From 9f4958b5fde49e8c193d082068caa13712e974b8 Mon Sep 17 00:00:00 2001
From: Alexandru Ciobotaru
Date: Thu, 3 Nov 2022 13:54:59 +0200
Subject: [PATCH] kmstool-enclave: optimize the enclave image size
Use a scratch base image and copy only the mandatory dependencies to run the KMS Decrypt demo. This reduces the EIF image size from 147 MiB to 25 MiB.
Signed-off-by: Alexandru Ciobotaru
---
 containers/Dockerfile.al2 | 38 ++++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/containers/Dockerfile.al2 b/containers/Dockerfile.al2
index 37a1a0d..e166022 100644
--- a/containers/Dockerfile.al2
+++ b/containers/Dockerfile.al2
@@ -71,22 +71,35 @@ RUN cmake3 -DCMAKE_PREFIX_PATH=/usr -DCMAKE_INSTALL_PREFIX=/usr -GNinja \
 RUN cmake3 --build aws-nitro-enclaves-sdk-c/build --parallel $(nproc) --target install
 RUN cmake3 --build aws-nitro-enclaves-sdk-c/build --parallel $(nproc) --target docs
-# Test
-FROM builder as test
-RUN cmake3 --build aws-nitro-enclaves-sdk-c/build --target test
 # kmstool-enclave
-FROM amazonlinux:2 as kmstool-enclave
+RUN mkdir -p /rootfs
+WORKDIR /rootfs
+
+RUN BINS="\
+ /usr/lib64/libnsm.so \
+ /usr/bin/kmstool_enclave \
+ " && \
+ for bin in $BINS; do \
+ { echo "$bin"; ldd "$bin" | grep -Eo "/.*lib.*/[^ ]+"; } | \
+ while read path; do \
+ mkdir -p ".$(dirname $path)"; \
+ cp -fL "$path" ".$path"; \
+ done \
+ done
+
+RUN mkdir -p /rootfs/etc/pki/tls/certs/ \
+ && cp -f /etc/pki/tls/certs/* /rootfs/etc/pki/tls/certs/
+RUN find /rootfs
+
+FROM scratch as kmstool-enclave
+
+COPY --from=builder /rootfs /
-# TODO: building packages statically instead of cleaning up unwanted packages from amazonlinux
-RUN rpm -e python python-libs python-urlgrabber python2-rpm pygpgme pyliblzma python-iniparse pyxattr python-pycurl amazon-linux-extras yum yum-metadata-parser yum-plugin-ovl yum-plugin-priorities
-COPY --from=builder /usr/lib64/libnsm.so /usr/lib64/libnsm.so
-COPY --from=builder /usr/bin/kmstool_enclave /kmstool_enclave
 ARG REGION
 ARG ENDPOINT
 ENV REGION=${REGION}
 ENV ENDPOINT=${ENDPOINT}
-CMD ["/kmstool_enclave"]
+CMD ["/usr/bin/kmstool_enclave"]
 # kmstool-instance
 FROM amazonlinux:2 as kmstool-instance
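Review bot: The dependency walk in the new `RUN BINS=…` loop captures only what `ldd` prints, so anything glibc pulls in at run time through dlopen — NSS modules such as `libnss_files`/`libnss_dns` for name lookups, `libgcc_s` for thread cancellation, gconv modules — would be silently absent from the scratch rootfs, and the `grep -Eo "/.*lib.*/[^ ]+"` filter additionally drops any dependency whose directory name lacks `lib`. Whether kmstool_enclave touches any of those cannot be told from this hunk, so it is worth confirming by running the assembled image rather than relying on `RUN find /rootfs`, which only lists what was copied and otherwise leaves a debug step in the builder stage. Minor: `mkdir -p ".$(dirname $path)"` should quote the inner expansion, `mkdir -p ".$(dirname "$path")"`. Because the rootfs is now assembled from the builder's own glibc and CA bundle, the enclave measurements (PCRs) follow whatever package versions the builder base resolves to at build time; the builder's `FROM` is outside this hunk, and if it is not pinned by digest, reproducible EIF PCRs for a KMS key policy are not guaranteed.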
@@ -104,3 +117,8 @@ FROM amazonlinux:2 as kmstool-enclave-cli
 RUN rpm -e python python-libs python-urlgrabber python2-rpm pygpgme pyliblzma python-iniparse pyxattr python-pycurl amazon-linux-extras yum yum-metadata-parser yum-plugin-ovl yum-plugin-priorities
 COPY --from=builder /usr/lib64/libnsm.so /usr/lib64/libnsm.so
 COPY --from=builder /usr/bin/kmstool_enclave_cli /kmstool_enclave_cli
+
+# Test
+FROM builder as test
+WORKDIR /tmp/crt-builder
+RUN cmake3 --build aws-nitro-enclaves-sdk-c/build --parallel $(nproc) --target test
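Review bot: `WORKDIR /tmp/crt-builder` is needed here only because the builder stage now leaves its working directory at `/rootfs` (first hunk), and hardcoding the path duplicates whatever WORKDIR the builder set earlier, outside this hunk (presumably `/tmp/crt-builder`). Assembling the rootfs in its own stage, `FROM builder AS rootfs`, with `COPY --from=rootfs /rootfs /` in the scratch stage, would leave the builder's WORKDIR untouched, let this test stage drop the line, and keep the `find`/`cp` layers out of every stage that derives from `builder`.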