-
Notifications
You must be signed in to change notification settings - Fork 0
219 lines (204 loc) · 9.56 KB
/
sconify.yml
File metadata and controls
219 lines (204 loc) · 9.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
name: Build, Test and Push Docker Image
on:
workflow_call:
inputs:
docker-registry:
description: "Docker registry of docker image to sconify"
default: "docker.io"
type: string
image-name:
description: "Name of docker image to sconify"
type: string
required: true
image-tag:
description: "Tag of docker image to sconify"
type: string
required: true
sconify-version:
description: "Version of the sconify image to use"
type: string
required: true
binary:
description: "Path of the binary to use"
type: string
required: true
binary-fs:
description: "Embed the file system into the binary via Scone binary file system (default: false)"
type: boolean
default: false
fs-dir:
description: "Path of directories to add to the binary file system (use multiline to add multiple directories)"
type: string
fs-file:
description: "Path of files to add to the binary file system (use multiline to add multiple files)"
type: string
host-path:
description: "Host path, served directly from the host file system (use multiline to add multiple path)"
type: string
heap:
description: "Enclave heap size (default 1G)"
type: string
default: "1G"
mprotect:
description: "Scone mprotect mode (0:disable; 1:enable; default 0)"
type: number
default: 0
dlopen:
description: "Scone dlopen mode (0:disable; 1:enable; default 0)"
type: number
default: 0
sconify-debug:
description: "Create Scone debug image (default true)"
type: boolean
default: true
sconify-prod:
description: "Create Scone production image (default true)"
type: boolean
default: true
runner:
description: "Runner to use (overrides `runs-on`) ⚠️ the specified runner must feature Ubuntu OS and docker CE"
type: string
default: "ubuntu-latest"
secrets:
docker-username:
description: "Docker registry username"
required: true
docker-password:
description: "Docker Registry Password or Token"
required: true
scontain-username:
description: "Scontain registry username"
required: true
scontain-password:
description: "Scontain Registry Password or Token"
required: true
scone-signing-key:
description: "Signing Key for Scone Production (not required with `sconify-prod: false`)"
required: false
outputs:
debug-image-tag:
description: "Debug Sconified Image Tag"
value: ${{ jobs.build.outputs.debug-image-tag }}
debug-mrenclave:
description: "Debug Sconified Image MrEnclave Fingerprint"
value: ${{ jobs.build.outputs.debug-mrenclave }}
debug-checksum:
description: "Debug Sconified Image Checksum"
value: ${{ jobs.build.outputs.debug-checksum }}
prod-image-tag:
description: "Prod Sconified Image Tag"
value: ${{ jobs.build.outputs.prod-image-tag }}
prod-mrenclave:
description: "Prod Sconified Image MrEnclave Fingerprint"
value: ${{ jobs.build.outputs.prod-mrenclave }}
prod-checksum:
description: "Prod Sconified Image Checksum"
value: ${{ jobs.build.outputs.prod-checksum }}
jobs:
build:
runs-on: ${{ inputs.runner }}
outputs:
debug-image-tag: ${{ steps.push-debug.outputs.tag }}
debug-mrenclave: ${{ steps.push-debug.outputs.mrenclave }}
debug-checksum: ${{ steps.push-debug.outputs.checksum }}
prod-image-tag: ${{ steps.push-prod.outputs.tag }}
prod-mrenclave: ${{ steps.push-prod.outputs.mrenclave }}
prod-checksum: ${{ steps.push-prod.outputs.checksum }}
steps:
- name: Create Temporary Directory
run: mkdir -p ${{github.workspace}}/tmp
- name: Prepare Sconify Command
id: prepare-command
run: |
IMAGE_REPO=${{ inputs.docker-registry }}/${{ inputs.image-name }}
DEBUG_IMAGE_TAG=${{ inputs.image-tag }}-scone-debug-${{ inputs.sconify-version }}
PROD_IMAGE_TAG=${{ inputs.image-tag }}-scone-prod-${{ inputs.sconify-version }}
echo "image-repo=$IMAGE_REPO" | tee -a "$GITHUB_OUTPUT"
echo "debug-image-tag=$DEBUG_IMAGE_TAG" | tee -a "$GITHUB_OUTPUT"
echo "prod-image-tag=$PROD_IMAGE_TAG" | tee -a "$GITHUB_OUTPUT"
# Prepare the base command for sconify
SCONIFY_CMD="sconify_iexec"
# REQUIRED:
# --from
SCONIFY_CMD+=" --from=$IMAGE_REPO:${{ inputs.image-tag }}"
# --to will be added later on
# --binary
SCONIFY_CMD+=" --binary=${{ inputs.binary }}"
# OPTIONAL:
# --host-path variadic option
while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --host-path=$line" ; done <<< '${{ inputs.host-path }}'
# BINARY FILE SYSTEM (binary fs):
# --binary-fs option
if ${{ inputs.binary-fs }}; then SCONIFY_CMD+=" --binary-fs"; fi
# --fs-dir variadic option
while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --fs-dir=$line" ; done <<< '${{ inputs.fs-dir }}'
# --fs-file variadic option
while IFS= read -r line; do [[ -n "$line" ]] && SCONIFY_CMD+=" --file=$line" ; done <<< '${{ inputs.fs-file }}'
# SCONE ENV VARS:
# --heap option
[[ -n '${{ inputs.heap }}' ]] && SCONIFY_CMD+=" --heap=${{ inputs.heap }}"
# --dlopen option
[[ -n '${{ inputs.dlopen }}' ]] && SCONIFY_CMD+=" --dlopen=${{ inputs.dlopen }}"
# --mprotect option
[[ -n '${{ inputs.mprotect }}' ]] && SCONIFY_CMD+=" --mprotect=${{ inputs.mprotect }}"
# DEBUG
# --verbose --no-color options
SCONIFY_CMD+=" --verbose --no-color"
echo "sconify-base-command=$SCONIFY_CMD" | tee -a "$GITHUB_OUTPUT"
- name: Login to Docker Registry
uses: docker/login-action@v3
with:
registry: ${{ inputs.docker-registry }}
username: ${{ secrets.docker-username }}
password: ${{ secrets.docker-password }}
- name: Login to Scontain Docker Registry
uses: docker/login-action@v3
with:
registry: "registry.scontain.com"
username: ${{ secrets.scontain-username }}
password: ${{ secrets.scontain-password }}
- name: Pull Image to Sconify
run: docker pull ${{ inputs.docker-registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}
- name: Pull Sconify Image
run: docker pull registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }}
- name: Sconify Image Debug
if: ${{ inputs.sconify-debug }}
run: |
docker run \
--rm \
-v /var/run/docker.sock:/var/run/docker.sock \
registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
${{ steps.prepare-command.outputs.sconify-base-command }} \
--to=${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }}
- name: Push Debug Image
if: ${{ inputs.sconify-debug }}
id: push-debug
run: |
docker push ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }}
echo "tag=${{ steps.prepare-command.outputs.debug-image-tag }}" | tee -a "$GITHUB_OUTPUT"
echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT"
echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.debug-image-tag }})" | tee -a "$GITHUB_OUTPUT"
- name: Sconify Image Prod
if: ${{ inputs.sconify-prod }}
run: |
mkdir -p ${{github.workspace}}/tmp/sig
echo "${{ secrets.scone-signing-key }}" > ${{github.workspace}}/tmp/sig/enclave-key.pem
docker run \
--rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v ${{github.workspace}}/tmp/sig/enclave-key.pem:/sig/enclave-key.pem \
registry.scontain.com/scone-production/iexec-sconify-image:${{ inputs.sconify-version }} \
${{ steps.prepare-command.outputs.sconify-base-command }} \
--to=${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }} \
--scone-signer=/sig/enclave-key.pem
- name: Push Prod Image
if: ${{ inputs.sconify-prod }}
id: push-prod
run: |
docker push ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }}
echo "tag=${{ steps.prepare-command.outputs.prod-image-tag }}" | tee -a "$GITHUB_OUTPUT"
echo "checksum=0x$(docker image inspect ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }} | jq .[0].RepoDigests[0] | sed 's/"//g' | awk -F '@sha256:' '{print $2}')" | tee -a "$GITHUB_OUTPUT"
echo "mrenclave=$(docker run --rm -e SCONE_HASH=1 ${{ steps.prepare-command.outputs.image-repo }}:${{ steps.prepare-command.outputs.prod-image-tag }})" | tee -a "$GITHUB_OUTPUT"
- name: Clean Temporary Directory
if: always()
run: rm -rf ${{github.workspace}}/tmp