anjuna-nitro-cli run-enclave

Starts a new enclave.

SYNOPSIS

anjuna-nitro-cli run-enclave [FLAGS] [OPTIONS] --enclave-name <enclave-name> --cpu-count <cpu-count> --cpu-ids <cpu-ids>... --eif-path <eif-path> --memory <memory>

DESCRIPTION

Launches a new enclave by specifying:

  • the name of the enclave

  • enclave image file (.eif) which contains the application that you want to run inside the enclave (created by the anjuna-nitro-cli build-enclave command),

  • an even number of vCPUs to allocate to the enclave,

  • the amount of memory to allocate to the enclave

Before calling run-enclave, you must start the anjuna-nitro-netd-parent agent, passing the same enclave name that you will use for the run-enclave command.

After starting the AWS Nitro Enclave, the anjuna-nitro-cli run-enclave tool prints some information that describes the resources used by the enclave (number of vCPUs, amount of memory) and some of its attributes (enclave ID, flags, state).

AWS Nitro Enclaves can be started in debug mode, which differs from production enclaves in the following two ways:

  • debug enclaves produce some output that can be viewed by running the anjuna-nitro-cli console command,

  • debug enclaves will produce an attestation document where all the enclave measurements are set to a fixed value (00000…​0000).

debug enclaves should be used only for testing. In a typical deployment environment, you should use production enclaves and make sure that the AWS KMS policies use the correct enclave measurements.
Specifying the --enclave-name option is recommended in order to identify AWS Nitro Enclaves and related services, such as enclave networking, especially when multiple simultaneous enclaves run on the same host. Not specifying --enclave-name is only supported when running a single enclave per host.
Due to an AWS Nitro limitation, only up to four simultaneous enclaves are supported per host.

ENCLAVE NAME

In cases where there are multiple enclaves running on the same host, the Anjuna Nitro Runtime needs an identifier to coordinate between the enclave and other running services such as the network proxy. This identifier is the “enclave name”, which is a user-provided string consisting of alphanumeric characters (a-z, A-Z, and 0-9), dash, underscore, and period, and not longer than 128 characters.

OPTIONS

USAGE:
    anjuna-nitro-cli run-enclave [FLAGS] [OPTIONS] --enclave-name <enclave-name> --cpu-count <cpu-count> --cpu-ids <cpu-ids>... --eif-path <eif-path> --memory <memory>

FLAGS:
        --attach-console    Attach the enclave console immediately after starting the enclave. (debug-mode only)
        --auto-terminate    Automatically terminate the enclave resources when the enclave's main process exits
        --debug-mode        Starts enclave in debug-mode. This makes the console of the enclave available over vsock at
                            CID: VMADDR_CID_HYPERVISOR (0), port: enclave_cid + 10000.
                             The stream could be accessed with the console sub-command
    -h, --help              Prints help information

OPTIONS:
        --config <json-config>                  Config is used to read enclave settings from JSON file
        --cpu-count <cpu-count>                 Number of cpus
        --cpu-ids <cpu-ids>...                  List of cpu-ids that will be provided to the enclave
        --eif-path <eif-path>                   Path pointing to a prebuilt Eif image
        --enclave-cid <enclave-cid>             CID to be used for the newly started enclave
        --enclave-name <enclave-name>           Custom name assigned to the enclave by the user
        --encrypted-config <encrypted-config>   Path to a local encrypted enclave configuration file
        --memory <memory>                       Memory to allocate for the enclave in MiB

EXIT STATUS

  • 0 on success

  • > 0 on error

EXAMPLE

$ anjuna-nitro-cli run-enclave --enclave-name nginx --cpu-count 2 --memory 512 --eif-path nginx.eif --auto-terminate