1
0
Go to file
2022-10-28 17:31:58 +00:00
_service Accepting request 1030015 from home:aplanas:branches:devel:BCI:Tumbleweed 2022-10-20 08:41:39 +00:00
.gitattributes Accepting request 1030015 from home:aplanas:branches:devel:BCI:Tumbleweed 2022-10-20 08:41:39 +00:00
.gitignore Accepting request 1030015 from home:aplanas:branches:devel:BCI:Tumbleweed 2022-10-20 08:41:39 +00:00
Dockerfile Accepting request 1031952 from home:aplanas:branches:devel:microos:containers 2022-10-28 12:56:27 +00:00
keylime-agent-configure.sh Accepting request 1031952 from home:aplanas:branches:devel:microos:containers 2022-10-28 12:56:27 +00:00
README Accepting request 1031955 from home:aplanas:branches:devel:microos:containers 2022-10-28 13:01:00 +00:00
rust-keylime-image.changes Accepting request 1031955 from home:aplanas:branches:devel:microos:containers 2022-10-28 13:01:00 +00:00

Keylime agent service
---------------------

This container delivers the Keylime agent service for remote
attestation based on TPM2.  This is the component that needs to be
installed in all the monitored systems.

The control plane, that contains the Keylime services for the verifier
and the registrar, should be present in the network.


Installation and use
--------------------

The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it.

    podman pull \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

The agent service needs to be configured before it can be used.  It
will need a persistent volume where to store the certificates and the
configuration files required to find the control plane services.  We
can create this volume running the "install" label.

    podman container runlabel install \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

This will create the "keylime-agent-volume" that will be attached into
the running container.

Now we need to create a configuration file, were we indicate the UUID
for the agent and the IP of the remote verifier and registrar.  For
that we can run the "configure" label.

    podman container runlabel configure \
        registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest \
        $(uuidgen) 10.88.0.1

The last configuration step is to copy the certificate from the
control plane into the agent container.  This will allow the
connection between the agent, the verifier and the tenant.  For
details about how to extract this certificate, check the documentation
of the control plane container.

One way to copy the certificate is mounting the volume generated
during the first step.

    podman volume mount keylime-agent-volume

    cp -a cacert.crt \
      /var/lib/containers/storage/volumes/keylime-agent-volume/_data/cv_ca/.

We can now start the agent.

    podman container runlabel run \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

We can monitor the status with podman.

    podman ps

    podman logs keylime-agent-container

And finally, we can stop the services via the kill command.

    podman kill keylime-agent-container