Enroll a Compute Node Using Nitro on Amazon Linux
Setting up the Environment
- Create a new VM:
- Select Amazon Linux 2 Machine Image (AMI):
Figure 1: Select AMI
- Select Instance Type: Choose an adequate instance. The c5a.xlarge type is the minimum option that supports Nitro Enclaves (see https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-reqs).
Figure 2: Instance Type
- Click Configure Instance and enable enclave support (Advanced Details: Enclave).
Figure 3: Configure Instance
- Click Add Storage: The default storage is 8GiB. Increase the storage to a reasonable value.
- Add Inbound ports under Security Group. The ports are 22 (for ssh), 80 (for http), and 443 (for https).
- Configure the rest of the parameters as needed and launch the instance.
- Install Nitro Driver and Utilities: Follow the instructions in https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-cli-install.html
Install Nitro Node Agent
- Obtain the join token from Fortanix CCM. To generate your Join Token, please log in to https://ccm.fortanix.com/. In the Infrastructure tab, click +ENROLL NODE on the Compute Nodes page.
- In the ENROLL NODE window, a Join Token will be generated in the text box for "Get a join token to register a compute node". This Join Token is used by the compute node to authenticate itself.
Figure 4: Copy join token
- Click Copy to copy the Join Token (Figure 4).
- Download the Amazon Nitro node agent installer.
- Extract the contents of the package and open the folder.
- Open the readme file which contains the steps to enroll the compute node in Fortanix CCM.
- To enroll the compute node:
- Copy the file installer.sh to your VM.
- Run installer.sh with the join token copied in Step 3. This will enroll the compute node in Fortanix CCM:
sudo bash ./installer.sh <join-token>
- After the compute node is enrolled in Fortanix CCM, you will see it under the Compute Nodes overview table.
Figure 5: Node enrolled
- Debug:
- To view the logs, run the following command:
journalctl -xe | grep em-agent
- To view the status, run the following command:
systemctl status em-agent-nitro
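The following wrapper script is an added example, not Fortanix's installer.sh or any code from this page: it ties the enrollment and debug steps above together by checking the prerequisites (enclave support, Nitro driver, nitro-cli), running installer.sh with the join token exactly as the page shows, and then waiting for the em-agent-nitro service to come up before printing its status. It assumes installer.sh is in the current directory, that the Nitro Enclaves driver exposes /dev/nitro_enclaves, and that a join token contains no whitespace (the token format itself is not documented on this page).

```shell
#!/bin/sh
# Added example wrapper around the enrollment steps; not Fortanix's own code.
# Assumptions: installer.sh is in the current directory, the nitro_enclaves
# driver exposes /dev/nitro_enclaves, and nitro-cli is on PATH.
set -eu

ENCLAVE_DEVICE=/dev/nitro_enclaves   # device node created by the Nitro driver
AGENT_SERVICE=em-agent-nitro          # service name from the page's debug step

# Minimal sanity check on the token: non-empty and no whitespace. The real
# token format is not documented on this page, so nothing stricter is assumed.
validate_join_token() {
  tok=$1
  [ -n "$tok" ] || return 1
  case "$tok" in *[[:space:]]*) return 1 ;; esac
  return 0
}

# True when the given enclave device node exists as a character device.
enclave_device_present() {
  [ -c "$1" ]
}

# Wait up to $2 seconds (default 60) for a systemd unit to report active.
wait_for_service() {
  unit=$1; timeout=${2:-60}; waited=0
  while ! systemctl is-active --quiet "$unit"; do
    [ "$waited" -lt "$timeout" ] || return 1
    sleep 5; waited=$((waited + 5))
  done
}

enroll_nitro_node() {
  token=$1
  validate_join_token "$token" || { echo "invalid join token" >&2; return 2; }
  enclave_device_present "$ENCLAVE_DEVICE" || {
    echo "$ENCLAVE_DEVICE missing: enable enclave support and install the Nitro driver" >&2
    return 3; }
  command -v nitro-cli >/dev/null || { echo "nitro-cli not installed" >&2; return 3; }
  # The installer takes the token as an argument, as on the page; never echo it.
  sudo bash ./installer.sh "$token"
  wait_for_service "$AGENT_SERVICE" 120 || {
    journalctl -xe --no-pager | grep em-agent >&2 || true
    return 4; }
  systemctl status "$AGENT_SERVICE" --no-pager
}

# Only enroll when a token is passed; sourcing the file just defines the functions.
[ $# -eq 0 ] || enroll_nitro_node "$1"
```

Run it as `sudo sh ./enroll-nitro.sh <join-token>` from the extracted installer directory; a non-zero exit code tells you which prerequisite or step failed.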