Accepting request 1030207 from home:aplanas:branches:devel:BCI:Tumbleweed
- Drop rust-keylime-start.sh CMD script - Replace "-a" with "&&" in the configure script - Drop docker-entrypoint.sh script - Add README documentation OBS-URL: https://build.opensuse.org/request/show/1030207 OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/rust-keylime-image?expand=0&rev=2
parent
7aa0fb91e2
commit
adc93d93ee
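--- a/Dockerfile
+++ b/Dockerfile
@@ -21,29 +21,23 @@ LABEL com.suse.release-stage="released"
 
 LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 LABEL INSTALL="podman volume create rust-keylime-volume"
-LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /docker-entrypoint.d/10-configure.sh"
+LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /rust-keylime-configure.sh"
 LABEL UNINSTALL="podman volume rm rust-keylime-volume"
 
 RUN set -euo pipefail; \
 zypper -n in --no-recommends \
-findutils \
 rust-keylime \
 iproute2; \
 zypper -n clean; \
 rm -rf /var/log/*
 
-COPY docker-entrypoint.sh /
-COPY 10-configure.sh /docker-entrypoint.d/
-COPY rust-keylime-start.sh /
+COPY rust-keylime-configure.sh /
 RUN set -euo pipefail; \
-chmod a+x /docker-entrypoint.sh; \
-chmod a+x /docker-entrypoint.d/10-configure.sh; \
-chmod a+x /rust-keylime-start.sh
+chmod a+x rust-keylime-configure.sh
 
-ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>"
+ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" RUST_LOG="keylime_agent=info"
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/rust-keylime-start.sh"]
+CMD ["/usr/bin/keylime_agent"]
 VOLUME ["/var/lib/keylime"]
 EXPOSE 9002
 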
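Review bot: The new `chmod a+x rust-keylime-configure.sh` uses a relative path, while the matching `COPY rust-keylime-configure.sh /` places the file at the image root and the CONFIGURE label invokes `/rust-keylime-configure.sh`; the chmod only hits the right file if the working directory at that point happens to be `/`, which the hunk does not establish (no WORKDIR is visible, and the base image is outside the hunk). Use the absolute path so the three references agree: `chmod a+x /rust-keylime-configure.sh`. With the relative form, a base image that sets a WORKDIR would make the RUN fail with "No such file", or, if another file of that name existed there, leave the real script non-executable and the CONFIGURE label broken.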
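--- a/README
+++ b/README
@@ -0,0 +1,67 @@
+Keylime agent service
+---------------------
+
+This container delivers the Keylime agent service for remote
+attestation based on TPM2. This is the component that needs to be
+installed in all the monitored systems.
+
+The control plane, that contains the Keylime services for the verifier
+and the registrar, should be present in the network.
+
+
+Installation and use
+--------------------
+
+The container is already present in the OBS project
+devel:microos:containers, and can be pulled directly from it.
+
+podman pull \
+registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+The agent service needs to be configured before it can be used. It
+will need a persistent volume where to store the certificates and the
+configuration files required to find the control plane services. We
+can create this volume running the "install" label.
+
+podman container runlabel install \
+registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+This will create the "rust-keylime-volume" that will be attached into
+the running container.
+
+Now we need to create a configuration file, were we indicate the UUID
+for the agent and the IP of the remote verifier and registrar. For
+that we can run the "configure" label.
+
+podman container runlabel configure \
+registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \
+$(uuidgen) 10.88.0.1
+
+The last configuration step is to copy the certificate from the
+control plane into the agent container. This will allow the
+connection between the agent, the verifier and the tenant. For
+details about how to extract this certificate, check the documentation
+of the control plane container.
+
+One way to copy the certificate is mounting the volume generated
+during the first step.
+
+podman volume mount rust-keylime-volume
+
+cp -a cacert.crt \
+/var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/.
+
+We can now start the agent.
+
+podman container runlabel run \
+registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+We can monitor the status with podman.
+
+podman ps
+
+podman logs rust-keylime-container
+
+And finally, we can stop the services via the kill command.
+
+podman kill rust-keylime-container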
@ -1,45 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
entrypoint_log() {
|
|
||||||
if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
|
|
||||||
echo "$@"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
|
|
||||||
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
|
|
||||||
|
|
||||||
entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
|
|
||||||
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
|
|
||||||
case "$f" in
|
|
||||||
*.envsh)
|
|
||||||
if [ -x "$f" ]; then
|
|
||||||
entrypoint_log "$0: Sourcing $f";
|
|
||||||
source "$f"
|
|
||||||
else
|
|
||||||
# warn on shell scripts without exec bit
|
|
||||||
entrypoint_log "$0: Ignoring $f, not executable";
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*.sh)
|
|
||||||
if [ -x "$f" ]; then
|
|
||||||
entrypoint_log "$0: Launching $f";
|
|
||||||
"$f"
|
|
||||||
else
|
|
||||||
# warn on shell scripts without exec bit
|
|
||||||
entrypoint_log "$0: Ignoring $f, not executable";
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*) entrypoint_log "$0: Ignoring $f";;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
|
|
||||||
entrypoint_log "$0: Configuration complete; ready for start up"
|
|
||||||
else
|
|
||||||
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
exec "$@"
|
|
@ -5,7 +5,7 @@ set -e
|
|||||||
[ -n "$1" ] && UUID="$1"
|
[ -n "$1" ] && UUID="$1"
|
||||||
[ -n "$2" ] && REMOTE_IP="$2"
|
[ -n "$2" ] && REMOTE_IP="$2"
|
||||||
|
|
||||||
if [ -n "$UUID" -a "$UUID" != "<UUID>" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "<REMOTE_IP>" ]; then
|
if [ -n "$UUID" ] && [ "$UUID" != "<UUID>" ] && [ -n "$REMOTE_IP" ] && [ "$REMOTE_IP" != "<REMOTE_IP>" ]; then
|
||||||
mkdir -p /var/lib/keylime/cv_ca
|
mkdir -p /var/lib/keylime/cv_ca
|
||||||
mkdir -p /etc/keylime/agent.conf.d
|
mkdir -p /etc/keylime/agent.conf.d
|
||||||
cat <<EOF > /etc/keylime/agent.conf.d/agent.conf
|
cat <<EOF > /etc/keylime/agent.conf.d/agent.conf
|
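Review bot: The rewritten `if` only checks that `$UUID` and `$REMOTE_IP` are non-empty and differ from the `<UUID>`/`<REMOTE_IP>` placeholders, yet the values come straight from `$1`/`$2` and, on the last line of the hunk, are expanded unquoted into `/etc/keylime/agent.conf.d/agent.conf` through an unquoted heredoc, so a malformed or multi-line argument is written into the agent's configuration verbatim. The splitting of `-a` into separate `[ ] && [ ]` tests is correct; what is missing is a shape check on the two values before the file is written. I would add a `case` guard for each inside the `if`, before the `mkdir` lines, rejecting anything outside the expected character set and failing loudly under the script's `set -e`; if the agent legitimately accepts non-UUID identifiers here, widen the first pattern accordingly. The `if` body continues past the end of the hunk, and the script header and any `else` branch are outside it.
```sh
if [ -n "$UUID" ] && [ "$UUID" != "<UUID>" ] && [ -n "$REMOTE_IP" ] && [ "$REMOTE_IP" != "<REMOTE_IP>" ]; then
  case "$UUID" in
    *[!0-9A-Fa-f-]*) printf '%s: UUID is not a hex/dash UUID string\n' "$0" >&2; exit 1 ;;
  esac
  case "$REMOTE_IP" in
    *[!0-9A-Za-z.:-]*) printf '%s: REMOTE_IP is not an address or host name\n' "$0" >&2; exit 1 ;;
  esac
  # … unchanged: mkdir calls and the agent.conf heredoc …
```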
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||||
|
|
||||||
|
- Drop rust-keylime-start.sh CMD script
|
||||||
|
- Replace "-a" with "&&" in the configure script
|
||||||
|
- Drop docker-entrypoint.sh script
|
||||||
|
- Add README documentation
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
|
||||||
|
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
RUST_LOG=keylime_agent=info /usr/bin/keylime_agent
|
|