7.10. 配置 IBM 安全执行证书和密钥
您必须为 worker 节点配置 IBM Secure Execution (SE)证书和密钥。
先决条件
- 有堡垒节点的 IP 地址。
- 您有 worker 节点的内部 IP 地址。
流程
通过执行以下步骤来获取 attestation 策略字段:
运行以下命令,创建一个目录来下载
GetRvps.sh脚本:$ mkdir -p Rvps-Extraction/
运行以下命令来下载脚本:
$ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/GetRvps.sh -O $PWD/GetRvps.sh
运行以下命令来创建子目录:
$ mkdir -p Rvps-Extraction/static-files
运行以下命令进入
static-files目录:$ cd Rvps-Extraction/static-files
运行以下命令下载
pvextract-hdr工具:$ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/static-files/pvextract-hdr -O $PWD/pvextract-hdr
运行以下命令使工具可执行:
$ chmod +x pvextract-hdr
运行以下命令下载
se_parse_hdr.py脚本:$ wget https://github.com/openshift/sandboxed-containers-operator/raw/devel/scripts/rvps-extraction/static-files/se_parse_hdr.py -O $PWD/se_parse_hdr.py
运行以下命令,将主机密钥文档(HKD)证书复制到
static-files目录中:$ cp ~/path/to/<hkd_cert.crt> .
static-files目录包含以下文件:-
HKD.crt -
pvextract-hdr -
se_parse_hdr.py
-
运行以下命令进入
Rvps-Extraction目录:$ cd ..
运行以下命令使
GetRvps.sh脚本可执行:$ chmod +x GetRvps.sh
运行脚本:
$ ./GetRvps.sh
输出示例
***Installing necessary packages for RVPS values extraction *** Updating Subscription Management repositories. Last metadata expiration check: 0:37:12 ago on Mon Nov 18 09:20:29 2024. Package python3-3.9.19-8.el9_5.1.s390x is already installed. Package python3-cryptography-36.0.1-4.el9.s390x is already installed. Package kmod-28-10.el9.s390x is already installed. Dependencies resolved. Nothing to do. Complete! ***Installation Finished *** 1) Generate the RVPS From Local Image from User pc 2) Generate RVPS from Volume 3) Quit Please enter your choice:
输入
2从卷生成参考值提供程序服务:Please enter your choice: 2
为 libvirt 池名称输入
fa-pp:Enter the Libvirt Pool Name: fa-pp
输入 libvirt 网关 URI:
Enter the Libvirt URI Name: <libvirt-uri> 1- 1
- 指定用于创建 对等 pod secret 的
LIBVIRT_URI值。
为 libvirt 卷名称输入
fa-pp-vol:Enter the Libvirt Volume Name: fa-pp-vol
输出示例
Downloading from PODVM Volume... mount: /mnt/myvm: special device /dev/nbd3p1 does not exist. Error: Failed to mount the image. Retrying... Mounting on second attempt passed /dev/nbd3 disconnected SE header found at offset 0x014000 SE header written to '/root/Rvps-Extraction/output-files/hdr.bin' (640 bytes) se.tag: 42f3fe61e8a7e859cab3bb033fd11c61 se.image_phkh: 92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508 provenance = ewogICAgInNlLmF0dGVzdGF0aW9uX3Boa2giOiBbCiAgICAgICAgIjkyZDBhZmY2ZWI4NjcxOWI2YjFlYTBjYjk4ZDJjOTlmZjJlYzY5M2RmM2VmZmYyMTU4ZjU0MTEyZjY5NjE1MDgiCiAgICBdLAogICAgInNlLnRhZyI6IFsKICAgICAgICAiNDJmM2ZlNjFlOGE3ZTg1OWNhYjNiYjAzM2ZkMTFjNjEiCiAgICBdLAogICAgInNlLmltYWdlX3Boa2giOiBbCiAgICAgICAgIjkyZDBhZmY2ZWI4NjcxOWI2YjFlYTBjYjk4ZDJjOTlmZjJlYzY5M2RmM2VmZmYyMTU4ZjU0MTEyZjY5NjE1MDgiCiAgICBdLAogICAgInNlLnVzZXJfZGF0YSI6IFsKICAgICAgICAiMDAiCiAgICBdLAogICAgInNlLnZlcnNpb24iOiBbCiAgICAgICAgIjI1NiIKICAgIF0KfQo= -rw-r--r--. 1 root root 640 Dec 16 10:57 /root/Rvps-Extraction/output-files/hdr.bin -rw-r--r--. 1 root root 446 Dec 16 10:57 /root/Rvps-Extraction/output-files/ibmse-policy.rego -rw-r--r--. 1 root root 561 Dec 16 10:57 /root/Rvps-Extraction/output-files/se-message
通过执行以下步骤来获取证书和证书撤销列表(CRL):
运行以下命令,为证书创建一个临时目录:
$ mkdir /tmp/ibmse/certs
运行以下命令,下载
ibm-z-host-key-signing-gen2.crt证书:$ wget https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt -O /tmp/ibmse/certs/ibm-z-host-key-signing-gen2.crt
运行以下命令下载
DigiCertCA.crt证书:$ wget https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt -O /tmp/ibmse/certs/DigiCertCA.crt
运行以下命令,为 CRL 创建临时目录:
$ mkdir /tmp/ibmse/crls
运行以下命令,下载
ibm-z-host-key-gen2.crl文件:$ wget https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl -O /tmp/ibmse/crls/ibm-z-host-key-gen2.crl
运行以下命令下载
DigiCertTrustedRootG4.crl文件:$ wget http://crl3.digicert.com/DigiCertTrustedRootG4.crl -O /tmp/ibmse/crls/DigiCertTrustedRootG4.crl
运行以下命令下载
DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl文件:$ wget http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl -O /tmp/ibmse/crls/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
运行以下命令,为
hdr.bin文件创建一个临时目录:$ mkdir -p /tmp/ibmse/hdr/
运行以下命令,将
hdr.bin$ cp /root/Rvps-Extraction/output-files/hdr.bin /tmp/ibmse/hdr/
运行以下命令,为主机密钥文档(HKD)证书创建一个临时目录:
$ mkdir -p /tmp/ibmse/hkds
运行以下命令,将 HKD 证书复制到
hkds目录中:$ cp ~/path/to/<hkd_cert.crt> /tmp/ibmse/hkds/
生成 RSA 密钥:
运行以下命令来生成 RSA 密钥对:
$ openssl genrsa -aes256 -passout pass:<password> -out /tmp/encrypt_key-psw.pem 4096 1- 1
- 指定 RSA 密钥密码。
运行以下命令,为 RSA 密钥创建一个临时目录:
$ mkdir -p /tmp/ibmse/rsa
运行以下命令来创建
encrypt_key.pub密钥:$ openssl rsa -in /tmp/encrypt_key-psw.pem -passin pass:<password> -pubout -out /tmp/ibmse/rsa/encrypt_key.pub
运行以下命令来创建
encrypt_key.pem密钥:$ openssl rsa -in /tmp/encrypt_key-psw.pem -passin pass:<password> -out /tmp/ibmse/rsa/encrypt_key.pem
运行以下命令,验证
/tmp/ibmse目录的结构:$ tree /tmp/ibmse
输出示例
/tmp/ibmse ├── certs │ ├── ibm-z-host-key-signing-gen2.crt | └── DigiCertCA.crt ├── crls │ └── ibm-z-host-key-gen2.crl │ └── DigiCertTrustedRootG4.crl │ └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl ├── hdr │ └── hdr.bin ├── hkds │ └── <hkd_cert.crt> └── rsa ├── encrypt_key.pem └── encrypt_key.pub通过执行以下步骤将这些文件复制到 OpenShift Container Platform worker 节点:
运行以下命令,从
/tmp/ibmse目录创建一个压缩文件:$ tar -czf ibmse.tar.gz -C /tmp/ ibmse
运行以下命令,将
.tar.gz文件复制到集群中的堡垒节点:$ scp /tmp/ibmse.tar.gz root@<ocp_bastion_ip>:/tmp 1- 1
- 指定堡垒节点的 IP 地址。
运行以下命令,通过 SSH 连接到 bastion 节点:
$ ssh root@<ocp_bastion_ip>
运行以下命令,将
.tar.gz文件复制到每个 worker 节点:$ scp /tmp/ibmse.tar.gz core@<worker_node_ip>:/tmp 1- 1
- 指定 worker 节点的 IP 地址。
运行以下命令,提取每个 worker 节点上的
.tar.gz:$ ssh core@<worker_node_ip> 'sudo mkdir -p /opt/confidential-containers/ && sudo tar -xzf /tmp/ibmse.tar.gz -C /opt/confidential-containers/'
运行以下命令更新
ibmse文件夹权限:$ ssh core@<worker_node_ip> 'sudo chmod -R 755 /opt/confidential-containers/ibmse/'
