diff --git a/docker/README.md b/docker/README.md index b8c21df6..9af9e6ff 100644 --- a/docker/README.md +++ b/docker/README.md @@ -181,14 +181,16 @@ As mentioned above, the docker images are built with a `UID:GID` dervied from account used to build the images. If you would prefer to use a different identity, the `--user` switch to the `docker run` command will override the builtin identities. This can be especially -useful if the images are stored in a repository. +useful if the images are stored in a registry. + ### CCF Deployment ### 
@@ -305,3 +307,74 @@ For example: ```bash user@has:/project/pdo# source /project/pdo/tools/start_client.sh --ledger http://127.0.0.1:6600/ ``` + + +## Pattern: Deploy PDO Images Through a Registry ## + +Deploying PDO images through a Docker registry additionally requires +creation of an account used to run the PDO services. Since services +are configured through a shared host file system (the `xfer` directory +tree) permissions must be set appropriately. + +### Build the Images ### + +PDO images that will be pushed to a shared registry should be built +with a unique user identity that is unlikely to exist on the servers +where it will be deployed. The UID that is used by default when +building the images in the GitHub registry is 55172. The following +statement will build PDO images with that UID. + +```bash +make PDO_USER_UID=55172 PDO_GROUP_UID=55172 +``` + +Once built, use the standard docker commands to push the images to +your registry. If you wish to do PDO service development, you will +need access to all of the images (`pdo_base`, `pdo_services_base`, +`pdo_services`, `pdo_client`, `pdo_ccf_base`, and `pdo_ccf`). For +using and developing contracts the only necessary images are +`pdo_services`, `pdo_client` and `pdo_ccf`. + +*Note*: prebuilt images are often available from the GitHub container +registry through +[Hyperledger Labs](https://github.com/orgs/hyperledger-labs/packages?q=pdo). +These images can be pulled using standard docker commands such as: + +```bash +docker pull ghcr.io/hyperledger-labs/pdo_client:latest +docker pull ghcr.io/hyperledger-labs/pdo_services:latest +docker pull ghcr.io/hyperledger-labs/pdo_ccf:latest +``` + +### Create Accounts ### + +To manage local storage associated with the containers (specifically +the contents of the `xfer` directory), create a local user/group +account that corresponds to the UIDs used in the PDO images. 
The +following commands create a `pdo_user` user and group with UIDs that +correspond to the ones used above (and consistent with the identities +used in the images in GHCR: + +```bash +sudo addgroup --gid 55172 pdo_user +sudo adduser --uid 55172 --gid 55172 --disabled-login --no-create-home pdo_user +``` + +Next, add the local user that will be used to manage the containers to +the `pdo_user` group. + +```bash +sudo adduser pdo_user +``` + +And, finally, change the `xfer` directory ownership and permissions to +give group users write permission. + +```bash +sudo chown -R pdo_user:pdo_user xfer +sudo chmod -R g+w xfer +``` + +At this point, you should be able to use the instructions above for +[Service Deployment](#pattern:-service-deployment) using the PDO +images. diff --git a/docker/base.yaml b/docker/base.yaml index 2e8062a3..8c13ec1b 100644 --- a/docker/base.yaml +++ b/docker/base.yaml @@ -13,7 +13,7 @@ # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: base_container: diff --git a/docker/ccf_base.yaml b/docker/ccf_base.yaml index 73a0c760..491446ed 100644 --- a/docker/ccf_base.yaml +++ b/docker/ccf_base.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: ccf_container: diff --git a/docker/client_base.yaml b/docker/client_base.yaml index e610e6f7..db8ed512 100644 --- a/docker/client_base.yaml +++ b/docker/client_base.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: client_container: diff --git a/docker/configured_services.yaml b/docker/configured_services.yaml index e4147309..7f47b730 100644 
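Review bot: `sudo adduser pdo_user` in the "add the local user ... to the `pdo_user` group" step does not do what the surrounding text says; with a single argument Debian/Ubuntu's adduser tries to create an account named pdo_user (already created two commands earlier) instead of adding the operator's account to the group. The membership form needs two arguments, `sudo adduser "$USER" pdo_user` (followed by a fresh login for the new group to apply). Without it the later `chmod -R g+w xfer` grants write access to a group the operator is not in, so the uid-55172 services and the host user still cannot share the directory as the section promises. The parenthetical "(and consistent with the identities used in the images in GHCR:" is also missing its closing parenthesis.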
--- a/docker/configured_services.yaml +++ b/docker/configured_services.yaml @@ -13,7 +13,7 @@ # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: services_container: diff --git a/docker/pdo_base.dockerfile b/docker/pdo_base.dockerfile index 52af201a..3bd48715 100644 --- a/docker/pdo_base.dockerfile +++ b/docker/pdo_base.dockerfile @@ -25,8 +25,10 @@ ENV TERM=screen-256color # ----------------------------------------------------------------- ARG ADD_APT_PKGS= -ENV DEBIAN_FRONTEND "noninteractive" -RUN apt-get update \ +ENV DEBIAN_FRONTEND="noninteractive" +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + apt-get update \ && apt-get install -y -q --no-install-recommends \ autoconf \ automake \ @@ -77,5 +79,23 @@ RUN wget -q https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-$ && dpkg --install ${WASI_PACKAGE} \ && rm ${WASI_PACKAGE} +# ----------------------------------------------------------------- +# Create the pdo_user account and group that will be used for +# future installations into the pdo install directory +# ----------------------------------------------------------------- +ARG UNAME=pdo_user +ENV UNAME=${UNAME} + +ARG UID=1000 +ARG GID=$UID + +RUN groupadd -f -g $GID -o $UNAME +RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME + +# ----------------------------------------------------------------- +# Prep for the installation +# ----------------------------------------------------------------- +USER $UNAME + WORKDIR /project/pdo/tools COPY tools/environment.sh ./ diff --git a/docker/pdo_ccf.dockerfile b/docker/pdo_ccf.dockerfile index fbbd9b27..cfc0f7c6 100644 --- a/docker/pdo_ccf.dockerfile +++ b/docker/pdo_ccf.dockerfile 
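Review bot: In the pdo_base hunk that creates the account, `groupadd -f -g $GID -o` and `useradd ... -o` tell the build to accept a UID/GID that already belongs to another entry in the base image, so a collision (for example `UID=1000` on a base that ships a uid-1000 user) is silent and files under /project/pdo are attributed to whichever passwd entry comes first. Unless sharing an id is intended, drop `-o` so such a build fails loudly, or add a comment stating why the override is wanted. Also, `UID`/`GID` exist here only as ARGs, which are not persisted into the image, so the derived pdo_ccf, pdo_client and pdo_services stages (which drop their own copies in this diff) cannot read them; `ENV PDO_USER_UID=${UID} PDO_USER_GID=${GID}` after the useradd line would let them keep `uid=/gid=` on their cache mounts. The `WORKDIR`/`COPY` lines at the end of the hunk are context and the file continues past it.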
@@ -19,7 +19,7 @@ # to cache pip downloads between builds, cutting down noticeably build time. # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune. -ARG PDO_VERSION +ARG PDO_VERSION=latest FROM pdo_ccf_base:${PDO_VERSION} # ----------------------------------------------------------------- @@ -38,6 +38,13 @@ ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD} ARG XFER_DIR=/project/pdo/xfer ENV XFER_DIR=${XFER_DIR} +# copy the source files into the image using the user +# identity that was created in the base container +ARG UNAME=pdo_user +ENV UNAME=${UNAME} + +USER $UNAME + # copy the source files into the image WORKDIR /project/pdo COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src @@ -49,9 +56,7 @@ WORKDIR /project/pdo/tools COPY --chown=${UNAME}:${UNAME} tools/*.sh ./ # build it!!! -ARG UID=1000 -ARG GID=${UID} -RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \ +RUN --mount=type=cache,target=/project/pdo/.cache/pip \ /project/pdo/tools/build_ccf.sh # Network ports for running services diff --git a/docker/pdo_ccf_base.dockerfile b/docker/pdo_ccf_base.dockerfile index 66d50f07..2210b14b 100644 --- a/docker/pdo_ccf_base.dockerfile +++ b/docker/pdo_ccf_base.dockerfile @@ -24,13 +24,17 @@ ARG UBUNTU_NAME=focal ENV TERM=screen-256color +USER root + # ----------------------------------------------------------------- # Install base packages # ----------------------------------------------------------------- ARG ADD_APT_PKGS= -ENV DEBIAN_FRONTEND "noninteractive" -RUN apt-get update \ +ENV DEBIAN_FRONTEND="noninteractive" +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + apt-get update \ && apt-get install -y -q --no-install-recommends \ libsecp256k1-dev \ lsof \ 
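Review bot: `ARG PDO_VERSION=latest` turns `FROM pdo_ccf_base:${PDO_VERSION}` into a floating-tag reference whenever the build arg is omitted, so an ad hoc `docker build` now silently uses whatever `pdo_ccf_base:latest` happens to exist locally or in a configured registry instead of failing as the un-defaulted ARG did; the same default is introduced for pdo_client, pdo_services and pdo_services_base in this diff. If the Makefile is expected to always pass the version, say so next to the ARG, e.g. `# PDO_VERSION is normally supplied by the Makefile; "latest" only serves ad hoc builds and is not reproducible`. For images pulled from a registry, a digest-pinned reference is the reproducible option.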
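Review bot: The rewritten `RUN --mount=type=cache,target=/project/pdo/.cache/pip` drops the `uid=${UID},gid=${GID}` options at the same time the previous hunk switches this stage to `USER $UNAME`; BuildKit creates a cache mount owned by root unless uid/gid are given, so build_ccf.sh running as pdo_user most likely cannot write it — pip would warn and disable its cache, defeating the mount, and any step that does not degrade gracefully would fail. The ids do not inherit from pdo_ccf_base because ARG values are not persisted in images, so re-declare them here: `ARG UID=1000`, `ARG GID=${UID}`, `RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \`. A short comment noting that the cache must be owned by the build user would stop this from being "simplified" away again.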
@@ -46,8 +50,9 @@ RUN apt-get update \ RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list RUN curl https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - - -RUN apt-get update \ +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + apt-get update \ && apt-get install -y --no-install-recommends \ sgx-aesm-service \ libsgx-dcap-ql \ @@ -59,19 +64,20 @@ RUN apt-get clean \ && rm -rf /var/lib/apt/lists/* # ----------------------------------------------------------------- +# Create the pdo_user account and group that will be used for +# future installations into the pdo install directory # ----------------------------------------------------------------- -WORKDIR /project/pdo - -ARG UNAME=pdo_ccf +ARG UNAME=pdo_user ENV UNAME=${UNAME} ARG UID=1000 ARG GID=$UID -RUN echo $UID $GID RUN groupadd -f -g $GID -o $UNAME RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME -RUN chown --recursive $UNAME:$UNAME /project/pdo + +# ----------------------------------------------------------------- USER $UNAME +WORKDIR /project/pdo ENTRYPOINT ["/bin/bash"] diff --git a/docker/pdo_client.dockerfile b/docker/pdo_client.dockerfile index 1f70a2b7..c5a7eb72 100644 --- a/docker/pdo_client.dockerfile +++ b/docker/pdo_client.dockerfile 
@@ -19,24 +19,9 @@ # to cache pip downloads between builds, cutting down noticeably build time. # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune. -ARG PDO_VERSION +ARG PDO_VERSION=latest FROM pdo_base:${PDO_VERSION} -# ----------------------------------------------------------------- -# ----------------------------------------------------------------- -WORKDIR /project/pdo - -ARG UNAME=pdo_client -ENV UNAME=${UNAME} - -ARG UID=1000 -ARG GID=${UID} - -RUN groupadd -f -g $GID -o $UNAME -RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME -RUN chown --recursive $UNAME:$UNAME /project/pdo -USER $UNAME - # ----------------------------------------------------------------- # set up the PDO sources # ----------------------------------------------------------------- @@ -54,6 +39,16 @@ ENV PDO_INTERPRETER=${PDO_INTERPRETER} ARG PDO_LOG_LEVEL=info ENV PDO_LOG_LEVEL=${PDO_LOG_LEVEL} +# ----------------------------------------------------------------- +# use the identity created in the base container +# ----------------------------------------------------------------- +ARG UNAME=pdo_user +ENV UNAME=${UNAME} + +USER $UNAME + +# ----------------------------------------------------------------- +# ----------------------------------------------------------------- # copy the source files into the image WORKDIR /project/pdo COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src @@ -65,8 +60,9 @@ WORKDIR /project/pdo/tools COPY --chown=${UNAME}:${UNAME} tools/*.sh ./ # build it!!! -RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \ +RUN --mount=type=cache,target=/project/pdo/.cache/pip \ /project/pdo/tools/build_client.sh -RUN ln -s /project/pdo/tools/bashrc_client.sh /project/pdo/.bashrc +RUN rm -f /project/pdo/.bashrc; ln -s /project/pdo/tools/bashrc_client.sh /project/pdo/.bashrc + ENTRYPOINT [ "/bin/bash" ] 
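Review bot: The last hunk has the same cache-ownership problem as pdo_ccf: `RUN --mount=type=cache,target=/project/pdo/.cache/pip` no longer passes `uid=/gid=`, yet build_client.sh now runs as `$UNAME` (set in the preceding hunk), and a root-owned cache mount is not writable by that user; restore `ARG UID=1000`, `ARG GID=${UID}` and `uid=${UID},gid=${GID}` on the mount, since the ARGs removed from the first hunk do not carry over from pdo_base. Separately, `RUN rm -f /project/pdo/.bashrc; ln -s ...` chains with `;`, so a failing `rm` would not stop the build; use `&&` and add a comment such as `# replace the skeleton .bashrc that useradd -m copied into the home directory` so the `rm -f` is not mistaken for dead code.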
diff --git a/docker/pdo_services.dockerfile b/docker/pdo_services.dockerfile index f1b1889a..d832b3b4 100644 --- a/docker/pdo_services.dockerfile +++ b/docker/pdo_services.dockerfile @@ -19,7 +19,7 @@ # to cache pip downloads between builds, cutting down noticeably build time. # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune. -ARG PDO_VERSION +ARG PDO_VERSION=latest FROM pdo_services_base:${PDO_VERSION} # ----------------------------------------------------------------- @@ -28,7 +28,7 @@ FROM pdo_services_base:${PDO_VERSION} ARG REBUILD=0 ARG SGX_MODE=SIM -ENV SGX_MODE $SGX_MODE +ENV SGX_MODE=$SGX_MODE ARG PDO_DEBUG_BUILD=1 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD} @@ -45,7 +45,12 @@ ENV PDO_MEMORY_CONFIG=${PDO_MEMORY_CONFIG} ARG PDO_LOG_LEVEL=info ENV PDO_LOG_LEVEL=${PDO_LOG_LEVEL} -# copy the source files into the image +# copy the source files into the image using the user +# identity that was created in the base container +ARG UNAME=pdo_user +ENV UNAME=${UNAME} + +USER $UNAME WORKDIR /project/pdo COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src @@ -55,10 +60,8 @@ COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src WORKDIR /project/pdo/tools COPY --chown=${UNAME}:${UNAME} tools/*.sh ./ -# built it! -ARG UID=1000 -ARG GID=${UID} -RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \ +# build it! +RUN --mount=type=cache,target=/project/pdo/.cache/pip \ /project/pdo/tools/build_services.sh # Network ports for running services @@ -66,7 +69,6 @@ EXPOSE 7001 7002 7003 7004 7005 EXPOSE 7101 7102 7103 7104 7105 EXPOSE 7201 7202 7203 7204 7205 - # Note that the entry point when specified with exec syntax # can be extended through the docker run interface far more # easily than if you use the other specification format of diff --git a/docker/pdo_services_base.dockerfile b/docker/pdo_services_base.dockerfile index f4357384..2818b0fa 100644 --- a/docker/pdo_services_base.dockerfile 
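Review bot: In the "build it!" hunk the pip cache mount loses its `uid=${UID},gid=${GID}` options while the stage now executes build_services.sh as `$UNAME` (switched a hunk earlier), so the root-owned cache directory BuildKit provides by default is very likely not writable by the build user and pip silently stops caching. Re-declare `ARG UID=1000` and `ARG GID=${UID}` in this file and keep `uid=${UID},gid=${GID}` on the mount; the values from pdo_base are ARGs and are not inherited by derived images. Consider persisting the ids as ENV in pdo_base so all three derived Dockerfiles can reference one source of truth.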
+++ b/docker/pdo_services_base.dockerfile @@ -14,7 +14,7 @@ # limitations under the License. # ------------------------------------------------------------------------------ -ARG PDO_VERSION +ARG PDO_VERSION=latest FROM pdo_base:${PDO_VERSION} ARG UBUNTU_VERSION=22.04 @@ -24,7 +24,11 @@ ARG SGX=2.25 ARG OPENSSL=3.0.14 ARG SGXSSL=3.0_Rev4 -RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \ +USER root + +RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ + --mount=type=cache,target=/var/lib/apt,sharing=locked \ + echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \ && wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \ && apt-get update \ && apt-get install -y \ @@ -86,17 +90,9 @@ ENV SGX_SSL="/opt/intel/sgxssl" # ----------------------------------------------------------------- # ----------------------------------------------------------------- -WORKDIR /project/pdo - -ARG UNAME=pdo_services +ARG UNAME=pdo_user ENV UNAME=${UNAME} -ARG UID=1000 -ARG GID=$UID - -RUN groupadd -f -g $GID -o $UNAME -RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME -RUN chown --recursive $UNAME:$UNAME /project/pdo USER $UNAME - +WORKDIR /project/pdo ENTRYPOINT ["/bin/bash"] diff --git a/docker/services_base.yaml b/docker/services_base.yaml index d9c382cc..460f5095 100644 --- a/docker/services_base.yaml +++ b/docker/services_base.yaml @@ -13,7 +13,7 @@ # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: services_container: diff --git a/docker/test-sgx.yaml b/docker/test-sgx.yaml index 5b1a7d53..f78a0bd3 100644 --- a/docker/test-sgx.yaml +++ b/docker/test-sgx.yaml 
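Review bot: The rewritten RUN in the second hunk still anchors trust for the Intel SGX repository with `wget -qO - .../intel-sgx-deb.key | apt-key add -` and a `deb [arch=amd64] ...` entry without `signed-by=`; apt-key is deprecated, and a key added that way is trusted for every configured repository rather than just Intel's. Prefer a keyring plus a scoped source: `wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg` and `echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" > /etc/apt/sources.list.d/intel-sgx.list` (gpg must be present in pdo_base; I cannot tell from here). Checking the downloaded key's fingerprint against the value Intel publishes would be the stronger supply-chain control. This `apt-get install -y` also lacks the `--no-install-recommends` the other Dockerfiles use; the rest of the RUN continues outside the hunk.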
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + services: ccf_container: diff --git a/docker/test.yaml b/docker/test.yaml index 96b11fcc..08eb15f0 100644 --- a/docker/test.yaml +++ b/docker/test.yaml @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # ------------------------------------------------------------------------------ -version: "3.4" + # Note that we do not need to specify PDO_HOSTNAME or PDO_LEDGER_URL # (or the corresponding --inteface or --ledger switches) for the test