Merged
38 commits
dace222
Add docker release for teeracle
mosonyi May 8, 2023
58bf709
Fix release teeracle
mosonyi May 8, 2023
39644ae
Use ref_name instead of tag_name
mosonyi May 9, 2023
79f6a44
Fix downloading binary
mosonyi May 9, 2023
d1b4e8b
Fix upload binary
mosonyi May 9, 2023
080241d
Added file to the release
mosonyi May 10, 2023
0dc311b
Add prod build
mosonyi May 11, 2023
4e02b22
Fix syntax
mosonyi May 11, 2023
d829cf6
Add release-build dependency
mosonyi May 11, 2023
22f2a4f
Pass production mode arg
mosonyi May 11, 2023
059ace2
Added vault import secrets
mosonyi May 19, 2023
6a9e657
Added vault import secrets
mosonyi May 19, 2023
771aeed
Added vault import secrets
mosonyi May 22, 2023
c281259
Added vault import secrets
mosonyi May 22, 2023
f1505c1
Remove tabs
mosonyi May 22, 2023
636f5c7
Hardcoded path
mosonyi May 22, 2023
f04a742
Back to path secret
mosonyi May 22, 2023
28683b6
Back to path secret
mosonyi May 22, 2023
5023865
Runs on self hosted
mosonyi May 22, 2023
4fa684a
Fix run all command
mosonyi May 23, 2023
cc59106
Fix run all command
mosonyi May 23, 2023
2cbebf5
Added ssl pubout
mosonyi May 23, 2023
055999e
Added ssl pubout
mosonyi May 23, 2023
079477f
itp-attestation-handler: make sure the production flag gets activated…
OverOrion May 23, 2023
231af77
Revert back tests
mosonyi May 24, 2023
aae7f95
Revert back tests
mosonyi May 24, 2023
cfb2e7b
Merge branch 'master' into zm/teeracle_docker
mosonyi May 24, 2023
b480585
Update .github/workflows/build_and_test.yml
mosonyi May 25, 2023
c8a7927
Update .github/workflows/build_and_test.yml
mosonyi May 25, 2023
49ef317
Update build.Dockerfile
mosonyi May 25, 2023
2517ad3
Rename COMMERCIAL KEY to SIGN KEY
mosonyi May 25, 2023
25705e7
Put back release binaries
mosonyi May 25, 2023
c569650
Merge branch 'master' into zm/teeracle_docker
mosonyi May 25, 2023
3f66bc8
Rename SIGN Key to COMMERCIAL Key
mosonyi May 25, 2023
ea18707
Comment out release binaries
mosonyi May 25, 2023
e16a073
Try to get tag name
mosonyi May 25, 2023
7e4cdd7
Remove unneeded file
mosonyi May 26, 2023
351f657
Merge branch 'master' into zm/teeracle_docker
OverOrion May 26, 2023
167 changes: 139 additions & 28 deletions .github/workflows/build_and_test.yml
Expand Up @@ -112,6 +112,16 @@ jobs:
name: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz
path: integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }}.tar.gz

- name: Delete images
run: |
if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
fi
if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
fi
docker images --all

clippy:
runs-on: ubuntu-latest
container: "integritee/integritee-dev:0.2.1"
Expand Down Expand Up @@ -327,6 +337,12 @@ jobs:

- name: Delete images
run: |
if [[ "$(docker images -q integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
docker image rmi --force integritee-worker-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
fi
if [[ "$(docker images -q integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2> /dev/null)" != "" ]]; then
docker image rmi --force integritee-cli-client-${{ matrix.flavor_id }}-${{ github.sha }} 2>/dev/null
fi
if [[ "$(docker images -q ${{ env.WORKER_IMAGE_TAG }} 2> /dev/null)" != "" ]]; then
docker image rmi --force ${{ env.WORKER_IMAGE_TAG }} 2>/dev/null
fi
Expand All @@ -338,47 +354,141 @@ jobs:
fi
docker images --all


release:
runs-on: ubuntu-latest
name: Draft Release
release-build:
runs-on: integritee-builder-sgx
name: Release Build of teeracle
if: startsWith(github.ref, 'refs/tags/')
needs: [build-test, integration-tests]
outputs:
release_url: ${{ steps.create-release.outputs.html_url }}
asset_upload_url: ${{ steps.create-release.outputs.upload_url }}

strategy:
fail-fast: false
matrix:
include:
- flavor_id: teeracle
mode: teeracle
sgx_mode: HW

steps:
- uses: actions/checkout@v3

- name: Download Integritee Service
uses: actions/download-artifact@v3
with:
name: integritee-worker-sidechain-${{ github.sha }}
path: integritee-worker-tmp
- name: Add masks
run: |
echo "::add-mask::$VAULT_TOKEN"
echo "::add-mask::$PRIVKEY_B64"
echo "::add-mask::$PRIVKEY_PASS"

- name: Download Integritee Client
uses: actions/download-artifact@v3
- name: Set env
run: |
fingerprint=$RANDOM
echo "FINGERPRINT=$fingerprint" >> $GITHUB_ENV
if [[ ${{ matrix.sgx_mode }} == 'HW' ]]; then
echo "DOCKER_DEVICES=--device=/dev/sgx/enclave --device=/dev/sgx/provision" >> $GITHUB_ENV
echo "DOCKER_VOLUMES=--volume /var/run/aesmd:/var/run/aesmd" >> $GITHUB_ENV
else
echo "DOCKER_DEVICES=" >> $GITHUB_ENV
echo "DOCKER_VOLUMES=" >> $GITHUB_ENV
fi
echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
with:
name: integritee-client-sidechain-${{ github.sha }}
path: integritee-client-tmp
buildkitd-flags: --debug
driver: docker-container

- name: Download Enclave Signed
uses: actions/download-artifact@v3
- name: Import secrets
uses: hashicorp/vault-action@v2
id: import-secrets
with:
name: enclave-signed-sidechain-${{ github.sha }}
path: enclave-signed-tmp
url: ${{ secrets.VAULT_URL }}
tlsSkipVerify: false
token: ${{ env.VAULT_TOKEN }}
exportEnv: false
secrets: |
${{ secrets.VAULT_PATH }} intel_sgx_pem_base64 | PRIVKEY_B64 ;
${{ secrets.VAULT_PATH }} password | PRIVKEY_PASS

- name: Get secrets
env:
PRIVKEY_B64: ${{ steps.import-secrets.outputs.PRIVKEY_B64 }}
PRIVKEY_PASS: ${{ steps.import-secrets.outputs.PRIVKEY_PASS }}
run: |
echo $PRIVKEY_B64 | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem
echo $PRIVKEY_PASS > enclave-runtime/passfile.txt

- name: Build Worker & Run Cargo Test
env:
DOCKER_BUILDKIT: 1
run: >
docker build -t integritee/${{ matrix.flavor_id }}:${{ github.ref_name }}
--target deployed-worker
--build-arg WORKER_MODE_ARG=${{ matrix.mode }} --build-arg SGX_COMMERCIAL_KEY=enclave-runtime/intel_sgx.pem --build-arg SGX_PASSFILE=enclave-runtime/passfile.txt --build-arg SGX_PRODUCTION=1 --build-arg ADDITIONAL_FEATURES_ARG=${{ matrix.additional_features }} --build-arg SGX_MODE=${{ matrix.sgx_mode }}
-f build.Dockerfile .

- name: Save released teeracle
run: |
docker image save integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} | gzip > integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz
docker images --all

- name: Move service binaries
run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer
- name: Upload teeracle image
uses: actions/upload-artifact@v3
with:
name: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz
path: integritee-worker-${{ matrix.flavor_id }}-${{ github.ref_name }}.tar.gz

- name: Move service client binaries
run: mv integritee-client-tmp/integritee-cli ./integritee-client
- name: Delete images
run: |
if [[ "$(docker images -q integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2> /dev/null)" != "" ]]; then
docker image rmi --force integritee/${{ matrix.flavor_id }}:${{ github.ref_name }} 2>/dev/null
fi
docker images --all

- name: Move service client binaries
run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so
release:
runs-on: ubuntu-latest
name: Draft Release
if: startsWith(github.ref, 'refs/tags/')
needs: [build-test, integration-tests, release-build]
outputs:
release_url: ${{ steps.create-release.outputs.html_url }}
asset_upload_url: ${{ steps.create-release.outputs.upload_url }}
steps:
- uses: actions/checkout@v3

- name: Create required package.json
run: test -f package.json || echo '{}' >package.json
- name: Download Worker Image
uses: actions/download-artifact@v3
with:
name: integritee-worker-teeracle-${{ github.ref_name }}.tar.gz
path: .

#
# Temporary comment out until we decide what to release
#
# - name: Download Integritee Service
# uses: actions/download-artifact@v3
# with:
# name: integritee-worker-sidechain-${{ github.sha }}
# path: integritee-worker-tmp

# - name: Download Integritee Client
# uses: actions/download-artifact@v3
# with:
# name: integritee-client-sidechain-${{ github.sha }}
# path: integritee-client-tmp

# - name: Download Enclave Signed
# uses: actions/download-artifact@v3
# with:
# name: enclave-signed-sidechain-${{ github.sha }}
# path: enclave-signed-tmp

# - name: Move service binaries
# run: mv integritee-worker-tmp/integritee-service ./integritee-demo-validateer

# - name: Move service client binaries
# run: mv integritee-client-tmp/integritee-cli ./integritee-client

# - name: Move service client binaries
# run: mv enclave-signed-tmp/enclave.signed.so ./enclave.signed.so

- name: Changelog
uses: scottbrenner/generate-changelog-action@master
Expand All @@ -398,6 +508,7 @@ jobs:
${{ steps.Changelog.outputs.changelog }}
draft: true
files: |
integritee-worker-teeracle-${{ github.ref_name }}.tar.gz
integritee-client
integritee-demo-validateer
enclave.signed.so
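Review bot: The production signing key and its password are written into the checkout at `echo $PRIVKEY_B64 | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem` and `echo $PRIVKEY_PASS > enclave-runtime/passfile.txt` unquoted (word splitting and globbing can corrupt a password containing spaces or `*`), with default permissions, and no step removes them afterwards on the self-hosted `integritee-builder-sgx` runner — the later "Delete images" step only prunes the image, so the key outlives the job in the workspace. The "Add masks" step masks `$PRIVKEY_B64` and `$PRIVKEY_PASS` before those variables exist (they are only defined as step `env` on "Get secrets"), so those two masks are no-ops; vault-action masks its own outputs, so this is misleading rather than a leak, but the step should either be dropped or moved after the import. `echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"` widens the token's scope to every later step; if `$VAULT_TOKEN` comes from a job-level `env:` outside this hunk, `token:` on the import step can read that directly. Suggested rewrite of "Get secrets" plus an always-run cleanup step:
```yaml
      - name: Get secrets
        env:
          PRIVKEY_B64: ${{ steps.import-secrets.outputs.PRIVKEY_B64 }}
          PRIVKEY_PASS: ${{ steps.import-secrets.outputs.PRIVKEY_PASS }}
        run: |
          umask 077
          printf '%s' "$PRIVKEY_B64" | base64 --ignore-garbage --decode > enclave-runtime/intel_sgx.pem
          printf '%s\n' "$PRIVKEY_PASS" > enclave-runtime/passfile.txt

      # … unchanged: build, save, upload and delete-images steps …

      - name: Remove signing material
        if: always()
        run: rm -f enclave-runtime/intel_sgx.pem enclave-runtime/passfile.txt
```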
15 changes: 10 additions & 5 deletions .github/workflows/delete-release.yml
Expand Up @@ -10,17 +10,22 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
binary: ["integritee-client", "integritee-demo-validateer"]
#binary: ["integritee-client", "integritee-demo-validateer"]
binary: ["teeracle"]
steps:
- uses: actions/checkout@v2

- name: Set output
id: vars
run: echo "{tag}={$GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

- name: Get Tag
id: get_tag
run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\//}

- name: Check output
env:
RELEASE_VERSION: ${{ steps.vars.outputs.tag }}
RELEASE_VERSION: ${{ steps.get_tag.outputs.TAG }}
run: |
echo $RELEASE_VERSION
echo ${{ steps.vars.outputs.tag }}
Expand All @@ -39,7 +44,7 @@ jobs:
run: |
ORGANIZATION="integritee"
IMAGE="${{ matrix.binary }}"
TAG="${{ steps.vars.outputs.tag }}"
TAG="${{ steps.get_tag.outputs.TAG }}"

login_data() {
cat <<EOF
Expand All @@ -57,9 +62,9 @@ jobs:
-H "Authorization: JWT ${TOKEN}"

- name: Delete tag as well
uses: dev-drprasad/[email protected].0
uses: dev-drprasad/[email protected].1
with:
delete_release: false # it is triggered by release deletion
tag_name: ${{ steps.vars.outputs.tag }} # tag name to delete
tag_name: ${{ steps.get_tag.outputs.TAG }} # tag name to delete
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
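Review bot: The new "Get Tag" step at `echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\//}` reintroduces the deprecated `set-output` workflow command, while the "Set output" step just above it already writes to `$GITHUB_OUTPUT` (with a malformed `{tag}={...}` expression that the "Check output" step still reads through `steps.vars.outputs.tag`). Write the tag once in the supported form, `run: echo "TAG=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"`, and retire the `vars` step so there is a single source for the release version. `dev-drprasad/delete-tag-and-release@v0.2.1` is a third-party action that receives `GITHUB_TOKEN` and is pinned to a mutable tag; pinning to the full commit SHA (with the version in a trailing comment) removes the risk of the tag being moved under you.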
11 changes: 8 additions & 3 deletions .github/workflows/publish-docker-release.yml
@@ -1,9 +1,14 @@
name: Publish Docker image for new releases

# Just disable it temporary
# on:
# release:
# types:
# - published
on:
release:
types:
- published
push:
branches:
- 'releases/**'

jobs:
main:
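Review bot: Re-enabling `on: release: published` alongside `push: branches: ['releases/**']` means the `main` job (its body is outside this hunk) now runs for two event types with different payloads; if it reads `github.event.release.tag_name` the way the new publish-docker-teeracle.yml does, a push to a `releases/**` branch would yield an empty tag and the push would target a bare `integritee/<image>:` reference. If the branch trigger is meant for testing the workflow, guard the publish step with `if: github.event_name == 'release'`, or derive the tag from `github.ref_name`, which is populated for both events.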
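--- a/.github/workflows/publish-docker-teeracle.yml
+++ b/.github/workflows/publish-docker-teeracle.yml
@@ -0,0 +1,43 @@
+name: Publish Docker image for new teeracle release
+
+on:
+release:
+types:
+- published
+
+jobs:
+main:
+name: Push Integritee Teeracle to Dockerhub
+runs-on: [ self-hosted ]
+steps:
+- uses: actions/checkout@v3
+
+- name: Download teeracle from release
+uses: dsaltares/fetch-gh-release-asset@master
+with:
+version: "tags/${{ github.event.release.tag_name }}"
+file: integritee-worker-teeracle-${{ github.event.release.tag_name }}.tar.gz
+target: "integritee-worker-teeracle.tar.gz"
+token: ${{ secrets.GITHUB_TOKEN }}
+
+
+- name: Login to Dockerhub
+uses: docker/login-action@v1
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+- name: Load Worker & Push
+env:
+DOCKER_BUILDKIT: 1
+run: |
+docker image load --input integritee-worker-teeracle.tar.gz
+docker images --all
+docker push integritee/teeracle:${{ github.event.release.tag_name }}
+- name: Delete images
+run: |
+if [[ "$(docker images -q integritee/teeracle:${{ github.event.release.tag_name }} 2> /dev/null)" != "" ]]; then
+docker image rmi --force integritee/teeracle:${{ github.event.release.tag_name }} 2>/dev/null
+fi
+docker images --all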
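Review bot: `uses: dsaltares/fetch-gh-release-asset@master` pins a third-party action to a moving branch inside a job that also holds `DOCKER_HUB_ACCESS_TOKEN` and runs on a self-hosted runner, so any change to that branch executes with push rights to `integritee/teeracle`; pin it to a full commit SHA (the same applies to `docker/login-action@v1`). `github.event.release.tag_name` is expanded straight into the `run:` shell on the `docker push` and `docker image rmi` lines; pass it through `env:` as `RELEASE_TAG: ${{ github.event.release.tag_name }}` and use `"integritee/teeracle:$RELEASE_TAG"` so a tag containing shell metacharacters cannot alter the command. Nothing compares the loaded tarball with the image produced by build_and_test.yml before it is pushed; publishing the image digest as a release asset and checking it here before `docker push` would close that gap.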
17 changes: 17 additions & 0 deletions Makefile
Expand Up @@ -75,11 +75,13 @@ ifeq ($(SGX_PRODUCTION), 1)
SGX_ENCLAVE_MODE = "Production Mode"
SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.production.xml"
SGX_SIGN_KEY = $(SGX_COMMERCIAL_KEY)
SGX_SIGN_PASSFILE = $(SGX_PASSFILE)
WORKER_FEATURES := --features=production,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
else
SGX_ENCLAVE_MODE = "Development Mode"
SGX_ENCLAVE_CONFIG = "enclave-runtime/Enclave.config.xml"
SGX_SIGN_KEY = "enclave-runtime/Enclave_private.pem"
SGX_SIGN_PASSFILE = ""
WORKER_FEATURES := --features=default,$(WORKER_MODE),$(WORKER_FEATURES),$(ADDITIONAL_FEATURES)
endif

Expand Down Expand Up @@ -194,7 +196,22 @@ $(RustEnclave_Name): enclave enclave-runtime/Enclave_t.o
$(Signed_RustEnclave_Name): $(RustEnclave_Name)
@echo
@echo "Signing the enclave: $(SGX_ENCLAVE_MODE)"
@echo "SGX_ENCLAVE_SIGNER: $(SGX_ENCLAVE_SIGNER)"
@echo "RustEnclave_Name: $(RustEnclave_Name)"
@echo "SGX_ENCLAVE_CONFIG: $(SGX_ENCLAVE_CONFIG)"
@echo "SGX_SIGN_PASSFILE: $(SGX_SIGN_PASSFILE)"
@echo "SGX_SIGN_KEY: $(SGX_SIGN_KEY)"


ifeq ($(SGX_PRODUCTION), 1)
$(SGX_ENCLAVE_SIGNER) gendata -enclave $(RustEnclave_Name) -out enclave_sig.dat -config $(SGX_ENCLAVE_CONFIG)
openssl rsa -passin file:$(SGX_SIGN_PASSFILE) -pubout -in $(SGX_SIGN_KEY) -out intel_sgx.pub
openssl dgst -sha256 -passin file:$(SGX_SIGN_PASSFILE) -sign $(SGX_SIGN_KEY) -out signature.dat enclave_sig.dat
openssl dgst -sha256 -verify intel_sgx.pub -signature signature.dat enclave_sig.dat
$(SGX_ENCLAVE_SIGNER) catsig -enclave $(RustEnclave_Name) -config $(SGX_ENCLAVE_CONFIG) -out $@ -key intel_sgx.pub -sig signature.dat -unsigned enclave_sig.dat
else
$(SGX_ENCLAVE_SIGNER) sign -key $(SGX_SIGN_KEY) -enclave $(RustEnclave_Name) -out $@ -config $(SGX_ENCLAVE_CONFIG)
endif
@echo "SIGN => $@"
@echo
@echo "Enclave is in $(SGX_ENCLAVE_MODE)"
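Review bot: The production branch under `ifeq ($(SGX_PRODUCTION), 1)` leaves `enclave_sig.dat`, `signature.dat` and `intel_sgx.pub` in the working tree with no cleanup, and its command lines are not `@`-prefixed, so each invocation including the key path is echoed into the CI log; add `rm -f enclave_sig.dat signature.dat` after the `catsig` line. The `gendata`/`catsig` split is the flow Intel documents so that the commercial key can live on an isolated signer, but here `openssl dgst -sha256 ... -sign $(SGX_SIGN_KEY)` runs in the same recipe on the same host, so the separation is only nominal and deserves a comment above the branch, e.g. `# Two-step signing (gendata/catsig) permits an offline signer; currently the key is local to this build.` The `openssl dgst ... -verify intel_sgx.pub` line does catch a mismatched key/signature before catsig, which is good. The `$(Signed_RustEnclave_Name)` recipe may continue past the end of this hunk.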
11 changes: 10 additions & 1 deletion build.Dockerfile
Expand Up @@ -35,6 +35,9 @@ ENV CARGO_NET_GIT_FETCH_WITH_CLI true
ARG SGX_MODE=SW
ENV SGX_MODE=$SGX_MODE

ARG SGX_PRODUCTION=0
ENV SGX_PRODUCTION=$SGX_PRODUCTION

ARG WORKER_FEATURES_ARG
ENV WORKER_FEATURES=$WORKER_FEATURES_ARG

Expand All @@ -55,14 +58,20 @@ ENV ADDITIONAL_FEATURES=$ADDITIONAL_FEATURES_ARG

ARG FINGERPRINT=none

ARG SGX_COMMERCIAL_KEY=enclave-runtime/Enclave_private.pem
ENV SGX_COMMERCIAL_KEY ${SGX_COMMERCIAL_KEY}

ARG SGX_PASSFILE
ENV SGX_PASSFILE ${SGX_PASSFILE}

WORKDIR $WORKHOME/worker

COPY . .

RUN --mount=type=cache,id=cargo-registry,target=/opt/rust/registry \
--mount=type=cache,id=cargo-git,target=/opt/rust/git/db \
--mount=type=cache,id=cargo-sccache-${WORKER_MODE}${ADDITIONAL_FEATURES},target=/home/ubuntu/.cache/sccache \
echo ${FINGERPRINT} && make && cargo test --release && sccache --show-stats
echo ${FINGERPRINT} && make && make identity && cargo test --release && sccache --show-stats

### Base Runner Stage
### The runner needs the aesmd service for the `SGX_MODE=HW`.
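Review bot: `COPY . .` copies the whole build context into the builder stage, which after this change includes the production signing key and passfile that build_and_test.yml writes to `enclave-runtime/intel_sgx.pem` and `enclave-runtime/passfile.txt` (unless a `.dockerignore` not shown here excludes them); the new `ARG SGX_COMMERCIAL_KEY` / `ARG SGX_PASSFILE` only carry paths, so the key material lands in a builder image layer and the BuildKit cache on the self-hosted runner, recoverable by anyone with access to that Docker daemon. Since the file already uses BuildKit mounts (`--mount=type=cache`), provide both files as secret mounts on the `make` RUN line, have the workflow write them outside the checkout and pass `--secret id=sgx_commercial_key,src=... --secret id=sgx_passfile,src=...` plus `--build-arg SGX_COMMERCIAL_KEY=/run/secrets/intel_sgx.pem --build-arg SGX_PASSFILE=/run/secrets/passfile.txt`; unset secrets leave the mount absent, so development builds keep the default key. `ENV SGX_COMMERCIAL_KEY ${SGX_COMMERCIAL_KEY}` uses the legacy space form; `ENV SGX_COMMERCIAL_KEY=${SGX_COMMERCIAL_KEY}` matches the `ENV SGX_MODE=$SGX_MODE` line above. The stage header is outside the hunk.
```dockerfile
# Signing key/passfile paths: default to the in-repo development key; production builds
# point these at the secret mounts on the RUN below so the key never enters a layer.
ARG SGX_COMMERCIAL_KEY=enclave-runtime/Enclave_private.pem
ENV SGX_COMMERCIAL_KEY=${SGX_COMMERCIAL_KEY}

ARG SGX_PASSFILE
ENV SGX_PASSFILE=${SGX_PASSFILE}

# … unchanged: WORKDIR, COPY . . …

RUN --mount=type=cache,id=cargo-registry,target=/opt/rust/registry \
    --mount=type=cache,id=cargo-git,target=/opt/rust/git/db \
    --mount=type=cache,id=cargo-sccache-${WORKER_MODE}${ADDITIONAL_FEATURES},target=/home/ubuntu/.cache/sccache \
    --mount=type=secret,id=sgx_commercial_key,target=/run/secrets/intel_sgx.pem \
    --mount=type=secret,id=sgx_passfile,target=/run/secrets/passfile.txt \
    echo ${FINGERPRINT} && make && make identity && cargo test --release && sccache --show-stats
```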