Accepting request 1030208 from home:aplanas:branches:devel:BCI:Tumbleweed
- Add "exec" in keylime-control-plane-start.sh
- Drop docker-entrypoint.sh script
- Add README documentation

OBS-URL: https://build.opensuse.org/request/show/1030208
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/keylime-control-plane-image?expand=0&rev=2
parent 7f183ebd5d
commit c7b33211de
@ -30,7 +30,6 @@ LABEL UNINSTALL="podman volume rm keylime-control-plane-volume"

RUN set -euo pipefail; \
zypper -n in --no-recommends \
findutils \
keylime-registrar \
keylime-verifier \
keylime-tenant \
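Review bot: the counts in this header (-30,7 +30,6) show one line dropped from the zypper install list, and from the rest of the change that is findutils, whose only consumer was the find(1) calls in the removed docker-entrypoint.sh. Before relying on it being gone, grep keylime-control-plane-start.sh and the Keylime packages' own helper scripts for find, since nothing else in the image pulls findutils in afterwards.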
@ -41,13 +40,10 @@ RUN set -euo pipefail; \
zypper -n clean; \
rm -rf /var/log/*

COPY docker-entrypoint.sh /
COPY keylime-control-plane-start.sh /
RUN set -euo pipefail; \
chmod a+x /docker-entrypoint.sh; \
chmod a+x /keylime-control-plane-start.sh

ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["/keylime-control-plane-start.sh"]
VOLUME ["/var/lib/keylime"]
EXPOSE 8881 8890 8891
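Review bot: with ENTRYPOINT removed, the exec-form CMD makes /keylime-control-plane-start.sh PID 1 and lets a trailing command on `podman run` (as the README's keylime_tenant example does) replace it outright, which is the intended behaviour. The remaining `RUN set -euo pipefail; chmod a+x /keylime-control-plane-start.sh` layer now exists only for the chmod; if the build backend supports `COPY --chmod=0755 keylime-control-plane-start.sh /`, that RUN layer can go as well.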
README (new file, 70 lines)
@ -0,0 +1,70 @@
Keylime control plane
---------------------

This container delivers the control plane service (verifier and
registrar) and command line tool (tenant) for the Keylime project for
remote attestation based on TPM2.


Installation and use
--------------------

The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it.

podman pull \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest

The different services will require an additional volume to persist
the database and certificates required during the attestation process.
A volume can be created running the "install" label.

podman container runlabel install \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest

This will create the "keylime-control-plane-volume" volume. This
command should be executed only one time.

To launch the services we can execute the "run" label.

podman container runlabel run \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest

This will create the "keylime-control-plane-container" container, and
inside there the Keylime registrar and verifier services will be
configured and executed.

Internally it will expose several ports from the container into the
host, using the default values. Validate the firewall configuration
to allow the access to those ports, and to allow communication
intra-containers, as this will be required later when we execute the
tenant CLI.

We can monitor the status with podman.

podman ps

podman logs keylime-control-plane-container

The first time that this container gets executed, the services will
create a certificate that will be required later by the different
agents. We can extract the certificate with this command:

podman cp \
keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .

Another possibility is to mount the "keylime-control-plane-volume" and
copy it from there.

The tenant CLI tool is present in the container, and if the host
firewall is properly configured, it can be executed using the same
image.

podman run --rm \
-v keylime:/var/lib/keylime \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest \
keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist

We can stop the services via the kill command.

podman kill keylime-control-plane-container
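Review bot: the tenant example mounts `-v keylime:/var/lib/keylime`, but the install label creates `keylime-control-plane-volume`; with the name as written podman silently creates a new, empty `keylime` volume, so `--cert default` will not find the cv_ca material that the earlier `podman cp` step extracts from /var/lib/keylime/cv_ca. Suggest `-v keylime-control-plane-volume:/var/lib/keylime`. Two smaller documentation points: 10.88.0.1 is podman's default bridge gateway and should be named as such, since it differs on custom networks, and "using the default values" for the exposed ports would read better with the three port numbers from the Dockerfile's EXPOSE line and the service that listens on each spelled out, so readers know which to open in the firewall.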
@ -1,45 +0,0 @@
#!/bin/sh

set -e

entrypoint_log() {
if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}

if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"

entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.envsh)
if [ -x "$f" ]; then
entrypoint_log "$0: Sourcing $f";
source "$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*.sh)
if [ -x "$f" ]; then
entrypoint_log "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*) entrypoint_log "$0: Ignoring $f";;
esac
done

entrypoint_log "$0: Configuration complete; ready for start up"
else
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi


exec "$@"
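Review bot: dropping this script is reasonable, since the README documents no /docker-entrypoint.d hook mechanism and nothing in the image ships hooks for it; the removed code was also not correct as a `#!/bin/sh` script, because `source "$f"` in the *.envsh branch is a bashism (POSIX is `. "$f"`) and would fail where /bin/sh is dash. If hook support is wanted again later it should be rewritten as a POSIX script rather than restored from this version.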
@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

- Add "exec" in keylime-control-plane-start.sh
- Drop docker-entrypoint.sh script
- Add README documentation

-------------------------------------------------------------------
Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

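Review bot: the new changelog entry should also record that findutils is dropped from the installed package list (the Dockerfile hunk removes it together with docker-entrypoint.sh), since that is a user-visible change for anyone running find inside the image.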
@ -6,4 +6,4 @@ set -e
/usr/bin/keylime_verifier &
# TODO fix the race condition
sleep 2
/usr/bin/keylime_registrar
exec /usr/bin/keylime_registrar
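Review bot: `exec` makes keylime_registrar PID 1, so signals from `podman kill` and `podman stop` reach it directly, but the verifier started with `&` earlier in the script is then inherited by the registrar, which neither supervises nor reaps it: if the verifier exits, the container keeps running with only the registrar alive, and the `sleep 2` race flagged in the TODO is untouched. Suggest either running the container with `podman run --init` and a small `wait`-based supervisor that exits when either service dies, or at minimum extending the TODO to say that the verifier is not health-checked once the registrar takes over PID 1.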