anjuna-nitro-netd-parent

Configure and start a network bridge between the AWS EC2 host and the enclave.

SYNOPSIS

anjuna-nitro-netd-parent --enclave-name <enclave-name> [OPTION...]

DESCRIPTION

anjuna-nitro-netd-parent enables AWS Nitro Enclaves to send and receive network traffic:

  • Outbound connections initiated from within the enclave.

  • Inbound connections to the enclave’s exposed ports.

This agent has two parts: one runs on the parent instance (anjuna-nitro-netd-parent) and the other runs inside the enclave (started automatically by the Anjuna Nitro Runtime when the AWS Nitro Enclave starts).

The two agents communicate over the vsock interface, which is the only channel of communication that an enclave can use to interact with external services.

When connecting from inside the parent VM to the enclave, connect to the enclave port via the localhost address (127.0.0.1). The listening ports inside the enclave are exported (exposed) both to localhost on the parent VM and to the externally facing IP on eth0 of the parent VM, via the external port specified.

For the enclave to have networking at all, you must run anjuna-nitro-netd-parent before starting the enclave, even if no port needs to be exposed. When there are ports to expose, use the --expose parameter.

To clean up resources when you terminate an enclave, kill anjuna-nitro-netd-parent after the enclave has terminated.

Specifying the --enclave-name option is recommended in order to identify AWS Nitro Enclaves and related services, such as enclave networking, especially when multiple enclaves run simultaneously on the same host. Omitting --enclave-name is only supported when running a single enclave per host.

The enclave may fail to detect anjuna-nitro-netd-parent if you invoke run-enclave immediately after starting anjuna-nitro-netd-parent, due to a known race condition. For now, add a three-second delay between the two commands using sleep 3. This behavior will be fixed in a future release.

OPTIONS

Usage: anjuna-nitro-netd-parent [options]
  -e, --expose strings        Expose enclave port to parent. Format is "local[:remote]". Example:
                                  2222:22 - expose enclave port 22 as port 2222 on parent.
                                  22      - expose enclave port 22 as port 22 on parent
  -l, --log-file string       Where logs are sent to (default "/var/log/nitro_enclaves/nitro_network.log")
  -d, --daemonize             Run in background disassociated from terminal
  -v, --version               Display version information
  -h, --help                  Display usage info
      --enclave-name string   Name of the enclave

With the --expose option you can define one of the following:

  • <port number> - expose the enclave port with the specified number to the outside world via the same port number in the parent VM.

  • <parent port number>:<enclave port number> - expose the specified enclave port number to the outside world via the specified parent port number.

You can pass the --expose flag multiple times to specify multiple ports to expose.
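The following wrapper script is an added example and is not part of the Anjuna documentation or tooling. It applies the ordering the DESCRIPTION requires (start anjuna-nitro-netd-parent first, wait out the documented race with a delay, start the enclave, and kill the network agent only after the enclave has exited) and validates each --expose value against the "local[:remote]" format above before anything is started. The enclave launch command is an assumption supplied by the caller in ENCLAVE_CMD; NETD_BIN and RACE_DELAY are assumed variables so the script can be dry-run.

```shell
#!/bin/sh
# Added example, not Anjuna's own code. Starts anjuna-nitro-netd-parent before the
# enclave, applies the documented startup delay, and kills the agent after the
# enclave terminates. ENCLAVE_CMD, NETD_BIN and RACE_DELAY are assumptions.

NETD_BIN="${NETD_BIN:-anjuna-nitro-netd-parent}"
RACE_DELAY="${RACE_DELAY:-3}"   # the man page's recommended workaround: sleep 3

# Return 0 if the argument is an integer TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate one --expose value: "<parent port>" or "<parent port>:<enclave port>".
valid_expose_spec() {
    spec="$1"
    case "$spec" in
        *:*:*) return 1 ;;                                   # more than one colon
        *:*)   valid_port "${spec%%:*}" && valid_port "${spec#*:}" ;;
        *)     valid_port "$spec" ;;
    esac
}

# Print the argument list for anjuna-nitro-netd-parent (name, then one --expose
# per spec). Returns 1 without printing if any spec is malformed, so a typo in a
# port mapping never leads to a half-configured bridge.
netd_args() {
    name="$1"; shift
    for spec in "$@"; do
        valid_expose_spec "$spec" || return 1
    done
    args="--enclave-name $name"
    for spec in "$@"; do
        args="$args --expose $spec"
    done
    printf '%s\n' "$args"
}

# Usage: run_enclave_with_network <enclave-name> [expose-spec ...]
# Runs the agent in the background with & (rather than --daemonize) so its PID
# stays known and it can be killed once the enclave is gone.
run_enclave_with_network() {
    name="$1"; shift
    args=$(netd_args "$name" "$@") || { echo "invalid --expose spec" >&2; return 2; }
    # shellcheck disable=SC2086
    $NETD_BIN $args &
    netd_pid=$!
    sleep "$RACE_DELAY"                      # documented race-condition workaround
    ${ENCLAVE_CMD:?set ENCLAVE_CMD to the command that runs your enclave}
    status=$?
    kill "$netd_pid" 2>/dev/null             # clean up only after the enclave exited
    wait "$netd_pid" 2>/dev/null
    return "$status"
}
```

A typical invocation would be `ENCLAVE_CMD="<your run-enclave command>" run_enclave_with_network example 8080:80`, which is equivalent to the EXAMPLE section's second command followed by the enclave launch and the cleanup kill.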

EXIT STATUS

  • 0 on success

  • > 0 on error

EXAMPLE

$ anjuna-nitro-netd-parent --enclave-name example --expose 80 --daemonize
Expose port 80 of the enclave named `example` via port 80 in the parent

$ anjuna-nitro-netd-parent --enclave-name example --expose 8080:80 --daemonize
Expose enclave port 80 of the enclave named `example` via port 8080 in the parent