Troubleshooting
This section addresses possible warnings or errors you might encounter while using the Anjuna tools.
For issues with deploying Pods with the Anjuna Nitro K8s Toolset, the Anjuna Nitro Kubernetes toolset troubleshooting guide may also be helpful.
Loading out-of-tree module taints kernel
You may see enclave log messages mentioning a tainted kernel like this:
[ 3.431418] nsm: loading out-of-tree module taints kernel.
[ 3.431993] nsm: module verification failed: signature and/or required key missing - tainting kernel
This is an informational message for Linux kernel developers and does not indicate an issue with your host. It is printed when the system loads the Nitro Secure Module kernel module, which is software that is developed by AWS to implement various operations for AWS Nitro Enclaves, including attestation.
The taint message informs kernel developers that a kernel module has been installed and is not included in the mainline Linux kernel, which may be helpful to know when debugging kernel issues. See the Linux kernel documentation on Tainted kernels for more information.
The enclave cannot start because full CPU cores have not been set
This error indicates that you are trying to run anjuna-nitro-cli run-enclave with an odd-numbered --cpu-count.
AWS Nitro Enclaves on Intel and AMD-based instance types require an even number of CPUs due to hyperthreading.
To resolve the error, update --cpu-count to use an even number of CPUs.
Invalid config file YAML
You may see error messages like Invalid config file "config.yaml": yaml: line 8: found unexpected end of stream.
This occurs when the --enclave-config-file for anjuna-nitro-cli build-enclave is not a valid YAML file.
See Anjuna Nitro Enclave Configuration for more information on the config file syntax. You may find it useful to use a YAML validation tool with your configuration file, and in some scenarios, use YAML multi-line strings.
New configuration version available
You may see informational messages like Found config version 1.6. For the latest, use: "version: 1.7".
This occurs when you are using an --enclave-config-file with a version that is not the latest version.
The version of the Anjuna Nitro Enclave Configuration may be updated to add new fields or fix bugs in enclave behavior. Using the latest config version for your Anjuna Nitro Runtime version is recommended.
anjuna-nitro-netd-parent
bind: permission denied
You may see error messages like Startup failure: cannot add network services: listen tcp :80: bind: permission denied in the log of anjuna-nitro-netd-parent.
This error occurs when you are trying to expose a port numbered less than 1024, but the anjuna-nitro-netd-parent does not have permission to bind on privileged ports.
Following the instructions in Install the Anjuna Nitro Runtime, run the following command to give anjuna-nitro-netd-parent the ability to bind on privileged ports.
The command assumes you have installed the Anjuna Nitro Runtime at the default location /opt/anjuna/nitro.
$ sudo setcap cap_net_bind_service=+ep /opt/anjuna/nitro/bin/anjuna-nitro-netd-parent
Using setcap is preferred over running anjuna-nitro-netd-parent with sudo.
setcap is a one-time setup operation and grants only the needed port binding capability.
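A check you can run after the setcap step, added here as an example and not part of the Anjuna tooling: it confirms that the binary holds only cap_net_bind_service and is not setuid. The function names are hypothetical, the path is the default install location given above, and both getcap output styles (older "path = caps+ep", newer "path caps=ep") are handled.

```sh
#!/bin/sh
# Added example (not Anjuna code): audit the privileges of anjuna-nitro-netd-parent.
NETD=/opt/anjuna/nitro/bin/anjuna-nitro-netd-parent  # default install path from this page

# classify_getcap LINE: LINE is one line of `getcap` output for the binary.
# Returns 0 when the only file capability is cap_net_bind_service with the
# effective+permitted flags, 1 when it is missing, 2 when anything extra is set.
classify_getcap() {
    line=$1
    if [ -z "$line" ]; then
        echo "missing: no file capabilities set"
        return 1
    fi
    # Strip the path (assumed to contain no spaces). Older libcap prints
    # "path = caps+ep"; newer releases print "path caps=ep".
    caps=${line#* }
    caps=${caps#= }
    case $caps in
        cap_net_bind_service+ep|cap_net_bind_service=ep)
            echo "ok: cap_net_bind_service only (effective, permitted)"
            return 0 ;;
        *cap_net_bind_service*)
            echo "excess: more than port binding is granted: $caps"
            return 2 ;;
        *)
            echo "missing: cap_net_bind_service not granted: $caps"
            return 1 ;;
    esac
}

# audit_netd: run the check against the installed binary and also reject a
# setuid bit, which would give the proxy full root instead of one capability.
audit_netd() {
    if [ -u "$NETD" ]; then
        echo "excess: $NETD is setuid"
        return 2
    fi
    classify_getcap "$(getcap "$NETD" 2>/dev/null)"
}

# Run the audit only where the runtime and getcap are actually present.
if [ -x "$NETD" ] && command -v getcap >/dev/null 2>&1; then
    audit_netd
fi
```

An exit status of 2 covers both an added inheritable flag (for example =eip) and any capability listed alongside cap_net_bind_service.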
UDP connection issues
You may see error messages like Can't proxy a datagram to udp: write udp 127.0.0.1:39187->127.0.0.1:10514: write: connection refused in the log of anjuna-nitro-netd-parent.
The Anjuna Nitro Runtime has limited support for UDP connections. The enclave can send outbound messages over UDP, such as DNS requests, and it can receive responses to those messages. However, if the connection is inactive for a long time, it will be closed. This means that if an enclave sends out a UDP packet and a long time passes before the response is sent back, the enclave may not be able to receive the response.
At this time, the Anjuna Nitro Runtime does not support an enclave listening for UDP requests.
The enclave will not be able to expose a UDP listener via anjuna-nitro-netd-parent.
If you are interested in UDP listeners, please contact support@anjuna.io.
AWS Nitro CLI error codes like [E01]
You may see error codes like [E01] or [E59].
These errors are documented in the AWS Error codes page.
Other errors
If you do not see your error documented on this page, try searching the documentation using the search bar at the upper-right corner of the page.
Otherwise, contact support@anjuna.io with the error message, Anjuna Nitro Runtime version number, and relevant context about the action you were trying to perform.