- Download our docker-compose.yml file.
$ wget https://raw.githubusercontent.com/enclave-networks/container.enclave/main/docker-compose.yml
- Set the value of ENCLAVE_ENROLMENT_KEY in the docker-compose.yml file to an Ephemeral Enrolment Key. Visit https://enclave.io to create an account; you can get an Ephemeral Enrolment Key from the portal once you're signed in. Treat the key as a secret: it enrols a new system into your account, so keep it out of version control.
- Bring the container up.
$ docker-compose up -d
- Check the container is up. Once it is running, the System will be available in the Enclave Portal for you to configure and define policy for.
$ docker exec fabric enclave status
Visit https://enclave.io to create an account. You'll need to get an Ephemeral Enrolment Key from the portal once you're signed in.
Run the container and pass your Enrolment Key as an environment variable using the -e flag (ENCLAVE_ENROLMENT_KEY). Once Enclave is running you can detach from the container with Ctrl-p then Ctrl-q, or pass -d to docker run to start the container directly in detached mode.
$ docker run -it \
--name fabric \
--cap-add NET_ADMIN \
--device /dev/net/tun \
-e ENCLAVE_ENROLMENT_KEY='XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' \
-t enclavenetworks/enclave:latest
Enrolment keys can also be passed to the container as command line arguments, by appending start --enrolment-key XXXXX-XXXXX-XXXXX-XXXXX-XXXXX to the docker run command in place of the -e flag. Note that a key given on the command line is visible to anyone who can run docker inspect or ps on the host, whereas the environment variable is visible only via docker inspect.
Note: Running Enclave inside a docker container requires more than just basic privileges. Specifically, you must provide the --cap-add NET_ADMIN and --device /dev/net/tun options for Enclave to create a tap device inside the container. These two options are sufficient and are scoped to the container's own network namespace, so do not substitute --privileged for them, and do not combine them with --network host, which would give the container NET_ADMIN over the host's network stack.
If your container stops, restart it using docker restart fabric.
$ docker exec fabric enclave status
Local identity: R899Q
Release version . . : 2021.1.1.532
Profile name. . . . : Universe
Profile location. . : /etc/enclave/profiles/Universe.profile
Certificate . . . . : CN=R899Q Expires=Never (Perpetual Issue)
Binding address . . : 0.0.0.0:37873
Local nameserver. . : listening on 100.110.213.200:53
Virtual adapter . . : tap0 (#2) BE:18:63:A5:3A:2D
Virtual address . . : 100.110.213.200
Virtual network . . : 100.64.0.0/10 (255.192.0.0)
Capabilities. . . . : enclave\fakearp active pri=4096 local rewrites=0 peer discards=0
: enclave\unicast active pri=8192 tap eth=0 ipv4=0 ipv6=0 - partners total=0 spoofed origin discards=0
: enclave\multicast active pri=8200 igmp membership packets ipv4=0 ipv6=0
Peer: discover.enclave.io
Peer state. . . . . : Up
Certificate . . . . : CN=discover.enclave.io Expires=08/06/2024 09:59:59
Endpoint. . . . . . : Tcp/161.35.171.235:443
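The enclave status output above is the signal that enrolment has completed and the discovery service is reachable. The following script, an added example rather than part of the Enclave project or its container image, parses that output so a deployment script can wait for the container to come up before depending on it, and extracts the Virtual address that the DNS step later in this page needs. The sample text is constructed from the status output shown above, trimmed to the relevant lines; the container name fabric and the docker exec form follow this page, and the wait_for_enclave function and its timeout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Enclave project code): parse `enclave status` output.
# SAMPLE_STATUS is constructed from the status output shown on this page,
# trimmed to the lines the functions below use.
SAMPLE_STATUS='Local identity: R899Q
Release version . . : 2021.1.1.532
Binding address . . : 0.0.0.0:37873
Local nameserver. . : listening on 100.110.213.200:53
Virtual adapter . . : tap0 (#2) BE:18:63:A5:3A:2D
Virtual address . . : 100.110.213.200
Virtual network . . : 100.64.0.0/10 (255.192.0.0)
Peer: discover.enclave.io
Peer state. . . . . : Up
Certificate . . . . : CN=discover.enclave.io Expires=08/06/2024 09:59:59
Endpoint. . . . . . : Tcp/161.35.171.235:443'

# Print the virtual (100.64.0.0/10) address from status text read on stdin.
# The "key . . . : value" layout is split on the first ": " of the line.
enclave_virtual_address() {
    awk -F': *' '/^Virtual address/ { print $2; exit }'
}

# Print the state ("Up", "Down", ...) of the peer named in $1, reading
# status text from stdin. Prints nothing if that peer is not listed.
# A "Peer:" line starts a peer block; the "Peer state" line that follows
# belongs to it.
enclave_peer_state() {
    awk -v peer="$1" '
        /^Peer:/                         { current = $2 }
        /^Peer state/ && current == peer { sub(/.*: */, ""); print; exit }
    '
}

# Succeed (exit 0) only when the named peer is Up; usable as a condition.
enclave_peer_is_up() {
    [ "$(enclave_peer_state "$1")" = "Up" ]
}

# Poll a running container until it has enrolled and can reach
# discover.enclave.io, then print the --dns argument to pass to a
# container that should resolve *.enclave names through it.
# $1 = container name (fabric on this page), $2 = timeout in seconds
# (assumed default: 60). Not invoked here because it needs a live daemon.
wait_for_enclave() {
    name="$1"
    deadline=$(( $(date +%s) + ${2:-60} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        status=$(docker exec "$name" enclave status 2>/dev/null) || status=''
        if printf '%s\n' "$status" | enclave_peer_is_up discover.enclave.io; then
            addr=$(printf '%s\n' "$status" | enclave_virtual_address)
            printf '%s %s\n' --dns "$addr"
            return 0
        fi
        sleep 2
    done
    echo "enclave container $name did not come up within ${2:-60}s" >&2
    return 1
}
```

Source the file and call wait_for_enclave fabric 120 after docker-compose up -d or docker run -d; its output is the --dns flag for the resolv.conf step below. A peer that is listed but not Up (a stale enrolment, or no route to the discovery endpoint on Tcp/443) makes the check fail rather than pass silently, which is what you want in front of a deployment that assumes the fabric is reachable.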
Authorise connections to the systems you need to reach (and make sure those systems have authorised your Local Identity in return).
$ docker exec fabric enclave add 8H62G -d "teamcity"
$ docker exec fabric enclave add Q8V28 -d "raspberry pi"
$ docker exec fabric enclave add 7L5GY -d "sarah laptop"
$ docker exec fabric enclave add 4Y66W -d "mongodb-nyc-1"
$ docker exec fabric enclave add Y7339 -d "mongodb-nyc-2"
$ docker exec fabric enclave add 968G2 -d "mongodb-lon-3"
Add your container's Virtual address, as reported by enclave status (100.110.213.200 in the status output above), as a DNS server for your docker container so that system names under the .enclave domain resolve; the resolv.conf shown below was captured on a system whose Virtual address was 100.82.99.37. The docker way to do this is the --dns flag on docker run (or dns: in docker-compose.yml), which requires recreating the container once the address is known; editing /etc/resolv.conf inside the running container also works but does not survive a recreate. Print the contents of /etc/resolv.conf to verify the change and install the ping utility to verify peers are accessible by hostname.
$ docker exec fabric cat /etc/resolv.conf
nameserver 100.82.99.37
nameserver 8.8.8.8
$ docker exec fabric sh -c 'apt-get update && apt-get install -y iputils-ping'
$ docker exec fabric ping teamcity.enclave
PING teamcity.enclave (100.73.136.78) 56(84) bytes of data.
64 bytes from 100.73.136.78 (100.73.136.78): icmp_seq=1 ttl=128 time=17.4 ms
64 bytes from 100.73.136.78 (100.73.136.78): icmp_seq=2 ttl=128 time=13.9 ms
You can also configure other containers to share the IP stack of your Enclave container using the --network docker argument. By running new, or existing, containers which share the IP stack of an Enclave container, you can quickly and easily expose those containers to other infrastructure connected to your Enclave container, without needing to map ports or change network configuration. Be aware that every port a container in the shared namespace listens on becomes reachable by every peer your Enclave policy authorises, and that the containers also share loopback, so a service bound to 127.0.0.1 in one is reachable from the other:
$ sudo docker run --name my-nginx \
--network="container:fabric" \
-d nginx
Create a "dirty" working container that shares the network stack of your Enclave container and can therefore communicate with connected peers.
$ docker run -it --rm --network="container:fabric" ubuntu:20.04
root@74f19fa990b1:/# apt-get update && apt-get install -y net-tools nano iputils-ping
root@74f19fa990b1:/# ping teamcity.enclave
PING teamcity.enclave (100.73.136.78) 56(84) bytes of data.
64 bytes from 100.73.136.78 (100.73.136.78): icmp_seq=1 ttl=128 time=17.4 ms
64 bytes from 100.73.136.78 (100.73.136.78): icmp_seq=2 ttl=128 time=13.9 ms
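The docker run, restart, DNS and --network steps on this page collapse into one compose file. The following is an added example written for this page; it is not the docker-compose.yml served from the container.enclave repository, so compare it against that file before use. It grants exactly the privileges the Note above requires (no --privileged, no host networking), reads the enrolment key from the environment so it is never committed, and attaches the nginx container from the --network example to fabric's network namespace. The dns entry is commented out because the Virtual address is only known after the first enrolment; the version string and the restart policy are assumptions of this example.

```yaml
# Added example for this page; not the project's own docker-compose.yml.
version: "3.8"

services:
  fabric:
    # Pin a specific release tag in production; `latest` is mutable.
    image: enclavenetworks/enclave:latest
    container_name: fabric            # so `docker exec fabric enclave status` works
    restart: unless-stopped           # replaces the manual `docker restart fabric`
    # The two privileges the Note above requires, and nothing more.
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      # Taken from the shell or a .env file; compose aborts with this
      # message if the variable is unset, so a key never ends up in git.
      ENCLAVE_ENROLMENT_KEY: "${ENCLAVE_ENROLMENT_KEY:?set an Ephemeral Enrolment Key}"
    # After the first `enclave status`, put the container's Virtual address
    # here so *.enclave names resolve (100.110.213.200 in the output above),
    # then `docker-compose up -d` again to recreate the container.
    # dns:
    #   - 100.110.213.200

  my-nginx:
    image: nginx
    # Share fabric's network namespace: every port nginx listens on is
    # reachable by each peer that Enclave policy authorises, with no port
    # mapping, and nginx resolves peers through fabric's nameserver.
    network_mode: "service:fabric"
    depends_on:
      - fabric
```

Run it with ENCLAVE_ENROLMENT_KEY=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX docker-compose up -d, or put the key in a .env file next to the compose file and add that file to .gitignore. A container sharing fabric's namespace cannot set its own dns or ports keys; docker rejects the combination, which is why both live on the fabric service.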