aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0
120 stars 81 forks

Concurrent EIF builds result in multiple EIFs with the same content #515

Open ant1g opened 1 year ago

ant1g commented 1 year ago

Hello,

We are setting up a dedicated VM that will create our EIF files as a step in our CI / CD pipelines. Sometimes we have 2 builds that are triggered at the same time, and when that happens, 2 EIF files get created with the expected names; however, they are in fact the same EIF!

I have not seen anywhere in the docs that nitro-cli build-enclave can't be used concurrently.

I have created this script to reproduce the issue:

#!/usr/bin/env bash

set -Cue -o pipefail

# Start both builds at the same time, in the background.
nitro-cli build-enclave \
  --docker-uri nginx:1.25.1 \
  --output-file nginx.eif &

nitro-cli build-enclave \
  --docker-uri strm/helloworld-http:latest \
  --output-file http.eif &

# Wait for both background builds to finish.
wait

echo "Done"

If you run the second EIF like this: sudo nitro-cli run-enclave --enclave-name http --memory 3072 --cpu-count 2 --debug-mode --eif-path http.eif, you will see that it is in fact NGINX running after checking the logs (nitro-cli console).

Is there any way to prevent this, other than preventing any concurrent runs?

ant1g commented 1 year ago

After doing some digging, I figured out that it was an issue with the img files getting overwritten by the second process. If you use a different NITRO_CLI_ARTIFACTS per build-enclave process, it will work without any issue.

Perhaps something to add to the CLI documentation?
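The workaround above, worked into a script. This is an added example written for this page, not code from the issue author or from the aws-nitro-enclaves-cli project: each concurrent build gets its own NITRO_CLI_ARTIFACTS directory (a fresh mktemp -d), so the intermediate image files of one build can never be overwritten by the other, and the script then refuses to report success unless the two resulting EIFs actually differ. The function names (build_isolated, files_distinct, main), the temp-directory naming and the SHA-256 comparison are all this example's own choices; it assumes nitro-cli is on PATH and that the Docker images from the original reproduction script are pullable.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the project): run two EIF builds
# concurrently with isolated NITRO_CLI_ARTIFACTS directories, then verify
# that the two output files are not identical.
set -Cue

# build_isolated DOCKER_URI OUTPUT_FILE
# Runs nitro-cli build-enclave with a private artifacts directory so that the
# intermediate image files of concurrent builds cannot clobber each other.
build_isolated() {
  local docker_uri="$1" output_file="$2"
  local artifacts
  # Per-build scratch directory; the name pattern is this example's choice.
  artifacts="$(mktemp -d "${TMPDIR:-/tmp}/nitro-artifacts.XXXXXX")"
  NITRO_CLI_ARTIFACTS="$artifacts" nitro-cli build-enclave \
    --docker-uri "$docker_uri" \
    --output-file "$output_file"
  rm -rf "$artifacts"
}

# files_distinct FILE_A FILE_B
# Returns 0 when the two files have different SHA-256 digests and 1 when they
# are byte-for-byte identical (the symptom reported in this issue).
files_distinct() {
  local a b
  a="$(sha256sum "$1" | cut -d' ' -f1)"
  b="$(sha256sum "$2" | cut -d' ' -f1)"
  [ "$a" != "$b" ]
}

# main: same two images as the reproduction script, built in parallel.
main() {
  local pid_nginx pid_http
  build_isolated nginx:1.25.1 nginx.eif &
  pid_nginx=$!
  build_isolated strm/helloworld-http:latest http.eif &
  pid_http=$!
  # Wait on each job individually so a failed build aborts the script.
  wait "$pid_nginx"
  wait "$pid_http"

  if files_distinct nginx.eif http.eif; then
    echo "OK: nginx.eif and http.eif differ"
  else
    echo "ERROR: nginx.eif and http.eif are identical" >&2
    return 1
  fi
}

# Run the builds only when nitro-cli is actually installed; otherwise the
# functions are just defined (useful when sourcing this file).
if command -v nitro-cli >/dev/null 2>&1; then
  main "$@"
else
  echo "nitro-cli not found on PATH; functions defined only" >&2
fi
```

Comparing digests is the cheapest check that the two builds did not collide; on a Nitro build host the same check can be done on the measurements by running nitro-cli describe-eif on each file and comparing PCR0, which is what an attestation policy would key on anyway. Note that the artifacts directory is only removed on success; with set -e a failed build leaves it in place for inspection.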

PhoenixStucco commented 4 months ago

Here are some brief strategies to mitigate the risks of concurrent EIFS installations:

Meticulous Scheduling: Plan the project thoroughly and ensure clear communication between all involved parties. Only one EIFS crew should work on the building at a time.

Phased Approach: For larger buildings, divide the EIFS installation into smaller sections and complete them one at a time.

Contractual Clauses: Include clauses in contracts with contractors that outline penalties for violating installation schedules or working concurrently with other crews.

Have you found any other specific ways to prevent this?