anjuna-gcp-cli instance
Create and manage GCP Confidential VMs.
DESCRIPTION
The anjuna-gcp-cli instance tool supports the following subcommands to manage GCP Confidential VMs:
- create: Create a new instance
- delete: Delete an existing instance
- list: List all active instances
- describe: Get additional information (such as serial console output and the attestation report) for an instance
GCP resources are created within Projects. Thus, while working with Anjuna CLI commands that create or modify cloud resources, either a project needs to be specified explicitly using the --project flag, or the GOOGLE_DEFAULT_PROJECT environment variable needs to be set.
Creating a GCP Confidential VM requires GCP compatible disk images. See anjuna-gcp-cli disk for a description of the tools needed to create and upload disk images.
You must be logged in to a valid GCP account before using this command.
Use the gcloud auth list command to confirm that you are logged in to GCP, and/or
gcloud init to initialize your gcloud session.
anjuna-gcp-cli instance create
The anjuna-gcp-cli instance create tool creates AMD SEV Confidential VM instances on Google Cloud.
anjuna-gcp-cli instance create --instance [instance-name] [OPTIONS]
Common options
--image Image name to be used for this instance
--instance Name of the instance to be created
--machine Machine type to be used; note that AMD SEV is supported on N2D instances (default: "n2d-standard-2")
--network Network to be used (optional)
--region Region to be used for this instance (default: inferred from the zone)
--subnet Subnet to be used (optional)
--zone Zone to be used for this instance (default: "us-central1-a")
--service-account Service account to be used (optional)
--scopes Comma-separated list of service account scopes to be used (optional); should be used together with --service-account
See N2D machine series for more information on the GCP machine types. See https://cloud.google.com/compute/docs/access/service-accounts for more information on the use of service accounts and scopes.
When a GCP Confidential VM is created, GCP automatically creates a new boot disk from the specified image and attaches it to the instance. During its runtime, the instance uses the disk for persistent storage, changing the disk content.
Restarting the instance on that modified boot disk causes the Anjuna Confidential Container to stop with the following message:
ANJ-ENCLAVE: The Confidential Container was started with a non-empty disk. Please follow the directions in the Anjuna documentation to delete the disk and create a new instance of the Confidential Container. Stopping the Confidential Container.
anjuna-gcp-cli instance delete (described below) can be used to automatically delete the VM along with the attached boot disk.
DESCRIBE
The anjuna-gcp-cli instance describe command displays information on the specified GCP Confidential VM.
anjuna-gcp-cli instance describe [OPTIONS]
OPTIONS
--instance Name of the instance to be queried (required)
--logs Show messages from the GCP Cloud Logging service
--serial Show messages from the serial console
--tail Poll for newer messages (when showing messages)
--show-ip Display the network access configurations of the instance
--attestation-report Show the SEV attestation report
EXAMPLES
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --logs
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --logs --tail
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --serial
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --serial --tail
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --show-ip
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --attestation-report
When no parameters other than the required --instance are provided, the command displays the values of all the configuration parameters for the instance.
Show network access configurations
The --show-ip option displays all the network access configurations attached to the instance.
$ anjuna-gcp-cli --project=my-project instance describe --instance=anjuna-gcp-nginx-instance --show-ip
INFO [0000] Using GCP project: my-project
INFO [0000]
INFO [0000] Instance (anjuna-gcp-nginx-instance) ID: 1360527994822224099
INFO [0000] Created: 2022-01-14T12:27:41.611-07:00
INFO [0000] M/C type: n2d-standard-2 Zone: us-central1-a Confidential: true
INFO [0000] Network configuration:
INFO [0000] nic0 Kind: compute#networkInterface IpAddr: 10.128.0.31
INFO [0000] AccessConfig: External NAT IpAddr: 35.238.111.111
Show instance output
The Anjuna Confidential Container supports both a serial console and Google Cloud Logging.
Using Cloud Logging is recommended. Application logs are automatically pushed to Cloud Logging if the instance is created with a service account that holds the Logs Writer role (roles/logging.logWriter).
The --logs option shows instance logs from Google Cloud Logging. By default, it prints the recent instance output and then exits. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.
To read the logs from the GCP Cloud Logging service, the account running anjuna-gcp-cli needs the Logs Viewer role (roles/logging.viewer).
See Controlling log access with service accounts for a more detailed explanation of how to use service accounts to control access to the logs.
Google Cloud projects have quota settings that also apply to Cloud Logging I/O load. See Cloud Logging Quotas for more information on how to configure them for your project.
Frequent read requests can trigger a quota violation error. anjuna-gcp-cli implements exponential backoff to work with Google's APIs, and prints a warning whenever it adds a pause to slow down the request rate.
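The backoff behaviour described above, written out as an added example (this is not anjuna-gcp-cli's own code): a wrapper that polls Cloud Logging itself can retry a quota-limited read with a growing, jittered delay and a warning on each pause. The `fetch` callable is the injection point for the real API call; `flaky_fetch` and the `QuotaError` class are constructed stand-ins for a read that fails a fixed number of times with a quota error.

```python
"""Exponential backoff for a quota-limited Cloud Logging read.

Added example; not anjuna-gcp-cli's code. It mimics the behaviour the page
describes (pause with a growing delay on a quota violation, warn, retry).
`fetch` is the injection point for the real API call; `flaky_fetch` is a
constructed stand-in that fails a fixed number of times.
"""
import random
import time


class QuotaError(Exception):
    """Stand-in for the RESOURCE_EXHAUSTED error returned when a read quota is hit."""


def read_with_backoff(fetch, base=1.0, cap=60.0, max_attempts=6,
                      sleep=time.sleep, rand=random.random):
    """Call fetch() until it succeeds; on QuotaError wait base*2**attempt seconds
    (capped, with jitter) and retry. Returns (result, delays_slept)."""
    delays = []
    for attempt in range(max_attempts):
        try:
            return fetch(), delays
        except QuotaError as exc:
            if attempt + 1 == max_attempts:
                raise  # give up; the caller decides whether to retry later
            # jitter keeps many clients from hitting the quota again in lockstep
            delay = min(cap, base * 2 ** attempt) * (0.5 + rand() / 2)
            print(f"WARN quota violation ({exc}); pausing {delay:.1f}s "
                  f"before attempt {attempt + 2}/{max_attempts}")
            delays.append(delay)
            sleep(delay)


def flaky_fetch(failures):
    """Constructed Logging read that raises QuotaError `failures` times, then succeeds."""
    remaining = [failures]

    def fetch():
        if remaining[0] > 0:
            remaining[0] -= 1
            raise QuotaError("RESOURCE_EXHAUSTED: entries.list read requests")
        return ["ANJ-ENCLAVE: Container setup finished",
                "ANJ-ENCLAVE: Launching command /usr/sbin/nginx"]
    return fetch


if __name__ == "__main__":
    lines, waited = read_with_backoff(flaky_fetch(2), sleep=lambda s: None)
    print(f"{len(lines)} lines after {len(waited)} pauses")
```

Injecting `sleep` and `rand` keeps the retry loop testable without real delays; in production leave the defaults and pass the real Logging read as `fetch`.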
$ anjuna-gcp-cli --project=my-project instance describe --instance=anjuna-gcp-nginx-instance --logs
ANJ-ENCLAVE: Container setup finished
ANJ-ENCLAVE: Launching command /usr/sbin/nginx
2023/02/17 22:07:34 [notice] 1#1: using the "epoll" event method
2023/02/17 22:07:34 [notice] 1#1: nginx/1.23.3
2023/02/17 22:07:34 [notice] 1#1: built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
2023/02/17 22:07:34 [notice] 1#1: OS: Linux 4.15.0-194-generic
2023/02/17 22:07:34 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/02/17 22:07:34 [notice] 1#1: start worker processes
2023/02/17 22:07:34 [notice] 1#1: start worker process 30
2023/02/17 22:07:34 [notice] 1#1: start worker process 31
2023/02/17 22:07:34 [notice] 1#1: start worker process 32
2023/02/17 22:07:34 [notice] 1#1: start worker process 33
Show serial console output
If Cloud Logging is not available, the Anjuna Confidential Container falls back to logging to the serial console.
The serial console can be read by anyone with access to the project, so application logs written there may expose confidential information. The serial console is also extremely slow and may have a significant performance impact. Using Cloud Logging, by attaching a service account with the appropriate permissions, is recommended instead.
The serial console logs may also be used to diagnose issues if the Anjuna Confidential Container fails to boot before Cloud Logging is available.
The --serial option shows the serial console output. By default, --serial prints the full serial console output and then exits. Add the --tail option to stream the output until the Anjuna Confidential Container terminates or the command is interrupted.
$ anjuna-gcp-cli --project=my-project instance describe --instance=anjuna-gcp-nginx-instance --serial
ANJ-ENCLAVE: Console initialized
ANJ-ENCLAVE: ANJUNA - INFO: Network interface #00: lo
ANJUNA - INFO: Executing command: /sbin/ifconfig lo up
ANJUNA - INFO: Network interface #01: eth0
ANJUNA - INFO: Executing command: /sbin/ifconfig eth0 up
Show attestation report
The --attestation-report option displays the Measured Boot measurements (Measurements) and the SEV launch attestation report (SevPolicy and Integrity Check).
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --attestation-report
INFO [0000] Using GCP project: my-project
INFO [0000]
INFO [0000] Instance (anjuna-gcp-nginx-instance) ID: 1360527994822224099
INFO [0000] Created: 2022-01-14T12:27:41.611-07:00
INFO [0000] M/C type: n2d-standard-2 Zone: us-central1-a Confidential: true
Measurements:
PCR_0 0xC032C3B51DBB6F96B047421512FD4B4DFDE496F3
PCR_1 0xA397259104C4DFE42A77F269BD3FBC5281B33E2D
PCR_2 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_3 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_4 0x3BE35BA596CEA84FD2330181999C7781E190D31A
PCR_5 0x2A6AB2900EABD0BE97B664CB4C4FF03CD4EC93DF
PCR_6 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
PCR_7 0x8F0938646BEA0FF83B71B080EFAD8400B89D345C
PCR_8 0x360BC4823BBDEA3861F7B6331F4395AD23F316C4
PCR_9 0xCA087A7BD7CAEC2B8C4C0CC0E51D1A70D27DEA1F
INFO [0002]
SevPolicy:
{
"debugEnabled": false,
"domainOnly": false,
"esRequired": false,
"keySharingAllowed": false,
"minApiMajor": 0,
"minApiMinor": 0,
"sendAllowed": true,
"sevOnly": true
}
INFO [0002]
Integrity Check: true
The Google Cloud API does not provide the values of PCR15 (the application running in the enclave) and PCR16 (the signing key) in this output, but the Anjuna Confidential Container logs them to the serial console. You can view PCR15 and PCR16 with the following command:
$ anjuna-gcp-cli instance describe --instance=anjuna-gcp-nginx-instance --serial | grep -A5 'ANJ-ENCLAVE: SHA256:'
ANJ-ENCLAVE: SHA256:
4: 0xDCE9A00D23A51C9EACCD551396BC43A62E4E5184B2C087C07F134B27B83832FF
5: 0x898A85C2D72DE2D908F7AC49FDA755A0126882E79EC9CB164E6D1A41D661C1AE
9: 0x25E941D5D41BDD04B877A95CA09E06DA8787F5E3558275409501EDEA97FA6D23
15: 0xC1CCA2458A714DBEC728D45D648C656076CB505FEA796682F1732929FB35ECDC
16: 0x0000000000000000000000000000000000000000000000000000000000000000
For more information on PCR values, see Identifying the Software in an AMD SEV Confidential VM.
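Reading the policy and PCR values by eye does not scale, and a relaxed policy (for example debugEnabled set to true) is easy to miss. The following added example, which is not part of anjuna-gcp-cli or Anjuna's documentation, parses the text printed by `instance describe --attestation-report` and by `instance describe --serial`, then checks the SEV policy bits, the Measured Boot PCRs and the serial-console PCR15/PCR16 against golden values. The sample texts and the golden values are constructed from the output shown on this page; the REQUIRED_POLICY set is an assumption you should tune to your own deployment.

```python
"""Check anjuna-gcp-cli attestation output against golden values.

Added example, not part of anjuna-gcp-cli. Sample texts below are
constructed from the output shown on this page.
"""
import json
import re

ATTESTATION_OUTPUT = """\
INFO [0000] Using GCP project: my-project
INFO [0000] M/C type: n2d-standard-2 Zone: us-central1-a Confidential: true
Measurements:
PCR_0 0xC032C3B51DBB6F96B047421512FD4B4DFDE496F3
PCR_7 0x8F0938646BEA0FF83B71B080EFAD8400B89D345C
INFO [0002]
SevPolicy:
{
  "debugEnabled": false,
  "domainOnly": false,
  "esRequired": false,
  "keySharingAllowed": false,
  "minApiMajor": 0,
  "minApiMinor": 0,
  "sendAllowed": true,
  "sevOnly": true
}
INFO [0002]
Integrity Check: true
"""

SERIAL_OUTPUT = """\
ANJ-ENCLAVE: Console initialized
ANJ-ENCLAVE: SHA256:
4: 0xDCE9A00D23A51C9EACCD551396BC43A62E4E5184B2C087C07F134B27B83832FF
15: 0xC1CCA2458A714DBEC728D45D648C656076CB505FEA796682F1732929FB35ECDC
16: 0x0000000000000000000000000000000000000000000000000000000000000000
ANJ-ENCLAVE: Container setup finished
"""

# Policy bits to insist on (assumption: tune for your environment).
# debugEnabled=true lets the hypervisor decrypt guest memory through the
# SEV debug commands; keySharingAllowed lets a guest share its memory
# encryption key with another guest; the send/domain/sevOnly bits govern
# migration of the guest to other platforms.
REQUIRED_POLICY = {"debugEnabled": False, "keySharingAllowed": False, "sevOnly": True}


def parse_attestation_report(text):
    """Return (pcrs, policy, integrity_ok) from --attestation-report output."""
    pcrs = {int(m.group(1)): m.group(2).upper()
            for m in re.finditer(r"^PCR_(\d+)\s+0x([0-9A-Fa-f]+)\s*$", text, re.M)}
    m = re.search(r"^SevPolicy:\s*\n(\{.*?\n\})", text, re.M | re.S)
    if not m:
        raise ValueError("SevPolicy block not found")
    policy = json.loads(m.group(1))
    m = re.search(r"^Integrity Check:\s*(true|false)\s*$", text, re.M)
    if not m:
        raise ValueError("Integrity Check line not found")
    return pcrs, policy, m.group(1) == "true"


def parse_serial_pcrs(text):
    """Return the PCR table the container logs after 'ANJ-ENCLAVE: SHA256:'."""
    lines = text.splitlines()
    if "ANJ-ENCLAVE: SHA256:" not in lines:
        raise ValueError("no SHA256 PCR table in serial output")
    pcrs = {}
    for line in lines[lines.index("ANJ-ENCLAVE: SHA256:") + 1:]:
        m = re.match(r"^\s*(\d+):\s+0x([0-9A-Fa-f]+)\s*$", line)
        if not m:
            break  # the table ends at the first non-PCR line
        pcrs[int(m.group(1))] = m.group(2).upper()
    return pcrs


def verify(attestation_text, serial_text, expected_boot, expected_serial):
    """Return a list of findings; an empty list means everything matched."""
    findings = []
    boot_pcrs, policy, integrity_ok = parse_attestation_report(attestation_text)
    if not integrity_ok:
        findings.append("Integrity Check is false")
    for key, want in REQUIRED_POLICY.items():
        if policy.get(key) != want:
            findings.append(f"SevPolicy {key}={policy.get(key)!r}, expected {want!r}")
    # The describe table holds 20-byte digests and the serial table is
    # labelled SHA256, so the two are compared against separate golden sets.
    for label, got, want in (("PCR", boot_pcrs, expected_boot),
                             ("serial PCR", parse_serial_pcrs(serial_text), expected_serial)):
        for idx, value in want.items():
            if got.get(idx) != value.upper():
                findings.append(f"{label}{idx} is {got.get(idx)}, expected {value.upper()}")
    return findings


# Golden values: here the page's own; in practice those of your approved image.
EXPECTED_BOOT = {0: "C032C3B51DBB6F96B047421512FD4B4DFDE496F3",
                 7: "8F0938646BEA0FF83B71B080EFAD8400B89D345C"}
EXPECTED_SERIAL = {15: "C1CCA2458A714DBEC728D45D648C656076CB505FEA796682F1732929FB35ECDC"}

if __name__ == "__main__":
    for f in verify(ATTESTATION_OUTPUT, SERIAL_OUTPUT, EXPECTED_BOOT, EXPECTED_SERIAL) or ["OK"]:
        print(f)
```

In use, pipe the two describe invocations into this check instead of the constructed strings, and fail the deployment on any finding; PCR15 changes whenever the application in the enclave changes, so its golden value must be refreshed as part of the image build.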