Alkemist by RunSafe
SELF-SERVICE PORTAL

alkemist logo

+

center logo for this page's deployment type

=

shield with heart in the middle
You're only a few steps away from deploying LFR into your Docker environment!
1 of 7
Down Arrow Mirrored

Select Docker Base OS

First, select the operating system your build image uses, then select the version of that OS. All instructions throughout the rest of the page will be tailored to those choices.

2 of 7
Down Arrow

Open Your Dockerfile

The steps that follow this one will all use this sample Dockerfile as their base. The second tab is the hello_world.c used by the COPY command on line 7.

3 of 7
Down Arrow Mirrored

Add LFR Stage

The first modification to your Dockerfile will be to add the LFR image as a stage before the stage doing the build. The LFR image contains two ONBUILD commands which handle license verification and other pre-build steps.

4 of 7
Down Arrow

Copy LFR Files

After pulling in the LFR stage you will copy LFR out of that stage and into yours. First, set the LFR_ROOT_PATH environment variable to a location in your image that will contain LFR during the build. This location will be removed at the end so pick somewhere that does not contain anything else.

Next, copy the files that comprise LFR from the LFR stage and into yours with COPY --from=lfr-files /usr/src/lfr ${LFR_ROOT_PATH}.

5 of 7
Down Arrow Mirrored

Add lfr-helper.sh and lfr-cleanup.sh

Now that your Docker image contains the files necessary for LFR to run, prepend your build commands (make, gcc, g++, etc) with lfr-helper.sh to automatically integrate LFR into your existing build process.

Also include a call to lfr-cleanup.sh after your build is completed to make sure that files which were only needed by LFR for the build are not included in your final image.

The command shown will build the given hello_world.c into an LFR-protected program called hello_world, but you can add lfr-helper.sh to any build command, simple or complex.

6 of 7
Down Arrow

Build Image with LFR

LFR expects your license key to be provided as an ALKEMIST_LICENSE_KEY build argument. The preferred way to do this is to specify your key as a build argument from the command line along with the current date, as shown.

The date is added in the Docker deployment method to avoid caching license information which will become stale in future builds. This will not invalidate the caching of your layers, only the final two ONBUILD commands within the LFR image.

7 of 7
Alkemist Logo

Verify LFR Protection

Each tab shows a different way to confirm that LFR has been applied to a given binary. The examples are for the hello_world binary built in the previous step.