Instance management
Disk space for instance staging
When you start an Anjuna Confidential Container,
the anjuna-metal CLI stages its launch artifacts under /var/lib/anjuna/.
These files persist for the lifetime of the instance
and are released automatically when the instance is deleted.
Each running instance occupies approximately the uncompressed size of the disk image
(set by --disk-size at disk create time), plus around 100 MB for supporting launch artifacts.
As a sizing heuristic,
before starting instances ensure that the filesystem hosting /var/lib/anjuna/
has free space of at least 1.5x the combined disk image size
of all instances that will run concurrently.
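The following preflight check applies that heuristic before instances are started. It is an added example, not part of the anjuna-metal CLI or the Anjuna documentation; it assumes GNU coreutils (numfmt, df) and that the --disk-size values are given as IEC sizes such as 20G, which is an assumption about the option's format.

```shell
#!/bin/sh
# Preflight check: is there enough free space under /var/lib/anjuna/ to stage
# the instances about to be started? Added example, not anjuna-metal code.
# Assumes GNU coreutils (numfmt, df) and IEC size strings (e.g. 20G, 512M).

STAGING_DIR=${STAGING_DIR:-/var/lib/anjuna}
PER_INSTANCE_OVERHEAD=$((100 * 1024 * 1024))   # ~100 MB of launch artifacts per instance

# required_bytes SIZE... : 1.5x the sum of the disk image sizes, plus the
# per-instance overhead, printed as a byte count.
required_bytes() {
  total=0
  n=0
  for size in "$@"; do
    bytes=$(numfmt --from=iec "$size") || return 1
    total=$((total + bytes))
    n=$((n + 1))
  done
  echo $(( total * 3 / 2 + n * PER_INSTANCE_OVERHEAD ))
}

# free_bytes DIR : free bytes on the filesystem that hosts DIR.
free_bytes() {
  df -B1 --output=avail "$1" | tail -n 1 | tr -d ' '
}

# check_staging_space SIZE... : exit 0 when the staging filesystem has enough
# free space for all of the given images, 1 when it does not.
check_staging_space() {
  need=$(required_bytes "$@") || return 2
  have=$(free_bytes "$STAGING_DIR")
  if [ "$have" -ge "$need" ]; then
    echo "ok: $(numfmt --to=iec "$have") free, $(numfmt --to=iec "$need") required"
    return 0
  fi
  echo "insufficient: $(numfmt --to=iec "$have") free, $(numfmt --to=iec "$need") required" >&2
  return 1
}

# Usage: sh check-staging.sh 20G 20G 10G   (one size per instance to be started)
if [ "$#" -gt 0 ]; then
  check_staging_space "$@"
fi
```

The multiplier and overhead come straight from the heuristic above; if your images are compressed on disk, size the check on the uncompressed --disk-size value, not the file on disk.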
AppArmor confinement
On Ubuntu hosts, each Anjuna Confidential Container runs under a per-domain AppArmor profile generated by libvirt at instance start. The profile restricts the host-side QEMU process’s access to files, devices, and capabilities; it is independent of the SEV-SNP protections applied to the guest itself.
AppArmor confinement is configurable through the <seclabel> element of the libvirt domain XML,
allowing a custom profile to be loaded in place of the default.
For help adapting one to your security or compliance requirements,
please contact Anjuna support.
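A quick way to confirm that the host-side QEMU process of each instance is actually confined, and in enforce rather than complain mode. This is an added example, not from the Anjuna documentation; it assumes libvirt's AppArmor driver, which names the generated per-domain profile libvirt-<domain UUID>, and a Linux /proc that exposes the process label in /proc/<pid>/attr/current.

```shell
#!/bin/sh
# Verify that every host-side QEMU process runs under an enforcing AppArmor profile.
# Added example, not Anjuna or libvirt code. Assumes libvirt's AppArmor driver
# (profile name libvirt-<domain UUID>) and /proc/<pid>/attr/current on Linux.

# classify_label LABEL : map an AppArmor label string, as read from
# /proc/<pid>/attr/current, to one of: enforce, complain, unconfined, other.
classify_label() {
  case "$1" in
    unconfined*)            echo unconfined ;;
    libvirt-*" (enforce)")  echo enforce ;;
    libvirt-*" (complain)") echo complain ;;
    *)                      echo other ;;
  esac
}

# report_qemu_confinement : print "<pid> <mode> <label>" for every qemu-system-*
# process and return 1 if any of them is not in enforce mode.
report_qemu_confinement() {
  rc=0
  found=0
  for pid in $(pgrep -f 'qemu-system-' 2>/dev/null); do
    found=1
    label=$(cat /proc/"$pid"/attr/current 2>/dev/null || echo unknown)
    mode=$(classify_label "$label")
    printf '%s\t%s\t%s\n' "$pid" "$mode" "$label"
    [ "$mode" = enforce ] || rc=1
  done
  [ "$found" -eq 1 ] || echo "no qemu-system processes found" >&2
  return $rc
}

# Usage: sudo sh qemu-confinement.sh report
if [ "${1:-}" = report ]; then
  report_qemu_confinement
fi
```

A non-zero exit from the report means at least one instance's QEMU is running without the expected confinement; the <seclabel> element shown by virsh dumpxml for that domain is the place to look first. Note that this only checks the host-side sandbox; it says nothing about the SEV-SNP state of the guest.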
Log management
Serial log files for Anjuna Confidential Containers can be found in /var/log/libvirt/qemu/,
with a separate log file created for every run of each instance.
The log file name for each run includes the instance name and a timestamp, which distinguishes runs that reuse the same disk image on the same host.
The log files are managed by the virtlogd service and are normally owned by root,
so privileged access is required to view them.
virtlogd also rotates these files automatically and prunes old rotations;
the size and retention thresholds (max_size and max_backups) are set in /etc/libvirt/virtlogd.conf.
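The helper below reads those two settings to estimate how much serial-log history virtlogd will keep per log, and lists the logs of one instance in run order. It is an added example, not Anjuna or libvirt code; it assumes the max_size and max_backups keys of virtlogd.conf and libvirt's defaults for them (2097152 bytes and 3 backups), and that the log file names start with the instance name followed by a dash, which is an assumption about the naming format.

```shell
#!/bin/sh
# Estimate virtlogd's per-log retention and list one instance's serial logs.
# Added example, not Anjuna or libvirt code. Assumes the max_size / max_backups
# keys of virtlogd.conf (defaults 2097152 and 3 when unset) and log file names
# of the form "<instance>-<timestamp>.log" (an assumption about the naming).

LOG_DIR=${LOG_DIR:-/var/log/libvirt/qemu}
CONF=${CONF:-/etc/libvirt/virtlogd.conf}

# conf_value KEY FILE : value of an uncommented "KEY = VALUE" line (quotes and
# trailing comments stripped), or empty when the key is not set.
conf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" \
    | tail -n 1 | tr -d ' '
}

# retention_bytes FILE : worst-case bytes kept per log, i.e. the live file plus
# max_backups rotated copies, each up to max_size bytes.
retention_bytes() {
  size=$(conf_value max_size "$1")
  backups=$(conf_value max_backups "$1")
  echo $(( ${size:-2097152} * (${backups:-3} + 1) ))
}

# instance_logs NAME : serial logs of the instance, oldest first (needs root,
# since virtlogd creates them owned by root).
instance_logs() {
  ls -1tr "$LOG_DIR"/"$1"-*.log 2>/dev/null
}

# Usage: sudo sh serial-logs.sh <instance-name>
if [ "$#" -gt 0 ]; then
  echo "retention per log: $(retention_bytes "$CONF") bytes"
  instance_logs "$1"
fi
```

Because anjuna-metal creates a fresh log per run, the retention figure applies to each run's log separately; the number of runs kept is bounded by your own cleanup of /var/log/libvirt/qemu/, not by virtlogd.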