Setting up the AWS Nitro-based instance
In this section, you must be logged into an AWS Nitro-based instance (see the previous section).
Installing necessary packages on the AWS Nitro-based EC2 instance
The AWS Nitro-based EC2 instance requires a few packages to create AWS Nitro Enclaves.
Installing jq is included in the required dependencies in the install command below and is
recommended since many example commands throughout this document use jq. jq is a command-line
tool that formats JSON output so that it is more easily readable.
Run the following commands to install the required dependencies:
-
Amazon Linux 2
-
RHEL 8
$ sudo amazon-linux-extras install aws-nitro-enclaves-cli
$ sudo yum install -y aws-nitro-enclaves-cli-devel jq openssl11-libs
$ sudo usermod -aG ne ec2-user
$ sudo usermod -aG docker ec2-user
# Give the ne group access to /dev/vsock
$ echo 'KERNEL=="vsock", MODE="660", GROUP="ne"' | sudo tee /etc/udev/rules.d/51-vsock.rules
$ sudo udevadm control --reload
$ sudo udevadm trigger$ sudo yum update -y
$ sudo yum upgrade -y
# Install common prerequisites
$ sudo yum install -y git jq make
# Install Docker
$ sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
$ sudo yum install -y docker-ce docker-ce-cli containerd.io
$ sudo systemctl enable docker
$ sudo systemctl start docker
$ sudo usermod -aG docker ec2-user
# Create the ne group, used for AWS Nitro Enclaves
$ sudo groupadd --system ne
$ sudo usermod -aG ne ec2-user
# Set up the required directory for AWS Nitro Enclaves logs
$ sudo mkdir /var/log/nitro_enclaves
$ sudo chgrp ne /var/log/nitro_enclaves
$ sudo chmod u+rwx,g+rwx,o-rwx /var/log/nitro_enclaves
# Give the ne group access to /dev/vsock and /dev/nitro_enclaves
$ echo 'KERNEL=="vsock", MODE="660", GROUP="ne"' | sudo tee /usr/lib/udev/rules.d/99-vsock.rules
$ echo 'KERNEL=="nitro_enclaves", MODE="660", GROUP="ne"' | sudo tee /usr/lib/udev/rules.d/99-nitro_enclaves.rules
$ sudo udevadm control --reload-rules
$ sudo udevadm trigger
# Create the /run/nitro_enclaves directory on boot
$ echo 'd /run/nitro_enclaves 0775 root ne' | sudo tee /usr/lib/tmpfiles.d/nitro_enclaves.conf
# Make directory available without rebooting
$ sudo systemd-tmpfiles --create /usr/lib/tmpfiles.d/nitro_enclaves.conf
# Install the AWS CLI (only needed for developers)
$ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$ sudo yum install -y unzip
$ unzip "awscliv2.zip"
$ sudo ./aws/install
$ rm -rf "awscliv2.zip" aws
# Install the AWS Nitro Enclaves allocator service from source
$ git clone https://github.com/aws/aws-nitro-enclaves-cli.git
$ cd aws-nitro-enclaves-cli
$ sed -i 's/\/usr\/bin\/nitro-enclaves-allocator/\/usr\/local\/bin\/nitro-enclaves-allocator/g' bootstrap/nitro-enclaves-allocator.service
$ sudo install -D -m 0755 bootstrap/nitro-enclaves-allocator /usr/local/bin/nitro-enclaves-allocator
$ sudo install -D -m 0664 bootstrap/allocator.yaml /etc/nitro_enclaves/allocator.yaml
$ sudo install -D -m 0644 bootstrap/nitro-enclaves-allocator.service /usr/lib/systemd/system/nitro-enclaves-allocator.service
$ cd ..
$ rm -rf aws-nitro-enclaves-cli
$ sudo systemctl enable nitro-enclaves-allocator && sudo systemctl start nitro-enclaves-allocatorSince changes were made to the permissions of the default user, exit the SSH session and log in to the AWS Nitro-based EC2 instance again for the permissions to become active. This is needed only the first time you install Docker on the host.
Configure AWS Nitro Enclave resource allocation
The default configuration of the Anjuna Nitro Runtime only allocates 512MB of memory and 2 vCPUs for use by a single enclave. To create enclaves that are bigger, or to create multiple enclaves, you must change these default values.
Edit the file /etc/nitro_enclaves/allocator.yaml to set values for memory (memory_mib) and vCPU (cpu_count).
It is necessary to allocate a minimum of 2 vCPUs per enclave you intend to run.
2GB-4GB of memory per enclave is recommended as a good starting point,
but requirements will vary depending on what will be run inside the enclaves.
In the following example, 16GB of memory and 8 vCPUs are available for use by enclaves.
$ cat /etc/nitro_enclaves/allocator.yaml
---
# Enclave configuration file.
#
# How much memory to allocate for enclaves (in MiB).
memory_mib: 16384
#
# How many CPUs to reserve for enclaves.
cpu_count: 8The AWS Nitro allocator service will reserve 1GiB huge memory pages based on the value specified for memory_mib above.
This memory will be available for all enclaves created on the host.