anjuna-gcp-cli instance describe
anjuna-gcp-cli instance describe --instance <instance-name> [OPTIONS...]
Gets additional information (such as serial console output and the attestation report) for the GCP VM instance.
The anjuna-gcp-cli instance describe command displays information on the specified GCP Confidential VM.
When no parameters are provided (other than --instance, which is required), the command displays the values of all the configuration parameters for the instance.
Options
--logs
Shows messages from the GCP Cloud Logging service.
The Anjuna Confidential Container supports both a serial console and Google Cloud Logging. Using Cloud Logging is recommended. Application logs are automatically pushed to Cloud Logging if a service account with the Log Writer role is used to create the instance.
The --logs option shows instance logs from Google Cloud Logging. By default, it prints the recent instance output and then exits. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.
To access the logs on the GCP Cloud Logging service, you will need to grant the Logs Viewer role to the account being used. See Controlling log access for a more detailed explanation of how to use service accounts to control access to the logs.
Google Cloud projects have quota settings that also apply to Cloud Logging I/O loads. Check Cloud Logging Quotas for more information on how to configure them for your project. Frequent read requests can trigger a quota violation error. anjuna-gcp-cli implements exponential backoff to work with Google’s APIs, and it prints a warning when it adds a pause to slow down the request rate.
$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --logs
ANJ-ENCLAVE: Container setup finished
ANJ-ENCLAVE: Launching command /usr/sbin/nginx
2023/02/17 22:07:34 [notice] 1#1: using the "epoll" event method
2023/02/17 22:07:34 [notice] 1#1: nginx/1.23.3
2023/02/17 22:07:34 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2023/02/17 22:07:34 [notice] 1#1: OS: Linux 4.15.0-194-generic
2023/02/17 22:07:34 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/02/17 22:07:34 [notice] 1#1: start worker processes
2023/02/17 22:07:34 [notice] 1#1: start worker process 30
2023/02/17 22:07:34 [notice] 1#1: start worker process 31
2023/02/17 22:07:34 [notice] 1#1: start worker process 32
2023/02/17 22:07:34 [notice] 1#1: start worker process 33
--serial
Shows messages from the serial console.
If Cloud Logging is not available, the Anjuna Confidential Container falls back to logging to the serial console.
The serial console can be viewed by anyone with access to the project, which may expose confidential information in the application logs. The serial console is also extremely slow and may have a significant performance impact. Using Cloud Logging by attaching a service account with appropriate permissions is recommended instead.
The serial console logs may also be used to diagnose issues if the Anjuna Confidential Container fails to boot before Cloud Logging is available.
By default, --serial prints the full serial console output and then exits. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.
--tail
Streams the output when using the --logs or --serial options.
--tail streams the output until the Anjuna Confidential Container terminates or the command is interrupted.
--show-ip
Displays the network access configurations of the instance.
The --show-ip option displays all the network access configurations attached to the instance.
$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --show-ip
INFO [0000] Using GCP project: my-project
INFO [0000]
INFO [0000] Instance (anjuna-gcp-nginx-instance) ID: 1360527994822224099
INFO [0000] Created: 2022-01-14T12:27:41.611-07:00
INFO [0000] M/C type: n2d-standard-2 Zone: us-central1-a Confidential: true
INFO [0000] Network configuration:
INFO [0000] nic0 Kind: compute#networkInterface IpAddr: 10.128.0.31
INFO [0000] AccessConfig: External NAT IpAddr: 35.238.111.111
--attestation-report
Shows the SEV attestation report.
The --attestation-report option displays the Measured Boot measurements (Measurements) and the SEV launch attestation report (SevPolicy and Integrity Check).
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --attestation-report
INFO [0000] Using GCP project: my-project
INFO [0000]
INFO [0000] Instance (anjuna-gcp-nginx-instance) ID: 1360527994822224099
INFO [0000] Created: 2022-01-14T12:27:41.611-07:00
INFO [0000] M/C type: n2d-standard-2 Zone: us-central1-a Confidential: true
Measurements:
PCR_0 0xC032C3B51DBB6F96B047421512FD4B4DFDE496F3
PCR_1 0xA397259104C4DFE42A77F269BD3FBC5281B33E2D
PCR_2 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_3 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_4 0x3BE35BA596CEA84FD2330181999C7781E190D31A
PCR_5 0x2A6AB2900EABD0BE97B664CB4C4FF03CD4EC93DF
PCR_6 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_7 0x8F0938646BEA0FF83B71B080EFAD8400B89D345C
PCR_8 0x360BC4823BBDEA3861F7B6331F4395AD23F316C4
PCR_9 0xCA087A7BD7CAEC2B8C4C0CC0E51D1A70D27DEA1F
INFO [0002]
SevPolicy:
{
"debugEnabled": false,
"domainOnly": false,
"esRequired": false,
"keySharingAllowed": false,
"minApiMajor": 0,
"minApiMinor": 0,
"sendAllowed": true,
"sevOnly": true
}
INFO [0002]
Integrity Check: true
The Google Cloud API does not provide the values of PCR15 (the application running in the enclave) and PCR16 (the signing key) in this output, but the Anjuna Confidential Container logs them to the serial console. You can view PCR15 and PCR16 with the following command:
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial | grep -A5 'ANJ-ENCLAVE: SHA256:'
ANJ-ENCLAVE: SHA256:
4: 0xDCE9A00D23A51C9EACCD551396BC43A62E4E5184B2C087C07F134B27B83832FF
5: 0x898A85C2D72DE2D908F7AC49FDA755A0126882E79EC9CB164E6D1A41D661C1AE
9: 0x25E941D5D41BDD04B877A95CA09E06DA8787F5E3558275409501EDEA97FA6D23
15: 0xC1CCA2458A714DBEC728D45D648C656076CB505FEA796682F1732929FB35ECDC
16: 0x0000000000000000000000000000000000000000000000000000000000000000
For more information on PCR values, see Identifying the software in an AMD SEV Confidential VM.
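The measurements above are only useful if something compares them against known-good values before the instance is trusted. The following POSIX shell script is an added example, not part of anjuna-gcp-cli or its documentation: it parses the "ANJ-ENCLAVE: SHA256:" block from the --serial output, compares a chosen PCR (PCR15, the application measurement, in the usage shown) against a value recorded at build time, and checks that the --attestation-report output reports "debugEnabled": false and "Integrity Check: true". The sample outputs and the expected hash embedded in the script are constructed from the formats shown above; the function and variable names are the example's own, and the check_instance function assumes the documented commands are available on the path.

```shell
#!/bin/sh
# Added example, not part of anjuna-gcp-cli or its documentation: verify the
# enclave measurements that the Anjuna Confidential Container logs to the
# serial console (the "ANJ-ENCLAVE: SHA256:" block) against values recorded
# at build time, and confirm the SEV policy in the attestation report has
# debugging disabled and passed its integrity check.
#
# Assumptions: the output formats are those shown in the documentation above;
# the sample outputs below are constructed for this example, and the expected
# PCR values must be replaced with the hashes recorded for your own build.

# Constructed sample of `instance describe --serial` output (format as documented).
SAMPLE_SERIAL='ANJ-ENCLAVE: Console initialized
ANJ-ENCLAVE: SHA256:
4: 0xDCE9A00D23A51C9EACCD551396BC43A62E4E5184B2C087C07F134B27B83832FF
15: 0xC1CCA2458A714DBEC728D45D648C656076CB505FEA796682F1732929FB35ECDC
16: 0x0000000000000000000000000000000000000000000000000000000000000000
ANJUNA - INFO: Network interface #00: lo'

# Constructed sample of `instance describe --attestation-report` output.
SAMPLE_REPORT='INFO [0000] Using GCP project: my-project
Measurements:
PCR_0 0xC032C3B51DBB6F96B047421512FD4B4DFDE496F3
SevPolicy:
{
  "debugEnabled": false,
  "sevOnly": true
}
Integrity Check: true'

# extract_pcr <index>: read serial output from stdin and print the 0x-prefixed
# SHA256 value for that PCR index from the "ANJ-ENCLAVE: SHA256:" block.
# Prints nothing if the index is not present.
extract_pcr() {
    awk -v idx="$1" '
        /^ANJ-ENCLAVE: SHA256:/      { inblock = 1; next }
        inblock && $1 == (idx ":")   { print $2; exit }
        inblock && $1 !~ /^[0-9]+:$/ { inblock = 0 }   # measurement block ended
    '
}

# verify_pcr <index> <expected>: compare the PCR read from stdin with the
# expected value (case-insensitive). Returns 0 on match, 1 on mismatch,
# 2 when the PCR is absent from the output (for example because the container
# has not yet reached the point where it logs its measurements).
verify_pcr() {
    actual=$(extract_pcr "$1")
    if [ -z "$actual" ]; then
        echo "PCR$1: not found in serial output" >&2
        return 2
    fi
    if [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]; then
        echo "PCR$1: OK"
        return 0
    fi
    echo "PCR$1: MISMATCH expected $2, got $actual" >&2
    return 1
}

# check_sev_policy: read attestation-report output from stdin and require
# "debugEnabled": false and "Integrity Check: true". Returns 0 only if both hold.
check_sev_policy() {
    report=$(cat)
    status=0
    printf '%s\n' "$report" | grep -q '"debugEnabled": false' \
        || { echo "SEV policy: debugEnabled is not false" >&2; status=1; }
    printf '%s\n' "$report" | grep -q '^Integrity Check: true' \
        || { echo "Attestation report: integrity check is not true" >&2; status=1; }
    return "$status"
}

# check_instance <instance> <expected-pcr15>: run both checks against a live
# instance using the documented commands (requires anjuna-gcp-cli and GCP access;
# not exercised by the embedded samples).
check_instance() {
    anjuna-gcp-cli instance describe --instance "$1" --serial | verify_pcr 15 "$2" \
        && anjuna-gcp-cli instance describe --instance "$1" --attestation-report | check_sev_policy
}
```

Against the embedded samples, `printf '%s\n' "$SAMPLE_SERIAL" | verify_pcr 15 0xC1CC...ECDC` reports "PCR15: OK", a wrong expected value returns 1, and asking for an index that is not logged returns 2, so a deployment script can distinguish "tampered or rebuilt image" from "measurements not yet available". For a real instance, call `check_instance anjuna-gcp-nginx-instance <expected-pcr15>` with the hash you recorded when the application image was built.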
Examples
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --logs
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --logs --tail
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --serial --tail
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --show-ip
$ anjuna-gcp-cli instance describe --instance anjuna-gcp-nginx-instance --attestation-report
$ anjuna-gcp-cli --project my-project instance describe --instance anjuna-gcp-nginx-instance --serial
ANJ-ENCLAVE: Console initialized
ANJ-ENCLAVE: ANJUNA - INFO: Network interface #00: lo
ANJUNA - INFO: Executing command: /sbin/ifconfig lo up
ANJUNA - INFO: Network interface #01: eth0
ANJUNA - INFO: Executing command: /sbin/ifconfig eth0 up