anjuna-block-manager.sh

anjuna-block-manager.sh { create | start | stop | mount | unmount } OPTIONS

Manage block volumes for Anjuna Nitro Enclaves.

anjuna-block-manager.sh provides the ability to create block volumes and serve them to Anjuna Nitro Enclaves. The Anjuna Nitro Runtime connects to the served volume, and mounts it in the enclave, based on the configuration it received. It also facilitates mounting the volume locally, to read and/or modify it.

For a detailed explanation of block mounts and how to use them, see Block mounts.

anjuna-block-manager.sh prevents the same volume from being served and mounted at the same time, as well as served or mounted multiple times, so it’s important to perform such operations through the tool itself. Any attempt to do so, will result in an error of the form: Failed to lock volume <volume>. Is it in use?

There are currently no protections against serving the same volume to multiple enclaves, so care should be given to not run multiple enclaves that require block volumes at the same time.

After the enclave that uses a block volume is terminated, it’s important to stop the serving of the block volume to prevent data loss.

Similarly, after mounting the volume, it’s important to unmount it before attempting to serve it to make sure all changes have been committed correctly.

Permissions

The volume creation and serving require no special permissions, and can be run by most standard users of a system.

The volume mounting and unmounting requires the user to be in the sudoers, with the ability to run mount and umount as root.

Options

Top level usage

Usage: anjuna-block-manager.sh COMMAND
       COMMAND can be one of { create | start | stop | mount | unmount }

Create

Creates a block volume compatible with Anjuna Nitro Enclaves.

Usage

anjuna-block-manager.sh create OPTIONS

`-v, --volume`

Volume to create. Overwrites existing volumes.

`-s, --size`

Size of volume to create. Size must be an integer optionally followed by one of the following suffixes: K 1024, M 1024*1024, and likewise for G and larger sizes. If no suffix is specified, the size is in bytes.

`-u, --user`

User and group to use as the owners of the root directory of the volume. In the format "UID:GID". Note: Only IDs are supported, usernames and groupnames are not, as they only exist in the context of the container, and not necessarily in the context of the system creating the block volume. Any attempt to write to the volume from inside (or outside) the enclave, especially to the root directory, will need to be in a user/group context compatible with what is defined in this flag, otherwise it would fail.

Start

Serve the provided block volume for Anjuna Nitro Enclaves.

Usage

anjuna-block-manager.sh start OPTIONS

`-v, --volume`

Volume to use for the block service. This should be the volume created using the "create" command.

Stop

Stop serving the block volume to Anjuna Nitro Enclaves.

Usage

anjuna-block-manager.sh stop

Stops the block service. Assures that all volume changes were committed.

Run this only after stopping the enclave, to prevent data loss.

Mount

Mounts a volume to the specified directory. Allows for viewing and modifying its contents from outside the enclave.

Usage

anjuna-block-manager.sh mount OPTIONS

Use this only when the block service is not running.

`-v, --volume`

Volume to mount.

`-d, --directory`

Directory to mount the volume to.

Unmount

Unmounts a volume from the specified directory. Assures that all volume changes were committed.

Usage

anjuna-block-manager.sh unmount OPTIONS

`-d, --directory`

Directory to where a volume was mounted to.

Examples

The following example creates a volume, adds a file to it, and serves it to an enclave:

$ VOLUME="test-volume.img"
$ MOUNT_DIR="test-volume-mount-dir"
$ SIZE="32M"
$ USER="1001:1001"

$ anjuna-block-manager.sh create -v ${VOLUME} -s ${SIZE} -u ${USER}
$ mkdir -p ${MOUNT_DIR}
$ anjuna-block-manager.sh mount -v ${VOLUME} -d ${MOUNT_DIR}
$ echo "test" | sudo tee ${MOUNT_DIR}/test.txt
$ anjuna-block-manager.sh unmount -d ${MOUNT_DIR}
$ anjuna-block-manager.sh start -v ${VOLUME}

# start enclave, wait for it to finish and terminate it

$ anjuna-block-manager.sh stop