Accepting request 1030207 from home:aplanas:branches:devel:BCI:Tumbleweed

- Drop rust-keylime-start.sh CMD script
- Replace "-a" with "&&" in the configure script
- Drop docker-entrypoint.sh script
- Add README documentation

OBS-URL: https://build.opensuse.org/request/show/1030207
OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/rust-keylime-image?expand=0&rev=2
Fabian Vogt 2022-10-20 14:32:00 +00:00 committed by Git OBS Bridge
parent 7aa0fb91e2
commit adc93d93ee
6 changed files with 81 additions and 62 deletions


@ -21,29 +21,23 @@ LABEL com.suse.release-stage="released"
LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE" LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
LABEL INSTALL="podman volume create rust-keylime-volume" LABEL INSTALL="podman volume create rust-keylime-volume"
LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /docker-entrypoint.d/10-configure.sh" LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /rust-keylime-configure.sh"
LABEL UNINSTALL="podman volume rm rust-keylime-volume" LABEL UNINSTALL="podman volume rm rust-keylime-volume"
RUN set -euo pipefail; \ RUN set -euo pipefail; \
zypper -n in --no-recommends \ zypper -n in --no-recommends \
findutils \
rust-keylime \ rust-keylime \
iproute2; \ iproute2; \
zypper -n clean; \ zypper -n clean; \
rm -rf /var/log/* rm -rf /var/log/*
COPY docker-entrypoint.sh / COPY rust-keylime-configure.sh /
COPY 10-configure.sh /docker-entrypoint.d/
COPY rust-keylime-start.sh /
RUN set -euo pipefail; \ RUN set -euo pipefail; \
chmod a+x /docker-entrypoint.sh; \ chmod a+x rust-keylime-configure.sh
chmod a+x /docker-entrypoint.d/10-configure.sh; \
chmod a+x /rust-keylime-start.sh
ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" RUST_LOG="keylime_agent=info"
ENTRYPOINT ["/docker-entrypoint.sh"] CMD ["/usr/bin/keylime_agent"]
CMD ["/rust-keylime-start.sh"]
VOLUME ["/var/lib/keylime"] VOLUME ["/var/lib/keylime"]
EXPOSE 9002 EXPOSE 9002
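Review bot: the new `chmod a+x rust-keylime-configure.sh` uses a relative path, while the `COPY rust-keylime-configure.sh /` above places the script at `/` and the CONFIGURE label invokes `/rust-keylime-configure.sh`; this only works because the build's working directory defaults to `/`, so use the absolute form (`chmod a+x /rust-keylime-configure.sh`) as the removed lines did. Dropping `findutils` looks consistent with deleting docker-entrypoint.sh, the only visible `find` user, but confirm that rust-keylime-configure.sh does not call it.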

README Normal file

@ -0,0 +1,67 @@
Keylime agent service
---------------------
This container delivers the Keylime agent service for remote
attestation based on TPM2. This is the component that needs to be
installed in all the monitored systems.
The control plane, that contains the Keylime services for the verifier
and the registrar, should be present in the network.
Installation and use
--------------------
The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it.
podman pull \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
The agent service needs to be configured before it can be used. It
will need a persistent volume where to store the certificates and the
configuration files required to find the control plane services. We
can create this volume running the "install" label.
podman container runlabel install \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
This will create the "rust-keylime-volume" that will be attached into
the running container.
Now we need to create a configuration file, were we indicate the UUID
for the agent and the IP of the remote verifier and registrar. For
that we can run the "configure" label.
podman container runlabel configure \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \
$(uuidgen) 10.88.0.1
The last configuration step is to copy the certificate from the
control plane into the agent container. This will allow the
connection between the agent, the verifier and the tenant. For
details about how to extract this certificate, check the documentation
of the control plane container.
One way to copy the certificate is mounting the volume generated
during the first step.
podman volume mount rust-keylime-volume
cp -a cacert.crt \
/var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/.
We can now start the agent.
podman container runlabel run \
registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
We can monitor the status with podman.
podman ps
podman logs rust-keylime-container
And finally, we can stop the services via the kill command.
podman kill rust-keylime-container
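Review bot: the certificate copy step hardcodes `/var/lib/containers/storage/volumes/rust-keylime-volume/_data`, which is only the rootful storage location; `podman volume mount rust-keylime-volume` prints the real mountpoint, so the README should tell the reader to copy into that printed path, e.g. `cp -a cacert.crt "$(podman volume mount rust-keylime-volume)/cv_ca/"`. Two wording fixes: "were we indicate" should read "where we indicate", and since the agent is now the container's main process (exec-form `CMD` without a wrapper), "stop the services via the kill command" would better recommend `podman stop rust-keylime-container`, which delivers SIGTERM with a grace period before SIGKILL.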


@ -1,45 +0,0 @@
#!/bin/sh
set -e
entrypoint_log() {
if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.envsh)
if [ -x "$f" ]; then
entrypoint_log "$0: Sourcing $f";
source "$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*.sh)
if [ -x "$f" ]; then
entrypoint_log "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*) entrypoint_log "$0: Ignoring $f";;
esac
done
entrypoint_log "$0: Configuration complete; ready for start up"
else
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi
exec "$@"
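Review bot: removing this script is a net simplification with no loss of function, and the deleted `*.envsh` branch relied on `source "$f"`, a bash builtin that `#!/bin/sh` does not guarantee, so it was fragile on a strict POSIX shell anyway. With it gone nothing runs at container start except the `CMD`, so the README's "configure" step should be described as mandatory before "run" rather than as something the container attempts on its own.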


@ -5,7 +5,7 @@ set -e
[ -n "$1" ] && UUID="$1" [ -n "$1" ] && UUID="$1"
[ -n "$2" ] && REMOTE_IP="$2" [ -n "$2" ] && REMOTE_IP="$2"
if [ -n "$UUID" -a "$UUID" != "<UUID>" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "<REMOTE_IP>" ]; then if [ -n "$UUID" ] && [ "$UUID" != "<UUID>" ] && [ -n "$REMOTE_IP" ] && [ "$REMOTE_IP" != "<REMOTE_IP>" ]; then
mkdir -p /var/lib/keylime/cv_ca mkdir -p /var/lib/keylime/cv_ca
mkdir -p /etc/keylime/agent.conf.d mkdir -p /etc/keylime/agent.conf.d
cat <<EOF > /etc/keylime/agent.conf.d/agent.conf cat <<EOF > /etc/keylime/agent.conf.d/agent.conf
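Review bot: the switch from `-a` to separate `[ ... ] && [ ... ]` tests is the POSIX-portable form and reads correctly, but `$UUID` and `$REMOTE_IP` are then expanded into `/etc/keylime/agent.conf.d/agent.conf` through an unquoted heredoc with no format check, so a malformed argument (or one containing a newline) lands in the config file as extra lines. Consider validating both before the `if`, for example `case "$UUID" in *[!0-9a-fA-F-]*|"") echo "invalid UUID" >&2; exit 1;; esac` and an equivalent check restricting `REMOTE_IP` to address characters, so that bad input fails the script instead of producing a silently broken config.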


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
- Drop rust-keylime-start.sh CMD script
- Replace "-a" with "&&" in the configure script
- Drop docker-entrypoint.sh script
- Add README documentation
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com> Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>


@ -1,5 +0,0 @@
#!/bin/sh
set -e
RUST_LOG=keylime_agent=info /usr/bin/keylime_agent
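Review bot: the log level that this wrapper hardcoded is now an image-level `ENV RUST_LOG="keylime_agent=info"`, which users can override at run time with `-e RUST_LOG=...`; that is an improvement, but the README and the RUN label do not mention it, so document the override alongside the "monitor the status" step. Dropping the shell wrapper also means `CMD ["/usr/bin/keylime_agent"]` runs the agent directly as PID 1, so `podman stop` signals now reach it without an intermediate `sh`.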