Update kmstool documentation
Since Docker 24.x the `socket` syscall with the `vsock` argument is restricted through seccomp rules by default:
moby/moby#44562

It should be safe to lift those seccomp restrictions completely with a dedicated flag when launching the container on the parent instance. The container is not used for isolation here, but more for a reproducible environment.
eugkoira authored and meerd committed Mar 6, 2024
1 parent 498d141 commit 00c6048
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/kmstool.md
@@ -291,7 +291,7 @@ Back on the first terminal session where you [encrypted the test message](#encry
CMK_REGION=us-east-1 # Must match above
ENCLAVE_CID=$(nitro-cli describe-enclaves | jq -r .[0].EnclaveCID)
# Run docker with network host to allow it to fetch IAM credentials with IMDSv2
docker run --network host -it kmstool-instance \
docker run --network host --security-opt seccomp=unconfined -it kmstool-instance \
/kmstool_instance --cid "$ENCLAVE_CID" --region "$CMK_REGION" "$CIPHERTEXT"
```
PowerShell:
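Review bot: `--security-opt seccomp=unconfined` on the new `docker run` line disables the entire default seccomp filter, which is broader than the single `socket`/`vsock` restriction the commit message cites, and the only comment on the command (`# Run docker with network host to allow it to fetch IAM credentials with IMDSv2`) explains `--network host` but not why the syscall filter is dropped. Suggest either pointing readers at a narrower custom profile (the default profile with the `socket` call for the `vsock` address family allowed, passed as `--security-opt seccomp=<profile.json>`) or at minimum adding a comment beside the flag, e.g. `# Docker 24+ default seccomp profile blocks vsock sockets; lift it so kmstool_instance can reach the enclave`, so that someone copying the command knows what it gives up and why.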

0 comments on commit 00c6048