rest_api.py"]
mrenclaves: ["$MRENCLAVE_SIMPLECLIENT_FASTAPI"]
pwd: /
fspf_path: /fspf.pb
fspf_key: $FASTAPI_POLICY_FSPF_KEY
fspf_tag: $FASTAPI_POLICY_FSPF_TAG
# fspf_path: /fspf.pb
# fspf_key: $FASTAPI_POLICY_FSPF_KEY
# fspf_tag: $FASTAPI_POLICY_FSPF_TAG
environment:
DB_HOST: $DB_HOST
DB_USER: $DB_USER
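Review bot: With `fspf_path`, `fspf_key` and `fspf_tag` commented out (assuming the commented lines are the new side of this hunk), the service entry no longer carries any file-system protection, so the policy's only tie to the application code is the `mrenclaves` value. That holds only if the binary-fs contents are covered by the enclave measurement and `$MRENCLAVE_SIMPLECLIENT_FASTAPI` is recomputed from the patched `python3` of the new image; neither is visible here, so please confirm where that value is derived. Any file the server reads that is not in the Dockerfile's `--include` list would now come from the container file system without authentication or encryption. I would delete the three lines rather than keep them commented and add a comment such as `# file system is embedded via binary-fs; integrity relies on mrenclaves`.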
......
......@@ -54,7 +54,7 @@ if [ ! -z "$FASTAPI_SESSION" ]; then
export DB_DATABASE="test_db"
export TABLE="test_table"
echo "Uploading policy $FASTAPI_SESSION (MariaDB simple client)..."
echo "Uploading policy $FASTAPI_SESSION (fastapi server)..."
scone session create --use-env "${BASH_SOURCE%/*}/fastapi_session.yml"
echo ""
echo "export FASTAPI_CONFIG_ID="$FASTAPI_SESSION"" > "${BASH_SOURCE%/*}/myenv"
......
......@@ -21,7 +21,7 @@ global:
# dependencies
fastapi-scone:
image: registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server-protected
image: registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server
scone:
attestation:
FASTAPIConfigID: fastapi_config/serve
......
......@@ -27,8 +27,8 @@ export MEMCACHED_TARGET_IMAGE=${MEMCACHED_TARGET_IMAGE:-"registry.scontain.com:5
export NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server"}
export NGINX_TARGET_IMAGE=${NGINX_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server-protected"}
export FASTAPI_BASE_IMAGE=${FASTAPI_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
export FASTAPI_TARGET_IMAGE=${FASTAPI_TARGET_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server-protected"}
export FASTAPI_IMAGE=${FASTAPI_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
#export FASTAPI_IMAGE=${FASTAPI_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
export CLIENT_IMAGE=${CLIENT_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:client"}
......@@ -40,7 +40,7 @@ memcached_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${MEMCACHED_B
nginx_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} -t ${NGINX_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
fastapi_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${FASTAPI_BASE_IMAGE} -t ${FASTAPI_TARGET_IMAGE} utils/ | grep "Encrypted file system protection")
# fastapi_key_tag=$(docker build --no-cache --build-arg BASE_IMAGE=${FASTAPI_IMAGE} -t ${FASTAPI_IMAGE} utils/ | grep "Encrypted file system protection")
MARIADB_SCONE_FSPF_KEY=$(echo $mariadb_key_tag | awk '{print $11}')
......@@ -58,13 +58,13 @@ NGINX_SCONE_FSPF_TAG=$(echo $nginx_key_tag | awk '{print $9}')
echo "export NGINX_POLICY_FSPF_KEY=$NGINX_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export NGINX_POLICY_FSPF_TAG=$NGINX_SCONE_FSPF_TAG" >> fspf_variables.sh
FASTAPI_SCONE_FSPF_KEY=$(echo $fastapi_key_tag | awk '{print $11}')
FASTAPI_SCONE_FSPF_TAG=$(echo $fastapi_key_tag | awk '{print $9}')
echo "export FASTAPI_POLICY_FSPF_KEY=$FASTAPI_SCONE_FSPF_KEY" >> fspf_variables.sh
echo "export FASTAPI_POLICY_FSPF_TAG=$FASTAPI_SCONE_FSPF_TAG" >> fspf_variables.sh
#FASTAPI_SCONE_FSPF_KEY=$(echo $fastapi_key_tag | awk '{print $11}')
#FASTAPI_SCONE_FSPF_TAG=$(echo $fastapi_key_tag | awk '{print $9}')
#echo "export FASTAPI_POLICY_FSPF_KEY=$FASTAPI_SCONE_FSPF_KEY" >> fspf_variables.sh
#echo "export FASTAPI_POLICY_FSPF_TAG=$FASTAPI_SCONE_FSPF_TAG" >> fspf_variables.sh
echo "Pushing protected images"
for img in $MARIADB_TARGET_IMAGE $MEMCACHED_TARGET_IMAGE $NGINX_TARGET_IMAGE $FASTAPI_TARGET_IMAGE; do
for img in $MARIADB_TARGET_IMAGE $MEMCACHED_TARGET_IMAGE $NGINX_TARGET_IMAGE; do #$FASTAPI_IMAGE; do
echo "Pushing $img"
docker push $img
done
......@@ -108,7 +108,7 @@ helm install secure-doc-management $PWD/secure-doc-management \
--set mariadb-scone.scone.attestation.DBConfigID=$DB_CONFIG_ID/db \
--set mariadb-scone.scone.attestation.bootstrapConfigID=$DB_CONFIG_ID/bootstrap \
--set mariadb-scone.scone.attestation.createUserConfigID=$DB_CONFIG_ID/create_user \
--set fastapi-scone.image=$FASTAPI_TARGET_IMAGE \
--set fastapi-scone.image=$FASTAPI_IMAGE \
--set fastapi-scone.scone.attestation.FASTAPIConfigID=$FASTAPI_CONFIG_ID/serve \
--set nginx-scone.image=$NGINX_TARGET_IMAGE \
--set nginx-scone.scone.attestation.NGINXConfigID=$NGINX_CONFIG_ID/nginx \
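Review bot: The script now deploys `$FASTAPI_IMAGE` through `--set fastapi-scone.image=$FASTAPI_IMAGE` but no longer builds or pushes that image: the `fastapi_key_tag` build is commented out and the push loop ends in `#$FASTAPI_IMAGE; do`, assuming the second line of each printed pair is the new side. The cluster therefore pulls whatever currently sits behind the mutable `fastapi-server` tag, which is also the new default in the chart values (`image: …:fastapi-server`), and nothing in this script ties that content to the Dockerfile in this commit. Attestation against the session's `mrenclaves` should reject a different enclave binary if it is enforced, but a stale or replaced tag would then surface only at start-up. I would build and push the image here and pass it to helm by digest. The commented-out `FASTAPI_SCONE_FSPF_*` lines and the duplicate `#export FASTAPI_IMAGE=…` are dead code and should be deleted.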
......