anjuna-nitro-netd-parent

anjuna-nitro-netd-parent is the agent that enables Nitro enclaves to send and receive network traffic:

This agent includes two parts, one running on the parent instance (anjuna-nitro-netd-parent), and the other inside the enclave (which is started automatically by the Anjuna Nitro Runtime when the Nitro Enclave starts).

The two agents communicate over the Nitro vsock interface, which is the only channel of communication that an enclave can use to interact with external services.

This agent MUST be running before the Nitro enclave starts to enable networking capabilities in the Nitro enclaves.

Before starting the anjuna-nitro-netd-parent agent, you MUST have executed the routing-setup.sh script at least once.

This agent requires the CAP_NET_ADMIN capability.

When running the Anjuna Nitro Runtime tools directly on an EC2 instance, you can grant the anjuna-nitro-netd-parent application the CAP_NET_ADMIN capability by using the following command:

If this command succeeds, you can just run the anjuna-nitro-netd-parent agent by using the following command:

If you do not grant the CAP_NET_ADMIN capability to anjuna-nitro-netd-parent, you need to run it as root:

When running the Anjuna Nitro Runtime tools in a Docker container (for example as a pod in a Kubernetes cluster), the container must be granted the CAP_NET_ADMIN capability by starting the container with the --cap-add NET_ADMIN command line parameter (see https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities for more information).

The Anjuna Nitro Kubernetes tools automatically create pods that have this capability to allow the Nitro enclave to communicate with the outside world by using the network interface assigned to this pod.