2022-10-20 16:32:00 +02:00
|
|
|
Keylime agent service
|
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
|
|
This container delivers the Keylime agent service for remote
|
|
|
|
|
attestation based on TPM2. This is the component that needs to be
|
|
|
|
|
installed in all the monitored systems.
|
|
|
|
|
|
|
|
|
|
The control plane, that contains the Keylime services for the verifier
|
|
|
|
|
and the registrar, should be present in the network.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installation and use
|
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
|
|
The container is already present in the OBS project
|
|
|
|
|
devel:microos:containers, and can be pulled directly from it.
|
|
|
|
|
|
|
|
|
|
podman pull \
|
2022-10-28 15:01:00 +02:00
|
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
|
2022-10-20 16:32:00 +02:00
|
|
|
|
|
|
|
|
The agent service needs to be configured before it can be used. It
|
|
|
|
|
will need a persistent volume where to store the certificates and the
|
|
|
|
|
configuration files required to find the control plane services. We
|
|
|
|
|
can create this volume running the "install" label.
|
|
|
|
|
|
|
|
|
|
podman container runlabel install \
|
2022-10-28 15:01:00 +02:00
|
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
|
2022-10-20 16:32:00 +02:00
|
|
|
|
2022-10-28 15:01:00 +02:00
|
|
|
This will create the "keylime-agent-volume" that will be attached into
|
2022-10-20 16:32:00 +02:00
|
|
|
the running container.
|
|
|
|
|
|
|
|
|
|
Now we need to create a configuration file, were we indicate the UUID
|
|
|
|
|
for the agent and the IP of the remote verifier and registrar. For
|
|
|
|
|
that we can run the "configure" label.
|
|
|
|
|
|
|
|
|
|
podman container runlabel configure \
|
2022-10-28 15:01:00 +02:00
|
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest \
|
2022-10-20 16:32:00 +02:00
|
|
|
$(uuidgen) 10.88.0.1
|
|
|
|
|
|
|
|
|
|
The last configuration step is to copy the certificate from the
|
|
|
|
|
control plane into the agent container. This will allow the
|
|
|
|
|
connection between the agent, the verifier and the tenant. For
|
|
|
|
|
details about how to extract this certificate, check the documentation
|
|
|
|
|
of the control plane container.
|
|
|
|
|
|
|
|
|
|
One way to copy the certificate is mounting the volume generated
|
|
|
|
|
during the first step.
|
|
|
|
|
|
2022-10-28 15:01:00 +02:00
|
|
|
podman volume mount keylime-agent-volume
|
2022-10-20 16:32:00 +02:00
|
|
|
|
|
|
|
|
cp -a cacert.crt \
|
2022-10-28 15:01:00 +02:00
|
|
|
/var/lib/containers/storage/volumes/keylime-agent-volume/_data/cv_ca/.
|
2022-10-20 16:32:00 +02:00
|
|
|
|
|
|
|
|
We can now start the agent.
|
|
|
|
|
|
|
|
|
|
podman container runlabel run \
|
2022-10-28 15:01:00 +02:00
|
|
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
|
2022-10-20 16:32:00 +02:00
|
|
|
|
|
|
|
|
We can monitor the status with podman.
|
|
|
|
|
|
|
|
|
|
podman ps
|
|
|
|
|
|
2022-10-28 15:01:00 +02:00
|
|
|
podman logs keylime-agent-container
|
2022-10-20 16:32:00 +02:00
|
|
|
|
|
|
|
|
And finally, we can stop the services via the kill command.
|
|
|
|
|
|
2022-10-28 15:01:00 +02:00
|
|
|
podman kill keylime-agent-container
|
