Running systemd without it being the PID 1 process is challenging because of the unique role PID 1 plays in a Linux system. As the first process started by the kernel, PID 1 is responsible for initializing the system and managing processes, which includes adopting orphaned processes and reaping zombie processes. systemd, designed to handle these responsibilities, requires being PID 1 to function correctly. If systemd is not PID 1, managing system services with it becomes difficult unless another instance of systemd occupies the PID 1 slot.
Nitro Enclaves use a minimal init.c program as PID 1. This simple program handles the essential tasks, such as starting the necessary processes, and is deliberately kept minimal to maintain a small attack surface. Programs within enclaves therefore shouldn't rely on systemd for service management, since the minimal init.c does not provide the extensive service management capabilities of systemd.
In summary, while systemd requires being PID 1 to work properly, Nitro Enclaves use a stripped-down init.c as PID 1, providing just enough functionality to get things started and maintain security in their specialized environment. This setup implies that programs running within enclaves should avoid using systemd for service management.
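As an added illustration, not the Nitro Enclaves project's own init.c, the following C skeleton shows the PID 1 duties the text lists: start the workload, then keep reaping every child the kernel hands to PID 1, including orphans re-parented to it, until the workload exits. The function names (`reap_all`, `start_workload`, `supervise`, `demo_*`) are assumptions for this example; the `demo_*` helpers only construct short-lived children so the behaviour can be checked.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Reap every exited child, blocking until none remain; returns the count. As PID 1
 * this also collects orphans the kernel re-parents to us, so zombies never pile up. */
int reap_all(void) {
    int status, reaped = 0;
    for (;;) {
        pid_t pid = waitpid(-1, &status, 0);
        if (pid > 0) { reaped++; continue; }
        if (pid < 0 && errno == EINTR) continue;
        return reaped;                  /* ECHILD: nothing left to reap */
    }
}
/* Fork the workload and exec it; argv is assumed to name a program in the enclave image. */
pid_t start_workload(char *const argv[]) {
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    return pid;
}
/* Wait for the workload while still reaping any other child (an adopted orphan)
 * that exits first. Returns the workload's exit status, or -1 on signal/error. */
int supervise(pid_t workload) {
    int status;
    for (;;) {
        pid_t pid = waitpid(-1, &status, 0);
        if (pid == workload) return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        if (pid < 0 && errno != EINTR) return -1;
    }
}
/* Constructed self-checks: n short-lived children, then a workload that exits
 * with `code` while an unrelated sibling exits alongside it. */
int demo_reap(int n) {
    for (int i = 0; i < n; i++) if (fork() == 0) _exit(0);
    return reap_all();
}
int demo_supervise(int code) {
    if (fork() == 0) _exit(0);
    pid_t w = fork();
    if (w == 0) _exit(code);
    return supervise(w);
}
int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: init <program> [args...]\n"); return 2; }
    int rc = supervise(start_workload(argv + 1));
    reap_all();                         /* collect stragglers before PID 1 exits */
    return rc;
}
```

Run as PID 1 the reaping loop is what keeps orphaned grandchildren of the workload from lingering as zombies; run as an ordinary process it only reaps its own children, which is the limitation the text describes for systemd outside the PID 1 slot.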