Prerequisites and installation

Prerequisites

Cloud platform requirements

For this quickstart, you must have access to a supported cloud account. The examples in this document also require access to other services.


For this quickstart, you must have an Azure subscription and the ability to create Azure Confidential VM instances. The examples in this document also require an IAM role that allows you to create the following resources:

  • Azure Resource Groups

  • An Azure Blob Storage account and container

  • An Azure Compute Gallery, formerly known as Shared Image Gallery (an aggregation of shared images)

  • A Linux VM Image Definition

  • Azure Virtual Networks

  • Azure Network Security Groups (for firewall rules)

For this quickstart, you must have a GCP account and the ability to create GCP Confidential VM instances. The examples in this document also require access to the following GCP services:

  • GCP Compute Engine

  • GCP Cloud Storage

You will need your account name and key (or password) to authorize the command-line interface (CLI) in the Install and authenticate to your cloud provider’s CLI section below.

For more information on identity and access management and on best practices, see your cloud provider’s documentation:

  • Microsoft Azure

  • Google Cloud

See the GCP documentation for information on identity and access management and on best practices:

Instance type requirements

The Anjuna CLI will launch new virtual machine instances to run Anjuna Confidential Containers. This requires specific instance types that use AMD Secure Encrypted Virtualization (SEV) hardware.

Microsoft Azure:

DCasv5 or DCadsv5-series VMs are required in order to run Azure Confidential VMs.

See DCasv5 or DCadsv5-series confidential VMs for more information on this machine type.

Google Cloud:

The N2D machine type is required in order to run GCP Confidential VMs.

See N2D machine series for more information on this machine type.

N2D instances are only available in certain regions and zones. To see the most up-to-date availability, go to Google Cloud’s documentation on Available regions and zones, and filter "Select a machine series" to select "N2D".

Requirements for the Anjuna CLI for SEV


The Anjuna CLI will be used to manage Azure Confidential VMs. The "management host" that it is installed on must have access to Azure through the Azure CLI (az), but is not required to be an Azure VM Instance itself.

The Anjuna CLI will be used to manage GCP Confidential VMs. The "management host" that it is installed on must have access to GCP through the Google Cloud CLI, but is not required to be a GCP Compute Instance itself.

The Anjuna CLI has been tested on Ubuntu 20.04 based systems.

Resource requirements

The following resources are recommended for the management host to build Anjuna Confidential Containers:

  • Disk space: varies depending on the size of the Anjuna Confidential Container. Three times the size of the Anjuna Confidential Container’s disk is recommended.

For this quickstart, you will build an Anjuna Confidential Container with 20 GB of disk space, so 60 GB of disk space is recommended.

There is no strict requirement for minimum RAM. Since you will be working with large image sizes, it is recommended to have 16 GB or more RAM, or your system will thrash memory and increase build times.

Installation

Install and authenticate to your cloud provider’s CLI

Microsoft Azure:

You will install the Microsoft Azure CLI on a management host.

Follow the Azure documentation to install the Azure CLI: How to install the Azure CLI.

After authenticating the Azure CLI, run the following command. It should display at least one entry, which is the default:

$ az account list

Google Cloud:

You will install the Google Cloud CLI on a management host.

The anjuna-gcp-cli will use the Google Cloud CLI to manage cloud resources. See the Google Cloud documentation for steps to download, install, and initialize the gcloud CLI: Install the Google Cloud CLI.

After initializing the gcloud CLI, run the following command, which should display at least one "active" entry:

$ gcloud auth list

The Anjuna CLI and other tools like Terraform require the application default credentials to be set. Run the following command to select the application default credentials:

$ gcloud auth application-default login

GCP resources are created within Projects, which can be used to define ownership and to segregate resources. When working with Anjuna CLI commands that create or modify cloud resources, you can specify a Project using the --project flag or the GCLOUD_DEFAULT_PROJECT environment variable.

Install Docker

To build disk images for the Anjuna Confidential Container, Docker should be installed and running, and your current user should be in the docker group.

See instructions to install Docker. Then, run the following commands to create the docker group and add your current user to the group.

$ sudo groupadd docker
$ sudo usermod -aG docker $USER

Next, log out and log back in to refresh your user’s groups.

Install the Anjuna CLI

Access the Anjuna Resource Center to get the Anjuna CLI for Microsoft Azure or Google Cloud.

You can use the “API” button to copy a wget command to download the Anjuna CLI for Microsoft Azure or for Google Cloud from the command line. Then you will not need to access the Anjuna Resource Center UI again.

Microsoft Azure:

Now that you have downloaded the installer, anjuna-azure-installer.release-1.12.0007.bin, make it executable and run it:

$ chmod +x anjuna-azure-installer.release-1.12.0007.bin
$ sudo ./anjuna-azure-installer.release-1.12.0007.bin

The Anjuna CLI will be installed into /opt/anjuna/azure.

Google Cloud:

Now that you have downloaded the installer, anjuna-gcp-installer.release-1.12.0007.bin, make it executable and run it:

$ chmod +x anjuna-gcp-installer.release-1.12.0007.bin
$ sudo ./anjuna-gcp-installer.release-1.12.0007.bin

The Anjuna CLI will be installed into /opt/anjuna/gcp.

Set up environment variables for the Anjuna CLI

Microsoft Azure:

Run the following command to set up environment variables needed for the Anjuna CLI.

$ source /opt/anjuna/azure/env.sh

You can add the line above to your ~/.bash_profile to automatically set these environment variables every time you log in.

Google Cloud:

Run the following command to set up environment variables needed for the Anjuna CLI.

$ source /opt/anjuna/gcp/env.sh

You can add the line above to your ~/.bash_profile to automatically set these environment variables every time you log in.

Confirm the installation

Microsoft Azure:

To confirm that the Anjuna CLI is properly installed, run the following command:

$ anjuna-azure-cli

which should output the following text:

Deploy and manage Anjuna confidential VMs in Azure

Usage:
  anjuna-azure-cli [command]

Available Commands:
  disk        Create and manage disk images
  help        Help about any command
  instance    Manage confidential VMs

Flags:
      --debug     toggle debug mode
  -h, --help      help for anjuna-azure-cli
  -v, --version   version for anjuna-azure-cli

Use "anjuna-azure-cli [command] --help" for more information about a command.

If you see the following error:

-bash: anjuna-azure-cli: command not found

then the Anjuna CLI was not installed properly, or the PATH environment variable was not updated correctly. Ensure that you have installed the Anjuna CLI and have run the env.sh script to set up environment variables.

In the next section, you will use the Anjuna CLI to run applications in an Azure Confidential VM.

Google Cloud:

To confirm that the Anjuna CLI is properly installed, run the following command:

$ anjuna-gcp-cli

which should output the following text:

anjuna-gcp-cli - manage the confidential container instance and boot disk image

Usage:
  anjuna-gcp-cli [command]

Available Commands:
  disk        manage the confidential container boot disk
  help        Help about any command
  instance    manage the confidential container instances
  kvm-run     boot the confidential container under KVM/QEMU
  mount       mount the confidential container boot disk

Flags:
      --debug            print debug messaging
  -h, --help             help for anjuna-gcp-cli
  -p, --project string   The gcp project being used
  -v, --version          version for anjuna-gcp-cli

Use "anjuna-gcp-cli [command] --help" for more information about a command.

If you see the following error:

-bash: anjuna-gcp-cli: command not found

then the Anjuna CLI was not installed properly, or the PATH environment variable was not updated correctly. Ensure that you have installed the Anjuna CLI and have run the env.sh script to set up environment variables.

In the next section, you will use the Anjuna CLI to run applications in a GCP Confidential VM.
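
The management-host requirements on this page (free disk of three times the container disk, 16 GB or more RAM, docker group membership, the Anjuna CLI on PATH) can be checked in one pass. The script below is an added example, not part of the Anjuna tooling; its function names and the PREFLIGHT variable are made up for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for an Anjuna CLI management host.
# Thresholds are the ones recommended on this page; function names are made up.

# Recommended free disk in GB: three times the container disk size ($1, in GB).
required_disk_gb() { echo $(( $1 * 3 )); }

# Total RAM rounded to whole GB, from a meminfo-format file (default /proc/meminfo).
# Rounded because the kernel reports slightly less than the installed amount.
mem_total_gb() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 + 0.5 }' "${1:-/proc/meminfo}"
}

# Free space in whole GB on the filesystem that holds directory $1.
avail_disk_gb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# Succeeds if group $1 is a whole word in the space-separated group list $2.
in_group() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# check_min LABEL ACTUAL_GB MIN_GB: prints PASS or WARN, returns 1 on WARN.
check_min() {
    if [ "$2" -ge "$3" ]; then
        echo "PASS  $1: $2 GB (recommended >= $3 GB)"
    else
        echo "WARN  $1: $2 GB (recommended >= $3 GB)"
        return 1
    fi
}

# preflight CONTAINER_DISK_GB BUILD_DIR CLI_NAME: returns the number of warnings.
preflight() {
    warn=0
    check_min "free disk" "$(avail_disk_gb "$2")" "$(required_disk_gb "$1")" || warn=$((warn + 1))
    check_min "RAM" "$(mem_total_gb)" 16 || warn=$((warn + 1))
    if in_group docker "$(id -nG)"; then echo "PASS  current user is in the docker group"
    else echo "WARN  current user is not in the docker group"; warn=$((warn + 1)); fi
    if command -v "$3" >/dev/null 2>&1; then echo "PASS  $3 is on PATH"
    else echo "WARN  $3 not found on PATH (was env.sh sourced?)"; warn=$((warn + 1)); fi
    return "$warn"
}

# Runs only on request, e.g.: PREFLIGHT=1 sh preflight.sh 20 . anjuna-gcp-cli
if [ "${PREFLIGHT:-0}" = 1 ]; then
    preflight "${1:-20}" "${2:-.}" "${3:-anjuna-azure-cli}"
fi
```

`id -nG` reports the groups of the current session, so the docker check keeps warning after `usermod` until you have logged out and back in.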