anjuna-nitro-cli build-enclave
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
Builds an enclave image from a Docker image and saves it to a file.
Launching an AWS Nitro Enclave requires an Enclave Image File (EIF).
The anjuna-nitro-cli build-enclave tool creates an EIF from a Docker container and provides
the enclave’s measurements.
Private Docker images
When building an EIF from a private Docker image located in a remote registry, you must ensure that the environment has the right credentials to pull the image.
anjuna-nitro-cli will search for registry credentials at well-known locations in the system,
such as ${XDG_RUNTIME_DIR}/containers/auth.json, ~/.containers/auth.json or ~/.docker/config.json.
For more information, refer to the official containers-auth.json reference.
Enclave configuration file
When building the enclave, you can specify an enclave configuration file (using the
--enclave-config-file command-line option) and override some of the attributes defined
in the Docker image without updating the Docker image itself:
-
Environment variables
-
Startup command specified in the container (
CMD/ENTRYPOINT) -
Configuration files
-
Default user
In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Anjuna Nitro Enclave configuration for a complete description of the file format used to specify the enclave configuration.
System requirements and environment
anjuna-nitro-cli build-enclave will use temporary files in the $ANJ_NITRO_CLI_ARTIFACTS directory.
If you run multiple builds in parallel,
these files may conflict and cause corrupted EIFs to be produced.
It is recommended to set $ANJ_NITRO_CLI_ARTIFACTS to a different path for each
parallel build-enclave command.
Size limitation
The EIF has a size limitation:
-
The maximum size of an EIF is currently 4GB. If you need a larger EIF size, contact support@anjuna.io.
-
If the EIF is too large, it will fail when you try to start the enclave.
-
At this time, the EIF will build successfully and does not fail until you try to start the enclave.
Options
Usage
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
--docker-uri
(Required) URI pointing to an existing Docker image.
The Docker image can be specified by:
-
A Docker URI to any container registry you have access to (for example
1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest) -
A local URI in the Docker image cache (for example
hello-world:latest)
| Local images must be available in the Docker image cache. |
Only Docker images with the platform linux/amd64 are supported.
If you are using an Apple Silicon Mac or other ARM-based platform,
you must explicitly specify --platform=linux/amd64 in your docker build command.
--enclave-config-file
Local path to an enclave configuration file
Configuration files should be less than 560 MB in size in order to successfully build the enclave.
--signing-certificate
Local path to developer’s X509 signing certificate
If you choose to sign the Enclave Image File (EIF) using your signing certificate, you need to monitor the signing certificate expiration. AWS Nitro Enclaves CLI performs validation on the signing certificate when the enclave starts, whether or not PCR8 is used for attestation. If the signing certificate has expired, it will prevent building the EIF and prevent the enclave from starting.
Example
The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file
named nginx.eif.
$ anjuna-nitro-cli build-enclave --docker-uri docker.io/library/nginx:latest --output-file nginx.eifwhich produces output similar to this:
Enclave Image successfully created.
{
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "....",
"PCR1": "....",
"PCR2": "...."
}
}