Enclaver Manifest File

Enclaver relies on a manifest file to understand how to transform your container into an enclave and run it securely. Egress and ingress rules are baked into the enclave image rather than supplied as separate run-time configuration, so the network policy travels with the image wherever it is deployed, which improves both portability and security.

The file is YAML formatted and passed to Enclaver via the -f flag. By default, Enclaver looks for enclaver.yaml in the current directory.

$ enclaver build -f enclaver.yaml

Example Manifest

version: v1
name: "example-enclave"
target: "testapp:enclave-latest"
sources:
  app: "testapp:latest"
defaults:
  memory_mb: 4096
egress:
  allow:
    - google.com
    - www.google.com
ingress:
  - listen_port: 8080

An enclave is not required to have both ingress and egress rules, but without at least one of them it is not very useful. Every egress destination the application will contact must be declared, including internal VPC addresses and the hostnames of AWS service endpoints; anything not listed under egress.allow is unreachable from inside the enclave.

The special hostname host refers to localhost on the parent EC2 instance. Like any other destination, it is only reachable if it is listed under the egress allow rules.

Enclaver enforces egress rules with an HTTP/HTTPS proxy, and it sets the usual http_proxy, https_proxy and no_proxy environment variables for the application so that proxy-aware HTTP clients need no code changes. The corollary is that traffic which does not go through the proxy (raw TCP sockets, or an HTTP client configured to ignore those variables) has no path out of the enclave, so such applications need to be adapted before they will work.
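The following is an added example, not Enclaver's own code, that models how the egress.allow list and the exported proxy variables interact for a proxy-aware application. It assumes an exact, case-insensitive hostname match against the allow list, treats host as an ordinary allow-list entry, and uses an illustrative proxy address and no_proxy value rather than the ones Enclaver actually configures; the manifest and the URLs are constructed sample input.

```python
# Added example (not Enclaver's code): a small model of how egress.allow
# and the *_proxy environment variables interact for a proxy-aware app.
# Assumptions: exact, case-insensitive hostname matching; the proxy
# address and no_proxy value are illustrative, not Enclaver's settings.
import os
from urllib.parse import urlsplit
from urllib.request import getproxies, proxy_bypass_environment

# Constructed manifest mirroring the example above, with the "host"
# alias (localhost on the parent EC2 instance) added to the allow list.
MANIFEST = {
    "version": "v1",
    "name": "example-enclave",
    "egress": {"allow": ["google.com", "www.google.com", "host"]},
    "ingress": [{"listen_port": 8080}],
}

# Illustrative proxy settings of the kind exported to the application.
PROXY_ENV = {
    "http_proxy": "http://127.0.0.1:3128",
    "https_proxy": "http://127.0.0.1:3128",
    "no_proxy": "localhost,127.0.0.1",
}


def egress_allowed(manifest, url):
    """True if the URL's hostname is declared under egress.allow."""
    host = urlsplit(url).hostname
    if not host:
        return False
    allowed = {h.lower() for h in manifest.get("egress", {}).get("allow", [])}
    return host.lower() in allowed


def apply_proxy_env(env=PROXY_ENV):
    """Export the proxy variables and return what urllib now sees.

    getproxies() reads the same *_proxy variables that curl, requests and
    most other HTTP clients honour, which is why a proxy-aware app needs
    no code changes to run behind the enforcement proxy."""
    os.environ.update(env)
    return getproxies()


def simulate(manifest, url, env=PROXY_ENV):
    """Outcome for a proxy-honouring client inside the enclave.

    'direct'  : no_proxy bypasses the proxy; the connection stays inside
                the enclave and is neither filtered nor forwarded.
    'allowed' : the proxy would forward it (hostname is declared).
    'blocked' : the proxy would refuse it (hostname is not declared)."""
    host = urlsplit(url).hostname or ""
    # urllib keys the no_proxy value as "no" (the "_proxy" suffix is dropped).
    if proxy_bypass_environment(host, {"no": env["no_proxy"]}):
        return "direct"
    return "allowed" if egress_allowed(manifest, url) else "blocked"


if __name__ == "__main__":
    print(apply_proxy_env())
    for url in ("https://www.google.com/", "https://sts.amazonaws.com/",
                "http://host:9000/health", "http://localhost:8080/"):
        print(f"{url:32} -> {simulate(MANIFEST, url)}")
```

Note that sts.amazonaws.com is blocked even though it is an AWS service endpoint: nothing is implicitly trusted, which is why the text above insists that every AWS hostname the application needs be declared. The "host" URL is forwarded only because host appears in the allow list.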

In the future, a more transparent TCP proxy mode will be added to ease integration with applications. See Issue #69 for more details.

Manifest Specification