Minimize test images customization

Minimize test images customization to make possible to easily test other images. Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>
RedHat-SP-Security · Jul 18, 2023 · 5f1ef93 · 5f1ef93
1 parent f8cd27f
commit 5f1ef93
Show file tree

Hide file tree

Showing 12 changed files with 195 additions and 107 deletions.
diff --git a/Library/test-helpers/Dockerfile.agent b/Library/test-helpers/Dockerfile.agent
@@ -1,9 +1,8 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-agent-rust util-linux-core openssh openssh-server which && \
-  dnf clean all && \
-  ssh-keygen -A && mkdir -p /root/.ssh && \
-  cat /root/id_*.pub > /root/.ssh/authorized_keys && \
-  chmod 700 /root/.ssh/authorized_keys && \
-  chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-agent-rust util-linux-core which && \
+  dnf clean all
+
+EXPOSE 9002
+EXPOSE 8892
+
+CMD ["keylime_agent"]
diff --git a/Library/test-helpers/Dockerfile.registrar b/Library/test-helpers/Dockerfile.registrar
@@ -1,9 +1,8 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-registrar openssh openssh-server which && \
-  dnf clean all && \
-  ssh-keygen -A && mkdir -p /root/.ssh && \
-  cat /root/id_*.pub > /root/.ssh/authorized_keys && \
-  chmod 700 /root/.ssh/authorized_keys && \
-  chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-registrar which && \
+  dnf clean all
+
+EXPOSE 8890
+EXPOSE 8891
+
+CMD ["keylime_registrar"]
diff --git a/Library/test-helpers/Dockerfile.upstream.c9s b/Library/test-helpers/Dockerfile.upstream.c9s
@@ -1,11 +1,6 @@
 FROM quay.io/centos/centos:stream9
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
 COPY lime_con_install_upstream.sh /usr/local/bin/lime_con_install_upstream
-COPY id_*.pub /root/
 RUN chmod a+x /usr/local/bin/lime_con_* && \
     mkdir -p /mnt/keylime_sources && \
     cp -r /mnt/keylime_sources /var/tmp/keylime_sources && \
-    /usr/local/bin/lime_con_install_upstream && \
-    ssh-keygen -A && mkdir -p /root/.ssh && \
-    cat /root/id_*.pub > /root/.ssh/authorized_keys && \
-    chmod 700 /root/.ssh/authorized_keys
+    /usr/local/bin/lime_con_install_upstream
diff --git a/Library/test-helpers/Dockerfile.verifier b/Library/test-helpers/Dockerfile.verifier
@@ -1,9 +1,7 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-verifier openssh openssh-server which && \
-  dnf clean all && \
-  ssh-keygen -A && mkdir -p /root/.ssh && \
-  cat /root/id_*.pub > /root/.ssh/authorized_keys && \
-  chmod 700 /root/.ssh/authorized_keys && \
-  chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-verifier which && \
+  dnf clean all
+
+EXPOSE 8881
+
+CMD ["keylime_verifier"]
diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
@@ -1968,7 +1968,6 @@ true <<'=cut'
 
 Prepare podman image. Specify docker file and name tag for building images.
 If /var/tmp/keylime_sources is present, it is copied to the container.
-Also the ssh access is set up for the container.
 
     limeconPrepareImage DOCKER_FILE TAG
 
@@ -2006,12 +2005,7 @@ limeconPrepareImage() {
         ARGS="--volume /var/tmp/keylime_sources:/mnt/keylime_sources:z"
     fi
 
-    #set up for ssh access
-    ls /root/.ssh/id_*.pub &>/dev/null || ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
-    cp /root/.ssh/id_*.pub .
-    cp ${limeLibraryDir}/lime_con_* .
-
-    CMDLINE="podman build $ARGS -t=$TAG --file $DOCKER_FILE ."
+    CMDLINE="podman build $ARGS -t=$TAG --file=$DOCKER_FILE"
     echo -e "\nRunning podman:\n$CMDLINE"
     $CMDLINE
 }
@@ -2023,7 +2017,7 @@ true <<'=cut'
 
 Container run via podman with specified parameters.
 
-    limeconRun NAME TAG IP NETWORK COMMAND EXTRA_PODMAN_ARGS
+    limeconRun NAME TAG IP NETWORK EXTRA_PODMAN_ARGS [COMMAND]
 
 If cv_ca directory is present in the current directory, it
 will be copied to /var/lib/keylime/cv_ca of the running container.
@@ -2044,14 +2038,14 @@ IP address of container.
 
 Name of used podman network.
 
-=item COMMAND
-
-Specify running command at start of container.
-
 =item EXTRA_PODMAN_ARGS
 
 Specify setup of starting container.
 
+=item COMMAND
+
+Specify command to run on the container.
+
 =back
 
 Returns 0.
@@ -2064,14 +2058,10 @@ limeconRun() {
     local TAG=$2
     local IP=$3
     local NETWORK=$4
-    local COMMAND=$5
-    local EXTRA_PODMAN_ARGS=$6
+    local EXTRA_PODMAN_ARGS=$5
+    local COMMAND=$6
     local CMDLINE
 
-    if [ -d cv_ca ]; then
-        EXTRA_PODMAN_ARGS="--volume $PWD/cv_ca:/mnt/cv_ca:z $EXTRA_PODMAN_ARGS"
-    fi
-
     CMDLINE="podman run -d --name $NAME --net $NETWORK --ip $IP --cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_CHROOT $EXTRA_PODMAN_ARGS localhost/$TAG $COMMAND"
     echo -e "\nRunning podman:\n$CMDLINE"
     $CMDLINE
@@ -2084,7 +2074,7 @@ true <<'=cut'
 
 Container run via podman with specified parameters.
 
-    limeconRunAgent NAME TAG IP NETWORK AGENT_FILE TESTDIR
+    limeconRunAgent NAME TAG IP NETWORK TESTDIR COMMAND [CONFDIR] [CERTDIR] [PORT] [REV_PORT]
 
 =item NAME
 
@@ -2102,13 +2092,31 @@ IP address of container.
 
 Name of used podman network.
 
-=item AGENT_FILE
+=item TESTDIR
 
-Mounted dir with configuration file.
+Local directory to be mounted inside the container.
 
-=item TESTDIR
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Local directory containing the agent configuration file.
 
-Mounted test dir.
+=item CERTDIR
+
+Local directory containing the trusted ca certificate files.
+
+=item PORT
+
+The host port to map to the port the agent will listen for requests.
+If not provided, no mapping will occur
+
+=item REV_PORT
+
+The host port to map to the port the agent will listen for revocation notifications.
+If not provided, no mapping will occur
 
 =back
 
@@ -2122,10 +2130,37 @@ limeconRunAgent() {
     local TAG=$2
     local IP=$3
     local NETWORK=$4
-    local AGENT_FILE=$5
-    local TESTDIR=$6
+    local TESTDIR=$5
+    local COMMAND=$6
+    local CONFDIR=$7
+    local CERTDIR=$8
+    local PORT=$9
+    local REV_PORT=${10}
+
+    if [ -n "$PORT" ]; then
+        ADD_PORT="-p $PORT:9002"
+        PUBLISH_PORTS="-P"
+    fi
+
+    if [ -n "$REV_PORT" ]; then
+        ADD_REV_PORT="-p $REV_PORT:8992"
+        PUBLISH_PORTS="-P"
+    fi
 
-    limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_agent" "--privileged --volume=${AGENT_FILE}:/etc/keylime/ --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=${TESTDIR}:${TESTDIR}:rw --device=/dev/tpmrm0"
+    local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --tmpfs /var/lib/keylime/secure --volume=$TESTDIR:$TESTDIR --device=/dev/tpm0 --device=/dev/tpmrm0 -e RUST_LOG=keylime_agent=trace"
+
+    if [ -n "$CONFDIR" ]; then
+        EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z $EXTRA_ARGS"
+    fi
+
+    if [ -n "$CERTDIR" ]; then
+        EXTRA_ARGS="--volume ${CERTDIR}:/var/lib/keylime/cv_ca/:z $EXTRA_ARGS"
+        # Find out better way to handle this: keylime inside the container needs access to the CA certificate
+        # On rootless container, this could be done with 'podman unshare'
+        podman run --rm --attach stdout $EXTRA_ARGS localhost/agent_image chown -R keylime:keylime /var/lib/keylime/cv_ca
+    fi
+
+    limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 
 true <<'=cut'
@@ -2135,7 +2170,7 @@ true <<'=cut'
 
 Container run via podman with specified parameters.
 
-    limeconRunRegistrar NAME TAG IP NETWORK
+    limeconRunRegistrar NAME TAG IP NETWORK COMMAND [CONFDIR] [CERTDIR] [PORT] [TLS_PORT]
 
 =item NAME
 
@@ -2153,6 +2188,24 @@ IP address of container.
 
 Name of used podman network.
 
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Directory containing the registrar configuration.
+
+=item PORT
+
+The host port to map to the port the registrar will listen for agent registration requests.
+If not provided, no mapping will occur
+
+=item TLS_PORT
+
+The host port to map to the port the registrar will listen for requests.
+If not provided, no mapping will occur
+
 =back
 
 Returns 0.
@@ -2165,8 +2218,33 @@ limeconRunRegistrar() {
     local TAG=$2
     local IP=$3
     local NETWORK=$4
+    local COMMAND=$5
+    local CONFDIR=$6
+    local CERTDIR=$7
+    local PORT=$8
+    local TLS_PORT=$9
+
+    if [ -n "$PORT" ]; then
+        ADD_PORT="-p $PORT:8890"
+        PUBLISH_PORTS="-P"
+    fi
 
-    limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_registrar" "--volume=/etc/keylime/:/etc/keylime/"
+    if [ -n "$TLS_PORT" ]; then
+        ADD_TLS_PORT="-p $TLS_PORT:8991"
+        PUBLISH_PORTS="-P"
+    fi
+
+    local EXTRA_ARGS="${ADD_PORT} ${ADD_TLS_PORT} ${PUBLISH_PORTS}"
+
+    if [ -n "$CONFDIR" ]; then
+        EXTRA_ARGS="--volume $CONFDIR:/etc/keylime/:z $EXTRA_ARGS"
+    fi
+
+    if [ -n "$CERTDIR" ]; then
+        EXTRA_ARGS="--volume $CERTDIR:/var/lib/keylime/cv_ca:z $EXTRA_ARGS"
+    fi
+
+    limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 
 true <<'=cut'
@@ -2223,7 +2301,7 @@ true <<'=cut'
 
 Container run via podman with specified parameters.
 
-    limeconRunVerifier NAME TAG IP NETWORK
+    limeconRunVerifier NAME TAG IP NETWORK COMMAND [CONFDIR] [CERTDIR] [PORT]
 
 =item NAME
 
@@ -2241,6 +2319,23 @@ IP address of container.
 
 Name of used podman network.
 
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Directory containing the verifier configuration files.
+
+=item CERTDIR
+
+Local directory containing the certificate files.
+
+=item PORT
+
+The host port to map to the port the verifier will listen for requests.
+If not provided, no mapping will occur
+
 =back
 
 Returns 0.
@@ -2253,8 +2348,27 @@ limeconRunVerifier() {
     local TAG=$2
     local IP=$3
     local NETWORK=$4
+    local COMMAND=$5
+    local CONFDIR=$6
+    local CERTDIR=$7
+    local PORT=$8
+
+    if [ -n "$PORT" ]; then
+        ADD_PORT="-p $PORT:8881"
+        PUBLISH_PORTS="-P"
+    fi
+
+    local EXTRA_ARGS="${ADD_PORT} ${PUBLISH_PORTS}"
+
+    if [ -n "$CONFDIR" ]; then
+        EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z"
+    fi
+
+    if [ -n "$CERTDIR" ]; then
+        EXTRA_ARGS="--volume ${CERTDIR}:/var/lib/keylime/cv_ca:z $EXTRA_ARGS"
+    fi
 
-    limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_verifier" "--volume=/etc/keylime/:/etc/keylime/"
+    limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 
 true <<'=cut'

diff --git a/Library/test-helpers/lime_con_install_upstream.sh b/Library/test-helpers/lime_con_install_upstream.sh
@@ -69,11 +69,6 @@ yum -y install keylime-agent-rust
 curl -o /etc/keylime/keylime-agent.conf https://raw.githubusercontent.com/keylime/rust-keylime/master/keylime-agent.conf
 mkdir -p /etc/systemd/system/keylime_agent.service.d
 mkdir -p /etc/keylime/agent.conf.d
-# configure agent to use sha256 in TPM
-cat > /etc/keylime/agent.conf.d/tpm_hash_alg.conf <<_EOF
-[agent]
-tpm_hash_alg = "sha256"
-_EOF
 
 # fix conf file ownership
 useradd keylime

diff --git a/Library/test-helpers/lime_con_start.sh b/Library/test-helpers/lime_con_start.sh