anjuna-nitro-cli build-enclave
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
Builds an enclave image from a Docker image and saves it to a file.
Launching an AWS Nitro Enclave requires an Enclave Image File (EIF).
The anjuna-nitro-cli build-enclave tool creates an EIF from a Docker container and provides the enclave's measurements.
Enclave configuration file
When building the enclave, you can specify an enclave configuration file (using the --enclave-config-file command-line option) and override some of the attributes defined in the Docker image without updating the Docker image itself:
- environment variables
- startup command specified in the container (CMD/ENTRYPOINT)
- configuration files
- default user
In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Anjuna Nitro Enclave configuration for a complete description of the file format used to specify the enclave configuration.
System requirements and environment
For details on the system requirements and environment needed for building an EIF image, see Requirements for building an EIF image.
anjuna-nitro-cli build-enclave will use temporary files in the $ANJ_NITRO_CLI_ARTIFACTS directory. If you run multiple builds in parallel, these files may conflict and cause corrupted EIFs to be produced. It is recommended to set $ANJ_NITRO_CLI_ARTIFACTS to a different path for each parallel build-enclave command.
Size limitation
The EIF has a size limitation:
- The maximum size of an EIF is currently 4GB. If you need a larger EIF size, contact support@anjuna.io.
- If the EIF is too large, it will fail when you try to start the enclave.
- At this time, the EIF will build successfully and does not fail until you try to start the enclave.
Options
Usage
anjuna-nitro-cli build-enclave --docker-uri <docker-uri> --output-file <output-file> [OPTIONS...]
--docker-uri
(Required) URI pointing to an existing Docker image, or the image to be created locally when --docker-dir is present.
The Docker image can be specified by:
- a Docker URI to any Docker registry you have access to (for example 1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest)
- a local URI (for example hello-world:latest)
- the name of the image that will be created from the Dockerfile in the path provided by --docker-dir
Only Docker images with the platform linux/amd64 are supported. If you are using an Apple Silicon Mac or other ARM-based platform, you must explicitly specify --platform=linux/amd64 in your docker build command. Using a Docker image with the wrong platform will result in an [ E36 ] Enclave boot failure error at runtime.
Example
The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file named nginx.eif.
$ anjuna-nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eif
which produces output similar to this:
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "....",
    "PCR1": "....",
    "PCR2": "...."
  }
}
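The platform requirement, the per-build $ANJ_NITRO_CLI_ARTIFACTS directory, and the 4GB size limit described above can be checked around the build step. The following wrapper is an added example and not part of the Anjuna CLI or its documentation; it assumes docker and anjuna-nitro-cli are on PATH, and the helper names (platform_ok, eif_size_ok, build_checked) are this example's own.

```shell
#!/bin/sh
# Added example: pre- and post-build checks for anjuna-nitro-cli build-enclave.
set -eu

# 4GB limit stated in the size limitation section.
EIF_MAX_BYTES=$((4 * 1024 * 1024 * 1024))

# Only linux/amd64 images are supported; anything else boots with [ E36 ].
platform_ok() {
  [ "$1" = "linux/amd64" ]
}

# The build does not fail on oversize EIFs, so measure the file afterwards.
eif_size_ok() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -le "$EIF_MAX_BYTES" ]
}

# Report the os/arch of a local Docker image (assumes the image is pulled).
image_platform() {
  docker image inspect --format '{{.Os}}/{{.Architecture}}' "$1"
}

# build_checked <docker-uri> <output-file> [OPTIONS...]
build_checked() {
  uri=$1; out=$2; shift 2
  plat=$(image_platform "$uri")
  if ! platform_ok "$plat"; then
    echo "refusing to build: $uri is $plat, need linux/amd64" >&2
    return 1
  fi
  # Private artifacts directory so parallel builds do not corrupt each other.
  ANJ_NITRO_CLI_ARTIFACTS=$(mktemp -d)
  export ANJ_NITRO_CLI_ARTIFACTS
  anjuna-nitro-cli build-enclave --docker-uri "$uri" --output-file "$out" "$@"
  rm -rf "$ANJ_NITRO_CLI_ARTIFACTS"
  if ! eif_size_ok "$out"; then
    echo "warning: $out exceeds 4GB and will fail to start" >&2
    return 1
  fi
}

# Usage: ./build_checked.sh nginx:latest nginx.eif
if [ "$#" -ge 2 ]; then
  build_checked "$@"
fi
```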