Run the image in a Docker container

Once you have successfully created the Docker image, you can use the docker run command to launch it.

In the following command, the --device option exposes the Intel® SGX devices to the container. The --mount option assumes that your license file is in the current working directory, and mounts the license file to the default license path /opt/anjuna/license.yaml.

$ docker run -it --rm  \
  --device /dev/sgx/enclave --device /dev/sgx/provision  \
  --mount "type=bind,src=$PWD/license.yaml,dst=/opt/anjuna/license.yaml"  \
  myname/my-anjuna-runtime

Docker launches the image and displays a bash prompt. When you run bash in the Docker image, you are logged in as root inside the Docker container.

For more information about how to interact with the Docker image, see the Docker command line documentation.

For more information about working with your new install of the Anjuna SGX Runtime, see the First steps section.

From the bash prompt, you can run the tools provided by the Anjuna SGX Runtime. For example, you can check the current version of the Anjuna SGX Runtime like this:

$ anjuna-sgxrun --version
Anjuna Runtime version release-1.51.0002

You can also run a standard Linux command-line tool, like ls:

$ anjuna-sgxrun ls -al

This command displays much more output than usual. The Anjuna SGX Runtime sets up a secure enclave in which to run the command. The extra output is produced as the Anjuna SGX Runtime generates configuration files, sets up the enclave, and prepares to run the command in the protected context.

At the end of the output from the Anjuna SGX Runtime, you will see the normal output of the ls command.

The following is an example of the output:

$ anjuna-sgxrun ls -al
"manifest.template.yaml" created
Compiled manifest written to ls.manifest.sgx
"ls.manifest.sgx" created
"ls.sig" created
Starting "/bin/ls" in Anjuna Runtime
+ exec Runtime/anjuna-runtime --dev /bin/ls -al
[   25] Anjuna Runtime version release-1.51.0002, Copyright (C) Anjuna Security, Inc. All rights reserved.
[   25] Enclave initialized:
[   25]     Enclave base address:           0x0000000800000000
[   25]     Enclave size:                   2GB
[   25]     Maximum number of threads:      64
[   25]     Enclave attributes:             0x0000000000000006
[   25]     Enclave SSA frame size:         1
[   25]     Enclave MRSIGNER:               c0566a320edb50671e19dc3f05f62d04b6d7d3e25abeda5713df5ebc0258e3ac
[   25]     Enclave MRENCLAVE:              3dc36a2411cf8e5da934ecbd3c207bbbf3c035be9c2f516228a1842e0de6769c
/bin/ls: .profile: Function not implemented
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_compat.so.2
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_compat.so.2
Dev Mode - mapping untrusted library: /lib/x86_64-linux-gnu/libnss_nis-2.27.so
Dev Mode - mapping untrusted library: /lib/x86_64-linux-gnu/libnss_nis-2.27.so
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnsl.so.1
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnsl.so.1
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_files.so.2
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_files.so.2
[   25] mmap: runtime does not permit direct file I/O (MAP_SHARED)
[   25] mmap: runtime does not permit direct file I/O (MAP_SHARED)
total 40
drwx------ 1 root root  4096 Nov 25 17:15 .
drwxr-xr-x 1 root root  4096 Nov 25 17:14 ..
-rw-r--r-- 1 root root  3106 Apr  9  2018 .bashrc
-rw-r--r-- 1 root root   148 Aug 17  2015 .profile
lrwxrwxrwx 1 root root    19 Nov 25 17:15 Runtime -> /anjuna/bin/Runtime
-rw------- 1 root root  1006 Nov 25 17:15 ls.manifest.sgx
-rw------- 1 root root  1808 Nov 25 17:15 ls.sig
-rw-r--r-- 1 root root 10887 Nov 25 17:15 manifest.template.yaml
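
The startup output above carries the enclave measurements (MRENCLAVE, MRSIGNER) and names each library the runtime mapped as untrusted in Dev Mode. The following script is an added example, not part of the Anjuna tooling: it extracts those fields from a captured log so a build or deployment check can compare them against expectations. The function names and the exit-status policy are assumptions made for this example.

```shell
# Constructed sample: lines abridged from the example output on this page.
sample_log() {
  cat <<'EOF'
+ exec Runtime/anjuna-runtime --dev /bin/ls -al
[   25] Enclave initialized:
[   25]     Enclave MRSIGNER:               c0566a320edb50671e19dc3f05f62d04b6d7d3e25abeda5713df5ebc0258e3ac
[   25]     Enclave MRENCLAVE:              3dc36a2411cf8e5da934ecbd3c207bbbf3c035be9c2f516228a1842e0de6769c
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_compat.so.2
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnss_compat.so.2
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnsl.so.1
Dev Mode - mapping untrusted library: /anjuna/bin/Runtime/libnsl.so.1
total 40
EOF
}

# measurement FIELD: print the 64-hex-digit MRENCLAVE or MRSIGNER read from stdin.
measurement() {
  sed -n "s/^.*Enclave $1:[[:space:]]*\([0-9a-f]\{64\}\)[[:space:]]*\$/\1/p" | head -n 1
}

# untrusted_libs: print each library the log reports as untrusted, de-duplicated.
untrusted_libs() {
  sed -n 's/^Dev Mode - mapping untrusted library: //p' | sort -u
}

# check_log [EXPECTED_MRENCLAVE]: summarise a log read from stdin.
# Exit status (hypothetical policy for this example):
#   0 no findings, 1 Dev Mode untrusted-library lines present,
#   2 MRENCLAVE missing, malformed, or different from the expected value.
# The body runs in a subshell so its variables stay local.
check_log() (
  log=$(cat)
  mre=$(printf '%s\n' "$log" | measurement MRENCLAVE)
  mrs=$(printf '%s\n' "$log" | measurement MRSIGNER)
  libs=$(printf '%s\n' "$log" | untrusted_libs)
  echo "MRENCLAVE=${mre:-missing}"
  echo "MRSIGNER=${mrs:-missing}"
  if [ -n "$libs" ]; then
    printf '%s\n' "$libs" | sed 's/^/UNTRUSTED_LIB=/'
  fi
  if [ -z "$mre" ]; then return 2; fi
  if [ -n "${1:-}" ] && [ "$mre" != "$1" ]; then return 2; fi
  if [ -n "$libs" ]; then return 1; fi
  return 0
)

# Run against the sample; in practice, pipe in the captured runtime output.
sample_log | check_log || echo "exit status: $?"
```

To use it on a real run, capture the runtime's output (both streams, since this page does not say which one carries the log lines) and pipe it to check_log, optionally passing the MRENCLAVE value you expect for the build.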