Accepting request 1031956 from devel:microos:containers

OBS-URL: https://build.opensuse.org/request/show/1031956
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rust-keylime-image?expand=0&rev=2
Dominique Leuenberger 2022-10-28 17:31:58 +00:00 committed by Git OBS Bridge
commit 02cec7308a
4 changed files with 28 additions and 20 deletions


@ -1,11 +1,11 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: opensuse/rust-keylime:%%KEYLIME_VERSION%% #!BuildTag: opensuse/keylime-agent:%%KEYLIME_VERSION%%
#!BuildTag: opensuse/rust-keylime:%%KEYLIME_VERSION%%-%RELEASE% #!BuildTag: opensuse/keylime-agent:%%KEYLIME_VERSION%%-%RELEASE%
#!BuildTag: opensuse/rust-keylime:latest #!BuildTag: opensuse/keylime-agent:latest
FROM opensuse/tumbleweed:latest FROM opensuse/tumbleweed:latest
# Define labels according to https://en.opensuse.org/Building_derived_containers # Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=org.opensuse.application.rust-keylime # labelprefix=org.opensuse.application.keylime-agent
LABEL org.opencontainers.image.title="openSUSE Tumbleweed Keylime Rust Agent Service Container Image" LABEL org.opencontainers.image.title="openSUSE Tumbleweed Keylime Rust Agent Service Container Image"
LABEL org.opencontainers.image.description="Keylime Rust agent service based on the openSUSE Tumbleweed Base Container Image." LABEL org.opencontainers.image.description="Keylime Rust agent service based on the openSUSE Tumbleweed Base Container Image."
LABEL org.opencontainers.image.version="%%KEYLIME_VERSION%%" LABEL org.opencontainers.image.version="%%KEYLIME_VERSION%%"
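Review bot: The three `#!BuildTag:` lines replace `opensuse/rust-keylime` with `opensuse/keylime-agent` rather than adding the new name alongside the old one, so as far as this hunk shows the old tags stop being published. Anyone pulling `opensuse/rust-keylime:latest` keeps whatever build they last fetched, with no further updates and no error. Consider keeping the old name as an additional `#!BuildTag:` for a transition period, or stating in the README that the old name is retired.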
@ -13,16 +13,16 @@ LABEL org.opencontainers.image.url="https://www.opensuse.org"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="openSUSE Project" LABEL org.opencontainers.image.vendor="openSUSE Project"
LABEL org.opencontainers.image.authors="aplanas@suse.de" LABEL org.opencontainers.image.authors="aplanas@suse.de"
LABEL org.opensuse.reference="registry.opensuse.org/opensuse/rust-keylime:%%KEYLIME_VERSION%%-%RELEASE%" LABEL org.opensuse.reference="registry.opensuse.org/opensuse/keylime-agent:%%KEYLIME_VERSION%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.release-stage="released" LABEL com.suse.release-stage="released"
# endlabelprefix # endlabelprefix
LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE" LABEL RUN="podman run --name keylime-agent-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent-volume:/var/lib/keylime -v keylime-agent-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
LABEL INSTALL="podman volume create rust-keylime-volume" LABEL INSTALL="podman volume create keylime-agent-volume"
LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /rust-keylime-configure.sh" LABEL CONFIGURE="podman run --rm -v keylime-agent-volume:/var/lib/keylime -v keylime-agent-volume:/etc/keylime IMAGE /keylime-agent-configure.sh"
LABEL UNINSTALL="podman volume rm rust-keylime-volume" LABEL UNINSTALL="podman volume rm keylime-agent-volume"
RUN set -euo pipefail; \ RUN set -euo pipefail; \
zypper -n in --no-recommends \ zypper -n in --no-recommends \
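Review bot: The `INSTALL`, `RUN`, `CONFIGURE` and `UNINSTALL` labels all switch from `rust-keylime-volume` to `keylime-agent-volume`, but nothing here migrates an existing volume. A host configured with the previous image will start the new one against an empty volume, without its agent configuration or the certificate under `cv_ca`, and `UNINSTALL` will no longer remove the old volume that still holds that material. Document a migration step, or at least the manual `podman volume rm rust-keylime-volume` cleanup. Separately, `RUN` and `CONFIGURE` still mount the same volume at both `/var/lib/keylime` and `/etc/keylime`, so configuration and agent state share one directory tree; two volumes would keep them apart.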
@ -31,9 +31,9 @@ RUN set -euo pipefail; \
zypper -n clean; \ zypper -n clean; \
rm -rf /var/log/* rm -rf /var/log/*
COPY rust-keylime-configure.sh / COPY keylime-agent-configure.sh /
RUN set -euo pipefail; \ RUN set -euo pipefail; \
chmod a+x rust-keylime-configure.sh chmod a+x keylime-agent-configure.sh
ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" RUST_LOG="keylime_agent=info" ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" RUST_LOG="keylime_agent=info"
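Review bot: `chmod a+x keylime-agent-configure.sh` uses a relative path and only works because the working directory happens to be `/`, where the preceding `COPY` placed the script. Use the absolute path `/keylime-agent-configure.sh`, matching what the `CONFIGURE` label invokes, so a later `WORKDIR` does not break the build. An explicit mode such as `0755` would also state the intended permissions instead of depending on the mode of the file in the source tree.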

README

@ -16,7 +16,7 @@ The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it. devel:microos:containers, and can be pulled directly from it.
podman pull \ podman pull \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
The agent service needs to be configured before it can be used. It The agent service needs to be configured before it can be used. It
will need a persistent volume where to store the certificates and the will need a persistent volume where to store the certificates and the
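Review bot: The `podman pull` example in this hunk uses the mutable `:latest` tag from the devel:microos:containers project, so hosts that follow the README at different times can end up running different agent builds. The Dockerfile also publishes `%%KEYLIME_VERSION%%` and `%%KEYLIME_VERSION%%-%RELEASE%` tags; consider showing a versioned tag here, or mentioning that one exists, for deployments that need a reproducible agent image.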
@ -24,9 +24,9 @@ configuration files required to find the control plane services. We
can create this volume running the "install" label. can create this volume running the "install" label.
podman container runlabel install \ podman container runlabel install \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
This will create the "rust-keylime-volume" that will be attached into This will create the "keylime-agent-volume" that will be attached into
the running container. the running container.
Now we need to create a configuration file, were we indicate the UUID Now we need to create a configuration file, were we indicate the UUID
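Review bot: In the trailing context of this hunk, "were we indicate the UUID" should read "where we indicate the UUID"; worth fixing while the surrounding paragraph is being edited. It would also help to say that the "install" label only creates the volume and is safe to skip if `keylime-agent-volume` already exists.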
@ -34,7 +34,7 @@ for the agent and the IP of the remote verifier and registrar. For
that we can run the "configure" label. that we can run the "configure" label.
podman container runlabel configure \ podman container runlabel configure \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \ registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest \
$(uuidgen) 10.88.0.1 $(uuidgen) 10.88.0.1
The last configuration step is to copy the certificate from the The last configuration step is to copy the certificate from the
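Review bot: In the "configure" example, `$(uuidgen)` is expanded inline and the generated UUID is never shown to the operator, although the same value is needed later to identify this agent to the verifier and registrar. Suggest assigning it to a shell variable first and passing that variable, so it can be recorded. The README should also say that `10.88.0.1` is only an example address (the gateway of podman's default network) and must be replaced with the real verifier and registrar IP.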
@ -46,22 +46,22 @@ of the control plane container.
One way to copy the certificate is mounting the volume generated One way to copy the certificate is mounting the volume generated
during the first step. during the first step.
podman volume mount rust-keylime-volume podman volume mount keylime-agent-volume
cp -a cacert.crt \ cp -a cacert.crt \
/var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/. /var/lib/containers/storage/volumes/keylime-agent-volume/_data/cv_ca/.
We can now start the agent. We can now start the agent.
podman container runlabel run \ podman container runlabel run \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest
We can monitor the status with podman. We can monitor the status with podman.
podman ps podman ps
podman logs rust-keylime-container podman logs keylime-agent-container
And finally, we can stop the services via the kill command. And finally, we can stop the services via the kill command.
podman kill rust-keylime-container podman kill keylime-agent-container
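Review bot: The `cp -a cacert.crt` destination hard-codes `/var/lib/containers/storage/volumes/keylime-agent-volume/_data/cv_ca/.`, which only matches a rootful podman with default storage settings. `podman volume mount keylime-agent-volume` already prints the mount point, so the README could capture that output and copy into it, and then run `podman volume unmount` afterwards. Since this certificate is what the agent will trust, a line telling the reader to confirm it is the control plane's CA before copying would fit here. For the last step, `podman stop keylime-agent-container` gives the agent a chance to shut down cleanly, where `podman kill` sends SIGKILL by default.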


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Oct 28 12:51:07 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Rename the published image to "keylime-agent"
- Rename the volumes and container default name, and the configuration
file under "keylime-agent-XXXX"
- Update the README for use new name
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com> Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
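Review bot: Two wording points in the new changelog entry: "Update the README for use new name" should read "Update the README to use the new name", and "the configuration file under "keylime-agent-XXXX"" is unclear, because the file renamed in this change is the `keylime-agent-configure.sh` script, not a configuration file. Naming the script explicitly makes the entry searchable.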