-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathContainerfile
80 lines (72 loc) · 2.56 KB
/
Containerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
FROM stagex/eif_build:0.2.2@sha256:291653f1ca528af48fd05858749c443300f6b24d2ffefa7f5a3a06c27c774566 AS eif_build
FROM stagex/gen_initramfs:6.8@sha256:f5b9271cca6003e952cbbb9ef041ffa92ba328894f563d1d77942e6b5cdeac1a AS gen_initramfs
FROM stagex/linux-nitro:sx2024.03.0@sha256:073c4603686e3bdc0ed6755fee3203f6f6f1512e0ded09eaea8866b002b04264 AS linux-nitro
FROM common as base
RUN mkdir -p /qos/src
ADD . /qos/src
# pre-fetch all QOS deps
RUN cd /qos/src && cargo fetch
# pre-fetch all QOS deps even for crates excluded from the workspace
# these dependencies are needed when building qos_enclave
RUN cd /qos/src/init && cargo fetch
RUN cd /qos/src/qos_enclave && cargo fetch
FROM base AS build-qos_enclave
WORKDIR /qos/src/qos_enclave
RUN --network=none cargo build ${CARGOFLAGS}
RUN cp target/x86_64-unknown-linux-musl/release/qos_enclave /
RUN file /qos_enclave | grep "static-pie"
FROM base AS build-init
WORKDIR /qos/src/init
RUN --network=none cargo build ${CARGOFLAGS}
RUN cp target/x86_64-unknown-linux-musl/release/init /
RUN file /init | grep "static-pie"
FROM base as build-eif
WORKDIR /build_cpio
COPY --from=eif_build . /
COPY --from=gen_initramfs . /
COPY --from=build-init /init .
COPY --from=linux-nitro /nsm.ko .
COPY <<-EOF initramfs.list
file /init init 0755 0 0
file /nsm.ko nsm.ko 0755 0 0
dir /run 0755 0 0
dir /tmp 0755 0 0
dir /etc 0755 0 0
dir /bin 0755 0 0
dir /sbin 0755 0 0
dir /proc 0755 0 0
dir /sys 0755 0 0
dir /usr 0755 0 0
dir /usr/bin 0755 0 0
dir /usr/sbin 0755 0 0
dir /dev 0755 0 0
dir /dev/shm 0755 0 0
dir /dev/pts 0755 0 0
nod /dev/console 0600 0 0 c 5 1
EOF
ENV CPIO_TIMESTAMP=1
ENV KBUILD_BUILD_TIMESTAMP=1
RUN <<-EOF
find . -exec touch -hcd "@0" "{}" +
mkdir /build_eif
gen_init_cpio -t 1 initramfs.list > /build_eif/rootfs.cpio
touch -hcd "@0" rootfs.cpio
EOF
WORKDIR /build_eif
COPY --from=linux-nitro /bzImage .
COPY --from=linux-nitro /linux.config .
RUN eif_build \
--ramdisk rootfs.cpio \
--kernel bzImage \
--kernel_config linux.config \
--pcrs_output /nitro.pcrs \
--output /nitro.eif \
--cmdline 'reboot=k initrd=0x2000000,3228672 root=/dev/ram0 panic=1 pci=off nomodules console=ttyS0 i8042.noaux i8042.nomux i8042.nopnp i8042.dumbkbd'
FROM scratch as package
COPY --from=build-eif /nitro.eif .
COPY --from=build-eif /nitro.pcrs .
COPY --from=build-qos_enclave /qos_enclave .
ENTRYPOINT ["/qos_enclave"]
ENV EIF_PATH=/nitro.eif
ENV ENCLAVE_NAME=qos
EXPOSE 8080