{"id":183010,"date":"2026-06-18T14:27:50","date_gmt":"2026-06-18T14:27:50","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=183010"},"modified":"2026-06-18T14:27:50","modified_gmt":"2026-06-18T14:27:50","slug":"roflize-an-app-part-1-rofl-workflow-to-initialization","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=183010","title":{"rendered":"ROFLize an App? Part 1: ROFL Workflow To Initialization"},"content":{"rendered":"

Recently, I shared a quickstart guide titled \u201cHow To Enhance Your App With Oasis ROFL<\/a>\u201d. While the tutorial was complete in itself, I skipped some of the finer implementation details to keep it streamlined. Here, in this new 2-part series, I will unpack those sections step by\u00a0step.<\/p>\n

Rather than covering old ground from the post, which already features a short explainer video and visuals of the architectural breakdown and the workflow overview of the ROFL (runtime off-chain logic) framework, let\u2019s dive straight into the developers\u2019 POV\u00a0here.<\/p>\n

Workflow<\/h3>\n

As this visual shows, there is a dedicated Trusted Execution Environment (TEE) for every app that runs inside ROFL. An Oasis node provides the TEE from its ORC bundle, consisting of a zip archive containing the program binaries and metadata required for execution.
As a result, the ROFL apps registering on Oasis\u2019s network can easily authenticate to on-chain smart contracts and also transparently gain access to the decentralized per-app key management system.<\/p>\n

The TEE ensures app security and enables secure communication with the outside world. The function of the light client here is to establish a fresh view of the Oasis consensus layer. This not only provides a source of approximate time references but also acts as an integrity gatekeeper for the verification of all on-chain states.
In addition, the app also generates a set of ephemeral cryptographic keys, used in remote attestation and on-chain registration, and then discarded at the end of the session to provide forward and backward secrecy.
The authentication process for on-chain modules is completed by signing and submitting special transactions. As a result, the app can now perform any arbitrary task and interact with the outside world through network connections, authenticated via HTTPS\/TLS, or other methods such as light clients for other\u00a0chains.<\/p>\n

Prerequisites<\/h3>\n

We need 2 tools for ROFL development and deployment.<\/p>\n

Oasis CLI<\/strong>: The Oasis command-line interface (CLI) is an all-in-one tool, handling wallet management, app registration, building, deployment, and replica management. For a detailed overview and installation instructions, check out the\u00a0command.Docker<\/strong>: Having a containerized build environment is an essential prerequisite, as it ensures that you do not have to install a handful of Intel-specific libraries and dependencies on your system. Moreover, the Compose<\/strong> function will help test the ROFL locally before you deploy it on-chain.<\/p>\n

You can choose any of the 3 following ways to continue.<\/p>\n

Preferred<\/strong><\/p>\n

This method uses Oasis CLI and a container for building and testing. First, you need to download and install<\/strong><\/a> the Oasis CLI on your platform. Next, test the functionality by building the ROFL\u00a0app.<\/p>\n

oasis rofl build<\/p>\n

Conservative<\/strong><\/p>\n

In this method, there are containers everywhere.
If there are any issues while installing the Oasis CLI locally, or perhaps you want to skip the Oasis CLI step altogether, the workaround is to run the oasis<\/strong> command from the rofl-dev<\/strong><\/a>\u00a0image.<\/p>\n

Note<\/em><\/strong>: You must be careful when you bind-mount the Oasis CLI config folder, which contains your wallet. Otherwise, there is a risk of losing access to your (funded) accounts.<\/em>Invoke oasis<\/strong> from the rofl-dev<\/strong>\u00a0image.<\/p>\n

For Linux:<\/p>\n

docker run –platform linux\/amd64 –rm -v .:\/src -v ~\/.config\/oasis:\/root\/.config\/oasis -it ghcr.io\/oasisprotocol\/rofl-dev:main oasis<\/p>\n

For MacOS:<\/p>\n

docker run –platform linux\/amd64 –rm -v .:\/src -v “~\/Library\/Application Support\/oasis\/”:\/root\/.config\/oasis -it ghcr.io\/oasisprotocol\/rofl-dev:main oasis<\/p>\n

For Windows:<\/p>\n

docker run –platform linux\/amd64 –rm -v .:\/src -v %USERPROFILE%\/AppData\/Local\/oasis\/:\/root\/.config\/oasis -it ghcr.io\/oasisprotocol\/rofl-dev:main oasisThis step here is optional. You can choose to add oasis<\/strong>alias to your shell start-up script. This will mimic as if Oasis CLI was installed locally.<\/p>\n

For Linux:
~\/.bashrc<\/p>\n

alias oasis=’docker run –platform linux\/amd64 –rm -v .:\/src -v ~\/.config\/oasis:\/root\/.config\/oasis -it ghcr.io\/oasisprotocol\/rofl-dev:main oasis’<\/p>\n

For MacOS:
~\/.bash_profile<\/p>\n

alias oasis=’docker run –platform linux\/amd64 –rm -v .:\/src -v “~\/Library\/Application Support\/oasis\/”:\/root\/.config\/oasis -it ghcr.io\/oasisprotocol\/rofl-dev:main oasis’<\/p>\n

Advanced<\/strong><\/p>\n

This method uses native Oasis CLI and ROFL build\u00a0utils.<\/p>\n

Note<\/em><\/strong>: It is for <\/em>linux\/amd64<\/em><\/strong> only.<\/em><\/p>\n

The first step is installing the Oasis CLI locally.
Next, you need to install tools for creating and encrypting partitions and Quick Emulator (QEMU). For a Debian-based Linux, this can be done by running this\u00a0command:<\/p>\n

sudo apt install squashfs-tools cryptsetup-bin qemu-utils<\/p>\n

Finally, you may be looking to build SGX and TDX-raw ROFL bundles. In that case, it will require the installation of the Rust toolchain and Fortanix libraries. It is a separate detailed process involving Oasis Core prerequisites<\/strong>, which I will elaborate on in a later post. For now, you just follow the steps outlined\u00a0here<\/a>.<\/p>\n

Note<\/em><\/strong>: You do not need a working SGX\/TDX TEE when building ROFL natively. Even an Intel-based CPU and the corresponding libraries will\u00a0suffice.<\/em><\/p>\n

Containerize<\/h3>\n

We have often mentioned that an ROFL app needs to be containerized. What does this mean? A container is basically a controlled environment that includes the exact version of the operating system, both system and user libraries, as well as your configured service. The image of the container is uploaded to an OCI file server, such as docker.io<\/strong><\/a> or ghcr.io<\/strong><\/a>. The server hosting your app can then download it, consisting two\u00a0files.<\/p>\n

my-bot
\u251c\u2500\u2500 bot.py # A python bot script
\u2514\u2500\u2500 requirements.txt # Python dependencies<\/p>\n

Now, we will use Docker<\/strong><\/a> to containerize. However, you can choose to go with Podman<\/strong><\/a> instead of Docker, as once the app is deployed to a ROFL node, the containers there will be orchestrated by Podman\u00a0anyway.<\/p>\n

Dockerfile<\/strong><\/p>\n

Here we will create a file called Dockerfile<\/strong> inside the project folder. This will tell Docker to compile a python-based image<\/strong> and add the python bot script<\/strong> on top of\u00a0it.<\/p>\n

Dockerfile<\/p>\n

FROM python:alpine3.17<\/p>\n

WORKDIR \/bot
COPY .\/bot.py .\/requirements.txt \/bot
RUN pip install -r requirements.txt<\/p>\n

ENTRYPOINT [“python”, “bot.py”]<\/p>\n

Compose<\/strong><\/p>\n

The function of Docker Compose<\/strong><\/a> is to orchestrate the containers you will be using. This ensures correct sequencing, defining storage points, networking, and other functionalities. You can create compose.yaml<\/strong> with the following command.<\/p>\n

compose.yaml<\/p>\n

services:
python-bot:
build: .
image: “docker.io\/YOUR_USERNAME\/YOUR_PROJECT”
platform: linux\/amd64
environment:
– TOKEN=${TOKEN}<\/p>\n

You may need to adjust the image:<\/strong> field(s) to fit your needs. The image:<\/strong> field must always point to a publicly accessible OCI registry<\/strong> from where your image will be downloaded for execution.
If you are replacing the image:<\/strong> field with a fully qualified domain of the OCI server you use, followed by your username, the field will look\u00a0like:<\/p>\n

docker.io\/your_username\/my-bot<\/strong>ghcr.io\/your_username\/my-bot<\/strong>Note<\/em><\/strong>: Always specify the container image URL with a fully qualified domain name, e.g., <\/em>docker.io\/ollama\/ollama<\/em><\/strong> and not just <\/em>ollama\/ollama<\/em><\/strong>.<\/em><\/p>\n

Build and\u00a0Push<\/strong><\/p>\n

Now, you can build the container image and tag it using docker\u00a0compose<\/strong>.<\/p>\n

docker compose build<\/p>\n

To check the compose setup locally, test it with this\u00a0command.<\/p>\n

docker compose up<\/p>\n

To stop once done, use this\u00a0command.<\/p>\n

docker compose down<\/p>\n

After you have completed building and tagging the images, the next step is to push the container images to a publicly accessible OCI registry that we referred to earlier (docker.io<\/strong><\/a> or ghcr.io<\/strong><\/a>).
For first-time use, you need to perform an authentication step by running this\u00a0command.<\/p>\n

docker login<\/p>\n

Once done and for all those already logged in before, this command will upload the container images to the registry.<\/p>\n

docker compose pushNote<\/em><\/strong>: For first-timers, when pushing the image to GitHub containers, please ensure <\/em>public package visibility<\/em><\/a> is properly configured.<\/em><\/p>\n

Pin Your Image\u00a0Hash<\/strong><\/p>\n

This is the final step in the containerizing process. It helps prevent another container image from being pulled inside ROFL. You do it by pinning the image digest inside compose.yaml<\/strong>. To fetch the sha256:\u2026<\/strong> digest, try invoking:<\/p>\n

docker images –digests<\/p>\n

Then you need to append @<\/strong> and the digest next to the image tag in your compose.yaml<\/strong>. Example:<\/p>\n

image: “docker.io\/MY_USERNAME\/my-bot@sha256:9633593eb9e8395023cb0d926982602978466ec003efa189d94a34e7bea6ec0d”<\/p>\n

Init<\/h3>\n

In the final section of this tutorial, we will see how to initialize the ROFL app. Before starting, you need to choose from the 3 options below. Notably, whatever you choose, it would likely be a trade-off between the Trusted Computing Base (TCB) size and ease of\u00a0use.<\/p>\n

TDX containers ROFL (default)<\/strong>: A Docker compose-based container service packed in a secure virtual\u00a0machine.Raw TDX ROFL<\/strong>: A Rust app compiled as the init process of the operating system and packed in a secure virtual\u00a0machine.SGX ROFL<\/strong>: A Rust app with fixed memory allocation compiled and packed into a single secure\u00a0binary.<\/p>\n

Init App Directory and\u00a0Manifest<\/strong><\/p>\n

The first step is to create the basic directory structure for the app using the Oasis\u00a0CLI.<\/p>\n

oasis rofl init my-app<\/p>\n

You now have a my-app<\/strong> directory and have also initialized a ROFL manifest file. As noted above, the default is a TDX container-based ROFL. To select one of the other options, you need to use the\u200a\u2014\u200akind<\/strong> parameter.<\/p>\n

As a result of the init<\/strong> command, you will get the following output\u00a0summary.<\/p>\n

Creating a new ROFL app with default policy…
Name: my-app
Version: 0.1.0
TEE: tdx
Kind: container
Git repository initialized.
Created manifest in ‘rofl.yaml’.
Run `oasis rofl create` to register your ROFL app and configure an app ID.<\/p>\n

The directory structure (omitting git artifacts) will look like\u00a0this.<\/p>\n

In the concluding part of the series, I will guide you through the next steps in ROFLizing your app, involving create, build, deploy, and test processes.
Until then, if you encounter any issues, you can have a quick chat with the Oasis engineering team for help by dropping your comments in the dev-central channel<\/strong> in the official\u00a0Discord<\/a>.<\/p>\n

Originally published at <\/em>https:\/\/dev.to<\/em><\/a> on June 18,\u00a02026.<\/em><\/p>\n

ROFLize an App? Part 1: ROFL Workflow To Initialization<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"

Recently, I shared a quickstart guide titled \u201cHow To Enhance Your App With Oasis ROFL\u201d. While the tutorial was complete in itself, I skipped some of the finer implementation details to keep it streamlined. Here, in this new 2-part series, I will unpack those sections step by\u00a0step. Rather than covering old ground from the post, […]<\/p>\n","protected":false},"author":0,"featured_media":183011,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-183010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/183010"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=183010"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/183010\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/media\/183011"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=183010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=183010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=183010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

myapp
\u251c\u2500\u2500 compose.yaml # Container compose file.
\u2514\u2500\u2500 rofl.yaml # ROFL app manifest.Note<\/em><\/strong>: The <\/em>manifest<\/em><\/a> that this step initialized is a ROFL feature that contains metadata, secrets, and requested resources. These can be modified either manually or by using the CLI commands and require to be discussed in detail separately. For now, we have finished initialization.<\/em><\/p>\n