File README of Package rust-keylime-image

Overview Repositories Revisions Requests Users Attributes Meta

File README of Package rust-keylime-image

Keylime agent service
---------------------

This container delivers the Keylime agent service for remote
attestation based on TPM2.  This is the component that needs to be
installed in all the monitored systems.

The control plane, that contains the Keylime services for the verifier
and the registrar, should be present in the network.

Installation and use
--------------------

The container is already present in the OBS project
devel:microos:containers, and can be pulled directly from it.

podman pull \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

The agent service needs to be configured before it can be used.  It
will need a persistent volume where to store the certificates and the
configuration files required to find the control plane services.  We
can create this volume running the "install" label.

podman container runlabel install \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

This will create the "keylime-agent-volume" that will be attached into
the running container.

Now we need to create a configuration file, were we indicate the UUID
for the agent and the IP of the remote verifier and registrar.  For
that we can run the "configure" label.

podman container runlabel configure \
        registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest \
        $(uuidgen) 10.88.0.1

The last configuration step is to copy the certificate from the
control plane into the agent container.  This will allow the
connection between the agent, the verifier and the tenant.  For
details about how to extract this certificate, check the documentation
of the control plane container.

One way to copy the certificate is mounting the volume generated
during the first step.

podman volume mount keylime-agent-volume

cp -a cacert.crt \
      /var/lib/containers/storage/volumes/keylime-agent-volume/_data/cv_ca/.

We can now start the agent.

podman container runlabel run \
      registry.opensuse.org/devel/microos/containers/containerfile/opensuse/keylime-agent:latest

We can monitor the status with podman.

podman ps

podman logs keylime-agent-container

And finally, we can stop the services via the kill command.

podman kill keylime-agent-container

Places

File README of Package rust-keylime-image

Places