PVZD Live CD
:numbered:
:toc:
Purpose
This is a secure boot environment for X11 applications deployed via docker.
The PVZD LiveCD comes with an LXDE desktop based on Fedora 24 and boots automatically
into a predefined docker image. Docker data and the container user's home
are stored on a device with a writeable filesystem. The device is tagged
with a marker file in its root directory for auto-discovery at boot time.
There are currently 3 docker images supporting this LiveCD:
- https://github.com/identinetics/PVZDclient[PVZDclient@Github]
- https://github.com/identinetics/keymgmt[keymgmt@Github]
- https://github.com/identinetics/keymgmt-safenetac[keymgmt-safenetac@Github]
Concept
- Booting the LiveCD brings up the PVZD LXDE desktop for the user livecd.
- LXDE has an autostart item that executes /usr/local/bin/start.sh.
- start.sh performs 2 steps:
* Execute 'predocker.sh'. This script has the following tasks:
** Search for the writeable filesystem to be used for storing docker data
(images, containers etc.), called DOCKERDATA_DIR. The respective
filesystem has to be marked by a file with the name 'UseMe4DockerData'
in the root directory.
Once the UseMe4DockerData filesystem is found, the docker daemon is
reconfigured to use DOCKERDATA_DIR.
** predocker.sh then copies a docker start script to DOCKERDATA_DIR
and creates a call script at /tmp/startapp_inv.sh.
* Execute /tmp/startapp_inv.sh. This pulls and runs the docker container.
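The marker-file discovery described above, sketched as an added example (this is not the project's predocker.sh). The function names, the exit codes and the policy of refusing more than one marked filesystem or a symlinked marker are assumptions made for illustration; only the marker name 'UseMe4DockerData' comes from this README.

```shell
#!/bin/sh
# Added example, not the project's predocker.sh: locate the docker data
# filesystem by its marker file and refuse ambiguous or unusable results.

MARKER="UseMe4DockerData"   # marker file name taken from this README

# is_dockerdata_root DIR -> status 0 if DIR carries the marker and is usable
is_dockerdata_root() {
    dir=$1
    [ -d "$dir" ] || return 1
    # Require a regular file; a symlinked marker is rejected (assumed policy)
    if [ ! -f "$dir/$MARKER" ] || [ -L "$dir/$MARKER" ]; then
        return 1
    fi
    # Docker data needs a writeable filesystem
    [ -w "$dir" ] || return 1
    return 0
}

# find_dockerdata_dir DIR... -> prints the single matching directory.
# Exit status: 0 = exactly one match, 1 = none, 2 = more than one.
find_dockerdata_dir() {
    found=""
    count=0
    for candidate in "$@"; do
        if is_dockerdata_root "$candidate"; then
            found=$candidate
            count=$((count + 1))
        fi
    done
    if [ "$count" -eq 0 ]; then
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        # Two marked media are attached: do not guess which one to trust
        return 2
    fi
    printf '%s\n' "$found"
}
```

The candidates passed in would be the mount points of the attached media; stopping on status 2 keeps an unexpected second marked device from silently becoming DOCKERDATA_DIR.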
Prepare the boot device
Download or build
- link:doc/download.adoc[Download the pre-build image]
- link:doc/build.adoc[Build from source]
Copy to boot device
Copy the ISO image to your boot device (DVD or USB flash drive >= 1GB), e.g. like this:
// insert USB-stick into hardware
dmesg | tail # check the device name of the USB drive
dd if=livecd-PVZDliveCD-Fedora24-lxde-Remix-.iso of=/dev/
// or like this on OSX (dd is dead slow if not using rdisk; block size needs a lowercase m):
sudo dd bs=1m if=livecd-centos-7-gnome-docker-pvzdclient-v0_32.iso of=/dev/rdisk2
Usage (generic)
- You require 2 media:
* the boot medium with the LiveCD (should be read-only, such as CD-ROM), and
* a writeable medium, large enough to contain a docker image and docker work files.
Start with at least 8GB for a GUI.
- Initialize the data medium:
Create a FAT32 partition, insert the medium and follow the instructions, or run /usr/local/bin/init_usbdrive.sh.
(This requires the drive to have just a single FAT partition. Otherwise format the drive with mkfs.ext4, cd into
its root dir and run
touch UseMe4DockerData
)
- Insert both media into the PC and connect your smartcard reader. Any PCSC-compliant reader should work.
- Boot from the boot-medium (you might have to modify the boot sequence in the BIOS)
- Wait for the system to come up
- Boot selection issues: You might need access to the BIOS settings. Check with your admin.
Security Considerations
- The execution environment (i.e. the hardware to boot the system) must be trusted.
- Booting the system on a virtual machine on a machine used for other purposes
weakens the security properties. However, using a virtual environment
is OK to enable installation on a dedicated machine which cannot boot the LiveCD
otherwise.
- Docker content security (to be implemented): The docker image must be signed with
a key generated by the trusted Docker notary.
- Docker container security: containers reside on unprotected writeable media.
To prevent tampering, the container is discarded after each usage and a new
one is created on rebooting the system.
Monitoring
- script messages go to journald and are printed on the DockerAppMonitor
- docker error messages go to journald and are printed on the DockerAppMonitor
- docker info and warning messages can be tracked in terminal with
journalctl -f -u docker.service