From adc93d93eeaa36afbefb497ab2a968bb2292a54b76829eb2abb5edbcec4898dc Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Thu, 20 Oct 2022 14:32:00 +0000
Subject: [PATCH] Accepting request 1030207 from home:aplanas:branches:devel:BCI:Tumbleweed

- Drop rust-keylime-start.sh CMD script
- Replace "-a" with "&&" in the configure script
- Drop docker-entrypoint.sh script
- Add README documentation

OBS-URL: https://build.opensuse.org/request/show/1030207
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/rust-keylime-image?expand=0&rev=2
---
 Dockerfile | 16 ++---
 README | 67 ++++++++++++++++++++
 docker-entrypoint.sh | 45 -------------
 10-configure.sh => rust-keylime-configure.sh | 2 +-
 rust-keylime-image.changes | 8 +++
 rust-keylime-start.sh | 5 --
 6 files changed, 81 insertions(+), 62 deletions(-)
 create mode 100644 README
 delete mode 100644 docker-entrypoint.sh
 rename 10-configure.sh => rust-keylime-configure.sh (74%)
 delete mode 100644 rust-keylime-start.sh

diff --git a/Dockerfile b/Dockerfile
index 648ecee..ec706f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,29 +21,23 @@ LABEL com.suse.release-stage="released"
 LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 LABEL INSTALL="podman volume create rust-keylime-volume"
-LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /docker-entrypoint.d/10-configure.sh"
+LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /rust-keylime-configure.sh"
 LABEL UNINSTALL="podman volume rm rust-keylime-volume"
 RUN set -euo pipefail; \
     zypper -n in --no-recommends \
-      findutils \
       rust-keylime \
       iproute2; \
     zypper -n clean; \
     rm -rf /var/log/*
-COPY docker-entrypoint.sh /
-COPY 10-configure.sh /docker-entrypoint.d/
-COPY rust-keylime-start.sh /
+COPY rust-keylime-configure.sh /
 RUN set -euo pipefail; \
-    chmod a+x /docker-entrypoint.sh; \
-    chmod a+x /docker-entrypoint.d/10-configure.sh; \
-    chmod a+x /rust-keylime-start.sh
+    chmod a+x rust-keylime-configure.sh
-ENV UUID="" REMOTE_IP=""
+ENV UUID="" REMOTE_IP="" RUST_LOG="keylime_agent=info"
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/rust-keylime-start.sh"]
+CMD ["/usr/bin/keylime_agent"]
 VOLUME ["/var/lib/keylime"]
 EXPOSE 9002
diff --git a/README b/README
new file mode 100644
index 0000000..3d6572e
--- /dev/null
+++ b/README
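Review bot: The new `chmod a+x rust-keylime-configure.sh` uses a relative path where the lines it replaces and the `COPY ... /` destination are absolute, so it finds the script only as long as neither this file nor the base image sets a `WORKDIR`; anyone adding one above it later turns this into a `chmod: cannot access` build failure. Writing `chmod a+x /rust-keylime-configure.sh`, or folding the mode into the copy with `COPY --chmod=0755 rust-keylime-configure.sh /` (which also drops the extra `RUN` layer, if the OBS builder's Dockerfile frontend accepts the flag), removes the dependency on the working directory. Separately, with the entrypoint wrapper gone the image still ends without a `USER`, so `/usr/bin/keylime_agent` starts as root with the TPM devices from the `RUN` label; if the agent's own privilege-drop configuration is what is relied on here, a comment next to `CMD` saying so would save the next reviewer the question.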
@@ -0,0 +1,67 @@
+Keylime agent service
+---------------------
+
+This container delivers the Keylime agent service for remote
+attestation based on TPM2. This is the component that needs to be
+installed in all the monitored systems.
+
+The control plane, that contains the Keylime services for the verifier
+and the registrar, should be present in the network.
+
+
+Installation and use
+--------------------
+
+The container is already present in the OBS project
+devel:microos:containers, and can be pulled directly from it.
+
+    podman pull \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+The agent service needs to be configured before it can be used. It
+will need a persistent volume where to store the certificates and the
+configuration files required to find the control plane services. We
+can create this volume running the "install" label.
+
+    podman container runlabel install \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+This will create the "rust-keylime-volume" that will be attached into
+the running container.
+
+Now we need to create a configuration file, were we indicate the UUID
+for the agent and the IP of the remote verifier and registrar. For
+that we can run the "configure" label.
+
+    podman container runlabel configure \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \
+    $(uuidgen) 10.88.0.1
+
+The last configuration step is to copy the certificate from the
+control plane into the agent container. This will allow the
+connection between the agent, the verifier and the tenant. For
+details about how to extract this certificate, check the documentation
+of the control plane container.
+
+One way to copy the certificate is mounting the volume generated
+during the first step.
+
+    podman volume mount rust-keylime-volume
+
+    cp -a cacert.crt \
+    /var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/.
+
+We can now start the agent.
+
+    podman container runlabel run \
+    registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+We can monitor the status with podman.
+
+    podman ps
+
+    podman logs rust-keylime-container
+
+And finally, we can stop the services via the kill command.
+
+    podman kill rust-keylime-container
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100644
index 0b778bb..0000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-
-set -e
-
-entrypoint_log() {
-    if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
-        echo "$@"
-    fi
-}
-
-if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
-    entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
-    entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
-    find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
-        case "$f" in
-            *.envsh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Sourcing $f";
-                    source "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *.sh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Launching $f";
-                    "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *) entrypoint_log "$0: Ignoring $f";;
-        esac
-    done
-
-    entrypoint_log "$0: Configuration complete; ready for start up"
-else
-    entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
-fi
-
-
-exec "$@"
diff --git a/10-configure.sh b/rust-keylime-configure.sh
similarity index 74%
rename from 10-configure.sh
rename to rust-keylime-configure.sh
index abc9b43..fc20745 100644
--- a/10-configure.sh
+++ b/rust-keylime-configure.sh
@@ -5,7 +5,7 @@ set -e
 [ -n "$1" ] && UUID="$1"
 [ -n "$2" ] && REMOTE_IP="$2"
-if [ -n "$UUID" -a "$UUID" != "" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "" ]; then
+if [ -n "$UUID" ] && [ "$UUID" != "" ] && [ -n "$REMOTE_IP" ] && [ "$REMOTE_IP" != "" ]; then
   mkdir -p /var/lib/keylime/cv_ca
   mkdir -p /etc/keylime/agent.conf.d
   cat < /etc/keylime/agent.conf.d/agent.conf
diff --git a/rust-keylime-image.changes b/rust-keylime-image.changes
index 2e2c74c..dc4dc5b 100644
--- a/rust-keylime-image.changes
+++ b/rust-keylime-image.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez
+
+- Drop rust-keylime-start.sh CMD script
+- Replace "-a" with "&&" in the configure script
+- Drop docker-entrypoint.sh script
+- Add README documentation
+
 -------------------------------------------------------------------
 Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez
diff --git a/rust-keylime-start.sh b/rust-keylime-start.sh
deleted file mode 100644
index 81dc9ef..0000000
--- a/rust-keylime-start.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-set -e
-
-RUST_LOG=keylime_agent=info /usr/bin/keylime_agent
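Review bot: The rewritten condition tests each variable twice, since `[ -n "$UUID" ]` and `[ "$UUID" != "" ]` are the same check, so the line can shrink to `if [ -n "$UUID" ] && [ -n "$REMOTE_IP" ]; then` with no change in behaviour. Both values arrive straight from the positional arguments or the environment and are written into `/etc/keylime/agent.conf.d/agent.conf` by the `cat` that follows, with no check that `UUID` is shaped like a UUID or that `REMOTE_IP` is an address or hostname; a malformed value presumably surfaces only when the agent later parses the file, so a cheap format check before the `mkdir` calls, for example `case "$UUID" in *[!0-9a-fA-F-]*|"") echo "invalid UUID: $UUID" >&2; exit 1;; esac`, would fail at configure time instead. The `if` body and the file it writes continue outside the hunk, so whether the heredoc delimiter is quoted (and therefore what else in these values gets expanded) cannot be seen here; the `cat < /etc/keylime/...` shown also looks like a `cat > ... <<EOF` mangled by extraction and is worth confirming against the real file.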