EC2 Instance creation
This section describes the requirements that must be satisfied for an EC2 Nitro-capable host to be configured with the Anjuna Nitro Runtime Tools.
Overview
In Setting Up the Nitro Host, you learned how to configure an EC2 host with the Anjuna Nitro Runtime Tools (manual steps).
In this section, you will learn how to fully set up an EC2 instance in an automated way.
The example provided in this page is based on a bash script and should be adapted to match the requirements of your provisioning tool (Terraform, CloudFormation, etc.).
Supported EC2 instances
Creating a Nitro-capable node follows the same conventions as adding a regular EC2 instance. The main differences are:
- EC2 instance type: you must select an instance type that is Nitro-capable. See Nitro Instance for an up-to-date list of instances/regions that support AWS Nitro.
- Amazon Machine Image: the Anjuna Nitro Runtime Tools have been tested on the Amazon Linux AMI.
Additional Software Packages
You should add the following packages to your instance:
- aws-nitro-enclaves-cli
- aws-nitro-enclaves-cli-devel
- openssl11
- docker
- the Anjuna Nitro Runtime Tools https://s3-us-west-1.amazonaws.com/anjuna-security.nitro/release-1.12/0005/anjuna-nitro-runtime.1.12.0005.tar.gz (see Installing the Anjuna Nitro Runtime)
EC2 Host Configuration
Assuming the instance contains the required additional software packages, the following services need to be configured:
- docker
- nitro-enclaves-allocator
- anjuna-nitro
The following bash script fully sets up a Nitro host and can be added as UserData in most provisioning tools (Terraform, CloudFormation, etc.):
```bash
#!/bin/bash
set -x

# Install dependencies
sudo yum -y update
sudo amazon-linux-extras install -y aws-nitro-enclaves-cli
sudo yum install -y aws-nitro-enclaves-cli-devel openssl11
# Docker is one of the required packages listed above and is not part of the
# base Amazon Linux AMI, so install it before its service is enabled
sudo amazon-linux-extras install -y docker

# Add user to Nitro enclave and Docker groups
sudo usermod -aG ne ec2-user
sudo usermod -aG docker ec2-user

# Enable the Docker and Nitro Enclaves allocator systemd services
sudo systemctl enable docker
sudo systemctl enable nitro-enclaves-allocator.service

# Raise the memory limit for the Nitro enclave to 4GB
sudo sed -i 's/^memory_mib:.*/memory_mib: 4096/' /etc/nitro_enclaves/allocator.yaml

# Download and install the Anjuna Nitro Runtime
sudo wget https://s3-us-west-1.amazonaws.com/anjuna-security.nitro/release-1.12/0005/anjuna-nitro-runtime.1.12.0005.tar.gz -P /tmp/
sudo mkdir -p /opt/anjuna/nitro
# "xf" takes the archive as the next argument, so -C must follow it
sudo tar xf /tmp/anjuna-nitro-runtime.1.12.0005.tar.gz -C /opt/anjuna/nitro
sudo rm /tmp/anjuna-nitro-runtime.1.12.0005.tar.gz

# Add net admin permissions to the Anjuna Network Proxy
sudo setcap cap_net_admin+ep /opt/anjuna/nitro/bin/anjuna-nitro-netd-parent

# Copy the Anjuna systemd service to its correct location and enable it
sudo cp /opt/anjuna/nitro/systemd/anjuna-nitro.service /etc/systemd/system/anjuna-nitro.service
sudo chmod 644 /etc/systemd/system/anjuna-nitro.service
sudo systemctl enable anjuna-nitro.service

# Add a hostname for the Nitro enclave
echo "192.168.0.1 enclave" | sudo tee -a /etc/hosts

# Add Anjuna tools to PATH
echo "PATH=\$PATH:/opt/anjuna/nitro/bin" | tee -a /home/ec2-user/.bashrc
```
You should adjust this example to allocate the proper amount of memory for Nitro Enclaves by replacing the value 4096 in the following line with the desired value:
```bash
sudo sed -i 's/^memory_mib:.*/memory_mib: 4096/' /etc/nitro_enclaves/allocator.yaml
```
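The plain `sed -i` above exits successfully even when `memory_mib:` is missing from allocator.yaml, so a typo or a changed file layout leaves the default limit in place without any error. The helper below is an added example (not Anjuna's code, and the function names are my own) that applies the same edit but validates the value, refuses to silently no-op, and reads the result back; it runs against a constructed copy of allocator.yaml rather than the real file.

```bash
#!/bin/bash
# Constructed sample of /etc/nitro_enclaves/allocator.yaml (not read from a real host).
SAMPLE_ALLOCATOR_YAML='---
# Enclave configuration file.
memory_mib: 512
cpu_count: 2'

# Write the constructed sample to a temp file and print its path.
make_sample_allocator() {
  local f
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_ALLOCATOR_YAML" > "$f"
  printf '%s\n' "$f"
}

# Print the memory_mib value currently set in an allocator.yaml.
get_enclave_memory() {
  sed -n 's/^memory_mib:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Set memory_mib in FILE to MIB. Rejects values that are not positive
# integers and fails when the key is absent instead of doing nothing.
# Usage: set_enclave_memory FILE MIB ; returns non-zero on failure.
set_enclave_memory() {
  local file=$1 mib=$2
  case $mib in
    ''|*[!0-9]*|0*) echo "invalid memory_mib: '$mib'" >&2; return 2 ;;
  esac
  if ! grep -q '^memory_mib:' "$file"; then
    echo "no memory_mib key in $file; nothing changed" >&2
    return 3
  fi
  sed -i "s/^memory_mib:.*/memory_mib: $mib/" "$file"
  # Confirm the edit actually took effect.
  [ "$(get_enclave_memory "$file")" = "$mib" ]
}
```

On a real host, run it against /etc/nitro_enclaves/allocator.yaml with sudo and restart nitro-enclaves-allocator afterwards so the new limit is applied.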