Docker
Enclave provides Docker images for running the agent. The registry is hosted on AWS ECR Public and the images are listed at https://gallery.ecr.aws/sidechannel/enclave-agent.
Two tags exist in the agent repository:
latest
- Alpine base image built from the latest stable release of the agent. Recommended for deploying beacons.
ubuntu-latest
- Ubuntu base image built from the latest stable release of the agent. Recommended for deploying virtual gateways and nodes. A virtual gateway or node will run on the Alpine image, but some functionality (namely the inventory and netstat plugins) will not work there.
Supported environment variables
In production deployments, mount the token as a secret file and point `AGENT_TOKEN_FILE` at it rather than passing the token itself in `AGENT_TOKEN`: a value in the container's environment is readable by anyone who can run `docker inspect` on the container or read its `/proc/<pid>/environ`. The following environment variables are supported:
```bash
AGENT_TOKEN_FILE=/run/secrets/agent_token # recommended
AGENT_TOKEN=123456789
EMC_URL=https://enclave.sidechannel.com
```
Running in Docker
Pull the container:
```bash
docker pull public.ecr.aws/sidechannel/enclave-agent:latest
```
To run the agent in Docker, run the following command:
```bash
docker run \
  -d \
  --name enclave-agent \
  --env AGENT_TOKEN=$AGENT_TOKEN \
  --cap-add=NET_ADMIN \
  --device=/dev/net/tun \
  public.ecr.aws/sidechannel/enclave-agent:latest
```
INFO: Be sure to set the `$AGENT_TOKEN` environment variable before you run the command, i.e. `export AGENT_TOKEN=123456789`.
Some notes on this command:
| Argument | What it does |
|---|---|
| `-d` | Run the container in detached mode. |
| `--env AGENT_TOKEN=$AGENT_TOKEN` | Pass the agent token as an environment variable. This is required to authenticate the agent with the Enclave platform. Because an environment variable is visible via `docker inspect`, production deployments should mount the token as a file and set `AGENT_TOKEN_FILE` instead. |
| `--cap-add=NET_ADMIN` | Add the NET_ADMIN capability to the container. This is required to create the tunnel interface; no other capabilities are needed, so do not run the container with `--privileged`. |
| `--device=/dev/net/tun` | Expose the tun device inside the container. This is required to create the tunnel interface. |
| `public.ecr.aws/sidechannel/enclave-agent:latest` | The Docker image to run. |
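The following script is an added example, not part of the Enclave documentation or the agent project, showing the production variant of the command above: the token is written to a file that only its owner can read, the file is bind-mounted read-only into the container, and only its path is passed via `AGENT_TOKEN_FILE`, so the token never appears in the container's environment. The token file location (`~/.enclave/agent_token`) and the script name are assumptions; the image tag, capability, device and `AGENT_TOKEN_FILE` path are the ones documented on this page.

```shell
#!/bin/sh
# Added example (not Enclave's own code): start the agent with the token
# delivered through AGENT_TOKEN_FILE instead of AGENT_TOKEN in the environment.
# Assumed: the token file location below and the script name run-agent.sh.
set -eu

TOKEN_FILE="${ENCLAVE_TOKEN_FILE:-$HOME/.enclave/agent_token}"   # assumed location

# Write the token to a file that only the owner can read (mode 0400).
write_token_file() {
  token="$1"
  path="$2"
  mkdir -p "$(dirname "$path")"
  rm -f "$path"                     # an existing 0400 file is not writable
  old_umask=$(umask)
  umask 077                         # never create the file world-readable
  printf '%s' "$token" > "$path"
  umask "$old_umask"
  chmod 0400 "$path"
}

# Refuse to start if the token file is missing, empty, or readable by others.
token_file_ok() {
  path="$1"
  [ -s "$path" ] || { echo "token file $path missing or empty" >&2; return 1; }
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "token file $path has mode $mode; expected 0400" >&2; return 1 ;;
  esac
}

# Print the docker run arguments, one per line. The token file is bind-mounted
# read-only at the path the agent expects; the environment only carries the
# path, so `docker inspect` and /proc/<pid>/environ never contain the token.
agent_run_args() {
  path="$1"
  printf '%s\n' \
    --detach \
    --name enclave-agent \
    --cap-add=NET_ADMIN \
    --device=/dev/net/tun \
    --mount "type=bind,source=$path,target=/run/secrets/agent_token,readonly" \
    --env AGENT_TOKEN_FILE=/run/secrets/agent_token \
    public.ecr.aws/sidechannel/enclave-agent:latest
}

# Usage: ./run-agent.sh <agent token>
run_agent() {
  write_token_file "$1" "$TOKEN_FILE"
  token_file_ok "$TOKEN_FILE"
  set -f                            # no globbing of the printed arguments
  IFS='
'                                   # split on newlines only, so a path with spaces survives
  # shellcheck disable=SC2046
  docker run $(agent_run_args "$TOKEN_FILE")
}

if [ "${1:-}" != "" ]; then
  run_agent "$1"
fi
```

After the container starts, `docker inspect enclave-agent` shows only `AGENT_TOKEN_FILE=/run/secrets/agent_token` under `Config.Env`; the token itself is reachable only through the read-only mount inside the container.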
Running in Kubernetes
In Kubernetes, the recommended pattern is to run the agent as a sidecar container in the same pod as your application. Mount the agent token from a Secret rather than writing it into the pod spec: Kubernetes does not expand `$AGENT_TOKEN` inside a manifest (the literal string would be passed to the agent), and a plain value would be readable by anyone who can read the pod spec. The manifest below assumes a Secret named `enclave-agent-token` holding the token under the key `agent_token` (create it from a file with `kubectl create secret generic`), mounts it at the path the agent reads via `AGENT_TOKEN_FILE`, and exposes the host's tun device.
To run the agent in Kubernetes, use the following manifest as a starting point:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-app
      image: my-app:latest
      ports:
        - containerPort: 80
    - name: enclave-agent
      image: public.ecr.aws/sidechannel/enclave-agent:latest
      env:
        # Point the agent at the mounted Secret instead of setting AGENT_TOKEN:
        # a manifest value is not expanded by Kubernetes and would be stored
        # in the pod spec and the container's environment in the clear.
        - name: AGENT_TOKEN_FILE
          value: /run/secrets/agent_token
      securityContext:
        # privileged grants every capability and unrestricted device access,
        # which is what lets the container open the bind-mounted /dev/net/tun;
        # NET_ADMIN is listed for clarity but is already implied by privileged.
        privileged: true
        capabilities:
          add: ["NET_ADMIN"]
      volumeMounts:
        - name: enclave-tun
          mountPath: /dev/net/tun
        - name: agent-token
          mountPath: /run/secrets
          readOnly: true
  volumes:
    - name: enclave-tun
      hostPath:
        path: /dev/net/tun
        type: CharDevice
    - name: agent-token
      secret:
        # Secret name and key are assumptions; the key becomes the file name
        # under /run/secrets, so it must match AGENT_TOKEN_FILE above.
        secretName: enclave-agent-token
        defaultMode: 0400
```