Accepting request 1030208 from home:aplanas:branches:devel:BCI:Tumbleweed

- Add "exec" in keylime-control-plane-start.sh
- Drop docker-entrypoint.sh script
- Add README documentation

OBS-URL: https://build.opensuse.org/request/show/1030208
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/keylime-control-plane-image?expand=0&rev=2
This commit is contained in:
Fabian Vogt 2022-10-20 14:31:39 +00:00 committed by Git OBS Bridge
parent 7f183ebd5d
commit c7b33211de
5 changed files with 78 additions and 50 deletions

View File

@ -30,7 +30,6 @@ LABEL UNINSTALL="podman volume rm keylime-control-plane-volume"
RUN set -euo pipefail; \
zypper -n in --no-recommends \
findutils \
keylime-registrar \
keylime-verifier \
keylime-tenant \
@ -41,13 +40,10 @@ RUN set -euo pipefail; \
zypper -n clean; \
rm -rf /var/log/*
COPY docker-entrypoint.sh /
COPY keylime-control-plane-start.sh /
RUN set -euo pipefail; \
chmod a+x /docker-entrypoint.sh; \
chmod a+x /keylime-control-plane-start.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["/keylime-control-plane-start.sh"]
VOLUME ["/var/lib/keylime"]
EXPOSE 8881 8890 8891

70
README Normal file
View File

@ -0,0 +1,70 @@
Keylime control plane
---------------------
This container delivers the control plane service (verifier and
registrar) and command line tool (tenant) for the Keylime project for
remote attestation based on TPM2.
Installation and use
--------------------
The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it.
podman pull \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
The different services will require an additional volume to persist
the database and certificates required during the attestation process.
A volume can be created running the "install" label.
podman container runlabel install \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
This will create the "keylime-control-plane-volume" volume. This
command should be executed only one time.
To launch the services we can execute the "run" label.
podman container runlabel run \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
This will create the "keylime-control-plane-container" container, and
inside there the Keylime registrar and verifier services will be
configured and executed.
Internally it will expose several ports from the container into the
host, using the default values. Validate the firewall configuration
to allow the access to those ports, and to allow communication
intra-containers, as this will be required later when we execute the
tenant CLI.
We can monitor the status with podman.
podman ps
podman logs keylime-control-plane-container
The first time that this container gets executed, the services will
create a certificate that will be required later by the different
agents. We can extract the certificate with this command:
podman cp \
keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .
Another possibility is to mount the "keylime-control-plane-volume" and
copy it from there.
The tenant CLI tool is present in the container, and if the host
firewall is properly configured, it can be executed using the same
image.
podman run --rm \
-v keylime:/var/lib/keylime \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest \
keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist
We can stop the services via the kill command.
podman kill keylime-control-plane-container

View File

@ -1,45 +0,0 @@
#!/bin/sh
set -e
entrypoint_log() {
if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.envsh)
if [ -x "$f" ]; then
entrypoint_log "$0: Sourcing $f";
source "$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*.sh)
if [ -x "$f" ]; then
entrypoint_log "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*) entrypoint_log "$0: Ignoring $f";;
esac
done
entrypoint_log "$0: Configuration complete; ready for start up"
else
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi
exec "$@"

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Add "exec" in keylime-control-plane-start.sh
- Drop docker-entrypoint.sh script
- Add README documentation
-------------------------------------------------------------------
Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

View File

@ -6,4 +6,4 @@ set -e
/usr/bin/keylime_verifier &
# TODO fix the race condition
sleep 2
/usr/bin/keylime_registrar
exec /usr/bin/keylime_registrar