Build Scone app
In this tutorial, you will learn how to build and run a Confidential Computing application with the Scone TEE framework.
Prerequisites:
In order to follow this tutorial, you will need to register a free SCONE Account to access SCONE build tools and curated images from the SCONE registry.
# when your account is ready, run `docker login` to connect the SCONE registry
docker login registry.scontain.com
For demo purposes, we omitted some development best practices in these examples.
Make sure to check your field's best practices before going to production.
Before going further, the <docker-hub-user>/hello-world:1.0.0 image built previously is required. For this tutorial, you can reuse the same directory tree or create a new one.
To create a new directory tree, execute the following commands in ~/iexec-projects/:
cd ~/iexec-projects
mkdir tee-hello-world-app && cd tee-hello-world-app
iexec init --skip-wallet
mkdir src
touch Dockerfile
touch sconify.sh
chmod +x sconify.sh
Make sure your chain.json content is as follows:
{
"default": "bellecour",
"chains": {
"bellecour": {
"sms": { "scone": "https://sms.scone-debug.v8-bellecour.iex.ec" }
}
}
}
If you start from a new directory tree, you will need to replay the following steps from Build your first application:
As mentioned earlier, the advantage of using SCONE is that it makes the application Intel® SGX-enabled without changing its source code. The only thing we are going to do is rebuild the app using the Trusted Execution Environment tooling provided by SCONE.
SCONE provides TEE conversion tooling (Python, Java, ...) and, for some other languages (NodeJs), TEE base images.
We will use the following script to wrap the sconification process. Copy the sconify.sh script into the current directory (Javascript or Python variant, depending on your app):
Javascript - sconify.sh
#!/bin/bash
# Declare the app entrypoint
ENTRYPOINT="node /app/app.js"
# Declare image related variables
IMG_NAME=tee-scone-hello-world
IMG_FROM=<docker-hub-user>/hello-world:1.0.0
IMG_TO=<docker-hub-user>/${IMG_NAME}:1.0.0-debug
# Pull the curated SCONE node base image used by the sconifier
docker pull registry.scontain.com/sconecuratedimages/node:14.4.0-alpine3.11
# Run the sconifier to build the TEE image based on the non-TEE image
# (the docker socket is mounted so the sconifier can build and tag the image on the host)
docker run -it --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    registry.scontain.com/scone-production/iexec-sconify-image:5.7.5-v12 \
    sconify_iexec \
    --name=${IMG_NAME} \
    --from=${IMG_FROM} \
    --to=${IMG_TO} \
    --binary-fs \
    --fs-dir=/app \
    --host-path=/etc/hosts \
    --host-path=/etc/resolv.conf \
    --binary=/usr/local/bin/node \
    --heap=1G \
    --dlopen=1 \
    --no-color \
    --verbose \
    --command="${ENTRYPOINT}" \
    && echo -e "\n------------------\n" \
    && echo "successfully built TEE docker image => ${IMG_TO}" \
    && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})"
# Notes: --heap=1G must match the heapSize (in bytes) declared later in iexec.json,
# and ENTRYPOINT is quoted so its space is passed to --command as a single argument.
Python - sconify.sh
#!/bin/bash
# Declare the app entrypoint
ENTRYPOINT="python3 /app/app.py"
# Declare image related variables
IMG_NAME=tee-scone-hello-world
IMG_FROM=<docker-hub-user>/hello-world:1.0.0
IMG_TO=<docker-hub-user>/${IMG_NAME}:1.0.0-debug
# Run the sconifier to build the TEE image based on the non-TEE image
# (the docker socket is mounted so the sconifier can build and tag the image on the host)
docker run -it --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    registry.scontain.com/scone-production/iexec-sconify-image:5.7.5-v12 \
    sconify_iexec \
    --name=${IMG_NAME} \
    --from=${IMG_FROM} \
    --to=${IMG_TO} \
    --binary-fs \
    --fs-dir=/app \
    --host-path=/etc/hosts \
    --host-path=/etc/resolv.conf \
    --binary=/usr/local/bin/python3.7 \
    --heap=1G \
    --dlopen=1 \
    --no-color \
    --verbose \
    --command="${ENTRYPOINT}" \
    && echo -e "\n------------------\n" \
    && echo "successfully built TEE docker image => ${IMG_TO}" \
    && echo "application mrenclave.fingerprint is $(docker run --rm -e SCONE_HASH=1 ${IMG_TO})"
# Notes: --heap=1G must match the heapSize (in bytes) declared later in iexec.json,
# and ENTRYPOINT is quoted so its space is passed to --command as a single argument.
Run the sconify.sh script to build the Scone TEE application:
./sconify.sh
Push your image on DockerHub:
docker push <docker-hub-user>/tee-scone-hello-world:1.0.0-debug
Congratulations, you just built your Scone TEE application.
You may have noticed the tee-debug flag in the image name: the built image is actually in TEE debug mode, which gives you some debug features while developing the app. Once you are happy with the debug app, contact us to go to production!
At this stage, your application is ready to be tested on iExec. The process is similar to testing any type of application on the platform, with these minor exceptions:
TEE applications require some additional information to be filled in during deployment.
# prepare the TEE application template
iexec app init --tee
Edit iexec.json and fill in the standard keys and the mrenclave object:
{
...
"app": {
"owner": "<your-wallet-address>", // starts with 0x
"name": "tee-scone-hello-world", // application name
"type": "DOCKER",
"multiaddr": "docker.io/<docker-hub-user>/tee-scone-hello-world:1.0.0-debug", // app image
"checksum": "<checksum>", // starts with 0x, update it with your own image digest
"mrenclave": {
"framework": "SCONE", // TEE framework (keep default value)
"version": "v5", // Scone version (keep default value)
"entrypoint": "node /app/app.js", // or "python3 /app/app.py" for the Python app; update it with your own image entrypoint
"heapSize": 1073741824, // heap size in bytes, update it with --heap option value used in sconify.sh script during TEE image build
"fingerprint": "<mrenclave>" // fingerprint of the enclave code (mrenclave), without 0x prefix, see how to retrieve it below
}
},
...
}
Run your TEE image with SCONE_HASH=1 to get the enclave fingerprint (mrenclave):
docker run --rm -e SCONE_HASH=1 <docker-hub-user>/tee-scone-hello-world:1.0.0-debug
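The mrenclave object is easy to get subtly wrong (heapSize in bytes instead of the 1G passed to sconify, a fingerprint copied with a 0x prefix, an entrypoint that differs from ENTRYPOINT), and the mismatch only shows up once the task runs, so it is worth checking before iexec app deploy. The following Python check is an added example, not part of the iExec docs or the SCONE tooling; the sconify.sh and iexec.json contents it uses are constructed placeholders, and it assumes the layout shown on this page (ENTRYPOINT="..." and --heap=... in sconify.sh, app.mrenclave in iexec.json with comments already stripped).

```python
import re

# Constructed stand-in for the sconify.sh above, reduced to ENTRYPOINT and --heap.
SAMPLE_SCONIFY = '''#!/bin/bash
ENTRYPOINT="node /app/app.js"
docker run -it --rm sconifier sconify_iexec --heap=1G --command="${ENTRYPOINT}"
'''

# Constructed "app" section of iexec.json; digest and mrenclave are placeholders.
SAMPLE_IEXEC = {"app": {
    "checksum": "0x" + "ab" * 32,
    "mrenclave": {"framework": "SCONE", "version": "v5",
                  "entrypoint": "node /app/app.js", "heapSize": 1073741824,
                  "fingerprint": "cd" * 32},
}}

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def heap_to_bytes(heap):
    """Convert a sconify --heap value such as 1G into the byte count iexec.json expects."""
    m = re.fullmatch(r"(\d+)([KMG]?)", heap)
    if not m:
        raise ValueError(f"unrecognised --heap value: {heap!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_sconify(script):
    """Extract ENTRYPOINT and the --heap argument from sconify.sh text."""
    entry = re.search(r'^ENTRYPOINT="([^"]+)"', script, re.M)
    heap = re.search(r"--heap=(\S+)", script)
    if not entry or not heap:
        raise ValueError("ENTRYPOINT or --heap not found in sconify.sh")
    return entry.group(1), heap.group(1)

def check_mrenclave(iexec, script):
    """List the mismatches between iexec.json and the build; [] means consistent."""
    entrypoint, heap = parse_sconify(script)
    app, mr = iexec["app"], iexec["app"]["mrenclave"]
    checksum = str(app.get("checksum", ""))
    problems = []
    if mr.get("entrypoint") != entrypoint:
        problems.append(f"entrypoint {mr.get('entrypoint')!r} differs from ENTRYPOINT {entrypoint!r}")
    if mr.get("heapSize") != heap_to_bytes(heap):
        problems.append(f"heapSize {mr.get('heapSize')} differs from --heap={heap} ({heap_to_bytes(heap)} bytes)")
    if not HEX64.fullmatch(str(mr.get("fingerprint", ""))):
        problems.append("fingerprint must be the 64 hex chars printed with SCONE_HASH=1, without 0x")
    if not (checksum.startswith("0x") and HEX64.fullmatch(checksum[2:])):
        problems.append("checksum must be 0x followed by the 64 hex chars of the image digest")
    return problems
```

To use it on a real project, load iexec.json with json.load (after removing the // comments) and read sconify.sh as text, then call check_mrenclave on the pair.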
Deploy the app with the standard command:
iexec app deploy
Specify the tag --tag tee,scone in the iexec app run command to run a TEE app. One last thing: in order to run a TEE-debug app you will also need to select a debug workerpool, use the debug workerpool debug-v8-bellecour.main.pools.iexec.eth. The debug workerpool is connected to a debug Secret Management Service (this is fine for debugging, but do not use it to store production secrets); we will need to init the storage token on this SMS.
# initialize the storage
iexec storage init --tee-framework scone
You are now ready to run the app:
iexec app run --tag tee,scone --workerpool debug-v8-bellecour.main.pools.iexec.eth --watch
You noticed we used debug-v8-bellecour.main.pools.iexec.eth instead of an Ethereum address: this is an ENS name. The ENS (Ethereum Name Service) protocol enables associating decentralized names with Ethereum addresses.
In this tutorial, you learned how to leverage Trusted Execution Environments for your application using iExec. Depending on your use case, you may need to use some confidential data to get the full potential of the Confidential Computing paradigm. Check out the next chapters to see how: