aws/aws-nitro-enclaves-cli

More installation checks would be beneficial

Closed this issue · 4 comments

It would be beneficial if the following (or even more) installation checks were added to the installation package to prevent installing on a system where Nitro Enclaves are not available:

  • minimal EC2 instance type (i.e., no need to install aws-nitro-enclaves-cli on a T3 or T4 instance)
  • Enclaves support enabled in compatible EC2 instances (i.e., no need to install on an M6 instance without Enclaves support enabled)

Hi @volphy, a use case of installing the cli on a non-enabled instance is to be able to do EIF builds, for example in a CI/CD pipeline, where the build machine shouldn't have to be enclave-enabled. Also, our set of supported instances changes over time, and it wouldn't make sense to release a new version of the cli package for this purpose, unless of course there's some specific bug that needs to be addressed.

I understand your rationale.

Let me ask a related question then:
is it possible to read enclaves support attribute within a running EC2 instance without using AWS CLI?

I cannot see it in the instance metadata:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html

The simplest way that I can think of is to check if the Nitro Enclaves PCI device is present. On an instance that has Nitro Enclaves available the device should be present and enabled. Otherwise it should not be present.

$ cat /sys/bus/pci/drivers/nitro_enclaves/0000\:00\:02.0/enable
1
$ cat /sys/bus/pci/drivers/nitro_enclaves/0000\:00\:02.0/enable
cat: /sys/bus/pci/drivers/nitro_enclaves/0000:00:02.0/enable: No such file or directory

@volphy the easiest way on your enclave run-time instance is checking sysfs as above or just issue a lsmod | grep -q nitro_enclaves in your tooling and fetch the result prior to launching enclaves. Otherwise, as previously stated, we cannot make a hard dependency for the CLI since some users are building enclaves on non-EC2 systems today.
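The sysfs probe and the lsmod probe from the two replies above, combined into one preflight script as an added example (not code from the aws-nitro-enclaves-cli project); the NE_SYSFS_ROOT and LSMOD_CMD overrides and the function names are assumptions made so the check can be exercised against a constructed directory tree offline.

```shell
#!/bin/sh
# Added example, not part of aws-nitro-enclaves-cli. Preflight check that a
# tool can run before attempting to launch an enclave. NE_SYSFS_ROOT and
# LSMOD_CMD are assumed overrides for offline testing; defaults are the
# real sysfs root and the system lsmod.
NE_SYSFS_ROOT="${NE_SYSFS_ROOT:-/sys}"

# Returns 0 when a PCI device bound to the nitro_enclaves driver reports
# enable=1 (the path quoted in the thread), 1 when the driver directory exists
# but no bound device is enabled, 2 when the driver directory is absent
# (no Nitro Enclaves support on this host, e.g. a build-only CI machine).
ne_pci_device_enabled() {
    drv="$NE_SYSFS_ROOT/bus/pci/drivers/nitro_enclaves"
    [ -d "$drv" ] || return 2
    # Bound devices appear as <domain>:<bus>:<slot>.<fn> entries under the driver.
    for dev in "$drv"/*:*:*.*; do
        [ -e "$dev/enable" ] || continue
        if [ "$(cat "$dev/enable" 2>/dev/null)" = "1" ]; then
            return 0
        fi
    done
    return 1
}

# Returns 0 when the nitro_enclaves kernel module is loaded, matching the
# "lsmod | grep -q nitro_enclaves" suggestion but anchored on the module-name
# column so a module merely containing the substring does not match.
ne_module_loaded() {
    "${LSMOD_CMD:-lsmod}" 2>/dev/null | awk '{print $1}' | grep -qx nitro_enclaves
}

# Combined gate: both the module and an enabled PCI device must be present.
ne_preflight() {
    if ne_module_loaded && ne_pci_device_enabled; then
        echo "nitro_enclaves: module loaded and PCI device enabled"
        return 0
    fi
    echo "nitro_enclaves: not available on this instance (build-only host?)" >&2
    return 1
}
```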