anjuna-nitro-cli build-enclave
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
Builds an enclave image from a Docker image and saves it to a file.
Launching an AWS Nitro Enclave requires an Enclave Image File (EIF).
The anjuna-nitro-cli build-enclave tool creates an EIF from a Docker container and provides
the enclave’s measurements.
Enclave configuration file
When building the enclave, you can specify an enclave configuration file (using the
--enclave-config-file command-line option) and override some of the attributes defined
in the Docker image without updating the Docker image itself:
-
environment variables
-
startup command specified in the container (
CMD/ENTRYPOINT) -
configuration files
-
default user
In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Anjuna Nitro Enclave configuration for a complete description of the file format used to specify the enclave configuration.
System requirements and environment
For details on the system requirements and environment needed for building an EIF image see Requirements for building an EIF image.
anjuna-nitro-cli build-enclave will use temporary files in the $ANJ_NITRO_CLI_ARTIFACTS
directory.
If you run multiple builds in parallel,
these files may conflict and cause corrupted EIFs to be produced.
It is recommended to set $ANJ_NITRO_CLI_ARTIFACTS to a different path for each
parallel build-enclave command.
|
Size limitation
The EIF has a size limitation:
-
The maximum size of an EIF is currently 4GB. If you need a larger EIF size, contact support@anjuna.io.
-
If the EIF is too large, it will fail when you try to start the enclave.
-
At this time, the EIF will build successfully and does not fail until you try to start the enclave.
Options
Usage
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
--docker-uri
(Required) URI pointing to an existing Docker image,
or the image to be created locally when docker-dir is present
The Docker image can be specified by:
-
a Docker URI to any Docker registry you have access to (for example
1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest) -
a local URI (for example
hello-world:latest) -
the name of the image that will be created from the Dockerfile in the path provided by
--docker-dir
Only Docker images with the platform linux/amd64 are supported.
If you are using an Apple Silicon Mac or other ARM-based platform,
you must explicitly specify --platform=linux/amd64 in your docker build command.
Using a Docker image with the wrong platform
will result in an [ E36 ] Enclave boot failure error at runtime.
--enclave-config-file
Local path to an enclave configuration file
Configuration files should be less than 560 MB in size in order to successfully build the enclave.
--signing-certificate
Local path to developer’s X509 signing certificate
If you choose to sign the Enclave Image File (EIF) using your signing certificate, you need to monitor the signing certificate expiration. AWS Nitro Enclaves CLI performs validation on the signing certificate when the enclave starts, whether or not PCR8 is used for attestation. If the signing certificate has expired, it will prevent building the EIF and prevent the enclave from starting.
Example
The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file
named nginx.eif.
$ anjuna-nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eifwhich produces output similar to this:
Enclave Image successfully created.
{
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "....",
"PCR1": "....",
"PCR2": "...."
}
}