Alberto Planas Dominguez
797861c512
- Correct documentation OBS-URL: https://build.opensuse.org/request/show/1069190 OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/keylime-control-plane-image?expand=0&rev=4
71 lines
2.4 KiB
Plaintext
71 lines
2.4 KiB
Plaintext
Keylime control plane
|
|
---------------------
|
|
|
|
This container delivers the control plane service (verifier and
|
|
registrar) and command line tool (tenant) for the Keylime project for
|
|
remote attestation based on TPM2.
|
|
|
|
|
|
Installation and use
|
|
--------------------
|
|
|
|
The container is already present in the OBS project
|
|
devel:microos:containers, and can be pulled directly from it.
|
|
|
|
podman pull \
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
|
|
|
The different services will require an additional volume to persist
|
|
the database and certificates required during the attestation process.
|
|
A volume can be created running the "install" label.
|
|
|
|
podman container runlabel install \
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
|
|
|
This will create the "keylime-control-plane-volume" volume. This
|
|
command should be executed only one time.
|
|
|
|
To launch the services we can execute the "run" label.
|
|
|
|
podman container runlabel run \
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-control-plane:latest
|
|
|
|
This will create the "keylime-control-plane-container" container, and
|
|
inside there the Keylime registrar and verifier services will be
|
|
configured and executed.
|
|
|
|
Internally it will expose several ports from the container into the
|
|
host, using the default values. Validate the firewall configuration
|
|
to allow the access to those ports, and to allow communication
|
|
intra-containers, as this will be required later when we execute the
|
|
tenant CLI.
|
|
|
|
We can monitor the status with podman.
|
|
|
|
podman ps
|
|
|
|
podman logs keylime-control-plane-container
|
|
|
|
The first time that this container gets executed, the services will
|
|
create a certificate that will be required later by the different
|
|
agents. We can extract the certificate with this command:
|
|
|
|
podman cp \
|
|
keylime-control-plane-container:/var/lib/keylime/cv_ca/cacert.crt .
|
|
|
|
Another possibility is to mount the "keylime-control-plane-volume" and
|
|
copy it from there.
|
|
|
|
The tenant CLI tool is present in the container, and if the host
|
|
firewall is properly configured, it can be executed using the same
|
|
image.
|
|
|
|
podman run --rm \
|
|
-v keylime-control-plane-container:/var/lib/keylime \
|
|
keylime-control-plane:latest \
|
|
keylime_tenant -v 10.88.0.1 -r 10.88.0.1 --cert default -c reglist
|
|
|
|
We can stop the services via the kill command.
|
|
|
|
podman kill keylime-control-plane-container
|