aws / aws-nitro-enclaves-cli

Tooling for Nitro Enclave Management
Apache License 2.0

Multiple run-enclave calls fail when called simultaneously #516

Open jasperpatterson opened 1 year ago

jasperpatterson commented 1 year ago

When trying to make multiple nitro-cli run-enclave commands simultaneously, I've found only one will succeed.

To reproduce, run the following command, substituting your EIF path:

nitro-cli run-enclave --cpu-count 2 --memory 2048 --eif-path "/path/to/your/app.eif" & nitro-cli run-enclave --cpu-count 2 --memory 2048 --eif-path "/path/to/your/app.eif"

The result is only one of the enclaves running, while any additional ones fail with E36/E39 errors:

Start allocating memory...
Start allocating memory...
[ E36 ] Enclave boot failure. Such error appears when attempting to receive the `ready` signal from a freshly booted enclave. It arises in several contexts, for instance, when the enclave is booted from an invalid EIF file and the enclave process immediately exits, failing to submit the `ready` signal. In this case, the error backtrace provides detailed information on what specifically failed during the enclave boot process.

For more details, please visit https://docs.aws.amazon.com/enclaves/latest/user/cli-errors.html#E36

If you open a support ticket, please provide the error log found at "/var/log/nitro_enclaves/err2023-07-25T17:09:51.827350506+00:00.log"
Failed connections: 1
[ E39 ] Enclave process connection failure. Such error appears when the enclave manager fails to connect to at least one enclave process for retrieving the description information.

For more details, please visit https://docs.aws.amazon.com/enclaves/latest/user/cli-errors.html#E39

If you open a support ticket, please provide the error log found at "/var/log/nitro_enclaves/err2023-07-25T17:09:51.827768135+00:00.log"
Started enclave with enclave-cid: 109, memory: 2048 MiB, cpu-ids: [1, 9]
{
  "EnclaveName": "app",
  "EnclaveID": "i-04f29a3d3b079a4b8-enc1898e075143e130",
  "ProcessID": 499098,
  "EnclaveCID": 109,
  "NumberOfCPUs": 2,
  "CPUIDs": [
    1,
    9
  ],
  "MemoryMiB": 2048
}

Is this expected behaviour? I wasn't able to find any mention of this limitation in the documentation.

The real use-case where I'm running into simultaneous enclave runs is via a docker compose up command which results in multiple Docker containers trying to start an enclave.
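As an added example, not code from this issue or from the aws-nitro-enclaves-cli project: a small POSIX shell wrapper that a container entrypoint could call instead of invoking nitro-cli directly, so that only one run-enclave launch is in flight on the host at a time. It assumes the E36/E39 failures above come from the concurrent launches racing each other (the report shows the outcome, not the cause, so that is an assumption), and the lock path, wait time and the run_enclave_serialized helper are illustrative choices of this example, not anything the CLI provides. The nitro-cli flags used are the ones from the reproduction command above.

```shell
#!/bin/sh
# Added example (not part of aws-nitro-enclaves-cli): serialize concurrent
# `nitro-cli run-enclave` invocations behind a directory lock so that only one
# launch runs at a time. Whether serializing avoids the E36/E39 failures is an
# assumption of this example, not something confirmed in the issue.

LOCK_DIR="${ENCLAVE_LOCK_DIR:-/tmp/nitro-run-enclave.lock}"   # assumed path
LOCK_WAIT_SECS="${ENCLAVE_LOCK_WAIT:-120}"                     # assumed default

# acquire_lock: mkdir is atomic on POSIX filesystems, so whichever caller
# creates the directory first owns the lock; the others poll once a second
# until it is released, and give up after LOCK_WAIT_SECS.
acquire_lock() {
  waited=0
  while ! mkdir "$LOCK_DIR" 2>/dev/null; do
    if [ "$waited" -ge "$LOCK_WAIT_SECS" ]; then
      echo "timed out waiting for enclave launch lock at $LOCK_DIR" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

release_lock() {
  rmdir "$LOCK_DIR" 2>/dev/null
}

# with_launch_lock CMD [ARGS...]: run CMD while holding the lock. The lock is
# released whether or not CMD succeeds, and CMD's exit status is passed
# through. The if/else keeps a failing CMD from aborting the caller's script
# under `set -e` before the lock is released.
with_launch_lock() {
  acquire_lock || return 1
  if "$@"; then
    status=0
  else
    status=$?
  fi
  release_lock
  return "$status"
}

# run_enclave_serialized EIF CPUS MEM: what a container entrypoint would call
# in place of a bare `nitro-cli run-enclave` (hypothetical helper; the flags
# are the ones from the reproduction command in the issue).
run_enclave_serialized() {
  with_launch_lock nitro-cli run-enclave \
    --cpu-count "$2" --memory "$3" --eif-path "$1"
}
```

For a docker compose setup every container would have to share the same lock path, for instance through a common volume mounted at ENCLAVE_LOCK_DIR; that is a deployment assumption of this example. A directory lock is used rather than flock so the wrapper needs nothing beyond POSIX sh and util-linux is not required in the container image.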