Run Edera

At the end of this guide, you will have launched an isolated zone and run a workload inside it.

Launch a zone

Launching a zone typically takes less than a minute. If it takes longer, check logs with sudo journalctl -u protect-daemon -n 50.

sudo protect zone launch -n test-zone --wait
sudo protect zone list

Expected output:

┌───────────┬──────────────────────────────────────┬───────┬──────────────┬──────────────────────┐
│ name      ┆ uuid                                 ┆ state ┆ ipv4         ┆ ipv6                 │
╞═══════════╪══════════════════════════════════════╪═══════╪══════════════╪══════════════════════╡
│ test-zone ┆ 1aa92875-eafa-47c9-ba31-f1e63e50079d ┆ ready ┆ 10.75.0.2/16 ┆ fdd4:1476:6c7e::2/48 │
└───────────┴──────────────────────────────────────┴───────┴──────────────┴──────────────────────┘

A zone in ready state is running and available.

Run a workload

Launch an interactive shell inside the zone:

sudo protect workload launch \
  --zone test-zone \
  --name alpine-shell \
  -t -a \
  docker.io/library/alpine:latest sh

Once inside, run uname -r to confirm you’re running in an isolated zone with its own kernel:

uname -r
# Expected: 6.18.18

Type exit to leave the shell.

Troubleshooting

Show troubleshooting steps

Daemon not running after reboot

Check logs: sudo journalctl -u protect-daemon -n 50
Verify Xen booted: ls /proc/xen (if missing, the machine booted into the stock kernel instead of Xen)
Verify UEFI boot: [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS

Instance unreachable after reboot

Wait 2-3 minutes — Xen boot takes longer than a normal boot. If still unreachable, check the EC2 serial console for boot errors.

Common daemon errors:

“no viable machine identifiers” — The instance may be in BIOS boot mode. Terminate and relaunch with a UEFI-compatible AMI.
Xen not present (/proc/xen missing) — GRUB booted into the stock kernel instead of Xen. Check sudo grub-editenv list and verify the saved entry matches a Xen menu entry.

Missing license key

If the daemon fails with a missing license error, inject it manually:

sudo mkdir -p /var/lib/edera/protect
echo $EDERA_LICENSE_KEY | sudo tee /var/lib/edera/protect/license.key
sudo systemctl restart protect-daemon

For additional help, file an issue on GitHub.

Clean up

When you’re done evaluating, terminate the instance and delete the security group:

aws ec2 terminate-instances --instance-ids <INSTANCE_ID>
aws ec2 delete-security-group --group-id <YOUR_SG_ID>

ℹ️

Deactivate your node at on.edera.dev before terminating so you can reuse your license on another instance.

Learn more

Validate your installation — Verify Edera is protecting your workloads
Edera Concepts — How Edera isolation works
Edera CLI Reference — protect-ctl command reference

Last updated on 2026-04-15