anjuna-nitro-cli build-enclave

Builds an enclave image from a Docker image and saves it to a file.

SYNOPSIS

anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>

DESCRIPTION

Launching an AWS Nitro Enclave requires an Enclave Image File (EIF). The anjuna-nitro-cli build-enclave tool creates an EIF from a Docker container and provides the enclave’s measurements.

Docker container

The Docker container can be specified by:

  • a Docker URI to any Docker registry you have access to (for example 1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest)

  • a local URI (for example hello-world:latest)

  • a directory that contains a Dockerfile

Enclave configuration file

When building the enclave, you can specify an enclave configuration file (using the --enclave-config-file command-line option) and override some of the attributes defined in the Docker image without updating the Docker image itself:

  • environment variables

  • startup command specified in the container (CMD/ENTRYPOINT)

  • configuration files

  • default user

In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Anjuna Nitro Enclave Configuration for a complete description of the file format used to specify the enclave configuration.

Configuration files must be smaller than 560 MB; larger files cause the enclave build to fail.

System requirements and environment

For details on the system requirements and environment needed for building an EIF image see Requirements for building an EIF image.

anjuna-nitro-cli build-enclave stores temporary files in the $ANJ_NITRO_CLI_ARTIFACTS directory. If multiple builds run in parallel against the same directory, these files can conflict and produce corrupted EIFs. Set $ANJ_NITRO_CLI_ARTIFACTS to a different path for each parallel build-enclave command.

Enclave Image File

The EIF has a size limitation:

  • The maximum size of an EIF is currently 4GB. If you need a larger EIF size, contact support@anjuna.io.

  • If the EIF is too large, starting the enclave fails.

  • At this time, an oversized EIF still builds successfully; the error only appears when you try to start the enclave, so check the output file size after building.

OPTIONS

anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>

FLAGS:
-h, --help       Prints help information
-V, --version    Prints version information

OPTIONS:
    --docker-dir <docker-dir>                      Local path to a directory containing a Dockerfile
    --docker-uri <docker-uri>
        URI pointing to an existing Docker container, or the URI to be created locally when docker-dir is present

    --enclave-config-file <enclave-config-file>    Local path to an enclave configuration file
    --name <image_name>                            Name for enclave image
    --version <image_version>                      Version of the enclave image
    --metadata <metadata>                          Path to JSON containing the custom metadata provided by the user
    --output-file <output-file>                    Location where the Enclave Image should be saved
    --private-key <private-key>                    Local path to developer's Elliptic Curve private key
    --signing-certificate <signing-certificate>    Local path to developer's X509 signing certificate

EXIT STATUS

  • 0 on success

  • 1 on error

EXAMPLE

The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file named nginx.eif.

$ anjuna-nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eif

which produces output similar to this:

Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "....",
    "PCR1": "....",
    "PCR2": "...."
  }
}
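The build step and the measurement output above, wrapped in an added shell script that is not part of the Anjuna documentation: it gives each build a private $ANJ_NITRO_CLI_ARTIFACTS directory (the parallel-build caveat), records the PCR values from the build output for later use in attestation checks, and verifies the EIF against the 4 GB limit before anyone tries to start it. The build_eif, extract_pcrs and check_eif_size functions and the .log/.pcrs file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Anjuna's own code): a wrapper around
# "anjuna-nitro-cli build-enclave" that isolates build artifacts,
# captures the PCR measurements, and enforces the documented EIF limit.

EIF_MAX_BYTES=4294967296   # 4 GB limit stated in the documentation

# extract_pcrs: read build-enclave output on stdin and print one
# "PCRn=<value>" line per measurement. Matches the JSON shape shown in
# the EXAMPLE section without requiring jq.
extract_pcrs() {
    sed -n 's/^[[:space:]]*"\(PCR[0-9]\)":[[:space:]]*"\([^"]*\)".*$/\1=\2/p'
}

# check_eif_size <file>: return 0 if the EIF is under the 4 GB limit,
# 1 otherwise (an oversized EIF builds fine but fails at enclave start).
check_eif_size() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    [ "$size" -lt "$EIF_MAX_BYTES" ]
}

# build_eif <docker-uri> <output-file> [enclave-config-file]
# Runs the real build in a private artifacts directory, writes the
# measurements to <output-file>.pcrs and the raw log to <output-file>.log.
build_eif() {
    uri=$1; out=$2; cfg=$3
    ANJ_NITRO_CLI_ARTIFACTS=$(mktemp -d) || return 1
    export ANJ_NITRO_CLI_ARTIFACTS   # private dir: parallel builds cannot collide
    set -- --docker-uri "$uri" --output-file "$out"
    if [ -n "$cfg" ]; then set -- "$@" --enclave-config-file "$cfg"; fi
    anjuna-nitro-cli build-enclave "$@" > "$out.log" || return 1
    extract_pcrs < "$out.log" > "$out.pcrs"
    if ! check_eif_size "$out"; then
        echo "EIF exceeds 4 GB and will fail at enclave start" >&2
        return 1
    fi
    rm -rf "$ANJ_NITRO_CLI_ARTIFACTS"
}
```

Run as `build_eif nginx:latest nginx.eif` (optionally with a config file as the third argument); nginx.eif.pcrs then holds the PCR0-PCR2 values to compare against what the running enclave attests.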