This project demonstrates how Occlum enables unmodified Python program flask running in SGX enclaves, which is based on glibc.
Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications.
To make the sample code more realistic, we choose to start a simple Flask TLS server by flask-restful. The sample code can be found here.
This tutorial is written under the assumption that you have Docker installed and use Occlum in a Docker container.
- Step 1: Download miniconda and install python to prefix position.
bash ./install_python_with_conda.sh
- Step 2: Generate sample cert/key
bash ./gen-cert.sh
- Step 3: Build Flask TLS Occlum instance
bash ./build_occlum_instance.sh
- Step 4: Start the Flask TLS server on Occlum
bash ./run_flask_on_occlum.sh
It starts a sample Flask server like below:
occlum run /bin/rest_api.py
* Serving Flask app "rest_api" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: off
* Running on all addresses.
WARNING: This is a development server. Do not use it in a production deployment.
* Running on https://localhost:4996/ (Press CTRL+C to quit)
- Step 5: Write some customers' info, such as
# curl --cacert flask.crt -X PUT https://localhost:4996/customer/1 -d "data=Tom"
# curl --cacert flask.crt -X PUT https://localhost:4996/customer/2 -d "data=Jerry"
- Step 6: Read the customers' info back
# curl --cacert flask.crt -X GET https://localhost:4996/customer/1
# curl --cacert flask.crt -X GET https://localhost:4996/customer/2