Block mounts
Block mounts allow reading and writing data from and to persistent storage from inside an enclave. They are more performant than basic mounts and require the creation of a dedicated volume in advance. This page describes the steps required to set up a block mount.
Limitations
Each parent instance can only have one enclave that uses a block mount, and neither the parent instance nor another enclave can mount a volume that is being used by an enclave. A single enclave can mount at most one block volume. Block mounts are not supported in EKS.
Example
In this example, you will learn how to provide the application running in the enclave access to persistent storage using the block mount option.
Create a persistent volume
When using block mounts, data is persisted to a volume file. The content of this volume will be available as a directory inside the enclave.
To create a new volume, run the following command:
$ anjuna-block-manager.sh create --size 2G --volume /home/ec2-user/enclave-data.img --user 1000:1000 # Create a 2048 MiB file for the volume
Any attempt to write to the volume from inside (or outside) the enclave, especially to the root directory, will need to be in a user/group context compatible with what is defined in the --user flag. For example, this can be achieved by using the user id and group id of the process that will perform the writes.
Configure the enclave to mount the volume
To use a block mount volume, you need to build the enclave with a matching configuration file. The following configuration snippet declares a single mount of type block.
Only one block type can be specified in the
# Set a persistent block mount
mounts:
  - type: block
    mountPath: /data/dir-in-enclave
In this example, the application running in the enclave will have access to the volume’s content under the directory /data/dir-in-enclave.
Start the parent daemon
With the block mount option, one needs to run a daemon that provides the Anjuna Nitro enclave access to the block mount volume on the parent instance. This daemon needs to be running before starting the enclave.
You can start the daemon using the following command:
$ anjuna-block-manager.sh start --volume /home/ec2-user/enclave-data.img
This daemon will communicate with the enclave over the network and persist data into the volume file /home/ec2-user/enclave-data.img.
Start the enclave
Start the enclave using the Anjuna Nitro Runtime CLI. You need not provide any additional flags to the enclave creation to support the block mount.
Stopping the application
When stopping the application it is important to first stop the enclave, and only then stop the anjuna-block-manager.sh daemon serving the volume on the parent instance, to prevent any loss or corruption of data.
You can stop the daemon using the following command:
$ anjuna-block-manager.sh stop
Accessing the volume content from outside of the enclave
There could be cases in which you need to access the volume’s content from outside the enclave. This could be when you want to look at the content of the files in the volume or copy files to the volume.
anjuna-block-manager.sh allows mounting the volume on any standard Linux instance and accessing its content.
Mounting the volume on the parent instance is not allowed while the volume is being used from inside the enclave, as it may lead to corruption. If the volume is being used from inside the enclave, you must first follow the steps in the Stopping the application section.
To make the volume content available, use the following command:
$ mkdir -p /home/ec2-user/local-path
$ anjuna-block-manager.sh mount --volume /home/ec2-user/enclave-data.img --directory /home/ec2-user/local-path
You can now access the content of the volume under /home/ec2-user/local-path.
Only mount the volume in this way, as
When you are done with the needed activity on the volume content, you should unmount the volume, with the following command:
$ anjuna-block-manager.sh unmount --directory /home/ec2-user/local-path
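The ordering rules above (stop the enclave before the daemon; never mount on the parent while the daemon serves the volume) are easy to get wrong by hand. As an added example that is not part of Anjuna's tooling, the following POSIX shell wrapper drives anjuna-block-manager.sh with the flags shown on this page and tracks the volume's state in a marker file so that the unsafe orderings are refused. The marker file name (<volume>.state) and the BLOCK_MANAGER override are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not Anjuna's own tooling: a thin wrapper around
# anjuna-block-manager.sh that records the volume's state in a marker file
# ("<volume>.state", this script's own convention) so that the volume is never
# mounted on the parent while the daemon serves it to an enclave, and the daemon
# is never started while the volume is still mounted on the parent.
BLOCK_MANAGER="${BLOCK_MANAGER:-anjuna-block-manager.sh}"   # overridable for testing

state_file() { printf '%s.state' "$1"; }
get_state()  { [ -f "$(state_file "$1")" ] && cat "$(state_file "$1")" || echo idle; }
set_state()  { printf '%s\n' "$2" > "$(state_file "$1")"; }

# Create the volume. The uid:gid must match the user/group context of the
# process that will write to the volume (see the --user note above).
volume_create() {  # volume size uid gid
    "$BLOCK_MANAGER" create --size "$2" --volume "$1" --user "$3:$4" || return 1
    set_state "$1" idle
}

# Start the parent daemon; refuse while the volume is mounted on the parent.
volume_serve_start() {  # volume
    case "$(get_state "$1")" in
        mounted-local) echo "refusing: $1 is mounted on the parent; unmount it first" >&2; return 1 ;;
        serving)       echo "already serving $1" >&2; return 0 ;;
    esac
    "$BLOCK_MANAGER" start --volume "$1" || return 1
    set_state "$1" serving
}

# Stop the parent daemon. Only call this after the enclave itself has been stopped.
volume_serve_stop() {  # volume
    "$BLOCK_MANAGER" stop || return 1
    set_state "$1" idle
}

# Mount on the parent for inspection; refuse while the daemon is serving the volume.
volume_local_mount() {  # volume directory
    if [ "$(get_state "$1")" = serving ]; then
        echo "refusing: $1 is served to an enclave; stop the enclave, then the daemon" >&2
        return 1
    fi
    mkdir -p "$2" && "$BLOCK_MANAGER" mount --volume "$1" --directory "$2" || return 1
    set_state "$1" mounted-local
}

volume_local_unmount() {  # volume directory
    "$BLOCK_MANAGER" unmount --directory "$2" || return 1
    set_state "$1" idle
}
```

Source the file and call the functions in the order of the page's procedure; each refused step returns non-zero with a message on stderr.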
Making a volume available for an enclave using the