Use Rust agent-specific config in Makefile #428

Merged
merged 1 commit into from
Jul 27, 2022


greyspectrum
Contributor

Signed-off-by: greyspectrum [email protected]

Closes #425 and #418

@THS-on
Member

THS-on commented Jul 20, 2022

Can you also change the default configuration path in common.rs?

@greyspectrum
Contributor Author

@THS-on Sure thing. I believe these will all need to be changed too; let me know if I'm incorrect.

```
docker/fedora/keylime_py.Dockerfile:sed -e 's/127.0.0.1/0.0.0.0/g' keylime.conf > tmp_keylime.conf && \
docker/fedora/keylime_py.Dockerfile:mv tmp_keylime.conf keylime.conf && \
docker/fedora/keylime_rust.Dockerfile:# Move keylime.conf to expected location in /etc/
docker/fedora/keylime_rust.Dockerfile:cp keylime.conf /etc/keylime.conf
src/common.rs:                        warn!("Cannot drop privileges since 'run_as' is empty in 'cloud_agent' section of keylime.conf.");
src/common.rs:                    warn!("Cannot drop privileges since 'run_as' is missing in 'cloud_agent' section of keylime.conf.");
src/common.rs:// Default test configuration. This should match the defaults in keylime.conf
src/common.rs: * KEYLIME_CONFIG or defaults to /etc/keylime.conf
src/common.rs:        //let result = config_get("keylime.conf", "general", "cloudagent_port");
src/common.rs:        assert_eq!(config_file_get(), String::from("/etc/keylime.conf"));
src/main.rs:// checks if keylime.conf indicates the payload should be unzipped, and does so if needed.
src/main.rs:            let message = "The user running the Keylime agent should be set in keylime.conf, using the parameter `run_as`, with the format `user:group`".to_string();
src/tpm.rs:/* Converts a hex value in the form of a string (ex. from keylime.conf's
src/tpm.rs:// PCR0. For example, keylime.conf specifies PCRs 15 and 22 under
src/tpm.rs:#[ignore] // This will only work as an integration test because it needs keylime.conf
tests/run.sh:KEYLIME_CONFIG=$PWD/keylime.conf \
tests/run.sh:KEYLIME_CONFIG=$PWD/keylime.conf \
```

@THS-on
Member

THS-on commented Jul 20, 2022

@kkaarreell how do you want to handle the rust agent specific config?

@THS-on
Member

THS-on commented Jul 20, 2022

@greyspectrum yes it makes sense to change them.

@greyspectrum
Contributor Author

@THS-on This should be good to go, but the integration tests expect /etc/keylime.conf still, it looks like.

@kkaarreell
Contributor

How is this supposed to work for the python keylime, in particular keylime_tenant? Is it expected that the [cloud_agent] (and [general]) section will be duplicated in keylime.conf?

@THS-on
Member

THS-on commented Jul 21, 2022

The keylime-agent.conf currently duplicates mostly the general and cloud_agent section. But in the future it will probably migrate to a toml format.

@kkaarreell
Contributor

I meant something different. Currently, keylime_tenant fails with a Traceback when the [cloud_agent] section is missing in keylime.conf. I believe keylime_tenant reads and applies some settings that have not been specified on the command line. At the same time, passing all options on the command line won't be user friendly, which makes me assume that the [cloud_agent] section would be present in keylime.conf even in the future. So what is the expected future use? Maintaining [cloud_agent] details in keylime.conf in one format and having the same settings in keylime-agent.conf in a different format?

@THS-on
Member

THS-on commented Jul 21, 2022

Ideally the tenant should work without the cloud_agent section. It currently does not because of the TPM abstraction in Keylime that initializes some defaults (that are not used by the tenant). @ansasaki with keylime/enhancements#73 moving forward, we should check if the different components start without the configuration for the other ones here.

> Maintaining [cloud_agent] details in keylime.conf in one format and having the same settings in keylime-agent.conf in a different format?

No, we will only have a deprecation phase of roughly 3 months for the Python agent. After that the Python agent and the configuration for it will be removed from the Python code.

@kkaarreell
Contributor

kkaarreell commented Jul 21, 2022

> @kkaarreell how do you want to handle the rust agent specific config?

I have just merged keylime-tests update that edits both config files. Please rerun packit tests with /packit test.

@greyspectrum
Contributor Author

/packit test

@kkaarreell
Contributor

I think one more change is needed: RedHat-SP-Security/keylime-tests#162. Please give me 30 minutes to test and merge it.

@kkaarreell
Contributor

> I think one more change is needed RedHat-SP-Security/keylime-tests#162. Please, give me 30 minutes to test and merge it.

Merged. Please rerun tests.

@ansasaki
Contributor

/packit test

@lkatalin
Contributor

@ansasaki @THS-on @kkaarreell Any objections to merging this one?

@kkaarreell
Contributor

No objections, tests should be ready.

@lkatalin lkatalin merged commit 7d722a2 into keylime:master Jul 27, 2022