anjuna-nitro-netd-parent
Configure and start a network bridge between the AWS EC2 host and the enclave.
DESCRIPTION
anjuna-nitro-netd-parent
enables AWS Nitro Enclaves to send and receive network traffic:
-
Outbound connections initiated from within the enclave.
-
Inbound connections to the enclave’s exposed ports.
This agent includes two parts; one running on the parent instance (anjuna-nitro-netd-parent
), and the other
inside the enclave (which is started automatically by the Anjuna Nitro Runtime when the
AWS Nitro Enclave starts).
The two agents communicate over the vsock interface, which is the only channel of communication that an enclave can use to interact with external services.
When connecting from inside the Parent VM to the enclave, you can connect to the enclave port via
the localhost address (127.0.0.1
). The listening ports inside the enclave will be exported (exposed)
to both the localhost on the parent VM and to the externally facing IP on eth0
of the parent VM via
the external port specified.
For the enclave to work properly, it is important to run anjuna-nitro-netd-parent
before
starting the enclave, even if no port needs to be exposed to enable networking capabilities in the
AWS Nitro Enclaves. When there are ports to expose, you must use the --expose
parameter.
OPTIONS
Usage: anjuna-nitro-netd-parent [OPTION...] Options: --expose [<port number>] | [<parent port number>:<enclave port number>] [--expose <port> | <port>:<port> ...] Expose enclave ports as described below. --daemonize Run the networking binary as a daemon. --log-file <filename> If the flag is not specified, information is still logged to the default log file, /var/log/nitro_enclaves/nitro_network.log. If that file is not writable, output will be sent to the standard output. If you want the log files (other than initialization errors) to go to the standard output instead of a log file, specify the log file as follows: --log-file - --help Prints help information. --version Returns the release version.
With the --expose
option you can define one of the following:
-
<
port number
> - expose the enclave port with the specified number to the outside world via the same port number in the Parent VM. -
<
parent port number
>:<enclave port number
> - expose the specified enclave port number to the outside world via the specified parent port number.
You can pass the --expose
flag multiple times to specify multiple ports to expose.