From 00c6048945a3adbb84bd269f8388282d81110499 Mon Sep 17 00:00:00 2001 From: Eugene Koira Date: Wed, 6 Mar 2024 15:31:08 +0100 Subject: [PATCH] Update kmstool documentation Since Docker 24.x `socket` syscall for `vsock` argument is restricted through seccomp rules by default: https://github.com/moby/moby/pull/44562 It should be safe to lift those seccomp restrictions completely with a dedicated flag when launching container on parent instance. Container is not used for isolation here, but more for reproducible environment. --- docs/kmstool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/kmstool.md b/docs/kmstool.md index 2cda75a..01091a6 100644 --- a/docs/kmstool.md +++ b/docs/kmstool.md @@ -291,7 +291,7 @@ Back on the first terminal session where you [encrypted the test message](#encry CMK_REGION=us-east-1 # Must match above ENCLAVE_CID=$(nitro-cli describe-enclaves | jq -r .[0].EnclaveCID) # Run docker with network host to allow it to fetch IAM credentials with IMDSv2 -docker run --network host -it kmstool-instance \ +docker run --network host --security-opt seccomp=unconfined -it kmstool-instance \ /kmstool_instance --cid "$ENCLAVE_CID" --region "$CMK_REGION" "$CIPHERTEXT" ``` PowerShell:
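Review bot: `--security-opt seccomp=unconfined` on the changed `docker run` line drops the whole default seccomp profile, while the commit message only needs the `socket` syscall for the vsock address family that the linked moby change started filtering. A narrower option that keeps the rest of the default profile is to ship a custom profile alongside the docs (the default profile with a `socket` rule permitting the vsock family) and pass it with `--security-opt seccomp=<path-to-profile.json>`; if the maintainers prefer to stay with `unconfined`, the reasoning from the commit message (the container is a reproducible environment, not an isolation boundary) belongs in the doc itself, since the comment directly above the command currently explains only `--network host`, e.g. `# Docker's default seccomp profile blocks vsock sockets; lift it so kmstool_instance can reach the enclave`. Also, the hunk's trailing context shows a `PowerShell:` section right after this bash block, and the diffstat is one insertion and one deletion, so if that section carries the same `docker run` invocation it still lacks the new flag and will fail in the same way the commit message describes.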