The included patches implement graceful shutdown for both pull and push
models, cancelling pending operations, and waiting for critical
in-flight operations to finish before shutting down.

Backport the following upstream PRs:
- https://github.com/keylime/keylime/pull/1809
  - Document supported configuration options
  - Sync missing and removed options from configuration templates
- https://github.com/keylime/keylime/pull/1868
  - Remove 'enable_authentication' from agent config templates
- https://github.com/keylime/keylime/pull/1855
  - Add push-model documentation
- https://github.com/keylime/keylime/pull/1869
  - Add verifier graceful shutdown
- https://github.com/keylime/keylime/pull/1883
  - Ignore SIGTERM and SIGINT signals on Manager and parent processes
- https://github.com/keylime/keylime/pull/1886
  - Move socket from /tmp to /var/run/keylime

Also, update the keylime-selinux to the latest release (43.2.1) to
include the following changes:
- https://github.com/RedHat-SP-Security/keylime-selinux/pull/33
  - Allow Keylime to perform socket operation on /var/run/keylime
- https://github.com/RedHat-SP-Security/keylime-selinux/pull/34
  - Allow Keylime to read /proc/net to populate certificates Subject
    Alternative Names (SAN)

Documentation updates and configuration template updates were included
to allow the graceful shutdown patch to apply cleanly.

This also modifies the test runner to use pytest, adding python3-pytest
to the BuildRequires. This was necessary to allow the fixtures created in
conftest.py to be used, which is not available when running with
unittest.

Resolves: RHEL-151493
Resolves: RHEL-151408
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Resolves: RHEL-153121
Backport upstream PR https://github.com/keylime/keylime/pull/1874
to fix a race condition in the pull-mode DELETE handler where an
agent could be deleted from the database while an in-flight
attestation cycle was still running, causing 'tenant -c update'
to intermittently fail with "Agent was not deleted from Verifier
after 5 tries".
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

Resolves: #RHEL-153811
Backport upstream fixes for database connection pool exhaustion
that occurred during multi-host push attestation with multiple
agents, causing QueuePool timeout and HTTP 500 errors.
Upstream commits:
- 5b622eae Close DB sessions to prevent connection exhaustion
- bc28d5d2 Include thread-safe session management
- 4f5f09a6 Address some improvements from code review
- 309a0ef0 Fix race condition in SessionManager
- e75921f0 Fix linter errors in PersistableModel.get() and .all()
- 2d809d8b refactor: Remove dead code AuthSession.authenticate_agent()
- e935df8f db: Clean up scoped session after each request
- 08c0c67c fix: Check active flag in _extract_identity and guard receive_pop
- d74e7499 fix: Add fork-safety to DBManager via dispose()
Signed-off-by: Sergio Arroutbi <sarroutb@redhat.com>

The previous fix attempt on commit 9ae48db was incorrect. This is a
replacement for that fix.
Restore the possibility of using an alternative certificate verification
script to verify the EK certificate.
Resolves: RHEL-111239
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Restore the possibility of using an alternative certificate verification
script to verify the EK certificate.
Resolves: RHEL-111239
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

tpm2_eventlog may provide the vendor_db data as either a signature list
or raw hex bytes, depending on the version used.
In this commit we add an enrich_vendor_db_authority_variable() function
to make sure we end up with a signature list independent of the format
of the data obtained by tpm2_eventlog.
Related: RHEL-108844
Signed-off-by: Sergio Correia <scorreia@redhat.com>

The TPM cert store is now deployed to /usr/share/keylime/tpm_cert_store
and we use tmpfiles.d to sync the content there to the place where Keylime
will read the certificates from, /var/lib/keylime/tpm_cert_store.
Resolves: RHEL-76925
Signed-off-by: Sergio Correia <scorreia@redhat.com>

The functionality provided by these scripts is now provided by the
keylime-policy tool.
Resolves: RHEL-79831
Signed-off-by: Sergio Correia <scorreia@redhat.com>

- Include system installed CA certificates when verifying webhook server
  certificate
- Include the CA certificates added via configuration file option
  'trusted_server_ca'
Resolves: RHEL-49601
Resolves: RHEL-51279
Resolves: RHEL-51321
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

* Remove python3-keylime-agent subpackage
  It had been removed upstream in the 7.0.0 release
* Update dependencies:
  Add python3-jsonschema to python3-keylime
  Add openssl to keylime-base (required by the ek-openssl-verify
  script)