Hello,
We would like to announce that the new versions of the keylime and keylime-agent-rust packages will include major changes in their configuration files. These changes were introduced in the upstream Keylime 6.5.0 release [1] and rust-keylime 0.1.0 release [2], and implement the specification from the enhancement proposal [3]. The goal of the changes is to make the configuration process easier, with more intuitive and consistent options.
The first and most notable change is the split of the previous single configuration file into multiple per-component configuration files. The old “/etc/keylime.conf” file is replaced with six separate configuration files:
- /etc/keylime/agent.conf: the Keylime agent configuration file
- /etc/keylime/verifier.conf: the Keylime verifier configuration file
- /etc/keylime/registrar.conf: the Keylime registrar configuration file
- /etc/keylime/tenant.conf: the Keylime tenant configuration file
- /etc/keylime/ca.conf: the shared CA configuration file
- /etc/keylime/logging.conf: the shared logging configuration file
The “ca.conf” and “logging.conf” files are shared and must be present regardless of which Keylime component is installed. In CentOS Stream they are included in the keylime-base subpackage, which is required by the other component subpackages.
The other configuration files are delivered as part of the respective component subpackage. For example, the keylime-verifier subpackage includes the “verifier.conf” file.
Another feature introduced is the ability to override the default configuration options through configuration snippets. For each component configuration file there is a matching /etc/keylime/*.conf.d directory (for example, /etc/keylime/agent.conf.d for agent.conf) where the user can place files containing snippets that override previously set options. This is the recommended way of overriding configuration options, instead of modifying the default configuration file directly. Keep in mind that the snippet files are applied after the base file, in lexicographic order of their file names, and the last value set for an option wins.
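To make the precedence rule concrete, here is an added example in Python (it is not Keylime's own configuration loader, and it is not part of the original announcement). It reads a base component file, then the *.conf files in the sibling .conf.d directory in lexicographic order, and records which file set each option last, which is the question you end up asking when a value is not what you expected. The [agent] section name, the "port" option, the snippet names and the file contents are constructed for the example; only "server_key" is an option name taken from the announcement, and the ".conf" suffix filter is an assumption rather than something the announcement specifies. The example also shows a trap with lexicographic ordering: "10-site.conf" sorts before "9-local.conf", so zero-pad numeric prefixes if you rely on them.

```python
"""Added example (not Keylime's own code): the drop-in precedence rule
described above -- base file first, then every *.conf in the matching
<name>.conf.d/ directory in lexicographic order, last value wins."""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def config_file_order(base_conf: Path) -> List[Path]:
    """Files contributing to one component's configuration, in the order
    they take effect: the base file, then every *.conf in the sibling
    <base>.d/ directory sorted by file name (plain lexicographic order).
    The ".conf" suffix filter is an assumption of this example."""
    dropin_dir = base_conf.with_name(base_conf.name + ".d")
    files = [base_conf]
    if dropin_dir.is_dir():
        files += sorted(
            (p for p in dropin_dir.iterdir() if p.is_file() and p.suffix == ".conf"),
            key=lambda p: p.name,
        )
    return files


def effective_config(base_conf: Path, section: str) -> Dict[str, Tuple[str, str]]:
    """Merge the files from config_file_order(); a later file overrides an
    earlier one. Each option maps to (value, path of the file that set it),
    so you can answer "which snippet made this value active?"."""
    merged: Dict[str, Tuple[str, str]] = {}
    for path in config_file_order(base_conf):
        parser = configparser.ConfigParser()
        parser.read(path)
        if parser.has_section(section):
            for key, value in parser.items(section):
                merged[key] = (value, str(path))
    return merged


def build_demo_tree(root: Path) -> Path:
    """Write a constructed agent.conf plus two drop-in snippets under root.
    Values, the [agent] section and the 'port' option are illustrative;
    'server_key' is the option name mentioned in the announcement."""
    base = root / "agent.conf"
    base.write_text("[agent]\nserver_key = default-private.pem\nport = 9002\n")
    dropin = root / "agent.conf.d"
    dropin.mkdir()
    (dropin / "10-site.conf").write_text("[agent]\nserver_key = site.pem\n")
    # "9-local.conf" sorts AFTER "10-site.conf" ('9' > '1'), so it wins.
    (dropin / "9-local.conf").write_text("[agent]\nserver_key = local.pem\n")
    # A file without the .conf suffix is ignored by config_file_order().
    (dropin / "README").write_text("notes, not configuration\n")
    return base


def demo() -> Dict[str, Tuple[str, str]]:
    """Build the constructed tree in a temp dir and return the effective
    [agent] options with the base name of the file that set each one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo_tree(Path(tmp))
        result = effective_config(base, "agent")
        summary = {k: (v, os.path.basename(s)) for k, (v, s) in result.items()}
        for key, (value, source) in summary.items():
            print(f"{key} = {value}    (set by {source})")
        return summary


if __name__ == "__main__":
    demo()
```

Running it shows server_key = local.pem set by 9-local.conf, not site.pem from 10-site.conf, while port keeps the base value because no snippet touches it. The same check against a real host is a matter of pointing effective_config() at /etc/keylime/agent.conf and the component's section.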
Finally, various option names were changed, especially those related to the TLS configuration. The goal was to make them consistent and intuitive, using the same option name for equivalent settings in all components. For example, the “server_key” option sets the private key file used by the server in each of the components that run one.
For more information, please refer to the enhancement proposal [3] or contact us on the upstream Slack channel [4] (#keylime on the CNCF Slack instance).
Thank you,
Keylime development team
[1] https://github.com/keylime/keylime/releases/tag/v6.5.0
[2] https://github.com/keylime/rust-keylime/releases/tag/v0.1.0
[3] https://github.com/keylime/enhancements/blob/master/72_config_and_simplify_t...