keylime/rust-keylime

Keylime Agent will crash on hostname usage

marcostork opened this issue · 6 comments

Environment

Rust Keylime Agent: v0.2.5
Rust: v1.78.0

Description

The Keylime Agent will crash with the following message if Keylime Registrar is set with a hostname instead of an IP address on the agent configuration file.

Error: IpParserError(ParseError { input: "keylime-registrar", source: Error { variant: ParsingError { positives: [ip], negatives: [] }, location: Pos(0), line_col: Pos((1, 1)), path: None, line: "keylime-registrar", continued_line: None } })

This (inability to refer to registrars with hostnames) basically breaks the attestation-operator, which relies on Kubernetes/OpenShift name resolution to allow communication between agents and registrars on pods:

oc logs hhkl-keylime-agent-zqwvv -n keylime
Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
Error: IpParserError(ParseError { input: "hhkl-keylime-registrar.keylime.svc.cluster.local", source: Error { variant: ParsingError { positives: [ip], negatives: [] }, location: Pos(0), line_col: Pos((1, 1)), path: None, line: "hhkl-keylime-registrar.keylime.svc.cluster.local", continued_line: None } })

Thank you for reporting!

This is a duplicate of #454

Just to be clear, the problem does not seem to be caused by setting the uuid on /etc/keylime/agent.conf. It seems to be caused by setting registrar_ip to a hostname instead of an IP. @marcostork please confirm that, in your test, switching from localhost to 127.0.0.1 results in the agent actually running.

Just for more context, this used to work on the attestation-operator, but not anymore...

oc get pods -n keylime
NAME                                      READY   STATUS             RESTARTS        AGE
hhkl-keylime-agent-96jgd                  0/1     CrashLoopBackOff   6 (2m58s ago)   8m57s
hhkl-keylime-agent-m44rc                  0/1     CrashLoopBackOff   6 (3m14s ago)   8m57s
hhkl-keylime-registrar-5b9f6c5d7c-gqngr   1/1     Running            0               8m57s
hhkl-keylime-tenant-6d5f7d8dd4-jptpm      1/1     Running            0               8m57s
hhkl-keylime-verifier-0                   1/1     Running            0               8m57s
[msilva@li-ef39524a-1468-caab-e739-94c6911daeb9.ibm.com keylime-attestation-operator ]$ oc logs hhkl-keylime-agent-96jgd -n keylime
Defaulted container "keylime-agent" out of: keylime-agent, keylime-agent-init (init)
 INFO  keylime_agent::config > Using hashed EK as UUID
Error: IpParserError(ParseError { input: "hhkl-keylime-registrar.keylime.svc.cluster.local", source: Error { variant: ParsingError { positives: [ip], negatives: [] }, location: Pos(0), line_col: Pos((1, 1)), path: None, line: "hhkl-keylime-registrar.keylime.svc.cluster.local", continued_line: None } })
KEYLIME_AGENT_PORT=9002
KEYLIME_AGENT_UUID=hash_ek
KEYLIME_AGENT_ENABLE_IAK_IDEVID=false
KEYLIME_AGENT_REGISTRAR_IP=hhkl-keylime-registrar.keylime.svc.cluster.local
KEYLIME_AGENT_REGISTRAR_PORT=8890
KEYLIME_AGENT_IP=0.0.0.0
KEYLIME_AGENT_ENABLE_AGENT_MTLS=true
KEYLIME_AGENT_CONTACT_PORT=9002

Ah, ok, I see... This is most probably due to the changes introduced to support IPv6 addresses in #765.
I'll see how hard it would be to restore the functionality.

As @maugustosilva has pinpointed, the crash occurs when you change the registrar's IP address to a hostname in the agent.conf file. The environment worked perfectly before the change (from IP address to hostname) and resumed working after reverting to an IP address.
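An added example, not rust-keylime's own code, of how an address setting such as registrar_ip can be parsed so that IPv4 and IPv6 literals (including bracketed ones) are still recognised while a DNS name like the operator's service hostname is passed through for later resolution instead of being rejected; the RegistrarHost type and parse_registrar_host function are hypothetical names.

```rust
use std::net::IpAddr;

/// Parsed form of an address setting such as `registrar_ip` (hypothetical type, not rust-keylime's).
#[derive(Debug, PartialEq)]
pub enum RegistrarHost { Ip(IpAddr), Hostname(String) }

#[derive(Debug, PartialEq)]
pub enum ParseHostError { Empty, InvalidHostname(String) }

/// Accept an IPv4/IPv6 literal (optionally bracketed, e.g. `[::1]`) or a DNS hostname.
/// A string that is not an IP is only an error if it is not a well-formed hostname;
/// resolving the name is left to the caller at connection time.
pub fn parse_registrar_host(input: &str) -> Result<RegistrarHost, ParseHostError> {
    let s = input.trim();
    if s.is_empty() { return Err(ParseHostError::Empty); }
    // Strip IPv6 brackets so "[fd00::1]" is handled like "fd00::1".
    let unbracketed = s
        .strip_prefix('[')
        .and_then(|rest| rest.strip_suffix(']'))
        .unwrap_or(s);
    if let Ok(ip) = unbracketed.parse::<IpAddr>() {
        return Ok(RegistrarHost::Ip(ip));
    }
    if is_valid_hostname(s) {
        return Ok(RegistrarHost::Hostname(s.to_string()));
    }
    Err(ParseHostError::InvalidHostname(s.to_string()))
}

/// RFC 1123 shape check: dot-separated labels of 1..=63 ASCII alphanumerics or '-',
/// no label starting or ending with '-', whole name at most 253 characters.
fn is_valid_hostname(name: &str) -> bool {
    let name = name.strip_suffix('.').unwrap_or(name); // tolerate a trailing dot
    if name.is_empty() || name.len() > 253 { return false; }
    name.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && !label.starts_with('-')
            && !label.ends_with('-')
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

fn main() {
    // The service name from the issue's KEYLIME_AGENT_REGISTRAR_IP now parses instead of failing.
    for v in ["127.0.0.1", "[::1]", "hhkl-keylime-registrar.keylime.svc.cluster.local", "bad_host!"] {
        println!("{v} -> {:?}", parse_registrar_host(v));
    }
}
```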