[CentOS-devel] Keylime configuration changes

Tue Sep 27 08:22:50 UTC 2022
Anderson Sasaki <ansasaki at redhat.com>

Hello,

We would like to announce that the new versions of the keylime and
keylime-agent-rust packages will include major changes in their
configuration files. These changes were introduced in the upstream Keylime
6.5.0 release [1] and rust-keylime 0.1.0 release [2], and implement the
specification from the enhancement proposal [3]. The goal of the changes is
to make the configuration process easier, with more intuitive and
consistent options.

The first and more notable change is the split of the previous single file
configuration into multiple per-component configuration files. The old
“/etc/keylime.conf” file is replaced with six separate configuration files:


   -

   /etc/keylime/agent.conf: the Keylime agent configuration file
   -

   /etc/keylime/verifier.conf: the Keylime verifier configuration file
   -

   /etc/keylime/registrar.conf: the Keylime registrar configuration file
   -

   /etc/keylime/tenant.conf: the Keylime tenant configuration file
   -

   /etc/keylime/ca.conf: the shared CA configuration file
   -

   /etc/keylime/logging.conf: the shared logging configuration file


The “ca.conf” and “logging.conf” are shared configuration files that need
to be present regardless of the Keylime component installed. In CentOS
Stream they are included in the keylime-base subpackage which is required
by the other components.

The other configuration files are delivered as part of the respective
component subpackage. For example, the keylime-verifier subpackage includes
the “verifier.conf” file.

Another feature introduced is the ability to override the default
configuration options through configuration snippets. For each component
configuration file, there is a respective /etc/keylime/*.conf.d directory
where the user can place files containing snippets to override previously
set options. This is the recommended way of overriding configuration
options instead of modifying the default configuration file directly. Keep
in mind that the configuration processing applies the snippets files in
lexicographic order. The last value set to an option is kept.

Finally, various options names were modified, especially those related with
the TLS configuration. The goal was to make them consistent and intuitive,
using the same option name for similar configurations in all components.
For example, the “server_key” option sets the private key file used by the
server for each of the components that run a server.

For more information, please refer to the enhancement proposal [3] or
contact us on upstream Slack channel [4] (#keylime on CNCF Slack instance).

Thank you,

Keylime development team

[1] https://github.com/keylime/keylime/releases/tag/v6.5.0

[2] https://github.com/keylime/rust-keylime/releases/tag/v0.1.0

[3]
https://github.com/keylime/enhancements/blob/master/72_config_and_simplify_tls.md

[4] https://cloud-native.slack.com/messages/C01ARE2QUTZ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20220927/dc26a007/attachment-0002.html>