diff --git a/Dockerfile b/Dockerfile
index 44c278f..b675bfe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,7 +30,6 @@ LABEL UNINSTALL="podman volume rm keylime-control-plane-volume"
 RUN set -euo pipefail; \
 zypper -n in --no-recommends \
- findutils \
 keylime-registrar \
 keylime-verifier \
 keylime-tenant \
@@ -41,13 +40,10 @@ RUN set -euo pipefail; \
 zypper -n clean; \
 rm -rf /var/log/*
-COPY docker-entrypoint.sh /
 COPY keylime-control-plane-start.sh /
 RUN set -euo pipefail; \
- chmod a+x /docker-entrypoint.sh; \
 chmod a+x /keylime-control-plane-start.sh
-ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/keylime-control-plane-start.sh"]
 VOLUME ["/var/lib/keylime"]
 EXPOSE 8881 8890 8891
diff --git a/README b/README
new file mode 100644
index 0000000..5cc0acf
--- /dev/null
+++ b/README
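Review bot: In the second hunk `COPY keylime-control-plane-start.sh /` is still followed by a separate `RUN set -euo pipefail; chmod a+x /keylime-control-plane-start.sh`, which spends an extra layer and a shell invocation on a mode bit that COPY can set itself. If the OBS build frontend supports the flag, the two instructions collapse into `COPY --chmod=0755 keylime-control-plane-start.sh /` and the RUN goes away. Dropping findutils in the first hunk looks consistent with removing the only consumer of find in the deleted entrypoint, assuming nothing else in the image depends on it.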
@@ -0,0 +1,70 @@
+Keylime control plane
+---------------------
+
+This container delivers the control plane service (verifier and
+registrar) and command line tool (tenant) for the Keylime project for
+remote attestation based on TPM2.
+
+
+Installation and use
+--------------------
+
+The container is already present in the OBS project
+devel:microos:containers, and can be pulled directly from it.
+
+ podman pull \
+ registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+The different services will require an additional volume to persist
+the database and certificates required during the attestation process.
+A volume can be created running the "install" label.
+
+ podman container runlabel install \
+ registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+This will create the "keylime-control-plane-volume" volume. This
+command should be executed only one time.
+
+To launch the services we can execute the "run" label.
+
+ podman container runlabel run \
+ registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+This will create the "keylime-control-plane-container" container, and
+inside there the Keylime registrar and verifier services will be
+configured and executed.
+
+Internally it will expose several ports from the container into the
+host, using the default values. Validate the firewall configuration
+to allow the access to those ports, and to allow communication
+intra-containers, as this will be required later when we execute the
+tenant CLI.
+
+We can monitor the status with podman.
+
+ podman ps
+
+ podman logs keylime-control-plane-container
+
+The first time that this container gets executed, the services will
+create a certificate that will be required later by the different
+agents. We can extract the certificate with this command:
+
+ podman cp \
+ keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .
+
+Another possibility is to mount the "keylime-control-plane-volume" and
+copy it from there.
+
+The tenant CLI tool is present in the container, and if the host
+firewall is properly configured, it can be executed using the same
+image.
+
+ podman run --rm \
+ -v keylime:/var/lib/keylime \
+ registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest \
+ keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist
+
+We can stop the services via the kill command.
+
+ podman kill keylime-control-plane-container
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100644
index 0b778bb..0000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-
-set -e
-
-entrypoint_log() {
- if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
- echo "$@"
- fi
-}
-
-if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
- entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
- entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
- find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
- case "$f" in
- *.envsh)
- if [ -x "$f" ]; then
- entrypoint_log "$0: Sourcing $f";
- source "$f"
- else
- # warn on shell scripts without exec bit
- entrypoint_log "$0: Ignoring $f, not executable";
- fi
- ;;
- *.sh)
- if [ -x "$f" ]; then
- entrypoint_log "$0: Launching $f";
- "$f"
- else
- # warn on shell scripts without exec bit
- entrypoint_log "$0: Ignoring $f, not executable";
- fi
- ;;
- *) entrypoint_log "$0: Ignoring $f";;
- esac
- done
-
- entrypoint_log "$0: Configuration complete; ready for start up"
-else
- entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
-fi
-
-
-exec "$@"
diff --git a/keylime-control-plane-image.changes b/keylime-control-plane-image.changes
index 2e2c74c..55453de 100644
--- a/keylime-control-plane-image.changes
+++ b/keylime-control-plane-image.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez
+
+- Add "exec" in keylime-control-plane-start.sh
+- Drop docker-entrypoint.sh script
+- Add README documentation
+
 -------------------------------------------------------------------
 Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez
diff --git a/keylime-control-plane-start.sh b/keylime-control-plane-start.sh
index dfedd30..b79a239 100644
--- a/keylime-control-plane-start.sh
+++ b/keylime-control-plane-start.sh
@@ -6,4 +6,4 @@ set -e
 /usr/bin/keylime_verifier &
 # TODO fix the race condition
 sleep 2
-/usr/bin/keylime_registrar
+exec /usr/bin/keylime_registrar
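Review bot: `exec /usr/bin/keylime_registrar` makes the registrar PID 1, but `/usr/bin/keylime_verifier &` two lines above stays a backgrounded child that nothing waits on, so a verifier crash leaves the container running half-dead, the exited verifier lingers as a zombie unless the registrar happens to reap it, and `podman stop` only signals the registrar. Running verifier and registrar as two containers over the shared volume would fix this cleanly; if they must share one, keep the shell as supervisor instead of exec'ing: background both, forward the stop signal with something like `trap 'kill -TERM 0' TERM INT`, `wait` on the children, and exit non-zero when either service has died. At minimum a `HEALTHCHECK` probing both service ports would expose the half-dead state to the orchestrator. The script's shebang and the `set -e` shown in the hunk header sit outside the hunk.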