User's Guide: Compute Nodes

Introduction

Compute Nodes

Compute nodes are bare metal servers or virtual machines running in the cloud or on-premise.

Users can label compute nodes when registering them to Fortanix Confidential Computing Manager (CCM) to provide identity and policy management on the compute nodes. Before running a Compute Node, it must be enrolled in Fortanix CCM. This is called the Node Enrollment process.

Node Agent

The Fortanix Node Agent software, when installed on a compute node, enables registration of that compute node to Fortanix CCM.

The Node Agent assists in the verification of Hardware and Platform software running on the compute nodes.

The Node Agent also assists with application attestation and visibility for Fortanix CCM.

Kernel Version Supported

The OS supported:

  • Ubuntu server 16.04 LTS Gen2
  • Ubuntu server 20.04 LTS Gen2
  • CentOS 7
  • Amazon Linux 2

The Hardware platform supported:

  • Ice Lake server

The Kernel version supported:

  • Ubuntu server 16.04 LTS Gen2: Kernel version: 4.15.0-1113-azure
  • Ubuntu server 20.04 LTS Gen2: Kernel version: 5.8.0-1042-azure
  • CentOS 7 : Kernel version: 3.10.0-1062.12.1.el7.x86_64

Enroll Compute Nodes

Option 1: Enroll a Compute Node Using Azure Marketplace

  1. First, generate a Join Token using the Fortanix CCM UI. To generate your Join Token, please log in to https://ccm.fortanix.com and in the Infrastructure tab, click + ENROLL NODE in the Compute Nodes page.
    Figure 1: Enroll compute node
  2. Click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
    Figure 2: Copy Join Token
  3. Visit https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent to create the Node Agent VM to register the compute node.
    NOTE
    Alternatively, you can also download the latest node agent software from https://support.fortanix.com/hc/en-us/articles/360043407012-Fortanix-Node-Agent and install it on your own machine.
  4. Click the GET IT NOW button in the “Fortanix Confidential Computing Node Agent” page.
    Figure 3: Get the node agent
  5. Click Continue in the pop-up window.
    Figure 4: Confirm creating app in Azure
  6. In the Node Agent preview page, click Create.
    Figure 5: Proceed to create a node agent
  7. In the Create Fortanix Confidential Computing Node Agent form (Figure 6), fill all the necessary details.
    1. In the Region field, select either (US) East US, (UK) South UK, or Central Canada (more regions will be added as Azure adds Confidential Computing support to more regions).
      NOTE
      The node agent instance is currently available in the (US) East US, (UK) South UK, or Central Canada regions only.
    2. In the Join Token field, paste the join token that you had generated using the Fortanix CCM UI.
    3. We strongly recommend using DCAP attestation as the Attestation Protocol when installing the node agent on an Azure VM.
  8. Click the Review + create button to validate the node agent details.
    Figure 6: Validate node agent
  9. Wait for the validation to pass.
  10. Once the validation is successful, click Create to create the node agent.
    Figure 7: Create node agent
    Figure 8: Node agent created
  11. Once the node agent is created, the compute node is enrolled in Fortanix CCM, and you will see it under the Compute Nodes overview table.
    Figure 9: Enrolled node
    NOTE
    To know the attestation type of the node, hover over the certificate icon. The attestation type is either "DCAP" or "EPID".
  12. Add Labels: To control which applications are allowed to run on which nodes, we add Labels for applications and nodes in the form of “Key:Value” pairs. Refer to Application and Compute Node Policy Enforcement for more details.
    1. Suggested Labels – This field will show the top 10 labels that are frequently used by users of an account.
    2. Add Labels – Enter the Key and Value pair and click the LABEL button to save the label. The newly created label will appear in the Labels Added field. A user can also choose an existing label from the Suggested Labels field.
      An example of a “Key:Value” pair is “Location:Location_name”, where “Location” is the Key and “Location_name” is the Value of the key, such as “South UK”.
      NOTE
      • A label's key and value can each have a maximum of 256 characters and are case-sensitive.
      • Some keys are reserved for internal use; these are called system-defined labels. A key is reserved if it is:
        • exactly one of 'Fortanix', 'fortanix', 'CCM', 'ccm', 'confidentialcomputingmanager'; or
        • of the form {Fortanix|fortanix|CCM|ccm|confidentialcomputingmanager|Confidentialcomputingmanager}<Any_Non-Alphanumeric-Char><Any-Char>.
    3. If we are adding labels for an application then it is mandatory to add the same labels on the node on which the application will run.
    4. A node can have multiple labels that belong to different applications. For example:
      App1’s label => Location1: Value1
      App2’s label => Location2: Value2
      Then the Node can have labels => Location1: Value1 , Location2: Value2.

      Figure 10: Node label
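The label rules above (256-character limit, case-sensitivity, reserved system-defined keys) and the policy rule that every application label must also be present on the node are easy to get wrong by hand, so the following is an added example, not Fortanix code, of how to pre-check labels before entering them in the CCM UI. It assumes the reserved-key pattern is read as "reserved word, then one non-alphanumeric character, then at least one more character"; the function names are the author's own and CCM itself remains the authority on what it accepts.

```python
import re

MAX_LABEL_LEN = 256  # per the guide: key and value are each limited to 256 characters

# Exact reserved keys as listed in the guide. Labels are case-sensitive,
# so "Fortanix" and "fortanix" are separate entries.
RESERVED_EXACT = {"Fortanix", "fortanix", "CCM", "ccm", "confidentialcomputingmanager"}

# Prefix form from the guide: reserved word, then a non-alphanumeric
# character, then any further text (e.g. "CCM-node" or "fortanix:internal").
# Assumption: "<Any-Char>" means at least one character follows the separator.
_RESERVED_PREFIX = re.compile(
    r"^(?:Fortanix|fortanix|CCM|ccm|confidentialcomputingmanager|"
    r"Confidentialcomputingmanager)[^A-Za-z0-9].+$"
)


def is_reserved_key(key: str) -> bool:
    """True if the key collides with a system-defined label."""
    return key in RESERVED_EXACT or _RESERVED_PREFIX.match(key) is not None


def label_problems(key: str, value: str) -> list:
    """Return a list of rule violations for one Key:Value pair (empty if fine)."""
    problems = []
    if not key:
        problems.append("key is empty")
    if len(key) > MAX_LABEL_LEN:
        problems.append("key longer than 256 characters")
    if len(value) > MAX_LABEL_LEN:
        problems.append("value longer than 256 characters")
    if is_reserved_key(key):
        problems.append("key '%s' is reserved for system-defined labels" % key)
    return problems


def missing_node_labels(app_labels: dict, node_labels: dict) -> dict:
    """Return the application labels the node lacks or carries with a
    different value. An empty result means every application label is
    present on the node, so the policy allows the app to run there.
    The comparison is case-sensitive, as the guide requires."""
    return {k: v for k, v in app_labels.items() if node_labels.get(k) != v}


if __name__ == "__main__":
    # Constructed sample: the two-app node from the guide's example.
    node = {"Location1": "Value1", "Location2": "Value2"}
    print(label_problems("Location", "South UK"))            # []
    print(label_problems("ccm", "x"))                        # reserved key
    print(missing_node_labels({"Location1": "Value1"}, node))  # {} -> allowed
    print(missing_node_labels({"Location3": "Value3"}, node))  # missing label
```

Run `missing_node_labels` with the application's labels and the node's labels before deploying; a non-empty result is exactly the set of labels you still need to add to the node.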

Option 2: Enroll a Compute Node (bare metal or VM)

Download Node Agent Installer - Ubuntu 16.04/Ubuntu 20.04

Click the following URL to download the Ubuntu Node Agent installer:
Download Ubuntu Node Agent Installer

Download Node Agent Installer - CentOS 7

Click the following URL to download the CentOS Node Agent installer:
Download CentOS Node Agent Installer

Enroll Compute Node

  1. Extract the content of the Node-Agent-Installer.tar.gz package and open the folder.
  2. Open the INSTALLER_README.md file which contains the steps to enroll the compute node in Fortanix CCM.
    Figure 11: INSTALLER_README

    The INSTALLER_README.md has the steps to enroll a compute node in Fortanix CCM:

  3. Fortanix supports any SGX-capable server node.
  4. Ensure that applications on the node are allowed to make local connections to the Node Agent on port 9092.
    WARNING
    As a best practice, this port should not accept remote connections. Do not allow remote connections to the node agent.
  5. Enroll your compute node in Fortanix CCM:
    1. Copy the file installer.sh to your VM.
    2. Run the installer.sh using the command:
      sudo bash installer.sh <join-token> --attestation-type=<attestation-type>
    NOTE
    • If the attestation-type is DCAP, make sure that you have az-dcap-client installed on your machine. To install az-dcap-client, please refer to the INSTALLER_README.md file.
    • We strongly recommend using DCAP attestation when installing the node agent on an Azure VM.
  6. To generate your Join Token, please log in to https://ccm.fortanix.com, and in the Infrastructure tab, click ENROLL NODE in the Compute Nodes page.
    Figure 12: Enroll compute node
  7. In the ENROLL NODE window, a Join Token will be generated in the text box for "Get a join token to register an SGX compute node". This Join Token is used by the compute node to authenticate itself.
    Figure 13: Join token generated
  8. Click Copy to copy the Join Token (Figure 13). 
  9. Run the installer.sh with the Join Token that you copied. This will enroll the compute node in Fortanix CCM.
  10. Once the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.
    Figure 14: Enrolled node
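Step 4 and its warning say the Node Agent must accept local connections on port 9092 but never remote ones. The following added check, which is not part of the Fortanix installer or the INSTALLER_README, parses the output of `ss -H -ltn` (iproute2, `-H` suppresses the header) and reports any listener on that port bound to something other than a loopback address; the function names and the sample `ss` lines are constructed for this example.

```python
import subprocess

NODE_AGENT_PORT = 9092

# Local addresses that only processes on the node itself can reach.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def exposed_listeners(ss_output: str, port: int = NODE_AGENT_PORT) -> list:
    """Parse `ss -H -ltn` output and return the local addresses on which
    `port` is listening that are NOT loopback. An empty list means the
    port is reachable only from local processes, which is what the guide
    requires for the Node Agent."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # Column layout: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        local = fields[3]
        addr, _, lport = local.rpartition(":")  # rpartition keeps "[::]" intact
        if lport != str(port):
            continue
        if addr not in LOOPBACK:
            exposed.append(addr)
    return exposed


def check_live_node(port: int = NODE_AGENT_PORT) -> list:
    """Run ss on this host and return the non-loopback bindings for `port`."""
    out = subprocess.run(
        ["ss", "-H", "-ltn"], capture_output=True, text=True, check=True
    ).stdout
    return exposed_listeners(out, port)


# Constructed sample: the agent is correctly bound to IPv4 loopback, but an
# IPv6 wildcard bind on the same port would be reachable from the network.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:9092 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:9092 [::]:*
"""

# Constructed sample of the expected, local-only configuration.
SAMPLE_SS_OK = """\
LISTEN 0 128 127.0.0.1:9092 0.0.0.0:*
LISTEN 0 128 [::1]:9092 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    print("sample (bad):", exposed_listeners(SAMPLE_SS))      # ['[::]']
    print("sample (ok): ", exposed_listeners(SAMPLE_SS_OK))   # []
    print("this host:   ", check_live_node())
```

A non-empty result from `check_live_node()` on an enrolled node means port 9092 is bound beyond loopback and should be restricted (host firewall or agent bind address) before applications rely on it.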

Enroll a Node Using AWS Nitro on Amazon Linux

Setting up the Environment

  1. Create a new VM:
    1. Select Amazon Linux 2 Machine Image (AMI).
      Figure 15: Select AMI
    2. Select Instance Type: Choose an adequate instance. The c5a.xlarge type is the minimum option that supports Nitro enclaves (see https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-reqs).
      Figure 16: Instance Type
    3. Click Configure Instance and enable enclave support (Advanced Details: Enclave).
      Figure 17: Configure Instance
    4. Click Add Storage: The default storage is 8GiB. Increase the storage to a reasonable value.
    5. Add Inbound ports under Security Group. The ports are 22 (for ssh), 80 (for http), and 443 (for https).
    6. Configure the rest of the parameters as needed and launch the enclave.
  2. Install Nitro Driver and Utilities: Follow the instructions in https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-cli-install.html 

Install Nitro Node Agent

  1. Obtain the join token from Fortanix CCM. To generate your Join Token, please log in to https://ccm.fortanix.com/. In the Infrastructure tab, click +ENROLL NODE on the Compute Nodes page. 
  2. In the ENROLL NODE window, a Join Token will be generated in the text box for "Get a join token to register a compute node". This Join Token is used by the compute node to authenticate itself.
    Figure 18: Copy join token
  3. Click Copy to copy the Join Token (Figure 18). 
  4. Download the Amazon Linux node agent installer.
    <link TBD>
  5. Extract the contents of the package and open the folder.
  6. Open the readme file which contains the steps to enroll the compute node in Fortanix CCM.
  7. To enroll the compute node:
    1. Copy the file installer.sh to your VM.
    2. Run the installer.sh with the join token copied in Step 3 . This will enroll the compute node in Fortanix CCM.
      sudo bash ./installer.sh <join-token>
  8. Once the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.
    Figure 19: Node enrolled
  9. Debug:
    1. To view the logs, run the following command:
      journalctl -xe | grep em-agent
    2. To view the status, run the following command:
      systemctl status em-agent-nitro

Manage Nodes using Fortanix Confidential Computing Manager

  1. Sign in to the Fortanix CCM UI, and navigate to the Infrastructure tab in the Management Console.
  2. Click the IP address of the node that you want to investigate. An information screen opens.
  3. On the information screen, you can choose to deactivate/delist the node or download the certificate that is used. To download the certificate, refer to the next section, Download Confidential Computing Manager Node Attestation Certificate.

Download Confidential Computing Manager Node Attestation Certificate

To download the CCM node attestation certificate:

  1. Go to the Infrastructure tab and on the Compute Nodes page, click the compute node for which you want to download the certificate.
    Figure 20: Select node
  2. You can download the certificate from the Compute Node detailed view using the Download option on the right. This certificate contains Intel SGX details such as the CPUSVN (CPU Security Version Number) of the compute node, the MRENCLAVE of the node agent software, and so on, as seen in the screenshot below.
    Figure 21: Download Certificate
