anjuna-nitro-cli build-enclave
Builds an enclave image from a Docker image and saves it to a file.
SYNOPSIS
anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>
DESCRIPTION
Launching an AWS Nitro Enclave requires an Enclave Image File (EIF). The anjuna-nitro-cli build-enclave tool creates an Enclave Image File from a Docker container and provides the enclave’s measurements.
The Docker container can be specified by:
- a Docker URI to any Docker registry you have access to (for example 1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest)
- a local URI (for example hello-world:latest)
- a directory that contains a Dockerfile
When building the enclave, you can specify an enclave configuration file (using the --enclave-config-file command-line option) and override some of the attributes defined in the Docker image without updating the Docker image itself:
- environment variables
- startup command specified in the container (CMD/ENTRYPOINT)
- configuration files
- default user
In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Anjuna Nitro Enclave Configuration for a complete description of the file format used to specify the enclave configuration.
Configuration files should be less than 560 MB in size in order to successfully build the enclave.
For details on the system requirements and environment needed for building an EIF image see Requirements for building an EIF image.
anjuna-nitro-cli build-enclave will use temporary files in the $ANJ_NITRO_CLI_ARTIFACTS directory. If you run multiple builds in parallel, these files may conflict and cause corrupted EIFs to be produced. It is recommended to set $ANJ_NITRO_CLI_ARTIFACTS to a different path for each parallel build-enclave command.
OPTIONS
anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    --docker-dir <docker-dir>                        Local path to a directory containing a Dockerfile
    --docker-uri <docker-uri>                        Uri pointing to an existing docker container or to be created locally when docker-dir is present
    --enclave-config-file <enclave-config-file>      Local path to an enclave configuration file
    --name <image_name>                              Name for enclave image
    --version <image_version>                        Version of the enclave image
    --metadata <metadata>                            Path to JSON containing the custom metadata provided by the user
    --output-file <output-file>                      Location where the Enclave Image should be saved
    --private-key <private-key>                      Local path to developer's Elliptic Curve private key
    --signing-certificate <signing-certificate>      Local path to developer's X509 signing certificate
EXAMPLE
The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file named nginx.eif.

$ anjuna-nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eif

which produces output similar to this:

Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "....",
    "PCR1": "....",
    "PCR2": "...."
  }
}
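The following shell script is an added example and is not part of the Anjuna documentation or tooling. It ties together two points from this page: it gives every build-enclave invocation its own $ANJ_NITRO_CLI_ARTIFACTS directory so that parallel builds cannot corrupt each other's EIFs, and it extracts the PCR measurements from the command's JSON output and stores them next to the image, so that the values can later be compared against the attestation document of a running enclave. It assumes that anjuna-nitro-cli is on PATH (the ANJ_CLI variable, the function names and the sample PCR digests are assumptions made for this example, not from the page or the tool) and that the command prints the "Measurements" JSON shown above.

```shell
# Added example; ANJ_CLI, the function names and the sample digests are assumptions.
ANJ_CLI=${ANJ_CLI:-anjuna-nitro-cli}

# Run one build-enclave with a private $ANJ_NITRO_CLI_ARTIFACTS directory, so that
# builds started in parallel cannot overwrite each other's temporary files (the page
# warns this can corrupt the resulting EIF). Any extra arguments, for example
# --enclave-config-file, are passed through unchanged.
build_eif_isolated() {
  docker_uri=$1
  output_file=$2
  shift 2
  artifacts_dir=$(mktemp -d "${TMPDIR:-/tmp}/anj-artifacts.XXXXXX") || return 1
  ANJ_NITRO_CLI_ARTIFACTS="$artifacts_dir" \
    "$ANJ_CLI" build-enclave --docker-uri "$docker_uri" --output-file "$output_file" "$@"
  rc=$?
  rm -rf "$artifacts_dir"
  return $rc
}

# Read build-enclave output on stdin and print the value of one PCR (PCR0, PCR1 or PCR2).
# Works whether the JSON is pretty-printed or printed on a single line.
pcr_from_output() {
  tr -d '\n' | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Build an image and record its measurements in a small KEY=VALUE file. Keeping the
# PCRs from the build lets you check later that a running enclave's attestation
# document reports the same values, i.e. that it runs exactly the image you built.
build_and_record() {
  docker_uri=$1
  output_file=$2
  record_file=$3
  shift 3
  build_output=$(build_eif_isolated "$docker_uri" "$output_file" "$@") || return 1
  {
    echo "EIF=$output_file"
    for p in PCR0 PCR1 PCR2; do
      echo "$p=$(printf '%s' "$build_output" | pcr_from_output "$p")"
    done
  } > "$record_file"
}

# Constructed sample of build-enclave output; the digests are placeholders, not real measurements.
SAMPLE_OUTPUT='Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "aaaa1111",
    "PCR1": "bbbb2222",
    "PCR2": "cccc3333"
  }
}'

# Stand-alone demo: parse the sample, then (if the CLI is installed) build two images
# in parallel, each with its own artifacts directory and its own measurement record.
if [ "${1:-}" = "demo" ]; then
  printf '%s' "$SAMPLE_OUTPUT" | pcr_from_output PCR0
  build_and_record nginx:latest nginx.eif nginx.measurements &
  build_and_record hello-world:latest hello.eif hello.measurements &
  wait
fi
```

Run it as `sh build-record.sh demo`. The artifacts directory is removed after every build, so the only thing left behind is the EIF and its measurement record; the record is what a deployment pipeline can later compare against the PCR values reported in the enclave's attestation document.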