{"id":21905902,"url":"https://github.com/cosmian/mse-docker-base","last_synced_at":"2025-07-21T17:30:37.311Z","repository":{"id":105088490,"uuid":"585072581","full_name":"Cosmian/mse-docker-base","owner":"Cosmian","description":"MicroService Encryption base docker image","archived":true,"fork":false,"pushed_at":"2024-06-20T07:31:23.000Z","size":57,"stargazers_count":0,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-16T17:58:13.724Z","etag":null,"topics":["cosmian","docker","microservice-encryption","mse","sgx"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cosmian.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-04T08:47:17.000Z","updated_at":"2024-11-20T13:35:15.000Z","dependencies_parsed_at":"2024-06-20T19:42:45.014Z","dependency_job_id":"31cf1ed9-002f-4f21-bd1f-b01eb386d71b","html_url":"https://github.com/Cosmian/mse-docker-base","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Cosmian/mse-docker-base","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cosmian%2Fmse-docker-base","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cosmian%2Fmse-docker-base/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cosmian%2Fmse-docker-base/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cosmian%2Fmse-docker-base/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cosmian","download_url":"https://codeload.github.com/Cosmian/mse-docker-base/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cosmian%2Fmse-docker-base/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266342809,"owners_count":23914262,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-21T11:47:31.412Z","response_time":64,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cosmian","docker","microservice-encryption","mse","sgx"],"created_at":"2024-11-28T16:39:10.276Z","updated_at":"2025-07-21T17:30:37.044Z","avatar_url":"https://github.com/Cosmian.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Microservice Encryption Docker Base\n\n## Overview\n\nBase Docker image used for Python web application launched with [MSE](https://cosmian.com/microservice-encryption/).\n\nThe Docker image is built and released with GitHub Actions as below:\n\n```console\n$ export BUILD_DATE=\"$(date \"+%Y%m%d%H%M%S\")\"\n$ docker build -t mse-base:$BUILD_DATE .\n```\n\nYou should use images released on [pkgs/mse-base](https://github.com/Cosmian/mse-docker-base/pkgs/container/mse-base) as base layer.\n\n## Extend with your own dependencies\n\nAs an example, `mse-base` can be extended with [Flask](https://flask.palletsprojects.com/en/2.2.x/):\n\n```\nFROM 
ghcr.io/cosmian/mse-base:LAST_DATE_ON_GH_PACKAGES\n\nRUN pip3 install \"flask==2.2.2\"\n```\n\nReplace `LAST_DATE_ON_GH_PACKAGES` with the latest tag on [pkgs/mse-base](https://github.com/Cosmian/mse-docker-base/pkgs/container/mse-base), then:\n\n```console\n$ docker build -t mse-flask:2.2.2 .\n```\n\n## Run with SGX\n\nFirst compress your Python Flask application:\n\n```console\n$ tree mse_src/\nmse_src\n└── app.py\n\n0 directories, 2 files\n$ cat mse_src/app.py\nfrom flask import Flask\n\napp = Flask(__name__)\n\n@app.route('/')\ndef hello():\n    return \"Hello World!\"\n$ tar -cvf /tmp/app.tar --directory=mse_src app.py\n```\n\nthen generate a signer RSA key for the enclave:\n\n```console\n$ openssl genrsa -3 -out enclave-key.pem 3072\n```\n\nand finally run the Docker container with:\n\n- Enclave signer key mounted to `/root/.config/gramine/enclave-key.pem`\n- Tar of the Python application mounted anywhere (`/tmp/app.tar` can be used)\n- `mse-run` binary as Docker entrypoint\n- Enclave size in `--size` (could be `2G`, `4G`, `8G`)\n- Path of the tar mounted previously in `--code`\n- Module path of your Flask application in `--application` (usually `app:app`)\n- Random UUID v4 in `--uuid`\n- Expiration date of the certificate as Unix epoch time in `--self-signed`\n\n```console\n$ docker run -p 8080:443 \\\n    --device /dev/sgx_enclave \\\n    --device /dev/sgx_provision \\\n    --device /dev/sgx/enclave \\\n    --device /dev/sgx/provision \\\n    -v /var/run/aesmd:/var/run/aesmd \\\n    -v \"$(realpath enclave-key.pem)\":/root/.config/gramine/enclave-key.pem \\\n    -v /tmp/app.tar:/tmp/app.tar \\\n    --entrypoint mse-run \\\n    mse-flask:2.2.2 --size 8G \\\n                    --code /tmp/app.tar \\\n                    --host localhost \\\n                    --application app:app \\\n                    --uuid 533a2b83-4bc5-4a9c-955e-208c530bfd15 \\\n                    --self-signed 1769155711\n```\n\n## Check microservice status\n\n```console\n$ # get 
self-signed certificate with OpenSSL\n$ openssl s_client -showcerts -connect localhost:8080 \u003c/dev/null 2\u003e/dev/null | openssl x509 -outform PEM \u003e/tmp/cert.pem\n$ # force self-signed certificate as CA bundle\n$ curl https://localhost:8080 --cacert /tmp/cert.pem\n```\n\n## Compute MRENCLAVE without SGX\n\nThe integrity of the application running in `mse-flask` is reflected in the `MRENCLAVE` value, which is a SHA-256 hash digest of code, data, heap, stack, and other attributes of an enclave.\n\nUse the `--dry-run` parameter with exactly the same other parameters as above to output the `MRENCLAVE` value:\n\n```console\n$ docker run --rm \\\n    -v /tmp/app.tar:/tmp/app.tar \\\n    --entrypoint mse-run \\\n    mse-flask:2.2.2 --size 8G \\\n                    --code /tmp/app.tar \\\n                    --host localhost \\\n                    --application app:app \\\n                    --uuid 533a2b83-4bc5-4a9c-955e-208c530bfd15 \\\n                    --self-signed 1769155711 \\\n                    --dry-run\n```\n\n__Note__: the `MRSIGNER` value should be ignored because it is randomly generated at each dry run.\n\n\n## Testing Docker environment\n\nIf you want to test that your Docker image contains all the dependencies needed, `mse-test` wraps the `flask run` command for you if you mount your code directory to `/mse-app`:\n\n```console\n$ docker run --rm -ti \\\n    --entrypoint mse-test \\\n    --net host \\\n    -v \"$(realpath mse_src)\":/mse-app \\\n    mse-flask:2.2.2 \\\n    --application app:app \\\n    --debug\n$ # default host and port of flask development server\n$ curl http://127.0.0.1:5000\n```\n\nTo use your `secrets.json`, just add `-v \"$(realpath secrets.json)\":/root/.cache/mse/secrets.json` to mount the file.\n\n\n## Determine the enclave memory size of your image\n\nSome files contained in the Docker image are mounted into the enclave: libs, etc.\nThese files take up part of the enclave size you have declared. 
The remaining space is the effective memory your app can use.\n\nYou can compute the effective memory by adding `--memory` to the previous commands. For example:\n\n```console\n$ docker run --rm \\\n    -v /tmp/app.tar:/tmp/app.tar \\\n    --entrypoint mse-run \\\n    mse-flask:2.2.2 --size 8G \\\n                    --code /tmp/app.tar \\\n                    --host localhost \\\n                    --application app:app \\\n                    --uuid 533a2b83-4bc5-4a9c-955e-208c530bfd15 \\\n                    --self-signed 1769155711 \\\n                    --dry-run \\\n                    --memory\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcosmian%2Fmse-docker-base","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcosmian%2Fmse-docker-base","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcosmian%2Fmse-docker-base/lists"}