Troubleshooting
This section addresses possible warnings or errors you might encounter while using the Anjuna tools.
For issues with deploying Pods with the Anjuna Nitro K8s Toolset, the Anjuna Nitro Kubernetes toolset troubleshooting guide may also be helpful.
Loading out-of-tree module taints kernel
You may see enclave log messages mentioning a tainted kernel like this:
[ 3.431418] nsm: loading out-of-tree module taints kernel.
[ 3.431993] nsm: module verification failed: signature and/or required key missing - tainting kernel
This is an informational message for Linux kernel developers and does not indicate an issue with your host. It is printed when the system loads the Nitro Secure Module kernel module, which is software that is developed by AWS to implement various operations for AWS Nitro Enclaves, including attestation.
The taint message informs kernel developers that a kernel module has been installed and is not included in the mainline Linux kernel, which may be helpful to know when debugging kernel issues. See the Linux kernel documentation on Tainted kernels for more information.
The enclave cannot start because full CPU cores have not been set
This error indicates that you are trying to run anjuna-nitro-cli run-enclave
with an odd-numbered --cpu-count
.
AWS Nitro Enclaves on Intel and AMD-based instance types require an even number of CPUs
due to hyperthreading.
To resolve the error, update --cpu-count
to use an even number of CPUs.
Enclave services configuration error
You may see error messages similar to the following: Enclave services configuration error
.
For example, this type of error appears when the CLI fails to parse Anjuna enclave service
configuration for anjuna-nitro-netd-parent.
This error indicates that anjuna-nitro-netd-parent
for the given --enclave-name
cannot be found.
The --enclave-name
parameter must match for the anjuna-nitro-cli run-enclave
and anjuna-nitro-netd-parent
commands.
Ensure that anjuna-nitro-netd-parent
is running with the correct --enclave-name
.
Invalid enclave name
You may see error messages like Invalid enclave name 'example@enclave'
.
Enclave names can only contain alphanumeric characters, -
(dash), _
(underscore), and .
(period).
Enclave names have a maximum length of 128 characters.
Ensure that your --enclave-name
parameter meets these requirements.
Enclave already exists
You may see error messages like Enclave 'example' already exists. Please terminate the existing enclave, or use a different name
.
This error indicates that anjuna-nitro-cli run-enclave
was called with an --enclave-name
that is already used by a running enclave.
Each running enclave must have a unique enclave name.
The enclave name is used to set up Anjuna Nitro Runtime services for each running enclave.
You can view information about currently-running enclaves using anjuna-nitro-cli describe-enclaves
.
If you want to run a new enclave without stopping the running one,
choose a different --enclave-name
for anjuna-nitro-cli run-enclave
.
If you want to replace the currently-running enclave,
stop it with anjuna-nitro-cli terminate-enclave --enclave-name <name>
and
start the new one with anjuna-nitro-cli run-enclave
with the same enclave name.
EIF was built with an unknown version
You may see an error message stating that your EIF was built with an unknown version.
Your EIF version must be the same as your Anjuna Nitro Runtime version. If your versions do not match, and if the EIF was built using Anjuna Nitro Runtime 1.35 or earlier, an error message will state that your EIF was built with an unknown version. You need to rebuild your EIF using your current Anjuna Nitro Runtime version.
Invalid config file YAML
You may see error messages like Invalid config file "config.yaml": yaml: line 8: found unexpected end of stream
.
This occurs when the --enclave-config-file
for anjuna-nitro-cli build-enclave
is not a valid YAML file.
See Anjuna Nitro Enclave Configuration for more information on the config file syntax. You may find it useful to use a YAML validation tool with your configuration file, and in some scenarios, use YAML multi-line strings.
New configuration version available
You may see informational messages like Found config version 1.6. For the latest, use: "version: 1.8"
.
This occurs when you are using an --enclave-config-file
with a version that is not the latest version.
The version of the Anjuna Nitro Enclave Configuration may be updated to add new fields or fix bugs in enclave behavior. Using the latest config version for your Anjuna Nitro Runtime version is recommended.
anjuna-nitro-netd-parent
bind: permission denied
You may see error messages like Startup failure: cannot add network services: listen tcp :80: bind: permission denied
in the log of anjuna-nitro-netd-parent
.
This error occurs when you are trying to expose a port numbered less than 1024,
but the anjuna-nitro-netd-parent
does not have permission to bind on privileged ports.
Following the instructions in
Install the Anjuna Nitro Runtime,
run the following command to give anjuna-nitro-netd-parent
the ability to bind on privileged ports.
The command assumes you have installed the Anjuna Nitro Runtime at the default location /opt/anjuna/nitro
.
$ sudo setcap cap_net_bind_service=+ep /opt/anjuna/nitro/bin/anjuna-nitro-netd-parent
Using setcap
is preferred over running anjuna-nitro-netd-parent
with sudo
.
setcap
is a one-time setup operation and grants only the needed port binding capability.
Failed to validate KMS CMK ARN
You may see error messages similar to the following:
Failed to validate KMS CMK ARN: NoCredentialProviders: no valid providers in chain. Deprecated.
Failed to validate KMS CMK ARN: NoCredentialProviders: no valid providers in chain. Deprecated.
Following are possible causes for this error:
-
Not authenticated - check using
aws sts get-caller-identity
-
Using AWS SSO - this is a limitation of the AWS SDK. Use a tool like
jaxxstorm/aws-sso-creds
(Github) or follow the steps for Manual credential refresh from Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs.
The maximum number of memory regions per enclave has been reached
This error occurs when the number of huge memory pages per enclave (4096) has been exhausted, and typically occurs when a small hugepage size is used. For example, when using a 2MiB hugepage size, you will only be able to create an enclave with a maximum memory allocation of 8GiB. This limit is imposed by AWS and may change in the future.
To resolve the issue, increase the system hugepage size to 1GiB.
One way to do this is to increase memory_mib
in the AWS Nitro allocator configuration,
following the instructions in
Configure AWS Nitro Enclave resource allocation.
TCP connection issues
You may experience connection issues for one of the following two reasons:
The enclave is unreachable via IPv4
,
even though anjuna-nitro-netd-parent
is running with the correct ports.
The enclave may fail to detect the anjuna-nitro-netd-parent
if you run run-enclave
immediately
after running anjuna-nitro-netd-parent
due to a known race condition.
For now, you can add a three-second delay between the two commands using sleep 3
.
This behavior will be fixed in a future release.
UDP connection issues
You may see error messages like
Can’t proxy a datagram to udp: write udp 127.0.0.1:39187→127.0.0.1:10514: write: connection refused
in the log of anjuna-nitro-netd-parent
.
The Anjuna Nitro Runtime has limited support for UDP connections. The enclave can send outbound message with UDP, like DNS requests, and responses to those messages can be received. But if the connection is inactive for a long time, it will be closed. This means that if an enclave sends out a UDP packet and a long time passes before the response is sent back, the enclave may not be able to receive the response.
At this time, the Anjuna Nitro Runtime does not support an enclave listening for UDP requests.
The enclave will not be able to expose a UDP listener via anjuna-nitro-netd-parent
.
If you are interested in UDP listeners, please contact support@anjuna.io.
AWS Nitro CLI error codes like [E01]
You may see error codes like [E01]
or [E59]
.
These errors are documented in the AWS Error codes page.
Other errors
If you do not see your error documented on this page, try searching the documentation using the search bar at the upper-right corner of the page.
Otherwise, contact support@anjuna.io with the error message, Anjuna Nitro Runtime version number, and relevant context about the action you were trying to perform.