nitrogen example for standalone runtime

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "examples/runtime/runtime"]
+	path = examples/runtime/runtime
+	url = git@github.com:capeprivacy/runtime.git

README.md

@@ -6,7 +6,7 @@
 
 [![Discord](https://img.shields.io/discord/1027271440061435975.svg?logo=discord)](https://discord.gg/S8WMGUg8ab)
 
-Nitrogen is a tool for deploying web services to AWS Nitro Enclaves. Given a dockerfile and an ssh key, Nitrogen will spin up an EC2, configure the network, and build and deploy your web service. You get back a hostname that’s ready to go. Nitrogen is fully open source and it comes with pre-built scripts for deploying popular services like Nginx, Redis, and MongoDB.
+Nitrogen is a tool for deploying web services to AWS Nitro Enclaves. Given a dockerfile and an ssh key, Nitrogen will spin up an EC2, configure the network, and build and deploy your web service. You get back a hostname that's ready to go. Nitrogen is fully open source and it comes with pre-built scripts for deploying popular services like Nginx, Redis, and MongoDB.
 
 ## Install
 

examples/runtime/Dockerfile

@@ -0,0 +1,108 @@
+FROM golang:1.18-alpine as builder
+
+ARG SERVICE_VERSION
+ENV SERVICE_VERSION=${SERVICE_VERSION:-unknown}
+ENV PATH="/usr/local/bin:${PATH}"
+
+RUN apk add git openssh
+
+WORKDIR /app
+
+RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh
+
+RUN GH_IP=$(getent hosts github.com | cut -d ' ' -f 1) && \
+    ssh-keyscan -H github.com >> /root/.ssh/known_hosts && \
+    ssh-keyscan -H $GH_IP >> /root/.ssh/known_hosts && \
+    ssh-keyscan -H github.com,$GH_IP >> /root/.ssh/known_hosts && \
+    chmod 600 /root/.ssh/known_hosts
+
+RUN git config \
+    --global \
+    url."git@github.com:".insteadOf \
+    "https://github.com"
+
+COPY runtime/go.mod .
+COPY runtime/go.sum .
+
+RUN go mod download
+
+COPY ./runtime .
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -buildvcs=false -ldflags "-X main.Version=$SERVICE_VERSION" -o bin/runtime ./cmd/runtime
+
+FROM python:3.9-slim-bullseye
+
+WORKDIR /runtime
+
+# Add some pre-bundled python libraries.
+RUN pip install python-dotenv
+RUN pip install pyjwt[crypto]
+
+# create chroot environment for jail
+RUN adduser jailuser
+RUN mkdir /chroot && \
+    cp -r /bin /chroot/ && \
+    cp -r /sbin /chroot/ && \
+    cp -r /usr /chroot/ && \
+    cp -r /etc /chroot/ && \
+    cp -r /lib /chroot/ && \
+    cp -r /lib64 /chroot/ && \
+    mkdir /chroot/dev && \
+    mknod -m 666 /chroot/dev/null c 1 3 && \
+    mknod -m 666 /chroot/dev/zero c 1 5 && \
+    mknod -m 666 /chroot/dev/random c 1 8 && \
+    mknod -m 666 /chroot/dev/urandom c 1 9 && \
+    mkdir -p /chroot/home/jailuser/ && \
+    chown -R jailuser:jailuser /chroot/home/jailuser && \
+    chmod -R 775 /chroot/home/jailuser/
+
+# sudo is needed because capejail must run as root in order to `chroot` and
+# `setuid` to jailuser. The chroot and separate user add additional isolation
+# to protect runtime (and secrets that runtime might have in memory) from the
+# user process.
+RUN apt update && \
+    apt install -y \
+        sudo \
+        wget \
+        socat \
+    && apt clean
+
+RUN echo "socat --version"
+
+RUN useradd runtime
+
+# Allow runtime to read files from jailuser (such as the results file)
+RUN usermod -aG jailuser runtime
+
+# Allow runtime to `sudo capejail`
+RUN usermod -aG sudo runtime
+RUN echo "%sudo    ALL=(ALL:ALL) NOPASSWD: /bin/capejail.sh" >> /etc/sudoers
+
+COPY --from=builder /app/bin/runtime ./bin/runtime
+
+COPY ./runtime/launch.py /runtime/.
+
+RUN chown -R runtime:runtime /runtime
+
+USER runtime
+
+# This would have to be updated for running standalone, or use self-generated certs
+COPY --chown=runtime:runtime server.key server.crt /runtime/
+ENV CAPE_CERTFILE=/runtime/server.crt CAPE_KEYFILE=/runtime/server.key
+
+COPY --from=capeprivacy/capejail:release-0c0b492 /bin/capejail /bin/
+
+COPY ./runtime/capejail.sh /bin/capejail.sh
+
+
+ENV CAPE_PORT=5000
+ENV CAPE_STANDALONE_STORAGE=true
+ENV CAPE_STANDALONE_KMS=true
+ENV CAPE_STANDALONE_LIFECYCLE=true
+ENV CAPE_STANDALONE_VALIDATOR=true
+ENV CAPE_STANDALONE_EPHEMERAL=false
+
+COPY run.sh /run.sh
+
+COPY app.sh /app.sh
+
+CMD ["/bin/sh", "/run.sh"]

examples/runtime/README.md

@@ -0,0 +1,57 @@
+# Standalone Runtime
+An example running Cape runtime via Nitrogen
+
+## Requirements
+Access to capejail and kmstool images in Dockerhub.
+```
+docker login
+```
+
+Enable Docker kit
+```
+export DOCKER_BUILDKIT=1
+```
+
+Fetch the runtime submodule
+```
+git submodule update --init --recursive
+```
+
+
+
+## Running
+Needs a local socat instance to run alongside the enclave executable. 
+
+### TLS
+
+To enable TLS you can generate self-signed certificates:
+
+```
+openssl ecparam -genkey -name secp384r1 -out server.key
+openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
+```
+
+
+### Using port 5000
+The setup for the ec2 instance points to port 5000, so the socat instance
+redirects port 5000 to the runtime websocket. 
+
+### Using with Cape CLI
+If you want to deploy/run with Cape CLI you will need to reset the key file locally. 
+
+```
+cape login    # follow promps for browser authentication
+
+# We need to reset the key file under CLI and register against the local 
+# runtime instance
+rm ~/.config/cape/capekey.pub.der
+
+cape key --url wss://<NITROGEN_EC2_INSTANCE>:5000 --insecure
+cape deploy <CUSTOM_CAPE_FUNCTION> --url wss://<NITROGEN_EC2_INSTANCE>:5000
+
+echo `<CUSTOM_FUNCTION_INPUT>`|  ./cape run -v <DEPLOYED_FUNCTION_ID>  -u wss://<NITROGEN_EC2_INSTANCE>:5000 --insecure -f -
+
+```
+
+
+

examples/runtime/app.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/runtime/bin/runtime

examples/runtime/run.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+socat tcp-listen:5000,reuseaddr,fork vsock-connect:16:5000 &
+
+sh ./app.sh