71 lines
2.5 KiB
Plaintext
71 lines
2.5 KiB
Plaintext
|
Keylime control plane
|
||
|
---------------------
|
||
|
|
||
|
This container delivers the control plane service (verifier and
|
||
|
registrar) and command line tool (tenant) for the Keylime project for
|
||
|
remote attestation based on TPM2.
|
||
|
|
||
|
|
||
|
Installation and use
|
||
|
--------------------
|
||
|
|
||
|
The container is already present in the OBS project
|
||
|
devel:microos:containers, and can be pulled directly from it.
|
||
|
|
||
|
podman pull \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
||
|
|
||
|
The different services will require an additional volume to persist
|
||
|
the database and certificates required during the attestation process.
|
||
|
A volume can be created running the "install" label.
|
||
|
|
||
|
podman container runlabel install \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
||
|
|
||
|
This will create the "keylime-control-plane-volume" volume. This
|
||
|
command should be executed only one time.
|
||
|
|
||
|
To launch the services we can execute the "run" label.
|
||
|
|
||
|
podman container runlabel run \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
||
|
|
||
|
This will create the "keylime-control-plane-container" container, and
|
||
|
inside there the Keylime registrar and verifier services will be
|
||
|
configured and executed.
|
||
|
|
||
|
Internally it will expose several ports from the container into the
|
||
|
host, using the default values. Validate the firewall configuration
|
||
|
to allow the access to those ports, and to allow communication
|
||
|
intra-containers, as this will be required later when we execute the
|
||
|
tenant CLI.
|
||
|
|
||
|
We can monitor the status with podman.
|
||
|
|
||
|
podman ps
|
||
|
|
||
|
podman logs keylime-control-plane-container
|
||
|
|
||
|
The first time that this container gets executed, the services will
|
||
|
create a certificate that will be required later by the different
|
||
|
agents. We can extract the certificate with this command:
|
||
|
|
||
|
podman cp \
|
||
|
keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .
|
||
|
|
||
|
Another possibility is to mount the "keylime-control-plane-volume" and
|
||
|
copy it from there.
|
||
|
|
||
|
The tenant CLI tool is present in the container, and if the host
|
||
|
firewall is properly configured, it can be executed using the same
|
||
|
image.
|
||
|
|
||
|
podman run --rm \
|
||
|
-v keylime:/var/lib/keylime \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest \
|
||
|
keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist
|
||
|
|
||
|
We can stop the services via the kill command.
|
||
|
|
||
|
podman kill keylime-control-plane-container
|