Low prior, but needs to be done.
https://docs.docker.com/engine/scan/

ARG VERSION_RUST_SGX_SDK=1.1.3 -> ARG VERSION_RUST_SGX_SDK=1.1.4

The current worker dev image has an ld version of 2.35 which has a bug that prevents us from building the integritee node inside that container.
This is brought in by the base image FROM baiduxlab/sgx-rust:2004-1.1.3}.

Note: The image for the sdk version 1.1.4 does not have this problem, it is at version 2.36. So when we upgrade to the sdk 1.1.4, we have to revert the solution proposed below.

My solution was to just brute-force re-install the binutils package, which contains ld. Unfortunately, apt-get install --reinstall does not work for downgrades. And since removing binutils also removes a host of other essential packages, we have to re-install them again.

My change (just after importing the base image:

# re-install / downgrade binutils since the baiduxlab/sgx-rust image 
# comes with ld version 2.35 which cannot compile the node.
RUN apt-get remove -y binutils && \
    apt-get update && \
    apt-get install -y binutils build-essential clang-10 debhelper dh-autoreconf \
                    dpkg-dev g++ g++-9 gcc gcc-8 gcc-9 libtool ocaml \
                    ocaml-compiler-libs ocaml-interp ocaml-nox

I did:

git clone [email protected]:integritee-network/worker.git
$ cd worker
$ docker run --name integritee-dev-worker -it -v $(pwd):/home/ubuntu/worker -e MYUID=$(id -u) -e MYGUID=$(id -g) integritee/integritee-dev:0.2 /bin/bash

and in docker

> cd worker
> make 
> cd bin
> ./integritee-service --help
./integritee-service: error while loading shared libraries: libsgx_uae_service.so: cannot open shared object file: No such file or directory

To compile recent parachain runtime we'd need protobuf-compiler apt packages.

The issue wasn't raised earlier because we didn't need to compile the runtime for the tee-worker: we intentionally broke the dependencies so that tee-worker didn't rely on the parachain runtime. But significantly more effort seems to be needed with the latest substrate-api-client, so we simply bring back the parachain runtime again.

Is it possible to add it and publish a newer integritee-dev image?

We didn't submit a PR for it as we aren't familiar with the version management.

As discussed in integritee-network/worker#373, we want to switch the compiler in the docker image from clang (as is setup currently) to gcc so we can build the worker using LVI-mitigation.

Currently clang and llvm are used for c-compiler and archiver respectively. This is done in the Dockerfile: https://github.com/integritee-network/docker/blob/1a5cbcfa4a6579e50f339592ccb3bf6ac762d1ec/worker/Dockerfile#L77-L78

I tried it out, and the build seems to work, I just removed those two lines, thus reverting back to default gcc.

If for some reason we find out, that we need clang and cannot use gcc, we should try to update clang to at least version 12.0 which has the necessary flags for LVI hardening (that would however also require some changes to our Makefile in the worker).

Add basic docker templates for parachain and worker