68 lines
2.3 KiB
Plaintext
68 lines
2.3 KiB
Plaintext
|
Keylime agent service
|
||
|
---------------------
|
||
|
|
||
|
This container delivers the Keylime agent service for remote
|
||
|
attestation based on TPM2. This is the component that needs to be
|
||
|
installed in all the monitored systems.
|
||
|
|
||
|
The control plane, that contains the Keylime services for the verifier
|
||
|
and the registrar, should be present in the network.
|
||
|
|
||
|
|
||
|
Installation and use
|
||
|
--------------------
|
||
|
|
||
|
The container is already present in the OBS project
|
||
|
devel:microos:containers, and can be pulled directly from it.
|
||
|
|
||
|
podman pull \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
|
||
|
|
||
|
The agent service needs to be configured before it can be used. It
|
||
|
will need a persistent volume where to store the certificates and the
|
||
|
configuration files required to find the control plane services. We
|
||
|
can create this volume running the "install" label.
|
||
|
|
||
|
podman container runlabel install \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
|
||
|
|
||
|
This will create the "rust-keylime-volume" that will be attached into
|
||
|
the running container.
|
||
|
|
||
|
Now we need to create a configuration file, were we indicate the UUID
|
||
|
for the agent and the IP of the remote verifier and registrar. For
|
||
|
that we can run the "configure" label.
|
||
|
|
||
|
podman container runlabel configure \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \
|
||
|
$(uuidgen) 10.88.0.1
|
||
|
|
||
|
The last configuration step is to copy the certificate from the
|
||
|
control plane into the agent container. This will allow the
|
||
|
connection between the agent, the verifier and the tenant. For
|
||
|
details about how to extract this certificate, check the documentation
|
||
|
of the control plane container.
|
||
|
|
||
|
One way to copy the certificate is mounting the volume generated
|
||
|
during the first step.
|
||
|
|
||
|
podman volume mount rust-keylime-volume
|
||
|
|
||
|
cp -a cacert.crt \
|
||
|
/var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/.
|
||
|
|
||
|
We can now start the agent.
|
||
|
|
||
|
podman container runlabel run \
|
||
|
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
|
||
|
|
||
|
We can monitor the status with podman.
|
||
|
|
||
|
podman ps
|
||
|
|
||
|
podman logs rust-keylime-container
|
||
|
|
||
|
And finally, we can stop the services via the kill command.
|
||
|
|
||
|
podman kill rust-keylime-container
|