Update GSC with Gramine's new SGX driver requirements

[adarshan-intel]

Description of the Changes

This pull request updates the Gramine Shielded Containers (GSC) to comply with the new SGX driver requirements.
As part of the gramineproject/gramine#2061 in the Gramine master branch, the options -Dsgx_driver, -Dsgx_driver_include_path, and -Dsgx_driver_device have been removed. Similar changes should be backported into GSC as well.

It includes modifications to the Dockerfile and entry point templates for CentOS and Debian. Additionally, it removes the -Dsgx_driver and -Dsgx_driver_include_path options when building Gramine inside the container. For further details, please refer to gramine PR #2061

Previously, we explicitly used to locate the sgx.h package in /gramine/driver using Dsgx_driver_include_path.
However, we are now installing additional package linux-libc-dev that provides sgx.h out of the box.

Fixes #227

How to Test This PR

Continuous Integration (CI)

---

This change is 

[adarshan-intel]

@kailun-qin Please review

[anirbanbasu]

These changes now result in meson.build:108:7: ERROR: C header 'asm/sgx.h' not found -- I am not sure what am I missing.

[adarshan-intel]

Can you go through this PR - Remove support for OOT (out-of-tree) SGX driver by woju · Pull Request #2061 · gramineproject/gramine
It has explanation of why this could be failing, probably older kernel?

Reviewable status: 0 of 4 files reviewed, all discussions resolved, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners

[anirbanbasu]

Can you go through this PR - Remove support for OOT (out-of-tree) SGX driver by woju · Pull Request #2061 · gramineproject/gramine It has explanation of why this could be failing, probably older kernel?

Reviewable status: 0 of 4 files reviewed, all discussions resolved, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners

Thanks @adarshan-intel, I am using the 6.8.0-40-generic kernel -- thus, asm/sgx.h should be available to meson on line 108 of the meson build (https://github.com/gramineproject/gramine/blob/5789620a6d04208e5803321953e09eca2c24dd7b/meson.build#L108), isn't it?

[adarshan-intel]

@anirbanbasu Have made a recent change in the commit, try running again.
Previously, we explicitly used to locate the sgx.h package in /gramine/driver using Dsgx_driver_include_path.
However, we are now including it in /usr/include, which contains all the header files by default.

[woju]

@woju Do you have an idea how to proceed with this?

The correct solution is to install linux-libc-dev package that needs to match kernel >= 5.11, provided that distro ships recent enough version (all distros supported by Gramine do). On which distros this error happens?

(Downloading the header from the Internet and copying it into /usr/include is not a correct solution).

[anirbanbasu]

@adarshan-intel, downloading to /usr/include does not throw the asm/sgx.h not found error. It builds but the built container does not execute -- it may be some other application-level error, which I need to investigate. I see that you have changed some other files but I have not tried those changes yet.

@woju, this is happening on Ubuntu and Debian. Should I install linux-libc-dev on my application container?

[anirbanbasu]

While the build process succeeds, I get a separate error when starting the built container as [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT) but I am inclined to believe that this is some misconfiguration at my application level.

[woju]

Should I install linux-libc-dev on my application container?

Yes, you need to install it wherever you compile Gramine.

[anirbanbasu]

Should I install linux-libc-dev on my application container?

Yes, you need to install it wherever you compile Gramine.

@woju, should this (https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.compile.template) not be the one to install linux-libc-dev?

[anirbanbasu]

While the build process succeeds, I get a separate error when starting the built container as [P1:T1:] error: libos_init() failed in init_exec_handle: No such file or directory (ENOENT) but I am inclined to believe that this is some misconfiguration at my application level.

Just to make sure that this comment of mine does not confuse anyone, this turned out to be a misconfiguration in my application, which has now been dealt with.

[woju]

@woju, should this (https://github.com/gramineproject/gsc/blob/master/templates/Dockerfile.common.compile.template) not be the one to install linux-libc-dev?

It should be installed in templates that derive from this one, because package installation is different in different distributions (i.e. in this apt-get install:

gsc/templates/debian/Dockerfile.compile.template

Line 7 in e57a501

&& env DEBIAN_FRONTEND=noninteractive apt-get install -y \

and other distros have comparable commands that also need to be adjusted).

[adarshan-intel]

The latest commit e57fc97 (#228) does what @woju said, to remove instllation of sgx.h from internet and install from linux-libc-dev package that provides sgx.h,

I have tested basic runs on Ubuntu, Debian, CentOS, CentOS Stream 9, Red Hat, and SLES. Everything is running fine.

[anirbanbasu]

The latest commit e57fc97 (#228) does what @woju said, to remove instllation of sgx.h from internet and install from linux-libc-dev package that provides sgx.h,

I have tested basic runs on Ubuntu, Debian, CentOS, CentOS Stream 9, Red Hat, and SLES. Everything is running fine.

@adarshan-intel @woju in my case, this brought back the ERROR: C header 'asm/sgx.h' not found again, which can be fixed (again) by downloading sgx.h into /usr/include!

[adarshan-intel]

@anirbanbasu The solution I mentioned seems like a bit of a hack and might not be the best approach. According to @woju I've added the necessary package to the templates/debian/Dockerfile.compile.template Docker file, which includes the sgx.h header. Since you're using Ubuntu or debian, linux-libc-dev should already be installed in the latest commit when you run gsc build which contains sgx.h package

@woju Is there something I am missing here?

[adarshan-intel]

@anirbanbasu By the way, which Ubuntu version are you using? Is it 20.04, 22.04, 23.10 or 24.04?
If you are using Ubuntu 20.04 then this distro is not supported in further release cycle.

[anirbanbasu]

@anirbanbasu By the way, which Ubuntu version are you using? Is it 20.04, 22.04, 23.10 or 24.04? If you are using Ubuntu 20.04 then this distro is not supported in further release cycle.

@adarshan-intel I am using Ubuntu 22.04.5 LTS.

[adarshan-intel]

@anirbanbasu The changes I made should be working on Ubuntu 22.04.5. Everything looks good from my end, but let's wait for @woju's opinion to confirm.

[adarshan-intel]

@anirbanbasu Could you share the logs with me? Also, template files to troubleshoot the issue?

[anirbanbasu]

@anirbanbasu Could you share the logs with me? Also, template files to troubleshoot the issue?

@adarshan-intel unfortunately, due to confidentiality reasons, I cannot.

The template file templates/Dockerfile.common.compile.template looks exactly like the one you have on this pull request except for internal proxy configuration that should be enabled within my network to have git pull from the Gramine repository. I also modified each and every other file the way you have in your pull request.

Regarding the logs, if I remove the manual download of sgx.h into /usr/include/asm then I get the same error as the original one I reported, i.e., meson.build:108:7: ERROR: C header 'asm/sgx.h' not found.

[woju]

Sorry to be blunt, but without seeing both logs and your actual changes (rather than relying on your descriptions of changes, because you might have made a typo), it's hard to tell anything about the reasons of the error you see. I've tested this PR's ./gsc build-gramine with debian:12, works fine with regard to <asm/sgx.h>, so unless proven otherwise, I'm going to assume the problem is on your side.

woju@[...] ~/src/gsc [git||remotes/origin/pull/228/head] [17:36 4295]% ./gsc build-gramine asdf
/usr/local/lib/python3.8/dist-packages/paramiko/transport.py:219: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
Building base-Gramine Docker image `asdf`...
Step 1/8 : FROM debian:12 AS gramine
[...]
Step 8/8 : RUN cd /gramine     && meson setup build/ --prefix="/gramine/meson_build_output"        --buildtype=release        -Ddirect=enabled -Dsgx=enabled             && ninja -C build     && ninja -C build install

 ---> Running in 46f06c28de1e
The Meson build system
[...]
Has header "asm/sgx.h" : YES
[...]
 ---> 4c336f858e3c
Successfully built 4c336f858e3c
Successfully tagged asdf:latest
Successfully built a base-Gramine Docker image `asdf`.

Or am I missing something?

Reviewed 2 of 3 files at r2, 9 of 9 files at r4, all commit messages.
Reviewable status: all files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel and @anirbanbasu)

---

templates/centos/Dockerfile.compile.template line 22 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

This package needs to be kernel-headers. If you write kernel-devel, it will also install kernel-headers because of dependencies, (kernel-devel → gcc → glibc-devel → kernel-headers), but this is not what you want to write here.

Suggestion:

kernel-headers

---

templates/centos/Dockerfile.compile.template line 40 at r4 (raw file):

        python3-protobuf \
        rpm-build \
        wget \

I think wget is not used anywhere else, apart from the section that downloaded sgx.h, which you just removed, so you can also remove wget installation (here and everywhere else).

---

templates/suse/Dockerfile.compile.template line 29 at r4 (raw file):

        gcc11-c++ \
        git \
        kernel-devel \

On SUSE it's called linux-glibc-devel (https://software.opensuse.org/package/linux-glibc-devel)

Suggestion:

linux-glibc-devel

---

templates/debian/entrypoint.manifest.template line 4 at r4 (raw file):

{% block loader %}
loader.entrypoint = "file:/gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/libsysdb.so"

ditto (put it in that second commit, together with the other entrypoint line)

---

templates/redhat/ubi-minimal/Dockerfile.compile.template line 28 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Suggestion:

kernel-headers

---

templates/centos/entrypoint.manifest.template line 4 at r4 (raw file):

{% block loader %}
loader.entrypoint = "file:/gramine/meson_build_output/lib64/gramine/libsysdb.so"

This is unrelated change, needs to be in a separate commit.

---

templates/centos/stream/Dockerfile.compile.template line 21 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Suggestion:

kernel-headers

---

templates/redhat/ubi/Dockerfile.compile.template line 28 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Suggestion:

kernel-headers

[anirbanbasu]

Sorry to be blunt, but without seeing both logs and your actual changes (rather than relying on your descriptions of changes, because you might have made a typo), it's hard to tell anything about the reasons of the error you see.

@woju, yes, understandable. I will check things at my end.

Please use reviewable for discussions about PRs.

Okay!

[adarshan-intel]

Reviewable status: all files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @anirbanbasu and @woju)

---

templates/centos/Dockerfile.compile.template line 22 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

This package needs to be kernel-headers. If you write kernel-devel, it will also install kernel-headers because of dependencies, (kernel-devel → gcc → glibc-devel → kernel-headers), but this is not what you want to write here.

Done.

---

templates/centos/Dockerfile.compile.template line 40 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

I think wget is not used anywhere else, apart from the section that downloaded sgx.h, which you just removed, so you can also remove wget installation (here and everywhere else).

Done.

---

templates/suse/Dockerfile.compile.template line 29 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

On SUSE it's called linux-glibc-devel (https://software.opensuse.org/package/linux-glibc-devel)

Done.

---

templates/centos/stream/Dockerfile.compile.template line 21 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Done.

---

templates/redhat/ubi-minimal/Dockerfile.compile.template line 28 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Done.

---

templates/redhat/ubi/Dockerfile.compile.template line 28 at r4 (raw file):

        git \
        httpd \
        kernel-devel \

Done.

[adarshan-intel]

Reviewable status: 4 of 11 files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @anirbanbasu and @woju)

---

templates/centos/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

This is unrelated change, needs to be in a separate commit.

Done.
Removing this as of now

---

templates/debian/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

ditto (put it in that second commit, together with the other entrypoint line)

Done.
Removing this as of now

[anirbanbasu]

Reviewable status: 4 of 11 files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel and @woju)

---

templates/Dockerfile.common.compile.template line 28 at r5 (raw file):

    && sha256sum sgx.h | grep -q a34a997ade42b61376b1c5d3d50f839fd28f2253fa047cb9c0e68a1b00477956
{% endif %}

I did a clean check out of this PR and I am met with the same error as before. See the meson build excerpt below.

 ---> Running in 92a25c93b6ec
The Meson build system
Version: 1.6.0
Source dir: /gramine
Build dir: /gramine/build
Build type: native build
Project name: gramine
Project version: 1.8post~UNRELEASED
C compiler for the host machine: cc (gcc 10.2.1 "cc (Debian 10.2.1-6) 10.2.1 20210110")
C linker for the host machine: cc ld.bfd 2.35.2
C++ compiler for the host machine: c++ (gcc 10.2.1 "c++ (Debian 10.2.1-6) 10.2.1 20210110")
C++ linker for the host machine: c++ ld.bfd 2.35.2
Host machine cpu family: x86_64
Host machine cpu: x86_64
Compiler for C supports arguments -std=c23: NO
Compiler for C supports arguments -std=c2x: YES
meson.build:28: WARNING: Consider using the built-in option for language standard version instead of using "-std=c2x".
Program check-no-reloc.sh found: YES (/gramine/scripts/check-no-reloc.sh)
Program gen-pal-map.py found: YES (/gramine/scripts/gen-pal-map.py)
Program get-python-platlib.py found: YES (/gramine/scripts/get-python-platlib.py)
Program meson-clang-format.sh found: YES (/gramine/scripts/meson-clang-format.sh)
Program meson-render-script.py found: YES (/gramine/scripts/meson-render-script.py)
Fetching value of define "__GLIBC__" : 2
Program objcopy found: YES (/usr/bin/objcopy)
Program python3 found: YES (/usr/bin/python3)
WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in meson 2.0.
         See also: https://github.com/mesonbuild/meson/issues/9300
Program nasm found: YES (/usr/bin/nasm)
Compiler for C supports arguments -Wtrampolines: YES
Compiler for C supports arguments -Wnull-dereference: YES
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".

meson.build:108:7: ERROR: C header 'asm/sgx.h' not found

[anjalirai-intel]

Reviewable status: 4 of 11 files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel and @woju)

templates/Dockerfile.common.compile.template line 28 at r5 (raw file):

    && sha256sum sgx.h | grep -q a34a997ade42b61376b1c5d3d50f839fd28f2253fa047cb9c0e68a1b00477956
{% endif %}

I did a clean check out of this PR and I am met with the same error as before. See the meson build excerpt below.

 ---> Running in 92a25c93b6ec
The Meson build system
Version: 1.6.0
Source dir: /gramine
Build dir: /gramine/build
Build type: native build
Project name: gramine
Project version: 1.8post~UNRELEASED
C compiler for the host machine: cc (gcc 10.2.1 "cc (Debian 10.2.1-6) 10.2.1 20210110")
C linker for the host machine: cc ld.bfd 2.35.2
C++ compiler for the host machine: c++ (gcc 10.2.1 "c++ (Debian 10.2.1-6) 10.2.1 20210110")
C++ linker for the host machine: c++ ld.bfd 2.35.2
Host machine cpu family: x86_64
Host machine cpu: x86_64
Compiler for C supports arguments -std=c23: NO
Compiler for C supports arguments -std=c2x: YES
meson.build:28: WARNING: Consider using the built-in option for language standard version instead of using "-std=c2x".
Program check-no-reloc.sh found: YES (/gramine/scripts/check-no-reloc.sh)
Program gen-pal-map.py found: YES (/gramine/scripts/gen-pal-map.py)
Program get-python-platlib.py found: YES (/gramine/scripts/get-python-platlib.py)
Program meson-clang-format.sh found: YES (/gramine/scripts/meson-clang-format.sh)
Program meson-render-script.py found: YES (/gramine/scripts/meson-render-script.py)
Fetching value of define "__GLIBC__" : 2
Program objcopy found: YES (/usr/bin/objcopy)
Program python3 found: YES (/usr/bin/python3)
WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in meson 2.0.
         See also: https://github.com/mesonbuild/meson/issues/9300
Program nasm found: YES (/usr/bin/nasm)
Compiler for C supports arguments -Wtrampolines: YES
Compiler for C supports arguments -Wnull-dereference: YES
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".

meson.build:108:7: ERROR: C header 'asm/sgx.h' not found

@anirbanbasu Can you also share logs where apt packages are getting installed

[anirbanbasu]

Reviewable status: 4 of 11 files reviewed, 9 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel and @woju)

templates/Dockerfile.common.compile.template line 28 at r5 (raw file):

    && sha256sum sgx.h | grep -q a34a997ade42b61376b1c5d3d50f839fd28f2253fa047cb9c0e68a1b00477956
{% endif %}

I did a clean check out of this PR and I am met with the same error as before. See the meson build excerpt below.

 ---> Running in 92a25c93b6ec
The Meson build system
Version: 1.6.0
Source dir: /gramine
Build dir: /gramine/build
Build type: native build
Project name: gramine
Project version: 1.8post~UNRELEASED
C compiler for the host machine: cc (gcc 10.2.1 "cc (Debian 10.2.1-6) 10.2.1 20210110")
C linker for the host machine: cc ld.bfd 2.35.2
C++ compiler for the host machine: c++ (gcc 10.2.1 "c++ (Debian 10.2.1-6) 10.2.1 20210110")
C++ linker for the host machine: c++ ld.bfd 2.35.2
Host machine cpu family: x86_64
Host machine cpu: x86_64
Compiler for C supports arguments -std=c23: NO
Compiler for C supports arguments -std=c2x: YES
meson.build:28: WARNING: Consider using the built-in option for language standard version instead of using "-std=c2x".
Program check-no-reloc.sh found: YES (/gramine/scripts/check-no-reloc.sh)
Program gen-pal-map.py found: YES (/gramine/scripts/gen-pal-map.py)
Program get-python-platlib.py found: YES (/gramine/scripts/get-python-platlib.py)
Program meson-clang-format.sh found: YES (/gramine/scripts/meson-clang-format.sh)
Program meson-render-script.py found: YES (/gramine/scripts/meson-render-script.py)
Fetching value of define "__GLIBC__" : 2
Program objcopy found: YES (/usr/bin/objcopy)
Program python3 found: YES (/usr/bin/python3)
WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in meson 2.0.
         See also: https://github.com/mesonbuild/meson/issues/9300
Program nasm found: YES (/usr/bin/nasm)
Compiler for C supports arguments -Wtrampolines: YES
Compiler for C supports arguments -Wnull-dereference: YES
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wall".
meson.build:85: WARNING: Consider using the built-in warning_level option instead of using "-Wextra".

meson.build:108:7: ERROR: C header 'asm/sgx.h' not found

@anirbanbasu Can you also share logs where apt packages are getting installed

@anjalirai-intel please see the excerpts below. The step or steps hidden due to confidentiality reasons are for configuring access to a proxy server so that apt-get and git can work behind the proxy.

Building unsigned graminized Docker image `[name-retracted-for-confidentiality]-unsigned` from original application image `[name-retracted-for-confidentiality]`...
Warning: Duplicate key `sgx.debug`. Overriding value from `debian/entrypoint.manifest.template` by the one in `[path-retracted-for-confidentiality].manifest`.
Warning: Duplicate key `loader.env.PATH`. Concatenating values from `<merged [path-retracted-for-confidentiality].manifest and debian/entrypoint.manifest.template>` and `<[name-retracted-for-confidentiality] image env>`.

Step 1/34 : FROM debian:11 AS gramine

 ---> 91a3af22c9b3
Step 2/34 : [step-retracted-for-confidentiality]

 ---> Using cache
 ---> 0b9aa5b4d593
Step 3/34 : RUN env DEBIAN_FRONTEND=noninteractive apt-get update     && env DEBIAN_FRONTEND=noninteractive apt-get install -y         autoconf         bison         build-essential         cmake         coreutils         curl         gawk         git         libprotobuf-c-dev         linux-libc-dev         linux-headers-generic         nasm         ninja-build         pkg-config         protobuf-c-compiler         protobuf-compiler         python3         python3-cryptography         python3-protobuf         wget            python3-pip            && /usr/bin/python3 -B -m pip install 'tomli>=1.1.0' 'tomli-w>=0.4.0' 'meson>=0.56,!=1.2.*'

 ---> Using cache
 ---> c09484fc96d2
Step 4/34 : COPY intel-sgx-deb.key /

 ---> Using cache
 ---> bb42690b5d69
Step 5/34 : RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main'     > /etc/apt/sources.list.d/intel-sgx.list     && apt-key add /intel-sgx-deb.key

 ---> Using cache
 ---> 11fd2f1f4919
Step 6/34 : RUN env DEBIAN_FRONTEND=noninteractive apt-get update     && env DEBIAN_FRONTEND=noninteractive apt-get install -y libsgx-dcap-quote-verify-dev

 ---> Using cache
 ---> 2a269044c833
Step 7-10/34 : [steps-retracted-for-confidentiality]

Step 11/34 : RUN git clone https://github.com/gramineproject/gramine.git /gramine

 ---> Using cache
 ---> 008cb588f8a8
Step 12/34 : RUN cd /gramine     && git fetch origin master     && git checkout master

 ---> Using cache
 ---> 5007eda930e9
Step 13/34 : RUN cd /gramine     && meson setup build/ --prefix="/gramine/meson_build_output"        --buildtype=release        -Ddirect=enabled -Dsgx=enabled             && ninja -C build     && ninja -C build install

[anjalirai-intel]

@anirbanbasu In your logs, it is mentioned that you are using debian:11 Step 1/34 : FROM debian:11 AS gramine but you mentioned earlier that you are using ubuntu 22.04

Issue is reproducible on debian:11 workload image and also debian:11 distro will not be supported from gramine master.

sgx.h is not available as part of linux-libc-dev for debian 11 whereas it is present as part of debian 12

you can refer attached images

[anirbanbasu]

@anirbanbasu In your logs, it is mentioned that you are using debian:11 Step 1/34 : FROM debian:11 AS gramine but you mentioned earlier that you are using ubuntu 22.04

Issue is reproducible on debian:11 workload image and also debian:11 distro will not be supported from gramine master.

sgx.h is not available as part of linux-libc-dev for debian 11 whereas it is present as part of debian 12

you can refer attached images

@anjalirai-intel thanks, well spotted. My oversight there! Apologies.

However, where is this debian 11 being picked up from? Isn't it supposed to be the same base image that my non-Graminized image built from? In my case, that is python:3.12.5-bookworm, which is Debian 12?

[anirbanbasu]

However, where is this debian 11 being picked up from? Isn't it supposed to be the same base image that my non-Graminized image built from? In my case, that is python:3.12.5-bookworm, which is Debian 12?

Okay, it was specified in the default config.yaml. I have now specified Debian 12 in my app-specific config.yaml. There is no further error with asm/sgx.h. Apologies for the oversight. Thanks a lot for helping me with this, @adarshan-intel, @woju and @anjalirai-intel.

(I do have other errors now but I will check if they are at all related to this PR.)

[woju]

Reviewed 2 of 7 files at r5, all commit messages.
Reviewable status: 6 of 11 files reviewed, 5 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel and @anjalirai-intel)

---

a discussion (no related file):
@anirbanbasu @anjalirai-intel: Debian 11 has linux-libc-dev 6.1, but in bullseye-backports repository: https://packages.debian.org/bullseye-backports/linux-libc-dev

So either gsc needs to support Distro: debian:bullseye-backports (that would involve doing away with distro[1] | int in some way), or needs to detect version equal to 11 and add backports repo manually, like in this Dockerfile: https://github.com/debuerreotype/docker-debian-artifacts/blob/f5527c9b022448b28981cf274721d9749d8fc5c4/bullseye/backports/Dockerfile

Blocking on this.

---

templates/centos/Dockerfile.compile.template line 40 at r4 (raw file):

Previously, adarshan-intel (Adarsh Anand) wrote…

Done.

Not done, you didn't remove elsewhere.

---

templates/centos/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, adarshan-intel (Adarsh Anand) wrote…

Done.
Removing this as of now

Not done, I don't see a separate commit in commit list that has different commit message that would propertly describe this change, there are only fixups.

---

templates/debian/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, adarshan-intel (Adarsh Anand) wrote…

Done.
Removing this as of now

ditto (not done)

[anirbanbasu]

@adarshan-intel @woju now I am facing this error, which is related to: #225

Traceback (most recent call last):
  File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 174, in <module>

    main() # pylint: disable=no-value-for-parameter
    ^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1130, in __call__

    return self.main(*args, **kwargs)

           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1055, in main

    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 1404, in invoke

    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/core.py", line 760, in invoke

    return __callback(*args, **kwargs)

           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/click/decorators.py", line 26, in new_func

    return f(get_current_context(), *args, **kwargs)

           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/gramine/meson_build_output/bin/gramine-sgx-sign", line 130, in main

    manifest = Manifest.load(manifest_file)

               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/gramine/meson_build_output/lib/python3.11/site-packages/graminelibos/manifest.py", line 388, in load

    return cls.loads(f.read())

           ^^^^^^^^^^^^^^^^^^^
  File "/gramine/meson_build_output/lib/python3.11/site-packages/graminelibos/manifest.py", line 384, in loads

    return cls(s)

           ^^^^^^
  File "/gramine/meson_build_output/lib/python3.11/site-packages/graminelibos/manifest.py", line 348, in __init__

    raise ManifestError('Unknown loader.entrypoint format (not a TOML table)')
graminelibos.manifest.ManifestError: Unknown loader.entrypoint format (not a TOML table)

[anirbanbasu]

I am facing this error, which is related to: #225

In addition, by updating the files as suggested in PR #225, my container compiles and runs fine.

[adarshan-intel]

Reviewable status: 6 of 11 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @woju)

---

templates/centos/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

Not done, I don't see a separate commit in commit list that has different commit message that would propertly describe this change, there are only fixups.

I want to clarify that PR #225 already implements this change, so I am not including it here. Once PR #225 is merged, this PR can proceed. Therefore, I am not adding any separate commit.

---

templates/debian/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

ditto (not done)

ditto

[adarshan-intel]

templates/centos/Dockerfile.compile.template line 40 at r4 (raw file):

Previously, woju (Wojtek Porczyk) wrote…

Not done, you didn't remove elsewhere.

Done.
Remove wget from all templates

[adarshan-intel]

Reviewable status: 5 of 13 files reviewed, 4 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @anirbanbasu, @anjalirai-intel, and @woju)

---

a discussion (no related file):

Previously, woju (Wojtek Porczyk) wrote…

@anirbanbasu @anjalirai-intel: Debian 11 has linux-libc-dev 6.1, but in bullseye-backports repository: https://packages.debian.org/bullseye-backports/linux-libc-dev

So either gsc needs to support Distro: debian:bullseye-backports (that would involve doing away with distro[1] | int in some way), or needs to detect version equal to 11 and add backports repo manually, like in this Dockerfile: https://github.com/debuerreotype/docker-debian-artifacts/blob/f5527c9b022448b28981cf274721d9749d8fc5c4/bullseye/backports/Dockerfile

Blocking on this.

I will discuss this with Anees and get back to you.

[woju]

Reviewed 1 of 7 files at r5, 7 of 7 files at r6, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel, @anirbanbasu, and @anjalirai-intel)

---

templates/centos/entrypoint.manifest.template line 4 at r4 (raw file):

Previously, adarshan-intel (Adarsh Anand) wrote…

I want to clarify that PR #225 already implements this change, so I am not including it here. Once PR #225 is merged, this PR can proceed. Therefore, I am not adding any separate commit.

OK, I understand. Yes, that makes sense, but in this case you should rebase the branch on top of that other branch (instead of adding another diff to a commit in this branch) and change the base of the PR in GitHub UI. Without doing that, it's not clear which branch should be merged on top of which one, and you run a risk that you'll have circular dependencies between several PRs. If you expliticly base the PRs on top of one another, then you won't make such a mistake, and we won't make a mistake when reviewing and merging.

Right now, if I'm counting correctly, we have 4 PRs against gsc repo with at least slightly overlapping scope (#223, #225, #226, #228) and it's not clear to me, in which order they should be merged, or if this matter at all. It's up to you to decide, I won't mind any particular order, as long as it won't break anything. If you're sure the order of those other PRs doesn't matter, you can leave them based on master, but at least this stuff needs to be adjusted.

[adarshan-intel]

Reviewable status: 12 of 13 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @anjalirai-intel and @woju)

---

a discussion (no related file):

Previously, adarshan-intel (Adarsh Anand) wrote…

I will discuss this with Anees and get back to you.

In the latest commit 47dcb58 have done the 2nd method of adding backports repo manually by detecting the debian 11 version

[woju]

Reviewed 1 of 1 files at r7, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel)

---

a discussion (no related file):

Previously, adarshan-intel (Adarsh Anand) wrote…

In the latest commit 47dcb58 have done the 2nd method of adding backports repo manually by detecting the debian 11 version

Thanks!

---

templates/debian/Dockerfile.compile.template line 37 at r7 (raw file):

        {%- endif %}

{%- if (distro[0] == "debian" and distro[1] | int == 11) %}

1. parens are unnecessary (I suppose you copy-pasted a bit too much from above).
2. The repo should be added before apt-get install above I think (just below {% set distro %}). If you do that, then you can also install meson, tomli, and tomli-w from the backports repo.

(the logic itself is OK)

Suggestion:

distro[0] == "debian" and distro[1] | int == 11

[adarshan-intel]

Reviewable status: 12 of 13 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @woju)

---

templates/debian/Dockerfile.compile.template line 37 at r7 (raw file):

1. parens are unnecessary (I suppose you copy-pasted a bit too much from above).

Removed brackets

2. The repo should be added before apt-get install above I think (just below {% set distro %}). If you do that, then you can also install meson, tomli, and tomli-w from the backports repo.
   Have moved {%- if (distro[0] == "debian" and distro[1] | int == 11) %} logic just below {% set distro %}

Yes I moved the logic part below {% set distro %}, if distro is debian:11 then pull the linux headers from the backports repos, for all other distros debian:12 and ubuntu packages it pulls from normal repos.

[adarshan-intel]

Reviewable status: 12 of 13 files reviewed, 3 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ), "fixup! " found in commit messages' one-liners (waiting on @woju)

---

templates/debian/Dockerfile.compile.template line 37 at r7 (raw file):

Previously, adarshan-intel (Adarsh Anand) wrote…

1. parens are unnecessary (I suppose you copy-pasted a bit too much from above).

Removed brackets

2. The repo should be added before apt-get install above I think (just below {% set distro %}). If you do that, then you can also install meson, tomli, and tomli-w from the backports repo.
   Have moved {%- if (distro[0] == "debian" and distro[1] | int == 11) %} logic just below {% set distro %}

Yes I moved the logic part below {% set distro %}, if distro is debian:11 then pull the linux headers from the backports repos, for all other distros debian:12 and ubuntu packages it pulls from normal repos.

Also updating linux-headers-generic to linux-libc-dev package for installing kernel headers as both packages cannot be used together due to mismatch

[woju]

Reviewed 1 of 1 files at r8, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: ITL), "fixup! " found in commit messages' one-liners

[anirbanbasu]

Reviewed all commit messages.
Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: ITL), "fixup! " found in commit messages' one-liners

[adarshan-intel]

@mkow @kailun-qin Can you review?

[woju]

Reviewable status: all files reviewed, all discussions resolved, not enough approvals from maintainers (1 more required), not enough approvals from different teams (1 more required, approved so far: ITL), "fixup! " found in commit messages' one-liners

[kailun-qin]

Reviewed 2 of 3 files at r2, 1 of 9 files at r4, 3 of 7 files at r5, 6 of 7 files at r6, 1 of 1 files at r8, all commit messages.
Reviewable status: all files reviewed, all discussions resolved, "fixup! " found in commit messages' one-liners

[mkow]

Reviewed 2 of 3 files at r2, 1 of 9 files at r4, 3 of 7 files at r5, 6 of 7 files at r6, 1 of 1 files at r8, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion, "fixup! " found in commit messages' one-liners (waiting on @adarshan-intel)

---

-- commits line 3 at r8:
Please Don't Capitalize Every Word In A Sentence :)

Suggestion:

Update GSC with Gramine's new SGX driver requirements

[adarshan-intel]

Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @mkow)

---

-- commits line 3 at r8:

Previously, mkow (Michał Kowalczyk) wrote…

Please Don't Capitalize Every Word In A Sentence :)

Done.
Have updated the commit message and rebased PR

[kailun-qin]

Reviewed all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @mkow)

[adarshan-intel]

Can we merge this?
@woju @kailun-qin @mkow

[adarshan-intel]

Any more pending action items on this PR ?
@woju @kailun-qin @mkow

[kailun-qin]

Any more pending action items on this PR ?

No action item. Let's just wait a bit for mkow to unblock his last comment.

Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @mkow)

[mkow]

Reviewed all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved