anjuna-nitro-cli run-enclave

Starts a new enclave.

SYNOPSIS

anjuna-nitro-cli run-enclave [FLAGS] [OPTIONS] --cpu-count <cpu-count> --cpu-ids <cpu-ids>... --eif-path <eif-path> --memory <memory>

DESCRIPTION

Launches a new enclave by specifying:

  • an enclave image file (.eif) that contains the application you want to run inside the enclave (created by the anjuna-nitro-cli build-enclave command),

  • an even number of vCPUs to allocate to the enclave,

  • the amount of memory to allocate to the enclave.

If the application running in the Nitro Enclave requires network access, you must start the anjuna-nitro-netd-parent agent.

After starting the Nitro Enclave, the anjuna-nitro-cli run-enclave tool prints some information that describes the resources used by the enclave (number of vCPUs, amount of memory) and some of its attributes (enclave ID, flags, state).

Nitro Enclaves can be started in debug mode, which differs from production enclaves in the following two ways:

  • debug enclaves produce some output that can be viewed by running the anjuna-nitro-cli console command,

  • debug enclaves will produce an attestation document where all the enclave measurements are set to a fixed value (00000…0000).

Debug enclaves should be used only for testing. In a typical deployment environment, you should use production enclaves and make sure that the AWS KMS policies use the correct enclave measurements.
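The following is an added example, not part of anjuna-nitro-cli or its documentation: it models the check a relying party (for instance the policy guarding a KMS key) performs on the measurements in an attestation document, rejecting the fixed all-zero values that a debug-mode enclave reports as well as any measurement that does not match the production image. It assumes measurements are hex-encoded SHA-384 digests (96 hex characters) keyed by PCR name; the sample values are constructed.

```python
import hmac

PCR_HEX_LEN = 96  # hex-encoded SHA-384 digest (assumed attestation format)


def is_debug_measurement(pcr_hex: str) -> bool:
    """True for the fixed all-zero value every PCR carries in debug mode."""
    return len(pcr_hex) == PCR_HEX_LEN and set(pcr_hex) == {"0"}


def verify_measurements(reported: dict, expected: dict) -> tuple:
    """Return (ok, reason).

    `reported` holds the PCR values taken from the attestation document,
    `expected` the values recorded when the production .eif was built.
    A debug-mode document is refused outright, before any comparison.
    """
    for name, value in reported.items():
        if is_debug_measurement(value):
            return False, f"{name} is the fixed debug-mode value; refuse to release keys"
    for name, want in expected.items():
        got = reported.get(name)
        if got is None:
            return False, f"{name} missing from attestation document"
        # constant-time comparison of the normalised hex strings
        if not hmac.compare_digest(got.lower(), want.lower()):
            return False, f"{name} does not match the production image"
    return True, "all pinned measurements match the production image"


# Constructed sample data (not real enclave measurements).
EXPECTED = {"PCR0": "a1" * 48, "PCR1": "b2" * 48, "PCR2": "c3" * 48}
PROD_ATTESTATION = dict(EXPECTED)                      # production enclave
DEBUG_ATTESTATION = {n: "0" * PCR_HEX_LEN for n in EXPECTED}  # --debug-mode
TAMPERED_ATTESTATION = {**EXPECTED, "PCR0": "ff" * 48}  # different image

if __name__ == "__main__":
    for label, doc in [("production", PROD_ATTESTATION),
                       ("debug", DEBUG_ATTESTATION),
                       ("tampered", TAMPERED_ATTESTATION)]:
        print(f"{label:>10}: {verify_measurements(doc, EXPECTED)}")
```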

OPTIONS

USAGE:
  anjuna-nitro-cli run-enclave [FLAGS] [OPTIONS] --cpu-count <cpu-count> --cpu-ids <cpu-ids>... --eif-path <eif-path> --memory <memory>

FLAGS:
      --auto-terminate  Automatically terminates the enclave upon application exit.
      --debug-mode      Starts enclave in debug-mode. This makes the console of the enclave available over vsock at CID:
                        VMADDR_CID_HYPERVISOR (0), port: enclave_cid + 10000.
                        The stream can be accessed with the console sub-command.
  -h, --help            Prints help information
  -V, --version         Prints version information

OPTIONS:
  --config <json-config>         Reads enclave settings from a JSON file
  --cpu-count <cpu-count>        Number of vCPUs (must be even due to hyperthreading)
  --cpu-ids <cpu-ids>...         List of cpu-ids that will be provided to the enclave
  --eif-path <eif-path>          Path pointing to a prebuilt Eif image
  --enclave-cid <enclave-cid>    CID to be used for the newly started enclave
  --memory <memory>              Memory to allocate for the enclave in MB

EXIT STATUS

  • 0 on success

  • > 0 on error

EXAMPLE

anjuna-nitro-cli run-enclave --cpu-count 2 --memory 512 --eif-path nginx.eif --auto-terminate