User's Guide: Enroll a Compute Node Using AWS Nitro on Amazon Linux

1.0 Enroll a Compute Node Using Nitro on Amazon Linux

This article describes how to enroll a compute node using AWS Nitro on Amazon Linux.

1.1 Setting up the Environment

  1. Create a new VM:

    1. Log in to Amazon Web Services (AWS). Click EC2 → Instances → Launch Instances, and enter the name and tags for your VM.

    2. Select the Amazon Linux 2023 Amazon Machine Image (AMI).

      Figure 2: Select AMI

    3. Select Instance Type: choose an adequate instance. The c5a.xlarge type is the minimum option that supports Nitro Enclaves (see https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-reqs).

      Figure 3: Add Instance Type

    4. Create a new Key pair. This provides the private key to securely connect to the VM.

      Figure 4: Configure a Key Pair

    5. Configure the required storage size. The default storage size is 8 GB. Increase the storage to a reasonable value if required.

      Figure 5: Configure Storage

    6. Expand the Advanced Details section. Select Enable under Nitro Enclave info.

      Figure 6: Configure Nitro Enclave

    7. Configure the rest of the parameters as needed and launch the enclave.

  2. Install the Nitro driver and utilities: follow the instructions under Amazon Linux 2023 in the AWS guide Installing the Nitro Enclaves CLI on Linux.

    NOTE

    The number of vCPUs and the amount of memory to pre-allocate for enclaves are defined in the allocator service configuration file (/etc/nitro_enclaves/allocator.yaml).

1.2 Install Nitro Node Agent

  1. Obtain the join token from Fortanix CCM. To generate your Join Token, log in to https://ccm.fortanix.com/.

  2. Click the Infrastructure → Compute Nodes menu item, and click +ENROLL NODE on the Compute Nodes page.

  3. In the ENROLL NODE window, a Join Token is generated in the text box labelled "Get a join token to register a compute node". The compute node uses this Join Token to authenticate itself to Fortanix CCM.

    Figure 7: Copy Join Token

  4. Click COPY to copy the Join Token.

  5. Download the Amazon Nitro node agent installer.

  6. Extract the contents of the package and open the folder.

  7. Open the readme file which contains the steps to enroll the compute node in Fortanix CCM.

  8. To enroll the compute node:

    1. Copy the file installer.sh to your VM.

    2. Run installer.sh with the Join Token copied in Step 3. This enrolls the compute node in Fortanix CCM.

      sudo bash ./installer.sh <join-token>

  9. After the compute node is enrolled in Fortanix CCM, it appears in the Compute Nodes overview table.


    Figure 8: Node enrolled

  10. Debug:

    1. To view the logs, run the following command:

      journalctl -xe | grep em-agent

    2. To view the status, run the following command or directly check the syslog:

      systemctl status em-agent-nitro
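The enrollment procedure above (Section 1.2) and the allocator note in Section 1.1 leave two things to the operator: confirming that the allocator reserves enough resources before running the installer, and handling the Join Token carefully, since it is the credential the node uses to authenticate to Fortanix CCM. The following script is an added example and is not code from Fortanix or AWS. It takes /etc/nitro_enclaves/allocator.yaml, installer.sh and the em-agent-nitro service name from this page; the minimum values, the token-file convention, the keys memory_mib and cpu_count (the entries the AWS allocator file uses) and the log patterns are assumptions made for the example. The constructed sample data at the end lets the checks run offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the Fortanix CCM or AWS documentation: pre-flight
# checks around the enrollment steps above. /etc/nitro_enclaves/allocator.yaml,
# installer.sh and the em-agent-nitro service name come from the page; the
# minimum values, the token-file layout and the log patterns are assumptions.
set -u

# Read one "key: value" entry from allocator.yaml (for example "memory_mib: 512").
allocator_value() {   # $1 = yaml file, $2 = key
    awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# Succeed only if the allocator reserves at least $2 MiB and $3 vCPUs for enclaves.
check_allocator() {   # $1 = yaml file, $2 = min memory MiB, $3 = min cpu count
    mem=$(allocator_value "$1" memory_mib)
    cpus=$(allocator_value "$1" cpu_count)
    [ -n "$mem" ] && [ -n "$cpus" ] || return 1
    [ "$mem" -ge "$2" ] && [ "$cpus" -ge "$3" ]
}

# The Join Token authenticates the node to CCM, so keep it in a file that only
# its owner can read instead of typing it into the shell. Succeed only if the
# file is mode 0600/0400 and holds a single non-empty token without whitespace.
check_token_file() {   # $1 = token file
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) ;; *) return 1 ;; esac
    token=$(head -n 1 "$1")
    [ -n "$token" ] || return 1
    case "$token" in *[[:space:]]*) return 1 ;; esac
    return 0
}

# Count error-looking em-agent lines in journal text (what the debug step greps for).
count_agent_errors() {   # log text on stdin
    grep -c -iE 'em-agent.*(error|fail|denied)' || true
}

# Full enrollment run: pre-flight, install, then the page's status and log checks.
# Not invoked below because it needs root, the Nitro driver and installer.sh.
enroll_node() {   # $1 = token file
    check_allocator /etc/nitro_enclaves/allocator.yaml 512 2 \
        || { echo "allocator reserves too little memory or too few vCPUs" >&2; return 1; }
    check_token_file "$1" \
        || { echo "token file missing, empty or too permissive" >&2; return 1; }
    sudo bash ./installer.sh "$(head -n 1 "$1")" || return 1
    systemctl status em-agent-nitro --no-pager
    journalctl -xe --no-pager | grep em-agent | count_agent_errors
}

# Offline self-check on constructed data so the helpers can be exercised anywhere.
demo() {
    tmp=$(mktemp -d)
    printf 'memory_mib: 2048\ncpu_count: 2\n' > "$tmp/allocator.yaml"   # constructed
    printf 'constructed-join-token\n' > "$tmp/token"                     # constructed
    chmod 600 "$tmp/token"
    check_allocator "$tmp/allocator.yaml" 512 2 && echo "allocator: ok"
    check_token_file "$tmp/token" && echo "token file: ok"
    # Constructed journal lines in the shape of journalctl output; prints 1.
    printf '%s\n' \
      'Jan 01 00:00:01 host em-agent-nitro[1234]: starting enrollment' \
      'Jan 01 00:00:02 host em-agent-nitro[1234]: error: join token rejected' \
      'Jan 01 00:00:03 host em-agent-nitro[1234]: retrying' \
      | count_agent_errors
    rm -rf "$tmp"
}
demo
```

To use it on the VM, store the copied Join Token in a file such as ~/join-token with mode 0600 and call enroll_node ~/join-token. The token still reaches installer.sh as an argument, exactly as the documented command does, but reading it from a protected file keeps it out of the shell history and lets the permission check catch a token file that other local users could read. A non-zero count from count_agent_errors is a prompt to read the full journalctl output, not a verdict on its own.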