GSC failed to run signed Docker image #162
Comments
Please don't paste screenshots of text, instead just copy and paste the text itself. It's hard to read and makes it impossible to copy and search in it.
This doesn't sound right. GSC doesn't do anything with the
I am able to run the Docker image without Gramine and it works fine. Please find the output below. After converting it to a Gramine container, should we mount the /opt path or change the entrypoint.sh? Am I missing something here?

```
SLF4J: Class path contains multiple SLF4J bindings.
2023-07-17 10:49:10,175 1 INFO CommonConfig:507 - baffle.config.path is defined, using value /opt/baffle/Release-Baffle.1.7.0.161/shield
2023-07-17 10:49:10,429 15 INFO PrivacySchemaReaderToml:106 - Reading from BafflePrivacySchema
```

Can you show the
Original app image command:

GSC generated image:

I even tried to run the gsc container command without passing the environment variables.
Have you tried to enter this GSC-generated Docker image and take a look around? With a command like:
When you enter the Bash session inside this GSC-generated image, you really don't see the
I tried to look inside the GSC Docker image. The opt folder is there, but it's empty.
And it's not empty in the original app Docker image? Are you sure? How is this possible...
It's not empty in the original Docker image. It has the start-baffle-shield.sh script in the defined path /opt/baffle/Release-Baffle.1.7.0.161/shield.
But you performed

What if you just do:
I tried the above command which you gave; the existing image has the baffle folder inside opt.
This makes no sense to me... Could you:
In other words, re-do the whole GSC process from an absolutely clean state, and show us the logs.
I deleted all the Docker images and pruned them. Git cloned https://github.com/gramineproject/gsc.git
This time the build failed in Step 9. Please find the build output below.

```
Step 9/29 : RUN cd /gramine && meson setup build/ --prefix="/gramine/meson_build_output" --buildtype=release -Ddirect=enabled -Dsgx=enabled -Ddcap=enabled -Dsgx_driver=upstream -Dsgx_driver_include_path=/gramine/driver && ninja -C build && ninja -C build install
 ---> Running in 319df51f93e9
```
What you are now seeing is another new issue. Please change this line to the below, and retry.
I tried the above fix and the ninja issue is resolved, but got into another error.

```
Step 12/29 : RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y binutils expect libprotobuf-c-dev locales openssl python3 python3-cryptography python3-protobuf python3-pyelftools \python3-pip && /usr/bin/python3 -B -m pip install click jinja2 protobuf 'tomli>=1.1.0' 'tomli-w>=0.4.0' && apt-get remove -y python3-pip && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
 ---> Running in 030aed51b7a5
Failed to build unsigned graminized Docker image
```

What's the distro of your base image?
Please find the details below:

```
DISTRIB_ID=Ubuntu
```

Gramine does not yet support Ubuntu 22.04, though the support will be merged shortly, probably next week. In the meantime, you can try this PR…
So are you already using the mentioned PR? #155 ?
Yes, even after using this PR I get the below error.

```
Step 12/29 : RUN apt-get update && env DEBIAN_FRONTEND=noninteractive apt-get install -y binutils expect libprotobuf-c-dev locales openssl python3 python3-cryptography python3-protobuf python3-pyelftools \python3-pip && /usr/bin/python3 -B -m pip install click jinja2 protobuf 'tomli>=1.1.0' 'tomli-w>=0.4.0' && apt-get remove -y python3-pip && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
 ---> Running in 030aed51b7a5
Failed to build unsigned graminized Docker image gsc-icr.io/data-security-broker/dsb-shield-postgresql:v1-unsigned.
```

Please paste the contents of your
Please find the contents below.

```yaml
# Specify the OS distro that is used to build Gramine, i.e., the distro from where the Gramine build
# gets all tools and dependencies from. This distro should match the distro underlying the
# application's Docker image; otherwise the results may be unpredictable.
#
# Currently supported distros are:
# - ubuntu:20.04, ubuntu:21.04, ubuntu:22.04
# - debian:10, debian:11, debian:12
# - centos:8
Distro: "ubuntu:22.04"

# If the image has a specific registry, define it here.
# Empty by default; example value: "registry.access.redhat.com/ubi8".
Registry: ""

# If you're using your own fork and branch of Gramine, specify the GitHub link and the branch name
# below; typically, you want to keep the default values though.
#
# It is also possible to specify the prebuilt Gramine Docker image (that was built previously via
# the `gsc build-gramine` command). For this, remove Repository and Branch and instead write:
# Image: "<prebuilt Gramine Docker image>"
#
# GSC releases are guaranteed to work with corresponding Gramine releases (and GSC `master`
# branch is guaranteed to work with current Gramine `master` branch).
Gramine:
    Repository: "https://github.com/gramineproject/gramine.git"
    Branch: "master"

# Specify the Intel SGX driver installed on your machine (more specifically, on the machine where
# the graminized Docker container will run); there are several variants of the SGX driver:
#
# - upstream (in-kernel) driver: use empty values like below
# Repository: ""
# Branch: ""
#
# - DCAP out-of-tree driver: same as above, use empty values
# Repository: ""
# Branch: ""
#
# - legacy out-of-tree driver: use something like the below values, but adjust the branch name
# Repository: "https://github.com/01org/linux-sgx-driver.git"
# Branch: "sgx_driver_1.9"
#
SGXDriver:
    Repository: ""
    Branch: ""
```

Please take out all the redundant comments. What's the Python version of your base image, and GSC image?
My base image doesn't have Python installed on it. I have attached the distro of the base image and the GSC image.

Base image:

```
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
```

GSC image:

Ok so that's the issue. Your base image distro is RHEL 8 (and not Ubuntu 22.04 as mentioned earlier). The GSC supported distros are called out in the
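The mismatch diagnosed here (config.yaml said `ubuntu:22.04`, the base image is RHEL 8) is easy to catch before running `gsc build`. The following is an added example for this thread, not code from GSC or Gramine: it reads the base image's `/etc/os-release`, derives the `name:version` string GSC's config.yaml expects, and compares it with the configured `Distro` and with the supported list quoted from config.yaml above. The mapping rule (full `YY.MM` for Ubuntu, major version only for Debian/CentOS/RHEL) and the sample `/etc/os-release` contents are my assumptions; how you obtain the file from the image (e.g. with `docker run --rm --entrypoint cat IMAGE /etc/os-release`) is not shown.

```python
"""Derive GSC's config.yaml `Distro` value from a base image's /etc/os-release
and check it against the distros config.yaml lists as supported.
Added example (not GSC's own code); see the lead-in for assumptions."""

# Supported distros exactly as listed in the config.yaml comments quoted in this thread.
SUPPORTED_DISTROS = {
    "ubuntu:20.04", "ubuntu:21.04", "ubuntu:22.04",
    "debian:10", "debian:11", "debian:12",
    "centos:8",
}

# Constructed sample /etc/os-release contents (not copied from any real image).
OS_RELEASE_RHEL8 = '''
NAME="Red Hat Enterprise Linux"
VERSION="8.8 (Ootpa)"
ID="rhel"
VERSION_ID="8.8"
'''
OS_RELEASE_UBUNTU2204 = '''
NAME="Ubuntu"
ID=ubuntu
VERSION_ID="22.04"
'''


def parse_os_release(text):
    """Parse KEY=VALUE lines into a dict, stripping surrounding quotes."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"').strip("'")
    return info


def gsc_distro_string(os_release):
    """Map ID/VERSION_ID to GSC's 'name:version' form (assumed mapping rule):
    Ubuntu keeps its full YY.MM version, everything else keeps the major version."""
    distro_id = os_release.get("ID", "").lower()
    version = os_release.get("VERSION_ID", "")
    if distro_id != "ubuntu":
        version = version.split(".")[0]
    return f"{distro_id}:{version}"


def check_base_image_distro(os_release_text, configured_distro):
    """Compare what the image reports with what config.yaml declares."""
    detected = gsc_distro_string(parse_os_release(os_release_text))
    return {
        "detected": detected,
        "configured": configured_distro,
        "matches_config": detected == configured_distro,
        "supported_by_gsc": detected in SUPPORTED_DISTROS,
    }


if __name__ == "__main__":
    # The situation in this thread: RHEL 8 base image, config.yaml set to ubuntu:22.04.
    print(check_base_image_distro(OS_RELEASE_RHEL8, "ubuntu:22.04"))
    print(check_base_image_distro(OS_RELEASE_UBUNTU2204, "ubuntu:22.04"))
```

A `matches_config` of `False` means the Gramine build layer and the application layer will be built from different distros, which is exactly the "unpredictable results" the config.yaml comment warns about; a `supported_by_gsc` of `False` means no `Distro` value will work and the image needs a supported base or a custom build, as the next comments discuss.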
I tried to change the distro to centos:8 in the config.yaml file and then build it using the `./gsc build --insecure-args icr.io/data-security-broker/dsb-shield-postgresql:v1 test/generic.manifest` command. Got the following error.

```
 ---> 4a357a2376f9
 ---> Running in 776215230c73
Failed to build unsigned graminized Docker image
```

GSC does not support RHEL at this point. But Gramine packages for RHEL are available, so you could consider building an image by installing RHEL packages. Another option is to move to one of the supported distros, does that work for you? If no other options, then we will have to look at taking this as a feature request. @dimakuv - any other ideas?
Can you explain how to build an image by installing RHEL packages? Will this option run inside GSC or Gramine directly? Moving to other distros is not an option because this is a third-party application.
We will revert with a simple script to run a
Ok thanks.
Just wanted to check - my host OS is Ubuntu and the application base image is RHEL. Will this work wrt GSC? If not, then which image is the issue here and needs to be changed to what?
@NandiniKJ Please modify JAVA_HOME as `loader.env.JAVA_HOME = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/"`. In the LD_LIBRARY_PATH that you have set, the 'j' is missing in `ava-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64`. Could you please modify this as well?
@sahason Please find the manifest file below.
Still getting the same error:
@SonaliSaha Java path is already set in the manifest file. I also added LD_PRELOAD for libjava.so.
Getting the same error:
@NandiniKJ Could you please share a minimal Docker image/Dockerfile where I can repro the issue along with the manifest? It will help to debug further.
@sahason I cannot share the Docker image/Dockerfile as it is a proprietary third-party application. Can you please confirm which version and flavour of Java Gramine supports?
@NandiniKJ Could you please send the output of the below commands by running inside the GSC container?
@sahason Please find the details below.
@NandiniKJ Output of
@sahason Got a `sudo: command not found` error.
@NandiniKJ I could repro the issue in my system with a custom image. After adding the below lines to the manifest file the issue got resolved.

```toml
loader.env.LD_PRELOAD = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/lib/amd64/jli/libjli.so:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/lib/amd64/libjava.so"
loader.env.JAVA_HOME = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64"
```

If you already have these lines added to the manifest, could you try removing any other entries for OpenJDK from LD_LIBRARY_PATH, LD_PRELOAD etc.? Also, you mentioned you could append LD_LIBRARY_PATH. How are you doing it? I get GSC build errors when I try to add an entry for LD_LIBRARY_PATH. Is it possible for you to share your manifest file? Could you please share your build steps?
@sahason Can you please confirm whether you made the above changes in entrypoint.manifest.template or entrypoint.common.manifest.template?
@NandiniKJ You should not modify these files. You must be building with this command: `gsc build [OPTIONS] <APP.MANIFEST>`. Please check . I am using this command to build
I tried the changes and this is the output:

```
root@baremetal01-innovation-poc-sgx:~/gramine/gsc-rhel/gsc# docker run --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-icr.io/data-security-broker/dsb-shield-postgresql:v1 -c 'print("HelloWorld!")'
```

Ok. So the libjava.so error is gone now. The libjava.so path is the same for us. Please use the path that is valid for you for libjli and the error related to this will be gone. Now you are seeing this error. For this kind of error, please find the path for the library in the image and add it to `loader.env.LD_PRELOAD`.
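Two failure modes in this thread come down to the manifest naming a path that is not there: the dropped 'j' in the LD_LIBRARY_PATH entry pointed out earlier, and the libjli/libjava/libjvm lookups that the advice above says to resolve by finding the library in the image first. The check below is an added example for this thread, not GSC's or Gramine's own tooling: it reads the `loader.env.*` entries of a manifest and tests each referenced path against an extracted copy of the application image's root filesystem. Assumptions: the manifest entries are plain `loader.env.NAME = "value"` lines (Jinja-templated values are not handled), the image filesystem is available as a directory (for instance from `docker export CONTAINER | tar -x -C DIR`, which is not shown), and the sample manifest and the stand-in filesystem are constructed here, reusing the OpenJDK path quoted in the thread.

```python
"""Cross-check library paths in a Gramine manifest's loader.env entries
against an extracted image root filesystem.
Added example (not GSC's or Gramine's own code); see the lead-in for assumptions."""
import os
import re
import tempfile

# Simplified manifest parsing (assumption): only `loader.env.NAME = "value"` lines are read.
ENV_LINE = re.compile(r'^\s*loader\.env\.([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$', re.M)

# Keys whose values are colon-separated path lists, and keys holding a single path.
PATH_LIST_KEYS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
SINGLE_PATH_KEYS = {"JAVA_HOME"}

# OpenJDK install path as quoted in the thread, and the same path with the 'j' dropped.
JAVA_HOME = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64"
TYPO_JAVA_HOME = JAVA_HOME.replace("/java-", "/ava-")

# Constructed sample manifest: JAVA_HOME and LD_PRELOAD are correct,
# LD_LIBRARY_PATH carries the "missing j" typo discussed in the thread.
SAMPLE_MANIFEST = f'''
loader.env.JAVA_HOME = "{JAVA_HOME}"
loader.env.LD_PRELOAD = "{JAVA_HOME}/jre/lib/amd64/jli/libjli.so:{JAVA_HOME}/jre/lib/amd64/libjava.so"
loader.env.LD_LIBRARY_PATH = "{TYPO_JAVA_HOME}/jre/lib/amd64/server"
'''


def parse_loader_env(manifest_text):
    """Return {NAME: value} for every loader.env line in the manifest."""
    return {m.group(1): m.group(2) for m in ENV_LINE.finditer(manifest_text)}


def check_paths(env, rootfs):
    """Yield (key, path, exists) for each path-valued loader.env entry, resolving
    the absolute in-image path underneath the extracted rootfs directory."""
    results = []
    for key, value in env.items():
        if key in PATH_LIST_KEYS:
            paths = [p for p in value.split(":") if p]
        elif key in SINGLE_PATH_KEYS:
            paths = [value]
        else:
            continue  # non-path environment variables are not checked
        for path in paths:
            host_path = os.path.join(rootfs, path.lstrip("/"))
            results.append((key, path, os.path.exists(host_path)))
    return results


def missing_paths(manifest_text, rootfs):
    """Paths the manifest references that do not exist in the image."""
    env = parse_loader_env(manifest_text)
    return [(key, path) for key, path, ok in check_paths(env, rootfs) if not ok]


def build_sample_rootfs():
    """Constructed stand-in for an extracted image: the correctly spelled OpenJDK
    tree exists, so only the misspelled LD_LIBRARY_PATH entry should be reported."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel in ("jre/lib/amd64/jli/libjli.so", "jre/lib/amd64/libjava.so",
                "jre/lib/amd64/server/libjvm.so"):
        full = os.path.join(root, JAVA_HOME.lstrip("/"), rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()  # empty placeholder; only existence is checked
    return root


if __name__ == "__main__":
    rootfs = build_sample_rootfs()
    for key, path, ok in check_paths(parse_loader_env(SAMPLE_MANIFEST), rootfs):
        print(f"{'ok     ' if ok else 'MISSING'} {key}: {path}")
```

Running this against a real extracted image before `gsc build` turns the "library not found" errors seen later in the thread into a list of the exact manifest entries to correct; an empty `/opt` in the extracted rootfs would likewise show up as every path under it being reported missing.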
@sahason I have updated the path accordingly; if I add the libjvm.so path to loader.env.LD_PRELOAD then I get the same error as before.
The libjvm.so path has to be added to loader.env.LD_LIBRARY_PATH, but I get build errors when I try to add this.
@NandiniKJ Could you please use OpenJDK 11 instead of OpenJDK 8 in your base image?
@NandiniKJ To use OpenJDK 8, could you please pull the latest changes from https://github.com/sahason/gsc/tree/sahason/gsc-rhel8-support and give it a try? You need to add this line
@NandiniKJ Could you please pull the latest changes from this branch https://github.com/sahason/gsc/tree/sahason/gsc-rhel8-support? Now you don't need to modify anything in your base image Dockerfile. The only change you need to make is add an entry of
@sahason Thank you so much, I will try this solution and update you in some time.
@sahason Got the below error:
@NandiniKJ From your earlier comments I see that
Please modify your manifest with `loader.env.LD_PRELOAD = "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/lib/amd64/jli/libjli.so"` and try again.
@NandiniKJ - have you tried this?
Hi @aneessahib, after taking the latest pull and making changes in the manifest file, I'm getting the below error.
@NandiniKJ Please run this command
@sahason Please find the output below.

```
root@baremetal01-innovation-poc-sgx:~/gramine/gsc-rhel/gsc# docker run --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-icr.io/data-security-broker/dsb-shield-postgresql:v1 -c 'print("HelloWorld!")'
```

@NandiniKJ Could you please run this command natively (without gsc) and share the output?
When I try to run the above docker command, I got the below output.

```
root@baremetal01-innovation-poc-sgx:~# docker run icr.io/data-security-broker/dsb-shield-postgresql:v1 -c 'print("HelloWorld!")'
SLF4J: Class path contains multiple SLF4J bindings.
```

I'm able to run the Docker image by passing the environment variables.
Output:

```
root@baremetal01-innovation-poc-sgx:~# docker run --rm -e BM_IP=dsb-manager-dsb-for-nandini.dsb-roks-vpc-412-c9b7119538b194dae4a1958742b244b0-0000.eu-de.containers.appdomain.cloud -e BM_SHIELD_SYNC_ID=IyNTSElFTEQjI2RzYi1uZ2lueCMjNDQzIyNpYm0jIzY0YWNmYWJkNjVmYWI2MTI0Zjc4NzJmYSMjODQ0NCMjMTJhM2ZkZDA0ZTdlYWEzODcxZGY5ODFjYzNmNWE0Njg3NDk2NjMyZWIwMzZjZTY3NjM3OWQ4YTQ3NjY1ZTlkMw== -e BM_SHIELD_TAG=dsb-shield-app1 -e BS_SSL=true -e BS_SSL_KEYSTORE_FILE=/opt/sslconfig/baffleshield-keystore.jks -e BS_SSL_KEYSTORE_PASSWORD=keystore -e BS_SSL_TRUSTSTORE_FILE=/opt/sslconfig/baffleshield-keystore.jks -e BS_SSL_TRUSTSTORE_PASSWORD=keystore -e BS_SSL_TLS_VERSION=TLSv1.2 -e KMS_CONFIG_PROPERTIES="{'baffle_secret':'123456','kmsType': 'local'}" icr.io/data-security-broker/dsb-shield-postgresql:v1 -c 'print("HelloWorld!")'
SLF4J: Class path contains multiple SLF4J bindings.
```

@NandiniKJ Could you please pass the same environment variables for running the GSC image and share the output. You need to add this line
@sahason Made the above changes and got the following output.

```
root@baremetal01-innovation-poc-sgx:~/gramine/gsc-rhel/gsc# docker run --rm -e BM_IP=******* -e BM_SHIELD_SYNC_ID=******** -e BM_SHIELD_TAG=dsb-shield-app1 -e BS_SSL=true -e BS_SSL_KEYSTORE_FILE=/opt/sslconfig/baffleshield-keystore.jks -e BS_SSL_KEYSTORE_PASSWORD=keystore -e BS_SSL_TRUSTSTORE_FILE=/opt/sslconfig/baffleshield-keystore.jks -e BS_SSL_TRUSTSTORE_PASSWORD=keystore -e BS_SSL_TLS_VERSION=TLSv1.2 -e KMS_CONFIG_PROPERTIES="{'baffle_secret':'*****','kmsType': 'local'}" --device=/dev/sgx_enclave -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket gsc-icr.io/data-security-broker/dsb-shield-postgresql:v1
```
Description of the problem
We are trying to run a Docker image using Gramine Shielded Containers.
We are successfully able to create the signed image, but the container is throwing the below error when we try to run the signed Docker image.
We have been following this link: https://gramine.readthedocs.io/projects/gsc/en/latest/
We were able to bring this application up with a normal container deployment and were able to verify that the start-baffle-shield.sh file exists. After converting to and running inside a Gramine container, I found that the opt folder is empty.
Could you help us with this? Are we missing something here?
Steps to reproduce
Expected results
Actual results