Nitro Enclave Configuration
The Nitro Enclave Configuration file contains the information the Anjuna Nitro Runtime needs to set up the application’s environment and start the application in a Nitro Enclave.
You can specify the Nitro Enclave Configuration file when building the Enclave Image File (EIF) with the anjuna-nitro-cli build-enclave command.
nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eif --enclave-config-file config.yaml
The Nitro Enclave Configuration file allows you to configure the application running in the enclave (without changing the Docker image used to create the EIF):
- Setting up new environment variables (or overriding existing ones).
- Adding files to the application’s file system.
- Setting the hostname of the enclave.
- Changing the command that starts the application in the enclave.
- Specifying the S3 bucket that contains secrets for the application running in the enclave.
Nitro Enclave Configuration Entries
The Nitro Enclave Configuration should be a valid YAML file.
Version
The Nitro Enclave Configuration must contain a version entry:
version: 1.5
The Anjuna Nitro Runtime v1.21.0001 supports Nitro Enclave Configuration v1.5 and below.
Environment variables
The environment entry contains an array of strings, where each string represents an environment variable and its value. The string should have the following format:
name=value
For example:
environment:
  - NGINX_HOST=foobar.com
  - NGINX_PORT=80
The variables defined in this section override the ones that were defined in the Docker container.
When the Anjuna Nitro Runtime starts the Nitro Enclave, it sets up the variables in the same order as they were defined in the Nitro Enclave Configuration file.
The value of an environment variable must be a literal (i.e. references to other environment variables are not supported).
Configuration files
The files entry contains an array of files with the following attributes:
- path (required): The path where the file will be created. The Anjuna Nitro Runtime will create the intermediate directories if they don’t exist.
- mode (optional): The permissions on the file (in octal notation). The default value is 0644 (which maps to -rw-r--r-- in symbolic notation).
- owner (optional): The owner (user) of the file. The default value is root.
- group (optional): The owner (group) of the file. The default value is the user owner.
- content (optional): The content of the file (if not provided, an empty file will be created).
files:
  - path: "/my-application/etc/config.toml"
    mode: 0644
    owner: root
    group: root
    content: |
      [database]
      server = "192.168.1.1"
      ports = [ 8000, 8001, 8002 ]
      connection_max = 5000
      enabled = true
This example defines the file /my-application/etc/config.toml with the following content:
[database]
server = "192.168.1.1"
ports = [ 8000, 8001, 8002 ]
connection_max = 5000
enabled = true
Container Command
The Anjuna Nitro Runtime executes the command specified by the ENTRYPOINT and CMD entries from the original Dockerfile. If you want to override this value, you can specify the application and its command-line arguments.
command: [program, 1st_arg, 2nd_arg, ...]
Note that the syntax above can alternatively be written like this for the same result:
command:
  - program
  - 1st_arg
  - 2nd_arg
  - ...
Hostname
You can change the default hostname of the enclave to any value with the hostname field.
hostname: anjuna-enclave
The value of hostname is inserted automatically in the file /etc/hosts on the file system of the application running in the Nitro Enclave.
Encrypted Configuration Files
The Nitro Enclave Configuration file is inserted in the EIF in the same area as the application, and as such, it affects the PCR2 measurement.
However, this configuration file is not encrypted and you should not insert sensitive data (secrets) in this file. To securely provide secrets to your application, use the anjuna-nitro-encrypt tool to encrypt a configuration file with an AWS KMS key and upload it to an S3 bucket.
You can then add the location of the S3 bucket in the Nitro Enclave Configuration, which allows the Anjuna Nitro Runtime to download and decrypt the encrypted secrets (as long as the Nitro Enclave is allowed to decrypt data using the AWS KMS key).
To specify the location of the S3 bucket, just add the environment variable NITRO_ATTESTED_CONF_URL to the Nitro Enclave Configuration file.
environment:
  - NGINX_HOST=foobar.com
  - NGINX_PORT=80
  - NITRO_ATTESTED_CONF_URL=s3://my-bucket.nitro.my-application/kms-encrypted-data.bin
The Encrypted Configuration file has the same format as the Nitro Enclave Configuration file. Entries defined in the Encrypted Configuration file override entries defined in the Nitro Enclave Configuration file.
Persistent Storage Mounts
The mounts entry contains an array of mounts with the following attributes:
- type (required): The type of the mount; should be basic.
- name (required): The name of the volume mount.
- mountPath (required): The path to mount the volume to inside the enclave.
version: 1.5
mounts:
  - type: basic
    name: example-volume
    mountPath: /shared/example-volume
Example
Here is a complete example of a Nitro Enclave Configuration:
version: 1.5
environment:
  - NGINX_HOST=anjuna-enclave
  - NGINX_PORT=80
  - NITRO_ATTESTED_CONF_URL=s3://my-bucket.nitro.my-application/kms-encrypted-data.bin
hostname: anjuna-enclave
command: [nginx-debug, '-g', 'daemon off;']
files:
  - path: "/my-application/etc/config.toml"
    mode: 0644
    owner: root
    group: root
    content: |
      [database]
      server = "192.168.1.1"
      ports = [ 8000, 8001, 8002 ]
      connection_max = 5000
      enabled = true
mounts:
  - name: app-data
    type: basic
    mountPath: /shared/app-data
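A pre-build checker for the constraints this page lays out (a required version no newer than 1.5, name=value environment strings with literal values, an s3:// NITRO_ATTESTED_CONF_URL, absolute file paths with octal modes, basic mounts with name and mountPath), which also flags secret-looking variable names placed in this unencrypted, PCR2-measured file. This is an added example and not Anjuna's code; it takes the dict that yaml.safe_load() returns for the file, and the sample configuration and the secret-name heuristic are constructed for the example.

```python
import re

# Checker for the entries documented on this page; an added example, not an Anjuna tool.
# Input is the dict that yaml.safe_load() returns for the Nitro Enclave Configuration file.
SUPPORTED_VERSION = 1.5
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
SECRET_RE = re.compile(r"(?i)(password|passwd|secret|token|api_?key|private_key)")  # constructed heuristic

def validate_config(cfg: dict) -> list:
    findings = []
    version = cfg.get("version")
    if version is None:
        findings.append("version: required entry is missing")
    elif float(version) > SUPPORTED_VERSION:
        findings.append(f"version: {version} is newer than the supported {SUPPORTED_VERSION}")
    for item in cfg.get("environment", []):
        if not isinstance(item, str) or not ENV_RE.match(item):
            findings.append(f"environment: {item!r} is not of the form name=value")
            continue
        name, value = item.split("=", 1)
        if "$" in value:  # values are literals; $OTHER is not expanded by the runtime
            findings.append(f"environment: {name} references another variable")
        if name == "NITRO_ATTESTED_CONF_URL" and not value.startswith("s3://"):
            findings.append("environment: NITRO_ATTESTED_CONF_URL must be an s3:// URL")
        elif SECRET_RE.search(name):  # this file is unencrypted and measured into PCR2
            findings.append(f"environment: {name} looks like a secret; use the encrypted S3 config")
    for entry in cfg.get("files", []):
        path = entry.get("path")
        if not isinstance(path, str) or not path.startswith("/"):
            findings.append(f"files: path is required and must be absolute, got {path!r}")
        mode = entry.get("mode", 0o644)  # PyYAML (YAML 1.1) reads an unquoted 0644 as int 420
        mode_int = int(mode, 8) if isinstance(mode, str) else int(mode)
        if not 0 <= mode_int <= 0o7777:
            findings.append(f"files: {path} has invalid mode {mode!r}")
    for mount in cfg.get("mounts", []):
        if mount.get("type") != "basic":
            findings.append(f"mounts: type must be 'basic', got {mount.get('type')!r}")
        for key in ("name", "mountPath"):
            if not mount.get(key):
                findings.append(f"mounts: {key} is required")
    return findings

# Constructed sample: the page's example trimmed, plus a plaintext secret and a mount lacking mountPath.
SAMPLE_CONFIG = {
    "version": 1.5,
    "environment": ["NGINX_PORT=80", "DB_PASSWORD=hunter2",
                    "NITRO_ATTESTED_CONF_URL=s3://my-bucket.nitro.my-application/kms-encrypted-data.bin"],
    "files": [{"path": "/my-application/etc/config.toml", "mode": 0o644, "owner": "root"}],
    "mounts": [{"name": "app-data", "type": "basic"}],
}
```

Run it on a real file with `validate_config(yaml.safe_load(open("config.yaml")))` before `build-enclave`; quoting the mode as "0644" is also accepted, since the checker parses strings as octal.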