Setting up the AWS Nitro-based instance
In this section, you must be logged into an AWS Nitro-based instance (see the previous section).
Installing necessary packages on the AWS Nitro-based EC2 instance
The AWS Nitro-based EC2 instance requires a few packages to create AWS Nitro Enclaves.
Installing jq is included in the required dependencies in the install command below and is recommended since many example commands throughout this document use jq. jq is a command-line tool that formats JSON output so that it is more easily readable.
Run the following command to install the required dependencies (the commands assume the operating system is Amazon Linux 2):
$ sudo amazon-linux-extras install aws-nitro-enclaves-cli
$ sudo yum install -y aws-nitro-enclaves-cli-devel jq openssl11-libs
$ sudo usermod -aG ne ec2-user
$ sudo usermod -aG docker ec2-user
# Give the ne group access to /dev/vsock
$ echo 'KERNEL=="vsock", MODE="660", GROUP="ne"' | sudo tee /etc/udev/rules.d/51-vsock.rules
$ sudo udevadm control --reload
$ sudo udevadm trigger
Since changes were made to the permissions of the default user, exit the SSH session and log in to the AWS Nitro-based EC2 instance again for the permissions to become active. This is needed only the first time you install Docker on the host.
Configure some of the AWS Nitro components
The default configuration of the Anjuna Nitro Runtime defines the maximum size of an enclave to be 512MB. To create enclaves that are much bigger, you must change the default value. Replace 4096 in the command below with a size appropriate for the applications that you will run in enclaves; 4096 is a good default value to start with:
$ sudo sed -i 's/^memory_mib:.*/memory_mib: 4096/' /etc/nitro_enclaves/allocator.yaml
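The steps above change three things on the host: the group memberships of the default user, the udev rule for /dev/vsock, and the enclave memory reserve in the allocator configuration. A quick way to confirm all three took effect (and that the sed edit matched the memory_mib line) is to check them after the re-login. The script below is an added example, not part of the Anjuna documentation; the file paths and group names are the ones used on this page, while the function names and the demo's constructed allocator.yaml are ours. The check_host function reads the live system and is meant to run on the EC2 instance; the demo function exercises the same checks against temporary files, so it runs anywhere without root.

```shell
#!/bin/sh
# Added example, not part of the Anjuna documentation. Verifies the host setup
# from this section: allocator memory reserve, vsock udev rule, group membership.

# Print the memory_mib value from an allocator.yaml (first match); fail if absent.
get_memory_mib() {
    sed -n 's/^memory_mib:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1 | grep .
}

# Succeed if the enclave memory reserve in FILE ($1) is at least MIN_MIB ($2).
memory_at_least() {
    mib=$(get_memory_mib "$1") || return 1
    [ "$mib" -ge "$2" ]
}

# Succeed if the udev rule file grants the ne group mode 660 on the vsock device
# (the exact rule this section installs into /etc/udev/rules.d/51-vsock.rules).
vsock_rule_ok() {
    grep -q '^KERNEL=="vsock", *MODE="660", *GROUP="ne"' "$1"
}

# Succeed if USER ($1) is a member of GROUP ($2); reads the live system.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Run every check against the real host for USER (default ec2-user).
# Prints one line per check and returns 0 only if all of them pass.
check_host() {
    user=${1:-ec2-user}
    rc=0
    memory_at_least /etc/nitro_enclaves/allocator.yaml 4096 \
        && echo "ok   allocator memory_mib >= 4096" \
        || { echo "FAIL allocator memory_mib below 4096 or missing"; rc=1; }
    vsock_rule_ok /etc/udev/rules.d/51-vsock.rules \
        && echo "ok   vsock udev rule present" \
        || { echo "FAIL vsock udev rule missing"; rc=1; }
    for g in ne docker; do
        user_in_group "$user" "$g" \
            && echo "ok   $user in group $g" \
            || { echo "FAIL $user not in group $g (re-login after usermod?)"; rc=1; }
    done
    return $rc
}

# Self-contained demo on constructed files (no root, no real host): start from the
# 512 MiB default, apply the same sed substitution as this section, and re-check.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'memory_mib: 512\ncpu_count: 2\n' > "$tmp/allocator.yaml"   # constructed default
    if memory_at_least "$tmp/allocator.yaml" 4096; then
        echo "unexpected: default config already >= 4096"; return 1
    fi
    sed 's/^memory_mib:.*/memory_mib: 4096/' "$tmp/allocator.yaml" > "$tmp/allocator.new" \
        && mv "$tmp/allocator.new" "$tmp/allocator.yaml"
    memory_at_least "$tmp/allocator.yaml" 4096 || { echo "memory check failed"; return 1; }
    echo 'KERNEL=="vsock", MODE="660", GROUP="ne"' > "$tmp/51-vsock.rules"
    vsock_rule_ok "$tmp/51-vsock.rules" || { echo "vsock rule check failed"; return 1; }
    echo "demo: memory_mib now $(get_memory_mib "$tmp/allocator.yaml"), vsock rule ok"
    rm -rf "$tmp"
}
```

On the instance, run `check_host` (or `check_host someuser`) after logging back in; a FAIL on the group checks right after the usermod commands usually just means the SSH session predates the change, which is why the section tells you to log in again.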