Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft: Remove keylime.conf #1133

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Draft: Remove keylime.conf #1133

wants to merge 17 commits into from

Conversation

ansasaki
Copy link
Contributor

Remove all mentions to the old configuration file keylime.conf.

@ansasaki
README: Remove mentions to keylime.conf
d6d2bb1 
This also updates the configuration description.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove mentions to keylime.conf from secure payload user guide
1b90148 
Also update the options names used on the examples.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove mentions to keylime.conf from runtime ima user guide
0c9f789 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove mentions to keylime.conf from PCR monitoring user guide
8404105 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
demo: Remove mentions to keylime.conf from README
f01a482 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
docs/installation: Remove mentions to keylime.conf
eaa678e 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove mentions to keylime.conf from measured boot user guide
15fa353 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove mentions to keylime.conf from old agent tarball notes
b890f08 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
keylime_agent: Remove mentions to keylime.conf
b44bc0c 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki ansasaki changed the title Remove keylime.conf Draft: Remove keylime.conf Oct 14, 2022
@ansasaki
Copy link
Contributor Author

I need to fix the test scripts to generate the configuration files. Leaving this as a draft for now.

mpeters
mpeters reviewed Oct 14, 2022
View reviewed changes
installer.sh Outdated
@@ -409,7 +409,7 @@ echo "==========================================================================
mkdir -p /etc/keylime
mkdir -p config
pushd scripts
python3 convert_config.py --input ../keylime.conf --out ../config
python3 convert_config.py --input /dev/null --out ../config
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this using /dev/null as input?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The goal is to provide an empty input to:

  • use the default values for all options
  • not use the system installed configuration files. If no input is provided, the convert_config.py script will try to use the system installed configuration.

I think I can modify the script to accept a new option to used default values for all options instead of using this workaround.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use --input as optional, and it will default to None. This can signal what you want, and the cli will be clear: python3 convert_config --out ../config

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default behavior when no input is provided is to use the system installed configuration files as input to generate upgraded config without changing the user set options. This is already implemented.

What I want is to use the default values for the options ignoring any eventual system installed files. The workaround was to provide an empty file as input (so that it wouldn't search for the system installed files). But it is kind of ugly.

I decided to add a separate option --defaults to make the script to ignore any input.

@ansasaki
convert_config: Add --defaults option to use default values
113937c 
When the '--defaults' option is provided, the script will ignore input
files and the system installed files and will use the default value for
all options.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
setup: Don't use keylime.conf to generate the split configuration
91b04c9 
The split configuration files can be generated without any input by
using the default values for all options.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Correctly strip elements of a list on config v2.0 adjust script
e0f1f5d 
The resulting elements after the manual splitting of a list were not
correctly stripped to remove leading/trailing white spaces.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Fix default values in mappings
ae85006 
Some of the default values in the mappings would result in a
configuration not functional out of the box.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
docker/ci/Dockerfile: Remove mention to keylime.conf
9ab79ea 
Install keylime using the installer.sh script instead of moving only the
old configuration file.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
Remove old keylime.conf file
b2c208b 
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@ansasaki
installer: Remove mention to keylime.conf
6d74a33 
Use the default values for all options.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@codecov-commenter
Copy link

Codecov Report

Merging #1133 (af36199) into master (f969d39) will decrease coverage by 15.83%.
The diff coverage is 0.00%.

❗ Current head af36199 differs from pull request most recent head 6d74a33. Consider uploading reports for the commit 6d74a33 to get more accurate results

Additional details and impacted files
Flag Coverage Δ
packit-e2e 55.36% <0.00%> (-17.05%) ⬇️
testsuite 48.92% <0.00%> (-5.22%) ⬇️
unittests 14.61% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
keylime/keylime_agent.py 37.11% <0.00%> (-36.35%) ⬇️
keylime/elchecking/example.py 20.00% <0.00%> (-74.00%) ⬇️
keylime/elchecking/tests.py 26.20% <0.00%> (-55.77%) ⬇️
keylime/tpm_ek_ca.py 30.43% <0.00%> (-52.18%) ⬇️
keylime/cloud_verifier_common.py 32.16% <0.00%> (-48.26%) ⬇️
keylime/measured_boot.py 20.33% <0.00%> (-45.77%) ⬇️
keylime/ima/file_signatures.py 33.82% <0.00%> (-39.71%) ⬇️
keylime/tpm/tpm_abstract.py 47.00% <0.00%> (-34.62%) ⬇️
keylime/revocation_notifier.py 29.55% <0.00%> (-32.08%) ⬇️
... and 21 more

@ansasaki
Do not install keylime nor configuration files during tests
87edc1b 
Use a virtual environment for the python components and temporary
directories for the generated files.  The dependencies are still
installed in the system.

The used configuration files are generated in a temporary directory with
the changes necessary to run the tests. The installed configuration
files are not modified.

The files generated when running run_tests.sh will be removed at the end
of the execution unless the environment variable KEEP_TMP_FILES=1.

If the tests are executed using the run_tests.sh script, all the
necessary dependencies are installed and environment variables set.

When running test_restful.py outside run_tests.sh with RUST_TEST=1, it
expects the KEYLIME_RUST_AGENT and KEYLIME_RUST_CONF environment
variables set, respectively, with the path to the rust agent binary and
the rust agent configuration file.

If the environment variables are not set, it tries to find the
rust agent binary and configuration in an adjacent directory (i.e. in
the same location run_tests.sh downloads it).

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
@THS-on
Copy link
Member

THS-on commented Oct 18, 2022

Only somewhat related: I think we should move the convert_config.py out of the scripts folder and into the keylime/cmd directory. Then we can add it as an binary to the setup.cfg. This makes it easier to ensure that this script is actually being packaged.

@ansasaki
Copy link
Contributor Author

Only somewhat related: I think we should move the convert_config.py out of the scripts folder and into the keylime/cmd directory. Then we can add it as an binary to the setup.cfg. This makes it easier to ensure that this script is actually being packaged.

I think this is a good idea, to move this script and install along the others. In future the script relevance will only grow. Another change that we should consider is to have the configuration mappings/templates which are currently in scripts/templates installed somewhere in the system (maybe /usr/share/keylime) and use this local as the default.

@ansasaki ansasaki mentioned this pull request Oct 19, 2022
Closed
@stefanberger
Copy link
Contributor

To get rid of some of the test failures you may want to rebase on master.

@THS-on THS-on mentioned this pull request Nov 10, 2022
Merged
@maugustosilva maugustosilva mentioned this pull request Nov 28, 2022
Merged
@THS-on THS-on added the breaking-change This change requires user interaction during upgrades label Dec 2, 2022
@THS-on THS-on added the cleanup label Dec 2, 2022
@THS-on
Copy link
Member

THS-on commented Jan 18, 2023

@ansasaki what is the state of this PR now that othe config PR was merged?

@ansasaki
Copy link
Contributor Author

@ansasaki what is the state of this PR now that othe config PR was merged?

I'll get back to this, but I can't promise that it will be very soon. Hopefully I will get back to this and finish before 7.0.0, but I don't consider it a release blocker.

@maugustosilva maugustosilva mentioned this pull request Feb 22, 2023
Closed
21 tasks
@THS-on
Copy link
Member

THS-on commented May 26, 2023

@ansasaki do you have the time to complete this or should I pick up this PR?

I think the changes to the converter script are already in the master branch, so it should be just fixing the merge conflict issues and seeing if we not missed something.

stefanberger
stefanberger reviewed May 26, 2023
View reviewed changes
scripts/templates/2.0/adjust.py
@@ -93,7 +93,7 @@ def adjust(config, mapping):
v = value.strip("[]").split(",")

# Eliminate surrounding blank space from each element
map(lambda x: x.strip(), v)
v = map(lambda x: x.strip(), v)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems unnecessary to assign it to v.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpeters mpeters mpeters left review comments

@aplanas aplanas aplanas left review comments

@stefanberger stefanberger stefanberger left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
breaking-change This change requires user interaction during upgrades cleanup
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@ansasaki @codecov-commenter @THS-on @stefanberger @mpeters @aplanas