Configuration reference

The enclave configuration file allows you to control and templatize parts of the container environment, such as the application command and environment variables, without needing to modify the container image. It is written in YAML.

You can set the enclave configuration using the Anjuna CLI’s disk create command with a --config <config_file> parameter. For example, if your configuration file is config.yml in the current directory, use the following command:

  • Microsoft Azure

    $ anjuna-azure-cli disk create  \
        --disk=nginx.raw  \
        --docker-uri=nginx:latest  \
        --config=config.yml

  • Google Cloud

    $ anjuna-gcp-cli disk create  \
        --disk=nginx.raw  \
        --docker-uri=nginx:latest  \
        --config=config.yml

Version 1.7 of the enclave configuration file is a YAML file with the following fields.

version

This is the version of the configuration file and is the only mandatory field. Anjuna recommends using the latest version available (currently 1.7) as follows:

version: 1.7

Docker overrides

You can use the enclave configuration file to override Dockerfile entries at runtime, without modifying the Dockerfile itself.

environment

This is a list of environment variables to be used in the container application. Each entry has the format <environment variable name>=<environment variable value>. These values are added to the environment variables provided by the Docker image, replacing any existing variable of the same name.

For example, to provide the environment variables PROFILE=anjuna and NAMESPACE=anjunamespace, use the entry:

environment:
- PROFILE=anjuna
- NAMESPACE=anjunamespace

command

This is the command line to use for the container application, for both the path of the application and all arguments provided to it. If this value is omitted, the command line used is the one provided by the Docker image.

For example, to set the application command as ls -la /usr/bin, use the entry:

command:
- ls
- -la
- /usr/bin

username

This is the username or UID to use in the container application. If this value is omitted, the UID used is the one provided in the Docker image.

For example, to run the application with the user nginx, use the entry:

username: nginx

Or, to run using UID 1001, use the entry:

username: 1001

workdir

This is the working directory (PWD) to use in the container application. If this value is omitted, the working directory used is the one provided in the Docker image.

For example, to run using the working directory /home/nginx, use the entry:

workdir: /home/nginx

Configuration files

The files entry contains an array of files with the following attributes:

  • path (required): The path where the file will be created. The Anjuna Confidential Container will create the intermediate directories if they do not exist.

  • mode (optional): The permissions on the file (in octal notation). The default value is 0644 (which maps to -rw-r--r-- in symbolic notation).

  • owner (optional): The owner (user) of the file. The default value is root.

  • group (optional): The owner (group) of the file. The default value is the value of owner.

  • content (optional): The content of the file (if not provided, an empty file will be created).

  • directory (optional): When set to true, path specifies a directory to create instead of a file.

files:
- path:  "/my-application/etc/config.toml"
  mode:  0644
  owner: root
  group: root
  content: |
    [database]
    server = "192.168.1.1"
    ports = [ 8000, 8001, 8002 ]
    connection_max = 5000
    enabled = true

This example defines the file /my-application/etc/config.toml with the following content:

[database]
server = "192.168.1.1"
ports = [ 8000, 8001, 8002 ]
connection_max = 5000
enabled = true

apmConfig

apmConfig is used to configure the communication with the Anjuna Policy Manager (APM) server. It has the following configuration parameters: url, caCert, envs, and files.

url

This field points to the URL where the APM resides. It is mandatory whenever the apmConfig entry is used.

The field must start with https:// and be combined with the caCert field described below.

For example, if the APM sits on port 8200 of a server with the DNS name apm.anjuna.com, use the entry:

apmConfig:
  url: https://apm.anjuna.com:8200
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content ...
    -----END CERTIFICATE-----

caCert

This field points to the APM’s certificate. When this field is specified, the Anjuna Confidential Container instance will verify the APM’s identity using this certificate.

For example, if the APM sits on port 8200 of a server with the DNS name apm.anjuna.com, and it is using TLS connections, use the entry:

apmConfig:
  url: https://apm.anjuna.com:8200
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content ...
    -----END CERTIFICATE-----

envs

This field contains a list of environment variables to fetch from the APM. This differs from the environment entry under Docker overrides, above; instead of specifying the value of the environment variable, you specify the APM path and engine for the environment variable’s value.

In this example, you will provide GCP credentials as an environment variable to your container. Assume that the credentials are already stored in the APM using secrets engine kv, with the path credentials/example_gcp_path (see Attestation with the Anjuna Policy Manager). To set the environment variable GCP_CREDENTIALS for your container, add the following entry in the envs list of the apmConfig:

apmConfig:
  url: ...
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content ...
    -----END CERTIFICATE-----
  envs:
  - name: GCP_CREDENTIALS
    apmPath: credentials/example_gcp_path
    engine: kv

files

The files entry contains an array of files with the following attributes:

  • apmPath: the path to the secret in the engine.

  • engine: the secrets engine on the APM holding the secret.

  • path: the path where the file will be created. The Anjuna CLI will create the intermediate directories if they do not exist.

  • mode (optional): the permissions on the file (in octal notation). The default value is 0644, which maps to -rw-r--r-- in symbolic notation.

  • owner (optional): the owner (user) of the file. The default value is root.

  • group (optional): the owner (group) of the file. The default value is the value of owner.

The Anjuna Confidential Container protects the confidentiality and integrity of the secrets retrieved using the APM. When the runtime retrieves secrets, it keeps the data in DRAM. The requested files are also created in a temporary directory within the ramfs, stored only in DRAM. The files are then symlinked into the container workspace at the file locations specified in the Anjuna Enclave Configuration. AMD SEV-SNP guarantees that the secure guest VM's memory pages in DRAM are always encrypted. Thus the secrets, both files and variables, are always encrypted in runtime memory. The Anjuna VM runtime does not allocate swap space for the ramfs, so the secrets are never silently stored in clear text on disk; only an explicit copy by the application could put them there.

In the example below, the secret credentials/example_path is retrieved and stored in the file .ssh/authorized_keys:

apmConfig:
  url: ...
  caCert: |
    -----BEGIN CERTIFICATE-----
    ... APM's certificate content ...
    -----END CERTIFICATE-----
  files:
  - apmPath: credentials/example_path
    engine: kv
    path:  .ssh/authorized_keys
    mode:  0644
    owner: root
    group: root

autoTerminate

By default, the enclave will not terminate when the container application exits, as serial logs can only be read while the enclave is running. However, to prevent the enclave from consuming resources after it has satisfied its purpose, auto termination can be turned on by adding autoTerminate: true to the enclave’s configuration file.

autoTerminate: true
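As an added example that is not part of the Anjuna documentation, the following Python check runs over an already-parsed version 1.7 configuration (a dict such as PyYAML would produce) and enforces the rules stated above: version present, NAME=value environment entries, the required file attributes, an https:// APM url paired with caCert, and octal mode values, additionally flagging world-writable modes. The sample configuration, the host name and the mode values are constructed for the example.

```python
import re

TOP_LEVEL = {"version", "environment", "command", "username", "workdir",
             "files", "apmConfig", "autoTerminate"}
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def check_mode(mode, where, findings):
    # YAML 1.1 readers turn 0644 into the octal int 420; a quoted "0644" stays a str.
    try:
        value = int(mode, 8) if isinstance(mode, str) else int(mode)
    except (TypeError, ValueError):
        findings.append(f"{where}: mode {mode!r} is not octal")
        return
    if value & 0o002:  # flag files anyone in the container could rewrite
        findings.append(f"{where}: mode {oct(value)} is world-writable")

def require(entry, keys, where, findings):
    findings.extend(f"{where}: {k} is required" for k in keys if k not in entry)

def validate(cfg):
    # Returns a list of findings; an empty list means the config passes.
    if not isinstance(cfg, dict) or "version" not in cfg:
        return ["version is the only mandatory field and it is missing"]
    findings = [f"unknown top-level field {k!r}" for k in cfg if k not in TOP_LEVEL]
    for i, item in enumerate(cfg.get("environment") or []):
        if not isinstance(item, str) or not ENV_RE.match(item):
            findings.append(f"environment[{i}]: expected NAME=value, got {item!r}")
    for i, f in enumerate(cfg.get("files") or []):
        require(f, ("path",), f"files[{i}]", findings)
        if "mode" in f:
            check_mode(f["mode"], f"files[{i}]", findings)
    apm = cfg.get("apmConfig")
    if apm is not None:
        if not str(apm.get("url", "")).startswith("https://"):
            findings.append("apmConfig.url is required and must start with https://")
        if not apm.get("caCert"):
            findings.append("apmConfig.caCert must accompany url so the APM identity is verified")
        for i, e in enumerate(apm.get("envs") or []):
            require(e, ("name", "apmPath", "engine"), f"apmConfig.envs[{i}]", findings)
        for i, f in enumerate(apm.get("files") or []):
            require(f, ("apmPath", "engine", "path"), f"apmConfig.files[{i}]", findings)
            if "mode" in f:
                check_mode(f["mode"], f"apmConfig.files[{i}]", findings)
    return findings

# Constructed sample (not from the page): valid Docker overrides plus a weak apmConfig.
SAMPLE = {"version": 1.7, "environment": ["PROFILE=anjuna", "NAMESPACE=anjunamespace"],
          "files": [{"path": "/my-application/etc/config.toml", "mode": 0o644}],
          "apmConfig": {"url": "http://apm.example.internal:8200",  # plain http, no caCert
                        "files": [{"apmPath": "credentials/example_path", "engine": "kv",
                                   "path": ".ssh/authorized_keys", "mode": 0o666}]}}
```

Running validate(SAMPLE) reports the plain-http url, the missing caCert and the world-writable authorized_keys mode; a config with only version: 1.7 passes.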