anjuna-nitro-netd-parent

Configure and start a network bridge between the AWS EC2 host and the enclave.

SYNOPSIS

anjuna-nitro-netd-parent [OPTION...]

DESCRIPTION

anjuna-nitro-netd-parent enables AWS Nitro Enclaves to send and receive network traffic:

  • Outbound connections initiated from within the enclave.

  • Inbound connections to the enclave’s exposed ports.

This agent has two parts: one running on the parent instance (anjuna-nitro-netd-parent), and the other running inside the enclave (started automatically by the Anjuna Nitro Runtime when the AWS Nitro Enclave boots).

The two agents communicate over the vsock interface, which is the only channel of communication that an enclave can use to interact with external services.

From inside the parent VM, connect to an exposed enclave port through the localhost address (127.0.0.1) on the corresponding parent port. Each exposed enclave port is bound on the parent VM both on localhost and on the externally facing IP of eth0, at the parent port given with --expose; connections arriving there are forwarded over vsock to the enclave port. Because the eth0 binding is reachable from the network, the instance's security group and any host firewall on the parent determine who can reach an exposed port, so expose only the ports the enclave workload must serve.

Run anjuna-nitro-netd-parent before starting the enclave, even when no port needs to be exposed: the enclave has no network connectivity at all, including outbound connections, until the parent-side agent is running. When ports must be exposed, pass each one with the --expose option at start time.

To release the resources held by the bridge, kill anjuna-nitro-netd-parent after terminating the enclave.

OPTIONS

Usage: anjuna-nitro-netd-parent [OPTION...]

Options:
  --expose <port number> | <parent port number>:<enclave port number>
    Expose an enclave port as described below. May be given more than once.

  --daemonize
    Run the networking binary as a daemon.

  --log-file <filename>
    If the flag is not specified, information is still logged to the default
    log file, /var/log/nitro_enclaves/nitro_network.log. If that file is not
    writable, output will be sent to the standard output.
    If you want the log files (other than initialization errors) to go to the
    standard output instead of a log file, specify the log file as follows:
    --log-file -

  --help
    Prints help information.

  --version
    Returns the release version.

With the --expose option you can define one of the following:

  • <port number> - expose the enclave port with the specified number to the outside world via the same port number in the Parent VM.

  • <parent port number>:<enclave port number> - expose the specified enclave port number to the outside world via the specified parent port number.

You can pass the --expose flag multiple times to specify multiple ports to expose.

EXIT STATUS

  • 0 on success

  • > 0 on error

EXAMPLE

$ anjuna-nitro-netd-parent --expose 80 --daemonize
Expose enclave port 80 via port 80 in the parent

$ anjuna-nitro-netd-parent --expose 8080:80 --daemonize
Expose enclave port 80 in the enclave via port 8080 in the parent
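
The following wrapper script is an added example and is not part of the Anjuna tooling or of this manual page. It applies the rules stated under DESCRIPTION and OPTIONS: it normalizes each --expose argument into the <parent port>:<enclave port> form, refuses to start when a parent port is repeated or already has a TCP listener on the parent VM (read from ss -Hltn), and only then runs anjuna-nitro-netd-parent with --daemonize, so that the bridge is up before the enclave is launched. The script name netd-preflight.sh and the reliance on ss are assumptions; the command that starts the enclave is not shown because this page does not describe it.

```shell
#!/bin/sh
# netd-preflight.sh (hypothetical wrapper name; added example, not Anjuna's code).
# Validates --expose specs, refuses to start if a parent port is already taken,
# then starts anjuna-nitro-netd-parent so the bridge exists before the enclave.

# normalize_expose SPEC
#   Accepts the two forms --expose takes, "<port>" or "<parent port>:<enclave port>",
#   and prints "<parent>:<enclave>". Returns 1 if either side is not an
#   integer in 1..65535.
normalize_expose() {
  spec=$1
  case $spec in
    *:*) parent=${spec%%:*}; enclave=${spec#*:} ;;
    *)   parent=$spec;       enclave=$spec ;;
  esac
  for p in "$parent" "$enclave"; do
    case $p in
      ''|*[!0-9]*) return 1 ;;          # empty or non-numeric
    esac
    [ ${#p} -le 5 ] || return 1         # keep the arithmetic below sane
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  printf '%s:%s\n' "$parent" "$enclave"
}

# parent_port_in_use PORT LISTING
#   LISTING is the text output of `ss -Hltn` (State Recv-Q Send-Q Local:Port
#   Peer:Port), passed in as a string so the check can be exercised offline.
#   Returns 0 if some TCP listener on the parent already binds PORT.
parent_port_in_use() {
  port=$1; listing=$2
  printf '%s\n' "$listing" | awk -v p="$port" '
    { n = split($4, a, ":"); if (a[n] == p) found = 1 }   # last field is the port
    END { exit found ? 0 : 1 }'
}

# start_netd SPEC...
#   Validates every spec, rejects duplicate or already-bound parent ports,
#   then runs anjuna-nitro-netd-parent --expose ... --daemonize.
start_netd() {
  listing=$(ss -Hltn 2>/dev/null || true)   # empty if ss is unavailable
  seen=" "
  for spec in "$@"; do
    mapping=$(normalize_expose "$spec") || {
      echo "invalid --expose spec: $spec" >&2; return 2; }
    parent=${mapping%%:*}
    case $seen in
      *" $parent "*) echo "parent port $parent given twice" >&2; return 2 ;;
    esac
    seen="$seen$parent "
    if parent_port_in_use "$parent" "$listing"; then
      echo "parent port $parent is already listening; refusing to start" >&2
      return 3
    fi
  done
  # Rebuild the positional parameters as "--expose <parent>:<enclave>" pairs.
  n=$#
  while [ "$n" -gt 0 ]; do
    set -- "$@" --expose "$(normalize_expose "$1")"
    shift; n=$((n - 1))
  done
  anjuna-nitro-netd-parent "$@" --daemonize || {
    echo "anjuna-nitro-netd-parent failed to start (exit $?)" >&2; return 1; }
  echo "network bridge running; start the enclave now, and kill" \
       "anjuna-nitro-netd-parent after the enclave has been terminated"
}

# Usage: sh netd-preflight.sh 80 8443:443
if [ "$#" -gt 0 ]; then
  start_netd "$@"
fi
```

The listening-port check is deliberately fed the ss output as a string rather than calling ss inside the function, so the same logic can be tested against a captured listing; in production the only difference is where the text comes from.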