Use AnolisOS as components image base OS

Signed-off-by: Jiale Zhang <[email protected]>
openanolis · Feb 18, 2025 · 1fc14bf · 1fc14bf
1 parent 15e102e
commit 1fc14bf
Show file tree

Hide file tree

Showing 7 changed files with 130 additions and 78 deletions.
diff --git a/Dockerfile.as-grpc b/Dockerfile.as-grpc
@@ -4,61 +4,59 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04 as builder
+FROM openanolis/anolisos:latest as builder
 ARG ARCH=x86_64
 
 WORKDIR /usr/src/attestation-service
 COPY . .
 
-# Install TPM Build Dependencies
-RUN apt-get update && apt-get install -y git openssh-client protobuf-compiler curl gnupg openssl clang libtss2-dev python3 python3-pip python3-dev && \
-rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+RUN cd /tmp && \
+    curl https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/distro/Anolis86/sgx_rpm_local_repo.tgz --output /tmp/sgx_rpm_local_repo.tgz && \
+    tar zxvf /tmp/sgx_rpm_local_repo.tgz && \
+    yum -y install yum-utils && yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    yum -y install epel-release && \
+    yum install -y --setopt=install_weak_deps=False --nogpgcheck libsgx-dcap-quote-verify-devel perl wget curl clang openssl-devel protobuf-devel git tpm2-tss tpm2-tss-devel python38 python38-pip python38-devel libudev-devel && \
+    yum clean all && \
+    rm -rf /tmp/*
 
 # Install Rust
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 
 # Install NV Attestation SDK
-RUN python3.12 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl --break-system-packages
-RUN python3.12 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl --break-system-packages
-
-# Install TDX Build Dependencies
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
-    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi
+RUN python3.8 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl
+RUN python3.8 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl
 
 # Build and Install gRPC attestation-service
+ENV PYTHON_VERSION=3.8
 RUN cargo install --path attestation-service --bin grpc-as --features grpc-bin --locked
 
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04
+FROM openanolis/anolisos:latest
 ARG ARCH=x86_64
 
-# Install TDX Runtime Dependencies
-RUN apt-get update && apt-get install curl gnupg openssl python3 python3-pip python3-dev -y && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+RUN cd /tmp && \
+    curl https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/distro/Anolis86/sgx_rpm_local_repo.tgz --output /tmp/sgx_rpm_local_repo.tgz && \
+    tar zxvf /tmp/sgx_rpm_local_repo.tgz && \
+    yum -y install yum-utils && yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    yum -y install epel-release && \
+    yum install -y --setopt=install_weak_deps=False --nogpgcheck libsgx-dcap-default-qpl libsgx-dcap-quote-verify tpm2-tss tpm2-tss-devel \
+        curl gnupg openssl python38 python38-pip python38-devel && \
+    yum clean all && \
+    rm -rf /tmp/*
 
 # Install NV Attestation SDK
 COPY --from=builder /usr/src/attestation-service/attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl /usr
 COPY --from=builder /usr/src/attestation-service/attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl /usr
-RUN python3.12 -m pip install /usr/nv_local_gpu_verifier-1.4.0-py3-none-any.whl --break-system-packages
-RUN python3.12 -m pip install /usr/nv_attestation_sdk-1.4.0-py3-none-any.whl --break-system-packages
+RUN python3.8 -m pip install /usr/nv_local_gpu_verifier-1.4.0-py3-none-any.whl
+RUN python3.8 -m pip install /usr/nv_attestation_sdk-1.4.0-py3-none-any.whl
 
-RUN pip3 install --upgrade setuptools==70.0.0 --break-system-packages
-RUN pip3 install --upgrade requests==2.32.0 --break-system-packages
+RUN pip3 install --upgrade setuptools==70.0.0
+RUN pip3 install --upgrade requests==2.32.0
 
 # Install NV Attestation Default Token validation policy
 COPY --from=builder /usr/src/attestation-service/deps/verifier/test_data/NVGPULocalPolicyDefault.json /usr/
 
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
-    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && \
-    apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi
-
-# Copy TPM Runtime Dependencies
-COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu
-
 COPY --from=builder /root/.cargo/bin/grpc-as /usr/local/bin/grpc-as
 
 VOLUME /opt/confidential-containers/attestation-service

diff --git a/Dockerfile.as-restful b/Dockerfile.as-restful
@@ -4,60 +4,58 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04 as builder
+FROM openanolis/anolisos:latest as builder
 ARG ARCH=x86_64
 
 WORKDIR /usr/src/attestation-service
 COPY . .
 
-# Install TPM Build Dependencies
-RUN apt-get update && apt-get install -y git openssh-client protobuf-compiler curl gnupg openssl clang libtss2-dev python3 python3-pip python3-dev && \
-rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+RUN cd /tmp && \
+    curl https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/distro/Anolis86/sgx_rpm_local_repo.tgz --output /tmp/sgx_rpm_local_repo.tgz && \
+    tar zxvf /tmp/sgx_rpm_local_repo.tgz && \
+    yum -y install yum-utils && yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    yum -y install epel-release && \
+    yum install -y --setopt=install_weak_deps=False --nogpgcheck libsgx-dcap-quote-verify-devel perl wget curl clang openssl-devel protobuf-devel git tpm2-tss tpm2-tss-devel python38 python38-pip python38-devel libudev-devel && \
+    yum clean all && \
+    rm -rf /tmp/*
 
 # Install Rust
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 
 # Install NV Attestation SDK
-RUN python3.12 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl --break-system-packages
-RUN python3.12 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl --break-system-packages
-
-# Install TDX Build Dependencies
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
-    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi
+RUN python3.8 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl
+RUN python3.8 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl
 
 # Build and Install RESTful attestation-service
+ENV PYTHON_VERSION=3.8
 RUN cargo install --path attestation-service --bin restful-as --features restful-bin --locked
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04
+FROM openanolis/anolisos:latest
 ARG ARCH=x86_64
 
-# Install TDX Runtime Dependencies
-RUN apt-get update && apt-get install curl gnupg openssl python3 python3-pip python3-dev -y && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+RUN cd /tmp && \
+    curl https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/distro/Anolis86/sgx_rpm_local_repo.tgz --output /tmp/sgx_rpm_local_repo.tgz && \
+    tar zxvf /tmp/sgx_rpm_local_repo.tgz && \
+    yum -y install yum-utils && yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    yum -y install epel-release && \
+    yum install -y --setopt=install_weak_deps=False --nogpgcheck libsgx-dcap-default-qpl libsgx-dcap-quote-verify tpm2-tss tpm2-tss-devel \
+        curl gnupg openssl python38 python38-pip python38-devel && \
+    yum clean all && \
+    rm -rf /tmp/*
 
 # Install NV Attestation SDK
 COPY --from=builder /usr/src/attestation-service/attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl /usr
 COPY --from=builder /usr/src/attestation-service/attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl /usr
-RUN python3.12 -m pip install /usr/nv_local_gpu_verifier-1.4.0-py3-none-any.whl --break-system-packages
-RUN python3.12 -m pip install /usr/nv_attestation_sdk-1.4.0-py3-none-any.whl --break-system-packages
+RUN python3.8 -m pip install /usr/nv_local_gpu_verifier-1.4.0-py3-none-any.whl
+RUN python3.8 -m pip install /usr/nv_attestation_sdk-1.4.0-py3-none-any.whl
 
-RUN pip3 install --upgrade setuptools==70.0.0 --break-system-packages
-RUN pip3 install --upgrade requests==2.32.0 --break-system-packages
+RUN pip3 install --upgrade setuptools==70.0.0
+RUN pip3 install --upgrade requests==2.32.0
 
 # Install NV Attestation Default Token validation policy
 COPY --from=builder /usr/src/attestation-service/deps/verifier/test_data/NVGPULocalPolicyDefault.json /usr/
 
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
-    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && \
-    apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
-    rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi
-
-# Copy TPM Runtime Dependencies
-COPY --from=builder /usr/lib/${ARCH}-linux-gnu/libtss* /usr/lib/${ARCH}-linux-gnu
-
 COPY --from=builder /root/.cargo/bin/restful-as /usr/local/bin/restful-as
 
 COPY ./attestation-service/config.json /etc/config.json

diff --git a/Dockerfile.ci b/Dockerfile.ci
@@ -4,15 +4,25 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04 as builder
+FROM openanolis/anolisos:latest as builder
 ARG ARCH=x86_64
 
 WORKDIR /usr/src/trustee
 COPY . .
 
-# Install TPM Build Dependencies
-RUN apt-get update && apt-get install -y git protobuf-compiler curl gnupg openssl clang libtss2-dev python3 python3-pip python3-dev libudev-dev pkg-config && \
-rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
+RUN cd /tmp && \
+    curl https://download.01.org/intel-sgx/sgx-dcap/1.21/linux/distro/Anolis86/sgx_rpm_local_repo.tgz --output /tmp/sgx_rpm_local_repo.tgz && \
+    tar zxvf /tmp/sgx_rpm_local_repo.tgz && \
+    yum -y install yum-utils && yum-config-manager --add-repo file:///tmp/sgx_rpm_local_repo && \
+    yum -y install epel-release && \
+    yum install -y --setopt=install_weak_deps=False --nogpgcheck pkg-config libsgx-dcap-quote-verify-devel libtdx-attest-devel \
+        perl wget git protobuf-compiler curl gnupg \
+        openssl openssl-devel clang \
+        tpm2-tss tpm2-tss-devel \
+        python38 python38-pip python38-devel \
+        libudev-devel && \
+    yum clean all && \
+    rm -rf /tmp/*
 
 # Install Rust
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
@@ -34,22 +44,19 @@ RUN curl -fsSL -o helm.tar.gz https://get.helm.sh/helm-${HELM_VERSION}-linux-amd
 RUN helm plugin install https://github.com/AliyunContainerService/helm-acr
 
 # Install NV Attestation SDK
-RUN python3.12 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl --break-system-packages
-RUN python3.12 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl --break-system-packages
+RUN python3.8 -m pip install attestation-service/docker/nv_local_gpu_verifier-1.4.0-py3-none-any.whl
+RUN python3.8 -m pip install attestation-service/docker/nv_attestation_sdk-1.4.0-py3-none-any.whl
 
-RUN pip3 install --upgrade setuptools==70.0.0 --break-system-packages
-RUN pip3 install --upgrade requests==2.32.0 --break-system-packages
-
-# Install TDX Build Dependencies
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | tee intel-sgx-deb.key | apt-key add - && \
-    echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev libtdx-attest-dev; fi
+RUN pip3 install --upgrade setuptools==70.0.0
+RUN pip3 install --upgrade requests==2.32.0
 
 # Build and install client tool
+ENV PYTHON_VERSION=3.8
 RUN cargo build -p kbs-client --locked --release --no-default-features --features ci_test
 RUN cp /usr/src/trustee/target/release/kbs-client /usr/local/bin/trustee-client
 
 # Build and install evidence dump tool
+ENV PYTHON_VERSION=3.8
 RUN cargo build -p evidence-dump --locked --release
 RUN cp /usr/src/trustee/target/release/evidence-dump /usr/local/bin/evidence-dump
 

diff --git a/Dockerfile.kbs b/Dockerfile.kbs
@@ -1,20 +1,27 @@
 # syntax=docker/dockerfile:1.3
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/rust:latest as builder
+FROM openanolis/anolisos:latest as builder
 ARG ARCH=x86_64
 ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=true
 
 WORKDIR /usr/src/kbs
 COPY . .
 
-RUN apt-get update && apt install -y openssh-client protobuf-compiler git libudev-dev
+RUN yum install -y openssh protobuf-compiler protobuf-devel git libudev-devel curl make gcc openssl openssl-devel clang 
+
+# Install Rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+RUN rustup component add rustfmt clippy
 
 # Build and Install KBS
 RUN cd kbs && make AS_FEATURE=coco-as-grpc HTTPS_CRYPTO=${HTTPS_CRYPTO} POLICY_ENGINE=opa ALIYUN=${ALIYUN} && \
     make install-kbs
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/ubuntu:24.04
+FROM openanolis/anolisos:latest
+
+RUN yum install -y openssl curl
 
 COPY --from=builder /usr/local/bin/kbs /usr/local/bin/kbs
 COPY --from=builder /usr/src/kbs/kbs/kbs-init/kbs-init /usr/local/bin/coco-kbs-init

diff --git a/Dockerfile.rvps b/Dockerfile.rvps
@@ -4,19 +4,26 @@
 # Licensed under the Apache License, Version 2.0, see LICENSE for details.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/rust:latest as builder
+FROM openanolis/anolisos:latest as builder
 
 WORKDIR /usr/src/rvps
 
 COPY . .
 
-RUN apt-get update && apt-get install git openssh-client protobuf-compiler -y
+RUN yum update -y && yum install -y curl git openssh protobuf-compiler make gcc openssl openssl-devel clang
+
+# Install Rust
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+ENV PATH="/root/.cargo/bin:${PATH}"
+RUN rustup component add rustfmt clippy
 
 RUN cargo install --bin rvps --path rvps
 
-FROM trustee-registry.cn-hangzhou.cr.aliyuncs.com/daily/debian:latest
+FROM openanolis/anolisos:latest
+
+RUN yum install -y openssl curl
 
-COPY --from=builder /usr/local/cargo/bin/rvps /usr/local/bin/rvps
+COPY --from=builder /root/.cargo/bin/rvps /usr/local/bin/rvps
 
 CMD ["rvps"]
 

diff --git a/attestation-service/build.rs b/attestation-service/build.rs
@@ -6,7 +6,24 @@ fn real_main() -> Result<(), String> {
 
     tonic_build::compile_protos("../protos/reference.proto").map_err(|e| format!("{e}"))?;
 
-    println!("cargo:rustc-link-lib=python3.12");
+    let python_version = std::env::var("PYTHON_VERSION").unwrap_or_else(|_| "3.12".to_string());
+
+    match python_version.as_str() {
+        "3.8" => {
+            println!("cargo:rustc-link-lib=python3.8");
+        }
+        "3.12" => {
+            println!("cargo:rustc-link-lib=python3.12");
+        }
+        _ => {
+            println!(
+                "cargo:warning=Unsupported Python version: {}",
+                python_version
+            );
+            println!("cargo:warning=Defaulting to Python 3.12");
+            println!("cargo:rustc-link-lib=python3.12");
+        }
+    }
     println!("cargo:rustc-link-search=native=/usr/lib");
 
     Ok(())

diff --git a/deps/verifier/build.rs b/deps/verifier/build.rs
@@ -1,4 +1,22 @@
 fn main() {
-    println!("cargo:rustc-link-lib=python3.12");
+    let python_version = std::env::var("PYTHON_VERSION").unwrap_or_else(|_| "3.12".to_string());
+
+    match python_version.as_str() {
+        "3.8" => {
+            println!("cargo:rustc-link-lib=python3.8");
+        }
+        "3.12" => {
+            println!("cargo:rustc-link-lib=python3.12");
+        }
+        _ => {
+            println!(
+                "cargo:warning=Unsupported Python version: {}",
+                python_version
+            );
+            println!("cargo:warning=Defaulting to Python 3.12");
+            println!("cargo:rustc-link-lib=python3.12");
+        }
+    }
+
     println!("cargo:rustc-link-search=native=/usr/lib");
 }