Block mounts

Block mounts allow an application running inside an enclave to read and write data on persistent storage. They offer better performance than basic mounts, but require a dedicated volume to be created in advance. This page describes the steps required to set up a block mount.

Limitations

Each parent instance can have only one enclave that uses a block mount, and while an enclave is using a volume, neither the parent instance nor another enclave can mount that volume. A single enclave can mount at most one block volume. Block mounts are not supported in EKS.

Example

In this example, you will learn how to give the application running in the enclave access to persistent storage using the block mount option.

Create a persistent volume

When using block mounts, data is persisted to a volume file. The contents of this volume are exposed as a directory inside the enclave.

To create a new volume, run the following command:

$ anjuna-block-manager.sh create --size 2G --volume /home/ec2-user/enclave-data.img --user 1000:1000 # Create a 2048 MiB file for the volume

Any write to the volume from inside or outside the enclave, in particular to its root directory, must be performed in a user/group context compatible with the value given to the --user flag. Typically you pass the user ID and group ID of the process that will perform the writes.

Configure the enclave to mount the volume

To use a block mount volume, you need to build the enclave with a matching configuration file.

The following configuration snippet declares a single mount of type block. Only one mount of type block can be specified in the mounts section; block mounts are otherwise compatible with all other configuration options, including other basic mounts.

# Set a persistent block mount
mounts:
  - type: block
    mountPath: /data/dir-in-enclave

In this example, the application running in the enclave will have access to the volume’s contents under the directory /data/dir-in-enclave.

Start the parent daemon

With the block mount option, a daemon running on the parent instance gives the Anjuna Nitro enclave access to the block mount volume. This daemon must be running before you start the enclave.

Start the daemon using the following command:

$ anjuna-block-manager.sh start --volume /home/ec2-user/enclave-data.img

This daemon communicates with the enclave over the network and persists data into the volume file /home/ec2-user/enclave-data.img.

Start the enclave

Start the enclave using the Anjuna Nitro Runtime CLI. You do not need to provide any additional flags to the enclave creation to support the block mount.

Stopping the application

When stopping the application, stop the enclave first. Once the enclave has stopped, stop anjuna-block-manager.sh so that it no longer exposes the volume to enclaves on the parent instance. Stopping in this order prevents loss or corruption of data.

Stop the daemon using the following command:

$ anjuna-block-manager.sh stop

Accessing the volume contents from outside of the enclave

There might be cases when you need to access the volume’s contents from outside the enclave, for example to inspect the files in the volume or to copy files into it.

anjuna-block-manager.sh allows you to mount the volume on any standard Linux instance and access its contents.

Mounting the volume on the parent instance is not allowed while the volume is in use from inside the enclave, as this may lead to corruption. If the volume is in use by the enclave, first follow the steps in the Stopping the application section above, then mount the volume on the parent instance.

To make the volume contents available, use the following command:

$ mkdir -p /home/ec2-user/local-path
$ anjuna-block-manager.sh mount --volume /home/ec2-user/enclave-data.img --directory /home/ec2-user/local-path

You can now access the contents of the volume under /home/ec2-user/local-path.

Always use the anjuna-block-manager.sh tool to mount the volume. If the volume has already been made available to enclaves, or is already mounted, the tool refuses to mount it again, which prevents corruption of the volume.

When you are done using the volume contents, you should unmount the volume with the following command:

$ anjuna-block-manager.sh unmount --directory /home/ec2-user/local-path

If you run anjuna-block-manager.sh start to make a volume available to an enclave while the volume is still mounted locally, the tool displays this error: Failed to lock volume <volume>. Is it in use? Unmount the volume first with the unmount option of the anjuna-block-manager.sh tool.
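The whole procedure on this page (create the volume, start the parent daemon, start the enclave, stop in reverse order, then mount the volume locally for inspection and unmount it again) collected into one POSIX shell wrapper. This is an added example; it is not part of the Anjuna documentation or of the anjuna-block-manager.sh tool, and the only anjuna-block-manager.sh subcommands and flags it uses are the ones shown above. The start_enclave_placeholder and stop_enclave_placeholder functions, the DRY_RUN mode, the config check and the path defaults are assumptions made for illustration: substitute your Anjuna Nitro Runtime CLI commands for the placeholders before using it.

```shell
#!/bin/sh
# Added example, not part of the Anjuna documentation or of
# anjuna-block-manager.sh. It enforces the ordering rules from this page:
# daemon before enclave on the way up, enclave before daemon on the way down,
# and a local mount only when the daemon is not holding the volume.
set -u

# Constructed defaults; override through the environment.
VOLUME="${VOLUME:-/home/ec2-user/enclave-data.img}"
VOLUME_SIZE="${VOLUME_SIZE:-2G}"
VOLUME_USER="${VOLUME_USER:-1000:1000}"   # uid:gid of the process that writes the volume
LOCAL_DIR="${LOCAL_DIR:-/home/ec2-user/local-path}"
DRY_RUN="${DRY_RUN:-0}"                   # 1 = record commands in RUN_LOG instead of running them
RUN_LOG=""

# run: execute a command, or in dry-run mode append it to RUN_LOG (one command
# per line) so the order of operations can be inspected without side effects.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        RUN_LOG="${RUN_LOG}$*
"
    else
        "$@"
    fi
}

# Hypothetical placeholders: replace with the Anjuna Nitro Runtime CLI commands.
start_enclave_placeholder() { echo "replace start_enclave_placeholder with the Runtime CLI start command" >&2; return 1; }
stop_enclave_placeholder()  { echo "replace stop_enclave_placeholder with the Runtime CLI stop command" >&2; return 1; }

# count_block_mounts CONFIG: number of "- type: block" entries in the config.
# The page allows at most one block mount per enclave.
count_block_mounts() {
    grep -c '^[[:space:]]*-[[:space:]]*type:[[:space:]]*block[[:space:]]*$' "$1" 2>/dev/null || true
}

# volume_owner_matches VOLUME UID:GID: succeeds when the volume file is owned
# by the uid:gid passed to --user, so writes from the enclave will be allowed.
volume_owner_matches() {
    owner=$(stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1")
    [ "$owner" = "$2" ]
}

# start_block_mount CONFIG: validate the config, create the volume if it does
# not exist yet, start the parent daemon, then start the enclave.
start_block_mount() {
    [ -f "$1" ] || { echo "error: config $1 not found" >&2; return 1; }
    if [ "$(count_block_mounts "$1")" -gt 1 ]; then
        echo "error: $1 declares more than one block mount" >&2
        return 1
    fi
    if [ ! -f "$VOLUME" ]; then
        run anjuna-block-manager.sh create --size "$VOLUME_SIZE" --volume "$VOLUME" --user "$VOLUME_USER"
    elif ! volume_owner_matches "$VOLUME" "$VOLUME_USER"; then
        echo "error: $VOLUME is not owned by $VOLUME_USER" >&2
        return 1
    fi
    run anjuna-block-manager.sh start --volume "$VOLUME"   # daemon must be up before the enclave
    run start_enclave_placeholder "$1"
}

# stop_block_mount: enclave first, then the daemon, to avoid losing data.
stop_block_mount() {
    run stop_enclave_placeholder
    run anjuna-block-manager.sh stop
}

# with_volume_mounted CMD...: mount the volume on the parent instance, run CMD
# with the mount point as its last argument, and always unmount afterwards.
# Call this only after stop_block_mount; the tool refuses a volume in use.
with_volume_mounted() {
    run mkdir -p "$LOCAL_DIR"
    run anjuna-block-manager.sh mount --volume "$VOLUME" --directory "$LOCAL_DIR" || return 1
    run "$@" "$LOCAL_DIR"
    rc=$?
    run anjuna-block-manager.sh unmount --directory "$LOCAL_DIR"
    return $rc
}
```

Source the file and call start_block_mount /path/to/enclave-config.yaml, stop_block_mount, or with_volume_mounted ls -l as needed; with DRY_RUN=1 the functions only record the commands they would run, which is a convenient way to check the order before touching a real volume.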