Resolves: #RHEL-153811
Backport upstream fixes for database connection pool exhaustion
that occurred during multi-host push attestation with multiple
agents, causing QueuePool timeout and HTTP 500 errors.
Upstream commits:
- 5b622eae Close DB sessions to prevent connection exhaustion
- bc28d5d2 Include thread-safe session management
- 4f5f09a6 Address some improvements from code review
- 309a0ef0 Fix race condition in SessionManager
- e75921f0 Fix linter errors in PersistableModel.get() and .all()
- 2d809d8b refactor: Remove dead code AuthSession.authenticate_agent()
- e935df8f db: Clean up scoped session after each request
- 08c0c67c fix: Check active flag in _extract_identity and guard receive_pop
- d74e7499 fix: Add fork-safety to DBManager via dispose()
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>
The previous fix attempt on commit 9ae48db was incorrect. This is a
replacement for that fix.
Restore the possibility of using an alternative certificate verification
script to verify the EK certificate.
Resolves: RHEL-111239
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
tpm2_eventlog may provide the vendor_db data as either a signature list
or raw hex bytes, depending on the version used.
In this commit we add an enrich_vendor_db_authority_variable() function
to make sure we end up with a signature list independent of the format
of the data obtained by tpm2_eventlog.
Related: RHEL-108844
Signed-off-by: Sergio Correia <scorreia@redhat.com>
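The normalization described in the commit above, as an added example that is not keylime's own code: a raw hex vendor_db is walked as concatenated UEFI EFI_SIGNATURE_LIST structures (size fields are bounds-checked rather than trusted), while an already-parsed list is passed through. The function name normalize_vendor_db, the output dict layout and the sample GUID/digest are assumptions made here, not values from the project.

```python
import struct
import uuid
from typing import Any, Dict, List, Union

# EFI_SIGNATURE_LIST prefix: SignatureType GUID, then SignatureListSize,
# SignatureHeaderSize and SignatureSize as little-endian UINT32 (UEFI spec).
_SIGLIST_HDR = struct.Struct("<16sIII")
EFI_CERT_SHA256_GUID = "c1c41626-504c-4092-aca9-41f936934328"

def _guid(raw: bytes) -> str:
    """Render a 16-byte mixed-endian EFI GUID in its textual form."""
    return str(uuid.UUID(bytes_le=raw))

def parse_signature_lists(data: bytes) -> List[Dict[str, Any]]:
    """Walk concatenated EFI_SIGNATURE_LIST structures; reject sizes that would overrun."""
    lists: List[Dict[str, Any]] = []
    off = 0
    while off < len(data):
        if len(data) - off < _SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _SIGLIST_HDR.unpack_from(data, off)
        end = off + list_size                      # end of this list
        body = off + _SIGLIST_HDR.size + hdr_size  # first EFI_SIGNATURE_DATA entry
        if end > len(data) or body > end:
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16 or (end - body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        keys = [{"SignatureOwner": _guid(data[k:k + 16]),
                 "SignatureData": data[k + 16:k + sig_size].hex()}
                for k in range(body, end, sig_size)]
        lists.append({"SignatureType": _guid(sig_type),
                      "SignatureHeader": data[off + _SIGLIST_HDR.size:body].hex(),
                      "Keys": keys})
        off = end
    return lists

def normalize_vendor_db(vendor_db: Union[str, List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Return a signature list whether tpm2_eventlog emitted one or a raw hex string."""
    if isinstance(vendor_db, list):
        return vendor_db
    if isinstance(vendor_db, str):
        return parse_signature_lists(bytes.fromhex(vendor_db))
    raise TypeError(f"unexpected vendor_db type {type(vendor_db).__name__}")

# Constructed sample (not real firmware data): one EFI_CERT_SHA256 list, one entry.
_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DIGEST = bytes(range(32))
SAMPLE_VENDOR_DB_HEX = (_SIGLIST_HDR.pack(uuid.UUID(EFI_CERT_SHA256_GUID).bytes_le,
                                          _SIGLIST_HDR.size + 48, 0, 48)
                        + _OWNER.bytes_le + SAMPLE_DIGEST).hex()
```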
The TPM cert store is now deployed to /usr/share/keylime/tpm_cert_store
and we use tpmfiles.d to sync the content there to the place where Keylime
will read the certificates from, /var/lib/keylime/tpm_cert_store.
Resolves: RHEL-76925
Signed-off-by: Sergio Correia <scorreia@redhat.com>
The functionality provided by these scripts is now provided by the
keylime-policy tool.
Resolves: RHEL-79831
Signed-off-by: Sergio Correia <scorreia@redhat.com>
- Include system installed CA certificates when verifying webhook server
certificate
- Include the CA certificates added via configuration file option
'trusted_server_ca'
Resolves: RHEL-49601
Resolves: RHEL-51279
Resolves: RHEL-51321
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
* Remove python3-keylime-agent subpackage
It had been removed upstream in the 7.0.0 release
* Update dependencies:
Add python3-jsonschema to python3-keylime
Add openssl to keylime-base (required by the ek-openssl-verify
script)