PVZD Live CD

:numbered: :toc:

Purpose

This is a secure boot environment for X11-applications deployed via docker. The PVZD LiveCD comes with an LXDE desktop based on Fedora 24 and is booting automatically into a predefined docker image. Docker data and the container user's home are stored on a device with a writeable filesystem. The device is tagged with a filename in the root directory for auto-discovery at boot time.

There are currently 3 docker images supporting this LiveCD:

- https://github.com/identinetics/PVZDclient[PCZDclient@Github] 
- https://github.com/identinetics/keymgmt[keymgmt@Github]
- https://github.com/identinetics/keymgmt-safenetac[keymgmt-safenetac@Github]

Concept

• Booting the LiveCD will bring up the PVZD LXDE desktop for user livecd.
• LXDE has an autostart item to execute /usr/local/bin/start.sh.
• start.sh will do 2 steps: Execute 'predocker.sh'. This script has following tasks: ** Search the writeable filesystem to be used for storing docker data (images, container etc.), called DOCKERDATA_DIR. The respective filesystem has to be marked by a file with the name 'UseMe4DockerData' in the root directory. Once the UseMe4DockerData filesystem is found, the docker daemon is reconfigured to use DOCKERDATA_DIR. * predocker.sh will then copy a docker start script to DOCKERDATA_DIR and create a call script at /tmp/startapp_inv.sh. Execute /tmp/startapp_inv.sh. This will pull and run the docker container.

Prepare the boot device

Download or build

• link:doc/download.adoc[Download the pre-build image]
• link:doc/build.adoc[Build from source]

Copy to boot device

• Copy the ISO image to your boot device (DVD or USB Flash >= 1GB), e.g. like this:

  // insert USB-stick into hardware dmesg | tail # checl the the device name of the USB-drive dd if=livecd-PVZDliveCD-Fedora24-lxde-Remix-.iso of=/dev/

  // or like this on OSX (dd dead slow if not using rdisk; block size needs _lowercase m): sudo dd bs=1m if=livecd-centos-7-gnome-docker-pvzdclient-v0_32.iso of=/dev/rdisk2

Usage (generic)

• You require 2 media:
  1. the boot medium with the LiveCD (should be read-only, such as CD-ROM), and
  2. a writeable medium, large enough to contain a docker image and docker work files. Start with at least 8GB for a GUI.
• Initialize the data medium: Create a FAT32 partition, insert and follow the instruction or run /usr/local/bin/init_usbdrive.sh (Requires to have just a single FAT partition - otherwise format the drive with mkfs.ext4, cd into its root dir and and run touch UseMe4DockerData)
• Insert both media into the PC and connect your smartcard reader. Any PCSC-compliant reader should work.
• Boot from the boot-medium (you might have to modify the boot sequence in the BIOS)
• Wait for the system to come up
• Boot selection issues- You might need to have access to the BIOS settings - check with your admin

Security Considerations

• The execution environment (i.e. the hardware to boot the system) must be trusted.
• Booting the system on a virtual machine on a machine used for other purposes is weakening the security properties. However, using a virtual environment is OK to enable installation on a dedicated machine which cannot boot the livecd otherwise.
• Docker content security (to be implemented): The docker image must be signed with a key generated by the trusted Docker notary.
• Docker container security: containers reside on unprotected writeable media. To prevent tampering, the container is discarded after each usage and a new one is on rebooting the system.

Monitoring

• script messages go to journald and are printed on the DockerAppMonitor
• docker error messages go to journald and are printed on the DockerAppMonitor
• docker info and warning messages can be tracked in terminal with journalctl -f -u docker.service