Cannot build an enclave file after a couple of successful runs of nitro-cli build-enclave

[nshyrei]

After a couple of successful builds nitro-cli crashes with:
Linuxkit reported an error while creating the customer ramfs: "Add init containers: Process init image: docker.io/library/<my image> Add files: rootfs/dev rootfs/run rootfs/sys rootfs/var rootfs/proc rootfs/tmp cmd env Create outputs:"

The /log/nitro-enclaves says:
Action: Build Enclave Subactions: Failed to build enclave Failed to build EIF from docker Failed to create EIF image: LinuxkitExecError Root error file: src/lib.rs Root error line: 152 Build commit: v1.0.10-42-gde77067
The only solution to fix this that I have found is to restart EC2 machine.

[alcioa]

@charlolizard is this issue still happening? What size is your docker image and the instance size?

[nshyrei]

Sorry for the late reply, it has cleared itself.

[nshyrei]

@alcioa It looks like this issue appears again, now I am not able to fix it with restart. I am trying to convert this application: https://hub.docker.com/r/fortanix/python-flask

[nshyrei]

This is happening on a images close to and bigger than 1 GB in size. I am running Amazon linux with 32GB of mem.

cat /etc/os-release NAME="Amazon Linux" VERSION="2" ID="amzn"

cat /proc/meminfo MemTotal: 32510304 kB
Edit: you can use simple python docker image like FROM python:3.9 to reproduce this.

[AnatolyTikhonov]

@charlolizard I had similar error on large image when building the eif file on Amazon linux 16GB instance.
The problem was that I allocated too much memory (12GB) for enclave. So there was not enough memory to build the image.
The solution for me was to reduce the allocated memory to 4096MB in /etc/nitro_enclaves/allocator.yaml and reboot the instance.
Hope this helps.

[russellhaering]

I just resolved this for myself. There are multiple potential causes, but one that I think might be hitting people here:

There is an upper limit of 1GB on image sizes, caused by how nitro-cli is invoking linuxkit (see: linuxkit/linuxkit#3759).

One possibility is that your docker image is just naturally over 1GB.

But what happened to me is that I was building .eif images and dumping them out into the same directory where I'm building docker images. Then the next time I built a docker image it would copy in the previous .eif file, making each image recursively larger than the last.

The quickest fix for early experimenting is just to add *.eif to a .dockerignore file in the root of your repository.

[davidnugent2425]

This issue seems to be due to a lack of available RAM on the instance which is running the build. I was getting this error message until I increased the amount of RAM I had available on my instance. Now I am able to build images much larger than 1GiB, which shows that it's not a linuxkit issue.
The larger the image you are trying to build, the more RAM you will need.

[imentus-rahul]

I'm facing similar issue.
My docker image size is 4.58GB, and I'm using ubuntu:latest in docker image

When I try to build the nitro-enclave with above image, I get following error: Linuxkit reported an error while creating the customer ramfs: "Add init containers:\nProcess init image: docker.io/library/mpc-server:latest\nAdd files:\n  rootfs/dev\n  rootfs/run\n  rootfs/sys\n  rootfs/var\n  rootfs/proc\n  rootfs/tmp\n  cmd\n  env\nCreate outputs:\n"

I'm using c6.2xlarge (16GB, 70GB), I've changed default /etc/nitro_enclaves/allocator.yaml with memory as 10240, and restarted allocator service. Still facing same issue.

Is it even possible or not, to have docker size more than 1 GB in nitro-enclave image file?