anjuna-nitro-netd-parent

anjuna-nitro-netd-parent --enclave-name <enclave-name> [OPTIONS...]

Configure and start a network bridge between the AWS EC2 parent instance and the enclave.

anjuna-nitro-netd-parent enables AWS Nitro Enclaves to send and receive network traffic:

  • Outbound connections initiated from within the enclave.

  • Inbound connections to the enclave’s exposed ports, defined by the --expose option.

All TCP connections and TCP-based protocols are supported. UDP connections and UDP-based protocols are supported for outbound connections and their responses, but not inbound connections.

This agent has two parts: one running on the parent instance (anjuna-nitro-netd-parent), and the other inside the enclave (started automatically by the Anjuna Nitro Runtime when the AWS Nitro Enclave starts).

The two agents communicate over the vsock interface, which is the only channel of communication that an enclave can use to interact with external services.

When connecting from the parent instance to the enclave, you can connect to the enclave port via the localhost address (127.0.0.1). Listening ports inside the enclave that are exposed with --expose are reachable both at localhost on the parent instance and at the externally facing IP on the parent instance's eth0, via the parent port specified.

When connecting from the enclave to the parent instance, you can use the special address 192.168.127.254. See Communicating with the parent instance for more information.

You must run anjuna-nitro-netd-parent before starting the enclave, even if no ports need to be exposed, in order to enable networking capabilities in the AWS Nitro Enclaves. This is a requirement for the enclave to work properly. When there are ports to expose, you must use the --expose parameter.

In order to clean up resources when you terminate an enclave, you should kill the anjuna-nitro-netd-parent after terminating an enclave.

The enclave may fail to detect the anjuna-nitro-netd-parent if you run the run-enclave command immediately after running anjuna-nitro-netd-parent due to a known race condition. For now, you can add a three-second delay between the two commands using sleep 3. This behavior will be fixed in a future release.

Options

Usage

anjuna-nitro-netd-parent --enclave-name <enclave-name> [OPTIONS...]

--enclave-name

(Recommended) Custom name assigned to the enclave by the user, used to uniquely identify an enclave

-e, --expose

Expose an enclave port to the parent; the format is local[:remote], where local is the port on the parent instance and remote is the port inside the enclave

With the --expose option you can define one of the following:

  • <port number> - expose the enclave port with the specified number to the outside world via the same port number on the parent instance. For example, 22 exposes enclave port 22 as port 22 on the parent.

  • <parent port number>:<enclave port number> - expose the specified enclave port to the outside world via the specified parent port. For example, 2222:22 exposes enclave port 22 as port 2222 on the parent.

You can pass the --expose flag multiple times to specify multiple ports to expose.

If no ports are exposed with the --expose option, the enclave cannot receive inbound connections. The enclave can still initiate outbound connections and receive their responses.

-l, --log-file

Location to which the logs are sent (default: /var/log/nitro_enclaves/nitro_network.log)

-d, --daemonize

Run in background, disassociated from terminal

Global options

The following options are available for all commands.

-h, --help

Prints the help information for the command

-v, --version

Prints version information

Exit status

  • 0 on success

  • > 0 on error

Examples

To expose port 80 of the enclave named example via port 80 in the parent:

$ anjuna-nitro-netd-parent --enclave-name example --expose 80 --daemonize

To expose enclave port 80 of the enclave named example via port 8080 in the parent:

$ anjuna-nitro-netd-parent --enclave-name example --expose 8080:80 --daemonize
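The following POSIX sh wrapper is an added example and is not part of the Anjuna documentation or tooling. It ties together the points above: it validates --expose values against the documented local[:remote] format and port range before building the command line, starts the bridge before the enclave, waits out the documented three-second race, and kills the bridge after the enclave terminates. The function names, the NETD_DRY_RUN and RUN_EXAMPLE environment variables, the use of pkill -f to find the daemonized process, and the RUN_ENCLAVE_CMD placeholder for your actual run-enclave command are all assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around anjuna-nitro-netd-parent (not Anjuna's own code).
# Assumptions: RUN_ENCLAVE_CMD holds the command that starts the enclave and
# returns when it terminates; NETD_DRY_RUN=1 only prints what would be executed.

# validate_port PORT: succeed only for an integer in 1..65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_expose SPEC: accept "port" or "parent:enclave", as --expose documents.
validate_expose() {
    case "$1" in
        *:*:*) return 1 ;;                                  # at most one colon
        *:*)   validate_port "${1%%:*}" && validate_port "${1#*:}" ;;
        *)     validate_port "$1" ;;
    esac
}

# build_netd_cmd NAME [SPEC...]: print the full command line, fail on bad input.
build_netd_cmd() {
    name="$1"; shift
    [ -n "$name" ] || return 1
    cmd="anjuna-nitro-netd-parent --enclave-name $name"
    for spec in "$@"; do
        validate_expose "$spec" || return 1
        cmd="$cmd --expose $spec"          # --expose may be repeated
    done
    printf '%s\n' "$cmd --daemonize"
}

# start_bridge NAME [SPEC...]: run netd first, then honour the documented delay.
start_bridge() {
    cmd=$(build_netd_cmd "$@") || { echo "invalid enclave name or --expose value" >&2; return 1; }
    if [ "${NETD_DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
        return 0
    fi
    $cmd || { echo "anjuna-nitro-netd-parent failed (exit $?)" >&2; return 1; }
    sleep 3   # known race: the enclave may not see netd if started immediately
}

# stop_bridge NAME: clean up the daemonized bridge after the enclave terminates.
# Using pkill -f on the command line is this example's assumption.
stop_bridge() {
    if [ "${NETD_DRY_RUN:-0}" = 1 ]; then
        echo "would run: pkill -f 'anjuna-nitro-netd-parent --enclave-name $1'"
        return 0
    fi
    pkill -f "anjuna-nitro-netd-parent --enclave-name $1"
}

# run_enclave_with_bridge NAME [SPEC...]: bridge up, enclave runs, bridge down.
run_enclave_with_bridge() {
    name="$1"; shift
    start_bridge "$name" "$@" || return 1
    if [ "${NETD_DRY_RUN:-0}" = 1 ]; then
        echo "would run: \$RUN_ENCLAVE_CMD for enclave $name"
        rc=0
    else
        : "${RUN_ENCLAVE_CMD:?set RUN_ENCLAVE_CMD to your run-enclave command}"
        $RUN_ENCLAVE_CMD   # placeholder: your actual enclave start command
        rc=$?
    fi
    stop_bridge "$name"    # always tear the bridge down, even if the enclave failed
    return "$rc"
}

# Usage (dry run, nothing executed): NETD_DRY_RUN=1 RUN_EXAMPLE=1 sh wrapper.sh
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    run_enclave_with_bridge example 22 8080:80
fi
```

Because a port exposed this way is also reachable on the parent's externally facing eth0 address, the validation step is a good place to enforce your own allow-list of parent ports before the bridge is started.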