From Fedora Project Wiki

Latest revision as of 20:25, 25 January 2022


Keylime subpackaging and agent alternatives

Summary

The keylime package will be split into subpackages per role (agent, registrar, verifier, and admin components), while also allowing the alternative agent implementation written in Rust to be selected.

Owner

  • Name: Sergio Correia, Daiki Ueno
  • Email: scorreia@redhat.com, dueno@redhat.com

Current status

  • Status: accepted for Fedora 36
  • devel list thread: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/KRP7AF7PGQ3AKX5VFRGIU7OHUR52C3TE/
  • FESCo issue: #2716 (https://pagure.io/fesco/issue/2716)
  • Tracker bug: #2045874 (https://bugzilla.redhat.com/show_bug.cgi?id=2045874)
  • Release notes tracker: #793 (https://pagure.io/fedora-docs/release-notes/issue/793)

Detailed Description

The keylime package currently available in Fedora ships all the components as a single package. To support deployments where only the agent, or only the management components (registrar, verifier, and admin tooling), run on a given host, we plan to split the package into subpackages per role. This change also makes the alternative Keylime agent implementation in Rust installable in place of the Python agent; the Rust agent is expected to eventually become the preferred implementation.

Feedback

Benefit to Fedora

This makes it easier to deploy the Keylime agent on IoT devices or Fedora CoreOS spins, and thus enables remote attestation on those hosts without installing the full dependency set of Keylime.

Scope

  • Proposal owners:
    • The keylime package will provide subpackages (keylime-agent, keylime-registrar, etc)
    • The keylime package will be a meta package that will install all the subpackages
    • The Rust based agent will be packaged along with its build dependencies
    • Both keylime-agent implementations, one written in Python, the other written in Rust, will be selectively installable through RPM's installable alternatives framework, similar to how we can select between PipeWire/PulseAudio and pipewire-media-session/wireplumber.
  • Other developers: N/A (not a System Wide Change)
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

The keylime package will remain as a meta package for the compatibility with the current packaging.
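
The following spec fragment is an added illustration of the layout described in the Scope and Upgrade/compatibility sections; it is not the Fedora keylime.spec or rust-keylime.spec and shows only the dependency declarations (no %prep, %install or %files). The version, the description texts, the name keylime-tenant for the admin component, and the agent package names python3-keylime-agent and keylime-agent-rust are assumptions made for the example.

```spec
# Added illustration, not the Fedora keylime.spec or rust-keylime.spec: how the
# role split, the compatibility meta package and two mutually exclusive agent
# implementations can be expressed in RPM. Subpackage names, the version and
# the description texts are placeholders; "keylime-tenant" (admin component),
# "python3-keylime-agent" and "keylime-agent-rust" are assumed names.

Name:           keylime
Version:        0.0
Release:        1%{?dist}
Summary:        Remote attestation framework (meta package)
License:        MIT
URL:            https://github.com/keylime/keylime
BuildArch:      noarch

# Compatibility: "dnf install keylime" keeps installing everything. The agent
# is required by its virtual name, so either implementation satisfies it.
Requires:       keylime-registrar = %{version}-%{release}
Requires:       keylime-verifier = %{version}-%{release}
Requires:       keylime-tenant = %{version}-%{release}
Requires:       keylime-agent

%description
Meta package that pulls in every Keylime component.

# Shared Python code used by the registrar, verifier, tenant and Python agent.
%package -n python3-keylime
Summary:        Keylime common Python library
%description -n python3-keylime
Common library for the Keylime components.

%package        registrar
Summary:        Keylime registrar service
Requires:       python3-keylime = %{version}-%{release}
%description    registrar
The registrar, which stores agent TPM identity keys for the verifier.

%package        verifier
Summary:        Keylime verifier service
Requires:       python3-keylime = %{version}-%{release}
%description    verifier
The verifier, which validates attestation quotes sent by agents.

%package        tenant
Summary:        Keylime tenant (admin tooling)
Requires:       python3-keylime = %{version}-%{release}
%description    tenant
Command-line tooling for enrolling agents and managing policies.

# Python agent: provides the virtual name "keylime-agent" and conflicts with
# anything else providing it. RPM does not count a package's own provide as a
# conflict, so this pair means "only one keylime-agent provider at a time";
# it is the same pattern pipewire-media-session and wireplumber use for
# pipewire-session-manager. The Rust agent, built from the separate
# rust-keylime source package, would carry the matching pair in its own spec:
#     Provides:  keylime-agent = <its version>
#     Conflicts: keylime-agent
%package -n python3-keylime-agent
Summary:        Keylime agent (Python implementation)
Requires:       python3-keylime = %{version}-%{release}
Provides:       keylime-agent = %{version}-%{release}
Conflicts:      keylime-agent
%description -n python3-keylime-agent
Python implementation of the Keylime agent that runs on the attested host.
```

With a bare `Requires: keylime-agent`, dnf chooses one provider itself when both are available; if the meta package should install a particular implementation by default, require that package by name instead. The mutual exclusion can be confirmed after a build with `rpm -q --provides` and `rpm -q --conflicts` on each agent package, and by observing that installing the second agent on a host that already has one is refused with a conflict.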

How To Test

  1. Make sure that your systems meet the requirements to run the Keylime agent or the other components, as described in the documentation
  2. Install the subpackages individually and check that each functions as expected
  3. Install the meta package (keylime) and check that it pulls in all the subpackages
  4. Selectively install a package that provides the keylime-agent functionality: either keylime-agent-rust (Rust-based) or (python-)keylime-agent (Python-based); they should conflict with each other, so that only one of them can be installed at a time
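
The script below is an added example that automates the checks behind steps 3 and 4 of the test plan; it is not part of the change page or of the keylime project. The package names it looks for (keylime-registrar, keylime-verifier, keylime-tenant, keylime-agent, python3-keylime-agent, keylime-agent-rust) are assumptions; confirm the real subpackage names with `dnf repoquery --requires keylime` before relying on it. Setting KEYLIME_RPM_QA_OUTPUT replaces the rpm query with a constructed package list so the checks can be dry-run on a machine without the packages.

```shell
#!/bin/sh
# Added example for the "How To Test" steps; not part of the Fedora change page
# or the keylime project. Package names below are assumptions for illustration.

# Subpackages the keylime meta package is expected to pull in (assumed names).
EXPECTED_SUBPKGS="keylime-registrar keylime-verifier keylime-tenant"

# Package names that provide the agent role; exactly one may be installed.
AGENT_IMPLS="keylime-agent python3-keylime-agent keylime-agent-rust"

# installed_keylime_pkgs: installed keylime-related package names, one per line.
# KEYLIME_RPM_QA_OUTPUT, when set, replaces the rpm query with constructed
# output so the checks can be dry-run without the packages present.
installed_keylime_pkgs() {
    if [ -n "${KEYLIME_RPM_QA_OUTPUT+set}" ]; then
        printf '%s\n' "$KEYLIME_RPM_QA_OUTPUT"
    else
        rpm -qa --qf '%{NAME}\n' 'keylime*' 'python3-keylime*' 2>/dev/null
    fi
}

# has_pkg LIST NAME: succeed if NAME appears as a whole line in LIST.
has_pkg() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# count_agent_impls LIST: print how many agent implementations LIST contains.
count_agent_impls() {
    n=0
    for impl in $AGENT_IMPLS; do
        if has_pkg "$1" "$impl"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# check_single_agent LIST: succeed only if exactly one agent implementation is
# installed (step 4: the Python and Rust agents must conflict).
check_single_agent() {
    [ "$(count_agent_impls "$1")" -eq 1 ]
}

# missing_subpkgs LIST: print the expected subpackages absent from LIST, plus a
# marker line if no agent implementation at all is present.
missing_subpkgs() {
    for p in $EXPECTED_SUBPKGS; do
        has_pkg "$1" "$p" || echo "$p"
    done
    [ "$(count_agent_impls "$1")" -ge 1 ] || echo "keylime-agent (any implementation)"
}

# check_meta_complete LIST: succeed only if everything the meta package should
# pull in is present (step 3: installing "keylime" must bring every role).
check_meta_complete() {
    [ -z "$(missing_subpkgs "$1")" ]
}

# run_checks: evaluate the installed set and report; non-zero on any failure.
run_checks() {
    pkgs=$(installed_keylime_pkgs)
    status=0
    if check_single_agent "$pkgs"; then
        echo "OK: exactly one keylime agent implementation installed"
    else
        echo "FAIL: expected exactly one agent implementation, found $(count_agent_impls "$pkgs")"
        status=1
    fi
    if has_pkg "$pkgs" keylime; then
        if check_meta_complete "$pkgs"; then
            echo "OK: keylime meta package pulled in all subpackages"
        else
            echo "FAIL: keylime is installed but these are missing: $(missing_subpkgs "$pkgs" | tr '\n' ' ')"
            status=1
        fi
    fi
    return "$status"
}

# Query the live system only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as `sh verify_keylime_packaging.sh --run` on the test host after each install step; on a host where both agent packages somehow ended up installed (which the Conflicts declarations should prevent), the first check reports the count it found.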


User Experience

No visible change should be observed by the existing users.

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), No


Documentation

N/A (not a System Wide Change)

Release Notes