Merge pull request #16 from iExecBlockchainComputing/feature/gramine

mcornaton · web-flow · commit 304cfbd29865 · 2022-09-26T13:58:05.000+02:00
Feature/gramine
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -2,13 +2,24 @@
 
 buildInfo = getBuildInfo()
 
-def nativeImage = buildSimpleDocker_v2(
+baseDir = 'cloud-computing'
+nativeImage = buildSimpleDocker_v3(
   buildInfo: buildInfo,
-  dockerfileDir: 'cloud-computing',
+  dockerfileDir: baseDir,
+  buildContext: baseDir,
   dockerImageRepositoryName: 'python-hello-world',
-  imageprivacy: 'public'
+  visibility: 'docker.io'
 )
 
+buildSimpleDocker_v3(
+  buildInfo: buildInfo,
+  dockerfileDir: baseDir + '/gramine',
+  buildContext: baseDir,
+  dockerImageRepositoryName: 'tee-gramine-python-hello-world',
+  visibility: 'iex.ec'
+)
+
+
 sconeBuildUnlocked(
   nativeImage:     nativeImage,
   imageName:       'python-hello-world',
diff --git a/cloud-computing/gramine/Dockerfile b/cloud-computing/gramine/Dockerfile
@@ -0,0 +1,24 @@
+# FIXME: use tagged version when released
+FROM docker-regis.iex.ec/iexec-graphene-base:0.7.0
+
+RUN  apt-get install -y python3 \
+     && pip3 install pyfiglet
+
+ARG SOURCE_DIR=src
+ARG GRAMINE_DIR=gramine
+
+# get the code of app to /workplace/app
+COPY $SOURCE_DIR/app.py /workplace/app
+
+# set the main function for python and node app, no need for binnary app
+RUN sed -i "s#MAIN_FUNC=#MAIN_FUNC=/workplace/app/app.py#" /apploader.sh
+
+WORKDIR /workplace/app
+
+# Copy the manifest to use from within the base image
+# or create your own
+RUN mv /common-manifests/python.entrypoint.manifest /entrypoint.manifest \
+    && rm -r /common-manifests
+
+# Finalize app (finalize manifest and sign app)
+RUN /finalize-app.sh
diff --git a/cloud-computing/gramine/README.md b/cloud-computing/gramine/README.md
@@ -0,0 +1,90 @@
+## How to run demo with Gramine on localhost
+
+1. Start a SPS container:
+```shell
+SPS_VERSION=<set SPS version here>
+docker run -d \
+  -v /opt/multiple/sessions:/graphene/workplace/sessions \
+  -v /opt/secret-prov/certs/:/graphene/workplace/certs \
+  -p 8080:8080 -p 4433:4433 \
+  -e SPS_USERNAME=admin -e SPS_PASSWORD=admin \
+  --name iexec-sps \
+  iexechub/iexec-sps:${SPS_VERSION}
+```
+
+
+2. Build your app (from `cloud-computing` directory) :
+```shell
+docker build -t tee-gramine-python-hello-world:latest -f gramine/Dockerfile  .
+```
+Please note the `measurement` value.
+
+
+3. To add a session to the SPS, run the following after having filled both env var:
+```shell
+SESSION_ID=<define your custom session id>
+MEASUREMENT=<set previous retrieved measurement>
+
+curl --location --request POST 'localhost:8080/api/session/' \
+--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
+--header 'Content-Type: application/json' \
+--data-raw '{
+  "session": "'${SESSION_ID}'",
+  "enclaves": [
+    {
+      "name": "app",
+      "mrenclave": "'${MEASUREMENT}'",
+      "command": "/apploader.sh",
+      "environment": {
+        "IEXEC_IN": "/iexec_in",
+        "IEXEC_OUT": "/iexec_out",
+        "IEXEC_DATASET_FILENAME": "file.txt",
+        "IEXEC_INPUT_FILES_NUMBER": "1",
+        "IEXEC_INPUT_FILE_NAME_1": "file.txt",
+        "IEXEC_TASK_ID": "TASK_ID",
+        "IEXEC_APP_DEVELOPER_SECRET": "App developer secret",
+        "IEXEC_REQUESTER_SECRET_1": "Requester secret 1",
+        "IEXEC_REQUESTER_SECRET_2": "Requester secret 2",
+        "IEXEC_REQUESTER_SECRET_3": "Requester secret 3"
+      },
+      "volumes": [
+      ]
+    }
+  ]
+}'
+```
+
+
+4. Run the app:
+```shell
+docker run \
+  --device=/dev/sgx/enclave \
+  -v /iexec_in:/iexec_in -v /tmp/iexec_out:/iexec_out \
+  -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
+  -v $PWD/encryptedData:/workplace/encryptedData \
+  -v /opt/secret-prov/certs/:/graphene/attestation/certs/ \
+  --net=host \
+  -e session=${SESSION_ID} -e sps=localhost:4433 \
+  tee-gramine-python-hello-world:latest
+```
+
+
+### Troubleshooting:
+
+#### "Get keys failed"
+When the app can't communicate with the SPS, you can encounter some numeric error codes, in the following format:
+```
+[error] connect to kms failed, kms_endpoint is iexec-sps:4433, cert_path is /graphene/attestation/certs/test-ca-sha256.crt
+[error] get keys failed, return -[ERROR_CODE] 
+```
+
+Depending on the error code, the issue is the following:
+
+| Error code |       Error       |                                                         Solution                                                          |
+|:----------:|:-----------------:|:-------------------------------------------------------------------------------------------------------------------------:|
+|    111     |  Can't reach SPS  |                                       Check SPS IP is correct in app configuration.                                       |
+|    9984    | Certificate error | Check both app & SPS share a valid certificate. Regenerate it if needed, providing SPS IP as `Common Name` when prompted. |
+
+
+#### Dataset and input files are not correctly read
+Check they are correctly added as `sgx.allowed_files` in `entrypoint.manifest`.
