gramineproject / gsc

Gramine Shielded Containers (Docker integration)
BSD 3-Clause "New" or "Revised" License

Glibc issue in latest gsc example run on Ubuntu 22.04 #170

Closed agargi-intel closed 1 year ago

agargi-intel commented 1 year ago

Hi

I am trying to run the python:bullseye example.

I got a fresh install of Ubuntu 22.04, using a Xeon with SGX enabled and drivers installed (verified). I am using the latest master branch of GSC.

Also, I changed the distro to 22.04 from the default 20.04 in the config.yaml file after cloning gsc repo.

I am able to do the build step and the signing step successfully. On doing the docker run command, I am getting the following error.

    docker run --device=/dev/sgx_enclave \
        -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
        gsc-python:bullseye -c 'print("HelloWorld!")'
    /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    /gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/sgx/loader: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/sgx/loader)

It appears that some other version of glibc is expected by the loader, not the 2.34 which came with Ubuntu 22.04. I was checking the release notes for GSC v1.5; they say GLIBC 2.37 is supported.

Is there a way to make the latest gsc work on Ubuntu 22.04 without changing the glibc version? What options do I have?

jkr0103 commented 1 year ago

The python:bullseye image is based on debian:11, hence we should have the debian:11 distro in config.yaml. Please correct the config.yaml and try.

dimakuv commented 1 year ago

In addition to debian:11 recommended by @jkr0103, ubuntu:20.04 is also known to work with this Python version.

dimakuv commented 1 year ago

> /gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/sgx/loader: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /gramine/meson_build_output/lib/x86_64-linux-gnu/gramine/sgx/loader)
>
> It appears that some other version of glibc is expected by the loader, not the 2.34 which came with Ubuntu 22.04. I was checking the release notes for GSC v1.5; they say GLIBC 2.37 is supported.

Regarding the GSC problem itself:

  1. GSC used Ubuntu 22.04 as the base OS to build Gramine. Since Gramine uses (a tiny bit) the host-level Glibc, Gramine linked itself against the Glibc version available on the base OS -- which is Glibc 2.34.
  2. Then GSC jumped to Debian 11 (bullseye) as the base OS to run Python. Gramine-built binaries were simply copied by GSC from the previous step to this step.
    1. Debian 11 has Glibc 2.31.
    2. Gramine was built against Glibc 2.34, so Gramine tries to find it.
    3. Gramine fails to find it on this OS and errors out.

This is one of the quirks of GSC -- the base OS image used in step 1 (specified in config.yaml) must more or less have the same OS version as in step 2 (the OS in the original Docker image you graminize).
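A pre-build check for the mismatch described in the comment above, as an added example that is not part of the original thread or of GSC itself. It assumes you have read `/etc/os-release` and the glibc version (for example from `ldd --version`) out of both images yourself; the function names and sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs: the Distro line of a GSC config.yaml and the
# /etc/os-release of the application image, which can be read with e.g.
#   docker run --rm --entrypoint cat python:bullseye /etc/os-release
SAMPLE_CONFIG = 'Distro: "ubuntu:22.04"\n'
SAMPLE_OS_RELEASE = ('PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"\n'
                     'ID=debian\nVERSION_ID="11"\n')


def config_distro(config_text):
    """Return the top-level Distro value from config.yaml text."""
    m = re.search(r'^Distro:\s*["\']?([^"\'\s#]+)', config_text, re.MULTILINE)
    if not m:
        raise ValueError("no Distro key found in config text")
    return m.group(1).lower()


def image_distro(os_release_text):
    """Build an '<id>:<version>' string from /etc/os-release contents."""
    fields = {}
    for line in os_release_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"\'')
    if "ID" not in fields or "VERSION_ID" not in fields:
        raise ValueError("os-release lacks ID or VERSION_ID")
    return f"{fields['ID']}:{fields['VERSION_ID']}".lower()


def glibc_ok(required, available):
    """True if glibc `available` is at least `required`.
    Compared numerically: 2.4 < 2.31, which a string comparison gets wrong."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(available) >= as_tuple(required)


def preflight(config_text, os_release_text, build_glibc, image_glibc):
    """Return (status, message); status is 'ok', 'warn' or 'fail'."""
    want, have = config_distro(config_text), image_distro(os_release_text)
    if not glibc_ok(build_glibc, image_glibc):
        return "fail", (f"Gramine built on {want} links against glibc "
                        f"{build_glibc}, but {have} only has {image_glibc}")
    if want != have:
        return "warn", f"Distro is {want} but the image is {have}; glibc is compatible"
    return "ok", f"Distro {want} matches the application image"


if __name__ == "__main__":
    # Versions from the thread: loader needs GLIBC_2.34, Debian 11 has 2.31.
    print(preflight(SAMPLE_CONFIG, SAMPLE_OS_RELEASE, "2.34", "2.31"))
```

With the values from this thread the check returns `fail` before any build or signing step is run.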

agargi-intel commented 1 year ago

Thanks for the help @jkr0103 and @dimakuv. I got it working, distro was the issue.

I feel the part of the documentation below can be made simpler. I got confused as to the distro of 'what' is needed. Something that brings out that the 'existing container image's' (the one we are trying to convert) distro is being asked for.

> Distro
>
> Defines Linux distribution to be used to build Gramine in. This distro should match the distro underlying the application’s Docker image; otherwise the results may be unpredictable. Currently supported distros are Ubuntu 20.04, Ubuntu 21.04, Ubuntu 22.04, Ubuntu 23.04, Debian 10, Debian 11, Debian 12 and CentOS 8. Default value is ubuntu:20.04.