Dstack-TEE
diff --git a/‎custom-domain/dstack-ingress/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎custom-domain/dstack-ingress/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎custom-domain/dstack-ingress/Dockerfile‎
Lines changed: 1 addition & 12 deletions b/‎custom-domain/dstack-ingress/Dockerfile‎
Lines changed: 1 addition & 12 deletions
diff --git a/‎custom-domain/dstack-ingress/build-image.sh‎
Lines changed: 63 additions & 7 deletions b/‎custom-domain/dstack-ingress/build-image.sh‎
Lines changed: 63 additions & 7 deletions
diff --git a/‎custom-domain/dstack-ingress/pinned-packages.txt‎
Lines changed: 8 additions & 22 deletions b/‎custom-domain/dstack-ingress/pinned-packages.txt‎
Lines changed: 8 additions & 22 deletions
@@ -2,3 +2,4 @@
 /CLAUDE.md
 /test/
 __pycache__
+/oci.tar
@@ -8,6 +8,7 @@ RUN set -e; \
     echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250411T024939Z bookworm-security main' >> /etc/apt/sources.list && \
     echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until && \
     # Create preferences file to pin all packages
+    rm -rf /etc/apt/sources.list.d/debian.sources && \
     mkdir -p /etc/apt/preferences.d && \
     cat /tmp/pinned-packages.txt | while read line; do \
         pkg=$(echo $line | cut -d= -f1); \
@@ -36,17 +37,6 @@ RUN mkdir -p \
     /etc/nginx/conf.d \
     /var/log/nginx
 
-# Set up Python virtual environment and install certbot
-RUN set -e; \
-    python3 -m venv --system-site-packages /opt/app-venv && \
-    . /opt/app-venv/bin/activate && \
-    pip install --upgrade pip && \
-    pip install certbot requests && \
-    # Create symlinks for system-wide access
-    ln -sf /opt/app-venv/bin/certbot /usr/local/bin/certbot && \
-    # Ensure the virtual environment is always activated for scripts
-    echo 'source /opt/app-venv/bin/activate' > /etc/profile.d/app-venv.sh
-
 COPY ./scripts /scripts/
 RUN chmod +x /scripts/*.sh /scripts/*.py
 ENV PATH="/scripts:$PATH"
@@ -55,4 +45,3 @@ COPY .GIT_REV /etc/
 
 ENTRYPOINT ["/scripts/entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]
-
@@ -1,15 +1,71 @@
 #!/bin/bash
-NAME=$1
-if [ -z "$NAME" ]; then
-    echo "Usage: $0 <name>[:<tag>]"
-    exit 1
-fi
+
+# Parse command line arguments
+PUSH=false
+REPO=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --push)
+            PUSH=true
+            REPO="$2"
+            if [ -z "$REPO" ]; then
+                echo "Error: --push requires a repository argument"
+                echo "Usage: $0 [--push <repo>[:<tag>]]"
+                exit 1
+            fi
+            shift 2
+            ;;
+        *)
+            echo "Usage: $0 [--push <repo>[:<tag>]]"
+            exit 1
+            ;;
+    esac
+done
 # Check if buildkit_20 already exists before creating it
 if ! docker buildx inspect buildkit_20 &>/dev/null; then
     docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20
 fi
 touch pinned-packages.txt
 git rev-parse HEAD > .GIT_REV
-docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" --output type=docker,name="$NAME",rewrite-timestamp=true .
-docker run --rm --entrypoint bash "$NAME" -c "dpkg -l | grep '^ii' |awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+TEMP_TAG="dstack-ingress-temp:$(date +%s)"
+docker buildx build --builder buildkit_20 --no-cache --build-arg SOURCE_DATE_EPOCH="0" \
+    --output type=oci,dest=./oci.tar,rewrite-timestamp=true \
+    --output type=docker,name="$TEMP_TAG" .
+
+if [ "$?" -ne 0 ]; then
+    echo "Build failed"
+    rm .GIT_REV
+    exit 1
+fi
+
+echo "Build completed, manifest digest:"
+echo ""
+skopeo inspect oci-archive:./oci.tar | jq .Digest
+echo ""
+
+if [ "$PUSH" = true ]; then
+    echo "Pushing image to $REPO..."
+    skopeo copy --insecure-policy oci-archive:./oci.tar docker://"$REPO"
+    echo "Image pushed successfully to $REPO"
+else
+    echo "To push the image to a registry, run:"
+    echo ""
+    echo " $0 --push <repo>[:<tag>]"
+    echo ""
+    echo "Or use skopeo directly:"
+    echo ""
+    echo " skopeo copy --insecure-policy oci-archive:./oci.tar docker://<repo>[:<tag>]"
+fi
+echo ""
+
+# Extract package information from the built image
+echo "Extracting package information from built image: $TEMP_TAG"
+docker run --rm --entrypoint bash "$TEMP_TAG" -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" > pinned-packages.txt
+
+echo "Package information extracted to pinned-packages.txt ($(wc -l < pinned-packages.txt) packages)"
+
+# Clean up the temporary image from Docker daemon
+docker rmi "$TEMP_TAG" 2>/dev/null || true
+
 rm .GIT_REV
@@ -2,10 +2,9 @@ adduser=3.134
 apt=2.6.1
 base-files=12.4+deb12u10
 base-passwd=3.6.1
-bash=5.2.15-2+b8
+bash=5.2.15-2+b7
 bsdutils=1:2.38.1-5+deb12u3
 ca-certificates=20230311
-certbot=2.1.0-4
 coreutils=9.1-1
 curl=7.88.1-10+deb12u12
 dash=0.5.12-2
@@ -97,8 +96,8 @@ libpcre2-8-0:amd64=10.42-1
 libpng16-16:amd64=1.6.39-2
 libpsl5:amd64=0.21.2-1
 libpython3-stdlib:amd64=3.11.2-1+b1
-libpython3.11-minimal:amd64=3.11.2-6+deb12u6
-libpython3.11-stdlib:amd64=3.11.2-6+deb12u6
+libpython3.11-minimal:amd64=3.11.2-6+deb12u5
+libpython3.11-stdlib:amd64=3.11.2-6+deb12u5
 librav1e0:amd64=0.5.1-6
 libreadline8:amd64=8.2-1.3
 librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2
@@ -113,7 +112,7 @@ libsmartcols1:amd64=2.38.1-5+deb12u3
 libsqlite3-0:amd64=3.40.1-2+deb12u1
 libss2:amd64=1.47.0-2
 libssh2-1:amd64=1.10.0-3+b1
-libssl3:amd64=3.0.16-1~deb12u1
+libssl3:amd64=3.0.15-1~deb12u1
 libstdc++6:amd64=12.2.0-14
 libsvtav1enc1:amd64=1.4.1+dfsg-1
 libsystemd0:amd64=252.36-1~deb12u1
@@ -140,7 +139,6 @@ libyuv0:amd64=0.0~git20230123.b2528b0-1
 libzstd1:amd64=1.5.4+dfsg2-5
 login=1:4.13+dfsg1-1+b1
 logsave=1.47.0-2
-lsb-release=12.0-1
 mawk=1.3.4.20200120-3.1
 media-types=10.0.0
 mount=2.38.1-5+deb12u3
@@ -151,40 +149,28 @@ nginx-module-image-filter=1.27.4-1~bookworm
 nginx-module-njs=1.27.4+0.8.9-1~bookworm
 nginx-module-xslt=1.27.4-1~bookworm
 nginx=1.27.4-1~bookworm
-openssl=3.0.16-1~deb12u1
+openssl=3.0.15-1~deb12u1
 passwd=1:4.13+dfsg1-1+b1
 perl-base=5.36.0-7+deb12u1
-python3-acme=2.1.0-1
-python3-certbot=2.1.0-4
 python3-certifi=2022.9.24-1
-python3-cffi-backend:amd64=1.15.1-5+b1
 python3-chardet=5.1.0+dfsg-2
 python3-charset-normalizer=3.0.1-2
-python3-configargparse=1.5.3-1
-python3-configobj=5.0.8-1
-python3-cryptography=38.0.4-3+deb12u1
-python3-distro=1.8.0-1
 python3-distutils=3.11.2-3
 python3-idna=3.3-1+deb12u1
-python3-josepy=1.13.0-1
 python3-lib2to3=3.11.2-3
 python3-minimal=3.11.2-1+b1
-python3-openssl=23.0.0-1
-python3-parsedatetime=2.6-3
 python3-pip-whl=23.0.1+dfsg-1
 python3-pip=23.0.1+dfsg-1
 python3-pkg-resources=66.1.1-1+deb12u1
 python3-requests=2.28.1+dfsg-1
-python3-rfc3339=1.1-4
 python3-setuptools-whl=66.1.1-1+deb12u1
 python3-setuptools=66.1.1-1+deb12u1
 python3-six=1.16.0-4
-python3-tz=2022.7.1-4
 python3-urllib3=1.26.12-1+deb12u1
 python3-wheel=0.38.4-2
-python3.11-minimal=3.11.2-6+deb12u6
-python3.11-venv=3.11.2-6+deb12u6
-python3.11=3.11.2-6+deb12u6
+python3.11-minimal=3.11.2-6+deb12u5
+python3.11-venv=3.11.2-6+deb12u5
+python3.11=3.11.2-6+deb12u5
 python3=3.11.2-1+b1
 readline-common=8.2-1.3
 sed=4.9-1