
GSC v1.9 fails for ubuntu 22.04

Open uwe-albert-ibm opened this issue 5 months ago • 4 comments

[2/2] STEP 12/21: RUN rm -rf $HOME/.cache
--> fc6b13346849
[2/2] STEP 13/21: COPY --from=gramine --chown=root /gramine/meson_build_output /gramine/meson_build_output
--> 9552306e0d08
[2/2] STEP 14/21: COPY --chown=root *.py /gramine/app_files/
--> 385fe9f65802
[2/2] STEP 15/21: COPY --chown=root apploader.sh /gramine/app_files/
--> d0627d6fcb77
[2/2] STEP 16/21: COPY --chown=root entrypoint.manifest /gramine/app_files/
--> 43e3366f726a
[2/2] STEP 17/21: RUN cd /gramine/app_files/ && which /app/mariadb-init.sh | xargs ln -s || true
--> 6bdc3d04681e
[2/2] STEP 18/21: ENV PATH="/gramine/meson_build_output/bin:$PATH"
--> 9764a8106adc
[2/2] STEP 19/21: RUN chmod u+x /gramine/app_files/apploader.sh && /usr/bin/python3 -B /gramine/app_files/finalize_manifest.py && rm -f /gramine/app_files/finalize_manifest.py
[from inside Docker container] Found 12206 files in /.
Traceback (most recent call last):
  File "/gramine/app_files/finalize_manifest.py", line 175, in <module>
    main(sys.argv)
  File "/gramine/app_files/finalize_manifest.py", line 166, in main
    rendered_manifest_dict['sgx']['trusted_files'] = expand_trusted_files(trusted_files + already_added_files)
  File "/gramine/app_files/finalize_manifest.py", line 45, in expand_trusted_files
    raise ManifestError(f'File not found: {file_path}')
NameError: name 'ManifestError' is not defined
Failed to build unsigned graminized Docker image gsc-idbroker-mariadb-unsigned.

Can you please help us? Many thanks in advance!

uwe-albert-ibm, Jul 18 '25 11:07

Hi! I'd like to help. Can you share the dockerfile/code you are trying to build, and the commands to reproduce this issue?

Thanks!

donporter, Jul 19 '25 20:07

I also see the same issue using v1.9

weiwang217, Jul 29 '25 23:07

Same here, using v1.9 on ubuntu:24.04.

We are signing a Docker image, which will later be used in Kubernetes. The problem is that sgx.allowed_files contains files/folders that are not yet present in the image. They will be provided later, when the container is set up. Also, according to the documentation, allowed_files can contain folders, but the method compute_sha256 (finalize_manifest.py) does not account for that.

Is there some way to set up allowed files correctly in the mentioned scenario?

As a quick fix, is it possible and safe to skip producing an error and add a check whether the path is actually a file in finalize_manifest.py on line 45?

def expand_trusted_files(trusted_files):
    expanded_files = []
    for uri in trusted_files:
        file_path = uri2path(uri)
        if file_path.is_file():
            expanded_files.append({'uri': uri, 'sha256': compute_sha256(file_path)})
        else:
            expanded_files.append({'uri': uri})
    return expanded_files

Thank you

elnath, Oct 14 '25 10:10
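
An added example, not part of the thread and not GSC's or Gramine's own code: a fail-closed variant of the function quoted above that defines `ManifestError` (so a missing path is reported as "File not found" rather than `NameError`), hashes the files under a directory, and never emits an entry without a `sha256`. `uri2path` and `compute_sha256` here are stand-ins assumed to behave like the helpers of the same name, and the sample paths are constructed.

```python
import hashlib
import pathlib
import tempfile

class ManifestError(Exception):
    """Defined here so a missing path raises this, not NameError."""

def uri2path(uri):
    # Stand-in for the helper of the same name; assumes 'file:' URIs only.
    if not uri.startswith('file:'):
        raise ManifestError(f'Unsupported URI type: {uri}')
    return pathlib.Path(uri[len('file:'):])

def compute_sha256(path):
    # Stand-in: SHA-256 of one regular file's contents.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def expand_trusted_files(trusted_files):
    expanded, missing = [], []
    for uri in trusted_files:
        path = uri2path(uri)
        if path.is_file():
            expanded.append({'uri': uri, 'sha256': compute_sha256(path)})
        elif path.is_dir():
            # Hash each file under the directory; never emit a bare entry.
            for child in sorted(p for p in path.rglob('*') if p.is_file()):
                expanded.append({'uri': f'file:{child}',
                                 'sha256': compute_sha256(child)})
        else:
            missing.append(uri)
    if missing:
        # Report every absent path at once and stop the build.
        raise ManifestError('File not found: ' + ', '.join(missing))
    return expanded

def demo():
    # Constructed sample tree: one file, one directory, one absent path.
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / 'app.conf').write_bytes(b'abc')
        (root / 'data').mkdir()
        (root / 'data' / 'seed.sql').write_bytes(b'')
        ok = expand_trusted_files([f'file:{root}/app.conf', f'file:{root}/data'])
        try:
            expand_trusted_files([f'file:{root}/late-mounted.sock'])
            error = None
        except ManifestError as exc:
            error = str(exc)
        return ok, error
```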