Accepting request 1030207 from home:aplanas:branches:devel:BCI:Tumbleweed

- Drop rust-keylime-start.sh CMD script - Replace "-a" with "&&" in the configure script - Drop docker-entrypoint.sh script - Add README documentation OBS-URL: https://build.opensuse.org/request/show/1030207 OBS-URL: https://build.opensuse.org/package/show/devel:microos:containers/rust-keylime-image?expand=0&rev=2
2022-10-20 14:32:00 +00:00 · 2022-10-20 14:32:00 +00:00 · adc93d93ee
commit adc93d93ee
parent 7aa0fb91e2
6 changed files with 81 additions and 62 deletions
--- a/16
+++ b/16
@ -21,29 +21,23 @@ LABEL com.suse.release-stage="released"

 LABEL RUN="podman run --name rust-keylime-container --rm --device /dev/tpm0 --device /dev/tpmrm0 -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 LABEL INSTALL="podman volume create rust-keylime-volume"
-LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /docker-entrypoint.d/10-configure.sh"
+LABEL CONFIGURE="podman run --rm -v rust-keylime-volume:/var/lib/keylime -v rust-keylime-volume:/etc/keylime IMAGE /rust-keylime-configure.sh"
 LABEL UNINSTALL="podman volume rm rust-keylime-volume"

 RUN set -euo pipefail; \
    zypper -n in --no-recommends \
-      findutils \
      rust-keylime \
      iproute2; \
    zypper -n clean; \
    rm -rf /var/log/*

-COPY docker-entrypoint.sh /
-COPY 10-configure.sh /docker-entrypoint.d/
-COPY rust-keylime-start.sh /
+COPY rust-keylime-configure.sh /
 RUN set -euo pipefail; \
-    chmod a+x /docker-entrypoint.sh; \
-    chmod a+x /docker-entrypoint.d/10-configure.sh; \
-    chmod a+x /rust-keylime-start.sh
+    chmod a+x rust-keylime-configure.sh

-ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>"
+ENV UUID="<UUID>" REMOTE_IP="<REMOTE_IP>" RUST_LOG="keylime_agent=info"

-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["/rust-keylime-start.sh"]
+CMD ["/usr/bin/keylime_agent"]
 VOLUME ["/var/lib/keylime"]
 EXPOSE 9002

--- a/67
+++ b/67
@ -0,0 +1,67 @@
+Keylime agent service
+---------------------
+
+This container delivers the Keylime agent service for remote
+attestation based on TPM2.  This is the component that needs to be
+installed in all the monitored systems.
+
+The control plane, that contains the Keylime services for the verifier
+and the registrar, should be present in the network.
+
+
+Installation and use
+--------------------
+
+The container is already present in the OBS project
+devel:microos:containers, and can be pulled directly from it.
+
+    podman pull \
+      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+The agent service needs to be configured before it can be used.  It
+will need a persistent volume where to store the certificates and the
+configuration files required to find the control plane services.  We
+can create this volume running the "install" label.
+
+    podman container runlabel install \
+      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+This will create the "rust-keylime-volume" that will be attached into
+the running container.
+
+Now we need to create a configuration file, were we indicate the UUID
+for the agent and the IP of the remote verifier and registrar.  For
+that we can run the "configure" label.
+
+    podman container runlabel configure \
+        registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest \
+        $(uuidgen) 10.88.0.1
+
+The last configuration step is to copy the certificate from the
+control plane into the agent container.  This will allow the
+connection between the agent, the verifier and the tenant.  For
+details about how to extract this certificate, check the documentation
+of the control plane container.
+
+One way to copy the certificate is mounting the volume generated
+during the first step.
+
+    podman volume mount rust-keylime-volume
+
+    cp -a cacert.crt \
+      /var/lib/containers/storage/volumes/rust-keylime-volume/_data/cv_ca/.
+
+We can now start the agent.
+
+    podman container runlabel run \
+      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/rust-keylime:latest
+
+We can monitor the status with podman.
+
+    podman ps
+
+    podman logs rust-keylime-container
+
+And finally, we can stop the services via the kill command.
+
+    podman kill rust-keylime-container
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -1,45 +0,0 @@
-#!/bin/sh
-
-set -e
-
-entrypoint_log() {
-    if [ -z "${ENTRYPOINT_QUIET_LOGS:-}" ]; then
-        echo "$@"
-    fi
-}
-
-if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
-    entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
-
-    entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
-    find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
-        case "$f" in
-            *.envsh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Sourcing $f";
-                    source "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *.sh)
-                if [ -x "$f" ]; then
-                    entrypoint_log "$0: Launching $f";
-                    "$f"
-                else
-                    # warn on shell scripts without exec bit
-                    entrypoint_log "$0: Ignoring $f, not executable";
-                fi
-                ;;
-            *) entrypoint_log "$0: Ignoring $f";;
-        esac
-    done
-
-    entrypoint_log "$0: Configuration complete; ready for start up"
-else
-    entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
-fi
-
-
-exec "$@"
--- a/rust-keylime-configure.sh
+++ b/rust-keylime-configure.sh
@ -5,7 +5,7 @@ set -e
 [ -n "$1" ] && UUID="$1"
 [ -n "$2" ] && REMOTE_IP="$2"

-if [ -n "$UUID" -a "$UUID" != "<UUID>" -a -n "$REMOTE_IP" -a "$REMOTE_IP" != "<REMOTE_IP>" ]; then
+if [ -n "$UUID" ] && [ "$UUID" != "<UUID>" ] && [ -n "$REMOTE_IP" ] && [ "$REMOTE_IP" != "<REMOTE_IP>" ]; then
    mkdir -p /var/lib/keylime/cv_ca
    mkdir -p /etc/keylime/agent.conf.d
    cat <<EOF > /etc/keylime/agent.conf.d/agent.conf
--- a/rust-keylime-image.changes
+++ b/rust-keylime-image.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Oct 20 11:03:57 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Drop rust-keylime-start.sh CMD script
+- Replace "-a" with "&&" in the configure script
+- Drop docker-entrypoint.sh script
+- Add README documentation
+
 -------------------------------------------------------------------
 Mon Oct 10 12:03:21 UTC 2022 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/rust-keylime-start.sh
+++ b/rust-keylime-start.sh
@ -1,5 +0,0 @@
-#!/bin/sh
-
-set -e
-
-RUST_LOG=keylime_agent=info /usr/bin/keylime_agent