This project demonstrates how Occlum enables unmodified Python programs running in SGX enclaves.
To make the sample code more realistic, we choose to write a Python program that processes CSV data files using NumPy, pandas, and scikit-learn. The sample code can be found here.
This tutorial is written under the assumption that you have Docker installed and use Occlum in a Docker container.
Occlum is compatible with native binaries from Alpine Linux, so we can prepare an Alpine Python Docker image and copy the rootfs of it, then run Python code directly on Occlum.
Step 1 (on the host): Start an Alpine Linux container with Python preinstalled
docker pull python:3.7-alpine3.10
docker run -it --entrypoint /bin/sh --name "<alpine_container_name>" python:3.7-alpine3.10
Step 2 (in the Alpine container): Install the required Python modules
apk add g++ lapack-dev gfortran
pip3 install numpy pandas scipy==1.3.1 Cython scikit-learn==0.21.1
Now that we have installed the required Python libraries in the Alpine Docker image, we can copy the content of the Alpine Docker image into the Occlum container so that we can build a trusted Occlum FS image with Alpine's Python installation inside.
Step 3 (on the host): Copy the import_alpine_python.sh script from Occlum container to host,
docker cp "<occlum_container_name>":/root/demos/python/import_alpine_python.sh <host_dir>
and import the rootfs of Alpine Linux Docker image to the Occlum container (/root/alpine_python)
./<host_dir>/import_alpine_python.sh "<alpine_container_name>" "<occlum_container_name>"
Step 4 (in the Occlum container): Run the sample code on Occlum via
./run_python_on_occlum.sh
It will process CSV data files and generate a file (smvlight.dat) in ./occlum_instance.