Accepting request 1030208 from home:aplanas:branches:devel:BCI:Tumbleweed

- Add "exec" in keylime-control-plane-start.sh
- Drop docker-entrypoint.sh script
- Add README documentation

OBS-URL: https://build.opensuse.org/request/show/1030208
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/keylime-control-plane-image?expand=0&rev=2

Dockerfile

@@ -30,7 +30,6 @@ LABEL UNINSTALL="podman volume rm keylime-control-plane-volume"
 
 RUN set -euo pipefail; \
     zypper -n in --no-recommends \
-      findutils \
       keylime-registrar \
       keylime-verifier \
       keylime-tenant \
@@ -41,13 +40,10 @@ RUN set -euo pipefail; \
     zypper -n clean; \
     rm -rf /var/log/*
 
-COPY docker-entrypoint.sh /
 COPY keylime-control-plane-start.sh /
 RUN set -euo pipefail; \
-    chmod a+x /docker-entrypoint.sh; \
     chmod a+x /keylime-control-plane-start.sh
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/keylime-control-plane-start.sh"]
 VOLUME ["/var/lib/keylime"]
 EXPOSE 8881 8890 8891

README

@@ -0,0 +1,70 @@
+Keylime control plane
+---------------------
+
+This container delivers the control plane service (verifier and
+registrar) and command line tool (tenant) for the Keylime project for
+remote attestation based on TPM2.
+
+
+Installation and use
+--------------------
+
+The container is already present in the OBS project
+devel:microos:containers, and can be pulled directly from it.
+
+  podman pull \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+The different services will require an additional volume to persist
+the database and certificates required during the attestation process.
+A volume can be created running the "install" label.
+
+  podman container runlabel install \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+This will create the "keylime-control-plane-volume" volume.  This
+command should be executed only one time.
+
+To launch the services we can execute the "run" label.
+
+  podman container runlabel run \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
+
+This will create the "keylime-control-plane-container" container, and
+inside there the Keylime registrar and verifier services will be
+configured and executed.
+
+Internally it will expose several ports from the container into the
+host, using the default values.  Validate the firewall configuration
+to allow the access to those ports, and to allow communication
+intra-containers, as this will be required later when we execute the
+tenant CLI.
+
+We can monitor the status with podman.
+
+  podman ps
+
+  podman logs keylime-control-plane-container
+
+The first time that this container gets executed, the services will
+create a certificate that will be required later by the different
+agents.  We can extract the certificate with this command:
+
+    podman cp \
+      keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .
+
+Another possibility is to mount the "keylime-control-plane-volume" and
+copy it from there.
+
+The tenant CLI tool is present in the container, and if the host
+firewall is properly configured, it can be executed using the same
+image.
+
+    podman run --rm \
+      -v keylime:/var/lib/keylime \
+      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest \
+      keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist
+
+We can stop the services via the kill command.
+
+    podman kill keylime-control-plane-container

docker-entrypoint.sh

@@ -1,45 +0,0 @@
-#!/bin/sh
-
-set -e
-
-entrypoint_log() {
-    if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
-        echo "$@"
-    fi
-}
-
-if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
-    entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
-    entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
-    find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
-        case "$f" in
-            *.envsh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Sourcing $f";
-                    source "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *.sh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Launching $f";
-                    "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *) entrypoint_log "$0: Ignoring $f";;
-        esac
-    done
-
-    entrypoint_log "$0: Configuration complete; ready for start up"
-else
-    entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
-fi
-
-
-exec "$@"

keylime-control-plane-image.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add "exec" in keylime-control-plane-start.sh
+- Drop docker-entrypoint.sh script
+- Add README documentation
+
 -------------------------------------------------------------------
 Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
 

keylime-control-plane-start.sh

@@ -6,4 +6,4 @@ set -e
 /usr/bin/keylime_verifier &
 # TODO fix the race condition
 sleep 2
-/usr/bin/keylime_registrar
+exec /usr/bin/keylime_registrar