Automatically manipulate Nitro allocator

[robszumski]

Should enclaver run automatically manipulate the allocator settings up to a reasonable default limit, say 80% of the available RAM?

Currently you modify /etc/nitro_enclaves/allocator.yaml by hand. I know the vCPUs are hot unplugged once allocated, but is the same true of the RAM? If so, this is probably not a great idea but adds a ton of overhead for management of the value. In a Kubernetes world, this is going to be another thing that the scheduler will need to understand.

systemd Aside from if this is a good idea UX wise, what will that do to our system dependency chain? The currently doc'd Unit contains Requires=nitro-enclaves-allocator.service and if the ExecStart within that is going to need to start the allocator service...will that immediately fail our unit? We do have Restart=always but it would still be weird.

In the past when I have restarted the unit it killed my connection to the box and I believe restarted the entire machine:

$ sudo systemctl restart nitro-enclaves-allocator.service
client_loop: send disconnect: Broken pipe

# reconnect...
$ ssh ec2-user@ipaddress
$ uptime
 23:42:41 up 0 min,  1 user,  load average: 0.19, 0.07, 0.02

[robszumski]

Discussion result:

1. When you're running into issues at enclaver run, it's really too late to reclaim RAM or change things
2. We should absolutely have better error messages or wrap ones that we receive with better messages
3. Update the CloudFormation to have better default values per instance size

[robszumski]

3. Update the CloudFormation to have better default values per instance size

Fixed in https://github.com/edgebitio/enclaver/pull/52

[robszumski]

2. We should absolutely have better error messages or wrap ones that we receive with better messages

Covered in https://github.com/edgebitio/enclaver/pull/47