Docker

Enclave provides docker images to run the agent. Our registry is available on AWS ECR. You can find the images here: https://gallery.ecr.aws/sidechannel/enclave-agent.

Two types of tags exist in the agent repository:

  • latest - Alpine base image based on the latest stable release of the agent. This is recommended for deployment of beacons.
  • ubuntu-latest - Ubuntu base image based on the latest stable release of the agent. This is recommended for the deployment of virtual gateways and nodes. You can deploy a virtual gateway/node with the alpine image but some functionality (namely inventory and netstat plugins) will not work.

Supported environment variables

Note: in production deployments we recommend mounting the token as a file (AGENT_TOKEN_FILE) rather than passing it as a plain environment variable (AGENT_TOKEN). The following environment variables are supported:

```bash
AGENT_TOKEN_FILE=/run/secrets/agent_token   # recommended: path to a file containing the agent token
AGENT_TOKEN=123456789                        # the agent token itself (example value)
EMC_URL=https://enclave.sidechannel.com      # Enclave platform URL
```

Running in Docker

Pull the container:

```bash
docker pull public.ecr.aws/sidechannel/enclave-agent:latest
```

To run the agent in docker, run the following command:

```bash
docker run \
  -d \
  --name enclave-agent \
  --env AGENT_TOKEN="$AGENT_TOKEN" \
  --cap-add=NET_ADMIN \
  --device=/dev/net/tun \
  public.ecr.aws/sidechannel/enclave-agent:latest
```

INFO: Be sure to set the $AGENT_TOKEN environment variable before you run the command, e.g. `export AGENT_TOKEN=123456789`.

Some notes on this command:

| Argument | What it does |
|---|---|
| `-d` | Run the container in detached mode. |
| `--env AGENT_TOKEN=$AGENT_TOKEN` | Pass the agent token as an environment variable. This is required to authenticate the agent with the Enclave platform. |
| `--cap-add=NET_ADMIN` | Add the NET_ADMIN capability to the container. This is required to create the tunnel interface. |
| `--device=/dev/net/tun` | Mount the tun device into the container. This is required to create the tunnel interface. |
| `public.ecr.aws/sidechannel/enclave-agent:latest` | The docker image to run. |
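Passing the token with `--env AGENT_TOKEN=...` leaves it visible in `docker inspect` output and in the shell history of whoever ran the command. The wrapper below is an added example, not part of the Enclave docs: it uses the documented AGENT_TOKEN_FILE variable and bind-mounts a token file read-only at `/run/secrets/agent_token`, after refusing any token file that other users on the host can read. The helper names, the `DRY_RUN` switch and the host path of the token file are assumptions; the image name and the capability and device flags are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the Enclave docs): start the agent with the token
# read from a file via AGENT_TOKEN_FILE, so the token never appears on the
# command line, in `docker inspect`, or in the shell history.
# Assumptions: the helper names and the host path of the token file are ours;
# the image name, flags and AGENT_TOKEN_FILE come from the page.

# Refuse token files that other users on the host could read.
check_token_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "token file '$f' does not exist" >&2
        return 1
    fi
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "token file '$f' is readable by group/others ($perms); chmod 600 it" >&2
        return 1
    fi
}

# Build and (unless DRY_RUN=1) execute the docker run command.
# The file is bind-mounted read-only at the path the agent reads from.
run_agent() {
    token_file="$1"
    check_token_file "$token_file" || return 1
    case "$token_file" in
        /*) ;;
        *) echo "token file path must be absolute for a bind mount" >&2; return 1 ;;
    esac
    set -- docker run -d --name enclave-agent \
        --mount "type=bind,source=$token_file,target=/run/secrets/agent_token,readonly" \
        --env AGENT_TOKEN_FILE=/run/secrets/agent_token \
        --cap-add=NET_ADMIN \
        --device=/dev/net/tun \
        public.ecr.aws/sidechannel/enclave-agent:latest
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"      # print the command instead of running it
    else
        "$@"
    fi
}

# Usage: sh run-enclave-agent.sh /etc/enclave/agent_token   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    run_agent "$1"
fi
```

With `DRY_RUN=1` the script only prints the command it would run, which is a convenient way to confirm that the token value itself is absent from it before deploying.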

Running in Kubernetes

To run the agent in Kubernetes, run it as a sidecar container in the same pod as your application; this is the recommended way to run the agent. We highly recommend mounting the agent token as a Secret rather than writing it into the manifest.

To run the agent in Kubernetes, use the following manifest as a starting point:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-app
    image: my-app:latest
    ports:
    - containerPort: 80
  - name: enclave-agent
    image: public.ecr.aws/sidechannel/enclave-agent:latest
    env:
    - name: AGENT_TOKEN
      # Kubernetes does not expand "$AGENT_TOKEN" in a manifest, so read the
      # token from a Secret instead of a literal value. The Secret name and
      # key below are placeholders; create the Secret before applying this.
      valueFrom:
        secretKeyRef:
          name: enclave-agent-token
          key: token
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]   # needed to create the tunnel interface
      privileged: true       # needed for the container to open the /dev/net/tun device mounted below
    volumeMounts:
    - name: enclave-tun
      mountPath: /dev/net/tun
  volumes:
  - name: enclave-tun
    hostPath:
      path: /dev/net/tun
      type: CharDevice       # fail the pod if the node lacks the tun device
```