Ansible playbook simplification around SGX drivers (#2868)

.azure-pipelines-gh-pages.yml

@@ -7,7 +7,7 @@ trigger:
 
 jobs:
   - job: build_and_publish_docs
-    container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+    container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
     pool:
       vmImage: ubuntu-20.04
 

.azure-pipelines.yml

@@ -27,11 +27,11 @@ schedules:
 resources:
   containers:
     - container: nosgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
 
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache -v /lib/modules:/lib/modules:ro
 
 variables:

.daily.yml

@@ -23,11 +23,11 @@ schedules:
 resources:
   containers:
     - container: nosgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_PTRACE -v /dev/shm:/tmp/ccache
 
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

.github/workflows/ci-checks.yml

@@ -9,7 +9,7 @@ on:
 jobs:
   checks:
     runs-on: ubuntu-20.04
-    container: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+    container: ccfciteam/ccf-ci:oe0.17.1-focal-lite
 
     steps:
       - name: Checkout repository

.multi-thread.yml

@@ -16,7 +16,7 @@ pr:
 resources:
   containers:
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

.stress.yml

@@ -21,7 +21,7 @@ schedules:
 resources:
   containers:
     - container: sgx
-      image: ccfciteam/ccf-ci:oe0.17.1-focal-clang10
+      image: ccfciteam/ccf-ci:oe0.17.1-focal-lite
       options: --publish-all --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/sgx:/dev/sgx -v /dev/shm:/tmp/ccache
 
 jobs:

doc/build_apps/build_setup.rst

@@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to build CCF itself and CCF a
 .. code-block:: bash
 
     $ cd <ccf_path>/getting_started/setup_vm
-    $ ./run.sh driver.yml # Only on SGX-enabled hardware
     $ ./run.sh ccf-dev.yml
 
 Once this is complete, you can proceed to :doc:`/build_apps/build_app`.

doc/build_apps/install_bin.rst

@@ -22,7 +22,6 @@ These dependencies can be conveniently installed using the ``ansible`` playbooks
 .. code-block:: bash
 
     $ cd <ccf_path>/getting_started/setup_vm/
-    $ ./run.sh driver.yml # Only on SGX-enabled hardware
     $ ./run.sh app-dev.yml
 
 Install

doc/operations/run_setup.rst

@@ -11,7 +11,6 @@ Then, to quickly set up the dependencies necessary to start CCF applications, si
 .. code-block:: bash
 
     $ cd <ccf_path>/getting_started/setup_vm
-    $ ./run.sh driver.yml # Only on SGX-enabled hardware
     $ ./run.sh app-run.yml
 
 Runtime Container

docker/README.md

@@ -0,0 +1,12 @@
+# Docker images for CCF
+
+- `app_run`: Builds the image containing all runtime dependencies for CCF, as well as the latest release of CCF (as per https://github.com/microsoft/CCF/releases/latest). To be used by CCF operators.
+- `app_ci`: Builds the image containing all build dependencies for CCF applications. To be used by CCF application developers.
+- `ccf_ci`: Builds the image containing all build dependencies for CCF itself. To be used by CCF contributors. It is also used by CCF Continuous Integration pipeline.
+
+To build a given image, run:
+
+```bash
+$ cd CCF/
+$ docker build -t <tag> -f docker/<app_run|app_ci|ccf_ci> .
+```

docker/app_ci

@@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
 
 COPY getting_started/setup_vm/ /setup_vm/
 RUN apt update \
-    && apt install -y ansible software-properties-common bsdmainutils dnsutils \
+    && apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
     && cd setup_vm \
     && ansible-playbook app-dev.yml $extra_vars \
     && rm -rf /tmp/* \
-    && apt remove -y ansible software-properties-common \
+    && apt remove -y ansible software-properties-common curl \
     && apt -y autoremove \
     && apt -y clean

docker/app_run

@@ -27,10 +27,10 @@ RUN ["/bin/bash", "-c", "mv *sgx_$(echo ${PSW_VERSION//./_})_${UBUNTU}_custom_ve
 
 COPY getting_started/setup_vm/ /setup_vm/
 RUN apt update \
-    && apt install -y ansible software-properties-common bsdmainutils dnsutils \
+    && apt install -y ansible software-properties-common curl bsdmainutils dnsutils \
     && cd setup_vm \
     && ansible-playbook app-run.yml $extra_vars \
     && rm -rf /tmp/* \
-    && apt remove -y ansible software-properties-common \
+    && apt remove -y ansible software-properties-common curl \
     && apt -y autoremove \
     && apt -y clean

getting_started/setup_vm/app-run.yml

@@ -8,9 +8,6 @@
     - import_role:
         name: az_dcap
         tasks_from: install.yml
-    - import_role:
-        name: openenclave
-        tasks_from: binary_install.yml
     - import_role:
         name: ccf_install
         tasks_from: deb_install.yml

getting_started/setup_vm/driver.yml

@@ -1,5 +0,0 @@
-- hosts: localhost
-  tasks:
-    - import_role:
-        name: intel
-        tasks_from: sgx-driver.yml

getting_started/setup_vm/roles/ccf_build/vars/common.yml

@@ -25,8 +25,6 @@ debs:
   - iptables # partition test infra
   - libclang1-9 # required by doxygen
   - libclang-cpp9 # required by doxygen
-  - flex # required to build doxygen
-  - bison # required to build doxygen
 
 mbedtls_ver: "2.16.10"
 mbedtls_dir: "mbedtls-{{ mbedtls_ver }}"

getting_started/setup_vm/roles/ccf_install/tasks/deb_install.yml

@@ -7,7 +7,7 @@
       if [ "{{ ccf_ver }}" = "latest" ]; then
         curl -s https://api.github.com/repos/microsoft/ccf/releases/latest | egrep 'https://.*\.deb' | cut -d\" -f4
       else
-        echo "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
+        echo "https://github.com/microsoft/CCF/releases/download/ccf-{{ ccf_ver }}/ccf_{{ ccf_ver | replace('-', '_') }}_amd64.deb"
       fi
   register: ccf_deb_url
 

getting_started/setup_vm/roles/ccf_install/tasks/install.yml

@@ -1,37 +0,0 @@
-- name: Include vars
-  include_vars: common.yml
-
-- name: Download CCF release
-  get_url:
-    url: "{{ ccf_url }}"
-    dest: "{{ workspace }}"
-
-- name: Create directory
-  file:
-    path: "/opt/ccf"
-    state: directory
-  become: true
-
-- name: Expand CCF release
-  unarchive:
-    src: "/tmp/{{ ccf_tarball }}"
-    dest: "/opt/ccf"
-    extra_opts:
-      - --strip-components=1
-  become: true
-
-- name: Copy cchost
-  copy:
-    src: "/opt/ccf/bin/cchost"
-    dest: "/usr/bin/cchost"
-    remote_src: true
-    mode: a=rx
-  become: true
-  when: run_only|bool
-
-- name: Remove release
-  file:
-    path: "/opt/ccf"
-    state: absent
-  become: true
-  when: run_only|bool

getting_started/setup_vm/roles/ccf_install/vars/common.yml

@@ -1,6 +1 @@
-workspace: "/tmp/"
 ccf_ver: "latest"
-ccf_tarball: "ccf.tar.gz"
-ccf_suffix: "{{ 'latest/download' if ccf_ver == 'latest' else 'download/ccf-' + ccf_ver }}"
-ccf_url: "https://github.com/microsoft/CCF/releases/{{ ccf_suffix }}/{{ ccf_tarball }}"
-ccf_prefix: "/opt/openenclave"

getting_started/setup_vm/roles/intel/tasks/sgx-driver.yml

@@ -1,64 +0,0 @@
-# Copyright (c) Open Enclave SDK contributors.
-# Licensed under the MIT License.
-
----
-- name: Include distribution vars
-  include_vars:
-    file: common.yml
-
-- name: Install the dkms package
-  apt:
-    name:
-      - "dkms"
-    state: latest
-    update_cache: yes
-    install_recommends: no
-  become: true
-
-- name: Populate service facts
-  service_facts:
-
-- name: Ensure aesmd service stopped
-  service:
-    name: aesmd
-    state: stopped
-  when: "'aesmd.service' in ansible_facts.services"
-  become: true
-
-- name: Download Intel SGX DCAP Driver
-  get_url:
-    url: "{{intel_sgx_w_flc_driver_url}}"
-    dest: /tmp/sgx_linux_x64_driver.bin
-    mode: 0755
-    timeout: 120
-  retries: 3
-  when: flc_enabled|bool
-  become: true
-
-- name: Download Intel SGX1 Driver
-  get_url:
-    url: "{{intel_sgx1_driver_url}}"
-    dest: /tmp/sgx_linux_x64_driver.bin
-    mode: 0755
-    timeout: 120
-  retries: 3
-  when: not flc_enabled|bool
-  become: true
-
-- name: Install the Intel SGX DCAP Driver
-  command: /tmp/sgx_linux_x64_driver.bin
-  become: true
-
-- name: Remove the Intel SGX DCAP Driver installer
-  file:
-    path: /tmp/sgx_linux_x64_driver.bin
-    state: absent
-  become: true
-
-- name: Ensure aesmd service running
-  service:
-    name: aesmd
-    state: started
-    enabled: yes
-  when: "'aesmd.service' in ansible_facts.services"
-  become: true

getting_started/setup_vm/roles/intel/tasks/sgx-psw-dev.yml

@@ -1,39 +0,0 @@
-- name: Include distribution vars
-  include_vars:
-    file: common.yml
-
-- name: Install apt-transport-https APT package
-  apt:
-    name: apt-transport-https
-    state: latest
-  become: true
-
-- name: Add APT repository key
-  apt_key:
-    url: "https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key"
-    state: present
-  become: true
-
-- name: Add APT repository
-  apt_repository:
-    repo: "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu {{ ansible_distribution_release }} main"
-    state: present
-    update_cache: yes
-  become: true
-
-- name: Install the Intel libsgx packages
-  apt:
-    name: "{{ intel_sgx_dev_packages }}"
-    state: latest
-    update_cache: yes
-    install_recommends: no
-  become: true
-
-- name: Install the Intel DCAP packages
-  apt:
-    name: "{{ intel_dcap_dev_packages }}"
-    state: latest
-    update_cache: yes
-    install_recommends: no
-  when: flc_enabled|bool
-  become: true

getting_started/setup_vm/roles/intel/vars/common.yml

@@ -3,8 +3,6 @@
 
 ---
 flc_enabled: true
-intel_sgx_w_flc_driver_url: "https://download.01.org/intel-sgx/sgx-dcap/1.7/linux/distro/ubuntu20.04-server/sgx_linux_x64_driver_1.41.bin"
-intel_sgx1_driver_url: "https://download.01.org/intel-sgx/sgx-linux/2.13/distro/ubuntu20.04-server/sgx_linux_x64_driver_2.11.0_2d2b795.bin"
 
 intel_sgx_packages:
   - "libsgx-enclave-common"
@@ -14,14 +12,7 @@ intel_sgx_packages:
   - "libsgx-qe3-logic"
   - "libsgx-pce-logic"
 
-intel_sgx_dev_packages:
-  - "libsgx-enclave-common-dev"
-
 intel_dcap_packages:
   - "libsgx-dcap-ql"
   - "libsgx-urts"
   - "libsgx-quote-ex"
-
-intel_dcap_dev_packages:
-  - "libsgx-dcap-ql-dev"
-  - "sgx-aesm-service"

getting_started/setup_vm/run.sh

@@ -4,6 +4,11 @@
 
 set -ex
 
+# Install ansible-base rather than ansible because service_facts
+# is broken on Ubuntu 20.04 with the default apt package.
+# See https://github.com/ansible/ansible/issues/68536 (fixed in ansible >= 2.10)
 sudo apt-get update
-sudo apt install ansible -y
-ansible-playbook "$@"
+sudo apt install software-properties-common
+sudo add-apt-repository -y --update ppa:ansible/ansible
+sudo apt install ansible-base -y
+ansible-playbook "$@"