TL;DR: Nitrogen is a tool for deploying web servers, databases, and other services to AWS Nitro Enclaves. Given a Dockerfile, Nitrogen will spin up an EC2 instance, configure external networking, and build and deploy your web service. What you get back is a hostname and port that's ready to use. Nitrogen is fully open source and comes with pre-built scripts for popular services like Redis and Nginx. For example, to deploy Nginx, first install Nitrogen:
curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh
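Piping a script from a mutable branch straight into sh runs whatever that URL serves at that moment. As an added example (not part of the original post or the Nitrogen project), this sketch downloads the installer to a file, checks it against a SHA-256 digest you recorded after reviewing the script, and only then runs it. The function names are hypothetical, and <COMMIT_SHA> and the digest are placeholders to fill in yourself.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a pinned SHA-256
# before running it. Function names are illustrative, not Nitrogen's.

# Print the SHA-256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected-hex-digest>
# Returns 0 on an exact match, 1 on mismatch, 2 if the file is missing.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch: got $actual, want $2" >&2
        return 1
    fi
}

# install_pinned <url> <expected-hex-digest>
# Download fully to a temp file, verify, then run. A truncated download or
# a changed script never reaches the shell.
install_pinned() {
    tmp=$(mktemp) || return 2
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$1" &&
       verify_sha256 "$tmp" "$2"; then
        sh "$tmp"; rc=$?
    else
        echo "refusing to run installer from $1" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholders: pin a commit you reviewed and the digest you recorded):
# install_pinned \
#   "https://raw.githubusercontent.com/capeprivacy/nitrogen/<COMMIT_SHA>/install.sh" \
#   "<SHA256_YOU_RECORDED_AFTER_REVIEW>"
```

Pinning the URL to a commit instead of main keeps the reviewed script and the downloaded script the same file, so the digest stays valid until you choose to update it.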
Clone the examples:
git clone git@github.com:capeprivacy/nitrogen.git
cd nitrogen
Note: An AWS account is required. If you have the AWS CLI configured, you can retrieve your credentials with cat ~/.aws/credentials. See troubleshooting if your AWS account uses MFA.
export AWS_ACCESS_KEY_ID=<YOUR ACCESS KEY>
export AWS_SECRET_ACCESS_KEY=<YOUR SECRET>
And then set up, build, and deploy:
nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub
nitrogen build ./examples/nginx
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa
And that's it! You have a Nitro Enclave running Nginx:
A Nitro Enclave can run almost anything that a regular EC2 instance can, but typically you need to do a lot of work to get there. A Nitro Enclave is an isolated VM carved out of an EC2 instance by the Nitro Hypervisor. By default, it has no network, no disk, and no shell access. (Even a root user has no access!) These constraints are core security features, but you need to open things up a little in order to run your application. (A complete black box would have no effect on the outside world!) To understand this complexity, see Running an HTTP Server with AWS Nitro Enclaves by @bendecoste.
Nitrogen makes working with Nitro Enclaves super easy. Let's walk through the example of deploying Nginx with Nitrogen in more detail...
# nitrogen setup <name> <public_key>
nitrogen setup my-nginx-enclave ~/.ssh/id_rsa.pub
nitrogen setup uses CloudFormation to spawn an EC2 instance and configure networking like SSH. You can now SSH into the EC2 instance if you want, but you don't need to. Nitrogen defaults to the m5a.xlarge EC2 instance type but you can also specify
# nitrogen build <dockerfile-directory>
nitrogen build ./examples/nginx
nitrogen build will first build a Docker image from the Dockerfile you specify, and then convert it to an Enclave Image File (EIF) and save it locally.
# nitrogen deploy <name> <private_key>
nitrogen deploy my-nginx-enclave ~/.ssh/id_rsa
# Listening: ec2-34-56-789-0.compute-1.amazonaws.com:5000
nitrogen deploy will upload the EIF to the EC2 instance and launch it into the Nitro Enclave.
And that's it! Nginx is now set up and running on an AWS Nitro Enclave and we can curl the server.
curl https://ec2-34-56-789-0.compute-1.amazonaws.com:5000
# Hello World!
In a follow-up post we'll walk through how Nitrogen works under the hood. And we'll share more details about the roadmap.
For now, you can curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh and start using it. We'd love to hear what you think in the comments below. Please star Nitrogen on GitHub, and come chat on Discord. Thanks!