From 7aa0fb91e22ac9712a4ca2389037371c8fa165b46b2f9e11fafbc3677f8f3c6e Mon Sep 17 00:00:00 2001
From: Richard Brown
Date: Thu, 20 Oct 2022 08:41:39 +0000
Subject: [PATCH] Accepting request 1030015 from home:aplanas:branches:devel:BCI:Tumbleweed Keylime Rust agent service base container
OBS-URL: https://build.opensuse.org/request/show/1030015
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/rust-keylime-image?expand=0&rev=1
---
 .gitattributes | 23 +++++++++++++++++
 .gitignore | 1 +
 10-configure.sh | 19 ++++++++++++++
 Dockerfile | 53 ++++++++++++++++++++++++++++++++++++++
 _service | 10 +++++++
 docker-entrypoint.sh | 45 ++++++++++++++++++++++++++++++++
 rust-keylime-image.changes | 4 +++
 rust-keylime-start.sh | 5 ++++
 8 files changed, 160 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 10-configure.sh
 create mode 100644 Dockerfile
 create mode 100644 _service
 create mode 100644 docker-entrypoint.sh
 create mode 100644 rust-keylime-image.changes
 create mode 100644 rust-keylime-start.sh
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/10-configure.sh b/10-configure.sh
new file mode 100644
index 0000000..abc9b43
--- /dev/null
+++ b/10-configure.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+[ -n "$1" ] && UUID="$1"
+[ -n "$2" ] && REMOTE_IP="$2"
+
+if [ -n "$UUID" -a "$UUID" != "" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "" ]; then
+ mkdir -p /var/lib/keylime/cv_ca
+ mkdir -p /etc/keylime/agent.conf.d
+ cat < /etc/keylime/agent.conf.d/agent.conf
+[agent]
+
+uuid = "$UUID"
+registrar_ip = "$REMOTE_IP"
+revocation_notification_ip = "$REMOTE_IP"
+run_as = "root:root"
+EOF
+fi
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..648ecee
--- /dev/null
+++ b/Dockerfile
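Review bot: The guard `if [ -n "$UUID" -a "$UUID" != "" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "" ]; then` tests each variable twice and relies on the obsolescent `-a` operator; `if [ -n "$UUID" ] && [ -n "$REMOTE_IP" ]; then` expresses the same condition portably. When either value is missing the script exits silently and the agent later starts with whatever configuration the image ships, so an `else` branch with `echo "$0: UUID or REMOTE_IP not set, leaving agent.conf untouched" >&2` would make that path visible in the container log. The generated configuration pins `run_as = "root:root"`; if that is required for the TPM device access shown in the Dockerfile's RUN label, a comment above the heredoc saying so would stop a later reviewer from switching it back to an unprivileged user. As rendered here the redirection reads `cat < /etc/keylime/agent.conf.d/agent.conf` while the block is terminated by `EOF`, which looks like the heredoc operator was lost in extraction rather than a defect in the file.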
@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: opensuse/rust-keylime:%%KEYLIME_VERSION%%
+#!BuildTag: opensuse/rust-keylime:%%KEYLIME_VERSION%%-%RELEASE%
+#!BuildTag: opensuse/rust-keylime:latest
+FROM opensuse/tumbleweed:latest
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=org.opensuse.application.rust-keylime
+LABEL org.opencontainers.image.title="openSUSE Tumbleweed Keylime Rust Agent Service Container Image"
+LABEL org.opencontainers.image.description="Keylime Rust agent service based on the openSUSE Tumbleweed Base Container Image."
+LABEL org.opencontainers.image.version="%%KEYLIME_VERSION%%"
+LABEL org.opencontainers.image.url="https://www.opensuse.org"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="openSUSE Project"
+LABEL org.opencontainers.image.authors="aplanas@suse.de"
+LABEL org.opensuse.reference="registry.opensuse.org/opensuse/rust-keylime:%%KEYLIME_VERSION%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
+LABEL INSTALL="podman volume create rust-keylime-volume"
+LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /docker-entrypoint.d/10-configure.sh"
+LABEL UNINSTALL="podman volume rm rust-keylime-volume"
+
+RUN set -euo pipefail; \
+ zypper -n in --no-recommends \
+ findutils \
+ rust-keylime \
+ iproute2; \
+ zypper -n clean; \
+ rm -rf /var/log/*
+
+COPY docker-entrypoint.sh /
+COPY 10-configure.sh /docker-entrypoint.d/
+COPY rust-keylime-start.sh /
+RUN set -euo pipefail; \
+ chmod a+x /docker-entrypoint.sh; \
+ chmod a+x 
/docker-entrypoint.d/10-configure.sh; \
+ chmod a+x /rust-keylime-start.sh
+
+ENV UUID="" REMOTE_IP=""
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/rust-keylime-start.sh"]
+VOLUME ["/var/lib/keylime"]
+EXPOSE 9002
+
+HEALTHCHECK --start-period=5m --timeout=5s --interval=5s --retries=2 \
+ CMD /usr/bin/ss -ltn | /usr/bin/grep -q 0.0.0.0:9002
+
+STOPSIGNAL SIGQUIT
diff --git a/_service b/_service
new file mode 100644
index 0000000..8ba4f15
--- /dev/null
+++ b/_service
@@ -0,0 +1,10 @@
+ + + + Dockerfile + %%KEYLIME_VERSION%% + rust-keylime + minor + +
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100644
index 0000000..0b778bb
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+entrypoint_log() {
+ if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
+ echo "$@"
+ fi
+}
+
+if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+ entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+ entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+ find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+ case "$f" in
+ *.envsh)
+ if [ -x "$f" ]; then
+ entrypoint_log "$0: Sourcing $f";
+ source "$f"
+ else
+ # warn on shell scripts without exec bit
+ entrypoint_log "$0: Ignoring $f, not executable";
+ fi
+ ;;
+ *.sh)
+ if [ -x "$f" ]; then
+ entrypoint_log "$0: Launching $f";
+ "$f"
+ else
+ # warn on shell scripts without exec bit
+ entrypoint_log "$0: Ignoring $f, not executable";
+ fi
+ ;;
+ *) entrypoint_log "$0: Ignoring $f";;
+ esac
+ done
+
+ entrypoint_log "$0: Configuration complete; ready for start up"
+else
+ entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+fi
+
+
+exec "$@"
diff --git a/rust-keylime-image.changes b/rust-keylime-image.changes
new file mode 100644
index 0000000..2e2c74c
--- /dev/null
+++ b/rust-keylime-image.changes
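Review bot: The health probe `CMD /usr/bin/ss -ltn | /usr/bin/grep -q 0.0.0.0:9002` only passes while the agent is bound to the IPv4 wildcard; a listener on a specific address, or an IPv6 `[::]:9002` / `*:9002` socket, is reported unhealthy even though port 9002 is open, and the unanchored pattern treats each `.` as a wildcard. Filtering on the port alone is more robust: `CMD /usr/bin/ss -ltn 'sport = :9002' | /usr/bin/grep -q LISTEN`. `ENV UUID="" REMOTE_IP=""` is only meaningful because /docker-entrypoint.d/10-configure.sh reads those two names at start-up, so a comment above it such as `# Consumed by /docker-entrypoint.d/10-configure.sh: agent UUID and registrar/revocation address` would document the contract. The RUN label mounts the same `rust-keylime-volume` at both /etc/keylime and /var/lib/keylime while only /var/lib/keylime is declared with VOLUME; if sharing one volume for configuration and state is intentional, a short comment next to the label would keep the next reader from treating it as a copy-paste slip.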
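Review bot: `source "$f"` in the `*.envsh)` branch is a bash builtin while the script declares `#!/bin/sh`; the POSIX spelling `. "$f"` works under every sh the image might end up with. Because the loop runs on the right-hand side of `find ... | sort -V | while read -r f; do`, it executes in a subshell in bash and most sh implementations, so anything an `.envsh` file exports is gone by the time `exec "$@"` runs at the bottom and only reaches later scripts in the same loop. Nothing in this commit ships an `.envsh`, so a comment on that branch, e.g. `# NOTE: sourced inside the pipeline subshell; exported variables do not reach exec "$@"`, is enough until one is added.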
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez
+
+- Initial image based on Keylime 6.5.1
diff --git a/rust-keylime-start.sh b/rust-keylime-start.sh
new file mode 100644
index 0000000..81dc9ef
--- /dev/null
+++ b/rust-keylime-start.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+RUST_LOG=keylime_agent=info /usr/bin/keylime_agent
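Review bot: The agent is started as a child of the shell on the last line, `RUST_LOG=keylime_agent=info /usr/bin/keylime_agent`, so after the entrypoint's `exec "$@"` this `sh` becomes PID 1 and the `STOPSIGNAL SIGQUIT` declared in the Dockerfile is delivered to the shell rather than to keylime_agent. `RUST_LOG=keylime_agent=info exec /usr/bin/keylime_agent` hands the process over directly and keeps the signal and exit-status handling the Dockerfile expects.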