New docker flow

Signed-off-by: Marcus Brandenburger <[email protected]>

.github/workflows/test.yml

@@ -23,20 +23,21 @@ jobs:
       - uses: actions/checkout@v2
         with:
           submodules: 'recursive'
-      - name: build inside docker dev container
+
+      - name: build dev image
         env:
-          IS_CI_RUNNING: true
-          DOCKER_DEV_CI_MODE: 1
-          DOCKER_BUILDKIT: 0
+          DOCKER_BUILDKIT: 1
           DOCKER_QUIET_BUILD: 1
         run: |
-            DOCKER_BUILD_OPTS="--build-arg UBUNTU_VERSION=${{ matrix.os-version }} --build-arg UBUNTU_NAME=${{ matrix.os-name }}" \
-            make -C utils/docker run DOCKER_DEV_OPTIONAL_CMD='env IS_CI_RUNNING=true \
-                                                                  DOCKER_QUIET_BUILD=1 \
-                                                                  DOCKER_BUILDKIT=0 \
-                                                                  DOCKER_BUILD_OPTS="--build-arg UBUNTU_VERSION=${{ matrix.os-version }} --build-arg UBUNTU_NAME=${{ matrix.os-name }}" \
-                                                              make all clobber'
-            # we pass DOCKER_BUILD_OPTS, similar to DOCKER_QUITE_BUILD and DOCKER_BUILDKIT, to both 'make' invocations as 
-            # they are required when building the containers as part of 'make run' and when building inside the container (as part of make all)
-            # but make run does not automatically propagate environment variables to the container.
+          DOCKER_BUILD_OPTS="--build-arg UBUNTU_VERSION=${{ matrix.os-version }} --build-arg UBUNTU_NAME=${{ matrix.os-name }}" \
+          make -C utils/docker build build-dev
 
+      - name: run make inside dev container
+        env:
+          DOCKER_DEV_CI_MODE: 1
+          DOCKER_BUILDKIT: 1
+          DOCKER_QUIET_BUILD: 1
+        run: |
+          DOCKER_BUILD_OPTS="--build-arg UBUNTU_VERSION=${{ matrix.os-version }} --build-arg UBUNTU_NAME=${{ matrix.os-name }}" \
+          make -C utils/docker run-dev DOCKER_DEV_OPTIONAL_CMD='env IS_CI_RUNNING=true \
+                                                                make all clobber'

README.md

@@ -199,18 +199,26 @@ First make sure your host has
   will have to override in `$FPC_PATH/config.override.mk` the default definition in make of `DOCKER_DAEMON_SOCKET`)
 * GNU make
 
-Once you have cloned the repository, to build the docker image execute the following:
+Once you have cloned the repository, to pull the docker image and start the development container execute the following:
 ```bash
-cd $FPC_PATH
-cd utils/docker; make run
+cd $FPC_PATH/utils/docker
+make pull-dev 
+make run-dev
 ```
 
-This will open a shell inside the FPC development container, with environment variables like `$FPC_PATH` appropriately defined and all
+This will fetch the FPC development image and then opens a shell inside the FPC development container, with environment variables like `$FPC_PATH` appropriately defined and all
 dependencies like the Intel SGX SDK, ready to build and run FPC.
 
 Note that by default the dev container mounts your local cloned FPC project as a volume to `/project/src/github.com/hyperledger/fabric-private-chaincode` within the docker container.
 This allows you to edit the content of the repository using your favorite editor in your system and the changes inside the docker container. Additionally, you are also not loosing changes inside the container when you reboot or the container gets stopped for other reasons.
 
+In order to build the development image manually you can use the following commands. Note that this process may take some time.
+```bash
+cd $FPC_PATH/utils/docker
+make build-dev 
+make run-dev
+```
+
 A few more notes:
 * We use Ubuntu 20.04 by default.
   To build also docker images based on Ubuntu 18.04, add the following to `$FPC_PATH/config.override.mk`.

build.mk

@@ -15,7 +15,7 @@ endif
 GO := $(GO_CMD) $(GOFLAGS)
 
 .PHONY: all
-all: build test docker ci_report checks # keep checks last as license test is brittle ...
+all: build test ci_report checks # keep checks last as license test is brittle ...
 
 .PHONY: ci_report
 

ecc/Dockerfile.boilerplate-ecc

@@ -11,7 +11,7 @@
 #  - sgxmode:                    SGX_MODE
 #  - Chaincode as a Server Port: CAAS_PORT
 
-ARG FPC_VERSION=latest
+ARG FPC_VERSION=main
 
 FROM hyperledger/fabric-private-chaincode-ccenv:${FPC_VERSION}
 

ecc/Dockerfile.fpc-app

@@ -13,7 +13,7 @@
 # expects to be run with the docker context pointed o directory containing chaincode's enclave.so
 
 ARG HW_EXTENSION
-ARG FPC_VERSION=latest
+ARG FPC_VERSION=main
 
 FROM hyperledger/fabric-private-chaincode-boilerplate-ecc${HW_EXTENSION}:${FPC_VERSION}
 

ercc/Dockerfile

@@ -3,7 +3,9 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM hyperledger/fabric-private-chaincode-base-rt:latest
+ARG FPC_VERSION=main
+
+FROM hyperledger/fabric-private-chaincode-ccenv:${FPC_VERSION}
 
 ENV PATH=/opt/ercc:$PATH
 

samples/deployment/k8s/README.md

@@ -20,16 +20,21 @@ Many steps of this tutorial can also be invoked by using `just`. See official [i
 
 ## Prepare FPC deployment components
 
-Let's first build the FPC components.
+FPC requires a special docker container to execute a FPC chaincode, similar to Fabric's `ccenv` container image but with additional support for Intel SGX.  
+You can pull the FPC chaincode environment image (`fabric-private-chaincode-ccenv`) from our Github repository or build them manually as follows:
+
 ```bash
-cd $FPC_PATH
-make build
+# pulls the fabric-private-chaincode-ccenv image from github
+make -C $FPC_PATH/utils/docker pull
+
+# builds fabric-private-chaincode-ccenv image from scratch
+make -C $FPC_PATH/utils/docker build
 ```
 
-Next create the FPC Enclave Registry docker image
+Then we build the FPC components including the FPC Enclave Registry docker image.
 ```bash
-cd $FPC_PATH/ercc
-make docker
+make -C $FPC_PATH build
+make -C $FPC_PATH/ercc docker
 ```
 
 ### Build your FPC Chaincode

samples/deployment/test-network/README.md

@@ -8,14 +8,24 @@ the FPC Dev docker container.
 
 ## Prepare FPC Containers and the Test Network
 
-We start with building the FPC components as docker images which are deployed on our test network.
+FPC requires a special docker container to execute a FPC chaincode, similar to Fabric's `ccenv` container image but with additional support for Intel SGX.  
+You can pull the FPC chaincode environment image (`fabric-private-chaincode-ccenv`) from our Github repository or build them manually as follows:
+
+```bash
+# pulls the fabric-private-chaincode-ccenv image from github
+make -C $FPC_PATH/utils/docker pull
+
+# building fabric-private-chaincode-ccenv image from scratch
+make -C $FPC_PATH/utils/docker build
+```
+
+Next, we package the FPC components as docker images (building on top of `fabric-private-chaincode-ccenv`) which are deployed on our test network.
 Use `CC_ID` and `CC_PATH` to define the FPC Chaincode you want to build.
 
 ```bash
 cd $FPC_PATH/samples/deployment/test-network
 export CC_ID=echo
 export CC_PATH=${FPC_PATH}/samples/chaincode/echo
-make -C $FPC_PATH/utils/docker build
 make build
 ```
 

utils/docker/Makefile

@@ -11,6 +11,8 @@ HW_EXTENSION=$(shell if [ "${SGX_MODE}" = "HW" ]; then echo "-hw"; fi)
 
 # Names and namespaces
 # ------------------
+DOCKER_REGISTRY ?= ghcr.io/mbrandenburger
+
 FPC_DOCKER_NAMESPACE := hyperledger/fabric-private-chaincode
 FPC_DOCKER_CC_BUILDER_NAME = $(FPC_DOCKER_NAMESPACE)-cc-builder$(HW_EXTENSION)
 FPC_DOCKER_DEV_NAME = $(FPC_DOCKER_NAMESPACE)-dev
@@ -110,7 +112,7 @@ DOCKER_DEV_RUN_OPTS += `curl -s https://codecov.io/env | bash`
 endif
 endif
 
-# Run a specific command (rather than bash) with 'make run' by defining
+# Run a specific command (rather than bash) with 'make run-dev' by defining
 # the variable DOCKER_DEV_OPTIONAL_CMD
 DOCKER_DEV_OPTIONAL_CMD=
 
@@ -125,7 +127,9 @@ build: ccenv
 # a rebuild could cause trouble for a dev container user.
 # Note 2: we removed "cc-builder peer" as dependencies since they are currenty unused (but might be helpful).
 
-run: dev
+build-dev: base-dev
+
+run-dev: dev
 	# Cleanup existing but non-running (note absence of --force in rm!) old dev containers
 	dev_container_id=$$(docker ps -a | grep ${DOCKER_DEV_CONTAINER_NAME} | awk '{ print $$1 }'); \
 	   [ -z  "$${dev_container_id}" ] || ${DOCKER} rm "$${dev_container_id}"
@@ -154,6 +158,8 @@ clobber:
 		$(FPC_DOCKER_CCENV_NAME) \
 		$(FPC_DOCKER_BASE_RT_NAME) \
 		$(FPC_DOCKER_BASE_DEV_NAME) \
+		$(DOCKER_REGISTRY)/$(FPC_DOCKER_CCENV_NAME) \
+		$(DOCKER_REGISTRY)/$(FPC_DOCKER_BASE_DEV_NAME) \
 	    ; do \
 		if [ ! -z "$$(docker images -q $${img}:$${tag})" ]; then \
 		    ${DOCKER} rmi $${img}:$${tag}; \
@@ -207,14 +213,11 @@ peer: base-dev
          . )
 	$(DOCKER) tag $(FPC_DOCKER_PEER_NAME) $(FPC_DOCKER_PEER_NAME):${FPC_VERSION}
 
-dev: base-dev
+dev:
 	(cd ${TOP} &&\
          $(DOCKER) build $(DOCKER_BUILD_OPTS) -t $(FPC_DOCKER_DEV_NAME)\
          $(DOCKER_DEV_BUILD_OPTS)\
-         -f ./utils/docker/dev_peer_cc-builder/Dockerfile\
-	 --target dev \
-         --build-arg FPC_REPO_URL=file:///tmp/cloned-local-fpc-git-repo\
-         --build-arg FPC_REPO_BRANCH_TAG_OR_COMMIT=$$(git rev-parse HEAD)\
+         -f ./utils/docker/dev/Dockerfile\
          --build-arg SGX_MODE=${SGX_MODE}\
          . )
 	$(DOCKER) tag $(FPC_DOCKER_DEV_NAME) $(FPC_DOCKER_DEV_NAME):${FPC_VERSION}
@@ -231,3 +234,22 @@ cc-builder: base-dev
          . )
 	$(DOCKER) tag $(FPC_DOCKER_CC_BUILDER_NAME) $(FPC_DOCKER_CC_BUILDER_NAME):${FPC_VERSION}
 
+publish:
+	for img in \
+		$(FPC_DOCKER_CCENV_NAME) \
+		$(FPC_DOCKER_BASE_DEV_NAME) \
+	; do \
+	  	echo $${img}; \
+		$(DOCKER) tag $${img}:$(FPC_VERSION) $(DOCKER_REGISTRY)/$${img}:$(FPC_VERSION); \
+		$(DOCKER) push $(DOCKER_REGISTRY)/$${img}:$(FPC_VERSION); \
+	done;
+
+pull:
+	# ccenv
+	$(DOCKER) pull $(DOCKER_REGISTRY)/$(FPC_DOCKER_CCENV_NAME):$(FPC_VERSION)
+	$(DOCKER) image tag $(DOCKER_REGISTRY)/$(FPC_DOCKER_CCENV_NAME):$(FPC_VERSION) $(FPC_DOCKER_CCENV_NAME):$(FPC_VERSION)
+
+pull-dev:
+	# base-dev
+	$(DOCKER) pull $(DOCKER_REGISTRY)/$(FPC_DOCKER_BASE_DEV_NAME):$(FPC_VERSION)
+	$(DOCKER) image tag $(DOCKER_REGISTRY)/$(FPC_DOCKER_BASE_DEV_NAME):$(FPC_VERSION) $(FPC_DOCKER_BASE_DEV_NAME):$(FPC_VERSION)

utils/docker/README.md

@@ -0,0 +1,130 @@
+# FPC docker 
+
+## Use cases
+
+The docker images provided in this repository target different use cases:
+
+1) *Used as FPC dev environment*
+
+   Provides a complete development environment including Intel SGX compiler, etc... 
+   Useful to develop and test FPC locally without installing FPC dependencies on local dev machine. 
+   This refers to preferred option to getting started with FPC.
+
+1) *Used as CI environment*
+
+   Based on FPC dev environment and used during Github CI. 
+
+1) *Used as runtime environment for FPC components (FPC chaincode and ERCC)*
+
+   Required to package, deploy, and run FPC chaincode. 
+
+
+## Docker Images
+
+FPC comes with the following docker images to build FPC components and the development environment.
+All images start with `hyperledger/fabric-private-chaincode-` prefix.
+
+* `base-rt`: Base image for FPC. Includes all runtime dependencies including SGX runtime services.
+* `ccenv`: Chaincode environment image for FPC chaincodes based on `base-rt`.
+* `base-dev`: Base development image. Includes all build tools for FPC including protobuf, SGX SSL, SGX compiler, ...
+* `dev`: Development image based on `base-dev`. Add additional user-defined tools and development dependencies.
+
+These images can be build manually (see [Building images](#building-images) section) or pulled from `ghcr.io/hyperledger/fabric-private-chaincode` (see [Pulling images](#pulling-images) section).
+
+
+## Building images
+
+* `make build`: creates base-rt, ccenv
+
+* `make build-dev`: creates base-rt, base-dev
+
+
+## Pulling images
+
+* `make pull`: pulls ccenv
+
+* `make pull-dev`: pulls base-dev 
+
+Note that base-rt not pulled as it is an intermediate image included already as layer in `ccenv` and `base-dev`.
+
+## Running FPC dev environment
+
+* `make run-dev`: creates dev (if not exist) and runs it. Does not create base-dev and base-rt, returns an error if not exists.
+
+
+## Usage
+
+### Start docker-based FPC dev environment
+
+Option 1) Pull images and start dev container
+
+```bash
+cd utils/docker
+make pull-dev
+make run-dev
+## continue inside docker
+```
+
+Option 2) Build images from scratch and start dev container
+```bash
+cd utils/docker
+make build-dev
+make run-dev
+## continue inside docker
+```
+
+
+### CI
+
+If no changes in `utils/docker`
+```bash
+cd utils/docker
+make pull
+make run-dev
+## continue inside docker
+```
+
+otherwise
+```bash
+cd utils/docker
+make build-dev
+make run-dev
+## continue inside docker
+```
+
+
+### Build docker images for FPC runtime environment
+
+Pull images
+```bash
+cd utils/docker
+make pull
+```
+
+or build them
+```bash
+cd utils/docker
+make build
+```
+
+
+## Publishing
+
+We publish images for every new release (docker tag = `${FPC_VERSION}`) and on PR merged (docker tag = main) through CI.
+
+* `make publish`: pushing ccenv and base-dev to Github docker registry 
+
+When running the `publish` target manually (not through CI), docker login on `ghcr.io` is needed.
+See [documentation](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry).
+
+Use your github personal access token (PAT) to login.
+```bash
+export CR_PAT=YOUR_TOKEN
+echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin
+```
+
+Note that we only publish Ubuntu 20.04 LTS based images.
+
+### CI/CD
+TODO describe automated publishing
+

utils/docker/base-dev/Dockerfile

@@ -15,7 +15,7 @@
 #  - additional apt pkgs:       APT_ADD_PKGS
 
 
-ARG FPC_VERSION=latest
+ARG FPC_VERSION=main
 
 FROM hyperledger/fabric-private-chaincode-base-rt:${FPC_VERSION} as common
 
@@ -54,6 +54,9 @@ RUN apt-get update -q \
     python-protobuf \
     # docker commands (need as we use docker daemon from "outside")
     docker.io \
+    docker-compose \
+    psmisc \
+    bc \
     ${APT_ADD_PKGS}
 
 

utils/docker/ccenv/Dockerfile

@@ -9,6 +9,6 @@
 #  Configuration (build) paramaters (for defaults, see below section with ARGs)
 #  - fpc image version:		FPC_VERSION
 
-ARG FPC_VERSION=latest
+ARG FPC_VERSION=main
 
 FROM hyperledger/fabric-private-chaincode-base-rt:${FPC_VERSION}