Block mounts
Block mounts allow reading and writing data from and to persistent storage from inside an enclave. They are more performant than basic mounts and require the creation of a dedicated volume in advance. This page describes the steps required to set up a block mount.
Limitations
Each parent instance can only have one enclave that uses a block mount, and neither the parent instance nor another enclave can mount a volume that is being used by an enclave. A single enclave can mount at most one block volume. Block mounts are not supported in EKS.
Example
In this example, you will learn how to provide the application running in the enclave access to persistent storage using the block mount option.
Create a persistent volume
When using block mounts, data is persisted to a volume file. The contents of this volume will be available as a directory inside the enclave.
To create a new volume, run the following command:
$ anjuna-block-manager.sh create --size 2G --volume /home/ec2-user/enclave-data.img --user 1000:1000 # Create a 2048 MiB file for the volume
Any attempt to write to the volume from inside (or outside) the enclave, especially to its root directory, must run in a user/group context compatible with what is defined in the --user flag. For example, pass the user ID and group ID of the process that will perform the writes.
Configure the enclave to mount the volume
To use a block mount volume, you need to build the enclave with a matching configuration file.
The following configuration snippet declares a single mount of type block.
Only one block type can be specified in the
# Set a persistent block mount
mounts:
  - type: block
    mountPath: /data/dir-in-enclave
In this example, the application running in the enclave will have access to the volume's contents under the directory /data/dir-in-enclave.
Start the parent daemon
With the block mount option, you need to run a daemon that provides the Anjuna Nitro enclave access to the block mount volume on the parent instance. This daemon needs to be running before starting the enclave.
Start the daemon using the following command:
$ anjuna-block-manager.sh start --volume /home/ec2-user/enclave-data.img
This daemon communicates with the enclave over the network and persists data into the volume file /home/ec2-user/enclave-data.img.
Start the enclave
Start the enclave using the Anjuna Nitro Runtime CLI. You do not need to provide any additional flags to the enclave creation to support the block mount.
Stopping the application
When stopping the application, it is important to first stop the enclave.
Once the enclave is stopped, you can stop anjuna-block-manager.sh from giving enclaves access to the volume on the parent instance, in order to prevent any loss or corruption of data.
Stop the daemon using the following command:
$ anjuna-block-manager.sh stop
Accessing the volume contents from outside of the enclave
There might be cases when you need to access the volume’s contents from outside the enclave. This could be when you want to look at the contents of the files in the volume or copy files to the volume.
anjuna-block-manager.sh allows mounting the volume on any standard Linux instance and accessing its contents.
Mounting the volume on the parent instance is not allowed while the volume is being used from inside the enclave, as it may lead to corruption. If the volume is being used from inside the enclave, you must first follow the steps in the Stopping the application section above, before mounting the volume on the parent instance.
To make the volume contents available, use the following command:
$ mkdir -p /home/ec2-user/local-path
$ anjuna-block-manager.sh mount --volume /home/ec2-user/enclave-data.img --directory /home/ec2-user/local-path
You can now access the contents of the volume under /home/ec2-user/local-path.
When you are done using the volume contents, you should unmount the volume with the following command:
$ anjuna-block-manager.sh unmount --directory /home/ec2-user/local-path
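The ordering rules spread across the steps above (daemon before enclave, enclave stopped before the daemon, no parent-side mount while the enclave uses the volume) are easy to get wrong in an orchestration script. The following guard is an added example, not Anjuna's code: a hypothetical BlockVolumeGuard class that tracks which documented step has been taken and refuses the unsafe orderings, building the anjuna-block-manager.sh command lines shown on this page without executing them.

```python
# Hypothetical ordering guard for the block-mount lifecycle on this page (not Anjuna's code).
from dataclasses import dataclass, field
from typing import List, Optional

BLOCK_MANAGER = "anjuna-block-manager.sh"  # the daemon/tool documented above

@dataclass
class BlockVolumeGuard:
    volume: str                         # e.g. /home/ec2-user/enclave-data.img
    daemon_running: bool = False
    enclave_running: bool = False
    parent_mount: Optional[str] = None  # directory while mounted on the parent
    log: List[str] = field(default_factory=list)  # command lines in the order issued

    def _emit(self, cmd: str) -> str:
        # Record the command; replace this with subprocess.run(...) to execute it.
        self.log.append(cmd)
        return cmd

    def start_daemon(self) -> str:
        if self.parent_mount:  # reciprocal of the parent-mount rule: unmount first
            raise RuntimeError("unmount the volume on the parent before starting the daemon")
        self.daemon_running = True
        return self._emit(f"{BLOCK_MANAGER} start --volume {self.volume}")

    def start_enclave(self) -> None:
        if not self.daemon_running:  # the daemon must be up before the enclave is created
            raise RuntimeError("start the block manager daemon before the enclave")
        self.enclave_running = True

    def stop_enclave(self) -> None:
        self.enclave_running = False

    def stop_daemon(self) -> str:
        if self.enclave_running:  # stop the enclave first to avoid data loss or corruption
            raise RuntimeError("stop the enclave before stopping the daemon")
        self.daemon_running = False
        return self._emit(f"{BLOCK_MANAGER} stop")

    def mount_on_parent(self, directory: str) -> str:
        if self.enclave_running or self.daemon_running:  # still in use: corruption risk
            raise RuntimeError("volume is in use by the enclave; stop it first")
        self.parent_mount = directory
        return self._emit(f"{BLOCK_MANAGER} mount --volume {self.volume} --directory {directory}")

    def unmount_on_parent(self) -> str:
        directory, self.parent_mount = self.parent_mount, None
        return self._emit(f"{BLOCK_MANAGER} unmount --directory {directory}")
```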