Confidential Computing LinuxONE Workshop¶
Welcome to our Confidential Computing LinuxONE workshop. Organizations can leverage secure execution to protect Linux® workloads on IBM Z and LinuxONE. This workshop will cover how to get started with this technology on-premises using Hyper Protect Virtual Servers 2.1.x.
Agenda¶
Introductory Presentations¶
Lab: Build and Deploy a GREP11 Server Using Hyper Protect Virtual Servers 2.1.x¶
In this lab, you will deploy a Hyper Protect Virtual Servers 2.1.x GREP11 instance and connect to it to secure your transactions.[1]
Workshop authors¶
[1] For the purposes of this lab, you are fulfilling the requirements of a fictional organization. These requirements could change for your specific organization but would follow a similar pattern with different specifics.
Lab Access¶
You will be performing your lab from what we refer to as a RHEL Jumpbox.
You can access the lab guide from anywhere on the public Internet. Actually performing the lab from anywhere other than the RHEL Jumpbox is another matter altogether- it can't be done for the following reasons.
- The lab system is in the Washington Systems Center's (WSC) data center in Herndon, Virginia, USA, and is only accessible from the Internet via a VPN connection. The instructors have already connected the student jumpboxes to the WSC data center over that VPN.
- One unfortunate limitation of the jumpbox is that you cannot copy and paste between the jumpbox browser window and other windows on your own laptop or workstation, and you are going to be doing a lot of copying and pasting in this lab.
Therefore you will have to open up Firefox in your jumpbox and access the lab from there. We've set Firefox's home page in your jumpbox to the lab in order to make things easier for you.
Your instructors will provide the URL in the WebEx chat for you to use to sign in and reserve a jumpbox. They will also provide you with the password that you will need to be able to reserve a jumpbox.
So while we intend to always make the lab guide itself accessible to the public, actual access to the lab is restricted to students of our classes, and only for the duration of the class, as we reset the access credentials after each class.
GREP11 with CENA4SEE Lab Overview¶
Lab environment topology¶
Hyper Protect Virtual Servers 2.1.x provides an IBM-provided and -supported Secure Execution-enabled KVM image that runs on a Linux LPAR on an IBM Z or LinuxONE server.
Hyper Protect Virtual Servers allows you to specify your workload via a "contract" that you define.
Within the contract you specify an OCI-compliant image that provides your workload.
For our lab this LPAR is running RHEL 8.5. You can use any distribution on IBM Z or LinuxONE that supports Secure Execution- i.e., recent versions of Ubuntu and SUSE as well as RHEL.
The Hyper Protect Virtual Servers 2.1.x product provides a component, Crypto Express Network API for Secure Execution Enclaves (CENA4SEE) 1.1.2.2, that runs as an appliance in a Secure Service Container (SSC) LPAR that has direct-attached Crypto Express cards. CENA4SEE also provides a GREP11 Server OCI image that communicates with the CENA4SEE appliance.
This enables GREP11 client code written to call the GREP11 Server API to access the Crypto Express cards on the CENA4SEE SSC LPAR. The GREP11 client code can run from anywhere as long as it has network connectivity to the GREP11 Server. The GREP11 Server can run anywhere as long as it has network connectivity to the CENA4SEE server.
For our lab, the GREP11 client code will run in a KVM guest running Ubuntu 22.04 within our RHEL 8.5 Linux LPAR. Each student will start and use their own such guest. The GREP11 server will run in the same RHEL 8.5 Linux LPAR, and it will be a Secure Execution-enabled HPVS 2.1.x KVM guest. (All HPVS 2.1.x guests are by definition enabled for Secure Execution, so in the remainder of the lab we may not repeat the full phrase "Secure Execution-enabled HPVS 2.1.x KVM guest", but we used it here for emphasis). Each student will start and use their own such GREP11 server guest.
Your HPVS 2.1.x GREP11 Server guest will be configured to write log messages to an rsyslog service. For the lab, you will configure this rsyslog service on the same Ubuntu guest that you are using for the GREP11 client code.
A single SSC LPAR is used for the CENA4SEE server. Every student's HPVS 2.1.x GREP11 Server communicates with this same CENA4SEE server, so the instructors have already set it up for you.
During the lab you will log in to two servers:
- The RHEL 8.5 host. From here you will launch your Ubuntu KVM guest. You will also use your host login to define the "contract" that HPVS expects so that you can launch your HPVS 2.1.x GREP11 Server.
- Your Ubuntu KVM guest. You will log in here to configure the rsyslog service and to run the GREP11 client code.
You will not log in directly to your HPVS 2.1.x GREP11 Server, nor to the CENA4SEE SSC LPAR, but you will make use of them via your GREP11 Client code.
Lab logistics¶
Except for the RHEL Jumpbox, the systems used in the lab are in the IBM Washington Systems Center (WSC) in the WSC's private network. Access to the WSC private network is through a virtual private network (VPN) client running on the RHEL Jumpbox. The instructors access each student's RHEL Jumpbox in order to log in via the VPN client. Students access their jumpbox from a web browser- other than a modern web browser, no additional software is required on the student's laptop or workstation.
During the lab, students will be directed to open two terminal windows on their jumpbox- one will be designated for working on the RHEL host and the other will be designated for working on their KVM standard Ubuntu guest. Two separate terminal profiles have been created on the jumpbox- one for the RHEL host and one for the KVM standard Ubuntu guest- which have different background and text colors which will help the student more easily differentiate between the two windows. The student may wish to use a single terminal window with two tabs- one with each terminal profile- instead of two different windows. It is fine to do so.
Terminal profiles we have defined in your jumpbox¶
The terminal profile we have set up for you to run commands in the RHEL host has a dark background with green text.
The terminal profile we have set up for you to run commands in your Ubuntu KVM Guest has a light beige background with gray text.
You are free to change the look and feel of the terminal profiles to what suits you, but the lab is written with the assumption that you are using the profiles we have set up for you. This matters only in that we may show images in the lab in an effort to help ensure you are working on the correct system when you are entering commands.
Start Ubuntu KVM Guest¶
Overview of this page¶
This page will help you verify that your jumpbox is configured properly and then guide you to logging in to the RHEL Host from which you will start your student-assigned KVM standard Ubuntu guest.
Verify the student-specific environment variables on your jumpbox¶
You will first ensure that two crucial environment variables are set on your jumpbox. Under most circumstances, the instructors will have already set these variables for you. These variables will enable you to enter all of the commands in this lab without modification- where student-specific information is required in a command, the command will contain environment variables that will be resolved with the student-specific information.
Environment variables are set in three places:
- On your jumpbox. In most cases, the instructors will have configured your jumpbox with your student-specific environment variables.
- On the RHEL host. You will have a userid on the RHEL host, and this userid has been configured with student-specific environment variables.
- On your own KVM standard guest running Ubuntu, which is also configured with student-specific environment variables.
Set or verify the environment variable on your jumpbox for your student ID¶
The instructors should have guided you through the process of obtaining a RHEL Jumpbox where you will perform the lab.
Note
The jumpbox is running the RHEL operating system, but the OS on the jumpbox is largely irrelevant, and in order to avoid confusion with the RHEL host (the Linux LPAR on the IBM z15 server in the Washington Systems Center data center in Herndon, Virginia, USA) that you will use during the lab, we will drop the 'RHEL' and refer to the RHEL jumpbox as just jumpbox from now on.
On your jumpbox, open a terminal window. You can do this by clicking on Activities in the upper left corner of your jumpbox and then clicking the icon that looks like a terminal window. This will bring up a window using the RHEL Host terminal profile, so your terminal window should have a dark background with green text, as described in the previous section of the lab. You will use this window to perform work on the RHEL host, but before logging in you will ensure that an environment variable specifying your unique student ID has been set properly.
Each student has a unique userid assigned to them. It is likely set for you already. In an instructor-led class, your instructors will let you know if this has been set for you already.
Check this by entering this echo command:
echo ${StudentID}
Example output for student02:
```
silliman@nat-147 ~ % echo ${StudentID}
student02
```
If a value starting with student and ending with a two-digit number is returned to you, then your jumpbox has been configured properly and you may scroll down a bit to the section Log in to the RHEL 8.5 host.
If no output is returned, set this variable to the userid assigned to you by the instructor. E.g., if the instructor assigned you the userid student00, enter this command:
export StudentID=student00
After entering the export command, repeat the prior echo command to ensure this was set correctly. Now you should see your userid displayed:
echo ${StudentID}
Example output:
```
silliman@nat-147 ~ % echo ${StudentID}
student02
```
Why did you make me do this?
This way we could provide instructions throughout this lab that are generic enough that every student can just copy and paste most commands "as-is" from the lab guide. (At least that was our goal).
Optional but highly recommended- add your StudentID environment variable to your shell startup script¶
Note: If your StudentID variable was already present then your shell startup script was already updated appropriately and you can scroll down to the section with the title Log in to the RHEL 8.5 host
If you are working from a system we supplied for running the lab, you are probably using bash.
If you are using your own workstation or laptop, if it is running Linux you are probably either using bash or you are savvy enough to figure out which shell you are running.
If you are running it on Apple hardware then you are probably running zsh or bash or are savvy enough to figure out which shell you are running.
If you are running on a Windows machine then we hope that you are using a modern enough version of Windows so that you can use the Windows Subsystem for Linux and pretend that you are using a Linux machine.
If you are running on an older Windows machine then you should ask your manager for a new laptop. If that doesn't work out for you then ask the instructors for help (but not for a new laptop).
If you are not sure what shell you're using, you can use this command to find out what your shell is:
echo ${SHELL}
Example output when using zsh:
```
silliman@nat-147 ~ % echo ${SHELL}
/bin/zsh
```
Garrett uses bash 5.x on his Mac. Barry uses zsh, zsh being the default shell on newer versions of macOS. Thus, we will show two commands to add the environment variable to your shell startup script, one for bash and one for zsh. If you are using a different shell, we trust you'll be able to figure out the equivalent command.
The Copy Button is Your Friend!
Please enter the appropriate command exactly as shown using the copy button whenever possible. Approximately 0.47% of students think they have to make the variable substitution before entering the command. That doesn't end well. This advice applies generally to every command in this lab unless we explicitly state otherwise.
For users of bash:
echo "export StudentID='${StudentID}'" >> "${HOME}/.bashrc"
For users of zsh:
echo "export StudentID='${StudentID}'" >> "${HOME}/.zshrc"
Why did I just do that?
If you use more than one terminal window to do this lab, then this would allow new terminal windows to be set with this StudentID variable so that you do not have to re-enter it. This will be handy if you either want to use multiple terminal windows for the lab or if you need to open a new window due to an old one closing for whatever reason. We are here to make your flight as comfortable as possible.
Log in to the RHEL 8.5 host¶
You will now sign into our z15 LPAR running Red Hat Enterprise Linux 8.5. This is a system that has been enabled for Secure Execution and so can run workloads provisioned with IBM Hyper Protect Virtual Servers 2.1.x.
Use your terminal tab or window set aside for doing work on the RHEL host- the one that (by default) has the dark background with green text.
Run this command:
ssh -l ${StudentID} 192.168.22.64
One of two things should happen:
a. If you are on an instructor-provided system and the instructors have had the time to load it with an RSA private key that matches an RSA public key loaded into your assigned userid's account on the RHEL host, you will be able to sign in without a password!
b. If you are not on an instructor-provided system, or we did not have a chance to load the parts of the RSA key pair in the appropriate locations, you will be prompted to enter a password. Your instructor will provide you a password by some clandestine means; surely we're not going to put it on a page on the Internet!
Example messages upon login:
```
*
* IBM Washington Systems Center (WSC) .....
* IBM Z and LinuxONE C C /
* /< /
* ___ __________/_#__=o
* /(- /(\_\________ \
* \ ) \ )_ \o \
* /|\ /|\ |' |
* | _|
* Red Hat Enterprise Linux 8.5 /o __\
* / ' |
* / / |
* /_/\______|
* ( _( <
* KVM Hypervisor for Blockchain \ \ \
* and Hyper Protect \ \ \
* and Digital Assets \____\____\
* on IBM Z and LinuxONE ____\_\__\_\
* /` /` o\
* "It's alive!" |___ |_______|..o-o-o-(#)
*
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Feb 13 16:50:14 2023 from 192.168.215.147
[student02@bczkvm(192.168.22.64) ~ [19:11:51] (0)]$
```
Start your Ubuntu KVM guest¶
A KVM Guest has been defined for each student by the instructors. This guest has the Ubuntu 22.04.2 operating system installed on it. A very straightforward installation path was taken with no additional software packages selected during the installation. You will add additional software packages as necessary during the lab. This guest does not take advantage of the additional protection offered by Secure Execution and HPVS. It could have, but you will already be creating another KVM Guest that is protected by Secure Execution and HPVS. This also helps to make the point that you can run "standard", i.e., non-Secure Execution-protected guests, and Secure Execution-protected guests on the same LPAR.
Display your KVM guest's definition with this command:
sudo virsh dumpxml $(whoami)
We named your Ubuntu KVM guest the same as your userid on the RHEL host, which is why you can use the whoami command.
Example virsh dumpxml output:
```xml
<domain type='kvm'>
  <name>student02</name>
  <uuid>531199d9-3671-424e-a9c9-74ff5ca3980b</uuid>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='s390x' machine='s390-ccw-virtio-rhel8.6.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <cpu mode='host-model' check='partial'/>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/hpvslab/student02/student02-ubuntu22.04.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <target dev='sda' bus='scsi'/>
      <readonly/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
    </disk>
    <controller type='scsi' index='0' model='virtio-scsi'>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0002'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <controller type='virtio-serial' index='0'>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0003'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:67:e5:c1'/>
      <source network='default'/>
      <model type='virtio'/>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
    </interface>
    <console type='pty'>
      <target type='sclp' port='0'/>
    </console>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <audio id='1' type='none'/>
    <memballoon model='virtio'>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0004'/>
    </memballoon>
    <panic model='s390'/>
  </devices>
</domain>
```
Look for your userid in the output of the virsh dumpxml command. You'll see it in two places: at the top, where it names your guest, and within the file path and file name of the qcow2 image that backs your KVM guest.
Run this command to start your Ubuntu KVM guest:
sudo virsh start $(whoami)
Expected output (for student02):
```
Domain 'student02' started
```
You are off to a smashing start!
You should now open a new window or tab using the terminal profile named KVM Standard Guest. From your current terminal window, click File on the menu bar, and then choose either New Tab or New Window based on your personal preference, but, in either case, choose the profile named KVM Standard Guest. This will create a terminal tab or window with a light beige background and a gray font. You'll be directed to use this new tab or window when doing work on your KVM Ubuntu guest and you'll be directed to use your original terminal tab or window when doing work on the RHEL host.
If your output was different, you have departed from the happy path... Please ask your instructor for help.
Configure rsyslog service¶
Overview of this page¶
The HPVS 2.1.x-protected GREP11 Server that you will create later in the lab will log its output to an rsyslog service on the Ubuntu KVM guest that you just started in the previous section. Rsyslog on your Ubuntu KVM guest is initially not set up for this, so you will configure rsyslog in this section of the lab. You may, however, have already set some of this up if you did the PayNow Lab prior to doing this GREP11 with CENA4SEE Lab. Follow the instructions carefully as they are written; they are designed to succeed in either scenario.
Logging to IBM Log Analysis on IBM Cloud
You can also log the output of an HPVS 2.1.x guest to an IBM Log Analysis instance on IBM Cloud. That is not covered in this lab but if you are interested in this, it is covered in the product documentation.
Open a new terminal window or tab with the KVM Standard Guest profile¶
From your terminal window with the RHEL Host profile, click on File in the menu bar and then, according to your preferences, select either New Tab or New Window, and, from either choice, select 1. KVM Standard Guest
Choosing a new tab offers compactness but you won't be able to see both the RHEL Host tab and the KVM Standard Guest tab at the same time- you have to switch back and forth by clicking the appropriate tab header at the top. Choosing a new window allows you to drag your windows or otherwise rearrange them so that you can see both windows on your screen. The choice is yours. Advanced students may wish to open more windows and tabs but the lab is written with the assumption that you have just one window or tab with the RHEL Host profile and just one window or tab with the KVM Standard Guest profile.
Your window or tab should have a light beige background with gray text (unless you customized the profile we provided you).
Log in to your Ubuntu KVM guest¶
How tricky can logging in be?
The Ubuntu KVM guest that you started is in a KVM internal private network that uses NAT (Network Address Translation) in order to communicate with the "outside world". "Outside world" in this context refers to any server outside of our RHEL 8.5 host.
Your home network is probably doing the same thing
Your cable modem or DSL modem or satellite modem provides NAT services for your home network. This modem connects to your network router either:
- combined into a single physical unit that acts as a modem and a router (and maybe a toaster or coffee maker- at least it should be given how much my wallet shrinks after paying my monthly bill!), or
- as a separate modem and router you buy yourself for better performance or to save money in the long run by eliminating monthly equipment rental fees from your internet provider.
tl;dr
You will use "port forwarding" to get from the RHEL 8.5 host to your Ubuntu KVM guest. It's a little tricky but we've set things up to make it easy for you.
How have we made it easy for you?
If you're on an instructor-provided system, we've hopefully set an environment variable for you that specifies the port you'll need to connect to on the RHEL 8.5 host that will allow it to successfully forward your login attempt to your Ubuntu KVM guest. Run this:
echo ${Student_SSH_Port}
Example output when the variable was set:
```
silliman@nat-147 ~ % echo ${Student_SSH_Port}
20024
```
If you don't see a port number somewhere between 20023 and 20042- each student will have a unique port- then ask the instructor for your port and set it with this command (changing 22222 from the example to your instructor-assigned port)
export Student_SSH_Port=22222
There is nothing magical about the port range 20023 to 20042- this just happens to be the range of ports the instructors configured on the host system. The secret formula used by the instructors is 20022 + last two digits of your student userid, and the system has been set up to allow twenty students to take the lab at the same time.
For the same reason as explained at the beginning of the lab when we had you check that your student userid was set in a variable, if this variable was not already set and you had to set it, it is optional but recommended to update your shell startup script so that this change will take effect in new terminal windows or tabs as well. Examples are shown for bash and zsh; pick the appropriate command or tailor it for your shell.
For users of bash:
echo "export Student_SSH_Port='${Student_SSH_Port}'" >> "${HOME}/.bashrc"
For users of zsh:
echo "export Student_SSH_Port='${Student_SSH_Port}'" >> "${HOME}/.zshrc"
You're now ready to log in to your Ubuntu KVM guest:
ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Example messages logging into the Ubuntu KVM guest:
```
silliman@nat-147 ~ % ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Last login: Thu Feb 9 19:32:09 2023 from 192.168.215.147
student@ubuntu2204:~$
```
Continue to enter commands in your KVM Standard Guest terminal tab or window until directed to switch to your other tab or window.
Is my userid really student?
That's right, your userid is student on your Ubuntu KVM guest. Each student has a unique userid on the RHEL 8.5 host, but since each student has their own unique Ubuntu KVM guest, you each have the same userid, student, since you have this guest all to yourself.
You should be able to log in without a password prompt, but if not, your instructor will provide you with the password.
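The port formula and the ssh command above, as an added shell example that is not part of the lab: it derives the forwarded port from a student ID, rejects malformed IDs and ports outside the lab's 20023-20042 range, and writes a small ssh_config so that both the RHEL host and the guest behind it can be reached by name. The host address 192.168.22.64 and the 20022 + NN formula come from the lab; the aliases lab-host and lab-guest and the separate known_hosts file are my own choices.

```shell
#!/bin/sh
# Added example (not from the lab): derive a student's forwarded SSH port and
# emit an ssh_config stanza for the RHEL host and the Ubuntu guest behind it.
# Assumptions: IDs look like studentNN, the port is 20022 + NN (the formula
# the lab states) and must fall in 20023-20042, and the host is 192.168.22.64.
set -eu

LAB_HOST=192.168.22.64
PORT_BASE=20022
PORT_MIN=20023
PORT_MAX=20042

# student_ssh_port student02  -> prints 20024; non-zero exit on bad input
student_ssh_port() {
    id=$1
    case "$id" in
        student[0-9][0-9]) ;;
        *) echo "student_ssh_port: '$id' is not of the form studentNN" >&2
           return 1 ;;
    esac
    digits=${id#student}
    # drop a leading zero so "08" is not read as an (invalid) octal number
    port=$((PORT_BASE + ${digits#0}))
    if [ "$port" -lt "$PORT_MIN" ] || [ "$port" -gt "$PORT_MAX" ]; then
        echo "student_ssh_port: $port is outside the lab range $PORT_MIN-$PORT_MAX" >&2
        return 1
    fi
    echo "$port"
}

# write_ssh_config student02 ./lab-ssh.conf  -> config usable with ssh -F
write_ssh_config() {
    id=$1
    dest=$2
    port=$(student_ssh_port "$id") || return 1
    cat > "$dest" <<EOF
# generated for $id; the aliases lab-host and lab-guest are arbitrary
Host lab-host
    HostName $LAB_HOST
    User $id

Host lab-guest
    HostName $LAB_HOST
    Port $port
    User student
    # keep the lab's host keys out of your main known_hosts file
    UserKnownHostsFile ~/.ssh/known_hosts.lab
EOF
}
```

Use it as `ssh -F lab-ssh.conf lab-guest`. Because the guest is reached through a non-default port, ssh records its host key under `[192.168.22.64]:20024` rather than under the bare address, so each student's guest gets its own known_hosts entry and does not collide with the RHEL host's key on port 22.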
Install rsyslog-gnutls package¶
1. The initial installation of Ubuntu installed an rsyslog service. Display it with this command:
sudo systemctl status rsyslog
Example output:
```
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-02-14 00:24:49 UTC; 12min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 654 (rsyslogd)
      Tasks: 4 (limit: 2350)
     Memory: 2.2M
        CPU: 8ms
     CGroup: /system.slice/rsyslog.service
             └─654 /usr/sbin/rsyslogd -n -iNONE

Feb 14 00:24:49 ubuntu2204 systemd[1]: Starting System Logging Service...
Feb 14 00:24:49 ubuntu2204 systemd[1]: Started System Logging Service.
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (f>
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: rsyslogd's groupid changed to 115
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: rsyslogd's userid changed to 107
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="654" x->
Feb 14 00:24:49 ubuntu2204 systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 654 (rsyslogd)>
Feb 14 00:34:49 ubuntu2204 rsyslogd[654]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="654" x->
lines 1-22/22 (END)
```
If you're having trouble getting back to a command prompt, press q (for quit).
2. The default implementation of rsyslog uses the rsyslog package. Run this command to prove to yourself that the rsyslog package has already been installed by the "bare-bones" default Ubuntu setup, and to see which version is installed:
sudo apt-cache policy rsyslog
Output showing rsyslog is already installed:
```
rsyslog:
  Installed: 8.2112.0-2ubuntu2.2
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
 *** 8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
        100 /var/lib/dpkg/status
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
```
3. The default rsyslog installation needs to be extended so that it can receive messages sent across the network using the TCP protocol with mutual TLS authentication. This requires the rsyslog-gnutls package, which provides the gtls network stream driver that the configuration later in this section selects.
Run this command to see if the rsyslog-gnutls package is installed:
sudo apt-cache policy rsyslog-gnutls
The second line of the output (Installed:) tells you whether rsyslog-gnutls is already installed. If it reads Installed: (none), as in the output below, continue with step 4. If it already shows a version, skip to step 5.
```
rsyslog-gnutls:
  Installed: (none)
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
     8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
```
4. Run the following command to install rsyslog-gnutls:
sudo apt-get install rsyslog-gnutls
Your output should look like this:
```
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  gnutls-bin
The following NEW packages will be installed:
  rsyslog-gnutls
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.8 kB of archives.
After this operation, 90.1 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x rsyslog-gnutls s390x 8.2112.0-2ubuntu2.2 [17.8 kB]
Fetched 17.8 kB in 0s (71.9 kB/s)
Selecting previously unselected package rsyslog-gnutls.
(Reading database ... 56568 files and directories currently installed.)
Preparing to unpack .../rsyslog-gnutls_8.2112.0-2ubuntu2.2_s390x.deb ...
Unpacking rsyslog-gnutls (8.2112.0-2ubuntu2.2) ...
Setting up rsyslog-gnutls (8.2112.0-2ubuntu2.2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date (ABI upgrades are not detected).

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
```
5. Rerun the apt-cache policy command from step 3 to confirm that the package is now installed:
sudo apt-cache policy rsyslog-gnutls
```
rsyslog-gnutls:
  Installed: 8.2112.0-2ubuntu2.2
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
     8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
```
Proceed to the next step.
Configure rsyslog to listen for TLS-enabled connections on port 6514¶
1. Run this command to see if your rsyslog server has already been configured to listen for TLS-enabled connections on port 6514:
cat /etc/rsyslog.d/server.conf
If the file does not exist yet, you will see the following, and you should continue with step 2:
```
cat: /etc/rsyslog.d/server.conf: No such file or directory
```
If the file already exists (for example because you did the PayNow Lab first), compare its contents with the listing in step 5; if they match, skip to step 5.
2. Become the root user:
sudo su -
Example output when becoming root:
```
student@ubuntu2204:~$ sudo su -
root@ubuntu2204:~#
```
3. Run this command, which will create the configuration file. The backslashes before the dollar signs are needed because the heredoc is unquoted, so without them the shell would try to expand $DefaultNetstreamDriver and the other legacy directives as shell variables:
```sh
cat << EOF > /etc/rsyslog.d/server.conf
# output to journal
module(load="omjournal")

template(name="journal" type="list") {
  # can add other metadata here
  property(outname="PRIORITY" name="pri")
  property(outname="SYSLOG_FACILITY" name="syslogfacility")
  property(outname="SYSLOG_IDENTIFIER" name="app-name")
  property(outname="HOSTNAME" name="hostname")
  property(outname="MESSAGE" name="msg")
}

ruleset(name="journal-output") {
  action(type="omjournal" template="journal")
}

# make gtls driver the default and set certificate files
\$DefaultNetstreamDriver "gtls"
\$DefaultNetstreamDriverCAFile /var/lib/rsyslog/x509/ca.crt
\$DefaultNetstreamDriverCertFile /var/lib/rsyslog/x509/server.crt
\$DefaultNetstreamDriverKeyFile /var/lib/rsyslog/x509/server-key.pem

# load TCP listener
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
  type="imtcp"
  port="6514"
  ruleset="journal-output"
)
EOF
```
4. Exit from being the root user:
exit
Your command prompt should now end with a dollar sign ($), indicating you are operating with regular authority as userid student, as opposed to the hash sign (#) prompt that you had when you were operating with root authority.
5. Rerun the cat /etc/rsyslog.d/server.conf command from step 1. You should now see:
```
# output to journal
module(load="omjournal")

template(name="journal" type="list") {
  # can add other metadata here
  property(outname="PRIORITY" name="pri")
  property(outname="SYSLOG_FACILITY" name="syslogfacility")
  property(outname="SYSLOG_IDENTIFIER" name="app-name")
  property(outname="HOSTNAME" name="hostname")
  property(outname="MESSAGE" name="msg")
}

ruleset(name="journal-output") {
  action(type="omjournal" template="journal")
}

# make gtls driver the default and set certificate files
$DefaultNetstreamDriver "gtls"
$DefaultNetstreamDriverCAFile /var/lib/rsyslog/x509/ca.crt
$DefaultNetstreamDriverCertFile /var/lib/rsyslog/x509/server.crt
$DefaultNetstreamDriverKeyFile /var/lib/rsyslog/x509/server-key.pem

# load TCP listener
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
  type="imtcp"
  port="6514"
  ruleset="journal-output"
)
```
Take a look at the bottom of the file
There are three sections of interest at the bottom of the file: the $DefaultNetstreamDriver lines that select the gtls driver and name the CA certificate, server certificate and server private key; the module(load="imtcp" ...) block; and the input(...) block. If these lines could speak to you, they would say, "We are going to receive TCP messages on port 6514, and we will use TLS to authenticate the sender of these messages and to encrypt them, and here are the certificate and keys needed to make this work".
Two settings in the imtcp block deserve a closer look. StreamDriver.Mode="1" means TLS only: a sender that tries to connect in plain text is refused. StreamDriver.Authmode="x509/certvalid" means the listener accepts any sender whose certificate chains to the CA in ca.crt; it does not compare the name in the sender's certificate with anything. Because the CA you create in the next section is private to your rsyslog service, that is adequate for the lab; in production you would use x509/name together with a PermittedPeer list so that only certificates carrying an expected name are accepted.
Proceed to the next step.
-
Create a Certification Authority (CA) for your rsyslog service¶
For this configuration file to work, you'll need to create the certificate and keys and put them where the configuration file says they are: in the /var/lib/rsyslog/x509/ directory.
Background Information¶
The TLS authentication for communication with the rsyslog service requires an X.509 certificate and private key. An X.509 certificate contains a public key that goes with the private key. It also contains metadata, including the identity of the holder of the certificate, the purposes the certificate is intended for, and more. Think of a public key as a yummy cake baked with yellow dough: it's moist and tastes pretty good, but the X.509 certificate wrapped around it is like the chocolate icing and the rainbow sprinkles. It's delicious! (Break time!!) If you haven't given up on the analogy, think of the private key as the secret recipe to bake the cake that nobody but you knows about. For a slightly more technical (but still just scratching the surface), though perhaps not as tasty, description of public key cryptography, check out the description from one of our earlier labs.
An X509 certificate needs to be created and signed by a certification authority (CA).
The authority prefers certification
Most people call a CA a "certificate authority", but the Internet Request for Comments (RFC) that defines the X.509 certificate profile uses the term "certification authority". Imagine that!
For the lab you will create your own CA, what is often called a "self-signed" CA. A utility called openssl can be used to do this. A CA signs certificates that it creates. In order to digitally sign something, you use a private key. In simple terms, a publicly known algorithm (one that can be poked and prodded by researchers and academics trying to prove its security, or hoping to win a large bounty by proving its insecurity) is run over the data being signed using a private key that nobody else knows, and produces a signature that is unique to that data and that key. This signature can be verified algorithmically by anybody who holds the private key's corresponding public key.
Who holds the public key?
That's right, the public! It is safe to share your public key with others; it is your private key that you must protect from loss, theft or exposure.
If you receive a piece of digital information that is signed, along with the public key that corresponds to the private key used to create the signature, you can prove that whoever signed it must have held the private key. Okay, cool. But what if a malicious actor held the private key and gave you the public key? Would you feel so great knowing you verified the signer if they were malicious? No! That is where a CA comes in. The idea is that the following process occurs:
- An individual or organization submits a certificate signing request (CSR) containing their public key.
- The CA takes the effort to verify that the owner of the public key is who they say they are and can be trusted.
- The CA creates and signs the certificate that holds the public key, essentially stating "I am a CA and you can trust me; I have checked that the holder of this certificate is who they say they are, so you can trust this certificate and whoever proves possession of its private key".
How is that working out for us?
The X.509 certification authority model is outstanding in theory. In practice its weak point lies in the need for the holders of private keys to protect them with diligence. Losing control of your private key is akin to losing your wallet or your house key or your driver's license or ... you get the picture. Software supply chain attacks are often accomplished by malicious actors who have stolen others' signing keys. This is why initiatives like Confidential Computing and technologies like Hardware Security Modules, which keep private keys where they cannot simply be copied out, are important.
In real world practice, for external, customer-facing applications an enterprise will ask a well-known and trusted third-party CA to issue its certificates. In many cases an enterprise may run its own internal CA for certificates for internal applications. In this lab you're going to create your own CAs. Hopefully, you trust yourself enough to feel comfortable with this...
Create the Certificate Authority for your rsyslog service if it doesn't exist yet¶
-
Run this command to see if these files already exist:
ls -l ${HOME}/x509Work/rsyslog/CA/{ca.crt,ca-key.pem}
Choose the tab below that resembles your output from the above command. If the files do not exist yet, the output looks like this and you should continue with the following steps; if both files are listed, they were already created and you can move on to the next section:
```
ls: cannot access '/home/student/x509Work/rsyslog/CA/ca.crt': No such file or directory
ls: cannot access '/home/student/x509Work/rsyslog/CA/ca-key.pem': No such file or directory
```
-
Run this command sequence (which we've split across multiple lines for readability):
```shell
cd ${HOME} && \
mkdir -p x509Work/rsyslog/{CA,server,clients} && \
cd x509Work/rsyslog/CA
```
It accomplishes the following:
- Ensures you are in your home directory (which you already are in unless you wandered off on your own)
- Creates a fresh directory structure, if it doesn't yet exist, that you'll work in for this activity (and also later in the lab)
- Switches to the directory intended for use in creating a self-signed CA- in fact, while the command should not have produced any output, you should notice that your command prompt shows that you are now in your ~/x509Work/rsyslog/CA directory
-
Create a private key. It will be the private key your self-signed CA for rsyslog will use, and we'll call it ca-key.pem:
openssl genrsa -out ca-key.pem 4096
-
Run the following command to create a configuration file for your CA:
```shell
cat << EOF > ca.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn

[ dn ]
C = US
O = IBM WSC IBM Z and LinuxONE
CN = CA for rsyslog for SE-enabled KVM guests
EOF
```
Why are we using .cnf configuration files?
Some openssl commands have a tendency to ask a bunch of questions, which can be tedious and error-prone when typing the answers, but you can avoid that by creating a configuration file that provides the answers and thus avoids the questions. You'll see this pattern throughout the lab.
-
A CA itself has a certificate that it can send or make available to others (others being people, or computer processes, or whomever). You don't have one yet- all you have is a private key. A certificate signing request (CSR) can be created from a private key- it derives the public key from the private key and creates an object called a Certificate Signing Request (CSR) that contains the public key and other identifying information and can be sent to a CA. Create your CSR:
openssl req -config ca.cnf -key ca-key.pem -new -out ca-req.csr
Certificate Signing Request (CSR)
The RSA algorithm is a magical mystery tour to most mortals, but the public key can be extracted from a private key: an RSA private key file stores the public modulus and public exponent alongside the private components, so openssl simply reads the public half out of it. You will use the private key as input to a command that will create what is known as a CSR. A CSR is a file that contains the public key (the yellow dough) and other information (the icing and the sprinkles) that you then send to the CA and say "please, please, I'm a good person and you can trust me and please create a real certificate for me". A CSR is like a caterpillar and the resulting certificate is like a beautiful butterfly.
Now you have a certificate signing request.
So you normally send a CSR to a CA to sign. There's a "chicken or the egg" problem here. If a CA needs a Certificate, and a Certificate has to be created by another CA, then how did that CA get created? By another CA? Yes, possibly. But, does the chain go on forever? No- at some point in the chain the CA's certificate was signed by its own private key, and not a higher CA. This is the root of the chain, and it is self-signed. In real life, a chain could be many layers deep, but it eventually has to stop. Think of it like a management chain in an organization's org chart- there are first-line managers, second-line managers, and so forth up to the CEO. The Root certificate is like the CEO.
-
Since you're the boss of your lab, and the worker, you don't need a big long chain of CAs. Just one will do fine. So you'll build a single root, or self-signed, CA, and you'll like it!
openssl x509 -signkey ca-key.pem -in ca-req.csr -req -days 365 -out ca.crt
Because no extension file is given to this command, the resulting CA certificate carries no X.509 extensions at all: nothing marks it as a CA (no basicConstraints) and nothing limits what its key may sign (no keyUsage). rsyslog's gtls driver accepts it as an explicitly configured trust anchor, which is all this lab needs. For a CA that has to be trusted by anything stricter, add an extensions section with basicConstraints set to critical, CA:TRUE and keyUsage set to keyCertSign, cRLSign, and pass it with the -extfile and -extensions options, as you will do for the server certificate in the next section.
Output from creating self-signed CA certificate
```
Certificate request self-signature ok
subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
```
-
Return to the beginning of this step (step 1) to rerun the ls command to ensure you completed these instructions successfully.
```
-rw------- 1 student student 3268 Dec  7 22:46 /home/student/x509Work/rsyslog/CA/ca-key.pem
-rw-rw-r-- 1 student student 1903 Dec  7 22:47 /home/student/x509Work/rsyslog/CA/ca.crt
```
Congratulations! Continue to the next step in the lab.
-
Create a certificate and key for your rsyslog service¶
Process Overview¶
In real life, a CA will probably issue lots of certificates- it's how they make money. Your CA is only going to create a couple:
- a certificate for the rsyslog service which you will create next.
- a certificate for the client (your future GREP11 Server) of the rsyslog service, which you will create later in the lab.
- if you also do the PayNow Lab you will create a separate client certificate in that lab (or maybe you already created it if you did that lab first).
In this section we will create the certificate for the rsyslog service. The process is the same as what you just went through for creating your CA for steps 1-3 below, and differs slightly for step 4:
- Create a private key
- Create a configuration file to answer questions ahead of time
- Use the key and the config file to create a CSR
- This time you'll have your "self-signed" CA create and sign the certificate that your rsyslog service uses
Creation time¶
-
Check to see if the rsyslog certificate and key has already been created:
ls -l ${HOME}/x509Work/rsyslog/server/{server-key.pem,server.crt}
Choose the tab below that resembles your output from the above command. If the files do not exist yet, the output looks like this and you should continue with the following steps; if both files are listed, they were already created and you can move on to the next section:
```
ls: cannot access '/home/student/x509Work/rsyslog/server/server-key.pem': No such file or directory
ls: cannot access '/home/student/x509Work/rsyslog/server/server.crt': No such file or directory
```
-
Change to the directory that you will use for the rsyslog service's certificate and key:
cd ${HOME}/x509Work/rsyslog/server
-
Create a private key that your rsyslog service will use:
openssl genrsa -out server-key.pem 4096
-
Create the configuration file to preemptively answer the inevitable questions. We've used a command pipe to extract your guest's IP address into a variable and then use that variable in two places in the configuration file: as the CN, and, more importantly, as an IP entry in the subjectAltName, which is the field a TLS client compares against the address it connected to. If you borrow this technique for your system, please ensure that this command pipe works on your system:
```shell
export ip="$(ip route get 1.1.1.1 | grep -oP 'src \K[^ ]+')" && \
cat << EOF > server.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn

[ server ]
subjectAltName = IP:${ip}
extendedKeyUsage = serverAuth

[ dn ]
C = US
O = Rsyslog Service
CN = ${ip}
EOF
```
Optional: You know you can't resist looking at the output file to see if that IP magic worked, so just do it:
cat server.cnf
-
Create the rsyslog service's Certificate Signing Request:
```shell
openssl req -config server.cnf \
  -key server-key.pem \
  -new \
  -out server-req.csr
```
-
You will use the rsyslog "self-signed" CA to create the certificate for your rsyslog server, by running this command:
```shell
openssl x509 -req \
  -in server-req.csr \
  -days 365 \
  -CA ../CA/ca.crt \
  -CAkey ../CA/ca-key.pem \
  -CAcreateserial \
  -extfile server.cnf \
  -extensions server \
  -out server.crt
```
Example output from certificate creation
```
Certificate request self-signature ok
subject=C = US, O = Rsyslog Test Server, CN = 172.16.0.42
```
(This example output was captured with an earlier version of server.cnf; with the file you created above, O reads Rsyslog Service, and the CN is your own guest's IP address.)
-
Run this command to display the rsyslog service's certificate in a form that a human can comprehend:
openssl x509 -noout -text -in server.crt
Example human-readable display of certificate
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:1b:54:77:9d:c9:28:b0:7c:f0:b8:d6:dc:24:e1:b1:60:fa:59:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
        Validity
            Not Before: Feb 14 01:18:18 2023 GMT
            Not After : Feb 14 01:18:18 2024 GMT
        Subject: C = US, O = Rsyslog Test Server, CN = 172.16.0.42
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:ed:d0:83:3c:65:8c:6c:4d:f5:bc:bc:56:e9:
                    3c:57:ab:b8:3c:29:14:2a:73:d6:ca:a0:7e:0c:00:
                    fc:4f:cc:28:88:1c:01:e9:26:9e:5e:0b:60:5e:ee:
                    69:f3:c7:c8:f9:26:19:71:a7:1a:c1:54:3a:3d:6b:
                    01:4a:e2:20:ab:89:a5:31:a7:f4:a2:39:71:30:21:
                    29:17:4f:04:15:73:1d:b7:b6:c2:81:c2:f1:d9:a8:
                    29:d8:ca:c9:d6:97:f3:37:8e:17:9d:a7:b1:30:c8:
                    5c:1c:be:e2:75:5e:9f:88:08:76:54:5a:ee:40:d4:
                    90:26:2b:74:35:71:a2:d1:4d:86:db:46:bf:18:38:
                    0a:fb:e4:1a:ab:ef:f6:49:1e:7b:bc:76:71:3a:b7:
                    5e:e8:c0:c7:3d:db:74:2d:87:20:5b:e6:5e:27:67:
                    1a:e9:e1:ea:20:b8:d2:fc:5e:2d:79:c0:e5:46:22:
                    cf:6e:26:54:c6:00:d1:d0:05:46:0b:9d:97:8c:cb:
                    68:e7:a4:b2:9a:47:21:67:e5:56:32:cb:ba:c3:0e:
                    c8:f3:f4:17:02:ca:ee:ac:37:0e:f3:40:cf:a4:56:
                    98:9d:b3:e3:e2:c2:43:d7:3b:a5:c1:09:92:2b:e9:
                    fb:5b:a6:73:d0:83:97:c9:70:7f:f8:84:59:b3:b6:
                    4f:e8:40:98:92:74:5c:8c:9f:db:27:7f:94:4b:00:
                    a6:cf:06:9b:0f:a9:f4:35:17:01:e6:d6:6d:c2:78:
                    f8:41:59:f6:f6:f2:11:d1:52:28:b5:06:78:ba:db:
                    12:f2:3f:c6:ef:14:64:cd:85:49:ce:8e:fc:91:b8:
                    2a:c3:25:6a:cc:3c:46:9d:e8:10:aa:30:fd:3b:55:
                    3a:26:97:00:8b:62:c4:d6:89:f0:36:68:13:63:19:
                    ba:18:f4:0c:4f:bc:5d:34:c8:24:d9:8e:2f:4b:e5:
                    d9:dd:9f:39:8d:00:54:fe:d9:00:d7:f1:71:6b:8b:
                    9c:ed:66:de:6a:26:3f:48:cb:3a:4a:fc:9c:50:12:
                    f5:da:dc:e7:e5:08:6c:0a:6d:60:73:cf:e6:b2:3e:
                    06:59:98:00:2c:97:25:38:01:50:2e:c2:c6:35:fa:
                    e4:d5:20:01:fb:9d:ca:4c:78:3f:7a:ad:c7:5d:db:
                    5e:04:c7:0f:e2:9f:a1:e9:27:f8:f2:a9:9f:00:07:
                    58:68:c9:3f:d6:41:5b:46:90:f5:26:6a:04:2c:cf:
                    44:c9:f8:1e:5d:38:95:95:71:e2:30:57:d5:83:41:
                    73:a4:00:88:6b:99:84:71:d3:60:ce:32:9c:bb:3b:
                    39:46:a7:77:fd:7e:ed:1c:81:02:e3:da:83:85:2c:
                    c9:60:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:172.16.0.42
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                CC:01:AD:BA:8C:5F:31:B9:58:A9:2D:4E:05:C7:B1:B7:82:10:90:05
            X509v3 Authority Key Identifier:
                DirName:/C=US/O=IBM WSC IBM Z and LinuxONE/CN=CA for rsyslog for SE-enabled KVM guests
                serial:0B:4A:84:C6:84:00:F8:7F:B7:0A:F0:82:FD:4E:C1:F2:99:C2:63:BC
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4c:a3:7a:76:21:0d:8f:db:e9:3a:a6:3f:6b:3a:9a:5d:bb:ac:
        7e:75:5c:ed:69:3c:b9:2b:6e:84:1c:fc:1f:56:47:ff:b3:38:
        92:fe:0f:5b:2c:87:32:0e:8f:60:c3:33:ff:d5:89:26:61:9a:
        7f:ce:ae:f3:6b:cc:77:1b:4d:d0:59:5f:d9:09:e1:fa:21:5c:
        6a:6f:b3:71:45:10:98:4f:6e:fe:08:7f:31:42:e6:dd:83:9a:
        11:de:2d:eb:b5:b9:40:4d:80:86:7f:f8:88:cc:87:60:38:d4:
        e2:9a:89:9d:ec:43:61:ad:34:96:38:93:ca:4a:63:8d:cc:b7:
        33:98:33:e2:63:c1:7b:04:98:80:b3:e1:54:df:f6:24:57:82:
        98:c4:e8:64:8a:3b:d2:af:65:56:d7:97:c0:c3:dc:45:06:c9:
        4f:ce:5b:d3:49:7f:2b:28:83:27:57:b9:bf:1a:46:81:68:4c:
        6b:85:d7:db:f0:d4:25:7b:3d:92:63:d0:91:b5:ec:df:cb:e4:
        6b:6c:b0:c4:47:3c:c6:91:64:33:f6:11:6b:5b:f7:70:bd:e1:
        71:ef:a6:28:57:b2:a0:e0:2e:ef:ab:34:7a:c4:b8:24:18:88:
        5f:92:0b:92:ca:14:a2:b6:62:ab:2c:e6:c2:bb:27:91:54:de:
        84:56:1e:ed:f3:7d:b7:e8:34:b4:78:76:2c:1f:af:d9:61:b7:
        6e:59:fa:e8:33:38:b4:5e:30:69:71:06:4d:df:fe:cb:46:03:
        ba:69:7c:85:3c:f0:73:f7:d8:4e:b0:39:aa:79:72:1f:52:2e:
        05:cb:81:9f:e3:62:6b:66:55:7c:92:13:21:62:dc:fd:9d:8f:
        f8:77:dd:d2:b6:61:c4:8f:fa:fa:a0:74:95:fa:9d:f2:5d:d2:
        7d:d4:41:95:d8:41:50:99:7d:80:3d:36:28:75:28:62:67:05:
        11:a3:95:c7:85:8f:20:37:d6:b8:b5:8a:f6:8a:e3:d0:85:6e:
        cd:2a:41:f9:e7:48:bb:b0:b7:54:dc:6b:df:c9:a2:5e:f7:61:
        c2:3a:4c:82:7e:6b:e9:82:cf:c6:3a:7f:a2:ae:39:00:d9:ac:
        bf:8a:84:72:e6:ae:c1:75:e0:92:60:5e:cd:4b:64:1f:5a:44:
        3a:09:15:2c:95:b8:c3:ca:44:ec:79:1e:d5:96:bc:20:9a:7a:
        cf:6b:e4:cf:e0:91:f2:c2:e6:fd:f1:8a:66:c4:ae:eb:90:90:
        f4:ec:64:66:9a:9a:11:8d:11:ab:ef:05:d2:42:fb:e5:2c:78:
        8a:db:16:b7:96:ae:06:b8:42:b4:c7:23:26:b2:9a:c2:85:d8:
        6b:6d:d8:4e:84:0e:ab:a1
```
-
Return to the beginning of this step (step 1) to rerun the ls command to ensure you completed these instructions successfully.
```
-rw------- 1 student student 3272 Dec  7 23:06 /home/student/x509Work/rsyslog/server/server-key.pem
-rw-rw-r-- 1 student student 2151 Dec  7 23:17 /home/student/x509Work/rsyslog/server/server.crt
```
Congratulations! Continue to the next step in the lab.
-
Copy certificates and private key to the location specified in the /etc/rsyslog.d/server.conf file¶
You used directories under ${HOME}/x509Work/rsyslog to create your rsyslog CA and your rsyslog service's certificate. The rsyslog CA's certificate and both the certificate and key for the rsyslog service need to be in the /var/lib/rsyslog/x509/ directory, because that's the location you specified in rsyslog's configuration file.
In this section you'll check to see if they are already present in /var/lib/rsyslog/x509/, and if they aren't, the instructions will get them there for you!
-
Run this command to see if these files are already in their proper place:
ls -l /var/lib/rsyslog/x509/{ca.crt,server.crt,server-key.pem}
Choose the tab below that resembles your output from the above command. If the files are not there yet, the output looks like this and you should continue with the following steps; if all three are listed, they are already in place and you can move on to the next section:
```
ls: cannot access '/var/lib/rsyslog/x509/ca.crt': No such file or directory
ls: cannot access '/var/lib/rsyslog/x509/server.crt': No such file or directory
ls: cannot access '/var/lib/rsyslog/x509/server-key.pem': No such file or directory
```
-
Run the following command to copy the files to where they belong and to set the ownership of the files to the user and group that the rsyslog service runs under. The -p flag on cp preserves the file modes, so the private key keeps its owner-only (0600) permissions and, after the chown, is readable only by the syslog user; you can confirm that in the listing in step 3:
```shell
sudo mkdir -p /var/lib/rsyslog/x509 && \
sudo cp -ipv ../CA/ca.crt /var/lib/rsyslog/x509/. && \
sudo cp -ipv server.crt /var/lib/rsyslog/x509/. && \
sudo cp -ipv server-key.pem /var/lib/rsyslog/x509/. && \
sudo chown -R syslog:syslog /var/lib/rsyslog
```
Output from copying files
```
'../CA/ca.crt' -> '/var/lib/rsyslog/x509/./ca.crt'
'server.crt' -> '/var/lib/rsyslog/x509/./server.crt'
'server-key.pem' -> '/var/lib/rsyslog/x509/./server-key.pem'
```
-
Return to the top of this step (step 1) to repeat the ls command to ensure these instructions succeeded.
```
-rw-rw-r-- 1 syslog syslog 1903 Dec  7 22:47 /var/lib/rsyslog/x509/ca.crt
-rw------- 1 syslog syslog 3272 Dec  7 23:06 /var/lib/rsyslog/x509/server-key.pem
-rw-rw-r-- 1 syslog syslog 2151 Dec  7 23:17 /var/lib/rsyslog/x509/server.crt
```
Continue to the next section.
-
Restart your rsyslog service¶
You'll truly know that you configured everything correctly later in the lab when you try to write messages to it from your yet-to-be-created HPVS 2.1.x GREP11 Server. But for now, you will verify it somewhat by checking which TCP ports on your system are listening and looking in the output to see if rsyslog is listening on port 6514.
-
Run this command:
sudo lsof -nP -iTCP -sTCP:LISTEN
Choose the appropriate tab depending on whether you see port 6514 in your command output. If rsyslog has not yet picked up the new configuration, port 6514 is absent and the output looks like this; continue with the following steps. If port 6514 is already listed, the service is configured and you can move on to the next section:
```
systemd-r  578 systemd-resolve   14u  IPv4  14169      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd       719            root    3u  IPv4  16746      0t0  TCP *:22 (LISTEN)
sshd       719            root    4u  IPv6  16757      0t0  TCP *:22 (LISTEN)
```
-
Restart the rsyslog service:
sudo systemctl restart rsyslog
No news is good news on the above command- it's pretty quiet when it works.
-
Display the rsyslog service's status and notice it hasn't been active very long, since it was just restarted:
sudo systemctl status rsyslog
Output showing rsyslog status after restart
```
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-02-14 01:30:47 UTC; 13s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 1439 (rsyslogd)
      Tasks: 9 (limit: 2350)
     Memory: 1.8M
        CPU: 1.008s
     CGroup: /system.slice/rsyslog.service
             └─1439 /usr/sbin/rsyslogd -n -iNONE

Feb 14 01:30:46 ubuntu2204 systemd[1]: Starting System Logging Service...
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (>
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: rsyslogd's groupid changed to 115
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: rsyslogd's userid changed to 107
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="1439" >
Feb 14 01:30:47 ubuntu2204 systemd[1]: Started System Logging Service.
```
-
Return to the top of this step (step 1) to repeat the sudo lsof ... command to ensure these instructions succeeded.
```
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r  602 systemd-resolve   14u  IPv4  15472      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd       709            root    3u  IPv4  16871      0t0  TCP *:22 (LISTEN)
sshd       709            root    4u  IPv6  16882      0t0  TCP *:22 (LISTEN)
rsyslogd  1439          syslog    6u  IPv4  22401      0t0  TCP *:6514 (LISTEN)
rsyslogd  1439          syslog    7u  IPv6  22402      0t0  TCP *:6514 (LISTEN)
```
Notice that rsyslogd is now listening on port 6514, on both IPv4 and IPv6, and that it runs as the syslog user, which is why the certificate and key files had to be owned by that user. You have configured the rsyslog service correctly and may continue in the lab.
-
Switch to your terminal tab or window for your session with the RHEL host, as you will start the next section of the lab working on the RHEL host.
Please proceed to the next section of the lab by clicking the Next link on the bottom right of this page.
Create rsyslog client certificate for the GREP11 Server¶
Overview of this section¶
In the last section you created the following:
- self-signed CA for the rsyslog service
- server certificate for the rsyslog service
In this section you will use your self-signed CA (1 above) to create:
- client certificate for your (not-yet-created) HPVS 2.1.x GREP11 Server
Your GREP11 Server will be a client to the rsyslog service. (It serves clients who want to make GREP11 requests, but for logging it is a client to the rsyslog service).
Please read the instructions carefully
You'll be switching between both of your userids in this section:
- your studentnn userid on the RHEL host where nn is unique to you and between 01 and 20
- your student userid on your Ubuntu KVM guest
We'll do our part by telling you when to switch. Please do your part by reading the instructions carefully!
If necessary, log in to the RHEL host¶
If you are following the lab in order in one sitting, you are already logged in and have switched to the correct terminal tab or window, the one for your session on the RHEL host.
But if you need to log in for any reason, the command is ssh -l ${StudentID} 192.168.22.64
Create certificate for client access to rsyslog¶
Steps 1 through 5 will be performed on the RHEL host.
-
Create a working directory and switch to it:
```shell
mkdir -p ~/grep11Lab/x509Work/rsyslogClient && \
cd ~/grep11Lab/x509Work/rsyslogClient
```
-
Create a new private key:
openssl genrsa -out client-key.pem 4096
Example output when creating RSA private key
```
Generating RSA private key, 4096 bit long modulus (2 primes)
..++++
................................................................................++++
e is 65537 (0x010001)
```
You should see output similar to what is shown above on the RHEL 8.5 host. This same command was very quiet on your Ubuntu KVM guest.
-
Create a configuration file:
```shell
cat << EOF > client.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn

[ dn ]
C = US
O = IBM WSC IBM Z and LinuxONE
CN = SE-enabled HPVS 2.1.x Grep11 Server
EOF
```
-
Create a certificate signing request (CSR):
```shell
openssl req \
  -config client.cnf \
  -key client-key.pem \
  -new \
  -out grep11Lab-client-req.csr
```
-
Now you are going to use a pattern that is similar to a real-world pattern:
You are going to send your CSR, which you just created on the RHEL host, to the Rsyslog CA which you created on your Ubuntu KVM guest:
```shell
scp grep11Lab-client-req.csr \
  student@${StudentGuestIP}:./x509Work/rsyslog/clients/.
```
Example output when sending file
grep11Lab-client-req.csr 100% 1691 9.2MB/s 00:00
-
Switch to your terminal tab or window for your Ubuntu KVM guest.
-
If you are doing the lab in one sitting, in order, then you are already logged in. If you need to log in for any reason, the command is ssh -p ${Student_SSH_Port} -l student 192.168.22.64. Steps 8 through 12 will be performed on your Ubuntu KVM guest.
-
You are now the CA registrar. Switch to your working directory and find the certificate signing request(CSR) that your customer (i.e., you) sent to you.
```shell
cd ${HOME}/x509Work/rsyslog/clients \
  && ls -l grep11Lab-client*.csr
```
Make sure your csr is listed
-rw-r--r-- 1 student student 1691 Feb 14 01:47 grep11Lab-client-req.csr
-
You will do your due diligence and check the contents of the CSR:
```shell
openssl req -noout -text \
  -in grep11Lab-client-req.csr
```
Example human-readable display of CSR
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS 2.1.x Grep11 Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6:
                    b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90:
                    06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db:
                    10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db:
                    2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94:
                    c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40:
                    e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca:
                    4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4:
                    21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b:
                    72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0:
                    33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88:
                    19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d:
                    a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20:
                    f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa:
                    ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef:
                    f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2:
                    d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6:
                    44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd:
                    bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71:
                    44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1:
                    7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49:
                    2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47:
                    c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8:
                    92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81:
                    c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93:
                    ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92:
                    36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee:
                    04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e:
                    0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84:
                    20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e:
                    3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33:
                    8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec:
                    bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6:
                    54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96:
                    e0:cc:69
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8d:0b:7b:fd:eb:6b:04:85:4f:b6:a8:81:8f:03:77:aa:26:7d:
        58:44:3a:af:1b:de:fe:73:52:38:7c:8b:e9:2d:47:34:93:31:
        9d:04:0b:08:3a:3c:92:72:cf:60:c6:3b:83:6c:9a:8d:7b:08:
        4b:13:44:8b:3c:14:58:f7:b6:26:8c:c8:d5:29:f7:f8:fb:98:
        a6:9f:78:6a:9a:f4:10:88:16:55:b8:83:ee:7d:1b:95:4c:02:
        77:10:9c:ca:61:01:c7:33:7f:65:81:6e:5e:18:25:a7:68:26:
        e0:5e:b5:6d:89:00:31:ed:21:bf:32:c8:13:4b:00:c6:a3:b5:
        5f:4d:13:4c:86:51:31:59:02:92:fd:88:30:3a:1f:ac:da:8b:
        82:25:b2:3d:7e:1d:1f:e3:55:aa:7a:26:1f:85:b6:86:87:34:
        9a:36:5e:55:0b:a9:6b:dd:77:56:4f:54:3e:27:ec:ac:a7:aa:
        ea:bb:86:40:a2:e8:af:88:77:5b:41:ec:42:0f:06:1e:7a:36:
        85:5f:36:14:d4:02:30:3c:27:8d:85:61:0c:93:83:a0:0d:cd:
        e7:c3:ac:02:d9:49:2e:58:a5:a1:24:33:56:a6:6c:e1:dc:dc:
        5b:11:32:65:84:08:70:7e:b2:52:2f:34:5e:83:46:45:8e:91:
        dc:4a:2d:31:2d:3e:3a:4a:03:a2:c4:02:d9:7f:6a:89:42:10:
        da:a4:7a:24:c2:2a:b5:fb:25:c8:1b:45:5f:f1:85:91:ca:0a:
        44:74:8f:60:44:86:e5:49:ab:d9:d1:d8:fa:0c:6d:1f:a8:7c:
        7c:6f:3f:66:0b:d9:46:5a:5c:4d:6e:79:7a:c2:eb:d2:02:a9:
        80:1e:66:53:b9:fd:5d:cf:6e:86:e7:58:7f:a4:74:31:cd:9f:
        b6:c2:b0:24:69:70:2f:9e:6e:4f:2d:74:53:8b:15:74:6c:08:
        bd:f0:b9:d2:e4:e0:a4:14:cf:b1:77:4d:6d:88:8a:ee:c7:6c:
        4b:15:c9:91:85:7d:a2:fa:cd:10:27:b3:27:fc:3b:f2:d1:86:
        57:33:0d:27:02:f2:c6:ab:46:8e:00:de:88:1f:59:d0:fd:6f:
        30:39:94:ba:af:17:89:37:df:0d:9e:1a:a7:d6:49:de:f5:40:
        61:e3:fa:52:70:3d:57:76:9f:fa:15:30:be:64:85:27:61:b0:
        02:9f:f6:20:c3:2d:1a:84:44:48:f6:08:db:f8:80:b9:ea:38:
        16:52:fe:2a:c0:f1:d9:8f:80:37:9f:fd:e2:ec:1e:99:c3:01:
        2d:b6:11:dd:5a:29:c8:02:2c:aa:d7:3f:78:c5:f2:fe:29:d7:
        98:f4:d1:1d:7e:9e:5d:8d
```
-
Time to mint the certificate
Due diligence check
For the purposes of this lab assume you've done a background check on the customer, checked their reviews on Yelp and NextDoor, looked at their Facebook page and LinkedIn profiles. You're a little concerned with some of those college fraternity party pictures on Facebook, but, what the heck, their check has cleared the bank, so you decide to go ahead and mint the certificate.
```shell
openssl x509 -req -in grep11Lab-client-req.csr \
  -days 365 -CA ../CA/ca.crt -CAkey ../CA/ca-key.pem \
  -CAcreateserial -out grep11Lab-client.crt
```
Note that, unlike the server certificate, this one is issued without -extfile and -extensions, so it carries no extensions at all (you will see Version: 1 and no X509v3 extensions block when you display it). rsyslog's x509/certvalid mode only requires that the certificate chain to the CA, so this is enough for the lab; for a client certificate that a stricter peer will inspect, issue it with an extensions section that sets extendedKeyUsage to clientAuth.
Output from creating the certificate
```
Certificate request self-signature ok
subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS 2.1.x Grep11 Server
```
-
Your quality control department asks you to display the certificate before sending it to the customer:
openssl x509 -noout -text -in grep11Lab-client.crt
It should look similar to this [click to expand]
```
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            29:4a:dd:c7:66:81:ab:5a:1d:bb:20:76:a0:25:34:90:21:93:40:6b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
        Validity
            Not Before: Feb 14 01:58:14 2023 GMT
            Not After : Feb 14 01:58:14 2024 GMT
        Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS 2.1.x Grep11 Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6:
                    b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90:
                    06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db:
                    10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db:
                    2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94:
                    c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40:
                    e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca:
                    4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4:
                    21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b:
                    72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0:
                    33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88:
                    19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d:
                    a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20:
                    f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa:
                    ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef:
                    f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2:
                    d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6:
                    44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd:
                    bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71:
                    44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1:
                    7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49:
                    2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47:
                    c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8:
                    92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81:
                    c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93:
                    ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92:
                    36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee:
                    04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e:
                    0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84:
                    20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e:
                    3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33:
                    8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec:
                    bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6:
                    54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96:
                    e0:cc:69
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9f:41:62:18:0f:db:0a:84:f6:59:bc:cd:22:e4:73:d6:18:b0:
        d0:4e:2a:da:8f:5c:46:06:f1:80:f3:4b:5d:cf:fe:a2:a3:97:
        cc:bd:96:8e:d2:d4:58:ab:ac:56:dd:6f:12:3b:52:a8:df:e5:
        4b:26:8e:92:b3:ed:28:9a:c3:28:6d:8b:f9:13:b0:01:fa:ed:
        8f:48:08:08:07:ac:8f:61:00:fc:53:41:9e:d2:53:c5:b8:d7:
        f4:f2:c9:cc:87:58:2d:48:f3:34:be:fe:0d:dc:9e:b6:11:74:
        18:da:92:db:db:b3:c6:4f:10:63:6c:4c:fb:5f:86:36:9a:a8:
        58:a9:d3:d9:7c:e0:8d:2f:96:f3:64:85:bf:8d:39:28:d2:06:
        8b:63:93:d6:42:e3:ad:6d:5b:2e:d3:5a:3d:3c:af:1e:a2:61:
        a0:d7:c7:a0:4f:b7:16:f1:3b:94:44:23:d8:16:6f:d7:38:36:
        84:10:31:ac:e7:17:43:2a:24:04:26:5b:46:50:03:05:7c:8d:
        cc:77:f5:c1:c1:e3:a2:04:4a:6d:7c:b2:c7:1e:e3:68:b0:4e:
        24:92:63:dd:bd:87:3c:af:8c:63:a5:ea:2f:41:90:67:79:e3:
        31:89:41:54:be:aa:44:89:45:65:85:2e:5e:b9:8c:af:7c:7e:
        0f:08:9a:9b:97:7c:6f:fc:9f:30:e8:0c:30:c4:be:7a:0c:7d:
        d0:45:71:f2:a7:35:c3:f9:f1:b7:2c:9e:1d:a1:da:3b:70:59:
        5b:05:93:a3:fc:59:41:c5:db:bf:0f:20:ec:15:ef:64:61:7e:
        52:3b:6a:a1:69:0b:73:93:52:a4:a3:79:ca:b3:0c:b8:cd:2b:
        59:b5:19:03:2e:21:b8:b5:d3:8d:05:2e:d6:0d:b0:9a:7d:e9:
        f9:e7:2b:96:3a:a5:e3:05:b6:d8:0a:e2:ea:2f:b0:02:42:ba:
        a5:9c:1d:d8:29:7f:3b:bd:7c:73:1a:4a:ae:ca:3a:1d:50:16:
        3a:42:3c:0c:23:6a:15:ed:57:01:88:f3:dc:b7:e3:3e:55:48:
        31:07:4f:38:9c:dc:10:71:e8:8c:82:d3:9e:a6:97:ca:70:20:
        e9:70:31:b2:46:09:79:03:20:93:b0:16:af:07:67:eb:0c:4f:
        b0:c0:a9:e8:eb:bc:ab:74:37:93:76:89:92:82:f3:48:a5:a1:
        16:62:39:2d:d5:79:67:e2:ea:6e:a9:6e:40:e1:7f:da:01:df:
        f0:4f:6f:a0:36:80:ae:ab:a2:4d:07:6e:ba:14:bf:85:82:50:
        e1:3d:df:64:bc:91:3d:60:c4:90:8c:3b:6f:0f:11:31:a6:5f:
        4f:36:5a:69:04:05:88:b5
```
Now you send the certificate to the customer:

```bash
scp grep11Lab-client.crt \
    ${StudentID}@192.168.22.64:./grep11Lab/x509Work/rsyslogClient/.
```

Example output from sending file

```
grep11Lab-client.crt   100% 1907   9.7MB/s   00:00
```
Now switch back to your terminal tab or window for your session on the RHEL host. A gentle reminder of what that tab or window looks like:

If you are doing the lab in one sitting, in order, then you are still logged in on the RHEL host. If you need to log in again for any reason, the command is:

```bash
ssh -l ${StudentID} 192.168.22.64
```

Steps 15 and 16 will be performed on the RHEL 8.5 host.
Switch to the directory where the CA "sent" your new certificate and list the files:

```bash
cd ${HOME}/grep11Lab/x509Work/rsyslogClient/ && \
    ls -ltr
```

The listing shows your signed client certificate (grep11Lab-client.crt) next to the key, config file and CSR you created earlier. Note that only the private key (client-key.pem) is mode 0600; everything else is public material.

```
total 16
-rw------- 1 student02 hpvs_students 3247 Feb 13 20:42 client-key.pem
-rw-r--r-- 1 student02 hpvs_students  192 Feb 13 20:44 client.cnf
-rw-r--r-- 1 student02 hpvs_students 1691 Feb 13 20:45 grep11Lab-client-req.csr
-rw-r--r-- 1 student02 hpvs_students 1907 Feb 13 21:06 grep11Lab-client.crt
```
Display your certificate in human-readable form to make sure your CA did their job correctly. The issuer= and subject= lines printed at the end of the output are the quick check: the Issuer should be the rsyslog CA, and the Subject should be the name you put in your CSR.

```bash
openssl x509 -noout -text \
    -issuer \
    -subject \
    -in grep11Lab-client.crt
```

Example display of certificate
Certificate: Data: Version: 1 (0x0) Serial Number: 29:4a:dd:c7:66:81:ab:5a:1d:bb:20:76:a0:25:34:90:21:93:40:6b Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests Validity Not Before: Feb 14 01:58:14 2023 GMT Not After : Feb 14 01:58:14 2024 GMT Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS 2.1.x Grep11 Server Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (4096 bit) Modulus: 00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6: b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90: 06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db: 10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db: 2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94: c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40: e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca: 4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4: 21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b: 72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0: 33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88: 19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d: a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20: f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa: ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef: f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2: d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6: 44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd: bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71: 44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1: 7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49: 2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47: c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8: 92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81: c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93: ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92: 36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee: 04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e: 0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84: 20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e: 3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33: 8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec: 
bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6: 54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96: e0:cc:69 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 9f:41:62:18:0f:db:0a:84:f6:59:bc:cd:22:e4:73:d6:18:b0: d0:4e:2a:da:8f:5c:46:06:f1:80:f3:4b:5d:cf:fe:a2:a3:97: cc:bd:96:8e:d2:d4:58:ab:ac:56:dd:6f:12:3b:52:a8:df:e5: 4b:26:8e:92:b3:ed:28:9a:c3:28:6d:8b:f9:13:b0:01:fa:ed: 8f:48:08:08:07:ac:8f:61:00:fc:53:41:9e:d2:53:c5:b8:d7: f4:f2:c9:cc:87:58:2d:48:f3:34:be:fe:0d:dc:9e:b6:11:74: 18:da:92:db:db:b3:c6:4f:10:63:6c:4c:fb:5f:86:36:9a:a8: 58:a9:d3:d9:7c:e0:8d:2f:96:f3:64:85:bf:8d:39:28:d2:06: 8b:63:93:d6:42:e3:ad:6d:5b:2e:d3:5a:3d:3c:af:1e:a2:61: a0:d7:c7:a0:4f:b7:16:f1:3b:94:44:23:d8:16:6f:d7:38:36: 84:10:31:ac:e7:17:43:2a:24:04:26:5b:46:50:03:05:7c:8d: cc:77:f5:c1:c1:e3:a2:04:4a:6d:7c:b2:c7:1e:e3:68:b0:4e: 24:92:63:dd:bd:87:3c:af:8c:63:a5:ea:2f:41:90:67:79:e3: 31:89:41:54:be:aa:44:89:45:65:85:2e:5e:b9:8c:af:7c:7e: 0f:08:9a:9b:97:7c:6f:fc:9f:30:e8:0c:30:c4:be:7a:0c:7d: d0:45:71:f2:a7:35:c3:f9:f1:b7:2c:9e:1d:a1:da:3b:70:59: 5b:05:93:a3:fc:59:41:c5:db:bf:0f:20:ec:15:ef:64:61:7e: 52:3b:6a:a1:69:0b:73:93:52:a4:a3:79:ca:b3:0c:b8:cd:2b: 59:b5:19:03:2e:21:b8:b5:d3:8d:05:2e:d6:0d:b0:9a:7d:e9: f9:e7:2b:96:3a:a5:e3:05:b6:d8:0a:e2:ea:2f:b0:02:42:ba: a5:9c:1d:d8:29:7f:3b:bd:7c:73:1a:4a:ae:ca:3a:1d:50:16: 3a:42:3c:0c:23:6a:15:ed:57:01:88:f3:dc:b7:e3:3e:55:48: 31:07:4f:38:9c:dc:10:71:e8:8c:82:d3:9e:a6:97:ca:70:20: e9:70:31:b2:46:09:79:03:20:93:b0:16:af:07:67:eb:0c:4f: b0:c0:a9:e8:eb:bc:ab:74:37:93:76:89:92:82:f3:48:a5:a1: 16:62:39:2d:d5:79:67:e2:ea:6e:a9:6e:40:e1:7f:da:01:df: f0:4f:6f:a0:36:80:ae:ab:a2:4d:07:6e:ba:14:bf:85:82:50: e1:3d:df:64:bc:91:3d:60:c4:90:8c:3b:6f:0f:11:31:a6:5f: 4f:36:5a:69:04:05:88:b5 issuer=C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS 2.1.x Grep11 Server
Click the Next link at the bottom of the page to continue to the next part of the lab, where you will create the contract that HPVS 2.1.x expects, so that you can run your GREP11 Server.
Create Contract for GREP11 Server¶
Overview of this section¶
IBM provides the Secure Execution feature on z15 and newer generations of its IBM Z and LinuxONE servers. Currently, that's z15 and LinuxONE III for the "z15" generation and z16 and LinuxONE Emperor 4 for the "z16" generation.
You could create your own Secure Execution-enabled KVM guests and run a workload in it without Hyper Protect Virtual Servers 2.1.x. However, there's non-trivial work involved in setting this up. HPVS 2.1.x has done that hard work for you, and provided a KVM guest image that will run your application workload as one or more OCI-compliant (again, think "Docker" in the popular vernacular) containers within the HPVS 2.1.x KVM guest. There is still some work involved in setting up the contract that HPVS 2.1.x expects- but this is work closer to the application or business level. There is also added value in HPVS 2.1.x in areas such as:
- logging
- attestation
- verification during boot
- encryption
- persistent disk protection
- separation of duties
Of the features in this list, the lab covers logging, verification during boot, encryption and separation of duties; attestation and persistent disk protection are not covered yet. (We won't rest on our laurels until we've built this lab out to cover everything under the sun, but, as the saying goes, Rome wasn't built in a day.)
One of the things just mentioned was separation of duties. In a real-world situation, different personas create different portions of the contract:
- an application owner (the "workload provider") creates the workload section of the contract
- a systems administrator (the "workload deployer") creates the environment section of the contract
Then, you could imagine the following scenario taking place:
- the application owner encrypts their piece of the contract such that it can only be decrypted within the HPVS 2.1.x runtime
- the application owner passes their encrypted piece of the contract to the systems administrator
- the systems administrator encrypts their own section
- the systems administrator combines the two sections and signs the resultant contract so that the HPVS 2.1.x runtime can verify it
Your inquiring mind may say, well that's all well and good, but what about the disk storage of the machine?
If your workload requires persistent disk storage (to survive a container restart), then each of the two personas supplies part of a seed that is used in the calculation of an encryption key for the persistent disk. If each part is passed between the parties encrypted, neither persona knows the other's part of the seed, so no single human has the ability to decrypt the persistent disk. The HPVS developers have thought through security very carefully!
Now our lab does not include all of the above features (yet). For example, the GREP11 Server is stateless (this is a feature, not a bug), so we do not need persistent disk storage. And for this lab, you have worn and will continue to wear many hats, including both the workload provider (application owner) and the workload deployer (systems administrator). We are not going to cover attestation in this lab either, but hope to do so in a future lab.
Creation of directory structure for contract¶
This section starts where the last section left off- on your session with the RHEL host:
This command will create the directory structure expected by the lab instructions:
mkdir -p ${HOME}/grep11Lab/contract/{workload/compose,environment/rsyslog}
Run the tree command to see the directory hierarchy you just created:

```bash
cd ${HOME} && tree grep11Lab/contract
```

Expected output from tree command

```
[student03@bczkvm(192.168.22.64) ~ [12:23:58] (0)]$ tree grep11Lab/contract
grep11Lab/contract
├── environment
│   └── rsyslog
└── workload
    └── compose

4 directories, 0 files
```
Read about the directory structure and the purpose of each directory:

| Directory | Purpose |
|---|---|
| grep11Lab/contract | Top-level directory for the contract for the GREP11 Server. Typically, the "workload deployer" signs the concatenation of the encrypted "environment" section that they create and the encrypted "workload" section that the "workload provider" creates. |
| environment | Used by the "workload deployer" persona to hold an encrypted environment section of the contract |
| rsyslog | Used to hold the artifacts needed to construct the logging subsection of the environment section |
| workload | Used by the "workload provider" to hold an encrypted workload section of the contract |
| compose | Used to hold the Docker compose file specifying the application image and supporting files |

A contract requires a workload section and an environment section, so for the lab they each get their own directory. Then the sections are packaged together and signed, and the signature is added as the third section. This final result, the contract, will be stored in your ${HOME}/grep11Lab/contract directory.
While creating the contract in this lab, you will be performing the role of workload provider and workload deployer. In most production scenarios these two roles would be performed by different persons or processes. The following diagram shows at a high level how these two roles cooperate to form the contract:
```mermaid
flowchart LR
    A["Workload provider
    creates
    workload section"];
    B["Workload deployer
    creates
    environment section"]
    C["Workload provider
    gives workload section
    to Workload deployer"]
    A --> C
    D["Workload deployer
    signs combined
    environment and
    workload sections"]
    B --> D
    C --> D
```
Create workload section of the contract¶
Hyper Protect Virtual Servers 2.1.x expects the contract to specify an OCI container in one of two ways- as a Docker Compose file in the compose subsection of the workload section, or as a Pod specification in the play subsection of the workload section. For this lab we will use a Docker Compose file in the compose subsection of the workload section. This Docker Compose file will specify an OCI image to run and other information necessary to configure the resulting container. Your workload is the GREP11 Server, so, yes, there's an OCI image for that. The container that runs the GREP11 Server will be configured with information such as:
- the port it listens on
- a configuration file that describes the GREP11 server
- another configuration file that describes its connection to the CENA4SEE server
- certificates and keys to enable TLS communication with the CENA4SEE server
- certificates and keys to enable TLS communication with clients that call the GREP11 Server
That's right, two more "sets" of X509 certificates, egads!! You've already worked with one set for the rsyslog service, so we'll offer the commands for these next two sets without as much commentary.
A brief history of the term 'CENA4SEE', or, you say to-MAY-toe and I say to-MAH-toe
You will not see the term CENA4SEE in any official product documentation. Try googling it. CENA4SEE is the instructor's abbreviation for Crypto Express Network API for Secure Execution Enclaves. The product documentation often uses the term c16. When the instructor inquired of the developers what c16 stood for (because he is sure that customers will ask that question) and was told that it doesn't stand for anything, he coined this acronym, and he will continue to use it until he is threatened with either legal action or involuntary termination of employment.
You are going to put the building blocks for the workload section of the contract together in the following order:

1. You will create a docker-compose file
    - docker-compose.yml - this file will reference each of the files listed in items 2-5 of this list
2. You will create a GREP11 Server configuration file
    - grep11server.yaml - mounted into the container as /etc/ep11server/ep11server.yaml
3. You will create a configuration file for the GREP11 Server to CENA4SEE server connection
    - c16client.yaml
4. You will create x509 material to enable secure communication between GREP11 clients and the GREP11 Server
    - grep11-ca.pem
    - grep11-server.pem
    - grep11-server.key
5. You will create or obtain x509 material to enable secure communication between the GREP11 Server and the CENA4SEE server
    - c16server-ca.pem - this file has already been created by the instructors
    - c16server-client.key
    - c16server-client.pem - the instructors will create this file upon your request in a subsequent step in the lab
    - c16server-restricted-server.pem - this file has already been created by the instructors

Let's get started!
Create docker-compose file¶
Switch to the directory that will hold the docker-compose file and the files referenced by the docker-compose file:
```bash
cd ${HOME}/grep11Lab/contract/workload/compose
```

Create the docker-compose file:

```bash
cat << EOF > docker-compose.yml
services:
  $(whoami)-ep11server:
    user: "0"
    image: quay.io/bsilliman/grep11server@sha256:1ebda8a7124c99735f5e7743dfc7ff335dd3e68f7b75f5ca9a41fed6e409d513
    ports:
      - 9876:9876
    volumes:
      - ./c16client.yaml:/etc/c16/c16client.yaml
      - ./c16server-ca.pem:/cfg/c16server-ca.pem
      - ./c16server-client.key:/cfg/c16server-client.key
      - ./c16server-client.pem:/cfg/c16server-client.pem
      - ./c16server-restricted-server.pem:/cfg/c16server-restricted-server.pem
      - ./grep11server.yaml:/etc/ep11server/ep11server.yaml
      - ./grep11-ca.pem:/cfg/grep11-ca.pem
      - ./grep11-server.pem:/cfg/grep11-server.pem
      - ./grep11-server.key:/cfg/grep11-server.key
EOF
```
Notice the value of the image key. This is the GREP11 Server OCI image provided with the Crypto Express Network API for Secure Execution Enclaves 1.1.2.2 (CENA4SEE) that Barry (bsilliman) has uploaded to his account on Quay.io for this lab. (Not for your production usage, as it could disappear at any time.) The image is referenced by its sha256 digest rather than by a tag: a tag can be moved to point at a different image later, but a digest names exactly one image, so the contract you are building commits to exactly that image.
Notice the list of nine items under the volumes section. The left side of each entry in the list specifies the name of a file that sits next to the docker-compose file on the RHEL host. The value after the ':' specifies where that file is mapped to within the OCI container that will run in the HPVS 2.1.x guest. Taking the first item in the list as an example, you will create a file named c16client.yaml, and within the OCI container it will be available at /etc/c16/c16client.yaml. (As an aside, you can also map entire directories from your host to a Docker container, although this example only maps individual files.)
Create the configuration file for the GREP11 server¶
Run this command to create the configuration file for the GREP11 server:
```bash
cat << EOF > grep11server.yaml
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
logging:
  # Package log levels
  # Levels: info, warning, debug, error, fatal, trace, and panic
  levels:
    entry: debug
    # example below
    # entry: info
###################################
## GRPC SERVICES TALKING TO GREP11 server ##
ep11crypto:
  enabled: true
  connection:
    address: 0.0.0.0
    port: 9876
    # Secure connection TLS options
    tls:
      enabled: true
      # certfile, keyfile and cacert refer to the pem files that hold the certs
      certfile: /cfg/grep11-server.pem
      keyfile: /cfg/grep11-server.key
      mutual: true
      cacert: /cfg/grep11-ca.pem
      # same as above, but instead of filename, contents of PEM can be in an environment
      # variable (i.e. to avoid mounting files into docker container)
      cacertbytes:
      certfilebytes:
      keyfilebytes:
    # Server TCP/IP connection monitoring
    # serverKeepaliveTime is the duration in seconds after which if the server
    # does not see any activity from the client it pings the client to see
    # if it is alive
    # serverKeepaliveTimeout is the duration the server waits for a response
    # from the client after sending a ping before closing the connection
    keepalive:
      serverKeepaliveTime: 30
      serverKeepaliveTimeout: 5
  # Comma-separated list of card.domain tuples. card and domain are hex numbers
  # i.e. "08.0016,0a.0016" corresponds to 22nd (x16) domain on eighth card and 22nd domain on tenth (x0a) card
  domain: "08.0016"
EOF
```
Create the client configuration file for the CENA4SEE server¶

Run this command to create the client configuration for the CENA4SEE server:

```bash
cat << EOF > c16client.yaml
#trace, debug, info, warn, err, error, critical, off
loglevel: 'debug'
servers:
  - hostname: 192.168.22.80
    port: 9001
    mTLS: true
    server_cert_file: "/cfg/c16server-ca.pem"
    client_key_file: "/cfg/c16server-client.key"
    client_cert_file: "/cfg/c16server-client.pem"
    restrict_server_cert_file: "/cfg/c16server-restricted-server.pem"
EOF
```
Debug log level for lab purposes
For the two configuration files you just created, you set the log level to debug. We would not recommend a log level of debug for most normal production use cases, but you won't be treading too heavily on the server in the lab, and it provides extra information for your current pursuit of knowledge.
The value for the hostname in c16client.yaml, 192.168.22.80, is the IP address of the CENA4SEE server running on the SSC LPAR used in the lab.
Pick out the names of the files you will be creating from the grep11server.yaml file with the following command:

```bash
grep -e 'file:' -e 'cacert:' grep11server.yaml
```

Your output should look like this:

You will create these files in the lab

```
      certfile: /cfg/grep11-server.pem
      keyfile: /cfg/grep11-server.key
      cacert: /cfg/grep11-ca.pem
```

Pick out the names of the files you will be creating or getting from the instructors from the c16client.yaml file with the following command:

```bash
grep 'file:' c16client.yaml
```

You get the first and fourth files and create the other two

```
    server_cert_file: "/cfg/c16server-ca.pem"
    client_key_file: "/cfg/c16server-client.key"
    client_cert_file: "/cfg/c16server-client.pem"
    restrict_server_cert_file: "/cfg/c16server-restricted-server.pem"
```
Create x509 material for GREP11 client to GREP11 Server communication¶
Your GREP11 Server acts as both a server and a client. Its primary purpose is to be a server- to serve requests from GREP11 clients. But in order to get its job done, the GREP11 Server must send requests to the CENA4SEE server, so it is a client to the CENA4SEE server. (It is also a client to the rsyslog service so that it can send its log messages there).
In this section, you'll set up the material to enable the GREP11 Server's role as a, well, GREP11 Server!
Create and change to a new directory which you will use for your self-signed GREP11 Server CA:

```bash
mkdir -p ${HOME}/grep11Lab/x509Work/GREP11Server/{CA,server,clients} \
    && cd ${HOME}/grep11Lab/x509Work/GREP11Server/CA
```

(The above command also creates some other directories that you'll use later in the lab)
-
Create an RSA private key for your self-signed GREP11 Server CA:
openssl genrsa -out grep11-ca-key.pem 2048
-
Create a configuration file to assist in creation of your self-signed CA for the GREP11 Server. Two of its lines are inert in this lab and do no harm: output_password is only used when openssl req generates a private key itself (you pass an existing key with -key), and challengePassword only ends up in a CSR, which -x509 does not produce.

```bash
cat << EOF > ca.cnf
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = US
ST = Virginia
L = Herndon
O = IBM
OU = Washington Systems Center - IBM Z and LinuxONE
CN = WSC $(whoami) HPVS CA
emailAddress = student@notreal.email.com
[ req_attributes ]
challengePassword = A challenge password
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:TRUE
EOF
```
-
Create your self-signed CA for the GREP11 Server. Notice it uses the private key you created two commands ago and refers to the configuration file your last command created:
```bash
openssl req -new -x509 \
    -key grep11-ca-key.pem \
    -out grep11-ca.pem \
    -days 395 -config ca.cnf \
    -extensions x509_extensions
```
-
Display the CA certificate that you just created:
openssl x509 -noout -text -in grep11-ca.pem
Your output will look similar to this:
Example of display of certificate:
Certificate: Data: Version: 3 (0x2) Serial Number: 61:1d:d1:10:f4:34:bd:84:7b:ca:0b:59:2b:cf:1e:e2:16:5a:01:5c Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM Z and LinuxONE, CN = WSC student02 HPVS CA, emailAddress = student@notreal.email.com.com Validity Not Before: Feb 14 14:36:41 2023 GMT Not After : Mar 15 14:36:41 2024 GMT Subject: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM Z and LinuxONE, CN = WSC student02 HPVS CA, emailAddress = student@notreal.email.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:a6:56:f3:c4:81:58:e0:d5:cd:87:28:38:bc:6b: e3:0f:b4:c7:61:2e:bd:4e:17:b0:a2:65:2e:ad:63: d1:2a:b4:a2:45:d6:f3:9d:ba:8a:0d:66:72:fd:15: b1:d3:4c:08:ff:3c:8d:c0:c4:23:86:c2:65:18:19: 35:03:bb:3c:d5:e2:7a:66:47:4a:6e:d1:eb:37:3f: f7:62:c0:35:45:5f:38:7a:2f:4a:1e:aa:f7:8b:4a: 55:6f:bb:b4:e3:1e:a6:62:20:55:df:1f:04:1e:70: 73:c5:32:b5:5e:77:6f:45:6d:43:fd:01:76:84:83: 6f:c8:9a:6e:20:27:81:94:af:e7:fb:7c:c0:8c:91: bf:f1:47:d3:05:a7:56:69:29:bd:1b:59:0d:54:c0: 53:e1:d8:58:a9:f1:d1:fb:d4:c0:e1:9d:f3:f2:36: 51:ff:60:2a:91:28:9d:07:5e:27:5f:3a:68:f0:7e: 5a:29:cb:1a:5e:b1:c5:98:e1:14:fa:38:29:67:81: 4e:e3:4b:a2:bb:c7:c3:b5:24:c4:d4:c5:23:d8:70: 2b:98:97:e2:ef:26:32:5a:ea:02:ea:3f:48:90:7f: a5:6f:b3:49:68:0a:31:d6:c9:18:c8:57:f7:7c:e0: 4d:e4:46:f7:3c:30:7a:4a:16:df:f4:c9:b7:d8:c0: e7:bb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: E3:62:2B:39:9A:DB:57:77:DE:A2:C5:7E:11:A6:76:22:5F:F7:91:9D X509v3 Authority Key Identifier: keyid:E3:62:2B:39:9A:DB:57:77:DE:A2:C5:7E:11:A6:76:22:5F:F7:91:9D X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 88:11:95:13:b8:fb:f8:b0:67:2c:a7:8f:d5:7b:27:24:e1:77: 45:4a:9d:af:fe:8b:34:f8:84:dc:80:69:a6:fb:50:5f:ce:86: 5d:a2:30:f5:f0:d9:1b:7a:92:9e:c1:69:78:f3:42:65:9f:2f: 
3e:c9:61:96:bf:93:5a:4f:e9:70:16:de:b1:91:78:b7:0a:38: 2c:54:6c:21:32:be:90:e9:b5:25:29:d7:df:b2:a5:86:2d:bc: 04:9a:ca:ee:cb:1b:29:02:6e:59:4f:86:85:d9:06:a3:1b:8e: 94:df:9b:9b:56:20:f2:33:02:3c:ff:17:c3:46:04:2d:db:64: 1a:0f:9d:7b:2d:b6:af:dd:c4:5b:ad:70:89:09:5d:3b:02:b7: 74:24:79:e2:b5:a4:1a:ed:f9:8a:55:73:f6:20:4d:4f:88:42: 24:77:08:92:09:7d:42:2e:40:88:fa:42:1a:2b:10:b6:8f:28: a1:b8:33:7c:99:fa:c6:29:0f:50:85:cd:f7:e0:b1:b7:ea:14: 0f:ac:a6:cd:16:3a:a9:7a:0e:f4:13:b5:35:f0:87:0d:5d:67: d3:14:c3:e8:0e:b7:b1:4f:60:0b:c5:ca:23:93:6e:38:15:ee: 0b:e4:97:79:f9:97:43:ff:9d:42:f5:ea:80:96:d7:7b:b3:2b: d1:4d:7f:36
Within your ${HOME}/grep11Lab/x509Work/GREP11Server/CA directory, you are a certification authority!

If you change to this directory, you will soon be a customer of your CA:

```bash
cd ${HOME}/grep11Lab/x509Work/GREP11Server/server
```
-
You want to create a certificate for your GREP11 Server to use for authenticating to GREP11 clients. Start by creating an RSA private key:
openssl genrsa -out grep11-server.key 2048
-
Create a configuration file to assist the creation of your GREP11 Server's CSR. (Only the [ req ] and [ req_distinguished_name ] sections are used by openssl req; the [ ca ] sections are carried along unused. The dollar signs are escaped so that the shell leaves them for OpenSSL to expand.)

```bash
cat << EOF > serverCSR.cnf
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = \$dir/serial
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
default_crl_days = 45
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = US
ST = Virginia
L = Herndon
O = IBM
OU = Washington Systems Center - IBM Z and LinuxONE
CN = \$ENV::COMMON_NAME
EOF
```
-
Create the certificate signing request:

```bash
COMMON_NAME=${GREP11ServerIP} openssl req -new -key grep11-server.key \
    -out grep11-server.csr -config serverCSR.cnf
```
In your current directory, ${HOME}/grep11Lab/x509Work/GREP11Server/server, you are a "customer" of the CA you created in ${HOME}/grep11Lab/x509Work/GREP11Server/CA. Thus, "send" your CSR to your CA:

```bash
cp -ipv grep11-server.csr ${HOME}/grep11Lab/x509Work/GREP11Server/CA/.
```
-
Put your CA hat back on and go to the CA directory:
cd ${HOME}/grep11Lab/x509Work/GREP11Server/CA/
-
Create a configuration file to assist the creation of your GREP11 Server certificate. The [ server ] section holds the extensions that matter to TLS clients: keyUsage, extendedKeyUsage = serverAuth and the subjectAltName. nsCertType is a legacy Netscape extension that modern TLS stacks ignore, and the crlDistributionPoints URI is a placeholder (nothing in the lab serves a CRL at localhost); a client that insists on fetching CRLs would need a real URL there.

```bash
cat << EOF > server.cnf
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = \$dir/serial
default_days = 365
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
default_crl_days = 45
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = US
ST = Virginia
L = Herndon
O = IBM
OU = Washington Systems Center - IBM Z and LinuxONE
CN = \${ENV::COMMON_NAME}
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
crlDistributionPoints = @crl
subjectAltName = \${ENV::SUBJECT_ALT_NAME}
[ crl ]
URI=http://localhost/ca.crl
EOF
```
-
Now, create the certificate:

```bash
SUBJECT_ALT_NAME=DNS:192.168.22.64:${GREP11ServerForwardedPort},IP:192.168.22.64,DNS:${GREP11ServerIP}:9876,IP:${GREP11ServerIP} \
COMMON_NAME=${GREP11ServerIP} openssl x509 -sha256 -req \
    -in grep11-server.csr -CA grep11-ca.pem -CAkey grep11-ca-key.pem \
    -set_serial 8086 -extfile server.cnf -extensions server \
    -days 390 -outform PEM -out grep11-server.pem
```

Example output from certificate creation

```
Signature ok
subject=C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM Z and LinuxONE, CN = 172.16.0.61
Getting CA Private Key
```

Two things to notice about the subjectAltName you just set. The IP: entries are what a GREP11 client matches when it connects to the server by IP address (once a SAN is present, modern TLS stacks do not fall back to the CN). The DNS: entries hold an IP address with a port appended, which is not a valid dNSName (a dNSName carries a host name, never host:port); OpenSSL writes them without complaint, but no client will ever match them, so outside the lab put only real host names and IP addresses in the SAN. Also, -set_serial 8086 hard-codes the serial number, which is fine here because every student runs their own CA, but a CA must never issue two certificates with the same serial number.
-
Display the info of the certificate you just created:
openssl x509 -noout -text -in grep11-server.pem
Your certificate will look similar to this:
Certificate info
Certificate: Data: Version: 3 (0x2) Serial Number: 8086 (0x1f96) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM Z and LinuxONE, CN = WSC student02 HPVS CA, emailAddress = student@notreal.email.com.com Validity Not Before: Feb 14 14:47:20 2023 GMT Not After : Mar 10 14:47:20 2024 GMT Subject: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM Z and LinuxONE, CN = 172.16.0.61 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ac:16:8c:e2:82:f2:18:4d:b0:c2:6b:1e:62:93: a2:6b:58:8f:eb:60:78:49:20:e1:68:64:d9:b7:a1: a7:3d:ce:ae:ca:f9:86:8e:c8:bd:f8:fc:e3:b6:bb: 19:7d:d7:8d:59:36:c6:d6:63:44:d3:14:06:ff:92: d6:ee:c9:fe:ad:4c:a0:fe:c6:96:fa:5b:29:e4:bd: 08:0b:da:1a:d0:38:eb:f6:90:12:a4:34:a4:b3:21: 63:31:06:32:19:9b:33:d6:f1:93:36:f1:b7:27:c3: 8f:9b:31:c7:ce:e9:b6:61:15:48:c7:a2:c6:80:18: 46:79:73:75:67:6d:78:d1:ec:28:19:24:fc:72:38: 37:49:be:05:60:54:0c:9f:fe:52:5f:a1:16:77:98: fc:a3:d8:2e:fe:f3:b2:4f:eb:2f:45:ad:b1:c9:35: 05:f3:ab:e5:44:13:24:53:e9:67:93:47:08:a8:42: f3:68:61:66:14:65:d2:c1:fe:09:05:06:3d:5f:72: 5c:8b:8b:6b:c4:13:3d:71:9b:f3:5b:29:95:33:e4: 3e:d4:1a:04:9a:93:71:07:ec:02:58:c9:f2:47:b8: d3:dc:db:6f:c4:bc:ff:67:e9:b0:bb:f7:5e:f8:ca: a4:cf:5e:ef:05:cf:06:25:56:1e:c4:ee:24:0d:4e: c9:e7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication Netscape Cert Type: SSL Server X509v3 CRL Distribution Points: Full Name: URI:http://localhost/ca.crl X509v3 Subject Alternative Name: DNS:192.168.22.64:19878, IP Address:192.168.22.64, DNS:172.16.0.61:9876, IP Address:172.16.0.61 Signature Algorithm: sha256WithRSAEncryption 84:1e:74:25:f5:7b:d5:c4:d1:7a:7e:5d:c6:84:87:96:2a:75: 7c:20:ce:40:c4:8d:54:d5:2a:cd:53:81:b6:c0:46:73:e8:55: 
88:ac:8c:21:0e:71:3c:1a:8f:3e:25:34:55:fc:aa:23:dc:9b: ba:0b:5f:4a:e3:c3:09:d6:c4:d7:4c:27:a1:d3:d2:0d:f0:a2: e0:64:d2:89:b6:61:18:1e:c9:a7:ee:66:fb:36:53:58:3d:a9: 5c:03:4a:fa:5f:e7:10:08:5a:8b:e0:24:1a:90:48:b2:1c:5e: 63:d9:23:60:24:80:5f:f6:27:7e:9f:6c:d9:9e:58:98:71:80: e3:ea:1b:fa:4a:dc:67:7e:e9:23:fe:5f:d1:09:a9:3f:bc:6e: 9b:09:47:3a:4e:df:50:8d:26:0f:e2:75:25:ec:ce:80:1d:a7: 38:29:ef:b2:d6:f0:4e:7d:68:c2:b4:7e:00:7a:ff:79:8f:32: 8e:c1:79:54:38:3a:40:de:6b:d3:b7:6f:31:7d:ac:71:7e:37: 27:ac:7c:e7:b9:7e:12:b2:78:41:68:f4:5e:35:77:8c:d9:3c: 94:f7:0f:95:1c:1b:31:62:9c:f9:99:09:2c:60:03:7c:9c:c1: 56:c7:a0:7e:7b:0e:c3:22:42:95:76:ee:9c:1a:b4:e5:a8:a8: 6d:0f:b3:1f
-
"Send" the completed certificate to the "customer":
cp -ipv grep11-server.pem ${HOME}/grep11Lab/x509Work/GREP11Server/server/.
-
Also send your CA certificate to the customer, as they will need it to verify the certificates presented by their connection partners (GREP11 clients in this case, since the server is configured for mutual TLS):
cp -ipv grep11-ca.pem ${HOME}/grep11Lab/x509Work/GREP11Server/server/.
-
From the work you've done in this section, three files are referenced in the Docker Compose file you created earlier: the GREP11 Server CA's self-signed certificate, and the GREP11 Server's certificate and private key. Copy them into the same directory that holds your Docker Compose file:

```bash
cp -ipv ${HOME}/grep11Lab/x509Work/GREP11Server/server/{grep11-ca.pem,grep11-server.pem,grep11-server.key} \
    ${HOME}/grep11Lab/contract/workload/compose/.
```

Example output from cp command

```
'/home/student07/grep11Lab/x509Work/GREP11Server/server/grep11-ca.pem' -> '/home/student07/grep11Lab/contract/workload/compose/./grep11-ca.pem'
'/home/student07/grep11Lab/x509Work/GREP11Server/server/grep11-server.pem' -> '/home/student07/grep11Lab/contract/workload/compose/./grep11-server.pem'
'/home/student07/grep11Lab/x509Work/GREP11Server/server/grep11-server.key' -> '/home/student07/grep11Lab/contract/workload/compose/./grep11-server.key'
```
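Before these three files go into the contract, it is worth checking them the way a GREP11 client will. The script below is an added example and is not part of the lab: check_server_cert verifies that the server certificate chains to the CA certificate, that it belongs to the private key, that its subjectAltName carries the IP address clients will connect to, and that it is marked for TLS server use. It assumes openssl 1.1.1 or 3.x on PATH. The function names and the 10.0.0.5 address are my own; make_demo_pki builds a constructed throwaway CA and server certificate with the same extension profile as server.cnf so the script runs offline. Against the real files you would call `check_server_cert grep11-ca.pem grep11-server.pem grep11-server.key ${GREP11ServerIP}` from the compose directory.

```shell
#!/bin/sh
# Added example, not part of the lab: checks for the GREP11 server certificate.
# Assumes openssl 1.1.1 or 3.x on PATH. The demo PKI built by make_demo_pki is
# constructed test data, not the lab's CA.

# check_server_cert CA_PEM SERVER_PEM SERVER_KEY EXPECTED_IP
# Returns 0 only when all four checks pass; prints the first failure.
check_server_cert() {
    ca=$1 cert=$2 key=$3 ip=$4

    # 1. Chain: the leaf must verify against the CA the clients will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL chain: $cert does not verify against $ca"; return 1; }

    # 2. Key/cert match: hash the DER public key taken from each file and compare.
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL key: cannot read private key $key"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL key: $key is not the private key for $cert"; return 1; }

    # 3. SAN: a client connecting by IP matches an iPAddress entry, not the CN.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    openssl x509 -in "$cert" -noout -text | grep -Eq "IP Address:${ip_re}(,|\$)" \
        || { echo "FAIL san: no 'IP Address:$ip' in subjectAltName of $cert"; return 1; }

    # 4. EKU: the certificate must be marked for TLS server use.
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL eku: extendedKeyUsage of $cert lacks serverAuth"; return 1; }

    echo "OK $cert: chains to $ca, matches $key, SAN has $ip, EKU serverAuth"
}

# make_demo_pki DIR IP
# Constructed test data: a throwaway CA, a server certificate with the same
# extension profile as the lab's server.cnf (30-day validity), and an unrelated
# key so the key-mismatch check can be seen firing.
make_demo_pki() {
    dir=$1 ip=$2
    mkdir -p "$dir"
    cat > "$dir/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
O = Demo
CN = Demo GREP11 CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.pem" -days 30 \
        -config "$dir/demo.cnf" -extensions v3_ca 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/demo.cnf" -subj "/C=US/O=Demo/CN=$ip" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 30 -extfile "$dir/demo.cnf" -extensions server \
        -out "$dir/server.pem" 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

# demo: one good set of files, one wrong key, one wrong IP. Returns 0 when the
# checker accepts the first and rejects the other two.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d" 10.0.0.5
    if check_server_cert "$d/ca.pem" "$d/server.pem" "$d/server.key" 10.0.0.5; then good=0; else good=1; fi
    if check_server_cert "$d/ca.pem" "$d/server.pem" "$d/other.key"  10.0.0.5; then bad_key=0; else bad_key=1; fi
    if check_server_cert "$d/ca.pem" "$d/server.pem" "$d/server.key" 10.0.0.6; then bad_ip=0; else bad_ip=1; fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad_key" -eq 1 ] && [ "$bad_ip" -eq 1 ]
}

demo
```

The key/cert comparison hashes the SubjectPublicKeyInfo rather than comparing moduli by eye, so it works unchanged if you later move the GREP11 server to an EC key.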
Create x509 material for GREP11 Server to CENA4SEE Server communication¶
-
Run this command to find the word volumes in the docker-compose.yml file and then print it and the next nine lines (--after-context 9):

```bash
grep --after-context 9 volumes \
    ${HOME}/grep11Lab/contract/workload/compose/docker-compose.yml
```

Expected output

```
    volumes:
      - ./c16client.yaml:/etc/c16/c16client.yaml
      - ./c16server-ca.pem:/cfg/c16server-ca.pem
      - ./c16server-client.key:/cfg/c16server-client.key
      - ./c16server-client.pem:/cfg/c16server-client.pem
      - ./c16server-restricted-server.pem:/cfg/c16server-restricted-server.pem
      - ./grep11server.yaml:/etc/ep11server/ep11server.yaml
      - ./grep11-ca.pem:/cfg/grep11-ca.pem
      - ./grep11-server.pem:/cfg/grep11-server.pem
      - ./grep11-server.key:/cfg/grep11-server.key
```

Of the nine files, you have created five so far:

- the 2 .yaml files
- the 3 grep11-* files

The 4 c16server* files remain: two come from the instructors, and two (the client key, and the CSR that the instructors will sign into c16server-client.pem) you create next.
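The grep commands above are a manual cross-check between the compose file and the two configs. As an added example that is not part of the lab, the following script automates that check for any compose directory: it lists volume sources that do not exist on disk and /cfg or /etc paths that a config references without a matching volume entry. Run it against ${HOME}/grep11Lab/contract/workload/compose now and it will list exactly the four c16server files you still have to create; run it again before you package the workload section and it should print nothing. The function names are my own, and make_demo_dir builds a small constructed compose directory (not the lab's files) with one missing file and one unmounted path so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the lab: cross-check a compose directory before it
# is packaged into the workload section. Needs only sh, sed, grep and sort.

# check_compose_dir DIR
# Prints one line per problem found and returns 1 if there were any, else 0.
check_compose_dir() {
    dir=$1
    rc=0
    mounts=$(mktemp)
    # "  - ./host-file:/container/path" volume lines become "host-file /container/path".
    # Lines such as "- 9876:9876" under ports: do not start with "./" and are skipped.
    sed -n 's|^ *- \./\([^:]*\):\(.*\)$|\1 \2|p' "$dir/docker-compose.yml" > "$mounts"

    # (a) every mounted host file must exist: a source that is absent cannot be
    #     mounted, so the container would run without it or not start at all
    while read -r host cont; do
        [ -f "$dir/$host" ] \
            || { echo "missing on host: $host (mounted as $cont)"; rc=1; }
    done < "$mounts"

    # (b) every /cfg or /etc path the configs name must be a mount target;
    #     otherwise the server only discovers the absent file at runtime
    for path in $(grep -Eho '/(cfg|etc)/[A-Za-z0-9._/-]+' "$dir"/*.yaml | sort -u); do
        grep -q " $path\$" "$mounts" \
            || { echo "referenced but not mounted: $path"; rc=1; }
    done

    rm -f "$mounts"
    return $rc
}

# make_demo_dir DIR
# Constructed sample (not the lab's real files) with two deliberate gaps:
# c16server-client.pem is mounted but never created, and grep11server.yaml
# references /cfg/grep11-server.pem which no volume entry mounts.
make_demo_dir() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/docker-compose.yml" <<'EOF'
services:
  ep11server:
    image: example.invalid/grep11server@sha256:0000
    ports:
      - 9876:9876
    volumes:
      - ./c16client.yaml:/etc/c16/c16client.yaml
      - ./c16server-ca.pem:/cfg/c16server-ca.pem
      - ./c16server-client.pem:/cfg/c16server-client.pem
      - ./grep11server.yaml:/etc/ep11server/ep11server.yaml
      - ./grep11-server.key:/cfg/grep11-server.key
EOF
    cat > "$dir/grep11server.yaml" <<'EOF'
ep11crypto:
  connection:
    tls:
      certfile: /cfg/grep11-server.pem
      keyfile: /cfg/grep11-server.key
EOF
    cat > "$dir/c16client.yaml" <<'EOF'
servers:
  - server_cert_file: "/cfg/c16server-ca.pem"
    client_cert_file: "/cfg/c16server-client.pem"
EOF
    : > "$dir/c16server-ca.pem"
    : > "$dir/grep11-server.key"
}

# demo: build the constructed directory and report on it.
demo() {
    d=$(mktemp -d)
    make_demo_dir "$d"
    check_compose_dir "$d" || echo "(fix the items above, then re-run)"
    rm -rf "$d"
}

demo
```

Only file mounts are checked, which matches this lab's compose file; a directory mount would need an additional `[ -d ]` test.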
-
Now it is time to create or acquire the four files called for by c16client.yaml.
There is only one CENA4SEE server that all of the lab students will use. The instructors have set this up, and have created both the "self-signed" CA that governs communication between the CENA4SEE server and its clients (each student's GREP11 Server is a client of the CENA4SEE server) and the certificate for the CENA4SEE server itself. You need to acquire these certificates that the instructors created:

```bash
cp -ipv /data/lab/c16server-public/{c16server-ca.pem,c16server-restricted-server.pem} \
    ${HOME}/grep11Lab/contract/workload/compose/.
```
- You just got the instructor-provided certificates, so now it's time to start the process of creating a certificate that will allow your GREP11 Server to make calls to the CENA4SEE. Start by creating another working directory and switching to it.
mkdir -p ${HOME}/grep11Lab/x509Work/CENA4SEEClient \
   && cd ${HOME}/grep11Lab/x509Work/CENA4SEEClient
- Create an RSA private key using certtool:
Certtool
You used openssl for your previous certificate work. You will use another tool called certtool now.
certtool --generate-privkey --outfile c16server-client.key
Output from private key creation
Generating a 3072 bit RSA private key...
- Create the following template file so that certtool does not prompt you with questions:
cat << EOF > csr.cfg
# The common name of the certificate owner.
cn = "c16client"
# The organizational unit of the subject.
unit = "IBM WSC IBM Z and LinuxONE"
# The organization of the subject
organization = "IBM WSC"
# The location of the subject
locality = "Herndon"
# The state of the subject.
state = "Virginia"
# The country of the subject. Two letter code.
country = "US"
# The subject's domain component
dc = "bczkvm"
# A dnsname
dns_name = ${GREP11ServerIP}
# An IP address
ip_address = ${GREP11ServerIP}
# Use certificate for TLS client
tls_www_client
EOF
- Now create a CSR:
certtool --generate-request \
   --load-privkey c16server-client.key \
   --template csr.cfg \
   --outfile c16server-client.csr
Output from creating CSR
Generating a PKCS #10 certificate request...
- Display information about your CSR:
certtool --crq-info --infile c16server-client.csr
Your output should look similar to this:
Example CSR info
PKCS #10 Certificate Request Information:
        Version: 1
        Subject: DC=bczkvm,C=US,ST=Virginia,L=Herndon,O=IBM WSC,OU=IBM WSC IBM Z and LinuxONE,CN=c16client
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (3072 bits)
                Modulus (bits 3072):
                        (3072-bit modulus omitted)
                Exponent (bits 24):
                        01:00:01
        Signature Algorithm: RSA-SHA256
        Attributes:
                Extensions:
                        Subject Alternative Name (not critical):
                                DNSname: 172.16.0.61
                                IPAddress: 172.16.0.61
                        Basic Constraints (critical):
                                Certificate Authority (CA): FALSE
                        Key Usage (critical):
                                Digital signature.
                        Key Purpose (critical):
                                TLS WWW Client.
Other Information:
        Public Key ID:
                sha1:70d0427d152be23fc9015be370581d19f3c47ff7
                sha256:8f5547027afe8e10cd64d840903692e6a703b61a63fdbaebf9e0f446013a2ee6
        Public Key PIN:
                pin-sha256:j1VHAnr+jhDNZNhAkDaS5qcDthpj/brr+eD0RgE6LuY=
Self signature: verified
-----BEGIN NEW CERTIFICATE REQUEST-----
(PEM body omitted)
-----END NEW CERTIFICATE REQUEST-----
The "self-signed" CA for the CENA4SEE server is under instructor control- since there is only one CENA4SEE for the class to share, there is only one CA. Let the instructors know that you are ready to have a client certificate created and the instructors will create a certificate for you and place it in the same directory that you are presently working in.
How the instructors will create this certificate for you
In the interests of transparency, this is the command the instructors will use to create your certificate (after setting the ${student} environment variable appropriately). Don't try to run this command as it won't work for you because you do not have access to the "self-signed" CA's private key. (You can try; if you succeed, you are either an excellent hacker, or the instructors are not excellent system administrators, or some combination thereof).
### for your information only
certtool --generate-certificate \
   --load-request /home/${student}/grep11Lab/x509Work/CENA4SEEClient/c16server-client.csr \
   --outfile ${student}-c16server-client.pem \
   --load-ca-certificate c16server-ca.pem \
   --load-ca-privkey c16server-ca.key \
   --template cert.cfg
cp -ipv ${student}-c16server-client.pem \
   /home/${student}/grep11Lab/x509Work/CENA4SEEClient/c16server-client.pem
chown ${student}:hpvs_students \
   /home/${student}/grep11Lab/x509Work/CENA4SEEClient/c16server-client.pem
This is also for information only: it is the contents of the configuration file cert.cfg that the instructors use in the above command:
cert.cfg
# Expiration days
expiration_days = 300
# Honor certificate request extensions
#honor_crq_extensions
# keyUsage
honor_crq_ext = 2.5.29.15
# extKeyUsage
# (note: the extKeyUsage OID is 2.5.29.37, so the line below does not match the CSR's
#  critical Key Purpose extension; the non-critical "TLS WWW Client" purpose seen in the
#  issued certificate comes from the tls_www_client line at the end of this template)
honor_crq_ext = 2.5.27.39
# subjectAltName
honor_crq_ext = 2.5.29.17
# basicConstraints
honor_crq_ext = 2.5.29.19
tls_www_client
- After the instructors notify you that your certificate is ready, display it:
certtool --certificate-info --infile c16server-client.pem
Your certificate will look like this:
CENA4SEE client certificate info
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 6c8e1ecbc1ee385c441c03bd1dd64759641c5073
        Issuer: DC=hpvs1,C=US,ST=Virginia,L=Herndon,O=IBM WSC IBM Z and LinuxONE,OU=IBM WSC,CN=c16server CA
        Validity:
                Not Before: Tue Feb 14 15:41:45 UTC 2023
                Not After: Mon Dec 11 15:41:45 UTC 2023
        Subject: DC=bczkvm,C=US,ST=Virginia,L=Herndon,O=IBM WSC,OU=IBM WSC IBM Z and LinuxONE,CN=c16client
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (3072 bits)
                Modulus (bits 3072):
                        (3072-bit modulus omitted)
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Key Usage (critical):
                        Digital signature.
                Subject Alternative Name (not critical):
                        DNSname: 172.16.0.61
                        IPAddress: 172.16.0.61
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                Subject Key Identifier (not critical):
                        70d0427d152be23fc9015be370581d19f3c47ff7
                Authority Key Identifier (not critical):
                        a9a6c37c6e9d71c63f44db39cb5d5fca84228467
        Signature Algorithm: RSA-SHA256
        Signature:
                (signature bytes omitted)
Other Information:
        Fingerprint:
                sha1:479b56297c57950ebc2a112e651f9e2031bb3e5f
                sha256:63bbb36695023e4abcb92222eccb15b43d2b8bc8d80b9e35ec9eb89ea5dd816b
        Public Key ID:
                sha1:70d0427d152be23fc9015be370581d19f3c47ff7
                sha256:8f5547027afe8e10cd64d840903692e6a703b61a63fdbaebf9e0f446013a2ee6
        Public Key PIN:
                pin-sha256:j1VHAnr+jhDNZNhAkDaS5qcDthpj/brr+eD0RgE6LuY=
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
- You need to copy the CENA4SEE client certificate that the instructors just created for you, along with the certificate's matching private key, into the directory where your Docker Compose file resides:
cp -ipv \
   ${HOME}/grep11Lab/x509Work/CENA4SEEClient/c16server-client.{pem,key} \
   ${HOME}/grep11Lab/contract/workload/compose/.
- You have now created or obtained all nine files that are referenced in the Docker Compose file. List this directory and you should see ten files: the Docker Compose file itself and the nine files that it references in its volumes section:
ls -l ${HOME}/grep11Lab/contract/workload/compose
Expected output (dates of files will differ)
total 44
-rw-r--r-- 1 student07 hpvs_students  354 Dec  8 10:23 c16client.yaml
-rw-r--r-- 1 student07 hpvs_students 1407 Sep 26 15:23 c16server-ca.pem
-rw------- 1 student07 hpvs_students 8167 Dec  8 10:59 c16server-client.key
-rw-r--r-- 1 student07 hpvs_students 1700 Dec  8 11:05 c16server-client.pem
-rw-r--r-- 1 student07 hpvs_students 1424 Oct 31 16:09 c16server-restricted-server.pem
-rw-r--r-- 1 student07 hpvs_students  721 Dec  8 10:23 docker-compose.yml
-rw-r--r-- 1 student07 hpvs_students 1590 Dec  8 10:29 grep11-ca.pem
-rw------- 1 student07 hpvs_students 1675 Dec  8 10:32 grep11-server.key
-rw-r--r-- 1 student07 hpvs_students 1614 Dec  8 10:37 grep11-server.pem
-rw-r--r-- 1 student07 hpvs_students 1591 Dec  8 10:23 grep11server.yaml
Create a convenience script for creating workload section of contract¶
You are almost finished with the workload section. One thing to do is to add a convenience script to the workload directory. This script is not supplied with the product, but is very useful in the creation of the contract.
- Switch to the directory for your workload section of the contract:
cd ${HOME}/grep11Lab/contract/workload
- Run this command to create the convenience script. This command creates the script, but does not actually execute it. That comes later in the lab. Comments have been added to help explain what the script does.
cat <<-EOF > flow.workload
# Create the workload section of the contract and add the contents in the workload.yaml file.
#
# The Docker Compose file and all supporting configuration files are assumed to be in the ./compose directory
# There should not be any unnecessary files as they will get tarred up and added to the COMPOSE_B64 variable
#
COMPOSE_B64=\$(tar -czv -C compose . | base64 -w0)
#
# This specifies an intermediate file that could be deleted at the end of the script but
# is left intact for lab learning purposes- it is plaintext so keeping it implies that
# you would have to protect it appropriately. In production you'll probably want to delete it
#
WORKLOAD_PLAIN=./workload.yaml.plaintext
#
# This specifies a file that will be encrypted and signed and is the primary output of this script.
# It is combined with the encrypted and signed environment section that is created by
# another script (flow.signature which is one directory level higher)
# Note: this file will also wind up one directory level higher
#
WORKLOAD=workload.yaml
echo "
type: workload
compose:
  archive: \${COMPOSE_B64}" > \${WORKLOAD_PLAIN}
#
# This is the encryption certificate for Hyper Protect Container Runtime and it is
# provided with the Hyper Protect Virtual Servers v2.1.7.1 product
#
CONTRACT_KEY=/data/lab/hpvs2171Certs/ibm-hyper-protect-container-runtime-23.11.1-encrypt.crt
#
# This variable holds a random password:
#
PASSWORD_WORKLOAD="\$(openssl rand 32 | base64 -w0)"
#
# This variable holds the output of the command pipe that
# takes your plaintext workload yaml (\$WORKLOAD_PLAIN) and encrypts it using the password that
# was generated above (\$PASSWORD_WORKLOAD) and then base64 encodes this encrypted workload
#
# As long as nobody else knows your random password (\$PASSWORD_WORKLOAD) your data is safe.
# But, the Hyper Protect Container Runtime has to decrypt it, so it needs your password.
# How will it get that password securely? Read the next set of comment lines to find out.
#
ENCRYPTED_WORKLOAD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$WORKLOAD_PLAIN" | base64 -w0)"
#
# This variable provides secure passage of your random password. How?
# It encrypts it with the encryption key of the Hyper Protect Container Runtime (HPCR).
# (A key that is encrypted by another key is often called a wrapped key).
# Only the HPCR image has the private key which can decrypt this. It is protected from
# access from any administrators. So, malicious actors cannot do anything with this
# wrapped key, even if they were able to get a hold of it.
#
ENCRYPTED_WORKLOAD_PASSWORD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 -w0 )"
#
# Use the following command to get the encrypted section of the contract:
# This variable holds the output of a concatenation of a header, "hyper-protect-basic",
# your wrapped key, and your encrypted workload.
#
WORKLOAD_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_WORKLOAD_PASSWORD}.\${ENCRYPTED_WORKLOAD}"
#
# The above variable is echoed to a file in the directory one level above
#
echo "\$WORKLOAD_ENCRYPTED" > ../\$WORKLOAD
#
# NOTE: In a production scenario the plaintext workload section would be
# deleted or stored securely but it has been left here for student perusal.
# The filename is workload.yaml.plaintext
#
EOF
Create environment section of the contract¶
- Change to the directory where you will prepare the environment section of the contract:
cd ../environment
- In the environment section of the contract you are going to specify the information needed to have your GREP11 Server log to the rsyslog that you configured earlier in the lab.
- Switch to the directory from where you will gather some files you will need for this rsyslog configuration:
cd rsyslog
- You will need the CA certificate of the rsyslog service that you created on your Ubuntu KVM guest, which you can get via scp:
scp student@${StudentGuestIP}:x509Work/rsyslog/CA/ca.crt .
- Copy your rsyslog client certificate from your working directory:
cp -ipv ${HOME}/grep11Lab/x509Work/rsyslogClient/grep11Lab-client.crt .
- Convert the private key to PKCS#8 format
The directory you just copied the client certificate from also has your private key that you need. However, the HPCR image requires this to be in PKCS#8 (Public Key Cryptography Standard #8) format. Therefore you can't just copy it over- you need to convert it to PKCS#8 format:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
   -in ${HOME}/grep11Lab/x509Work/rsyslogClient/client-key.pem \
   -out client-key-pkcs8.pem
- Go back up one directory level:
cd .. && pwd
- We have provided a convenience script to assist in creating the environment section of the contract
This script is not supplied with the product, but is very useful in the creation of the contract. Create it now and feel free to peruse it but do not run it now. It will be called later by another script. Comments have been added to help explain what the script does.
cat <<-EOF > flow.env
# Create the env section of the contract and add the contents in the env.yaml file.
#
# set some file locations at the top of the file here
#
RSYSLOG_CA_CRT="./rsyslog/ca.crt"
RSYSLOG_CLIENT_CRT="./rsyslog/grep11Lab-client.crt"
RSYSLOG_CLIENT_KEY="./rsyslog/client-key-pkcs8.pem"
#
# This specifies an intermediate file that could be deleted at the end of the script but
# is left intact for lab learning purposes- it is plaintext so keeping it implies that
# you would have to protect it appropriately. In production you'll probably want to delete it
#
ENV_PLAIN="./env.yaml.plaintext"
#
# This specifies a file that will be encrypted and signed and is the primary output of this script.
# It is combined with the encrypted and signed workload section that is created by
# another script (flow.signature which is one directory level higher)
# Note: this file will also wind up one directory level higher
#
ENV="env.yaml"
#
# This variable holds the output of taking all the newlines out of the rsyslog CA certificate and
# replacing them with the "\n" characters. In other words, a multiple line file is squashed down
# to one line. The HPCR runtime image will then convert it back to the multiple line format
#
ENV_RSYSLOG_SERVER=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CA_CRT})
#
# This variable holds the output of taking all the newlines out of the client certificate that the
# HPCR runtime uses for communicating with rsyslog and replacing them with the "\n" characters.
# In other words, a multiple line file is squashed down to one line. The HPCR runtime image will
# then convert it back to the multiple line format
#
ENV_RSYSLOG_CERT=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CLIENT_CRT})
#
# This variable holds the output of taking all the newlines out of the client private key that the
# HPCR runtime uses for communicating with rsyslog and replacing them with the "\n" characters.
# In other words, a multiple line file is squashed down to one line. The HPCR runtime image will
# then convert it back to the multiple line format. Before this all happens, the Private Key is
# converted to PKCS#8 format
#
ENV_RSYSLOG_KEY=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CLIENT_KEY})
echo "
type: env
logging:
  syslog:
    hostname: \"\${StudentGuestIP}\"
    port: 6514
    server: \"\${ENV_RSYSLOG_SERVER}\"
    cert: \"\${ENV_RSYSLOG_CERT}\"
    key: \"\${ENV_RSYSLOG_KEY}\"" >\${ENV_PLAIN}
#
# This command adds the public signing key to the plaintext environment yaml. This key is used inside
# the Hyper Protect Container Runtime image to verify the signature over workload and environment sections of
# the contract.
#
cat ./pubSigningKey.yaml >> \${ENV_PLAIN}
# This is the encryption certificate for Hyper Protect Container Runtime and it is
# provided with the Hyper Protect Virtual Servers v2.1.7.1 product
#
CONTRACT_KEY=/data/lab/hpvs2171Certs/ibm-hyper-protect-container-runtime-23.11.1-encrypt.crt
#
# This variable holds a random password:
#
PASSWORD_ENV="\$(openssl rand 32 | base64 -w0)"
#
# This variable holds the output of the command pipe that
# takes your plaintext environment yaml (\$ENV_PLAIN) and encrypts it using the password that
# was generated above (\$PASSWORD_ENV) and then base64 encodes this encrypted environment yaml
#
# As long as nobody else knows your random password (\$PASSWORD_ENV) your data is safe.
# But, the Hyper Protect Container Runtime has to decrypt it, so it needs your password.
# How will it get that password securely? Read the next set of comment lines to find out.
#
ENCRYPTED_ENV="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$ENV_PLAIN" | base64 -w0)"
#
# This variable provides secure passage for your random password. How?
# It encrypts it with the encryption key of the Hyper Protect Container Runtime (HPCR).
# (A key that is encrypted by another key is often called a wrapped key).
# Only the HPCR image has the private key which can decrypt this. It is protected from
# access from any administrators. So, malicious actors cannot do anything with this
# wrapped key, even if they were able to get a hold of it.
#
ENCRYPTED_ENV_PASSWORD="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 -w0 )"
#
# Use the following command to get the encrypted environment section of the contract:
# This variable holds the output of a concatenation of a header, "hyper-protect-basic",
# your wrapped key, and your encrypted environment yaml.
#
ENV_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_ENV_PASSWORD}.\${ENCRYPTED_ENV}"
#
# The above variable writes the encrypted environment section to the directory one level above
#
echo "\$ENV_ENCRYPTED" > ../\$ENV
EOF
- Back up one more directory level:
cd ..
- You will create three more files that are convenience scripts, similar to flow.workload and flow.env which you have already created:
- The first script will provide some preparation steps. Create it, peruse it, love it, but don't run it yet:
cat << EOF > flow.prepare
# Use the following command to generate a key pair to sign the contract
openssl genrsa -aes128 -passout pass:test1234 -out private.pem 4096
openssl rsa -in private.pem -passin pass:test1234 -pubout -out public.pem
# The following command is an example of how you can get the signing key:
key=\$(awk -vRS="\n" -vORS="\\\\\n" '1' public.pem)
echo "
signingKey: \"\${key%\\\\n}\"" > environment/pubSigningKey.yaml
EOF
- Create the second script which signs the concatenated workload and environment sections of the contract and then appends the signature as the third and final element of the contract. Don't run it yet!
cat << EOF > flow.signature
# combine workload and environment
cat workload.yaml env.yaml | tr -d '\n' > contract.yaml
# Sign the combination from workload and env being approved
echo \$( cat contract.yaml | openssl dgst -sha256 -sign private.pem -passin pass:test1234 | openssl enc -base64) | tr -d ' ' > signature.yaml
# Create user data and add signature:
echo "workload: \$(cat workload.yaml)
env: \$(cat env.yaml)
envWorkloadSignature: \$(cat signature.yaml)" > user_data.yaml
echo ""
echo "import \`pwd\`/user_data.yaml into User Data or copy and paste from below:"
echo ""
cat user_data.yaml
EOF
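The signing that flow.prepare and flow.signature perform, followed by the check that the HPCR image makes against the signingKey in the env section, as an added example that is not part of the lab or of the HPVS product. It assumes openssl, awk, base64, sed and tr are on the PATH, and uses constructed stand-in strings in place of the real encrypted sections; file and key names mirror the lab's.

```shell
#!/bin/sh
# Added example (not from the lab or the HPVS product): redo the flow.prepare and
# flow.signature steps on constructed stand-in sections, then verify the signature
# the way the HPCR image does, from the flattened signingKey value alone.
# Assumes openssl, awk, base64, sed and tr are on the PATH.
set -eu

# make_contract DIR: key pair -> pubSigningKey.yaml -> signed user_data.yaml in DIR
make_contract() {
    mkdir -p "$1"
    ( cd "$1"
      # as in flow.prepare (2048-bit key here to keep the example quick)
      openssl genrsa -aes128 -passout pass:test1234 -out private.pem 2048 2>/dev/null
      openssl rsa -in private.pem -passin pass:test1234 -pubout -out public.pem 2>/dev/null
      # squash the PEM to one line: each newline becomes the two characters \n
      key=$(awk -vRS="\n" -vORS="\\\n" '1' public.pem)
      # the trailing \n is dropped, exactly as flow.prepare does
      echo "
signingKey: \"${key%\\n}\"" > pubSigningKey.yaml
      # constructed stand-ins for the two encrypted sections (same three-part shape)
      printf 'hyper-protect-basic.WRAPPEDKEY.WORKLOADCIPHERTEXT\n' > workload.yaml
      printf 'hyper-protect-basic.WRAPPEDKEY.ENVCIPHERTEXT\n' > env.yaml
      # identical to flow.signature: join without newlines, sign, base64 on one line
      cat workload.yaml env.yaml | tr -d '\n' > contract.yaml
      echo $( cat contract.yaml | openssl dgst -sha256 -sign private.pem -passin pass:test1234 | openssl enc -base64) | tr -d ' ' > signature.yaml
      echo "workload: $(cat workload.yaml)
env: $(cat env.yaml)
envWorkloadSignature: $(cat signature.yaml)" > user_data.yaml
    )
}

# verify_contract DIR: restore the public key from signingKey, rebuild the signed
# bytes (workload then env, no newline between) and check the signature.
# Exit status 0 means "Verified OK".
verify_contract() {
    ( cd "$1"
      flat=$(sed -n 's/^signingKey: "\(.*\)"$/\1/p' pubSigningKey.yaml)
      printf '%b\n' "$flat" > restored-public.pem    # %b turns each \n back into a newline
      workload=$(sed -n 's/^workload: //p' user_data.yaml)
      envsec=$(sed -n 's/^env: //p' user_data.yaml)
      printf '%s%s' "$workload" "$envsec" > signed.bin
      sed -n 's/^envWorkloadSignature: //p' user_data.yaml | base64 -d > sig.bin
      openssl dgst -sha256 -verify restored-public.pem -signature sig.bin signed.bin >/dev/null 2>&1
    )
}

# tamper_contract DIR: change one character of the env section; the signature no longer matches
tamper_contract() {
    sed 's/ENVCIPHERTEXT/ENVCIPHERTEXX/' "$1/user_data.yaml" > "$1/user_data.tmp" \
        && mv "$1/user_data.tmp" "$1/user_data.yaml"
}
```

Run make_contract on a scratch directory, then verify_contract before and after tamper_contract: the first check succeeds and the second fails, which is the property the HPCR image relies on when it refuses a modified contract.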
- This script isn't strictly necessary for the lab for reasons stated in the comments in the script, but you can create it anyway:
cat << EOF > flow.clear
#
# It isn't really necessary to run this in our lab environment
# because the other scripts will happily tread on these files
# as necessary.
#
# It is more likely that you would run this after running the
# other scripts in order to remove these files for security
# reasons
#
# But if you ever had a need to save your signing key pair,
# you would want to save private.pem somewhere safe.
#
rm private.pem public.pem
rm environment/pubSigningKey.yaml environment/env.yaml.plaintext
rm workload/workload.yaml.plaintext
rm env.yaml workload.yaml contract.yaml signature.yaml user_data.yaml
EOF
Encrypt and sign the contract¶
- Create a final helper script which calls the flow.* scripts you created earlier:
cat << EOF > makeContract
. ./flow.prepare
cd workload
. ./flow.workload
cd ../environment
. ./flow.env
cd ..
. ./flow.signature
EOF
- Now run the helper script that you just created:
. ./makeContract
The script creates the final contract in a file named user_data.yaml. It also displays the contents of this file on the screen. At the bottom of the output you will see an envWorkloadSignature key. If there is a gobbledygook value (base64-encoded text) associated with this key then things went well.
Create the startup file for the HPVS 2.1.x GREP11 guest¶
- Create a copy of the user_data.yaml file that you created
The contract that you just created is going to be packaged with some other files into a startup file for the HPVS 2.1.x guest that will run your GREP11 Server. One of the files expected is a file named user-data that is just a copy of the user_data.yaml file that was just created:
cp -ipv user_data.yaml user-data
Why didn't the script just do the above copy for me?
We kept user-data intact in case something went wrong in the process, in which case user_data.yaml may be rubbish but at least you haven't trampled on a good user-data that might already be in use.
- Create vendor-data, which is another file required by the process:
cat << EOF > vendor-data
#cloud-config
users:
  - default
EOF
- Create meta-data, which is also required; it will have a hostname tailored for your userid:
cat << EOF > meta-data
local-hostname: $(whoami)-grep11server
EOF
- Run this command (RHEL-specific, see product documentation for Ubuntu command) in order to create the startup file, ciiso.iso:
genisoimage -output /var/lib/libvirt/images/hpcr/$(whoami)/ciiso.iso \
   -volid cidata -joliet -rock user-data meta-data vendor-data
Your output will look like this:
Output from genisoimage command
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 414
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
203 extents written (0 MB)
Start the GREP11 Server as a Secure Execution-enabled, HPVS 2.1.x guest¶
Launch the HPVS 2.1.x GREP11 server¶
You will start this section from your login session on the RHEL host, and will soon be instructed to switch to your Ubuntu KVM guest session. But until then, start from this familiar window or tab:
This fancy command figures out the last two characters of your assigned userid and is used in other commands in this section, so that the lab instructions will work for everybody:
suffix=$(temp=$(whoami) && echo ${temp: -2})
You aren't going to change anything here since it's already been defined for you by the instructors, but you can display the KVM guest definition of your HPVS 2.1.x GREP11 Server:
sudo virsh dumpxml grep11se${suffix}
Definition of KVM guest for GREP11 Server
<domain type='kvm'>
<name>grep11se02</name>
<uuid>2315f8ea-a340-4506-abbf-ae04cf7ea868</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>3903488</memory>
<currentMemory unit='KiB'>3903488</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='s390x' machine='s390-ccw-virtio-rhel8.2.0'>hvm</type>
<boot dev='hd'/>
</os>
<cpu mode='host-model' check='partial'/>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' iommu='on'/>
<source file='/var/lib/libvirt/images/hpcr/student02/ibm-hyper-protect-container-runtime-23.11.1.qcow2'/>
<backingStore/>
<target dev='vda' bus='virtio'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
</disk>
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' iommu='on'/>
<source file='/var/lib/libvirt/images/hpcr/student02/ciiso.iso'/>
<target dev='vdc' bus='virtio'/>
<readonly/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0002'/>
</disk>
<controller type='pci' index='0' model='pci-root'/>
<interface type='network'>
<mac address='52:54:00:b1:e0:11'/>
<source network='default'/>
<model type='virtio'/>
<driver name='vhost' iommu='on'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
</interface>
<console type='pty'>
<target type='sclp' port='0'/>
</console>
<audio id='1' type='none'/>
<memballoon model='none'/>
<panic model='s390'/>
</devices>
</domain>
In the example output above, look at the two source file= lines in the devices section. The first is the Hyper Protect Container Runtime (HPCR) image shipped with Hyper Protect Virtual Servers 2.1.x (ibm-hyper-protect-container-runtime-23.11.1.qcow2, attached as vda). It is the Secure Execution-enabled KVM guest that reads your contract, validates its integrity and correctness, and then starts your application workload. The second is the ciiso.iso file that you created in the previous section with the genisoimage command; it contains your contract and is attached read-only. Note also that every virtio disk and interface driver carries iommu='on'. The hypervisor cannot read a Secure Execution guest's memory, so virtio I/O has to go through the IOMMU platform feature and bounce buffers inside the guest (that is what the swiotlb=262144 parameter on the guest's kernel command line, visible in the log later in this section, is for). A domain definition without it will not come up as a Secure Execution guest.
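As an added check (example code written for this guide, not part of the lab or of IBM's tooling), the following Python script parses the domain definition that virsh dumpxml prints and flags the properties a Secure Execution guest depends on: exactly one qcow2 HPCR image disk, exactly one read-only contract ISO, boot from disk, and iommu='on' on every virtio disk and interface driver. The sample XML embedded in it is a constructed, trimmed copy of the definition above; the script name and its command-line usage are assumptions.

```python
# Added example, not part of the lab or of IBM's tooling: a pre-flight check of
# the libvirt domain definition for a Hyper Protect Container Runtime (HPCR)
# Secure Execution guest. Usage (assumed):
#   virsh dumpxml grep11se02 | python3 check_se_domain.py
import sys
import xml.etree.ElementTree as ET


def check_se_domain(xml_text):
    """Return a list of problems found in the domain XML; [] means it passes."""
    root = ET.fromstring(xml_text)
    problems = []

    os_type = root.find("./os/type")
    if os_type is None or os_type.get("arch") != "s390x":
        problems.append("os/type arch must be s390x")
    if root.find("./os/boot[@dev='hd']") is None:
        problems.append("os/boot must be dev='hd' so the HPCR image boots first")

    qcow2_disks, iso_disks = [], []
    for disk in root.findall("./devices/disk"):
        driver = disk.find("driver")
        source = disk.find("source")
        target = disk.find("target")
        dev = target.get("dev", "?") if target is not None else "?"
        path = source.get("file", "") if source is not None else ""
        # A Secure Execution guest's memory is not readable by the hypervisor, so
        # every virtio device needs the IOMMU platform feature (libvirt: iommu='on').
        if driver is None or driver.get("iommu") != "on":
            problems.append(f"disk {dev}: driver needs iommu='on'")
        if driver is not None and driver.get("type") == "qcow2":
            qcow2_disks.append(dev)
        elif path.endswith(".iso"):
            iso_disks.append(dev)
            if disk.find("readonly") is None:
                problems.append(f"disk {dev}: contract ISO should be <readonly/>")

    if len(qcow2_disks) != 1:
        problems.append(f"expected one qcow2 HPCR image disk, found {len(qcow2_disks)}")
    if len(iso_disks) != 1:
        problems.append(f"expected one contract ISO disk, found {len(iso_disks)}")

    for iface in root.findall("./devices/interface"):
        driver = iface.find("driver")
        if driver is None or driver.get("iommu") != "on":
            problems.append("interface: driver needs iommu='on'")
    return problems


# Constructed sample, reduced from the domain XML shown above.
GOOD_DOMAIN_XML = """<domain type='kvm'>
  <name>grep11se02</name>
  <memory unit='KiB'>3903488</memory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='s390x' machine='s390-ccw-virtio-rhel8.2.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' iommu='on'/>
      <source file='/var/lib/libvirt/images/hpcr/student02/ibm-hyper-protect-container-runtime-23.11.1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='none' io='native' iommu='on'/>
      <source file='/var/lib/libvirt/images/hpcr/student02/ciiso.iso'/>
      <target dev='vdc' bus='virtio'/>
      <readonly/>
    </disk>
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <driver name='vhost' iommu='on'/>
    </interface>
    <memballoon model='none'/>
  </devices>
</domain>"""

# The same definition with the interface's iommu flag and the ISO's <readonly/> dropped.
BAD_DOMAIN_XML = (GOOD_DOMAIN_XML
                  .replace("<driver name='vhost' iommu='on'/>", "<driver name='vhost'/>")
                  .replace("<readonly/>", ""))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else GOOD_DOMAIN_XML
    found = check_se_domain(text)
    for p in found:
        print("PROBLEM:", p)
    print("domain OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it against your own virsh dumpxml output before virsh start; a missing iommu='on' is the most common reason an otherwise valid definition hangs instead of reaching the bootloader messages.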
Start your GREP11 Server and attach to its console. Watch the messages carefully. You should not see any failures:
sudo virsh start grep11se${suffix} --console
This is what success looks like:
Domain 'grep11se02' started
Connected to domain 'grep11se02'
Escape character is ^] (Ctrl + ])
# HPL11 build:23.11.0 enabler:23.6.0
# Tue Sep 5 21:07:01 UTC 2023
# Machine Type/Plant/Serial: 8561/02/31A38
# create new root partition...
# encrypt root partition...
# create root filesystem...
# write OS to root disk...
# decrypt user-data...
2 token decrypted, 0 encrypted token ignored
# run attestation...
# set hostname...
# finish root disk setup...
# Tue Sep 5 21:07:29 UTC 2023
# HPL11 build:23.11.0 enabler:23.6.0
# HPL11099I: bootloader end
hpcr-dnslookup[729]: HPL14000I: Network connectivity check completed successfully.
hpcr-logging[871]: Configuring logging ...
hpcr-logging[872]: Version [1.1.147]
hpcr-logging[872]: Configuring logging, input [/var/hyperprotect/user-data.decrypted] ...
hpcr-logging[872]: HPL01010I: Logging has been setup successfully.
hpcr-logging[871]: Logging has been configured
hpcr-catch-success[1337]: VSI has started successfully.
hpcr-catch-success[1337]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service
Press Ctrl+] (the escape character shown when you connected) to detach from the console; the guest keeps running.
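To make "watch the messages carefully" mechanical, here is an added example (written for this guide, not IBM's code) that scans a captured boot log for the milestones shown above, in order, and checks the contract decryption summary line. The milestone strings are copied from the console output above; requiring that order, expecting 2 decrypted tokens (an assumption: the lab contract's two encrypted sections), and reading a non-zero "encrypted token ignored" count as a failure are this example's own rules. The same function can be pointed at the journalctl output described in the next section with console=False, which checks only the service-level codes; the bootloader's "#" lines are printed before the guest's logging is configured, so they will likely not reach rsyslog (confirm against your own capture).

```python
# Added example, not part of the lab or of IBM's tooling: a checker for a captured
# HPCR boot log. Feed it the text from `virsh start ... --console` (console=True) or
# from `journalctl --since today --no-pager` on the rsyslog host (console=False).
import re
import sys

# Lines the HPCR bootloader prints on the console before the guest's own logging
# is up (copied from the successful output shown above).
BOOTLOADER_STEPS = [
    "# encrypt root partition...",
    "# decrypt user-data...",
    "# run attestation...",
    "HPL11099I",  # bootloader end
]
# Message codes emitted by the hpcr-* services once the guest is running.
SERVICE_CODES = [
    "HPL14000I",  # network connectivity check completed
    "HPL01010I",  # logging set up
    "HPL10001I",  # services succeeded -> VSI has started
]
# "<n> token decrypted, <m> encrypted token ignored"
TOKEN_RE = re.compile(r"(\d+) token decrypted, (\d+) encrypted token ignored")


def check_boot_log(text, expected_tokens=2, console=True):
    """Return a list of problems; [] means every expected milestone was seen, in order.

    expected_tokens: how many encrypted contract sections the bootloader should
    decrypt. 2 is an assumption for the lab contract; the console output above
    reports "2 token decrypted".
    """
    problems = []
    markers = (BOOTLOADER_STEPS if console else []) + SERVICE_CODES
    last_pos = -1
    for marker in markers:
        pos = text.find(marker)
        if pos < 0:
            problems.append(f"missing milestone: {marker}")
        elif pos < last_pos:
            problems.append(f"milestone out of order: {marker}")
        else:
            last_pos = pos

    if console:
        m = TOKEN_RE.search(text)
        if m is None:
            problems.append("no contract decryption summary line")
        else:
            decrypted, ignored = int(m.group(1)), int(m.group(2))
            if decrypted != expected_tokens:
                problems.append(f"expected {expected_tokens} decrypted token(s), got {decrypted}")
            if ignored:
                # Interpretation (not documented on this page): an encrypted section the
                # bootloader could not use, e.g. encrypted for a different HPCR image key.
                problems.append(f"{ignored} encrypted token(s) ignored")
    return problems


# Constructed transcript, trimmed from the successful console output above.
CONSOLE_OK = """\
# HPL11 build:23.11.0 enabler:23.6.0
# create new root partition...
# encrypt root partition...
# create root filesystem...
# write OS to root disk...
# decrypt user-data...
2 token decrypted, 0 encrypted token ignored
# run attestation...
# set hostname...
# finish root disk setup...
# HPL11099I: bootloader end
hpcr-dnslookup[729]: HPL14000I: Network connectivity check completed successfully.
hpcr-logging[872]: HPL01010I: Logging has been setup successfully.
hpcr-catch-success[1337]: VSI has started successfully.
hpcr-catch-success[1337]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service
"""

# Constructed failure: attestation never ran and one contract section was not decrypted.
CONSOLE_BAD = (CONSOLE_OK
               .replace("# run attestation...\n", "")
               .replace("2 token decrypted, 0 encrypted token ignored",
                        "1 token decrypted, 1 encrypted token ignored"))


if __name__ == "__main__":
    # Assumed CLI: pass --journal when the input is journalctl output from the rsyslog host.
    console = "--journal" not in sys.argv
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSOLE_OK
    found = check_boot_log(text, console=console)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Capture the console with script or tee while you start the guest, then pipe the capture through this checker; a non-empty problem list, not just the absence of the word "failed", is what should stop you from proceeding to the client steps.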
Verify that GREP11 server log messages are received by rsyslog¶
The GREP11 server's logging goes to the rsyslog service that you configured on your Ubuntu guest, so switch to the terminal tab or window for your KVM standard guest.
You should still be logged in on that tab or window.
The --since today filter is crude (if midnight has passed since you started your GREP11 server, widen the window with an explicit --since timestamp), but it is enough to show the messages rsyslog received when your GREP11 server started:
journalctl --since today --no-pager
There are a lot of messages logged, a veritable trove of treasure for the curious. Here is an example of what you should be able to see:
Log messages in rsyslog from starting the GREP11 Server
Nov 03 21:17:09 ubuntu2204 vpcnode[1623]: authentication probe
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Linux version 5.15.0-79-generic (buildd@bos02-s390x-016) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #86-Ubuntu SMP Mon Jul 10 16:19:54 UTC 2023 (Ubuntu 5.15.0-79.86-generic 5.15.111)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: setup: Linux is running under KVM in 64-bit mode
Nov 03 21:17:10 ubuntu2204 kernel[1623]: setup: Relocating AMODE31 section of size 0x00003000
Nov 03 21:17:10 ubuntu2204 kernel[1623]: setup: The maximum memory size is 3812MB
Nov 03 21:17:10 ubuntu2204 kernel[1623]: cpu: 2 configured CPUs, 0 standby CPUs
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Write protected kernel read-only data: 18692k
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Zone ranges:
Nov 03 21:17:10 ubuntu2204 kernel[1623]: DMA [mem 0x0000000000000000-0x000000007fffffff]
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Normal [mem 0x0000000080000000-0x00000000ee3fffff]
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Movable zone start for each node
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Early memory node ranges
Nov 03 21:17:10 ubuntu2204 kernel[1623]: node 0: [mem 0x0000000000000000-0x00000000ee3fffff]
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Initmem setup node 0 [mem 0x0000000000000000-0x00000000ee3fffff]
Nov 03 21:17:10 ubuntu2204 kernel[1623]: On node 0, zone Normal: 7168 pages in unavailable ranges
Nov 03 21:17:10 ubuntu2204 kernel[1623]: percpu: Embedded 32 pages/cpu s91904 r8192 d30976 u131072
Nov 03 21:17:10 ubuntu2204 kernel[1623]: pcpu-alloc: s91904 r8192 d30976 u131072 alloc=32*4096
Nov 03 21:17:10 ubuntu2204 kernel[1623]: pcpu-alloc: [0] 0 [0] 1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Built 1 zonelists, mobility grouping on. Total pages: 960624
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Policy zone: Normal
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Kernel command line: panic=0 blacklist=virtio_rng swiotlb=262144 cloud-init=disabled console=ttyS0 printk.time=0 systemd.getty_auto=0 systemd.firstboot=0 module.sig_enforce=1 quiet loglevel=0 systemd.show_status=0
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Unknown kernel command line parameters "blacklist=virtio_rng cloud-init=disabled", will be passed to user space.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: mem auto-init: stack:off, heap alloc:on, heap free:off
Nov 03 21:17:10 ubuntu2204 kernel[1623]: software IO TLB: mapped [mem 0x000000005fffc000-0x000000007fffc000] (512MB)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Memory: 3266280K/3903488K available (11988K kernel code, 3212K rwdata, 6704K rodata, 5200K init, 1252K bss, 637208K reserved, 0K cma-reserved)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: SLUB: HWalign=256, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ftrace: allocating 34120 entries in 134 pages
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ftrace: allocated 134 pages with 3 groups
Nov 03 21:17:10 ubuntu2204 kernel[1623]: rcu: Hierarchical RCU implementation.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: rcu: #011RCU restricting CPUs from NR_CPUS=512 to nr_cpu_ids=2.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: #011Rude variant of Tasks RCU enabled.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: #011Tracing variant of Tasks RCU enabled.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NR_IRQS: 3, nr_irqs: 3, preallocated irqs: 3
Nov 03 21:17:10 ubuntu2204 kernel[1623]: clocksource: tod: mask: 0xffffffffffffffff max_cycles: 0x3b0a9be803b0a9, max_idle_ns: 1805497147909793 ns
Nov 03 21:17:10 ubuntu2204 kernel[1623]: random: crng init done
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Console: colour dummy device 80x25
Nov 03 21:17:10 ubuntu2204 kernel[1623]: printk: console [ttyS0] enabled
Nov 03 21:17:10 ubuntu2204 kernel[1623]: printk: console [ttysclp0] enabled
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Calibrating delay loop (skipped)... 24038.00 BogoMIPS preset
Nov 03 21:17:10 ubuntu2204 kernel[1623]: pid_max: default: 32768 minimum: 301
Nov 03 21:17:10 ubuntu2204 kernel[1623]: LSM: Security Framework initializing
Nov 03 21:17:10 ubuntu2204 kernel[1623]: landlock: Up and running.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Yama: becoming mindful.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: AppArmor: AppArmor initialized
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: rcu: Hierarchical SRCU implementation.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: smp: Bringing up secondary CPUs ...
Nov 03 21:17:10 ubuntu2204 kernel[1623]: smp: Brought up 1 node, 2 CPUs
Nov 03 21:17:10 ubuntu2204 kernel[1623]: devtmpfs: initialized
Nov 03 21:17:10 ubuntu2204 kernel[1623]: clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
Nov 03 21:17:10 ubuntu2204 kernel[1623]: futex hash table entries: 512 (order: 5, 131072 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_NETLINK/PF_ROUTE protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: initializing netlink subsys (disabled)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=2000 audit(1699046202.087:1): state=initialized audit_enabled=0 res=1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Spectre V2 mitigation: etokens
Nov 03 21:17:10 ubuntu2204 kernel[1623]: HugeTLB registered 1.00 MiB page size, pre-allocated 0 pages
Nov 03 21:17:10 ubuntu2204 kernel[1623]: iommu: Default domain type: Translated
Nov 03 21:17:10 ubuntu2204 kernel[1623]: iommu: DMA domain TLB invalidation policy: strict mode
Nov 03 21:17:10 ubuntu2204 kernel[1623]: SCSI subsystem initialized
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NetLabel: Initializing
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NetLabel: domain hash size = 128
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NetLabel: unlabeled traffic allowed by default
Nov 03 21:17:10 ubuntu2204 kernel[1623]: zpci: PCI is not supported because CPU facilities 69 or 71 are not available
Nov 03 21:17:10 ubuntu2204 kernel[1623]: VFS: Disk quotas dquot_6.6.0
Nov 03 21:17:10 ubuntu2204 kernel[1623]: VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: AppArmor: AppArmor Filesystem Enabled
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_INET protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: IP idents hash table entries: 65536 (order: 7, 524288 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: tcp_listen_portaddr_hash hash table entries: 2048 (order: 3, 32768 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: TCP established hash table entries: 32768 (order: 6, 262144 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: TCP bind hash table entries: 32768 (order: 7, 524288 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: TCP: Hash tables configured (established 32768 bind 32768)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: MPTCP token hash table entries: 4096 (order: 4, 98304 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: UDP hash table entries: 2048 (order: 4, 65536 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes, linear)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_UNIX/PF_LOCAL protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_XDP protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Trying to unpack rootfs image as initramfs...
Nov 03 21:17:10 ubuntu2204 kernel[1623]: kvm-s390: SIE is not available
Nov 03 21:17:10 ubuntu2204 kernel[1623]: hypfs: The hardware system does not support hypfs
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Initialise system trusted keyrings
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type blacklist registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: workingset: timestamp_bits=45 max_order=20 bucket_order=0
Nov 03 21:17:10 ubuntu2204 kernel[1623]: zbud: loaded
Nov 03 21:17:10 ubuntu2204 kernel[1623]: squashfs: version 4.0 (2009/01/31) Phillip Lougher
Nov 03 21:17:10 ubuntu2204 kernel[1623]: fuse: init (API version 7.34)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: integrity: Platform Keyring initialized
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type asymmetric registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Asymmetric key parser 'x509' registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: io scheduler mq-deadline registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: hvc_iucv: The z/VM IUCV HVC device driver cannot be used without z/VM
Nov 03 21:17:10 ubuntu2204 kernel[1623]: loop: module loaded
Nov 03 21:17:10 ubuntu2204 kernel[1623]: tun: Universal TUN/TAP device driver, 1.6
Nov 03 21:17:10 ubuntu2204 kernel[1623]: device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: device-mapper: uevent: version 1.0.3
Nov 03 21:17:10 ubuntu2204 kernel[1623]: device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
Nov 03 21:17:10 ubuntu2204 kernel[1623]: drop_monitor: Initializing network drop monitor service
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_INET6 protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Freeing initrd memory: 9828K
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Segment Routing with IPv6
Nov 03 21:17:10 ubuntu2204 kernel[1623]: In-situ OAM (IOAM) with IPv6
Nov 03 21:17:10 ubuntu2204 kernel[1623]: NET: Registered PF_PACKET protocol family
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type dns_resolver registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: cio: Channel measurement facility initialized using format extended (mode autodetected)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: sclp_sd: Store Data request failed (eq=2, di=3, response=0x40f0, flags=0x00, status=0, rc=-5)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ap: The hardware system does not support AP instructions
Nov 03 21:17:10 ubuntu2204 kernel[1623]: registered taskstats version 1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loading compiled-in X.509 certificates
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Build time autogenerated kernel key: 033cfe156234b615233dffd1cb0a66d4b6280b04'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: blacklist: Loading compiled-in revocation X.509 certificates
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: zswap: loaded using pool lzo/zbud
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type .fscrypt registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type fscrypt-provisioning registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Key type encrypted registered
Nov 03 21:17:10 ubuntu2204 kernel[1623]: AppArmor: AppArmor sha1 policy hashing enabled
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ima: No TPM chip found, activating TPM-bypass!
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loading compiled-in module X.509 certificates
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Loaded X.509 cert 'Build time autogenerated kernel key: 033cfe156234b615233dffd1cb0a66d4b6280b04'
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ima: Allocated hash algorithm: sha1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ima: No architecture policies found
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: Initialising EVM extended attributes:
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.selinux
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.SMACK64
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.SMACK64EXEC
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.SMACK64TRANSMUTE
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.SMACK64MMAP
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.apparmor
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.ima
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: security.capability
Nov 03 21:17:10 ubuntu2204 kernel[1623]: evm: HMAC attrs: 0x1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Freeing unused kernel image (initmem) memory: 5200K
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Write protected read-only-after-init data: 136k
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Checked W+X mappings: passed, no unexpected W+X pages found
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Run /init as init process
Nov 03 21:17:10 ubuntu2204 kernel[1623]: with arguments:
Nov 03 21:17:10 ubuntu2204 kernel[1623]: /init
Nov 03 21:17:10 ubuntu2204 kernel[1623]: with environment:
Nov 03 21:17:10 ubuntu2204 kernel[1623]: HOME=/
Nov 03 21:17:10 ubuntu2204 kernel[1623]: TERM=linux
Nov 03 21:17:10 ubuntu2204 kernel[1623]: blacklist=virtio_rng
Nov 03 21:17:10 ubuntu2204 kernel[1623]: cloud-init=disabled
Nov 03 21:17:10 ubuntu2204 kernel[1623]: virtio_blk virtio0: [vda] 209715200 512-byte logical blocks (107 GB/100 GiB)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: GPT:Primary header thinks Alt. header is not at the end of the disk.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: GPT:8388607 != 209715199
Nov 03 21:17:10 ubuntu2204 kernel[1623]: GPT:Alternate GPT header not at the end of the disk.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: GPT:8388607 != 209715199
Nov 03 21:17:10 ubuntu2204 kernel[1623]: GPT: Use GNU Parted to correct GPT errors.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: vda: vda1
Nov 03 21:17:10 ubuntu2204 kernel[1623]: virtio_blk virtio1: [vdb] 816 512-byte logical blocks (418 kB/408 KiB)
Nov 03 21:17:10 ubuntu2204 kernel[1623]: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ISO 9660 Extensions: Microsoft Joliet Level 3
Nov 03 21:17:10 ubuntu2204 kernel[1623]: ISO 9660 Extensions: RRIP_1991A
Nov 03 21:17:10 ubuntu2204 kernel[1623]: EXT4-fs (dm-0): re-mounted. Opts: (null). Quota mode: none.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: systemd 249.11-0ubuntu3.9 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Detected virtualization kvm.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Detected architecture s390x.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Hostname set to <student03-grep11server>.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Initializing machine ID from random generator.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Installed transient /etc/machine-id file.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: /lib/systemd/system/verify-disk-encryption-invoker.service:6: Special user nobody configured, this is not safe!
Nov 03 21:17:10 ubuntu2204 systemd[1623]: /lib/systemd/system/se-dnslookup.service:10: Special user nobody configured, this is not safe!
Nov 03 21:17:10 ubuntu2204 systemd[1623]: /lib/systemd/system/hpl-catch-success.service:13: Special user nobody configured, this is not safe!
Nov 03 21:17:10 ubuntu2204 systemd[1623]: /lib/systemd/system/hpl-catch-failed.service:10: Special user nobody configured, this is not safe!
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found ordering cycle on basic.target/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on sockets.target/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on docker.socket/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on se-registry-auth.service/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on hpl-logging.target/verify-active
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on se-logging-sync.target/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Found dependency on se-logging.service/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: se-logging.service: Job sockets.target/start deleted to break ordering cycle starting with se-logging.service/start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Queued start job for default target Multi-User System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Created slice Slice /system/modprobe.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Created slice Slice /system/systemd-fsck.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Created slice User and Session Slice.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Dispatch Password Requests to Console Directory Watch.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Forward Password Requests to Wall Directory Watch.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Set up automount Arbitrary Executable File Formats File System Automount Point.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Local Encrypted Volumes.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Path Units.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Remote File Systems.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Slice Units.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Swaps.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Local Verity Protected Volumes.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Syslog Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on fsck to fsckd communication Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on initctl Compatibility Named Pipe.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Journal Audit Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Journal Socket (/dev/log).
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Journal Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Network Service Netlink Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on udev Control Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on udev Kernel Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting Huge Pages File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting POSIX Message Queue File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting Kernel Debug File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting Kernel Trace File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Journal Service...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set the console keyboard layout...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Create List of Static Device Nodes...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module chromeos_pstore...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module configfs...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module drm...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module efi_pstore...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module fuse...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module pstore_blk...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module pstore_zone...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Module ramoops...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in OpenVSwitch configuration for cleanup being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting File System Check on Root Device...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load Kernel Modules...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Coldplug All udev Devices...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted Huge Pages File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted POSIX Message Queue File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted Kernel Debug File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted Kernel Trace File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Create List of Static Device Nodes.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@chromeos_pstore.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module chromeos_pstore.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@configfs.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module configfs.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@efi_pstore.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module efi_pstore.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@fuse.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module fuse.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished File System Check on Root Device.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting FUSE Control File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting Kernel Configuration File System...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started File System Check Daemon to report status.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Remount Root and Kernel File Systems...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@pstore_zone.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module pstore_zone.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Modules.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted FUSE Control File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Apply Kernel Variables...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted Kernel Configuration File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@ramoops.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module ramoops.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: EXT4-fs (dm-0): re-mounted. Opts: errors=remount-ro. Quota mode: none.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@pstore_blk.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module pstore_blk.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Remount Root and Kernel File Systems.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in Platform Persistent Storage Archival being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load/Save Random Seed...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Create System Users...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Coldplug All udev Devices.
Nov 03 21:17:10 ubuntu2204 systemd-journald[1623]: Journal started
Nov 03 21:17:10 ubuntu2204 systemd-journald[1623]: Runtime Journal (/run/log/journal/b184ee684aa14b2c84d630c3ba938847) is 4.0M, max 32.0M, 28.0M free.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Flush Journal to Persistent Storage...
Nov 03 21:17:10 ubuntu2204 systemd-fsck[1623]: /dev/mapper/luks-7006b45c-452a-4138-af93-842ceeb387dc: clean, 26377/6291456 files, 808671/25161728 blocks
Nov 03 21:17:10 ubuntu2204 systemd-journald[1623]: Time spent on flushing to /var/log/journal/b184ee684aa14b2c84d630c3ba938847 is 1.769ms for 268 entries.
Nov 03 21:17:10 ubuntu2204 systemd-journald[1623]: System Journal (/var/log/journal/b184ee684aa14b2c84d630c3ba938847) is 8.0M, max 4.0G, 3.9G free.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Journal Service.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load/Save Random Seed.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in First Boot Complete being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Create System Users.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Create Static Device Nodes in /dev...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Apply Kernel Variables.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Create Static Device Nodes in /dev.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Rule-based Manager for Device Events and Files...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: modprobe@drm.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load Kernel Module drm.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Rule-based Manager for Device Events and Files.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Network Configuration...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Flush Journal to Persistent Storage.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: VFIO - User Level meta-driver version: 0.3
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: lo: Link UP
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: lo: Gained carrier
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: Enumeration completed
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Network Configuration.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Wait for Network to be Configured...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set the console keyboard layout.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Preparation for Local File Systems.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Wait for Network to be Configured.
Nov 03 21:17:10 ubuntu2204 systemd-udevd[1623]: Using default interface naming scheme 'v249'.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: virtio_net virtio2 enc1: renamed from eth0
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: eth0: Interface name change detected, renamed to enc1.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Found device /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting File System Check on /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70...
Nov 03 21:17:10 ubuntu2204 systemd-udevd[1623]: Using default interface naming scheme 'v249'.
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: enc1: Link UP
Nov 03 21:17:10 ubuntu2204 systemd-fsck[1623]: /dev/vda1: clean, 13/262144 files, 140195/1048064 blocks
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished File System Check on /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting /boot...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted /boot.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Local File Systems.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Load AppArmor profiles...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set console font and keymap...
Nov 03 21:17:10 ubuntu2204 kernel[1623]: EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set Up Additional Binary Formats...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in Store a System Token in an EFI Variable being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Commit a transient machine-id on disk...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Create Volatile Files and Directories...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set console font and keymap.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: proc-sys-fs-binfmt_misc.automount: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 707 (systemd-binfmt)
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounting Arbitrary Executable File Formats File System...
Nov 03 21:17:10 ubuntu2204 apparmor.systemd[1623]: Restarting AppArmor
Nov 03 21:17:10 ubuntu2204 apparmor.systemd[1623]: Reloading AppArmor profiles
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Create Volatile Files and Directories.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Network Name Resolution...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Network Time Synchronization...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Record System Boot/Shutdown in UTMP...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Record System Boot/Shutdown in UTMP.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Mounted Arbitrary Executable File Formats File System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set Up Additional Binary Formats.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Commit a transient machine-id on disk.
Nov 03 21:17:10 ubuntu2204 systemd-resolved[1623]: Positive Trust Anchors:
Nov 03 21:17:10 ubuntu2204 systemd-resolved[1623]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Nov 03 21:17:10 ubuntu2204 systemd-resolved[1623]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test
Nov 03 21:17:10 ubuntu2204 systemd-resolved[1623]: Using system hostname 'student03-grep11server'.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Network Name Resolution.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Network.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Network is Online.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Host and Network Name Lookups.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Network Time Synchronization.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target System Time Set.
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=721 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=721 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=720 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 apparmor.systemd[1623]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046227.987:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=721 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046227.987:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=721 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046227.987:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=720 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Load AppArmor profiles.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target System Initialization.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Daily apt download activities.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Daily apt upgrade and clean activities.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Daily dpkg database backup timer.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Periodic ext4 Online Metadata Check for All Filesystems.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Discard unused blocks once a week.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Daily rotation of log files.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Message of the Day.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Podman auto-update timer.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Daily Cleanup of Temporary Directories.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in Ubuntu Pro Timer for running repeated jobs being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Timer for calling verify disk encryption invoker service.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Basic System.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Timer Units.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on D-Bus System Message Bus Socket.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Podman API Socket.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046228.267:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046228.267:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046228.267:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046228.267:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=723 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting containerd container runtime...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started D-Bus System Message Bus.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Save initial kernel messages after boot.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Remove Stale Online ext4 Metadata Check Snapshots...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in getty on tty2-tty6 if dbus and logind are not available being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Login Prompts.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Dispatcher daemon for systemd-networkd...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Podman auto-update service...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Podman Start All Containers With Restart Policy Set To Always...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Podman API Service...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Logging Configuration...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting User Login Management...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Permit User Sessions...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in Ubuntu Pro reboot cmds being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Condition check resulted in Ubuntu Pro Background Auto Attach being skipped.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Podman API Service.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Permit User Sessions.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set console scheme...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set console scheme.
Nov 03 21:17:10 ubuntu2204 dbus-daemon[1623]: [system] AppArmor D-Bus mediation is enabled
Nov 03 21:17:10 ubuntu2204 systemd[1623]: e2scrub_reap.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Remove Stale Online ext4 Metadata Check Snapshots.
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.397232251Z" level=info msg="starting containerd" revision= version=1.7.2
Nov 03 21:17:10 ubuntu2204 systemd-logind[1623]: New seat seat0.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started User Login Management.
Nov 03 21:17:10 ubuntu2204 networkd-dispatcher[1623]: No valid path found for iwconfig
Nov 03 21:17:10 ubuntu2204 networkd-dispatcher[1623]: No valid path found for iw
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Dispatcher daemon for systemd-networkd.
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="/usr/bin/podman filtering at log level info"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="/usr/bin/podman filtering at log level info"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.458819954Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." type=io.containerd.snapshotter.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.458933679Z" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." error="path /var/lib/containerd/io.containerd.snapshotter.v1.btrfs (ext4) must be a btrfs filesystem to be used with the btrfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.458946844Z" level=info msg="loading plugin \"io.containerd.content.v1.content\"..." type=io.containerd.content.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.459001557Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.native\"..." type=io.containerd.snapshotter.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.459047059Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.overlayfs\"..." type=io.containerd.snapshotter.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.459165530Z" level=info msg="loading plugin \"io.containerd.metadata.v1.bolt\"..." type=io.containerd.metadata.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.459199711Z" level=info msg="metadata content store policy set" policy=shared
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468338746Z" level=info msg="loading plugin \"io.containerd.differ.v1.walking\"..." type=io.containerd.differ.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468359708Z" level=info msg="loading plugin \"io.containerd.event.v1.exchange\"..." type=io.containerd.event.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468370061Z" level=info msg="loading plugin \"io.containerd.gc.v1.scheduler\"..." type=io.containerd.gc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468395192Z" level=info msg="loading plugin \"io.containerd.lease.v1.manager\"..." type=io.containerd.lease.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468406115Z" level=info msg="loading plugin \"io.containerd.nri.v1.nri\"..." type=io.containerd.nri.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468413904Z" level=info msg="NRI interface is disabled by configuration."
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468422012Z" level=info msg="loading plugin \"io.containerd.runtime.v2.task\"..." type=io.containerd.runtime.v2
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468479297Z" level=info msg="loading plugin \"io.containerd.runtime.v2.shim\"..." type=io.containerd.runtime.v2
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468489651Z" level=info msg="loading plugin \"io.containerd.sandbox.store.v1.local\"..." type=io.containerd.sandbox.store.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468499792Z" level=info msg="loading plugin \"io.containerd.sandbox.controller.v1.local\"..." type=io.containerd.sandbox.controller.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468509604Z" level=info msg="loading plugin \"io.containerd.streaming.v1.manager\"..." type=io.containerd.streaming.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468519809Z" level=info msg="loading plugin \"io.containerd.service.v1.introspection-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.468747972Z" level=info msg="loading plugin \"io.containerd.service.v1.containers-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472324256Z" level=info msg="loading plugin \"io.containerd.service.v1.content-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472337832Z" level=info msg="loading plugin \"io.containerd.service.v1.diff-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472348826Z" level=info msg="loading plugin \"io.containerd.service.v1.images-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472360634Z" level=info msg="loading plugin \"io.containerd.service.v1.namespaces-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472370176Z" level=info msg="loading plugin \"io.containerd.service.v1.snapshots-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.472382214Z" level=info msg="loading plugin \"io.containerd.runtime.v1.linux\"..." type=io.containerd.runtime.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.473948655Z" level=info msg="loading plugin \"io.containerd.monitor.v1.cgroups\"..." type=io.containerd.monitor.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474155862Z" level=info msg="loading plugin \"io.containerd.service.v1.tasks-service\"..." type=io.containerd.service.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474179083Z" level=info msg="loading plugin \"io.containerd.grpc.v1.introspection\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474190243Z" level=info msg="loading plugin \"io.containerd.transfer.v1.local\"..." type=io.containerd.transfer.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474209104Z" level=info msg="loading plugin \"io.containerd.internal.v1.restart\"..." type=io.containerd.internal.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474247865Z" level=info msg="loading plugin \"io.containerd.grpc.v1.containers\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474258782Z" level=info msg="loading plugin \"io.containerd.grpc.v1.content\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474272365Z" level=info msg="loading plugin \"io.containerd.grpc.v1.diff\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474282507Z" level=info msg="loading plugin \"io.containerd.grpc.v1.events\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474293747Z" level=info msg="loading plugin \"io.containerd.grpc.v1.healthcheck\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474305823Z" level=info msg="loading plugin \"io.containerd.grpc.v1.images\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474314783Z" level=info msg="loading plugin \"io.containerd.grpc.v1.leases\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474324198Z" level=info msg="loading plugin \"io.containerd.grpc.v1.namespaces\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.474337486Z" level=info msg="loading plugin \"io.containerd.internal.v1.opt\"..." type=io.containerd.internal.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527101685Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandbox-controllers\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527118835Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandboxes\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527129089Z" level=info msg="loading plugin \"io.containerd.grpc.v1.snapshots\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527138210Z" level=info msg="loading plugin \"io.containerd.grpc.v1.streaming\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527147657Z" level=info msg="loading plugin \"io.containerd.grpc.v1.tasks\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527158396Z" level=info msg="loading plugin \"io.containerd.grpc.v1.transfer\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527167768Z" level=info msg="loading plugin \"io.containerd.grpc.v1.version\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527175905Z" level=info msg="loading plugin \"io.containerd.grpc.v1.cri\"..." type=io.containerd.grpc.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527262827Z" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[BinaryName: CriuImagePath: CriuPath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false NoPivotRoot:false Root: ShimCgroup: SystemdCgroup:false] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:podsandbox}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.8 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 
DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:false EnableUnprivilegedICMP:false EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:1m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/containerd ContainerdEndpoint:/run/containerd/containerd.sock RootDir:/var/lib/containerd/io.containerd.grpc.v1.cri StateDir:/run/containerd/io.containerd.grpc.v1.cri}"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527307831Z" level=info msg="Connect containerd service"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527324794Z" level=info msg="using legacy CRI server"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527329246Z" level=info msg="using experimental NRI integration - disable nri plugin to prevent this"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527345561Z" level=info msg="Get image filesystem path \"/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs\""
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527775095Z" level=info msg="loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." type=io.containerd.tracing.processor.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527792640Z" level=info msg="skip loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." error="no OpenTelemetry endpoint: skip plugin" type=io.containerd.tracing.processor.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527802232Z" level=info msg="loading plugin \"io.containerd.internal.v1.tracing\"..." type=io.containerd.internal.v1
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527811011Z" level=info msg="skipping tracing processor initialization (no tracing plugin)" error="no OpenTelemetry endpoint: skip plugin"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527863354Z" level=info msg="Start subscribing containerd event"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527904732Z" level=info msg="Start recovering state"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527948018Z" level=info msg="Start event monitor"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527960047Z" level=info msg="Start snapshots syncer"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527965955Z" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527984042Z" level=info msg=serving... address=/run/containerd/containerd.sock
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527967814Z" level=info msg="Start cni network conf syncer for default"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.527999417Z" level=info msg="Start streaming server"
Nov 03 21:17:10 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:08.528355247Z" level=info msg="containerd successfully booted in 0.138453s"
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started containerd container runtime.
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="[graphdriver] using prior storage driver: overlay"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist"
Nov 03 21:17:10 ubuntu2204 podman[1623]: 2023-11-03 21:17:08.56829009 +0000 UTC m=+0.254283797 system refresh
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="Setting parallel job count to 7"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="Setting parallel job count to 7"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="using systemd socket activation to determine API endpoint"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="using API endpoint: ''"
Nov 03 21:17:10 ubuntu2204 podman[1623]: time="2023-11-03T21:17:08Z" level=info msg="API service listening on \"/run/podman/podman.sock\""
Nov 03 21:17:10 ubuntu2204 systemd[1623]: etc-machine\x2did.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Podman Start All Containers With Restart Policy Set To Always.
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: enc1: Gained carrier
Nov 03 21:17:10 ubuntu2204 kernel[1623]: IPv6: ADDRCONF(NETDEV_CHANGE): enc1: link becomes ready
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: enc1: DHCPv4 address 172.16.0.63/24 via 172.16.0.1
Nov 03 21:17:10 ubuntu2204 dbus-daemon[1623]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.2' (uid=100 pid=641 comm="/lib/systemd/systemd-networkd " label="unconfined")
Nov 03 21:17:10 ubuntu2204 systemd-timesyncd[1623]: Network configuration changed, trying to establish connection.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Hostname Service...
Nov 03 21:17:10 ubuntu2204 dbus-daemon[1623]: [system] Successfully activated service 'org.freedesktop.hostname1'
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Hostname Service.
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: Could not set hostname: Access denied
Nov 03 21:17:10 ubuntu2204 systemd[1623]: podman-auto-update.service: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Podman auto-update service.
Nov 03 21:17:10 ubuntu2204 systemd-timesyncd[1623]: Initial synchronization to time server 185.125.190.58:123 (ntp.ubuntu.com).
Nov 03 21:17:10 ubuntu2204 hpcr-dnslookup[1623]: HPL14000I: Network connectivity check completed successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Logging Configuration.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Early Initialization.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Logging to remote monitoring server is initiated..
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Logging Configuration...
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: Configuring logging ...
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: Version [1.1.145]
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: Configuring logging, input [/var/hyperprotect/user-data.decrypted] ...
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: ValidateContractE ...
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: config written: /etc/rsyslog.d/22-logging.conf
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: HPL01010I: Logging has been setup successfully.
Nov 03 21:17:10 ubuntu2204 hpcr-logging[1623]: Logging has been configured
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Logging Configuration.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting System Logging Service...
Nov 03 21:17:10 ubuntu2204 rsyslogd[1623]: rsyslogd's groupid changed to 111
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started System Logging Service.
Nov 03 21:17:10 ubuntu2204 rsyslogd[1623]: rsyslogd's userid changed to 104
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Synchronizes the Logging Target.
Nov 03 21:17:10 ubuntu2204 rsyslogd[1623]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="882" x-info="https://www.rsyslog.com"] start
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Logging to remote log server is initiated..
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that does validation of contract...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting HPCR Registry Authentication...
Nov 03 21:17:10 ubuntu2204 rsyslogd[1623]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory [v8.2112.0 try https://www.rsyslog.com/e/2040 ]
Nov 03 21:17:10 ubuntu2204 hpcr-registry-auth[1623]: Starting Registry Authentication ...
Nov 03 21:17:10 ubuntu2204 hpcr-registry-auth[1623]: Version [1.0.70]
Nov 03 21:17:10 ubuntu2204 hpcr-registry-auth[1623]: Writing auth config: /root/.docker/config.json
Nov 03 21:17:10 ubuntu2204 hpcr-registry-auth[1623]: Registry Authentication started
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished HPCR Registry Authentication.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Docker Socket for the API...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Listening on Docker Socket for the API.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Docker Application Container Engine...
Nov 03 21:17:10 ubuntu2204 hpcr-contract[1623]: Welcome to SE Contract Validator
Nov 03 21:17:10 ubuntu2204 hpcr-contract[1623]: Contract file passed is: /var/hyperprotect/user-data.decrypted
Nov 03 21:17:10 ubuntu2204 rsyslogd[1623]: imjournal: journal files changed, reloading... [v8.2112.0 try https://www.rsyslog.com/e/0 ]
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.575115627Z" level=info msg="Starting up"
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.576881278Z" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
Nov 03 21:17:10 ubuntu2204 systemd[1623]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 audit[1623]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=907 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.666341245Z" level=info msg="parsed scheme: \"unix\"" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.666350343Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.666366055Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.666373355Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Nov 03 21:17:10 ubuntu2204 kernel[1623]: audit: type=1400 audit(1699046229.648:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=907 comm="apparmor_parser"
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.667559573Z" level=info msg="parsed scheme: \"unix\"" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.667571887Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.667582900Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.667593568Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.739086044Z" level=info msg="Loading containers: start."
Nov 03 21:17:10 ubuntu2204 kernel[1623]: bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Bridge firewalling registered
Nov 03 21:17:10 ubuntu2204 hpcr-contract[1623]: Contract file is valid.
Nov 03 21:17:10 ubuntu2204 hpcr-contract[1623]: Extracting workload from /var/hyperprotect/user-data.decrypted to /var/hyperprotect/workload-data.decrypted
Nov 03 21:17:10 ubuntu2204 hpcr-contract[1623]: Extraction completed
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Service that does validation of contract.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that does signature validation of Env Workload of contract...
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Welcome to SE ENV Workload Signature Validator
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Decrypted Contract file passed is: /var/hyperprotect/workload-data.decrypted
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Encrypted Contract file passed is: /var/hyperprotect/cidata/user-data
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Check Dependency params Public key and EnvWorkload signature
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Access Public key and EnvWorkload signature
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Create combined EnvWorkload contract content
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Verify signing key, signature and combined EnvWorkload contract
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Verified OK
Nov 03 21:17:10 ubuntu2204 hpcr-signature[1623]: Successfully verified contract with signature and signing key
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Service that does signature validation of Env Workload of contract.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Contract is unpacked and ready for consumption..
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that waits until the user devices are ready...
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set podman image policy...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: Waiting for devices ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: Version [1.0.112]
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: WaitForDevices input=[/var/hyperprotect/user-data.decrypted], timeout=[2023-11-03 21:32:09.840358244 +0000 UTC m=+900.009364631]
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: ParseContract ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: ValidateContract ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: MergeVolumes ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-standby[1623]: Waiting for devices is completed
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Service that waits until the user devices are ready.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that mounts the data volumes after they are ready...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: Mounting volumes ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: Version [1.0.112]
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: MountVolumes input=[/var/hyperprotect/user-data.decrypted]
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: ParseContract ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: ValidateContract ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: MergeVolumes ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: Mounting volumes ...
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: Volume config ..
Nov 03 21:17:10 ubuntu2204 hpcr-disk-mount[1623]: HPL07003I: Mounting volumes done
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Service that mounts the data volumes after they are ready.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Reached target Data volumes are mounted ready to be used..
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Service that verifies all disks are encrypted and logs output to systemd journal.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Service that periodically logs entry to trigger verify disk encryption service.
Nov 03 21:17:10 ubuntu2204 verify-disk-encryption[1623]: Verify disk encryption started...
Nov 03 21:17:10 ubuntu2204 kernel[1623]: Initializing XFRM netlink socket
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:09.941735406Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Nov 03 21:17:10 ubuntu2204 networkd-dispatcher[1623]: WARNING:Unknown index 3 seen, reloading interface list
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Getting image source signatures
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Copying blob sha256:66d62867ae2452322f4769f943913be00b22e73039d1902e8f785b9f49838193
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: docker0: Link UP
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:10.008006157Z" level=info msg="Loading containers: done."
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:10.053088827Z" level=info msg="Docker daemon" commit="20.10.25-0ubuntu1~22.04.2" graphdriver(s)=overlay2 version=20.10.25
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:10.053138638Z" level=info msg="Daemon has completed initialization"
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Copying config sha256:9eca761232387055827db0a9f2232f2635bc8c6d5f23ecfb39d34bb4ab0dca09
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Writing manifest to image destination
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Storing signatures
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Started Docker Application Container Engine.
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:10.081309751Z" level=info msg="API listen on /run/docker.sock"
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Loaded image(s): k8s.gcr.io/pause:3.5
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Set docker image policy...
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Starting image service...
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Contract yaml file: /var/hyperprotect/workload-data.decrypted
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Extracting image contract
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Successfully extracted Image contract
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Extracting container contract
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Checking for image with digest
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: No image for DCT verification
Nov 03 21:17:10 ubuntu2204 hpcr-image[1623]: Image service completed successfully
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set docker image policy.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that creates a set of containers...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Starting container service...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Validating contract...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Compose folder /data1/compose created
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Contract yaml file: /var/hyperprotect/workload-data.decrypted
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Compose folder: /data1/compose
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Validation completed
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Parsing contract...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Parsing of the Contract File completed successfully
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Extracting compose...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Extracting done...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Extracting the ENV Contents...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Writing new env file /data1/compose/.env ...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Reading existing env file /data1/compose/.env ...
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Extracting of environment contents done
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Check if docker is ready
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: docker-compose.yml file is present in the directory
Nov 03 21:17:10 ubuntu2204 hpcr-container[1623]: Starting workload containers...
Nov 03 21:17:10 ubuntu2204 podman[1623]: 2023-11-03 21:17:09.987464201 +0000 UTC m=+0.156960970 image loadfromarchive /usr/local/se-image-play/pause.tar
Nov 03 21:17:10 ubuntu2204 sudo[1623]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/se-image-play
Nov 03 21:17:10 ubuntu2204 sudo[1623]: pam_unix(sudo:session): session opened for user nobody(uid=65534) by (uid=0)
Nov 03 21:17:10 ubuntu2204 hpcr-image-play[1623]: Version [1.1.112]
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Set podman image policy.
Nov 03 21:17:10 ubuntu2204 sudo[1623]: pam_unix(sudo:session): session closed for user nobody
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Starting Service that creates a set of containers...
Nov 03 21:17:10 ubuntu2204 sudo[1623]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/se-container-play
Nov 03 21:17:10 ubuntu2204 sudo[1623]: pam_unix(sudo:session): session opened for user nobody(uid=65534) by (uid=0)
Nov 03 21:17:10 ubuntu2204 hpcr-container-play[1623]: Version [1.1.116]
Nov 03 21:17:10 ubuntu2204 sudo[1623]: pam_unix(sudo:session): session closed for user nobody
Nov 03 21:17:10 ubuntu2204 hpcr-container-play[1623]: HPL15004I: The pod started successfully.
Nov 03 21:17:10 ubuntu2204 hpcr-container-play[1623]: HPL15006I: No pod definitions found.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: Finished Service that creates a set of containers.
Nov 03 21:17:10 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:10.342435060Z" level=warning msg="reference for unknown type: " digest="sha256:1ebda8a7124c99735f5e7743dfc7ff335dd3e68f7b75f5ca9a41fed6e409d513" remote="quay.io/bsilliman/grep11server@sha256:1ebda8a7124c99735f5e7743dfc7ff335dd3e68f7b75f5ca9a41fed6e409d513"
Nov 03 21:17:10 ubuntu2204 systemd[1623]: var-lib-docker-overlay2-opaque\x2dbug\x2dcheck224199160-merged.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd[1623]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Nov 03 21:17:10 ubuntu2204 systemd-networkd[1623]: enc1: Gained IPv6LL
Nov 03 21:17:12 ubuntu2204 networkd-dispatcher[1623]: WARNING:Unknown index 4 seen, reloading interface list
Nov 03 21:17:12 ubuntu2204 systemd-networkd[1623]: br-cd39c66a7dab: Link UP
Nov 03 21:17:13 ubuntu2204 systemd[1623]: var-lib-docker-overlay2-77e9a4f23d5acf016c56589279b3f0e99df2c1d147692202f00c7c2e138ec96c\x2dinit-merged.mount: Deactivated successfully.
Nov 03 21:17:13 ubuntu2204 systemd-udevd[1623]: Using default interface naming scheme 'v249'.
Nov 03 21:17:13 ubuntu2204 networkd-dispatcher[1623]: WARNING:Unknown index 5 seen, reloading interface list
Nov 03 21:17:13 ubuntu2204 systemd-networkd[1623]: veth2cbfbb7: Link UP
Nov 03 21:17:13 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:13.141237481Z" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Nov 03 21:17:13 ubuntu2204 dockerd[1623]: time="2023-11-03T21:17:13.141386294Z" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered blocking state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered disabled state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: device veth2cbfbb7 entered promiscuous mode
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered blocking state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered forwarding state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered disabled state
Nov 03 21:17:13 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:13.191880223Z" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
Nov 03 21:17:13 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:13.191936390Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.pause\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Nov 03 21:17:13 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:13.191960133Z" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Nov 03 21:17:13 ubuntu2204 containerd[1623]: time="2023-11-03T21:17:13.191969961Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Started libcontainer container 17cd821b28ff5ce5d19935577579a4a50a9bc2dc169d76f5e1dfc954069a6296.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: dmesg.service: Deactivated successfully.
Nov 03 21:17:13 ubuntu2204 kernel[1623]: eth0: renamed from veth9c911d0
Nov 03 21:17:13 ubuntu2204 systemd-networkd[1623]: veth2cbfbb7: Gained carrier
Nov 03 21:17:13 ubuntu2204 systemd-networkd[1623]: br-cd39c66a7dab: Gained carrier
Nov 03 21:17:13 ubuntu2204 kernel[1623]: IPv6: ADDRCONF(NETDEV_CHANGE): veth2cbfbb7: link becomes ready
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered blocking state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: br-cd39c66a7dab: port 1(veth2cbfbb7) entered forwarding state
Nov 03 21:17:13 ubuntu2204 kernel[1623]: IPv6: ADDRCONF(NETDEV_CHANGE): br-cd39c66a7dab: link becomes ready
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Docker Compose Logs:
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: student03-ep11server Pulling
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Pulling fs layer
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Waiting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Downloading [=================================> ] 602B/891B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Downloading [==================================================>] 891B/891B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Extracting [==================================================>] 891B/891B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Extracting [==================================================>] 891B/891B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 21e3243b9c65 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Downloading [> ] 1.98kB/121.3kB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Downloading [==================================================>] 121.3kB/121.3kB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Extracting [=============> ] 32.77kB/121.3kB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Extracting [==================================================>] 121.3kB/121.3kB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Extracting [==================================================>] 121.3kB/121.3kB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d6b978c9eb5e Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Downloading [==================================================>] 167B/167B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Downloading [> ] 73.99kB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Downloading [> ] 148kB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Downloading [=========> ] 2.881MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Downloading [==================================================>] 173B/173B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Downloading [==================================> ] 10.07MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Downloading [==================================================>] 156B/156B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Extracting [> ] 163.8kB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Extracting [=========> ] 2.949MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Downloading [==================================================>] 138B/138B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Extracting [===================> ] 5.898MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Downloading [==============> ] 2.111MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Extracting [===================================> ] 10.49MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Extracting [==================================================>] 14.8MB/14.8MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Downloading [================================================> ] 6.793MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 36f5e25998cd Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Extracting [> ] 98.3kB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Downloading [==================================================>] 141B/141B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Downloading [==================================================>] 144B/144B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Verifying Checksum
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Download complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Extracting [===================> ] 2.753MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Extracting [=============================================> ] 6.488MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Extracting [==================================================>] 7.055MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Extracting [==================================================>] 7.055MB/7.055MB
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 476f8c03ea25 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Extracting [==================================================>] 167B/167B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Extracting [==================================================>] 167B/167B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 880f5aff73f5 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Extracting [==================================================>] 173B/173B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Extracting [==================================================>] 173B/173B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 811cce5aca48 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Extracting [==================================================>] 156B/156B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Extracting [==================================================>] 156B/156B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 419807452f87 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Extracting [==================================================>] 138B/138B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Extracting [==================================================>] 138B/138B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: cd975f3ecadc Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Extracting [==================================================>] 144B/144B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Extracting [==================================================>] 144B/144B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: a77a1a63fd9a Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Extracting [==================================================>] 141B/141B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Extracting [==================================================>] 141B/141B
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: d4c9ed9a08b7 Pull complete
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: student03-ep11server Pulled
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Network compose_default Creating
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Network compose_default Created
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Container compose-student03-ep11server-1 Creating
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Container compose-student03-ep11server-1 Created
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Container compose-student03-ep11server-1 Starting
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Container compose-student03-ep11server-1 Started
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module config
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module keyprotect
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module util
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module pgx
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module ep11server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module storeserver
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module pgnotify
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module storage
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module rotation
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module main
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.568] Setting log level [debug] for module postgres
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service directiamauthtemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service ep11manager not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service connectiontemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service postgrestemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service recoverykeyseedtemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service domaintemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service logging not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service basevoteridtemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service clientconnectiontemplate not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service remoteconfig not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.569] Service tls not found #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.579] Starting GREP11 server [dev] #033[36mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.579] TLS is enabled #033[36mmodule#033[0m=config
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.579] Creating new listener for *config.EP11CryptoOpts #033[37mmodule#033[0m=entry
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] hostname:port=192.168.22.80:9001
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16OpenAdapter: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16OpenAdapter: server_idx=0
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::makeNewC16ClientStub: target_str=192.168.22.80:9001
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::C16ClientStub::check server certificate in stub...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::ServeIdentityChecking: Checking server identity...
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Docker compose result:
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: 17cd821b28ff quay.io/bsilliman/grep11server "/usr/bin/ep11server" 1 second ago Up Less than a second 0.0.0.0:9876->9876/tcp, :::9876->9876/tcp, 50052/tcp compose-student03-ep11server-1
Nov 03 21:17:13 ubuntu2204 hpcr-container[1623]: Container service completed successfully
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::GetEP11Targets::try to get server certificate.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Finished Service that creates a set of containers.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Reached target Workload is up and running..
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::GetEP11Targets::get server certificate during ssl connection.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::GetEP11Targets: Success
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::GetEP11Targets: Adding module_id=10, domain_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::GetEP11Targets: Adding module_id=8, domain_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::ServerIdentityChecking:: get server certificate in config file
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::ServerIdentityChecking:: get server certificate in stub
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: -----BEGIN CERTIFICATE-----
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: -----END CERTIFICATE-----
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]:
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::ServerIdentityChecking: Success to verify server identity
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16OpenAdapter: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 37
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 54
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 46
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 438
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 58
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 254
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 339
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.623] admin.ep11.go:ep11server.(*CryptoServer).rawQueryDomainImporterCert:387: m_admin returned an error within the QueryNextWK #033[36merror code#033[0m=CKR_KEY_HANDLE_INVALID #033[36mmodule#033[0m=util
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Starting Phase2 Catch Service...
Nov 03 21:17:13 ubuntu2204 hpcr-catch-success[1623]: VSI has started successfully.
Nov 03 21:17:13 ubuntu2204 hpcr-catch-success[1623]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Finished Phase2 Catch Service.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Reached target Multi-User System.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Starting Record Runlevel Change in UTMP...
Nov 03 21:17:13 ubuntu2204 systemd[1623]: systemd-update-utmp-runlevel.service: Deactivated successfully.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Finished Record Runlevel Change in UTMP.
Nov 03 21:17:13 ubuntu2204 systemd[1623]: Startup finished in 26.473s (kernel) + 6.172s (userspace) = 32.646s.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 374
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 375
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:13 ubuntu2204 systemd[1623]: podman.service: Deactivated successfully.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 350
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 338
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:13 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 432
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 systemd[1623]: run-docker-runtime\x2drunc-moby-17cd821b28ff5ce5d19935577579a4a50a9bc2dc169d76f5e1dfc954069a6296-runc.WEpO8O.mount: Deactivated successfully.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 339
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 397
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 338
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 367
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 338
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.864] admin.ep11.go:ep11server.(*CryptoServer).rawQueryWKOrigins:547: m_admin returned an error within the QueryNextWK #033[36merror code#033[0m=CKR_KEY_HANDLE_INVALID #033[36mmodule#033[0m=util
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 411
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Entering ...
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Checking target i=0, ap_id=8, dom_id=22
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target still on same server
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client:c16DoEP11Request: Target list check passed. (server_idx=0)
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: targets_num: 1
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: req_len: 74
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] C16ClientStub::DoRequest: Setting resp_len: 338
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: [c16client][debug] c16client::c16DoEP11Request: Done.
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.911] admin.ep11.go:ep11server.(*CryptoServer).rawQueryImporterCert:667: Received error after deserializing query response: EOF #033[36merror code#033[0m=CKR_IBM_GREP11_CANNOT_UNMARSHAL #033[36mmodule#033[0m=util
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: #033[37mDEBU#033[0m[2023-11-03 21:17:13.911] Creating service backing server for *config.EP11CryptoOpts #033[37mmodule#033[0m=entry
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.912] Loading ep11crypto service #033[36mmodule#033[0m=entry
Nov 03 21:17:14 ubuntu2204 compose-student03-ep11server-1[1623]: #033[36mINFO#033[0m[2023-11-03 21:17:13.912] GRPC Server listening on [::]:9876 with TLS enabled #033[36mmodule#033[0m=entry
Nov 03 21:17:14 ubuntu2204 systemd-networkd[1623]: br-cd39c66a7dab: Gained IPv6LL
Nov 03 21:17:14 ubuntu2204 systemd-networkd[1623]: veth2cbfbb7: Gained IPv6LL
Nov 03 21:17:14 ubuntu2204 verify-disk-encryption[1623]: HPL13000I: Verify LUKS Encryption
Nov 03 21:17:14 ubuntu2204 systemd[1623]: verify-disk-encryption-invoker.service: Deactivated successfully.
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value for disk-encrypt: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Executed cmd: ('lsblk', '-b', '-n', '-o', 'NAME,SIZE')
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Stdout: vda 107374182400
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: ├─vda1 4292870144
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: └─vda2 103079215104
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: └─luks-7006b45c-452a-4138-af93-842ceeb387dc 103062437888
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: vdb 417792
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: List of volumes greater than or equal to 10GB are: ['/dev/vda']
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Updated Volumes list: ['/dev/vda2']
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Executed cmd: ('lsblk', '/dev/vda2', '-b', '-n', '-o', 'NAME,MOUNTPOINT')
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Stdout: vda2
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: └─luks-7006b45c-452a-4138-af93-842ceeb387dc /
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Boot volume is /dev/vda2
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Volume /dev/vda2 has mount point /
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: List of mounted volumes are: ['/dev/vda2']
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Verifying the boot disk /dev/vda2 is encrypted or not
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Executed cmd: ('lsblk', '/dev/vda2', '-b', '-n', '-o', 'NAME,TYPE')
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Stdout: vda2 part
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: └─luks-7006b45c-452a-4138-af93-842ceeb387dc crypt
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Executed cmd: ('cryptsetup', 'isLuks', '/dev/vda2')
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Executed cmd: ('cryptsetup', 'luksDump', '/dev/vda2')
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: Return value: 0
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: HPL13003I: Checked for mount point /, LUKS encryption with 1 key slot found
Nov 03 21:17:15 ubuntu2204 verify-disk-encryption[1623]: HPL13001I: Boot volume and all the mounted data volumes are encrypted
Nov 03 21:17:38 ubuntu2204 systemd[1623]: systemd-fsckd.service: Deactivated successfully.
Nov 03 21:17:39 ubuntu2204 systemd[1623]: systemd-hostnamed.service: Deactivated successfully.
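The verify-disk-encryption messages near the end of the log show the check HPVS runs before it declares the guest started: lsblk to find the mounted volumes, then cryptsetup isLuks and luksDump on each. As an added example, not code from the lab or from HPVS, the shell function below applies the same rule to lsblk text (NAME, TYPE and MOUNTPOINT columns) and flags any mounted volume that is not a LUKS crypt mapper; both sample inputs are constructed to mirror the lab log.

```shell
#!/bin/sh
# Added example (not the lab's or HPVS's own code): reproduce the decision the
# verify-disk-encryption service logs. Every block device that carries a mount
# point must be a "crypt" (LUKS) mapper, and one of them must be mounted at "/".
# Input is the text of `lsblk -b -n -o NAME,TYPE,MOUNTPOINT`, the same columns
# the service queries, so the check also runs against a saved log.

# Constructed sample modelled on the lab log: vda2 holds a LUKS mapper mounted at /.
SAMPLE_ENCRYPTED='vda  disk
├─vda1  part
└─vda2  part
  └─luks-7006b45c-452a-4138-af93-842ceeb387dc  crypt  /
vdb  disk'

# Constructed failure case: the root partition is mounted directly with no LUKS
# layer, and a plain data disk is mounted at /data as well.
SAMPLE_PLAIN='vda  disk
├─vda1  part
└─vda2  part  /
vdb  disk  /data'

# check_mounted_encrypted: read lsblk tree text on stdin.
# Prints one line per mounted device that is NOT a crypt mapper.
# Exit 0: all mounted volumes are LUKS mappers and / is among them.
# Exit 1: at least one mounted volume is unencrypted.
# Exit 2: nothing is mounted at / (nothing to attest).
check_mounted_encrypted() {
    awk '
        {
            # Drop the tree glyphs (├─ └─ │) and indentation lsblk prepends to NAME;
            # rewriting $0 makes awk re-split the fields.
            sub(/^[^A-Za-z0-9]+/, "")
            if (NF < 3) next               # no MOUNTPOINT column: not mounted
            if ($3 == "/") have_root = 1
            if ($2 != "crypt") { print "unencrypted: " $1 " mounted at " $3; bad = 1 }
        }
        END {
            if (!have_root) { print "no volume mounted at /"; exit 2 }
            if (bad) exit 1
            exit 0
        }'
}

# When run directly: exercise both constructed samples.
for sample in "$SAMPLE_ENCRYPTED" "$SAMPLE_PLAIN"; do
    if printf '%s\n' "$sample" | check_mounted_encrypted; then
        echo "result: boot volume and all mounted volumes are LUKS-encrypted"
    else
        echo "result: verification failed (exit $?)"
    fi
done
```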
Congratulations! You have reached a significant milestone in the lab. You have successfully configured and launched your HPVS 2.1.x GREP11 Server. Now all that is left is to test its functionality with some sample GREP11 client code. You will set that up on your Ubuntu KVM guest. Click Next at the bottom right of the page to continue.
Run GREP11 Client code¶
Overview of this section¶
You have done a lot of work in this lab, have learned so much, and yet have had so much fun! It doesn't get any better than this!
Let's recap the highlights:
- You configured an rsyslog service on your Ubuntu KVM guest.
- You did the X509 work to enable communication between the GREP11 server and the rsyslog service.
- You did the X509 work to enable the GREP11 Server to communicate with the CENA4SEE server.
- You did the server side of the X509 work to enable the GREP11 Server to communicate with GREP11 clients.
- You created the contract expected by HPVS 2.1.x.
- You successfully launched the GREP11 server as a Secure Execution-protected HPVS 2.1.x KVM Guest!
Your last task is to run some GREP11 client code to verify that everything is working from end-to-end!
In this section you will:
- Install Go on your Ubuntu KVM guest
- Download the GREP11 client code from GitHub
- Do the client side of the X509 work to enable communication between your GREP11 Server and this GREP11 client code
- Modify the GREP11 client code to point to your GREP11 Server
- Run the GREP11 client code
Start this section in your Ubuntu KVM guest session¶
This section starts out in your Ubuntu KVM guest, which is where you should be if you have been doing the lab in order in one sitting.
If you are not logged in, the command to log in is ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Install Go¶
The Go language compiler is not installed on your system. Prove that with this command:
go version
You'll be given some ideas on how to install it:
Output when go is not installed
sudo snap install go # version 1.21.4, or
sudo apt install golang-go # version 2:1.18~0ubuntu2
sudo apt install gccgo-go # version 2:1.18~0ubuntu2
See 'snap info go' for additional versions.
Please pick the second option to avoid breaking this lab's warranty as that is the option the instructors used when creating the lab.
sudo apt install golang-go
Type Y when prompted to continue. The output from the installation will look like this:
Output from installation of golang-go
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
bzip2 cpp cpp-11 fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base golang-1.18-go golang-1.18-src golang-src libasan6
libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdeflate0 libdpkg-perl libfile-fcntllock-perl libfontconfig1
libfreetype6 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 libmpc3 libnsl-dev libstdc++-11-dev libtiff5
libtirpc-dev libubsan1 libwebp7 libxpm4 linux-libc-dev manpages-dev pkg-config rpcsvc-proto
Suggested packages:
bzip2-doc cpp-doc gcc-11-locales g++-multilib g++-11-multilib gcc-11-doc gcc-multilib make autoconf automake libtool flex bison gdb
gcc-doc gcc-11-multilib bzr | brz mercurial subversion glibc-doc debian-keyring bzr libgd-tools libstdc++-11-doc dpkg-dev
The following NEW packages will be installed:
bzip2 cpp cpp-11 fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base golang-1.18-go golang-1.18-src golang-go
golang-src libasan6 libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdeflate0 libdpkg-perl libfile-fcntllock-perl
libfontconfig1 libfreetype6 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 libmpc3 libnsl-dev
libstdc++-11-dev libtiff5 libtirpc-dev libubsan1 libwebp7 libxpm4 linux-libc-dev manpages-dev pkg-config rpcsvc-proto
0 upgraded, 46 newly installed, 0 to remove and 12 not upgraded.
Need to get 127 MB of archives.
After this operation, 592 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x bzip2 s390x 1.0.8-5build1 [34.4 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x gcc-11-base s390x 11.3.0-1ubuntu1~22.04 [20.8 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libisl23 s390x 0.24-2build1 [701 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libmpc3 s390x 1.2.1-2build1 [47.7 kB]
Get:5 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x cpp-11 s390x 11.3.0-1ubuntu1~22.04 [7848 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x cpp s390x 4:11.2.0-1ubuntu1 [27.7 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x fonts-dejavu-core all 2.37-2build1 [1041 kB]
Get:8 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x fontconfig-config all 2.13.1-4.2ubuntu5 [29.1 kB]
Get:9 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libcc1-0 s390x 12.1.0-2ubuntu1~22.04 [46.3 kB]
Get:10 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libgomp1 s390x 12.1.0-2ubuntu1~22.04 [123 kB]
Get:11 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libitm1 s390x 12.1.0-2ubuntu1~22.04 [29.9 kB]
Get:12 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libatomic1 s390x 12.1.0-2ubuntu1~22.04 [9008 B]
Get:13 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libasan6 s390x 11.3.0-1ubuntu1~22.04 [2242 kB]
Get:14 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libubsan1 s390x 12.1.0-2ubuntu1~22.04 [967 kB]
Get:15 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libgcc-11-dev s390x 11.3.0-1ubuntu1~22.04 [825 kB]
Get:16 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x gcc-11 s390x 11.3.0-1ubuntu1~22.04 [15.7 MB]
Get:17 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x gcc s390x 4:11.2.0-1ubuntu1 [5118 B]
Get:18 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libc-dev-bin s390x 2.35-0ubuntu3.1 [20.0 kB]
Get:19 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x linux-libc-dev s390x 5.15.0-60.66 [1338 kB]
Get:20 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libcrypt-dev s390x 1:4.4.27-1 [114 kB]
Get:21 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x rpcsvc-proto s390x 1.4.2-0ubuntu6 [64.7 kB]
Get:22 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libtirpc-dev s390x 1.3.2-2ubuntu0.1 [189 kB]
Get:23 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libnsl-dev s390x 1.3.0-2build2 [70.9 kB]
Get:24 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libc6-dev s390x 2.35-0ubuntu3.1 [1499 kB]
Get:25 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libstdc++-11-dev s390x 11.3.0-1ubuntu1~22.04 [2089 kB]
Get:26 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x g++-11 s390x 11.3.0-1ubuntu1~22.04 [9169 kB]
Get:27 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x g++ s390x 4:11.2.0-1ubuntu1 [1408 B]
Get:28 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x golang-1.18-src all 1.18.1-1ubuntu1 [16.2 MB]
Get:29 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x golang-1.18-go s390x 1.18.1-1ubuntu1 [62.6 MB]
Get:30 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x golang-src all 2:1.18~0ubuntu2 [4438 B]
Get:31 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x golang-go s390x 2:1.18~0ubuntu2 [41.8 kB]
Get:32 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libfreetype6 s390x 2.11.1+dfsg-1ubuntu0.1 [382 kB]
Get:33 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libfontconfig1 s390x 2.13.1-4.2ubuntu5 [133 kB]
Get:34 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libjpeg-turbo8 s390x 2.1.2-0ubuntu1 [119 kB]
Get:35 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libjpeg8 s390x 8c-2ubuntu10 [2264 B]
Get:36 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libdeflate0 s390x 1.10-2 [72.1 kB]
Get:37 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libjbig0 s390x 2.1-3.1ubuntu0.22.04.1 [29.9 kB]
Get:38 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libwebp7 s390x 1.2.2-2 [167 kB]
Get:39 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libtiff5 s390x 4.3.0-6ubuntu0.3 [178 kB]
Get:40 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libxpm4 s390x 1:3.5.12-1ubuntu0.22.04.1 [36.7 kB]
Get:41 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libgd3 s390x 2.3.0-2ubuntu2 [131 kB]
Get:42 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libc-devtools s390x 2.35-0ubuntu3.1 [29.2 kB]
Get:43 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x libdpkg-perl all 1.21.1ubuntu2.1 [237 kB]
Get:44 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x libfile-fcntllock-perl s390x 0.22-3build7 [33.6 kB]
Get:45 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x manpages-dev all 5.10-1ubuntu1 [2309 kB]
Get:46 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x pkg-config s390x 0.29.2-1ubuntu3 [47.3 kB]
Fetched 127 MB in 7s (17.1 MB/s)
Extracting templates from packages: 100%
Selecting previously unselected package bzip2.
(Reading database ... 56573 files and directories currently installed.)
Preparing to unpack .../00-bzip2_1.0.8-5build1_s390x.deb ...
Unpacking bzip2 (1.0.8-5build1) ...
Selecting previously unselected package gcc-11-base:s390x.
Preparing to unpack .../01-gcc-11-base_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking gcc-11-base:s390x (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package libisl23:s390x.
Preparing to unpack .../02-libisl23_0.24-2build1_s390x.deb ...
Unpacking libisl23:s390x (0.24-2build1) ...
Selecting previously unselected package libmpc3:s390x.
Preparing to unpack .../03-libmpc3_1.2.1-2build1_s390x.deb ...
Unpacking libmpc3:s390x (1.2.1-2build1) ...
Selecting previously unselected package cpp-11.
Preparing to unpack .../04-cpp-11_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking cpp-11 (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package cpp.
Preparing to unpack .../05-cpp_4%3a11.2.0-1ubuntu1_s390x.deb ...
Unpacking cpp (4:11.2.0-1ubuntu1) ...
Selecting previously unselected package fonts-dejavu-core.
Preparing to unpack .../06-fonts-dejavu-core_2.37-2build1_all.deb ...
Unpacking fonts-dejavu-core (2.37-2build1) ...
Selecting previously unselected package fontconfig-config.
Preparing to unpack .../07-fontconfig-config_2.13.1-4.2ubuntu5_all.deb ...
Unpacking fontconfig-config (2.13.1-4.2ubuntu5) ...
Selecting previously unselected package libcc1-0:s390x.
Preparing to unpack .../08-libcc1-0_12.1.0-2ubuntu1~22.04_s390x.deb ...
Unpacking libcc1-0:s390x (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package libgomp1:s390x.
Preparing to unpack .../09-libgomp1_12.1.0-2ubuntu1~22.04_s390x.deb ...
Unpacking libgomp1:s390x (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package libitm1:s390x.
Preparing to unpack .../10-libitm1_12.1.0-2ubuntu1~22.04_s390x.deb ...
Unpacking libitm1:s390x (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package libatomic1:s390x.
Preparing to unpack .../11-libatomic1_12.1.0-2ubuntu1~22.04_s390x.deb ...
Unpacking libatomic1:s390x (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package libasan6:s390x.
Preparing to unpack .../12-libasan6_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking libasan6:s390x (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package libubsan1:s390x.
Preparing to unpack .../13-libubsan1_12.1.0-2ubuntu1~22.04_s390x.deb ...
Unpacking libubsan1:s390x (12.1.0-2ubuntu1~22.04) ...
Selecting previously unselected package libgcc-11-dev:s390x.
Preparing to unpack .../14-libgcc-11-dev_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking libgcc-11-dev:s390x (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package gcc-11.
Preparing to unpack .../15-gcc-11_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking gcc-11 (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package gcc.
Preparing to unpack .../16-gcc_4%3a11.2.0-1ubuntu1_s390x.deb ...
Unpacking gcc (4:11.2.0-1ubuntu1) ...
Selecting previously unselected package libc-dev-bin.
Preparing to unpack .../17-libc-dev-bin_2.35-0ubuntu3.1_s390x.deb ...
Unpacking libc-dev-bin (2.35-0ubuntu3.1) ...
Selecting previously unselected package linux-libc-dev:s390x.
Preparing to unpack .../18-linux-libc-dev_5.15.0-60.66_s390x.deb ...
Unpacking linux-libc-dev:s390x (5.15.0-60.66) ...
Selecting previously unselected package libcrypt-dev:s390x.
Preparing to unpack .../19-libcrypt-dev_1%3a4.4.27-1_s390x.deb ...
Unpacking libcrypt-dev:s390x (1:4.4.27-1) ...
Selecting previously unselected package rpcsvc-proto.
Preparing to unpack .../20-rpcsvc-proto_1.4.2-0ubuntu6_s390x.deb ...
Unpacking rpcsvc-proto (1.4.2-0ubuntu6) ...
Selecting previously unselected package libtirpc-dev:s390x.
Preparing to unpack .../21-libtirpc-dev_1.3.2-2ubuntu0.1_s390x.deb ...
Unpacking libtirpc-dev:s390x (1.3.2-2ubuntu0.1) ...
Selecting previously unselected package libnsl-dev:s390x.
Preparing to unpack .../22-libnsl-dev_1.3.0-2build2_s390x.deb ...
Unpacking libnsl-dev:s390x (1.3.0-2build2) ...
Selecting previously unselected package libc6-dev:s390x.
Preparing to unpack .../23-libc6-dev_2.35-0ubuntu3.1_s390x.deb ...
Unpacking libc6-dev:s390x (2.35-0ubuntu3.1) ...
Selecting previously unselected package libstdc++-11-dev:s390x.
Preparing to unpack .../24-libstdc++-11-dev_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking libstdc++-11-dev:s390x (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package g++-11.
Preparing to unpack .../25-g++-11_11.3.0-1ubuntu1~22.04_s390x.deb ...
Unpacking g++-11 (11.3.0-1ubuntu1~22.04) ...
Selecting previously unselected package g++.
Preparing to unpack .../26-g++_4%3a11.2.0-1ubuntu1_s390x.deb ...
Unpacking g++ (4:11.2.0-1ubuntu1) ...
Selecting previously unselected package golang-1.18-src.
Preparing to unpack .../27-golang-1.18-src_1.18.1-1ubuntu1_all.deb ...
Unpacking golang-1.18-src (1.18.1-1ubuntu1) ...
Selecting previously unselected package golang-1.18-go.
Preparing to unpack .../28-golang-1.18-go_1.18.1-1ubuntu1_s390x.deb ...
Unpacking golang-1.18-go (1.18.1-1ubuntu1) ...
Selecting previously unselected package golang-src.
Preparing to unpack .../29-golang-src_2%3a1.18~0ubuntu2_all.deb ...
Unpacking golang-src (2:1.18~0ubuntu2) ...
Selecting previously unselected package golang-go:s390x.
Preparing to unpack .../30-golang-go_2%3a1.18~0ubuntu2_s390x.deb ...
Unpacking golang-go:s390x (2:1.18~0ubuntu2) ...
Selecting previously unselected package libfreetype6:s390x.
Preparing to unpack .../31-libfreetype6_2.11.1+dfsg-1ubuntu0.1_s390x.deb ...
Unpacking libfreetype6:s390x (2.11.1+dfsg-1ubuntu0.1) ...
Selecting previously unselected package libfontconfig1:s390x.
Preparing to unpack .../32-libfontconfig1_2.13.1-4.2ubuntu5_s390x.deb ...
Unpacking libfontconfig1:s390x (2.13.1-4.2ubuntu5) ...
Selecting previously unselected package libjpeg-turbo8:s390x.
Preparing to unpack .../33-libjpeg-turbo8_2.1.2-0ubuntu1_s390x.deb ...
Unpacking libjpeg-turbo8:s390x (2.1.2-0ubuntu1) ...
Selecting previously unselected package libjpeg8:s390x.
Preparing to unpack .../34-libjpeg8_8c-2ubuntu10_s390x.deb ...
Unpacking libjpeg8:s390x (8c-2ubuntu10) ...
Selecting previously unselected package libdeflate0:s390x.
Preparing to unpack .../35-libdeflate0_1.10-2_s390x.deb ...
Unpacking libdeflate0:s390x (1.10-2) ...
Selecting previously unselected package libjbig0:s390x.
Preparing to unpack .../36-libjbig0_2.1-3.1ubuntu0.22.04.1_s390x.deb ...
Unpacking libjbig0:s390x (2.1-3.1ubuntu0.22.04.1) ...
Selecting previously unselected package libwebp7:s390x.
Preparing to unpack .../37-libwebp7_1.2.2-2_s390x.deb ...
Unpacking libwebp7:s390x (1.2.2-2) ...
Selecting previously unselected package libtiff5:s390x.
Preparing to unpack .../38-libtiff5_4.3.0-6ubuntu0.3_s390x.deb ...
Unpacking libtiff5:s390x (4.3.0-6ubuntu0.3) ...
Selecting previously unselected package libxpm4:s390x.
Preparing to unpack .../39-libxpm4_1%3a3.5.12-1ubuntu0.22.04.1_s390x.deb ...
Unpacking libxpm4:s390x (1:3.5.12-1ubuntu0.22.04.1) ...
Selecting previously unselected package libgd3:s390x.
Preparing to unpack .../40-libgd3_2.3.0-2ubuntu2_s390x.deb ...
Unpacking libgd3:s390x (2.3.0-2ubuntu2) ...
Selecting previously unselected package libc-devtools.
Preparing to unpack .../41-libc-devtools_2.35-0ubuntu3.1_s390x.deb ...
Unpacking libc-devtools (2.35-0ubuntu3.1) ...
Selecting previously unselected package libdpkg-perl.
Preparing to unpack .../42-libdpkg-perl_1.21.1ubuntu2.1_all.deb ...
Unpacking libdpkg-perl (1.21.1ubuntu2.1) ...
Selecting previously unselected package libfile-fcntllock-perl.
Preparing to unpack .../43-libfile-fcntllock-perl_0.22-3build7_s390x.deb ...
Unpacking libfile-fcntllock-perl (0.22-3build7) ...
Selecting previously unselected package manpages-dev.
Preparing to unpack .../44-manpages-dev_5.10-1ubuntu1_all.deb ...
Unpacking manpages-dev (5.10-1ubuntu1) ...
Selecting previously unselected package pkg-config.
Preparing to unpack .../45-pkg-config_0.29.2-1ubuntu3_s390x.deb ...
Unpacking pkg-config (0.29.2-1ubuntu3) ...
Setting up gcc-11-base:s390x (11.3.0-1ubuntu1~22.04) ...
Setting up manpages-dev (5.10-1ubuntu1) ...
Setting up libxpm4:s390x (1:3.5.12-1ubuntu0.22.04.1) ...
Setting up libfile-fcntllock-perl (0.22-3build7) ...
Setting up libdeflate0:s390x (1.10-2) ...
Setting up linux-libc-dev:s390x (5.15.0-60.66) ...
Setting up libgomp1:s390x (12.1.0-2ubuntu1~22.04) ...
Setting up bzip2 (1.0.8-5build1) ...
Setting up libjbig0:s390x (2.1-3.1ubuntu0.22.04.1) ...
Setting up libasan6:s390x (11.3.0-1ubuntu1~22.04) ...
Setting up libtirpc-dev:s390x (1.3.2-2ubuntu0.1) ...
Setting up rpcsvc-proto (1.4.2-0ubuntu6) ...
Setting up libfreetype6:s390x (2.11.1+dfsg-1ubuntu0.1) ...
Setting up libmpc3:s390x (1.2.1-2build1) ...
Setting up libatomic1:s390x (12.1.0-2ubuntu1~22.04) ...
Setting up fonts-dejavu-core (2.37-2build1) ...
Setting up golang-1.18-src (1.18.1-1ubuntu1) ...
Setting up libjpeg-turbo8:s390x (2.1.2-0ubuntu1) ...
Setting up libdpkg-perl (1.21.1ubuntu2.1) ...
Setting up libwebp7:s390x (1.2.2-2) ...
Setting up libubsan1:s390x (12.1.0-2ubuntu1~22.04) ...
Setting up libnsl-dev:s390x (1.3.0-2build2) ...
Setting up libcrypt-dev:s390x (1:4.4.27-1) ...
Setting up libisl23:s390x (0.24-2build1) ...
Setting up libc-dev-bin (2.35-0ubuntu3.1) ...
Setting up golang-src (2:1.18~0ubuntu2) ...
Setting up libcc1-0:s390x (12.1.0-2ubuntu1~22.04) ...
Setting up libitm1:s390x (12.1.0-2ubuntu1~22.04) ...
Setting up libjpeg8:s390x (8c-2ubuntu10) ...
Setting up cpp-11 (11.3.0-1ubuntu1~22.04) ...
Setting up fontconfig-config (2.13.1-4.2ubuntu5) ...
Setting up golang-1.18-go (1.18.1-1ubuntu1) ...
Setting up pkg-config (0.29.2-1ubuntu3) ...
Setting up libgcc-11-dev:s390x (11.3.0-1ubuntu1~22.04) ...
Setting up gcc-11 (11.3.0-1ubuntu1~22.04) ...
Setting up cpp (4:11.2.0-1ubuntu1) ...
Setting up libc6-dev:s390x (2.35-0ubuntu3.1) ...
Setting up libtiff5:s390x (4.3.0-6ubuntu0.3) ...
Setting up libfontconfig1:s390x (2.13.1-4.2ubuntu5) ...
Setting up golang-go:s390x (2:1.18~0ubuntu2) ...
Setting up gcc (4:11.2.0-1ubuntu1) ...
Setting up libgd3:s390x (2.3.0-2ubuntu2) ...
Setting up libstdc++-11-dev:s390x (11.3.0-1ubuntu1~22.04) ...
Setting up libc-devtools (2.35-0ubuntu3.1) ...
Setting up g++-11 (11.3.0-1ubuntu1~22.04) ...
Setting up g++ (4:11.2.0-1ubuntu1) ...
update-alternatives: using /usr/bin/g++ to provide /usr/bin/c++ (c++) in auto mode
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date (ABI upgrades are not detected).
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
Now convince yourself that you have installed Go correctly:
go version
Go has been installed if you see this:
go version go1.18.1 linux/s390x
The version of go that you see may differ slightly if a newer version has become available.
Download the GREP11 code repo¶
Go to your home directory:
cd ~
The instructor has created a fork of the GitHub repo that IBM Cloud provides. He could have just pointed you to the IBM Cloud repo, but, had he done that, you can be assured that a file that had not changed in nineteen months would have changed an hour before you started the lab, breaking this section, frustrating you and humiliating the instructor. By creating his own fork he ensures he has complete control of the code you will build. You probably think he is being paranoid and that this sort of thing would never have happened to him during a live demo (of a different product) in front of an audience of hundreds of people. Nope, that would never happen. Fortunately it was only an IBM internal audience. The instructor has since recovered.
Having said that, clone the instructor's GitHub repo:
git clone https://github.com/silliman/hpcs-grep11-go
Example output from git clone
Cloning into 'hpcs-grep11-go'...
remote: Enumerating objects: 61, done.
remote: Counting objects: 100% (61/61), done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 61 (delta 22), reused 56 (delta 20), pack-reused 0
Receiving objects: 100% (61/61), 121.04 KiB | 8.07 MiB/s, done.
Resolving deltas: 100% (22/22), done.
The git clone created a directory named hpcs-grep11-go. Change into it:
cd hpcs-grep11-go
List the contents of the certs directory and see that there is a single file named README:
ls -l certs/
READ IT (weeping is optional):
cat certs/README
You read that right- more X509 work!!
Create TLS certificate and key for your GREP11 Client¶
-
Create a working directory to use for the creation of a certificate to allow you to be a client of the GREP11 Server, and then change into it:
mkdir -p ~/x509Work/GREP11Client \
  && cd ~/x509Work/GREP11Client
-
Create an RSA private key
openssl genrsa -out client.key 2048
-
Create a configuration file so that openssl does not interrogate you for each field. Note that the [ x509_extensions ] section at the bottom is never referenced from [ req ], so it has no effect on the CSR; that is what you want, because a client certificate must not carry CA:TRUE:
cat << EOF > client.cnf
RANDFILE = \$ENV::HOME/.rnd
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = US
ST = Virginia
L = Herndon
O = IBM
OU = Washington Systems Center - IBM IBM Z and LinuxONE
CN = Lab Student
emailAddress = student@not.real.email.com
[ req_attributes ]
challengePassword = A challenge password
[ x509_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:TRUE
EOF
-
Create a certificate signing request:
openssl req -new -key client.key -out client.csr -config client.cnf
-
Display the CSR that you created:
openssl req -noout -text -in client.csr
It will look like this:
Example CSR display
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM IBM Z and LinuxONE, CN = Lab Student, emailAddress = student@not.real.email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:07:f9:43:c6:6b:fd:2c:39:d4:ef:b4:cb:db:
                    f5:06:b1:82:bc:48:1a:a1:57:3c:1d:05:a9:fe:65:
                    c2:bb:a0:ed:12:58:51:e0:95:2f:44:95:5c:be:88:
                    82:a0:c0:4d:28:62:c4:32:90:66:2e:aa:bc:77:cc:
                    a0:bc:04:3f:22:01:37:58:0a:44:ab:29:9f:4c:01:
                    8b:24:33:21:a5:bf:27:5d:4e:1e:a3:14:15:79:f1:
                    8d:02:61:7b:4d:9f:18:d9:4a:5e:b9:62:d9:c3:96:
                    79:cd:2c:82:f2:f1:3e:8f:ca:29:89:6a:45:b7:48:
                    b5:54:4a:bc:0d:0e:1c:22:8b:f7:8d:e4:72:54:9e:
                    8e:ef:b7:2e:d3:3b:e3:10:9e:1c:35:79:eb:57:1b:
                    aa:61:15:d7:19:6a:89:76:2e:63:19:07:c1:db:92:
                    98:bb:48:2b:e7:55:8b:cb:74:e1:00:76:f5:0a:8e:
                    e8:1a:69:a6:14:bf:7c:7f:eb:a8:ee:ad:b1:f0:df:
                    92:cc:0c:10:3d:42:b3:02:0d:7c:0d:55:38:70:49:
                    ab:84:da:d0:1e:52:1b:19:47:6e:26:b9:8c:cf:0e:
                    12:17:b1:cd:d8:bd:55:2f:fd:6b:6e:12:f1:8b:c4:
                    60:96:67:c4:55:a3:03:43:1b:70:a2:d7:0e:73:c6:
                    79:23
                Exponent: 65537 (0x10001)
        Attributes:
            challengePassword        :A challenge password
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        3d:ef:35:37:b6:aa:e4:33:cb:fe:17:aa:18:a5:77:d2:23:3b:
        b7:01:ac:6e:65:0c:0c:68:a6:80:37:04:8d:d2:7e:e8:9b:57:
        9d:63:8f:82:06:22:07:7f:bc:6b:b3:60:1c:3f:a1:3d:75:c5:
        3a:d5:f6:74:5c:93:9a:60:9e:40:4a:95:09:bf:38:6b:fb:fb:
        1a:6a:91:be:6d:4d:15:46:79:b4:e1:19:cb:9d:00:97:95:75:
        c1:3a:1d:4b:10:0f:c0:90:5b:f0:b9:5a:e6:b8:6d:11:84:d3:
        0b:aa:7c:eb:07:51:4c:0c:c3:7d:e5:7e:d0:5a:81:f8:0e:3f:
        08:db:3b:78:3d:aa:38:a0:65:60:60:f5:19:4f:47:fe:08:2d:
        4a:af:f9:40:1d:ff:2b:92:67:91:99:eb:b1:8c:cf:d1:2a:c1:
        c0:0d:6c:38:2b:ca:69:d2:40:7e:9d:84:c6:7a:2c:33:d0:28:
        b0:09:97:19:e7:3c:e9:fe:dc:bf:71:a3:00:2f:46:19:f4:1a:
        7c:fc:0f:ff:18:1f:38:77:78:17:49:0e:3e:e7:8a:f0:29:bb:
        a2:37:f4:4a:12:48:e2:ea:1f:14:cc:31:ac:19:6d:b5:bf:98:
        2b:91:aa:a8:71:07:62:54:48:79:55:72:11:9e:87:86:36:3d:
        5d:24:b0:9b
-
Your GREP11 CA is on your account on the RHEL host. Send your CSR to it:
scp client.csr \
  ${StudentID}@192.168.22.64:grep11Lab/x509Work/GREP11Server/clients/.
-
Switch to your terminal tab or window for your RHEL host session:
-
Change to your GREP11 CA working directory:
cd ${HOME}/grep11Lab/x509Work/GREP11Server/CA
-
Display the CSR that the client sent you:
openssl req -noout -text -in ../clients/client.csr
Note: The output is not shown here as it should look the same as when you displayed this same certificate moments ago when you were in "client" mode.
-
Create the certificate for the client. Note that openssl x509 -req adds no extensions unless you give it an -extfile, so the certificate it produces is version 1 with no key usage and no subject alternative name; the display in the next step confirms that:
openssl x509 -req -days 300 \
  -in ../clients/client.csr \
  -CA grep11-ca.pem \
  -CAcreateserial \
  -CAkey grep11-ca-key.pem \
  -out ../clients/client.pem
Output from certificate creation
Signature ok
subject=C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM IBM Z and LinuxONE, CN = Lab Student, emailAddress = student@not.real.email.com
Getting CA Private Key
-
Display the certificate before sending it to the client:
openssl x509 -noout -text -in ../clients/client.pem
Display of GREP11 client certificate
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            79:dd:5b:25:cc:24:f9:71:e5:e0:71:23:db:f8:9e:b8:92:b9:2d:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM IBM Z and LinuxONE, CN = WSC student02 HPVS CA, emailAddress = student@notreal.email.com.com
        Validity
            Not Before: Feb 15 16:07:56 2023 GMT
            Not After : Dec 12 16:07:56 2023 GMT
        Subject: C = US, ST = Virginia, L = Herndon, O = IBM, OU = Washington Systems Center - IBM IBM Z and LinuxONE, CN = Lab Student, emailAddress = student@not.real.email.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e4:07:f9:43:c6:6b:fd:2c:39:d4:ef:b4:cb:db:
                    f5:06:b1:82:bc:48:1a:a1:57:3c:1d:05:a9:fe:65:
                    c2:bb:a0:ed:12:58:51:e0:95:2f:44:95:5c:be:88:
                    82:a0:c0:4d:28:62:c4:32:90:66:2e:aa:bc:77:cc:
                    a0:bc:04:3f:22:01:37:58:0a:44:ab:29:9f:4c:01:
                    8b:24:33:21:a5:bf:27:5d:4e:1e:a3:14:15:79:f1:
                    8d:02:61:7b:4d:9f:18:d9:4a:5e:b9:62:d9:c3:96:
                    79:cd:2c:82:f2:f1:3e:8f:ca:29:89:6a:45:b7:48:
                    b5:54:4a:bc:0d:0e:1c:22:8b:f7:8d:e4:72:54:9e:
                    8e:ef:b7:2e:d3:3b:e3:10:9e:1c:35:79:eb:57:1b:
                    aa:61:15:d7:19:6a:89:76:2e:63:19:07:c1:db:92:
                    98:bb:48:2b:e7:55:8b:cb:74:e1:00:76:f5:0a:8e:
                    e8:1a:69:a6:14:bf:7c:7f:eb:a8:ee:ad:b1:f0:df:
                    92:cc:0c:10:3d:42:b3:02:0d:7c:0d:55:38:70:49:
                    ab:84:da:d0:1e:52:1b:19:47:6e:26:b9:8c:cf:0e:
                    12:17:b1:cd:d8:bd:55:2f:fd:6b:6e:12:f1:8b:c4:
                    60:96:67:c4:55:a3:03:43:1b:70:a2:d7:0e:73:c6:
                    79:23
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         66:9c:1a:d8:75:5b:52:1c:8c:f7:d7:63:f6:ea:1e:4e:b1:fa:
         92:78:1a:ab:83:11:7d:73:50:b9:ce:34:2b:33:d1:97:1f:90:
         f6:c7:85:45:20:9f:95:6d:f7:16:f9:64:fd:7b:3d:48:44:33:
         af:9e:dc:5a:f4:56:dd:50:27:6f:3e:9e:75:f2:52:d1:cf:fe:
         76:52:98:8a:0b:cd:62:a6:68:49:34:43:f9:d2:e3:ab:f6:b3:
         3f:fd:ff:3a:92:06:32:2b:c0:64:29:b5:00:c4:b8:66:57:07:
         de:64:8a:7a:88:0b:27:79:5a:6d:8f:4d:52:bf:cc:5e:03:53:
         4a:40:4d:22:e5:e7:0f:c3:1e:6c:2a:cf:79:f2:d5:4b:b3:13:
         be:dd:51:c7:2f:2d:8b:f5:97:1e:3f:86:2e:6c:13:c5:43:0f:
         a6:49:ed:a4:a2:7e:ec:3f:f9:9b:f4:65:f1:ff:d5:9c:60:0f:
         90:a8:18:a7:e0:2a:e4:b9:f2:4c:36:d9:f7:94:c9:a5:71:10:
         bf:56:0d:df:d7:3e:71:a7:f7:d0:cc:dc:52:49:bf:c1:71:72:
         e3:46:89:d6:5d:d4:60:04:a3:5b:46:84:ef:9f:de:02:8c:c8:
         69:89:5a:ef:49:5a:48:fc:72:af:09:21:dd:22:f7:91:b5:57:
         3b:50:e3:58
-
Send the certificate back to the client that requested it:
scp ../clients/client.pem \
  student@${StudentGuestIP}:./x509Work/GREP11Client/.
-
Your work as a CA registrar is done for the remainder of the lab!
Switch to your terminal tab or window for your Ubuntu KVM guest session:
-
Ensure you're in the directory that has your certificates and key:
cd ${HOME}/x509Work/GREP11Client
-
Display the client certificate that your CA registrar sent you:
openssl x509 -noout -text -in client.pem
You already know what it should look like, so we won't repeat the output here.
-
Now that you have your GREP11 client certificate, copy it, along with its corresponding private key, into the directory where your sample code will be looking for it:
cp -ipv client.pem client.key ${HOME}/hpcs-grep11-go/certs/.
-
Get your CA's public certificate. Your client code uses it to verify the GREP11 Server's certificate, and the server checks the client certificate you just had signed against the same CA; together with the certificate and key you just copied into certs/, that gives you mutual TLS:
scp ${StudentID}@192.168.22.64:grep11Lab/x509Work/GREP11Server/CA/grep11-ca.pem \
  ${HOME}/hpcs-grep11-go/certs/.
Modify GREP11 code for authentication to your GREP11 Server¶
-
Switch to this directory:
cd ${HOME}/hpcs-grep11-go/examples
-
Run this command to see the one line you need to change in the source code you downloaded:
grep --after-context 3 STUDENT server_test.go
Your output will look like this:
The line you need to change, plus the files you just made
const Address = "STUDENT_GREP11SERVER_IP:9876"
const cert = "../certs/client.pem"
const key = "../certs/client.key"
const ca = "../certs/grep11-ca.pem"
-
This command replaces the placeholder string STUDENT_GREP11SERVER_IP with the IP of your GREP11 Server, which the instructors stored in the GREP11ServerIP environment variable in your bash login profile at ~/.bashrc:
sed -i -e "s/STUDENT_GREP11SERVER_IP/${GREP11ServerIP}/g" server_test.go
-
Run this command to ensure that you made the change correctly:
grep --after-context 3 ${GREP11ServerIP} server_test.go
Expected output (your IP will differ, example shown for student02)
const Address = "172.16.0.62:9876"
const cert = "../certs/client.pem"
const key = "../certs/client.key"
const ca = "../certs/grep11-ca.pem"
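The certificate work in the previous section and the four constants above are the two halves of one mutual-TLS setup, and the check a practitioner wants before trusting it is to watch the server refuse a bad client. The following Go program is an added example, not code from the lab or from the hpcs-grep11-go repo: it builds the whole PKI in memory (a CA standing in for grep11-ca.pem, a server certificate, a client certificate standing in for client.pem and client.key, and a look-alike client certificate from an unrelated CA), then runs the handshake over a loopback TCP port with Go's crypto/tls rather than the gRPC channel the real client uses. The names grep11server and Somebody Else's CA, and the use of P-256 ECDSA keys instead of the lab's RSA keys, are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI stands in for the lab's files: grep11-ca.pem (CAPool), the GREP11 Server's own certificate,
// client.pem+client.key (Client), plus a look-alike client certificate from an unrelated CA (Rogue).
type PKI struct {
	CAPool                *x509.CertPool
	Server, Client, Rogue tls.Certificate
}

func check(err error) {
	if err != nil {
		panic(err) // key generation or signing failing during setup is not recoverable here
	}
}

// issue generates a P-256 key for tmpl and signs it with parent's key (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(300*24*time.Hour) // lab: -days 300
	parentCert, signer := tmpl, interface{}(key)
	if parent != nil {
		parentCert, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// template mirrors the lab's certificates, which carry no extended key usage; Go then accepts
// them for either TLS role, so the issuing CA alone decides who is trusted.
func template(cn string, isCA bool, dns ...string) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		KeyUsage: ku, IsCA: isCA, BasicConstraintsValid: isCA}
}

// BuildPKI plays the CA registrar: one CA signs the server and the student's client certificate;
// a second, unrelated CA signs a client certificate with the very same subject name.
func BuildPKI() *PKI {
	ca := issue(template("WSC student02 HPVS CA", true), nil)
	other := issue(template("Somebody Else's CA", true), nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{CAPool: pool,
		Server: issue(template("grep11server", false, "grep11server"), &ca),
		Client: issue(template("Lab Student", false), &ca),
		Rogue:  issue(template("Lab Student", false), &other)}
}

// Handshake runs one mutual-TLS connection over loopback. The server demands a client certificate
// chaining to CAPool; the client demands a server certificate chaining to the same CA (RootCAs),
// which is what the cert, key and ca constants give the GREP11 client. The server's verdict is
// returned because in TLS 1.3 the client can finish before the server has checked its certificate.
func Handshake(p *PKI, clientCert *tls.Certificate) error {
	srv := &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientCAs: p.CAPool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13}
	cli := &tls.Config{RootCAs: p.CAPool, ServerName: "grep11server", MinVersion: tls.VersionTLS13}
	if clientCert != nil {
		cli.Certificates = []tls.Certificate{*clientCert}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept one connection and run the handshake
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err == nil {
		defer conn.Close()
	} else {
		ln.Close() // unblock Accept if the TCP connection itself never arrived
	}
	if serr := <-verdict; serr != nil {
		return serr
	}
	return err
}

func main() {
	p := BuildPKI()
	fmt.Println("lab client cert:  ", Handshake(p, &p.Client)) // <nil>: accepted
	fmt.Println("no client cert:   ", Handshake(p, nil))       // rejected
	fmt.Println("unrelated CA cert:", Handshake(p, &p.Rogue))  // rejected
}
```

Run it with go run: the first handshake succeeds and the other two fail with the server's reason. The equivalent check on the lab's real files is openssl verify -CAfile grep11-ca.pem client.pem in ~/hpcs-grep11-go/certs. The lab's certificates are version 1 with no extended key usage, which Go accepts for either TLS role, so trust rests entirely on which CA signed them; guard the CA key accordingly.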
Run the GREP11 client code¶
Drum roll please...
-
Enter this command to test your GREP11 client code:
go test -v
Your output should look like this. The go: downloading lines are the module dependencies declared in go.mod being fetched; Go checks each one against the checksums recorded in the repo's go.sum, so a tampered module would fail here rather than run. If the tests pass, you have achieved great success in the lab!!!
Expected output from testing the GREP11 client code
go: downloading google.golang.org/grpc v1.34.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/golang/protobuf v1.4.3
go: downloading golang.org/x/net v0.0.0-20201021035429-f5854403a974
go: downloading google.golang.org/genproto v0.0.0-20201001141541-efaab9d3c4f7
go: downloading google.golang.org/protobuf v1.25.0
go: downloading golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
go: downloading golang.org/x/text v0.3.3
=== RUN   Test_signAndVerifyUsingDilithiumKeyPair
Generated Dilithium key pair
Data signed
Verified
--- PASS: Test_signAndVerifyUsingDilithiumKeyPair (0.05s)
=== RUN   Test_rewrapKeyBlob
    server_test.go:1375: Skipping the rewrapKeyBlob test. To enable, comment out the t.Skipf and message lines within the Test_rewrapKeyBlob test
        NOTE: This test contains two pauses that require the user to type CTRL-c after ensuring that the stated pre-requisite activity has been completed.
        There needs to be coordination with your HPCS cloud service contact in order to place your HSM into the required states.
--- SKIP: Test_rewrapKeyBlob (0.00s)
=== RUN   Example_getMechanismInfo
--- PASS: Example_getMechanismInfo (0.01s)
=== RUN   Example_generateGenericKey
--- PASS: Example_generateGenericKey (0.01s)
=== RUN   Example_encryptAndDecryptUsingAES
--- PASS: Example_encryptAndDecryptUsingAES (0.02s)
=== RUN   Example_digest
--- PASS: Example_digest (0.01s)
=== RUN   Example_signAndVerifyUsingRSAKeyPair
--- PASS: Example_signAndVerifyUsingRSAKeyPair (0.04s)
=== RUN   Example_signAndVerifyUsingDSAKeyPair
--- PASS: Example_signAndVerifyUsingDSAKeyPair (0.54s)
=== RUN   Example_deriveKeyUsingDHKeyPair
--- PASS: Example_deriveKeyUsingDHKeyPair (1.51s)
=== RUN   Example_signAndVerifyUsingECDSAKeyPair
--- PASS: Example_signAndVerifyUsingECDSAKeyPair (0.02s)
=== RUN   Example_signAndVerifyToTestErrorHandling
--- PASS: Example_signAndVerifyToTestErrorHandling (0.02s)
=== RUN   Example_wrapAndUnwrapKey
--- PASS: Example_wrapAndUnwrapKey (0.04s)
=== RUN   Example_deriveKey
--- PASS: Example_deriveKey (0.04s)
=== RUN   Example_wrapAndUnwrapAttributeBoundKey
--- PASS: Example_wrapAndUnwrapAttributeBoundKey (0.03s)
=== RUN   Example_tls
--- PASS: Example_tls (0.03s)
PASS
ok      github.com/IBM-Cloud/hpcs-grep11-go/examples    2.373s
-
Before you go, check your system log messages for evidence of the test you just ran:
journalctl --since "-5 minutes" --output short-full --no-pager
The above command assumes you ran it within five minutes of running the test. If you missed the boat, either rerun the test or change the argument to --since to cover a longer timeframe of messages.
Demonstrate the protection of the Secure Execution-enabled HPVS 2.1.x guest¶
Overview of this section¶
In this section you will demonstrate the protection offered by the Secure Execution-enabled HPVS 2.1.x guest in contrast to the ease in which a malicious insider can eavesdrop on a standard KVM guest.
Log out of your Ubuntu KVM guest¶
All of the work in this section is performed on the RHEL 8.5 host, so log out of your Ubuntu KVM guest. You have finished your work in the Ubuntu KVM guest for this lab:
exit
Switch to your RHEL host terminal session¶
Switch to your terminal tab or window for your RHEL host session:
You should be logged in still if you have been following the lab in order in one sitting, but if you need to log in again the command is ssh -l ${StudentID} 192.168.22.64
Snoop into your standard KVM guest with ease¶
A systems administrator with root on the KVM host has no difficulty reading a standard KVM guest's memory. Try this command to dump the entire memory of your Ubuntu KVM guest into a file in the home directory of your lab userid:
cd ${HOME} && sudo virsh dump $(whoami) $(whoami).dump
This will take a little while but you have just dumped the entire memory of your KVM guest.
Look at the file size:
ls -lh $(whoami).dump
We suspect that a malicious actor might have a few more tools in their toolbag than what we will show you here, but try this command:
sudo strings $(whoami).dump
The above command will print out all of the strings it recognizes in the memory dump. You are probably getting tired of seeing them pass by on your terminal screen, so type Ctrl-C when you want your command prompt back.
Try this command to see how many strings were found in the file:
sudo strings $(whoami).dump | wc --lines
Your output may differ, but when we tried this command while writing up the lab, we had 2,397,409 strings found in our dump. Now we didn't dig much deeper than this, but it's possible that a motivated hacker might find something among those millions of strings with which to make mischief.
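Piping strings into wc shows how much is in the dump; an insider who has one would instead search it for specific things. The following Go program is an added example, not part of the lab: it fabricates a small stand-in for a virsh dump file (constructed filler with a few planted form fields, not data from any real guest), then picks out every digit run that passes the Luhn check used by payment card numbers and locates a chosen marker such as pin= together with the text that follows it. It goes beyond the lab's one guest by applying a generic filter you could point at any dump file; the planted card numbers are the well-known test numbers, and the filler generator is an arbitrary fixed-seed LCG chosen for reproducibility.

```go
package main

import (
	"bytes"
	"fmt"
)

// BuildSampleDump fabricates a small stand-in for a virsh dump file: pseudo-random filler from a
// fixed-seed LCG (so runs are reproducible) with a few strings planted the way a payment form's
// variables might sit in guest memory. Constructed test data, not a real dump.
func BuildSampleDump() []byte {
	noise := make([]byte, 4096)
	x := uint32(7)
	for i := range noise {
		x = x*1664525 + 1013904223
		noise[i] = byte(x >> 24)
	}
	var buf bytes.Buffer
	buf.Write(noise)
	buf.WriteString("name=Lab Student\x00pan=4111111111111111\x00cvv=123\x00")
	buf.Write(noise)
	buf.WriteString("order=1234567890123456\x00") // 16 digits but fails Luhn: an order number, not a card
	buf.WriteString("pan=5555555555554444 pin=1234\x00")
	buf.Write(noise)
	return buf.Bytes()
}

// Luhn reports whether s is all digits and passes the Luhn check used by payment card numbers.
func Luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // non-digit bytes wrap around to large values
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) >= 2 && sum%10 == 0
}

// FindPANs returns the distinct runs of 13 to 19 digits in dump that pass Luhn, in order of first
// appearance: the filter a snooping administrator applies to the millions of strings a dump yields.
func FindPANs(dump []byte) []string {
	var hits []string
	seen := map[string]bool{}
	start := -1
	for i := 0; i <= len(dump); i++ {
		if i < len(dump) && dump[i] >= '0' && dump[i] <= '9' {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 { // a digit run ended at i (or at the end of the dump)
			run := string(dump[start:i])
			if n := len(run); n >= 13 && n <= 19 && Luhn(run) && !seen[run] {
				seen[run] = true
				hits = append(hits, run)
			}
			start = -1
		}
	}
	return hits
}

// Hits returns each occurrence of marker with the printable bytes that follow it, prefixed by its
// byte offset: what "strings dump | grep marker" shows, with the location added.
func Hits(dump []byte, marker string) []string {
	var out []string
	if marker == "" {
		return out
	}
	off := 0
	for {
		i := bytes.Index(dump[off:], []byte(marker))
		if i < 0 {
			return out
		}
		start := off + i
		end := start
		for end < len(dump) && dump[end] >= 0x20 && dump[end] < 0x7f {
			end++
		}
		out = append(out, fmt.Sprintf("0x%x: %s", start, dump[start:end]))
		off = start + len(marker)
	}
}

func main() {
	dump := BuildSampleDump()
	fmt.Println("Luhn-valid card numbers:", FindPANs(dump))
	for _, h := range Hits(dump, "pin=") {
		fmt.Println("marker:", h)
	}
}
```

Against the lab's real dump you would read the file instead of calling BuildSampleDump; the two filters are deliberately crude, and the point of the next section is that against the Secure Execution guest there is no dump to run them on.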
Go ahead and try to hack me says the HPVS 2.1.x guest¶
Try to snoop on your Secure Execution-enabled Hyper Protect Virtual Servers 2.1.x guest that is running your GREP11 Server. See what happens:
suffix=$(temp=$(whoami) && echo ${temp: -2}) ; \
sudo virsh dump grep11se${suffix} grep11se${suffix}.dump
Shot down in flames, ain't it a shame
error: Failed to core dump domain 'grep11se01' to grep11se01.dump
error: internal error: unable to execute QEMU command 'migrate': protected VMs are currently not migrateable.
If your name or address or credit card number or social security number or bank card PIN code or cryptocurrency wallet was in memory, would you have preferred it to be in memory in a standard KVM guest or in a Secure Execution-enabled Hyper Protect Virtual Servers guest? If you answered standard KVM guest, then please return to the beginning of the lab and start over. If you chose SE-enabled HPVS guest, then congratulations, you have successfully completed the lab!! (Except for cleanup).
Please proceed to the next section of the lab for lab cleanup.
Clean up the resources you created during the lab¶
All of the work in this section is performed on the RHEL 8.5 host:
You should already be logged in to it if you have been following this lab in order.
Shut down your standard Ubuntu KVM guest¶
Enter this command to shut down your standard Ubuntu KVM guest:
sudo virsh shutdown $(whoami)
Shut down your HPVS 2.1.x guest (your GREP11 server):¶
suffix=$(temp=$(whoami) && echo ${temp: -2}) ; \
sudo virsh shutdown grep11se${suffix}
Delete the dump in the home directory of your userid on the RHEL 8.5 host:¶
cd ${HOME} && rm -vf $(whoami).dump
Log out of the RHEL host:¶
exit
Thank you for cleaning up and congratulations on finishing this lab! We hope you enjoyed it and learned from it and we welcome your feedback on how to make it better.
If you wish to do the PayNow Lab then click the link on the lower right of the page. Otherwise, no further action is necessary on your part.
There is no need to click the Next
link at the bottom as that will take you to a page that is for instructor usage. Feel free to check it out though, as it will give you insight into the tools that we use to create and update the lab documentation.
Ended: GREP11 with CENA4SEE Lab
PayNow Lab ↵
PayNow Lab Overview¶
Lab environment topology¶
Hyper Protect Virtual Servers 2.1.x provides an IBM-provided and -supported Secure Execution-enabled KVM image that runs on a Linux LPAR on an IBM Z or LinuxONE server.
Hyper Protect Virtual Servers (HPVS) requires you to specify your workload via a "contract" that you define.
Within the contract you specify an OCI-compliant image that provides your workload.
For our lab this LPAR is running RHEL 8.5. You can use any distribution on IBM Z or LinuxONE that supports Secure Execution, for example recent versions of Ubuntu and SUSE as well as RHEL.
In the lab, you will run a demonstration application called the PayNow Demo in two places: once in a standard KVM guest, and once in an HPVS KVM guest protected by Secure Execution.
You will access both instances of the PayNow demo from a web browser and enter data representing sensitive information such as name, credit card number, credit card security code, etc. This should be fictitious data that you make up for learning purposes in the lab.
From each instance of PayNow you will take a memory dump of the KVM guest. By following the lab instructions you will see that an insider attack by a malicious system administrator on the KVM host could extract sensitive data from the standard KVM guest, and then you will see that the same attack fails against an HPVS KVM guest. That mitigates the insider attack and demonstrates the value of Confidential Computing as implemented by Hyper Protect Virtual Servers 2.1.x.
Your HPVS KVM guest that will run PayNow will be configured to write log messages to an rsyslog service. For the lab, you will configure this rsyslog service on the same standard KVM guest that you are using for running the "unprotected" version of PayNow.
During the lab you will log in to two servers:
-
The RHEL 8.5 host. From here you will launch your Ubuntu KVM guest. You will also use your host login to define the "contract" that HPVS expects so that you can launch your HPVS KVM Guest for the PayNow demo.
-
You will log in to your Ubuntu KVM guest for configuring the rsyslog service and for running the PayNow demo
You will not log in directly to your HPVS KVM Guest for the PayNow demo, but you will be accessing the PayNow demo from a web browser.
Lab logistics¶
Except for the RHEL Jumpbox, the systems used in the lab are in the IBM Washington Systems Center (WSC) in the WSC's private network. Access to the WSC private network is through a virtual private network (VPN) client running on the RHEL Jumpbox. The instructors access each student's RHEL Jumpbox in order to log in via the VPN client. Students access their jumpbox from a web browser- other than a modern web browser, no additional software is required on the student's laptop or workstation.
During the lab, students will be directed to open two terminal windows on their jumpbox- one will be designated for working on the RHEL host and the other will be designated for working on their KVM standard Ubuntu guest. Two separate terminal profiles have been created on the jumpbox- one for the RHEL host and one for the KVM standard Ubuntu guest- which have different background and text colors which will help the student more easily differentiate between the two windows. The student may wish to use a single terminal window with two tabs- one with each terminal profile- instead of two different windows. It is fine to do so.
Terminal profiles we have defined in your jumpbox¶
The terminal profile we have set up for you to run commands in the RHEL host looks like this:
The terminal profile we have set up for you to run commands in your Ubuntu KVM Guest looks like this:
You are free to change the look and feel of the terminal profiles to what suits you, but the lab is written with the assumption that you are using the profiles we have set up for you. This matters only in that we may show images in the lab in an effort to help ensure you are working on the correct system when you are entering commands.
Start Ubuntu KVM Guest¶
Overview of this page¶
This page will help you verify that your jumpbox is configured properly and then guide you to logging in to the RHEL Host from which you will start your student-assigned KVM standard Ubuntu guest.
Verify the student-specific environment variables on your jumpbox¶
You will first ensure that two crucial environment variables are set on your jumpbox. Under most circumstances, the instructors will have already set these variables for you. These variables will enable you to enter all of the commands in this lab without modification- where student-specific information is required in a command, the command will contain environment variables that will be resolved with the student-specific information.
Environment variables are set in three places:
-
On your jumpbox. In most cases, the instructors will have configured your jumpbox with your student-specific environment variables
-
You will have a userid on the RHEL host, and this userid has been configured with student-specific environment variables
-
You will have your own KVM standard guest running Ubuntu, and this guest is also configured with student-specific environment variables
Verify the environment variable on your jumpbox for your student ID¶
The instructors should have guided you through the process of obtaining a RHEL Jumpbox where you will perform the lab.
Note
The jumpbox is running the RHEL operating system, but the OS on the jumpbox is largely irrelevant, and in order to avoid confusion with the RHEL host (the Linux LPAR on the IBM z15 server in the Washington Systems Center data center in Herndon, Virginia, USA) that you will use during the lab, we will drop the 'RHEL' and refer to the RHEL jumpbox as just jumpbox from now on.
On your jumpbox, open a terminal window. You can do this by clicking on Activities in the upper left corner of your jumpbox and then clicking the icon that looks like a terminal window. This will bring up a window using the RHEL Host terminal profile, so your terminal window should have a dark background with a green prompt for the font, similar to the image shown in the previous section of the lab. You will use this window to perform work on the RHEL host, but before logging in you will ensure that an environment variable specifying your unique student ID has been set properly.
Each student has a unique userid assigned to them. It is likely set for you already. In an instructor-led class, your instructors will let you know if this has been set for you already.
Check this by entering this echo command:
echo ${StudentID}
Example output for student02
silliman@nat-147 ~ % echo ${StudentID}
student02
If a value starting with student and ending with a two-digit number is returned to you, then your jumpbox has been configured properly and you may continue in the lab. If you are not shown this value then please ask your lab instructor or demo guide for assistance.
Log in to the RHEL 8.5 host¶
You will now sign into our z15 LPAR running Red Hat Enterprise Linux 8.5. This is a system that has been enabled for Secure Execution and so can run workloads provisioned with IBM Hyper Protect Virtual Servers 2.1.x.
Use your terminal tab or window set aside for doing work on the RHEL host- the one that (by default) looks like this:
Run this command:
ssh -l ${StudentID} 192.168.22.64
One of two things should happen:
a. If you are on an instructor-provided system and the instructors have had the time to load it with an appropriate RSA private key that matches an RSA public key that has been loaded into your assigned userid's account on the RHEL host:
- you will be able to sign in without a password!
OR
b. If you are not on an instructor-provided system or we did not have a chance to load the parts of the RSA key pair in the appropriate locations
- you will be prompted to enter a password. Your instructor will provide you a password by some clandestine means, surely we're not going to put it on a page on the Internet !
Example messages upon login
*
* IBM Washington Systems Center (WSC) .....
* IBM Z and LinuxONE C C /
* /< /
* ___ __________/_#__=o
* /(- /(\_\________ \
* \ ) \ )_ \o \
* /|\ /|\ |' |
* | _|
* Red Hat Enterprise Linux 8.5 /o __\
* / ' |
* / / |
* /_/\______|
* ( _( <
* KVM Hypervisor for Blockchain \ \ \
* and Hyper Protect \ \ \
* and Digital Assets \____\____\
* on IBM Z and LinuxONE ____\_\__\_\
* /` /` o\
* "It's alive!" |___ |_______|..o-o-o-(#)
*
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Feb 13 16:50:14 2023 from 192.168.215.147
[student02@bczkvm(192.168.22.64) ~ [19:11:51] (0)]$
Start your Ubuntu KVM guest¶
A KVM Guest has been defined for each student by the instructors. This guest has the Ubuntu 22.04.2 operating system installed on it. A very straightforward installation path was taken with no additional software packages selected during the installation. You will add additional software packages as necessary during the lab. This guest does not take advantage of the additional protection offered by Secure Execution and HPVS. It could have, but you will already be creating another KVM Guest that is protected by Secure Execution and HPVS. This also helps to make the point that you can run "standard", i.e., non-Secure Execution-protected guests, and Secure Execution-protected guests on the same LPAR.
Display your KVM guest's definition with this command:
sudo virsh dumpxml $(whoami)
We named your Ubuntu KVM guest the same as your userid on the RHEL host, which is why you can use the whoami
command.
Example virsh dumpxml output
<domain type='kvm'>
<name>student02</name>
<uuid>531199d9-3671-424e-a9c9-74ff5ca3980b</uuid>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='s390x' machine='s390-ccw-virtio-rhel8.6.0'>hvm</type>
<boot dev='hd'/>
</os>
<cpu mode='host-model' check='partial'/>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/hpvslab/student02/student02-ubuntu22.04.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
</disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<target dev='sda' bus='scsi'/>
<readonly/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='scsi' index='0' model='virtio-scsi'>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0002'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<controller type='virtio-serial' index='0'>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0003'/>
</controller>
<interface type='network'>
<mac address='52:54:00:67:e5:c1'/>
<source network='default'/>
<model type='virtio'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
</interface>
<console type='pty'>
<target type='sclp' port='0'/>
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<audio id='1' type='none'/>
<memballoon model='virtio'>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0004'/>
</memballoon>
<panic model='s390'/>
</devices>
</domain>
Look for the your userid in the output of the virsh dumpxml command. You'll see it in two places- at the top where it names your guest, and then within the filepath and filename of the qcow2 image that provides your KVM guest.
Run this command to start your Ubuntu KVM guest:
sudo virsh start $(whoami)
Expected output (for student02)
Domain 'student02' started
You are off to a smashing start!
Continue to the next section of the lab, where you'll be directed to open a new terminal window or tab using the terminal profile named KVM Standard Guest and given considerations for whether to create a new window or a new tab; it is a matter of personal preference. Throughout the remainder of the lab you'll be directed to use this new tab or window when doing work on your KVM Ubuntu guest and your original terminal tab or window when doing work on the RHEL host.
If you did not see the expected output, you have departed from the happy path...
Please ask your instructor for help.
Please click the Next link at the lower right of this page to continue to the next section of the lab.
Download PayNow GitHub Repo¶
Open a new terminal window or tab with the KVM Standard Guest profile¶
From your terminal window with the RHEL Host profile, click on File in the menu bar and then, according to your preferences, select either New Tab or New Window, and, from either choice, select 1. KVM Standard Guest
Choosing a new tab offers compactness but you won't be able to see both the RHEL Host tab and the KVM Standard Guest tab at the same time- you have to switch back and forth by clicking the appropriate tab header at the top. Choosing a new window allows you to drag your windows or otherwise rearrange them so that you can see both windows on your screen. The choice is yours. Advanced students may wish to open more windows and tabs but the lab is written with the assumption that you have just one window or tab with the RHEL Host profile and just one window or tab with the KVM Standard Guest profile.
Your window or tab should look like this (unless you customized the profile we provided you):
You're now ready to log in to your Ubuntu KVM guest:
ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Example messages logging into Ubuntu KVM guest
silliman@nat-147 ~ % ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Last login: Thu Feb 9 19:32:09 2023 from 192.168.215.147
student@ubuntu2204:~$
Download the PayNow demo from GitHub:
git clone https://github.com/ibm-hyper-protect/paynow-website
Example output from git clone
Cloning into 'paynow-website'...
remote: Enumerating objects: 126, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 126 (delta 10), reused 14 (delta 4), pack-reused 96
Receiving objects: 100% (126/126), 1.53 MiB | 7.89 MiB/s, done.
Resolving deltas: 100% (43/43), done.
Switch to the paynow-website directory which was just created by the git clone command:
cd paynow-website && pwd
Example output after switching directories
/home/student/paynow-website
You may proceed to the next section of the lab by clicking the Next link at the bottom right of this page.
Create OCI Image¶
You will be performing this section from your Ubuntu KVM guest.
Your window or tab should look like this (unless you customized the profile we provided you):
Install Docker¶
You will need to install Docker on your guest. You can see that it is not currently installed by running the following command:
which docker || echo 'Docker is not found'
Output showing Docker is not found
Docker is not found
See what version of Docker is available to install with this command:
sudo apt-cache policy docker.io
You can see from the output that docker.io is not currently installed and that version 24.0.5 is the candidate, or suggested, version to install:
Output showing Docker version to install
docker.io:
Installed: (none)
Candidate: 24.0.5-0ubuntu1~22.04.1
Version table:
24.0.5-0ubuntu1~22.04.1 500
500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/universe s390x Packages
20.10.21-0ubuntu1~22.04.3 500
500 http://ports.ubuntu.com/ubuntu-ports jammy-security/universe s390x Packages
20.10.12-0ubuntu4 500
500 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x Packages
Install Docker with this command:
sudo apt install docker.io
Type Y and press Return when asked if you want to continue with the installation.
Output from Docker installation
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
bridge-utils containerd dns-root-data dnsmasq-base pigz runc ubuntu-fan
Suggested packages:
ifupdown aufs-tools cgroupfs-mount | cgroup-lite debootstrap docker-doc rinse zfs-fuse | zfsutils
The following NEW packages will be installed:
bridge-utils containerd dns-root-data dnsmasq-base docker.io pigz runc ubuntu-fan
0 upgraded, 8 newly installed, 0 to remove and 112 not upgraded.
Need to get 54.8 MB of archives.
After this operation, 232 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x pigz s390x 2.6-1 [67.2 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x bridge-utils s390x 1.7-1ubuntu3 [34.3 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x runc s390x 1.1.7-0ubuntu1~22.04.1 [4118 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x containerd s390x 1.7.2-0ubuntu1~22.04.1 [28.0 MB]
Get:5 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x dns-root-data all 2021011101 [5256 B]
Get:6 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x dnsmasq-base s390x 2.86-1.1ubuntu0.3 [348 kB]
Get:7 http://ports.ubuntu.com/ubuntu-ports jammy-updates/universe s390x docker.io s390x 24.0.5-0ubuntu1~22.04.1 [22.2 MB]
Get:8 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x ubuntu-fan all 0.12.16 [35.2 kB]
Fetched 54.8 MB in 2s (24.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package pigz.
(Reading database ... 78375 files and directories currently installed.)
Preparing to unpack .../0-pigz_2.6-1_s390x.deb ...
Unpacking pigz (2.6-1) ...
Selecting previously unselected package bridge-utils.
Preparing to unpack .../1-bridge-utils_1.7-1ubuntu3_s390x.deb ...
Unpacking bridge-utils (1.7-1ubuntu3) ...
Selecting previously unselected package runc.
Preparing to unpack .../2-runc_1.1.7-0ubuntu1~22.04.1_s390x.deb ...
Unpacking runc (1.1.7-0ubuntu1~22.04.1) ...
Selecting previously unselected package containerd.
Preparing to unpack .../3-containerd_1.7.2-0ubuntu1~22.04.1_s390x.deb ...
Unpacking containerd (1.7.2-0ubuntu1~22.04.1) ...
Selecting previously unselected package dns-root-data.
Preparing to unpack .../4-dns-root-data_2021011101_all.deb ...
Unpacking dns-root-data (2021011101) ...
Selecting previously unselected package dnsmasq-base.
Preparing to unpack .../5-dnsmasq-base_2.86-1.1ubuntu0.3_s390x.deb ...
Unpacking dnsmasq-base (2.86-1.1ubuntu0.3) ...
Selecting previously unselected package docker.io.
Preparing to unpack .../6-docker.io_24.0.5-0ubuntu1~22.04.1_s390x.deb ...
Unpacking docker.io (24.0.5-0ubuntu1~22.04.1) ...
Selecting previously unselected package ubuntu-fan.
Preparing to unpack .../7-ubuntu-fan_0.12.16_all.deb ...
Unpacking ubuntu-fan (0.12.16) ...
Setting up dnsmasq-base (2.86-1.1ubuntu0.3) ...
Setting up runc (1.1.7-0ubuntu1~22.04.1) ...
Setting up dns-root-data (2021011101) ...
Setting up bridge-utils (1.7-1ubuntu3) ...
Setting up pigz (2.6-1) ...
Setting up containerd (1.7.2-0ubuntu1~22.04.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/containerd.service → /lib/systemd/system/containerd.service.
Setting up ubuntu-fan (0.12.16) ...
Created symlink /etc/systemd/system/multi-user.target.wants/ubuntu-fan.service → /lib/systemd/system/ubuntu-fan.service.
Setting up docker.io (24.0.5-0ubuntu1~22.04.1) ...
Adding group `docker' (GID 121) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /lib/systemd/system/docker.service.
Created symlink /etc/systemd/system/sockets.target.wants/docker.socket → /lib/systemd/system/docker.socket.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date (ABI upgrades are not detected).
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
Repeat this command from earlier and you'll now see that Docker is installed:
sudo apt-cache policy docker.io
Output showing docker.io is installed
docker.io:
Installed: 24.0.5-0ubuntu1~22.04.1
Candidate: 24.0.5-0ubuntu1~22.04.1
Version table:
*** 24.0.5-0ubuntu1~22.04.1 500
500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/universe s390x Packages
100 /var/lib/dpkg/status
20.10.21-0ubuntu1~22.04.3 500
500 http://ports.ubuntu.com/ubuntu-ports jammy-security/universe s390x Packages
20.10.12-0ubuntu4 500
500 http://ports.ubuntu.com/ubuntu-ports jammy/universe s390x Packages
Run this command to see where the docker binary lives:
which docker && echo Docker is found!
Output showing where the docker binary resides
/usr/bin/docker
Docker is found!
Run this command to display the Docker version:
docker version
Besides noting the version, note the permission error at the bottom of the output:
Docker version info, plus a permission error
Client:
Version: 24.0.5
API version: 1.43
Go version: go1.20.3
Git commit: 24.0.5-0ubuntu1~22.04.1
Built: Mon Aug 21 19:50:14 2023
OS/Arch: linux/s390x
Context: default
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version": dial unix /var/run/docker.sock: connect: permission denied
You need to add your userid to the docker group in order to have permission to use Docker. Be aware that membership in the docker group is effectively root on the guest, because anyone who can talk to the Docker daemon's socket can start a container that mounts the guest's filesystem with elevated privileges. That is fine for this throwaway lab guest but is something to weigh carefully on a shared system:
sudo usermod -aG docker student
(There is no output from the above command when it works).
You will need to log out and then log back in in order for your updated permissions to take effect.
Log out:
exit
Log back in:
ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Now repeat docker version and you should not see any errors and you should see more information as well:
docker version
Output when your permissions are correct
Client:
Version: 24.0.5
API version: 1.43
Go version: go1.20.3
Git commit: 24.0.5-0ubuntu1~22.04.1
Built: Mon Aug 21 19:50:14 2023
OS/Arch: linux/s390x
Context: default
Server:
Engine:
Version: 24.0.5
API version: 1.43 (minimum version 1.12)
Go version: go1.20.3
Git commit: 24.0.5-0ubuntu1~22.04.1
Built: Mon Aug 21 19:50:14 2023
OS/Arch: linux/s390x
Experimental: false
containerd:
Version: 1.7.2
GitCommit:
runc:
Version: 1.1.7-0ubuntu1~22.04.1
GitCommit:
docker-init:
Version: 0.19.0
GitCommit:
Build OCI Image for PayNow demo¶
Switch to the proper directory:
cd ~/paynow-website && pwd
Before you get started, run this command to see that you currently have no OCI images on your system:
docker images
Expected output
REPOSITORY TAG IMAGE ID CREATED SIZE
Now, build your OCI image containing the PayNow Demo.
docker build -t paynow .
You can ignore any warning messages. Example output is shown below.
Example output
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
Sending build context to Docker daemon 2.846MB
Step 1/7 : FROM node:19
19: Pulling from library/node
44d1d02f9172: Pull complete
e4000487deec: Pull complete
71c736ce76be: Pull complete
c037e6c2d715: Pull complete
294c8876dcdb: Pull complete
33a351284190: Pull complete
5ac921848b31: Pull complete
86b7a0ecd4be: Pull complete
Digest: sha256:92f06fc13bcc09f1ddc51f6ebf1aa3d21a6532b74f076f224f188bc6b9317570
Status: Downloaded newer image for node:19
---> f2e8386523b1
Step 2/7 : WORKDIR /app
---> Running in de71bb50b43a
Removing intermediate container de71bb50b43a
---> 25f7fababad3
Step 3/7 : COPY app/package*.json ./
---> 6c01e8cc8944
Step 4/7 : RUN npm install
---> Running in f4a6ec88dc55
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
added 65 packages, and audited 66 packages in 2s
7 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
npm notice
npm notice New major version of npm available! 9.6.3 -> 10.0.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.0.0>
npm notice Run `npm install -g npm@10.0.0` to update!
npm notice
Removing intermediate container f4a6ec88dc55
---> a5b9897de6c8
Step 5/7 : COPY app/ .
---> 50c2cc75996f
Step 6/7 : EXPOSE 8443
---> Running in 6a9c4f0be331
Removing intermediate container 6a9c4f0be331
---> 306e777a7247
Step 7/7 : CMD npm start
---> Running in c8d6a6817780
Removing intermediate container c8d6a6817780
---> fd801119534e
Successfully built fd801119534e
Successfully tagged paynow:latest
Please click the Next link at the lower right to continue in the lab.
Run OCI image¶
You will be performing this section from your Ubuntu KVM guest.
Your window or tab should look like this (unless you customized the profile we provided you):
List your OCI image¶
Run this command to see the OCI image that you created, as well as an image (node:19) that was pulled down and used as the base image of your paynow:latest image:
docker images
Your output will look like this:
Example output
REPOSITORY TAG IMAGE ID CREATED SIZE
paynow latest fd801119534e About a minute ago 934MB
node 19 f2e8386523b1 3 months ago 926MB
Run the OCI image¶
Run this command to start the PayNow app as a Docker container:
CONTAINER_ID=$(docker run -itd --rm -p 8443:8443 paynow)
The above command should have produced no visible output. That is because we captured the output of the docker run... command in the shell variable CONTAINER_ID instead of letting it go to your terminal. The output is simply the unique identifier Docker assigned to the container.
This next command will show you the container ID:
echo ${CONTAINER_ID}
You will see output similar to this- 64 hex characters- but it will be different than the example shown here:
Example Container ID
8ebe1f2020951b01986a3974944a8e7689982d6ac44e45a6f360e79da9d0fd50
Note: If your output from above is different in format, then it is probably an error message and you should seek help from an instructor if necessary.
Now you can display the log messages from your container with this command:
docker logs ${CONTAINER_ID}
You should see the following messages which indicate that the PayNow application successfully started:
Log messages from starting the PayNow app
> hyper-protect-pay-now@1.0.0 start
> node app.js
Please click Next on the bottom right of the page to continue.
Use the PayNow demo app¶
In your KVM Standard Guest session, enter this command:
echo https://192.168.22.64:${Student_PayNow_Port}
This will fill out the URL with your student specific port for your PayNow demo that you just started up in the previous section.
Your port has been specified in an environment variable specified in your guest's login profile.
It should be a number from 28444 to 28463.
For those who like arithmetic, the formula is 28443 plus the two digit suffix of your RHEL host login id.
Right-click on the completed URL and choose Open Link and it will open up the PayNow demo in another tab in your Firefox browser on your jumpbox.
The demo uses a self-signed X.509 certificate which your browser will not recognize, so you will have to "click through" any warnings that appear. For a "real world", production application, this would not be an acceptable setup, but it is okay for the purposes of this demo app. The certificate still provides encryption of the data that travels through the network; what it lacks is the pre-established trust your browser would have if the certificate had been signed by a certificate authority that your browser or operating system was configured to trust. Without that trust, clicking through the warning means your browser cannot tell the demo's certificate from one presented by an attacker sitting between you and the server, which is why this shortcut is acceptable only on a lab network.
Click either the PayNow link at the top right of the page or the PayNow button in the middle of the page.
You will be shown a "Payment Form" that has fields to enter a name, email address, credit card number, CVV, and amount, respectively. You can, and should, enter fake values for everything. Just enter any 16 digits for credit card number and any 3 digits for CVV. Click the "Pay Now" button just underneath the payment amount field.
You will see a new icon underneath that contains the name and payment amount you entered, and a randomly chosen picture displayed underneath- you may find that the picture shown under your name is radically different from what you look like in real life. (I told you to use a fake name!). Note that these pictures are randomly chosen each time the page refreshes. (Did I mention that this is just a demo?)
Feel free to add another payment or two- one is really enough for demo purposes, but it won't cause harm to enter more than one payment.
Click the Next link at the bottom right of this page to continue with the lab.
Find sensitive data in core dump¶
Switch to your RHEL host terminal session¶
Switch to your terminal tab or window for your RHEL host session:
Take a core dump of your KVM guest:
sudo /usr/local/bin/gcoreMyGuest.sh
Sample output from dumping your KVM guest
my guest Pid is 3198082
[New LWP 3198127]
[New LWP 3198132]
[New LWP 3198133]
[New LWP 3198134]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x000003ffae7f11f4 in ppoll () from target:/lib64/libc.so.6
Saved corefile core.3198082
[Inferior 1 (process 3198082) detached]
Optional: Display the contents of the script you just ran if you are curious as to how it worked:
cat /usr/local/bin/gcoreMyGuest.sh
Contents of the gcoreMyGuest.sh script
#!/bin/sh
myPid=$(ps aux | grep qemu | grep guest=${SUDO_USER} | awk '{print $2}')
echo my guest Pid is ${myPid}
/opt/rh/gcc-toolset-9/root/usr/bin/gcore ${myPid} 2>/dev/null
chown ${SUDO_USER}:hpvs_students /home/${SUDO_USER}/core.${myPid}
The script runs with root authority- it lists processes, grabs the process ID for your Ubuntu KVM guest, takes a core (memory) dump of the process, and then assigns your userid ownership of the dump file.
Set an environment variable for the process ID for your Ubuntu KVM guest. The script you ran did this as well but it was only set for the duration of the script execution, so you need to do it again:
myPid=$(ps aux | grep qemu | grep $(whoami) | awk '{print $2}')
echo My Ubuntu KVM Guest process id is ${myPid}
Pick out sensitive credit information from the core dump:
strings core.${myPid} | grep creditCard
You should recognize the sensitive information that you entered in the PayNow demo app. Note that TLS did not help here: the data was encrypted on the network, but the application has to decrypt it in order to process it, and once it sits in the guest's memory it is plain text to anyone who can read that memory. This demonstrates how a malicious system administrator with root on the KVM host can look at sensitive information from a standard KVM guest. An HPVS 2.1.x KVM guest, which is protected by Secure Execution, prevents this from occurring, as you will see from completing the remainder of this lab.
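The grep above works because you know the field name. As an added example, not part of the lab or of the PayNow project, here is a small Python scanner that does what strings piped into grep does, but the way an insider who did not know the field name would work: it extracts printable runs from the dump the way strings(1) does, pulls out every 13 to 19 digit sequence, and keeps only the ones that pass the Luhn check, which discards most timestamps, session IDs and other numeric noise that a multi-million-string dump is full of. The dump bytes are constructed inline; the creditCard field name comes from the lab, while the JSON layout and the values are assumptions, not what the real application stores.

```python
import re
import sys
from typing import List

# Constructed stand-in for a QEMU core file: binary filler surrounding the kind
# of record the PayNow form might leave in guest memory (layout is an assumption).
SAMPLE_DUMP = (
    b"\x7fELF" + b"\x00\x01\x02\xfe\xff" * 8
    + b"ppoll\x00"
    + b'{"name":"Jane Doe","creditCard":"4111111111111111","cvv":"123","amount":"42.00"}\x00'
    + b"\x00\xff" * 4
    + b"session=1234567890123456\x00"  # 16 digits, but fails Luhn: not a card number
    + b"ts=20230213165014\x00"         # timestamp-like digit run, also fails Luhn
)

# A run of 13 to 19 digits that is not part of a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of strings(1): printable ASCII runs of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cheap filter against random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(blob: bytes) -> List[str]:
    """Luhn-valid card-like numbers found in the dump, first-seen order, no duplicates."""
    found: List[str] = []
    for s in extract_strings(blob):
        for run in DIGIT_RUN.findall(s):
            if luhn_ok(run) and run not in found:
                found.append(run)
    return found


def find_keyed_values(blob: bytes, key: str) -> List[str]:
    """The 'grep creditCard' approach: values that follow a known key in JSON or key=value form."""
    pat = re.compile(re.escape(key) + r"""["']?\s*[:=]\s*["']?([^"',\s}]+)""")
    hits: List[str] = []
    for s in extract_strings(blob):
        hits.extend(pat.findall(s))
    return hits


if __name__ == "__main__":
    # Usage: python3 scan_dump.py core.<pid>   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("Luhn-valid card-like numbers:", find_card_numbers(data))
    print("creditCard fields:", find_keyed_values(data, "creditCard"))
```

Against a real core file the digit-run search will still return some false positives, but far fewer than a raw grep for 16 digits, and it needs no knowledge of the application at all. Against the Secure Execution guest there is nothing to run it on, since the dump never gets written.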
Please click Next below to continue
Configure rsyslog service¶
Overview of this page¶
The HPVS 2.1.x-protected PayNow application that you will create later in the lab will log its output to an rsyslog service on the Ubuntu KVM guest that you just started in the previous section. Rsyslog on your Ubuntu KVM guest is initially not set up for this, so you will configure rsyslog in this section of the lab. You may, however, have already set some of this up if you did the GREP11 with CENA4SEE Lab prior to doing this PayNow Lab. Carefully follow the instructions as they are written to succeed in either scenario if you follow them closely!
Logging to IBM Log Analysis on IBM Cloud
You can also log the output of an HPVS 2.1.x guest to an IBM Log Analysis instance on IBM Cloud. That is not covered in this lab but if you are interested in this, it is covered in the product documentation.
Switch to your terminal window or tab with the KVM Standard Guest profile¶
Your window or tab should look like this (unless you customized the profile we provided you):
Continue to enter commands in your KVM Standard Guest terminal tab or window until directed to switch to your other tab or window.
Install rsyslog-gnutls package¶
-
The initial installation of Ubuntu installed an rsyslog service. Display it with this command:
sudo systemctl status rsyslog
Example output
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-02-14 00:24:49 UTC; 12min ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 654 (rsyslogd)
      Tasks: 4 (limit: 2350)
     Memory: 2.2M
        CPU: 8ms
     CGroup: /system.slice/rsyslog.service
             └─654 /usr/sbin/rsyslogd -n -iNONE

Feb 14 00:24:49 ubuntu2204 systemd[1]: Starting System Logging Service...
Feb 14 00:24:49 ubuntu2204 systemd[1]: Started System Logging Service.
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (f>
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: rsyslogd's groupid changed to 115
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: rsyslogd's userid changed to 107
Feb 14 00:24:49 ubuntu2204 rsyslogd[654]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="654" x->
Feb 14 00:24:49 ubuntu2204 systemd[1]: rsyslog.service: Sent signal SIGHUP to main process 654 (rsyslogd)>
Feb 14 00:34:49 ubuntu2204 rsyslogd[654]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="654" x->
lines 1-22/22 (END)
If you're having trouble getting back to a command prompt, press q (for quit).
-
The default implementation of rsyslog uses the rsyslog package. Run this command to see which version of this package is installed, and to prove to yourself that the "bare-bones" default Ubuntu setup already installed it:
sudo apt-cache policy rsyslog
Output showing rsyslog is already installed
rsyslog:
  Installed: 8.2112.0-2ubuntu2.2
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
 *** 8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
        100 /var/lib/dpkg/status
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
-
The default implementation of rsyslog needs to be modified to allow it to receive messages sent across the network using the TCP protocol and with mutual TLS authentication. This will require the installation of the rsyslog-gnutls package.
Run this command to see if the rsyslog-gnutls package is installed:
sudo apt-cache policy rsyslog-gnutls
The second line of your output will indicate whether or not rsyslog-gnutls is already installed. Choose the tab below that matches your output and follow the instructions.
rsyslog-gnutls:
  Installed: (none)
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
     8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
-
Run the following command to install rsyslog-gnutls:
sudo apt-get install rsyslog-gnutls
Your output should look like this:
Output from installing rsyslog-gnutls
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  gnutls-bin
The following NEW packages will be installed:
  rsyslog-gnutls
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 17.8 kB of archives.
After this operation, 90.1 kB of additional disk space will be used.
Get:1 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x rsyslog-gnutls s390x 8.2112.0-2ubuntu2.2 [17.8 kB]
Fetched 17.8 kB in 0s (71.9 kB/s)
Selecting previously unselected package rsyslog-gnutls.
(Reading database ... 56568 files and directories currently installed.)
Preparing to unpack .../rsyslog-gnutls_8.2112.0-2ubuntu2.2_s390x.deb ...
Unpacking rsyslog-gnutls (8.2112.0-2ubuntu2.2) ...
Setting up rsyslog-gnutls (8.2112.0-2ubuntu2.2) ...
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date (ABI upgrades are not detected).

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
-
Return to the beginning of this step (step 3) and rerun the sudo apt-cache policy... command.
rsyslog-gnutls:
  Installed: 8.2112.0-2ubuntu2.2
  Candidate: 8.2112.0-2ubuntu2.2
  Version table:
     8.2112.0-2ubuntu2.2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy-updates/main s390x Packages
        500 http://ports.ubuntu.com/ubuntu-ports jammy-security/main s390x Packages
     8.2112.0-2ubuntu2 500
        500 http://ports.ubuntu.com/ubuntu-ports jammy/main s390x Packages
Proceed to the next step.
-
Configure rsyslog to listen for TLS-enabled connections on port 6514¶
-
Run this command to see if your rsyslog server has already been configured to listen for TLS-enabled connections on port 6514:
cat /etc/rsyslog.d/server.conf
Choose the tab below based on your output from the above command:
cat: /etc/rsyslog.d/server.conf: No such file or directory
-
Become the root user:
sudo su -
Example output when becoming root
student@ubuntu2204:~$ sudo su -
root@ubuntu2204:~#
-
Run this command which will create the configuration file:
cat << EOF > /etc/rsyslog.d/server.conf
# output to journal
module(load="omjournal")

template(name="journal" type="list") {
  # can add other metadata here
  property(outname="PRIORITY" name="pri")
  property(outname="SYSLOG_FACILITY" name="syslogfacility")
  property(outname="SYSLOG_IDENTIFIER" name="app-name")
  property(outname="HOSTNAME" name="hostname")
  property(outname="MESSAGE" name="msg")
}

ruleset(name="journal-output") {
  action(type="omjournal" template="journal")
}

# make gtls driver the default and set certificate files
\$DefaultNetstreamDriver "gtls"
\$DefaultNetstreamDriverCAFile /var/lib/rsyslog/x509/ca.crt
\$DefaultNetstreamDriverCertFile /var/lib/rsyslog/x509/server.crt
\$DefaultNetstreamDriverKeyFile /var/lib/rsyslog/x509/server-key.pem

# load TCP listener
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
  type="imtcp"
  port="6514"
  ruleset="journal-output"
)
EOF
-
Exit from being the root user:
exit
Your command prompt should now end with a dollar sign ($) indicating you are operating with regular authority as userid student, as opposed to the hash sign (#) prompt that you had when you were operating with root authority.
-
Return to the beginning of this step (step 1) and rerun the cat /etc/rsyslog.d/server.conf command.
# output to journal
module(load="omjournal")

template(name="journal" type="list") {
  # can add other metadata here
  property(outname="PRIORITY" name="pri")
  property(outname="SYSLOG_FACILITY" name="syslogfacility")
  property(outname="SYSLOG_IDENTIFIER" name="app-name")
  property(outname="HOSTNAME" name="hostname")
  property(outname="MESSAGE" name="msg")
}

ruleset(name="journal-output") {
  action(type="omjournal" template="journal")
}

# make gtls driver the default and set certificate files
$DefaultNetstreamDriver "gtls"
$DefaultNetstreamDriverCAFile /var/lib/rsyslog/x509/ca.crt
$DefaultNetstreamDriverCertFile /var/lib/rsyslog/x509/server.crt
$DefaultNetstreamDriverKeyFile /var/lib/rsyslog/x509/server-key.pem

# load TCP listener
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)

# start up listener at port 6514
input(
  type="imtcp"
  port="6514"
  ruleset="journal-output"
)
Take a look at the bottom of the file
There are three sections of interest at the bottom of the file: the $DefaultNetstreamDriver... lines that select the gtls driver and name the certificate files, the module(load="imtcp" ...) block that turns on TLS (StreamDriver.Mode="1") and requires a valid client certificate (StreamDriver.Authmode="x509/certvalid"), and the input(...) block that opens port 6514. If these lines could speak to you, they would say, "We are going to receive TCP messages on port 6514, we will use TLS to authenticate the sender of these messages and to encrypt them, and here are the certificate and keys needed to make this work".
Proceed to the next step.
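The three settings just described are easy to get subtly wrong (for example, leaving Authmode at "anon" gives you encryption but no idea who is sending you logs, and a world-readable server key undoes the point of TLS). Here is an added sanity check, not part of the lab, that reads a server.conf of this shape and reports on exactly those points. The sample configurations and the empty stand-in certificate files it writes are constructed for the demo; on your guest you would point it at /etc/rsyslog.d/server.conf.

```sh
#!/bin/sh
# Added example, not part of the lab: check an rsyslog server.conf of the kind the lab
# writes for the settings that make the listener safe to receive logs from an HPVS guest:
# the gtls driver, TLS-only mode, client authentication by x509 certificate (not "anon"),
# and certificate files that exist with a private key nobody else can read.
# Sample configs and stand-in certificate files are constructed below for the demo.

# check_rsyslog_tls_conf CONF -> prints each finding, returns 0 only if every check passes
check_rsyslog_tls_conf() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # driver-level settings that switch on TLS and mutual authentication
    grep -q 'DefaultNetstreamDriver "gtls"' "$conf" \
        || { echo "FAIL: gtls is not the default netstream driver"; rc=1; }
    grep -q 'StreamDriver.Mode="1"' "$conf" \
        || { echo "FAIL: StreamDriver.Mode is not 1 (plaintext would be accepted)"; rc=1; }
    if grep -q 'StreamDriver.Authmode="anon"' "$conf"; then
        echo "FAIL: Authmode anon encrypts but never authenticates the sender"; rc=1
    elif ! grep -Eq 'StreamDriver.Authmode="x509/(certvalid|name|fingerprint)"' "$conf"; then
        echo "FAIL: no x509 client authentication mode set"; rc=1
    fi

    # the listener itself
    grep -q 'port="6514"' "$conf" || { echo "FAIL: no input on port 6514"; rc=1; }

    # certificate material: every referenced file must exist, and the key must be owner-only
    for key in CAFile CertFile KeyFile; do
        path=$(awk -v k="\$DefaultNetstreamDriver$key" '$1 == k { print $2 }' "$conf")
        if [ -z "$path" ] || [ ! -r "$path" ]; then
            echo "FAIL: $key missing or unreadable: '$path'"; rc=1; continue
        fi
        if [ "$key" = KeyFile ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "FAIL: private key $path is readable by group/other"; rc=1
        fi
    done
    return $rc
}

# write_sample_confs DIR: constructed good and weak configurations for the demo
write_sample_confs() {
    dir="$1"
    mkdir -p "$dir/x509"
    : > "$dir/x509/ca.crt"; : > "$dir/x509/server.crt"          # empty stand-ins
    : > "$dir/x509/server-key.pem"; chmod 600 "$dir/x509/server-key.pem"
    cat > "$dir/good.conf" <<EOF
\$DefaultNetstreamDriver "gtls"
\$DefaultNetstreamDriverCAFile $dir/x509/ca.crt
\$DefaultNetstreamDriverCertFile $dir/x509/server.crt
\$DefaultNetstreamDriverKeyFile $dir/x509/server-key.pem
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="x509/certvalid")
input(type="imtcp" port="6514")
EOF
    # weak variant: anonymous TLS (no client certificate check) and a group/other-readable key
    : > "$dir/x509/weak-key.pem"; chmod 644 "$dir/x509/weak-key.pem"
    cat > "$dir/weak.conf" <<EOF
\$DefaultNetstreamDriver "gtls"
\$DefaultNetstreamDriverCAFile $dir/x509/ca.crt
\$DefaultNetstreamDriverCertFile $dir/x509/server.crt
\$DefaultNetstreamDriverKeyFile $dir/x509/weak-key.pem
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon")
input(type="imtcp" port="6514")
EOF
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_confs "$d"
    echo "--- good.conf"; check_rsyslog_tls_conf "$d/good.conf" && echo "OK"
    echo "--- weak.conf"; check_rsyslog_tls_conf "$d/weak.conf" || echo "rejected"
fi
```

Run it as `sh check.sh demo` to see both verdicts. The permission check is deliberately strict: rsyslog runs as the syslog user, so the key only needs to be readable by that owner, which is exactly what the chown in the copy step later in this section arranges.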
-
Create a Certification Authority (CA) for your rsyslog service¶
For this configuration file to work, you'll need to create the certificate and keys and put them where the configuration file says you put them- in the /var/lib/rsyslog/x509/ directory.
Background Information¶
The TLS authentication for communication with the rsyslog service requires an X509 certificate and private key. An X509 certificate contains a public key that goes with the private key. An X509 certificate also contains metadata including the identification of the holder of the certificate, the purposes the certificate is intended for, and more. Think of a public key as a yummy cake baked with yellow dough: it's moist and tastes pretty good, but the X509 certificate wrapped around it is like the chocolate icing and the rainbow sprinkles- it's delicious! (Break time!!) If you haven't given up on the analogy, think of the private key as the secret recipe to bake the cake that nobody but you knows about. For a slightly more technical (but still just scratching the surface), though perhaps not as tasty, description of public key cryptography check out this description from one of our earlier labs.
An X509 certificate needs to be created and signed by a certification authority (CA).
The authority prefers certification
Most people call a CA a "certificate authority" but actually the Internet Request for Comment (RFC) that defines the X509 standard uses the term "certification authority". Imagine that!
For the lab you will create your own CA- what is often called a "self-signed" CA. A utility called openssl can be used to do this. A CA signs certificates that it creates. In order to digitally sign something, you use a private key. In simple terms, a publicly known algorithm- which can be poked at and prodded at by researchers and academics in an effort to prove its security or to hopefully win a large bounty by proving its insecurity- is run against a private key that nobody else knows, and produces a unique output, or signature. This signature can be verified algorithmically by anybody who holds the private key's corresponding public key.
Who holds the public key?
That's right, the public! It is safe to share your public key with others- it is your private key that you must protect from loss, theft or exposure.
If you receive a piece of digital information that is signed, and the public key that corresponds to the private key used to create the signature, you can prove that whoever signed this had to have held the private key in order to create the signature. Okay, cool. But what if a malicious actor had the private key and gave you the public key? Would you feel so great knowing you verified the signer if they were malicious? No! That is where a CA comes in. The idea is that the following process occurs:
- An individual or organization submits a request for a certificate (CSR) with their public key.
- The CA takes the effort to verify that the owner of the public key is a good actor and is who they say they are and can be trusted.
- The CA creates the certificate that holds the public key, essentially stating "I am a CA and you can trust me and the holder of this certificate that I just signed is a good person and they are who they say they are, so you can trust this certificate and anything it signs".
How is that working out for us?
The X509 Certification Authority protocol is outstanding in theory. In practice its vulnerability lies in the need for the holders of private keys to protect them with diligence. Losing your private key is akin to losing your wallet or your house key or your drivers license or ... you get the picture. Attacks such as software supply chain attacks are often accomplished by malicious actors who have stolen others' private keys. This is why initiatives like Confidential Computing and technologies like Hardware Security Modules are important.
In real world practice, for external, customer-facing applications an enterprise will ask a well-known and trusted third-party CA to issue its certificates. In many cases an enterprise may run its own internal CA for certificates for internal applications. In this lab you're going to create your own CAs. Hopefully, you trust yourself enough to feel comfortable with this...
Create the Certificate Authority for your rsyslog service if it doesn't exist yet¶
-
Run this command to see if these files already exist:
ls -l ${HOME}/x509Work/rsyslog/CA/{ca.crt,ca-key.pem}
Choose the tab below that resembles your output from the above command:
ls: cannot access '/home/student/x509Work/rsyslog/CA/ca.crt': No such file or directory
ls: cannot access '/home/student/x509Work/rsyslog/CA/ca-key.pem': No such file or directory
-
Run this command sequence (which we've split across multiple lines for readability):
cd ${HOME} && \
mkdir -p x509Work/rsyslog/{CA,server,clients} && \
cd x509Work/rsyslog/CA
It accomplishes the following:
- Ensures you are in your home directory (which you already are in unless you wandered off on your own)
- Creates a fresh directory structure, if it doesn't yet exist, that you'll work in for this activity (and also later in the lab)
- Switches to the directory intended for use in creating a self-signed CA- in fact, while the command should not have produced any output, you should notice that your command prompt shows that you are now in your ~/x509Work/rsyslog/CA directory
-
Create a private key. It will be the private key your self-signed CA for rsyslog will use and we'll call it ca-key.pem:
openssl genrsa -out ca-key.pem 4096
-
Run the following command to create a configuration file for your CA:
cat << EOF > ca.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
[ dn ]
C = US
O = IBM WSC IBM Z and LinuxONE
CN = CA for rsyslog for SE-enabled KVM guests
EOF
Why are we using .cnf configuration files?
Some openssl commands have a tendency to ask a bunch of questions, which can be tedious and error-prone when typing the answers, but you can avoid that by creating a configuration file that provides the answers and thus avoids the questions. You'll see this pattern throughout the lab.
-
A CA itself has a certificate that it can send or make available to others (others being people, or computer processes, or whomever). You don't have one yet- all you have is a private key. A certificate signing request (CSR) can be created from a private key- it derives the public key from the private key and creates an object called a Certificate Signing Request (CSR) that contains the public key and other identifying information and can be sent to a CA. Create your CSR:
openssl req -config ca.cnf -key ca-key.pem -new -out ca-req.csr
Certificate Signing Request (CSR)
The RSA algorithm is a magical mystery tour to most mortals, but the algorithm is such that the public key can be extracted from a private key. You will use the private key as input to a command that will create what is known as a CSR. A CSR is a file that contains the public key (the yellow dough) and other information (the icing and the sprinkles) that you then send to the CA and say "please, please, I'm a good person and you can trust me and please create a real certificate for me". A CSR is like a caterpillar and the resulting certificate is like a beautiful butterfly.
Now you have a certificate signing request.
So you normally send a CSR to a CA to sign. There's a "chicken or the egg" problem here. If a CA needs a Certificate, and a Certificate has to be created by another CA, then how did that CA get created? By another CA? Yes, possibly. But, does the chain go on forever? No- at some point in the chain the CA's certificate was signed by its own private key, and not a higher CA. This is the root of the chain, and it is self-signed. In real life, a chain could be many layers deep, but it eventually has to stop. Think of it like a management chain in an organization's org chart- there are first-line managers, second-line managers, and so forth up to the CEO. The Root certificate is like the CEO.
-
Since you're the boss of your lab, and the worker, you don't need a big long chain of CAs. Just one will do fine. So you'll build a single root, or self-signed, CA, and you'll like it!
openssl x509 -signkey ca-key.pem -in ca-req.csr -req -days 365 -out ca.crt
Output from creating self-signed CA certificate
Certificate request self-signature ok
subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
-
Return to the beginning of this step (step 1) to rerun the ls command to ensure you completed these instructions successfully.
-rw------- 1 student student 3268 Dec  7 22:46 /home/student/x509Work/rsyslog/CA/ca-key.pem
-rw-rw-r-- 1 student student 1903 Dec  7 22:47 /home/student/x509Work/rsyslog/CA/ca.crt
Congratulations! Continue to the next step in the lab.
-
Create a certificate and key for your rsyslog service¶
Process Overview¶
In real life, a CA will probably issue lots of certificates- it's how they make money. Your CA is only going to create a couple:
- a certificate for the rsyslog service which you will create next.
- a certificate for the client (your future GREP11 Server) of the rsyslog service, which you will create later in the lab.
- if you also do the PayNow Lab you will create a separate client certificate in that lab (or maybe you already created it if you did that lab first).
In this section we will create the certificate for the rsyslog service. The process is the same as what you just went through for creating your CA for steps 1-3 below, and differs slightly for step 4:
- Create a private key
- Create a configuration file to answer questions ahead of time
- Use the key and the config file to create a CSR
- This time you'll have your "self-signed" CA create and sign the certificate that your rsyslog service uses
Creation time¶
-
Check to see if the rsyslog certificate and key have already been created:
ls -l ${HOME}/x509Work/rsyslog/server/{server-key.pem,server.crt}
Choose the tab below that resembles your output from the above command:
ls: cannot access '/home/student/x509Work/rsyslog/server/server-key.pem': No such file or directory
ls: cannot access '/home/student/x509Work/rsyslog/server/server.crt': No such file or directory
-
Change to the directory that you will use for the rsyslog service's certificate and key:
cd ${HOME}/x509Work/rsyslog/server
-
Create a private key that your rsyslog service will use:
openssl genrsa -out server-key.pem 4096
-
Create the configuration file to preemptively answer the inevitable questions. We've used a command pipe to extract your guest's IP address into a variable and then we use that variable in two places in the configuration file. If you borrow this technique for your system please ensure that this command pipe works on your system:
export ip="$(ip route get 1.1.1.1 | grep -oP 'src \K[^ ]+')" && \
cat << EOF > server.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
[ server ]
subjectAltName = IP:${ip}
extendedKeyUsage = serverAuth
[ dn ]
C = US
O = Rsyslog Service
CN = ${ip}
EOF
Optional: You know you can't resist looking at the output file to see if that IP magic worked, so just do it:
cat server.cnf
-
Create the rsyslog service's Certificate Signing Request:
openssl req -config server.cnf \
  -key server-key.pem \
  -new \
  -out server-req.csr
-
You will use the rsyslog "self-signed" CA to create the certificate for your rsyslog server, by running this command:
openssl x509 -req \
  -in server-req.csr \
  -days 365 \
  -CA ../CA/ca.crt \
  -CAkey ../CA/ca-key.pem \
  -CAcreateserial \
  -extfile server.cnf \
  -extensions server \
  -out server.crt
Example output from certificate creation
Certificate request self-signature ok
subject=C = US, O = Rsyslog Test Server, CN = 172.16.0.42
-
Run this command to display the rsyslog service's certificate in a form that a human can comprehend:
openssl x509 -noout -text -in server.crt
Example human-readable display of certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:1b:54:77:9d:c9:28:b0:7c:f0:b8:d6:dc:24:e1:b1:60:fa:59:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
        Validity
            Not Before: Feb 14 01:18:18 2023 GMT
            Not After : Feb 14 01:18:18 2024 GMT
        Subject: C = US, O = Rsyslog Test Server, CN = 172.16.0.42
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:ed:d0:83:3c:65:8c:6c:4d:f5:bc:bc:56:e9:
                    3c:57:ab:b8:3c:29:14:2a:73:d6:ca:a0:7e:0c:00:
                    fc:4f:cc:28:88:1c:01:e9:26:9e:5e:0b:60:5e:ee:
                    69:f3:c7:c8:f9:26:19:71:a7:1a:c1:54:3a:3d:6b:
                    01:4a:e2:20:ab:89:a5:31:a7:f4:a2:39:71:30:21:
                    29:17:4f:04:15:73:1d:b7:b6:c2:81:c2:f1:d9:a8:
                    29:d8:ca:c9:d6:97:f3:37:8e:17:9d:a7:b1:30:c8:
                    5c:1c:be:e2:75:5e:9f:88:08:76:54:5a:ee:40:d4:
                    90:26:2b:74:35:71:a2:d1:4d:86:db:46:bf:18:38:
                    0a:fb:e4:1a:ab:ef:f6:49:1e:7b:bc:76:71:3a:b7:
                    5e:e8:c0:c7:3d:db:74:2d:87:20:5b:e6:5e:27:67:
                    1a:e9:e1:ea:20:b8:d2:fc:5e:2d:79:c0:e5:46:22:
                    cf:6e:26:54:c6:00:d1:d0:05:46:0b:9d:97:8c:cb:
                    68:e7:a4:b2:9a:47:21:67:e5:56:32:cb:ba:c3:0e:
                    c8:f3:f4:17:02:ca:ee:ac:37:0e:f3:40:cf:a4:56:
                    98:9d:b3:e3:e2:c2:43:d7:3b:a5:c1:09:92:2b:e9:
                    fb:5b:a6:73:d0:83:97:c9:70:7f:f8:84:59:b3:b6:
                    4f:e8:40:98:92:74:5c:8c:9f:db:27:7f:94:4b:00:
                    a6:cf:06:9b:0f:a9:f4:35:17:01:e6:d6:6d:c2:78:
                    f8:41:59:f6:f6:f2:11:d1:52:28:b5:06:78:ba:db:
                    12:f2:3f:c6:ef:14:64:cd:85:49:ce:8e:fc:91:b8:
                    2a:c3:25:6a:cc:3c:46:9d:e8:10:aa:30:fd:3b:55:
                    3a:26:97:00:8b:62:c4:d6:89:f0:36:68:13:63:19:
                    ba:18:f4:0c:4f:bc:5d:34:c8:24:d9:8e:2f:4b:e5:
                    d9:dd:9f:39:8d:00:54:fe:d9:00:d7:f1:71:6b:8b:
                    9c:ed:66:de:6a:26:3f:48:cb:3a:4a:fc:9c:50:12:
                    f5:da:dc:e7:e5:08:6c:0a:6d:60:73:cf:e6:b2:3e:
                    06:59:98:00:2c:97:25:38:01:50:2e:c2:c6:35:fa:
                    e4:d5:20:01:fb:9d:ca:4c:78:3f:7a:ad:c7:5d:db:
                    5e:04:c7:0f:e2:9f:a1:e9:27:f8:f2:a9:9f:00:07:
                    58:68:c9:3f:d6:41:5b:46:90:f5:26:6a:04:2c:cf:
                    44:c9:f8:1e:5d:38:95:95:71:e2:30:57:d5:83:41:
                    73:a4:00:88:6b:99:84:71:d3:60:ce:32:9c:bb:3b:
                    39:46:a7:77:fd:7e:ed:1c:81:02:e3:da:83:85:2c:
                    c9:60:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:172.16.0.42
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                CC:01:AD:BA:8C:5F:31:B9:58:A9:2D:4E:05:C7:B1:B7:82:10:90:05
            X509v3 Authority Key Identifier:
                DirName:/C=US/O=IBM WSC IBM Z and LinuxONE/CN=CA for rsyslog for SE-enabled KVM guests
                serial:0B:4A:84:C6:84:00:F8:7F:B7:0A:F0:82:FD:4E:C1:F2:99:C2:63:BC
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4c:a3:7a:76:21:0d:8f:db:e9:3a:a6:3f:6b:3a:9a:5d:bb:ac:
        7e:75:5c:ed:69:3c:b9:2b:6e:84:1c:fc:1f:56:47:ff:b3:38:
        92:fe:0f:5b:2c:87:32:0e:8f:60:c3:33:ff:d5:89:26:61:9a:
        7f:ce:ae:f3:6b:cc:77:1b:4d:d0:59:5f:d9:09:e1:fa:21:5c:
        6a:6f:b3:71:45:10:98:4f:6e:fe:08:7f:31:42:e6:dd:83:9a:
        11:de:2d:eb:b5:b9:40:4d:80:86:7f:f8:88:cc:87:60:38:d4:
        e2:9a:89:9d:ec:43:61:ad:34:96:38:93:ca:4a:63:8d:cc:b7:
        33:98:33:e2:63:c1:7b:04:98:80:b3:e1:54:df:f6:24:57:82:
        98:c4:e8:64:8a:3b:d2:af:65:56:d7:97:c0:c3:dc:45:06:c9:
        4f:ce:5b:d3:49:7f:2b:28:83:27:57:b9:bf:1a:46:81:68:4c:
        6b:85:d7:db:f0:d4:25:7b:3d:92:63:d0:91:b5:ec:df:cb:e4:
        6b:6c:b0:c4:47:3c:c6:91:64:33:f6:11:6b:5b:f7:70:bd:e1:
        71:ef:a6:28:57:b2:a0:e0:2e:ef:ab:34:7a:c4:b8:24:18:88:
        5f:92:0b:92:ca:14:a2:b6:62:ab:2c:e6:c2:bb:27:91:54:de:
        84:56:1e:ed:f3:7d:b7:e8:34:b4:78:76:2c:1f:af:d9:61:b7:
        6e:59:fa:e8:33:38:b4:5e:30:69:71:06:4d:df:fe:cb:46:03:
        ba:69:7c:85:3c:f0:73:f7:d8:4e:b0:39:aa:79:72:1f:52:2e:
        05:cb:81:9f:e3:62:6b:66:55:7c:92:13:21:62:dc:fd:9d:8f:
        f8:77:dd:d2:b6:61:c4:8f:fa:fa:a0:74:95:fa:9d:f2:5d:d2:
        7d:d4:41:95:d8:41:50:99:7d:80:3d:36:28:75:28:62:67:05:
        11:a3:95:c7:85:8f:20:37:d6:b8:b5:8a:f6:8a:e3:d0:85:6e:
        cd:2a:41:f9:e7:48:bb:b0:b7:54:dc:6b:df:c9:a2:5e:f7:61:
        c2:3a:4c:82:7e:6b:e9:82:cf:c6:3a:7f:a2:ae:39:00:d9:ac:
        bf:8a:84:72:e6:ae:c1:75:e0:92:60:5e:cd:4b:64:1f:5a:44:
        3a:09:15:2c:95:b8:c3:ca:44:ec:79:1e:d5:96:bc:20:9a:7a:
        cf:6b:e4:cf:e0:91:f2:c2:e6:fd:f1:8a:66:c4:ae:eb:90:90:
        f4:ec:64:66:9a:9a:11:8d:11:ab:ef:05:d2:42:fb:e5:2c:78:
        8a:db:16:b7:96:ae:06:b8:42:b4:c7:23:26:b2:9a:c2:85:d8:
        6b:6d:d8:4e:84:0e:ab:a1
-
Return to the beginning of this step (step 1) to rerun the ls command to ensure you completed these instructions successfully.
-rw------- 1 student student 3272 Dec  7 23:06 /home/student/x509Work/rsyslog/server/server-key.pem
-rw-rw-r-- 1 student student 2151 Dec  7 23:17 /home/student/x509Work/rsyslog/server/server.crt
Congratulations! Continue to the next step in the lab.
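The CA steps and the server-certificate steps above are one procedure: key, .cnf, CSR, then either self-sign (the CA) or sign with the CA (the server). As an added example, not part of the lab, the script below runs that whole procedure in a function and then applies the checks a TLS client such as rsyslog's gtls driver will make against the result: that the certificate chains to the CA, that its SAN carries the IP clients connect to, that it has the serverAuth EKU, and that it is not accidentally self-signed. The work directory, the IP address 192.0.2.10 and the DN values are constructed stand-ins for ~/x509Work/rsyslog, your guest's real IP and the lab's names; the key size is a parameter (the lab uses 4096; the demo uses 2048 to run faster).

```sh
#!/bin/sh
# Added example, not part of the lab: the CA and server-certificate steps as one function,
# followed by the checks a TLS client applies to the result. WORKDIR, the IP and the DN
# values are constructed for the demo. Requires openssl.

# build_rsyslog_pki WORKDIR IP [BITS]
build_rsyslog_pki() {
    work="$1"; ip="$2"; bits="${3:-4096}"
    mkdir -p "$work/CA" "$work/server"

    # CA: private key, a .cnf that answers the prompts, CSR, self-signed certificate
    openssl genrsa -out "$work/CA/ca-key.pem" "$bits" 2>/dev/null
    cat > "$work/CA/ca.cnf" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
[ dn ]
C = US
O = Example Org (constructed)
CN = Example CA for rsyslog (constructed)
EOF
    openssl req -config "$work/CA/ca.cnf" -key "$work/CA/ca-key.pem" -new -out "$work/CA/ca-req.csr"
    openssl x509 -signkey "$work/CA/ca-key.pem" -in "$work/CA/ca-req.csr" -req -days 365 \
        -out "$work/CA/ca.crt" 2>/dev/null

    # server: private key, .cnf with the [ server ] extensions, CSR, certificate signed by the CA
    openssl genrsa -out "$work/server/server-key.pem" "$bits" 2>/dev/null
    cat > "$work/server/server.cnf" <<EOF
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
[ server ]
subjectAltName = IP:${ip}
extendedKeyUsage = serverAuth
[ dn ]
C = US
O = Rsyslog Service (constructed)
CN = ${ip}
EOF
    openssl req -config "$work/server/server.cnf" -key "$work/server/server-key.pem" -new \
        -out "$work/server/server-req.csr"
    openssl x509 -req -in "$work/server/server-req.csr" -days 365 \
        -CA "$work/CA/ca.crt" -CAkey "$work/CA/ca-key.pem" -CAcreateserial \
        -extfile "$work/server/server.cnf" -extensions server \
        -out "$work/server/server.crt" 2>/dev/null
    chmod 600 "$work/CA/ca-key.pem" "$work/server/server-key.pem"   # keys are owner-only
}

# verify_server_cert WORKDIR IP: what a client such as rsyslog's gtls driver checks
# before trusting the listener; returns 0 only if every check passes
verify_server_cert() {
    work="$1"; ip="$2"; rc=0
    crt="$work/server/server.crt"
    # 1. chains to our CA and is inside its validity period
    openssl verify -CAfile "$work/CA/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: server.crt does not verify against ca.crt"; rc=1; }
    text=$(openssl x509 -noout -text -in "$crt")
    # 2. the SAN names the IP address clients will connect to
    echo "$text" | grep -q "IP Address:${ip}" || { echo "FAIL: SAN lacks IP ${ip}"; rc=1; }
    # 3. the EKU allows use as a TLS server
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo "FAIL: no serverAuth EKU"; rc=1; }
    # 4. issued by the CA, not self-signed by accident
    issuer=$(openssl x509 -noout -issuer -in "$crt"); subject=$(openssl x509 -noout -subject -in "$crt")
    [ "${issuer#issuer=}" != "${subject#subject=}" ] || { echo "FAIL: server.crt is self-signed"; rc=1; }
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_rsyslog_pki "$d" 192.0.2.10 2048
    verify_server_cert "$d" 192.0.2.10 && echo "server certificate OK ($d)"
fi
```

Run it as `sh pki.sh demo`. The `openssl verify -CAfile` call is the single most useful check to keep in your own procedures: it is what tells you, before you restart rsyslog, that the certificate you copied into /var/lib/rsyslog/x509 really was issued by the ca.crt sitting next to it.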
-
Copy certificates and private key to the location specified in the /etc/rsyslog.d/server.conf file¶
You used directories under ${HOME}/x509Work/rsyslog to create your rsyslog CA and your rsyslog service's certificate. The rsyslog CA's certificate and both the certificate and key for the rsyslog service need to be in the /var/lib/rsyslog/x509/ directory, because that's the location you specified in rsyslog's configuration file.
In this section you'll check to see if they are already present in /var/lib/rsyslog/x509/, and if they aren't, the instructions will get them there for you!
-
Run this command to see if these files are already in their proper place:
ls -l /var/lib/rsyslog/x509/{ca.crt,server.crt,server-key.pem}
Choose the tab below that resembles your output from the above command:
ls: cannot access '/var/lib/rsyslog/x509/ca.crt': No such file or directory
ls: cannot access '/var/lib/rsyslog/x509/server.crt': No such file or directory
ls: cannot access '/var/lib/rsyslog/x509/server-key.pem': No such file or directory
-
Run the following command to copy the files to where they belong and to set the ownership of the files to the user and group that the rsyslog service runs under:
sudo mkdir -p /var/lib/rsyslog/x509 && \
sudo cp -ipv ../CA/ca.crt /var/lib/rsyslog/x509/. && \
sudo cp -ipv server.crt /var/lib/rsyslog/x509/. && \
sudo cp -ipv server-key.pem /var/lib/rsyslog/x509/. && \
sudo chown -R syslog:syslog /var/lib/rsyslog
Output from copying files
'../CA/ca.crt' -> '/var/lib/rsyslog/x509/./ca.crt'
'server.crt' -> '/var/lib/rsyslog/x509/./server.crt'
'server-key.pem' -> '/var/lib/rsyslog/x509/./server-key.pem'
-
Return to the top of this step (step 1) to repeat the ls command to ensure these instructions succeeded.
-rw-rw-r-- 1 syslog syslog 1903 Dec  7 22:47 /var/lib/rsyslog/x509/ca.crt
-rw------- 1 syslog syslog 3272 Dec  7 23:06 /var/lib/rsyslog/x509/server-key.pem
-rw-rw-r-- 1 syslog syslog 2151 Dec  7 23:17 /var/lib/rsyslog/x509/server.crt
Continue to the next section.
-
Restart your rsyslog service¶
You'll truly know that you configured everything correctly later in the lab when you try to write messages to it from your yet-to-be-created HPVS 2.1.x GREP11 Server. But for now, you will verify it somewhat by checking which TCP ports on your system are listening and looking in the output to see if rsyslog is listening on port 6514.
-
Run this command:
sudo lsof -nP -iTCP -sTCP:LISTEN
Choose the appropriate tab depending on whether you see port 6514 in your command output:
systemd-r 578 systemd-resolve 14u IPv4 14169 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd      719           root  3u IPv4 16746 0t0 TCP *:22 (LISTEN)
sshd      719           root  4u IPv6 16757 0t0 TCP *:22 (LISTEN)
-
Restart the rsyslog service:
sudo systemctl restart rsyslog
No news is good news on the above command- it's pretty quiet when it works.
-
Display the rsyslog service's status and notice it hasn't been active very long, since it was just restarted:
sudo systemctl status rsyslog
Output showing rsyslog status after restart
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-02-14 01:30:47 UTC; 13s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 1439 (rsyslogd)
      Tasks: 9 (limit: 2350)
     Memory: 1.8M
        CPU: 1.008s
     CGroup: /system.slice/rsyslog.service
             └─1439 /usr/sbin/rsyslogd -n -iNONE

Feb 14 01:30:46 ubuntu2204 systemd[1]: Starting System Logging Service...
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (>
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: rsyslogd's groupid changed to 115
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: rsyslogd's userid changed to 107
Feb 14 01:30:47 ubuntu2204 rsyslogd[1439]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="1439" >
Feb 14 01:30:47 ubuntu2204 systemd[1]: Started System Logging Service.
-
Return to the top of this step (step 1) to repeat the sudo lsof ... command to ensure these instructions succeeded.
COMMAND   PID            USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 602 systemd-resolve 14u IPv4 15472 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd      709           root  3u IPv4 16871 0t0 TCP *:22 (LISTEN)
sshd      709           root  4u IPv6 16882 0t0 TCP *:22 (LISTEN)
rsyslogd 1439         syslog  6u IPv4 22401 0t0 TCP *:6514 (LISTEN)
rsyslogd 1439         syslog  7u IPv6 22402 0t0 TCP *:6514 (LISTEN)
Notice that rsyslogd is listening on port 6514. You have configured the rsyslog service correctly and may continue in the lab.
-
Switch to your terminal tab or window for your session with the RHEL host, as you will start the next section of the lab working on the RHEL host.
Please proceed to the next section of the lab by clicking the Next link on the bottom right of this page.
Create rsyslog client certificate for your HPVS KVM guest for the PayNow demo¶
Overview of this section¶
In the last section you created the following:
- self-signed CA for the rsyslog service
- server certificate for the rsyslog service
Your HPVS KVM guest will be a client of the rsyslog service, so in this section you will use your self-signed CA (the first item above) to create a client certificate for your soon-to-be-created HPVS 2.1.x KVM guest for the PayNow demo.
Please read the instructions carefully
You'll be switching between both of your userids in this section:
- your studentnn userid on the RHEL host where nn is unique to you and between 01 and 20
- your student userid on your Ubuntu KVM guest
We'll do our part by telling you when to switch. Please do your part by reading the instructions carefully!
If necessary, log in to the RHEL host¶
Switch to the correct terminal tab or window for your session on the RHEL host, the one that looks like this:
You should already be logged in, but, if you need to log in for any reason, the command is ssh -l ${StudentID} 192.168.22.64
Create certificate for client access to rsyslog¶
Steps 1 through 5 will be performed on the RHEL host.
-
Create a working directory and switch to it:
mkdir -p ~/paynowLab/x509Work/rsyslogClient \
  && cd ~/paynowLab/x509Work/rsyslogClient
-
Create a new private key:
openssl genrsa -out client-key.pem 4096
Example output when creating RSA private key
Generating RSA private key, 4096 bit long modulus (2 primes)
..++++
................................................................................++++
e is 65537 (0x010001)
You should see output similar to what is shown above on the RHEL 8.5 host. This same command was very quiet on your Ubuntu KVM guest.
-
Create a configuration file:
cat << EOF > client.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
[ dn ]
C = US
O = IBM WSC IBM Z and LinuxONE
CN = SE-enabled HPVS KVM guest for PayNow demo
EOF
-
Create a certificate signing request (CSR):
openssl req \
  -config client.cnf \
  -key client-key.pem \
  -new \
  -out paynowLab-client-req.csr
-
Now you are going to use a pattern that is similar to a real-world pattern:
You are going to send your CSR, which you just created on the RHEL host, to the Rsyslog CA which you created on your Ubuntu KVM guest:
scp paynowLab-client-req.csr \
  student@${StudentGuestIP}:./x509Work/rsyslog/clients/.
Example prompt and output when sending file
paynowLab-client-req.csr 100% 1691 9.2MB/s 00:00
-
Switch to your terminal tab or window for your KVM Ubuntu guest. Yes, this one:
-
If you are doing the lab in one sitting, in order, then you are probably already logged in. If you need to log in for any reason the command is:
ssh -p ${Student_SSH_Port} -l student 192.168.22.64
Steps 8 through 12 will be performed on your Ubuntu KVM guest.
-
You are now the CA registrar. Switch to your working directory and find the certificate signing request (CSR) that your customer (i.e., you) sent to you.
cd ${HOME}/x509Work/rsyslog/clients && ls -l paynowLab-client*.csr
Make sure your csr is listed
-rw-r--r-- 1 student student 1691 Feb 14 01:47 paynowLab-client-req.csr
-
You will do your due diligence and check the contents of the CSR:
openssl req -noout -text -in paynowLab-client-req.csr
Example human-readable display of CSR
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS KVM guest for PayNow demo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6:
                    b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90:
                    06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db:
                    10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db:
                    2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94:
                    c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40:
                    e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca:
                    4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4:
                    21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b:
                    72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0:
                    33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88:
                    19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d:
                    a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20:
                    f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa:
                    ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef:
                    f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2:
                    d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6:
                    44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd:
                    bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71:
                    44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1:
                    7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49:
                    2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47:
                    c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8:
                    92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81:
                    c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93:
                    ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92:
                    36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee:
                    04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e:
                    0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84:
                    20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e:
                    3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33:
                    8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec:
                    bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6:
                    54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96:
                    e0:cc:69
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8d:0b:7b:fd:eb:6b:04:85:4f:b6:a8:81:8f:03:77:aa:26:7d:
        58:44:3a:af:1b:de:fe:73:52:38:7c:8b:e9:2d:47:34:93:31:
        9d:04:0b:08:3a:3c:92:72:cf:60:c6:3b:83:6c:9a:8d:7b:08:
        4b:13:44:8b:3c:14:58:f7:b6:26:8c:c8:d5:29:f7:f8:fb:98:
        a6:9f:78:6a:9a:f4:10:88:16:55:b8:83:ee:7d:1b:95:4c:02:
        77:10:9c:ca:61:01:c7:33:7f:65:81:6e:5e:18:25:a7:68:26:
        e0:5e:b5:6d:89:00:31:ed:21:bf:32:c8:13:4b:00:c6:a3:b5:
        5f:4d:13:4c:86:51:31:59:02:92:fd:88:30:3a:1f:ac:da:8b:
        82:25:b2:3d:7e:1d:1f:e3:55:aa:7a:26:1f:85:b6:86:87:34:
        9a:36:5e:55:0b:a9:6b:dd:77:56:4f:54:3e:27:ec:ac:a7:aa:
        ea:bb:86:40:a2:e8:af:88:77:5b:41:ec:42:0f:06:1e:7a:36:
        85:5f:36:14:d4:02:30:3c:27:8d:85:61:0c:93:83:a0:0d:cd:
        e7:c3:ac:02:d9:49:2e:58:a5:a1:24:33:56:a6:6c:e1:dc:dc:
        5b:11:32:65:84:08:70:7e:b2:52:2f:34:5e:83:46:45:8e:91:
        dc:4a:2d:31:2d:3e:3a:4a:03:a2:c4:02:d9:7f:6a:89:42:10:
        da:a4:7a:24:c2:2a:b5:fb:25:c8:1b:45:5f:f1:85:91:ca:0a:
        44:74:8f:60:44:86:e5:49:ab:d9:d1:d8:fa:0c:6d:1f:a8:7c:
        7c:6f:3f:66:0b:d9:46:5a:5c:4d:6e:79:7a:c2:eb:d2:02:a9:
        80:1e:66:53:b9:fd:5d:cf:6e:86:e7:58:7f:a4:74:31:cd:9f:
        b6:c2:b0:24:69:70:2f:9e:6e:4f:2d:74:53:8b:15:74:6c:08:
        bd:f0:b9:d2:e4:e0:a4:14:cf:b1:77:4d:6d:88:8a:ee:c7:6c:
        4b:15:c9:91:85:7d:a2:fa:cd:10:27:b3:27:fc:3b:f2:d1:86:
        57:33:0d:27:02:f2:c6:ab:46:8e:00:de:88:1f:59:d0:fd:6f:
        30:39:94:ba:af:17:89:37:df:0d:9e:1a:a7:d6:49:de:f5:40:
        61:e3:fa:52:70:3d:57:76:9f:fa:15:30:be:64:85:27:61:b0:
        02:9f:f6:20:c3:2d:1a:84:44:48:f6:08:db:f8:80:b9:ea:38:
        16:52:fe:2a:c0:f1:d9:8f:80:37:9f:fd:e2:ec:1e:99:c3:01:
        2d:b6:11:dd:5a:29:c8:02:2c:aa:d7:3f:78:c5:f2:fe:29:d7:
        98:f4:d1:1d:7e:9e:5d:8d
-
Time to mint the certificate
Due diligence check
For the purposes of this lab assume you've done a background check on the customer, checked their reviews on Yelp and NextDoor, looked at their Facebook page and LinkedIn profiles. You're a little concerned with some of those college fraternity party pictures on Facebook, but, what the heck, their check has cleared the bank, so you decide to go ahead and mint the certificate.
openssl x509 -req -in paynowLab-client-req.csr \
  -days 365 -CA ../CA/ca.crt -CAkey ../CA/ca-key.pem \
  -CAcreateserial -out paynowLab-client.crt
With no -extfile, openssl x509 -req takes only the subject and public key from the CSR and issues a version 1 certificate with no extensions; that is why the displays in the following steps say Version: 1 (0x0). If you want a v3 certificate that is explicitly limited to TLS client use (basicConstraints = CA:FALSE, extendedKeyUsage = clientAuth), pass those extensions with -extfile. -CAcreateserial creates the CA's serial number file (ca.srl beside ca.crt) if it does not exist yet.
Output from creating the certificate
Certificate request self-signature ok
subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS KVM guest for PayNow demo
-
Your quality control department asks you to display the certificate before sending it to the customer:
openssl x509 -noout -text -in paynowLab-client.crt
It should look similar to this [click to expand]
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            29:4a:dd:c7:66:81:ab:5a:1d:bb:20:76:a0:25:34:90:21:93:40:6b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
        Validity
            Not Before: Feb 14 01:58:14 2023 GMT
            Not After : Feb 14 01:58:14 2024 GMT
        Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS KVM guest for PayNow demo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6:
                    b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90:
                    06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db:
                    10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db:
                    2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94:
                    c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40:
                    e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca:
                    4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4:
                    21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b:
                    72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0:
                    33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88:
                    19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d:
                    a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20:
                    f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa:
                    ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef:
                    f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2:
                    d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6:
                    44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd:
                    bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71:
                    44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1:
                    7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49:
                    2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47:
                    c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8:
                    92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81:
                    c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93:
                    ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92:
                    36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee:
                    04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e:
                    0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84:
                    20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e:
                    3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33:
                    8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec:
                    bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6:
                    54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96:
                    e0:cc:69
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        9f:41:62:18:0f:db:0a:84:f6:59:bc:cd:22:e4:73:d6:18:b0:
        d0:4e:2a:da:8f:5c:46:06:f1:80:f3:4b:5d:cf:fe:a2:a3:97:
        cc:bd:96:8e:d2:d4:58:ab:ac:56:dd:6f:12:3b:52:a8:df:e5:
        4b:26:8e:92:b3:ed:28:9a:c3:28:6d:8b:f9:13:b0:01:fa:ed:
        8f:48:08:08:07:ac:8f:61:00:fc:53:41:9e:d2:53:c5:b8:d7:
        f4:f2:c9:cc:87:58:2d:48:f3:34:be:fe:0d:dc:9e:b6:11:74:
        18:da:92:db:db:b3:c6:4f:10:63:6c:4c:fb:5f:86:36:9a:a8:
        58:a9:d3:d9:7c:e0:8d:2f:96:f3:64:85:bf:8d:39:28:d2:06:
        8b:63:93:d6:42:e3:ad:6d:5b:2e:d3:5a:3d:3c:af:1e:a2:61:
        a0:d7:c7:a0:4f:b7:16:f1:3b:94:44:23:d8:16:6f:d7:38:36:
        84:10:31:ac:e7:17:43:2a:24:04:26:5b:46:50:03:05:7c:8d:
        cc:77:f5:c1:c1:e3:a2:04:4a:6d:7c:b2:c7:1e:e3:68:b0:4e:
        24:92:63:dd:bd:87:3c:af:8c:63:a5:ea:2f:41:90:67:79:e3:
        31:89:41:54:be:aa:44:89:45:65:85:2e:5e:b9:8c:af:7c:7e:
        0f:08:9a:9b:97:7c:6f:fc:9f:30:e8:0c:30:c4:be:7a:0c:7d:
        d0:45:71:f2:a7:35:c3:f9:f1:b7:2c:9e:1d:a1:da:3b:70:59:
        5b:05:93:a3:fc:59:41:c5:db:bf:0f:20:ec:15:ef:64:61:7e:
        52:3b:6a:a1:69:0b:73:93:52:a4:a3:79:ca:b3:0c:b8:cd:2b:
        59:b5:19:03:2e:21:b8:b5:d3:8d:05:2e:d6:0d:b0:9a:7d:e9:
        f9:e7:2b:96:3a:a5:e3:05:b6:d8:0a:e2:ea:2f:b0:02:42:ba:
        a5:9c:1d:d8:29:7f:3b:bd:7c:73:1a:4a:ae:ca:3a:1d:50:16:
        3a:42:3c:0c:23:6a:15:ed:57:01:88:f3:dc:b7:e3:3e:55:48:
        31:07:4f:38:9c:dc:10:71:e8:8c:82:d3:9e:a6:97:ca:70:20:
        e9:70:31:b2:46:09:79:03:20:93:b0:16:af:07:67:eb:0c:4f:
        b0:c0:a9:e8:eb:bc:ab:74:37:93:76:89:92:82:f3:48:a5:a1:
        16:62:39:2d:d5:79:67:e2:ea:6e:a9:6e:40:e1:7f:da:01:df:
        f0:4f:6f:a0:36:80:ae:ab:a2:4d:07:6e:ba:14:bf:85:82:50:
        e1:3d:df:64:bc:91:3d:60:c4:90:8c:3b:6f:0f:11:31:a6:5f:
        4f:36:5a:69:04:05:88:b5
-
Now you send the certificate to the customer:
scp paynowLab-client.crt \
  ${StudentID}@192.168.22.64:./paynowLab/x509Work/rsyslogClient/.
Example prompt and output from sending file
paynowLab-client.crt 100% 1907 9.7MB/s 00:00
-
Now switch back to your terminal tab or window for your session on the RHEL host. A gentle reminder of what that tab or window looks like:
-
If you are doing the lab in one sitting, in order, then you are still logged in on the RHEL host. If you need to log in for any reason the command is:
ssh -l ${StudentID} 192.168.22.64
Steps 15 and 16 will be performed on the RHEL 8.5 host.
-
Switch to the directory where the CA "sent" your new certificate and list the files:
cd ${HOME}/paynowLab/x509Work/rsyslogClient/ && ls -ltr
File listing shows your client certificate (paynowLab-client.crt). Note that client-key.pem has mode 0600 (owner read/write only), which is how openssl genrsa creates it; the private key should stay that way.
total 16
-rw------- 1 student02 hpvs_students 3247 Feb 13 20:42 client-key.pem
-rw-r--r-- 1 student02 hpvs_students  192 Feb 13 20:44 client.cnf
-rw-r--r-- 1 student02 hpvs_students 1691 Feb 13 20:45 paynowLab-client-req.csr
-rw-r--r-- 1 student02 hpvs_students 1907 Feb 13 21:06 paynowLab-client.crt
-
Display your certificate in human-readable form to make sure your CA did their job correctly:
openssl x509 -noout -text -issuer -subject -in paynowLab-client.crt
Example display of certificate
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            29:4a:dd:c7:66:81:ab:5a:1d:bb:20:76:a0:25:34:90:21:93:40:6b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
        Validity
            Not Before: Feb 14 01:58:14 2023 GMT
            Not After : Feb 14 01:58:14 2024 GMT
        Subject: C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS KVM guest for PayNow demo
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:b0:38:b1:27:ee:a2:9f:35:10:dd:74:b2:46:e6:
                    b8:2a:e4:c9:7f:7d:b3:1d:45:96:7d:bc:9d:5a:90:
                    06:64:da:b8:23:73:f3:99:46:54:a3:2a:a8:8e:db:
                    10:96:7e:de:04:65:81:ee:68:f1:5e:4d:a1:3d:db:
                    2e:44:3a:ff:e2:fe:60:86:ad:90:b9:91:f1:4b:94:
                    c9:43:4a:85:56:32:2a:ab:c9:2a:71:de:b7:fc:40:
                    e2:1b:aa:17:08:3a:65:4a:b8:70:d8:5c:b4:b6:ca:
                    4f:8d:a1:d0:03:04:20:4e:7e:23:26:20:85:45:e4:
                    21:ec:bb:f8:38:64:36:6d:7c:a1:8a:d8:af:14:1b:
                    72:bf:e8:cd:2f:2d:2c:0b:5a:39:4e:53:41:f8:a0:
                    33:91:be:90:64:18:1c:cf:c2:d9:a0:bf:78:db:88:
                    19:6b:be:0c:10:76:fc:96:fb:01:14:f5:90:8a:4d:
                    a8:0c:0b:10:29:1d:fb:45:e1:f2:59:b5:33:e5:20:
                    f8:76:22:c8:4d:d1:55:dc:de:10:79:66:b8:ff:fa:
                    ee:e4:03:a5:77:9d:50:a1:f2:60:35:84:e1:44:ef:
                    f4:be:be:a9:1b:17:5e:26:4a:ea:24:7d:ff:80:d2:
                    d6:95:4f:1b:b6:5e:22:c6:f2:81:17:bb:fe:ce:f6:
                    44:29:79:4e:ad:76:04:db:a7:8d:a4:db:8c:e3:cd:
                    bf:48:37:99:4c:1c:e0:26:0f:9f:8b:a4:1f:48:71:
                    44:d0:5f:ae:c6:93:83:ab:b8:7b:7b:b8:f3:1d:f1:
                    7d:34:3b:d5:32:f0:74:d9:ee:0b:cd:e7:a9:54:49:
                    2b:23:dc:1a:57:ae:a3:03:d8:9c:47:14:75:0c:47:
                    c6:be:e3:84:61:e7:15:b8:fe:0b:5f:53:a0:f6:a8:
                    92:e4:2c:c9:51:43:de:3f:be:0f:a6:c7:44:1f:81:
                    c9:c0:9d:d3:3a:42:2f:b0:52:59:47:c6:da:96:93:
                    ba:e7:11:f4:dd:ba:75:46:86:b5:ef:ee:49:34:92:
                    36:03:32:00:99:71:ed:83:1a:cd:3f:e3:79:7b:ee:
                    04:49:59:aa:01:ce:4d:67:0e:0f:88:e6:62:82:1e:
                    0b:07:01:cf:74:38:20:7b:0d:69:f5:2e:09:e5:84:
                    20:f3:82:15:7f:a4:0d:ae:35:da:de:f2:a9:30:6e:
                    3e:e3:72:26:b3:18:10:6c:d7:df:4c:fc:bf:e3:33:
                    8c:c6:e3:83:04:db:c9:a9:a8:41:d2:97:be:a0:ec:
                    bd:f1:89:18:eb:c5:e7:0b:fc:47:30:c8:e1:cd:e6:
                    54:cd:f1:e7:c3:23:51:48:4f:fd:89:49:43:6d:96:
                    e0:cc:69
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         9f:41:62:18:0f:db:0a:84:f6:59:bc:cd:22:e4:73:d6:18:b0:
         d0:4e:2a:da:8f:5c:46:06:f1:80:f3:4b:5d:cf:fe:a2:a3:97:
         cc:bd:96:8e:d2:d4:58:ab:ac:56:dd:6f:12:3b:52:a8:df:e5:
         4b:26:8e:92:b3:ed:28:9a:c3:28:6d:8b:f9:13:b0:01:fa:ed:
         8f:48:08:08:07:ac:8f:61:00:fc:53:41:9e:d2:53:c5:b8:d7:
         f4:f2:c9:cc:87:58:2d:48:f3:34:be:fe:0d:dc:9e:b6:11:74:
         18:da:92:db:db:b3:c6:4f:10:63:6c:4c:fb:5f:86:36:9a:a8:
         58:a9:d3:d9:7c:e0:8d:2f:96:f3:64:85:bf:8d:39:28:d2:06:
         8b:63:93:d6:42:e3:ad:6d:5b:2e:d3:5a:3d:3c:af:1e:a2:61:
         a0:d7:c7:a0:4f:b7:16:f1:3b:94:44:23:d8:16:6f:d7:38:36:
         84:10:31:ac:e7:17:43:2a:24:04:26:5b:46:50:03:05:7c:8d:
         cc:77:f5:c1:c1:e3:a2:04:4a:6d:7c:b2:c7:1e:e3:68:b0:4e:
         24:92:63:dd:bd:87:3c:af:8c:63:a5:ea:2f:41:90:67:79:e3:
         31:89:41:54:be:aa:44:89:45:65:85:2e:5e:b9:8c:af:7c:7e:
         0f:08:9a:9b:97:7c:6f:fc:9f:30:e8:0c:30:c4:be:7a:0c:7d:
         d0:45:71:f2:a7:35:c3:f9:f1:b7:2c:9e:1d:a1:da:3b:70:59:
         5b:05:93:a3:fc:59:41:c5:db:bf:0f:20:ec:15:ef:64:61:7e:
         52:3b:6a:a1:69:0b:73:93:52:a4:a3:79:ca:b3:0c:b8:cd:2b:
         59:b5:19:03:2e:21:b8:b5:d3:8d:05:2e:d6:0d:b0:9a:7d:e9:
         f9:e7:2b:96:3a:a5:e3:05:b6:d8:0a:e2:ea:2f:b0:02:42:ba:
         a5:9c:1d:d8:29:7f:3b:bd:7c:73:1a:4a:ae:ca:3a:1d:50:16:
         3a:42:3c:0c:23:6a:15:ed:57:01:88:f3:dc:b7:e3:3e:55:48:
         31:07:4f:38:9c:dc:10:71:e8:8c:82:d3:9e:a6:97:ca:70:20:
         e9:70:31:b2:46:09:79:03:20:93:b0:16:af:07:67:eb:0c:4f:
         b0:c0:a9:e8:eb:bc:ab:74:37:93:76:89:92:82:f3:48:a5:a1:
         16:62:39:2d:d5:79:67:e2:ea:6e:a9:6e:40:e1:7f:da:01:df:
         f0:4f:6f:a0:36:80:ae:ab:a2:4d:07:6e:ba:14:bf:85:82:50:
         e1:3d:df:64:bc:91:3d:60:c4:90:8c:3b:6f:0f:11:31:a6:5f:
         4f:36:5a:69:04:05:88:b5
issuer=C = US, O = IBM WSC IBM Z and LinuxONE, CN = CA for rsyslog for SE-enabled KVM guests
subject=C = US, O = IBM WSC IBM Z and LinuxONE, CN = SE-enabled HPVS KVM guest for PayNow demo
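As an added example (it is not part of the lab and not the lab's own scripts), the shell function below repeats the mint-a-client-certificate flow of this section in a scratch directory with throwaway keys and then checks the result the way a practitioner would rather than eyeballing the -text display: it verifies the chain to the CA, confirms that the public key in the certificate belongs to the private key, and confirms that the clientAuth extended key usage is present. Unlike the lab's command it passes an -extfile, so a version 3 certificate is issued. The CA name, subject names and file names are made up and the CA is a stand-in for the lab's ../CA/ca.crt and ca-key.pem, which are assumed to be a self-signed CA made with openssl req -x509 in the previous section.

```shell
# Added example, not part of the lab: mint a client certificate the way steps
# 10-16 do, in a scratch directory with throwaway keys, then verify the result.
set -eu

mint_and_verify() (
  work=$(mktemp -d)
  cd "$work"

  # Stand-in for the lab's ../CA/ca.crt and ../CA/ca-key.pem (assumption: a
  # self-signed CA such as "openssl req -x509" produces). Names are made up.
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -x509 -new -key ca-key.pem -days 30 \
    -subj "/C=US/O=Example Org/CN=Example rsyslog CA" -out ca.crt 2>/dev/null

  # Client key and CSR, as in steps 2 and 4 of this section.
  openssl genrsa -out client-key.pem 2048 2>/dev/null
  openssl req -new -key client-key.pem \
    -subj "/C=US/O=Example Org/CN=example client" -out client.csr 2>/dev/null

  # The lab's "openssl x509 -req" has no -extfile, so it issues a v1 certificate
  # with no extensions. Supplying extensions yields a v3 certificate that is
  # explicitly a non-CA, TLS-client certificate.
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > client.ext
  openssl x509 -req -in client.csr -days 30 -CA ca.crt -CAkey ca-key.pem \
    -CAcreateserial -extfile client.ext -out client.crt 2>/dev/null

  # Check 1: chains to the CA and is acceptable for the TLS-client purpose.
  openssl verify -CAfile ca.crt -purpose sslclient client.crt >/dev/null 2>&1 \
    || { echo "chain-failed"; exit 1; }

  # Check 2: the certificate's public key is the one from our private key
  # (compare SHA-256 over the DER-encoded SubjectPublicKeyInfo of each).
  key_spki=$(openssl pkey -in client-key.pem -pubout -outform DER | openssl dgst -sha256)
  crt_spki=$(openssl x509 -in client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_spki" = "$crt_spki" ] || { echo "key-mismatch"; exit 1; }

  # Check 3: the clientAuth EKU really made it into the certificate.
  openssl x509 -in client.crt -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "no-clientauth-eku"; exit 1; }

  echo ok
)
```

Running mint_and_verify prints ok; any failing check prints a short reason instead. The same three checks, pointed at ../CA/ca.crt, client-key.pem and paynowLab-client.crt, are what you would run on the RHEL host after step 15 (the lab's v1 certificate passes the first two; the third only applies once you issue with -extfile).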
Click the Next link at the bottom of the page to continue to the next part of the lab, where you will create the contract that HPVS 2.1.x expects, so that you can run the PayNow demo in your HPVS KVM guest.
Create contract for HPVS guest¶
Overview of this section¶
IBM provides the Secure Execution feature on z15 and newer generations of its IBM Z and LinuxONE servers. Currently, that's z15 and LinuxONE III for the "z15" generation and z16 and LinuxONE Emperor 4 for the "z16" generation.
You could create your own Secure Execution-enabled KVM guests and run a workload in it without Hyper Protect Virtual Servers 2.1.x. However, there's non-trivial work involved in setting this up. HPVS 2.1.x has done that hard work for you, and provided a KVM guest image that will run your application workload as an OCI-compliant (again, think "Docker" in the popular vernacular) container within the HPVS 2.1.x KVM guest. There is still some work involved in setting up the contract that HPVS 2.1.x expects- but this is work closer to the application or business level. There is also added value in HPVS 2.1.x in areas such as:
- logging
- attestation
- verification during boot
- encryption
- persistent disk protection
- separation of duties
This lab covers a subset of those features: it exercises logging, contract encryption and the signing that makes separation of duties possible; persistent disk protection and attestation are not covered, as explained at the end of this overview. (We won't rest on our laurels until we've built this lab out to cover everything under the sun, but, as the saying goes, Rome wasn't built in a day.)
One of the things we just mentioned in the previous paragraph was separation of duties. In a real world situation, multiple personas could create different portions of the contract:
- an application owner (the "workload provider") might create the workload section of the contract
- a systems administrator (the "workload deployer") might create the environment section of the contract
Then, you could imagine the following scenario taking place:
- application owner can encrypt their piece of the contract such that it can only be decrypted within the HPVS 2.1.x runtime
- application owner passes their encrypted piece of the contract to the systems administrator
- the systems administrator encrypts their own section
- the systems administrator combines the two sections and signs the resultant contract so that it can be verified by the HPVS 2.1.x runtime.
Your inquiring mind may say, well that's all well and good, but what about the disk storage of the machine?
If your workload requires persistent disk storage (to survive a container restart) then each of the two personas supplies part of a seed that is used in the calculation of an encryption key for the persistent disk. Neither persona has knowledge of the other's part of the seed if it is passed between parties encrypted, so that no human has the ability to decrypt the persistent disk. The HPVS developers have thought through security very carefully!
Now this lab does not include all of the above features- for example, in this lab we are not using persistent disk storage. And for this lab, you have worn and will continue to wear many hats, including both the application owner (workload provider) and the system administrator (workload deployer), performing roles that in the "real world" are likely to be delegated to multiple individuals. We are not going to cover attestation in this lab either, but hope to do so in a future lab.
Creation of directory structure for contract¶
This section starts where the last section left off- on your session with the RHEL host:
Create a directory structure for creating an HPVS 2.1.x contract:
mkdir -p ${HOME}/paynowLab/contract/{environment/rsyslog,workload/play}
Now see the directory structure you just created:
cd ${HOME} && tree paynowLab/contract
Expected output from tree command
[student03@bczkvm(192.168.22.64) ~ [12:23:58] (0)]$ tree paynowLab/contract
paynowLab/contract
├── environment
│   └── rsyslog
└── workload
    └── play

4 directories, 0 files
Read about the directory structure and the purpose of each directory:
Directory | Purpose |
---|---|
paynowLab/contract | Top-level directory for the contract for the PayNow application. Typically, the "workload deployer" signs the concatenation of the encrypted "environment" section that they create and the encrypted "workload" section that the "workload provider" creates. |
environment | Used by the "workload deployer" persona to hold an encrypted environment section of the contract |
rsyslog | Used to hold the artifacts needed to construct the logging subsection of the environment section |
workload | Used by the "workload provider" to hold an encrypted workload section of the contract |
play | Used to hold the pod descriptor file specifying the application image and supporting files |
A contract requires a workload section and an environment section, and they each get their own directory. Then the sections are packaged together and signed, and the signature is added as the third section. This final result- the contract- will be stored in your ${HOME}/paynowLab/contract directory.
While creating the contract in this lab, you will be performing the role of workload provider and workload deployer. In most production scenarios these two roles would be performed by different persons or processes. The following diagram shows at a high level how these two roles cooperate to form the contract:
flowchart LR
A["Workload provider
creates
workload section"];
B["Workload deployer
creates
environment section"]
C["Workload provider
gives workload section
to Workload deployer"]
A --> C
D["Workload deployer
signs combined
environment and
workload sections"]
B --> D
C --> D
Create workload section of the contract¶
HPVS expects the contract to describe the OCI container(s) to run, either with a Docker Compose file or with one or more pod descriptors. A Docker Compose file specifies one OCI image to run and the other information necessary to configure the resulting container. A pod descriptor works much the same way, but Hyper Protect supports one or more OCI images with a pod descriptor as opposed to one image with a Docker Compose file. Since this makes pod descriptors more versatile, we will be using the new hotness, pod descriptors, in our lab as opposed to the OG Docker Compose file format. Having said that, both are currently valid. Your workload is the PayNow Demo. You created an OCI image for that on your standard KVM guest earlier in the lab. In order to allow you to perform the lab without having to have an account at Docker Hub, Quay.io or another image registry service, the instructors have created an OCI image that is hosted in Quay.io and is used for this section of the lab. This OCI image was created in exactly the same way you created the image on your standard KVM guest.
Create play subsection¶
Switch to the directory that will hold your pod descriptors:
cd ${HOME}/paynowLab/contract/workload/play
Play time
The pod descriptors use the play subsection, which should conjure up thoughts of the podman play kube subcommand.
Create the pod descriptor:
cat << EOF > pod.yml
apiVersion: v1
kind: Pod
metadata:
  name: paynow
spec:
  containers:
  - name: paynow
    image: quay.io/bsilliman/paynow@sha256:6c0d9c82bd051f4c2641d4ed9d4a3c577075894ad3bf1494f2c742a5751b93d9
    ports:
    - containerPort: 8443
      hostPort: 8443
  restartPolicy: Always
EOF
Notice the value of the image key. This is the PayNow Demo image created by the instructor and hosted on Red Hat's Quay.io registry service. It is referenced by its sha256 digest rather than by a tag: a tag can be re-pointed at different content later, but a digest names exactly one image, so the contract you are about to encrypt and sign binds the exact image that will run.
Add a convenience script to create the workload section¶
You are almost finished with the workload section. One thing to do is to add a convenience script to the workload directory. This script is not supplied with the product, but is very useful in the creation of the contract. Create it now and feel free to peruse it but do not run it now. It will be called later by another script. Comments have been added to help explain what the script does.
Switch directories:
cd ${HOME}/paynowLab/contract/workload/
Create the convenience script:
cat <<-EOF > flow.workload
# Create the workload section of the contract and add the contents in the workload.yaml file.
#
# The pod descriptor and all supporting configuration files are assumed to be in the ./play directory
# There should not be any unnecessary files as they will get tarred up and added to the PLAY_B64 variable
#
PLAY_B64=\$(tar -czv -C play . | base64 -w0)
#
# This specifies an intermediate file that could be deleted at the end of the script but
# is left intact for lab learning purposes- it is plaintext so keeping it implies that
# you would have to protect it appropriately. In production you'll probably want to delete it
#
WORKLOAD_PLAIN=./workload.yaml.plaintext
#
# This specifies the file that will be encrypted and signed and is the primary output of this script.
# It is combined with the encrypted and signed environment section that is created by
# another script (flow.signature which is one directory level higher)
# Note: this file will also wind up one directory level higher
#
WORKLOAD=workload.yaml
echo " type: workload
 play:
   archive: \${PLAY_B64}" > \${WORKLOAD_PLAIN}
#
# This is the encryption certificate for Hyper Protect Container Runtime and it is
# provided with the Hyper Protect Virtual Servers v2.1.7.1 product
#
CONTRACT_KEY=/data/lab/hpvs2171Certs/ibm-hyper-protect-container-runtime-23.11.1-encrypt.crt
#
# This variable holds a random password:
#
PASSWORD_WORKLOAD="\$(openssl rand 32 | base64 -w0)"
#
# This variable holds the output of the command pipe that
# takes your plaintext workload yaml (\$WORKLOAD_PLAIN) and encrypts it using the password that
# was generated above (\$PASSWORD_WORKLOAD) and then base64 encodes this encrypted workload
#
# As long as nobody else knows your random password (\$PASSWORD_WORKLOAD) your data is safe.
# But, the Hyper Protect Container Runtime has to decrypt it, so it needs your password.
# How will it get that password securely? Read the next set of comment lines to find out.
#
ENCRYPTED_WORKLOAD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$WORKLOAD_PLAIN" | base64 -w0)"
#
# This variable provides secure passage of your random password. How?
# It encrypts it with the encryption key of the Hyper Protect Container Runtime (HPCR).
# (A key that is encrypted by another key is often called a wrapped key).
# Only the HPCR image has the private key which can decrypt this. It is protected from
# access from any administrators. So, malicious actors cannot do anything with this
# wrapped key, even if they were able to get a hold of it.
# (openssl rsautl is deprecated in OpenSSL 3; "openssl pkeyutl -encrypt -certin" is its
# replacement and uses the same default RSA PKCS#1 v1.5 padding.)
#
ENCRYPTED_WORKLOAD_PASSWORD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 -w0 )"
#
# Use the following command to get the encrypted section of the contract:
# This variable holds the output of a concatenation of a header, "hyper-protect-basic",
# your wrapped key, and your encrypted workload, separated by periods.
#
WORKLOAD_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_WORKLOAD_PASSWORD}.\${ENCRYPTED_WORKLOAD}"
#
# The above variable is echoed to a file in the directory one level above
#
echo "\$WORKLOAD_ENCRYPTED" > ../\$WORKLOAD
#
# NOTE: In a production scenario the plaintext workload section would be
# deleted or stored securely but it has been left here for student perusal.
# The filename is workload.yaml.plaintext
#
EOF
Create environment section of the contract¶
-
Change to the directory where you will prepare the environment section of the contract:
cd ../environment
-
In the environment section of the contract you are going to specify the information in order to have your HPVS KVM Guest log to the rsyslog service that you configured earlier in the lab.
-
Switch to the directory from where you will gather some files you will need for this rsyslog configuration:
cd rsyslog
-
You will need the CA certificate of the rsyslog service that you created on your Ubuntu KVM guest which you can get via scp:
scp student@${StudentGuestIP}:x509Work/rsyslog/CA/ca.crt .
-
Copy your rsyslog client certificate from your working directory:
cp -ipv ${HOME}/paynowLab/x509Work/rsyslogClient/paynowLab-client.crt .
-
Convert the private key to PKCS#8 format
The directory you just copied the client certificate from also has the private key you need. However, the HPCR image requires it in PKCS#8 (Public Key Cryptography Standard #8) format, and openssl genrsa on the RHEL host's OpenSSL 1.1.1 wrote the traditional PKCS#1 form (the file begins with BEGIN RSA PRIVATE KEY). Therefore you can't just copy it over; you need to convert it:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
  -in ${HOME}/paynowLab/x509Work/rsyslogClient/client-key.pem \
  -out client-key-pkcs8.pem
The converted file begins with BEGIN PRIVATE KEY. Because of -nocrypt it is an unencrypted private key on disk; it is only protected once it has been folded into the encrypted environment section, so treat this file (and the original client-key.pem) with the same care as any other private key and delete both when they are no longer needed.
-
Go back up one directory level:
cd .. && pwd
-
We have provided a convenience script to assist in creating the environment section of the contract.
This script is not supplied with the product, but is very useful in the creation of the contract. Create it now and feel free to peruse it but do not run it now. It will be called later by another script. Comments have been added to help explain what the script does.
cat <<-EOF > flow.env
# Create the env section of the contract and add the contents in the env.yaml file.
#
# set some file locations at the top of the file here
#
RSYSLOG_CA_CRT="./rsyslog/ca.crt"
RSYSLOG_CLIENT_CRT="./rsyslog/paynowLab-client.crt"
RSYSLOG_CLIENT_KEY="./rsyslog/client-key-pkcs8.pem"
#
# This specifies an intermediate file that could be deleted at the end of the script but
# is left intact for lab learning purposes- it is plaintext so keeping it implies that
# you would have to protect it appropriately. In production you'll probably want to delete it
#
ENV_PLAIN="./env.yaml.plaintext"
#
# This specifies the file that will be encrypted and signed and is the primary output of this script.
# It is combined with the encrypted and signed workload section that is created by
# another script (flow.signature which is one directory level higher)
# Note: this file will also wind up one directory level higher
#
ENV="env.yaml"
#
# This variable holds the output of taking all the newlines out of the rsyslog CA certificate and
# replacing them with the "\n" characters. In other words, a multiple line file is squashed down
# to one line. The HPCR runtime image will then convert it back to the multiple line format
#
ENV_RSYSLOG_SERVER=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CA_CRT})
#
# This variable holds the output of taking all the newlines out of the client certificate that the
# HPCR runtime uses for communicating with rsyslog and replacing them with the "\n" characters.
# In other words, a multiple line file is squashed down to one line. The HPCR runtime image will
# then convert it back to the multiple line format
#
ENV_RSYSLOG_CERT=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CLIENT_CRT})
#
# This variable holds the output of taking all the newlines out of the client private key that the
# HPCR runtime uses for communicating with rsyslog and replacing them with the "\n" characters.
# In other words, a multiple line file is squashed down to one line. The HPCR runtime image will
# then convert it back to the multiple line format. Before this all happens, the private key is
# converted to PKCS#8 format (you did that in step 6 above)
#
ENV_RSYSLOG_KEY=\$(awk -vRS="\n" -vORS="\\\\\n" '1' \${RSYSLOG_CLIENT_KEY})
echo " type: env
 logging:
   syslog:
     hostname: \"\${StudentGuestIP}\"
     port: 6514
     server: \"\${ENV_RSYSLOG_SERVER}\"
     cert: \"\${ENV_RSYSLOG_CERT}\"
     key: \"\${ENV_RSYSLOG_KEY}\"" >\${ENV_PLAIN}
#
# This command adds the public signing key to the plaintext environment yaml. This key is used inside
# the Hyper Protect Container Runtime image to verify the signature over workload and environment sections of
# the contract.
#
cat ./pubSigningKey.yaml >> \${ENV_PLAIN}
#
# This is the encryption certificate for Hyper Protect Container Runtime and it is
# provided with the Hyper Protect Virtual Servers v2.1.7.1 product
#
CONTRACT_KEY=/data/lab/hpvs2171Certs/ibm-hyper-protect-container-runtime-23.11.1-encrypt.crt
#
# This variable holds a random password:
#
PASSWORD_ENV="\$(openssl rand 32 | base64 -w0)"
#
# This variable holds the output of the command pipe that
# takes your plaintext environment yaml (\$ENV_PLAIN) and encrypts it using the password that
# was generated above (\$PASSWORD_ENV) and then base64 encodes this encrypted environment yaml
#
# As long as nobody else knows your random password (\$PASSWORD_ENV) your data is safe.
# But, the Hyper Protect Container Runtime has to decr ypt it, so it needs your password.
# How will it get that password securely? Read the next set of comment lines to find out.
#
ENCRYPTED_ENV="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$ENV_PLAIN" | base64 -w0)"
#
# This variable provides secure passage for your random password. How?
# It encrypts it with the encryption key of the Hyper Protect Container Runtime (HPCR).
# (A key that is encrypted by another key is often called a wrapped key).
# Only the HPCR image has the private key which can decrypt this. It is protected from
# access from any administrators. So, malicious actors cannot do anything with this
# wrapped key, even if they were able to get a hold of it.
#
ENCRYPTED_ENV_PASSWORD="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 -w0 )"
#
# Use the following command to get the encrypted environment section of the contract:
# This variable holds the output of a concatenation of a header, "hyper-protect-basic",
# your wrapped key, and your encrypted environment yaml, separated by periods.
#
ENV_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_ENV_PASSWORD}.\${ENCRYPTED_ENV}"
#
# The above variable is written as the encrypted environment section to the directory one level above
#
echo "\$ENV_ENCRYPTED" > ../\$ENV
EOF
- Back up one more directory level:
cd ..
- You will create three more files that are convenience scripts, similar to flow.workload and flow.env, which you have already created:
- The first script will provide some preparation steps. Create it, peruse it, love it, but don't run it yet:
cat << EOF > flow.prepare
# Use the following command to generate a key pair to sign the contract
openssl genrsa -aes128 -passout pass:test1234 -out private.pem 4096
openssl rsa -in private.pem -passin pass:test1234 -pubout -out public.pem
# The following command is an example of how you can get the signing key:
key=\$(awk -vRS="\n" -vORS="\\\\\n" '1' public.pem)
echo "
signingKey: \"\${key%\\\\n}\"" > environment/pubSigningKey.yaml
EOF
- Create the second script, which signs the concatenated workload and environment sections of the contract and then appends the signature as the third and final element of the contract. Don't run it yet!
cat << EOF > flow.signature
# combine workload and environment
cat workload.yaml env.yaml | tr -d '\n' > contract.yaml
# Sign the combination from workload and env being approved
echo \$( cat contract.yaml | openssl dgst -sha256 -sign private.pem -passin pass:test1234 | openssl enc -base64) | tr -d ' ' > signature.yaml
# Create user data and add signature:
echo "workload: \$(cat workload.yaml)
env: \$(cat env.yaml)
envWorkloadSignature: \$(cat signature.yaml)" > user_data.yaml
echo ""
echo "import \`pwd\`/user_data.yaml into User Data or copy and paste from below:"
echo ""
cat user_data.yaml
EOF
- This script isn't strictly necessary for the lab, for reasons stated in the comments in the script, but you can create it anyway:
cat << EOF > flow.clear
#
# It isn't really necessary to run this in our lab environment
# because the other scripts will happily trod on these files
# as necessary.
#
# It is more likely that you would run this after running the
# other scripts in order to remove these files for security
# reasons
#
# But if you ever had a need to save your signing key pair,
# you would want to save private.pem somewhere safe.
#
rm private.pem public.pem
rm environment/pubSigningKey.yaml environment/env.yaml.plaintext
rm workload/workload.yaml.plaintext
rm env.yaml workload.yaml contract.yaml signature.yaml user_data.yaml
EOF
Encrypt and sign the contract¶
- Create a final helper script which calls the flow.* scripts you created earlier:
cat << EOF > makeContract
. ./flow.prepare
cd workload
. ./flow.workload
cd ../environment
. ./flow.env
cd ..
. ./flow.signature
EOF
- Now run the helper script that you just created:
. ./makeContract
The script creates the final contract in a file named user_data.yaml. It also displays the contents of this file on the screen. At the bottom of the output you will see an envWorkloadSignature key. If there is a gobbledygook value (base64-encoded text) associated with this key, things went well.
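The whole pipeline the helper script just ran, as an added example rather than one of the lab's own flow.* scripts: the functions below wrap a section into a hyper-protect-basic token the way flow.env does, sign the two sections the way flow.signature does, and then perform the two checks that the Hyper Protect Container Runtime performs at boot: verifying envWorkloadSignature with the signingKey and unwrapping the env section with its private key. A throw-away RSA key pair stands in for the HPCR encryption certificate and its private key (so pkeyutl -pubin replaces the lab's rsautl -certin), the signing key is generated without a passphrase, and the two YAML bodies and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not one of the lab's flow.* scripts): build a contract end to end with
# constructed data, then check it the way the HPCR image does at boot. A throw-away RSA
# key pair stands in for the HPCR encryption certificate and its private key.

# Environment/workload section: AES-256-CBC + PBKDF2 over the YAML with a random
# password, and that password RSA-wrapped with the HPCR public key (as in flow.env).
wrap_section() {   # wrap_section PLAIN_YAML HPCR_PUBKEY -> hyper-protect-basic.<wrapped pw>.<ciphertext>
    # openssl reads `-pass stdin` as one text line, so bytes after a NUL or newline would be
    # silently dropped (the lab script shares this edge case); draw again until none are present
    while :; do
        pw=$(openssl rand 32 | base64 | tr -d '\n')
        [ "$(printf '%s' "$pw" | base64 -d | tr -d '\n\000' | wc -c | tr -d ' ')" -eq 32 ] && break
    done
    ct=$(printf '%s' "$pw" | base64 -d \
        | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "$1" | base64 | tr -d '\n')
    # flow.env uses the deprecated `openssl rsautl -encrypt -certin`; pkeyutl does the same job
    wrapped=$(printf '%s' "$pw" | base64 -d \
        | openssl pkeyutl -encrypt -pubin -inkey "$2" | base64 | tr -d '\n')
    printf 'hyper-protect-basic.%s.%s\n' "$wrapped" "$ct"
}

# What HPCR does with such a token: recover the password with its private key, then decrypt.
unwrap_section() { # unwrap_section TOKEN HPCR_PRIVKEY -> plaintext YAML on stdout
    case $1 in hyper-protect-basic.*.*) ;; *) echo "not a hyper-protect-basic token" >&2; return 1 ;; esac
    ctfile=$(mktemp)
    printf '%s' "$1" | cut -d. -f3 | base64 -d > "$ctfile"
    printf '%s' "$1" | cut -d. -f2 | base64 -d \
        | openssl pkeyutl -decrypt -inkey "$2" \
        | openssl enc -d -aes-256-cbc -pbkdf2 -pass stdin -in "$ctfile"
    rc=$?; rm -f "$ctfile"; return $rc
}

# Signature: SHA-256 with RSA over the workload and env tokens concatenated with newlines
# removed, exactly the bytes flow.signature feeds to `openssl dgst`.
sign_contract() {  # sign_contract WORKLOAD_TOKEN_FILE ENV_TOKEN_FILE SIGNING_PRIVKEY -> base64 signature
    cat "$1" "$2" | tr -d '\n' | openssl dgst -sha256 -sign "$3" | base64 | tr -d '\n'
}

# The check HPCR performs with the signingKey carried inside the env section: rebuild the
# signed bytes from the contract's own workload and env values and verify the signature.
verify_contract() { # verify_contract USER_DATA_YAML SIGNING_PUBKEY -> 0 only if the signature is valid
    sigfile=$(mktemp)
    sed -n 's/^envWorkloadSignature: //p' "$1" | base64 -d > "$sigfile"
    { sed -n 's/^workload: //p' "$1"; sed -n 's/^env: //p' "$1"; } | tr -d '\n' \
        | openssl dgst -sha256 -verify "$2" -signature "$sigfile" > /dev/null 2>&1
    rc=$?; rm -f "$sigfile"; return $rc
}

# Round trip on constructed input; prints "ok" when all three checks pass.
build_and_check() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        openssl genrsa -out hpcr-private.pem 2048 2>/dev/null    # stand-in for the HPCR key pair
        openssl rsa -in hpcr-private.pem -pubout -out hpcr-public.pem 2>/dev/null
        openssl genrsa -out private.pem 2048 2>/dev/null         # contract signing key pair
        openssl rsa -in private.pem -pubout -out public.pem 2>/dev/null
        printf 'type: workload\ncompose:\n  archive: constructed-example\n' > workload.yaml.plaintext
        printf 'type: env\nlogging:\n  syslog:\n    port: 6514\n' > env.yaml.plaintext
        wrap_section workload.yaml.plaintext hpcr-public.pem > workload.yaml
        wrap_section env.yaml.plaintext hpcr-public.pem > env.yaml
        sig=$(sign_contract workload.yaml env.yaml private.pem)
        printf 'workload: %s\nenv: %s\nenvWorkloadSignature: %s\n' \
            "$(cat workload.yaml)" "$(cat env.yaml)" "$sig" > user_data.yaml
        verify_contract user_data.yaml public.pem || { echo "signature invalid"; exit 1; }
        unwrap_section "$(cat env.yaml)" hpcr-private.pem | cmp -s - env.yaml.plaintext \
            || { echo "env section did not round-trip"; exit 1; }
        # An env token altered after signing must fail verification
        sed 's/^env: hyper-protect-basic\./env: hyper-protect-basic.AAAA/' user_data.yaml > tampered.yaml
        verify_contract tampered.yaml public.pem && { echo "tampering not detected"; exit 1; }
        echo ok
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

build_and_check
```

Run it with sh; it prints ok when the signature verifies, the env section round-trips, and a contract whose env token was altered after signing is rejected. That last check is the point of the signature: the runtime refuses a contract whose workload or env sections no longer match the signature made with the private.pem you keep, which is why flow.clear reminds you to keep that key somewhere safe rather than on the host.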
Create the startup file for the HPVS KVM guest¶
- Create a copy of the user_data.yaml file that you created. The contract that you just created is going to be packaged with some other files into a startup file for your HPVS KVM guest that will run the PayNow demo. One of the files expected is a file named user-data, which is just a copy of the user_data.yaml file that was just created:
cp -ipv user_data.yaml user-data
Why didn't the script just do the above copy for me?
We kept user-data intact in case something went wrong in the process, in which case user_data.yaml may be rubbish, but at least you haven't trampled on a good user-data that might already be in use.
- Create vendor-data, which is another file required by the process:
cat << EOF > vendor-data
#cloud-config
users:
  - default
EOF
- Create meta-data, which is also required, and which will have a hostname tailored for your userid:
cat << EOF > meta-data
local-hostname: $(whoami)-paynowdemo
EOF
- Run this command (RHEL-specific; see the product documentation for the Ubuntu equivalent) to create the startup file, ciiso.iso:
genisoimage -output /var/lib/libvirt/images/labs/paynow/$(whoami)/ciiso.iso \
  -volid cidata -joliet -rock user-data meta-data vendor-data
Your output will look like this:
Output from genisoimage command
I: -input-charset not specified, using utf-8 (detected in locale settings)
Total translation table size: 0
Total rockridge attributes bytes: 414
Total directory bytes: 0
Path table size(bytes): 10
Max brk space used 0
203 extents written (0 MB)
Launch HPVS guest for PayNow¶
You will start this section from your login session on the RHEL host. Start from this familiar window or tab:
Launch the HPVS 2.1.x KVM guest¶
This fancy command figures out (and displays) the last two characters of your assigned userid. That suffix is used in other commands in this section so that the lab instructions work for everybody:
suffix=$(temp=$(whoami) && echo ${temp: -2}) \
&& echo Your student suffix is ${suffix}
You aren't going to change anything here since it's already been defined for you by the instructors, but you can display the definition of your HPVS 2.1.x KVM guest for the PayNow demo:
sudo virsh dumpxml paynowse${suffix}
Definition of HPVS KVM guest for PayNow Demo
<domain type='kvm'>
<name>paynowse04</name>
<uuid>2315f8ea-a340-4506-abbf-ae04cf7ea868</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://ubuntu.com/ubuntu/20.04"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>3903488</memory>
<currentMemory unit='KiB'>3903488</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='s390x' machine='s390-ccw-virtio-rhel8.2.0'>hvm</type>
<boot dev='hd'/>
</os>
<cpu mode='host-model' check='partial'/>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' iommu='on'/>
<source file='/var/lib/libvirt/images/labs/paynow/student04/ibm-hyper-protect-container-runtime-23.11.1.qcow2'/>
<backingStore/>
<target dev='vda' bus='virtio'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0000'/>
</disk>
<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='none' io='native' iommu='on'/>
<source file='/var/lib/libvirt/images/labs/paynow/student04/ciiso.iso'/>
<target dev='vdc' bus='virtio'/>
<readonly/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0002'/>
</disk>
<controller type='pci' index='0' model='pci-root'/>
<interface type='network'>
<mac address='52:54:00:fc:6c:a8'/>
<source network='default'/>
<model type='virtio'/>
<driver name='vhost' iommu='on'/>
<address type='ccw' cssid='0xfe' ssid='0x0' devno='0x0001'/>
</interface>
<console type='pty'>
<target type='sclp' port='0'/>
</console>
<audio id='1' type='none'/>
<memballoon model='none'/>
<panic model='s390'/>
</devices>
</domain>
Start your HPVS Guest for the PayNow Demo and attach to its console. Watch the messages carefully. You should not see any failures:
sudo virsh start paynowse${suffix} --console
This is what success looks like
Domain 'paynowse02' started
Connected to domain 'paynowse02'
Escape character is ^] (Ctrl + ])
# HPL11 build:23.11.0 enabler:23.6.0
# Tue Sep 5 22:22:00 UTC 2023
# Machine Type/Plant/Serial: 8561/02/31A38
# create new root partition...
# encrypt root partition...
# create root filesystem...
# write OS to root disk...
# decrypt user-data...
2 token decrypted, 0 encrypted token ignored
# run attestation...
# set hostname...
# finish root disk setup...
# Tue Sep 5 22:22:27 UTC 2023
# HPL11 build:23.11.0 enabler:23.6.0
# HPL11099I: bootloader end
hpcr-dnslookup[890]: HPL14000I: Network connectivity check completed successfully.
hpcr-logging[1038]: Configuring logging ...
hpcr-logging[1039]: Version [1.1.147]
hpcr-logging[1039]: Configuring logging, input [/var/hyperprotect/user-data.decrypted] ...
hpcr-logging[1039]: HPL01010I: Logging has been setup successfully.
hpcr-logging[1038]: Logging has been configured
hpcr-catch-success[1541]: VSI has started successfully.
hpcr-catch-success[1541]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service
You will have to enter the Ctrl+] key-combination to break out of the console and return to your command prompt.
Verify that messages from your HPVS KVM guest are received by rsyslog¶
The logging of the HPVS KVM guest is going to the rsyslog service that you configured on your Ubuntu guest, so switch to the terminal tab or window for your KVM standard guest.
You should still be comfortably logged in on this tab or window:
The arguments to the journalctl command here aren't the most elegant in the world, but unless midnight has passed since you started your HPVS KVM guest for PayNow, they will show you the messages rsyslog received when that guest started up:
journalctl --since today --no-pager
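A small added check, not part of the lab: the journal is long, and the lines that matter are the ones carrying HPL message codes (HPL14000I, HPL01010I and HPL10001I in the console output above). The functions below pull those codes out of journal text and decide whether the boot succeeded: HPL10001I must be present, and, on the assumption that only codes ending in I are informational, any code with another suffix counts as something to read before trusting the guest. The three sample lines are constructed after the ones the lab shows, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the lab): find the HPL message codes in journal output and
# decide whether the HPVS guest booted cleanly. The sample lines are constructed,
# modelled on the journal excerpt the lab shows.
SAMPLE_LOG='Sep 05 22:22:30 ubuntu2204 hpcr-dnslookup[890]: HPL14000I: Network connectivity check completed successfully.
Sep 05 22:22:30 ubuntu2204 hpcr-logging[1039]: HPL01010I: Logging has been setup successfully.
Sep 05 22:22:31 ubuntu2204 hpcr-catch-success[1541]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service'

hpl_codes() {       # hpl_codes LOGTEXT -> unique HPL codes, one per line, in order of first appearance
    printf '%s\n' "$1" | grep -o 'HPL[0-9][0-9]*[A-Z]' | awk '!seen[$0]++'
}

boot_succeeded() {  # boot_succeeded LOGTEXT -> 0 clean boot, 1 no success marker, 2 non-informational code seen
    codes=$(hpl_codes "$1")
    # HPL10001I is the "Services succeeded" message the lab tells you to look for
    printf '%s\n' "$codes" | grep -q '^HPL10001I$' || return 1
    # Assumption: the trailing letter is the IBM message severity, I = informational;
    # anything else is worth reading before you trust the guest
    printf '%s\n' "$codes" | grep -q '[A-HJ-Z]$' && return 2
    return 0
}

# Typical use on the standard guest:  boot_succeeded "$(journalctl --since today --no-pager)"
boot_succeeded "$SAMPLE_LOG" && echo "HPVS guest booted cleanly: $(hpl_codes "$SAMPLE_LOG" | tr '\n' ' ')"
```

Feed it the output of the journalctl command above instead of the sample text; a missing HPL10001I means the guest never reached the hpl-catch-success service, and a code with a non-I suffix points at the line to investigate.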
There are a lot of messages logged, a veritable trove of treasure for the curious. Here is an example of what you should be able to see:
Log messages in rsyslog from starting your HPVS KVM guest for the PayNow demo
Sep 05 22:22:29 ubuntu2204 vpcnode[26262]: authentication probe
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Linux version 5.15.0-79-generic (buildd@bos02-s390x-016) (gcc (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #86-Ubuntu SMP Mon Jul 10 16:19:54 UTC 2023 (Ubuntu 5.15.0-79.86-generic 5.15.111)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: setup: Linux is running under KVM in 64-bit mode
Sep 05 22:22:30 ubuntu2204 kernel[26262]: setup: Relocating AMODE31 section of size 0x00003000
Sep 05 22:22:30 ubuntu2204 kernel[26262]: setup: The maximum memory size is 3812MB
Sep 05 22:22:30 ubuntu2204 kernel[26262]: cpu: 2 configured CPUs, 0 standby CPUs
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Write protected kernel read-only data: 18692k
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Zone ranges:
Sep 05 22:22:30 ubuntu2204 kernel[26262]: DMA [mem 0x0000000000000000-0x000000007fffffff]
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Normal [mem 0x0000000080000000-0x00000000ee3fffff]
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Movable zone start for each node
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Early memory node ranges
Sep 05 22:22:30 ubuntu2204 kernel[26262]: node 0: [mem 0x0000000000000000-0x00000000ee3fffff]
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Initmem setup node 0 [mem 0x0000000000000000-0x00000000ee3fffff]
Sep 05 22:22:30 ubuntu2204 kernel[26262]: On node 0, zone Normal: 7168 pages in unavailable ranges
Sep 05 22:22:30 ubuntu2204 kernel[26262]: percpu: Embedded 32 pages/cpu s91904 r8192 d30976 u131072
Sep 05 22:22:30 ubuntu2204 kernel[26262]: pcpu-alloc: s91904 r8192 d30976 u131072 alloc=32*4096
Sep 05 22:22:30 ubuntu2204 kernel[26262]: pcpu-alloc: [0] 0 [0] 1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Built 1 zonelists, mobility grouping on. Total pages: 960624
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Policy zone: Normal
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Kernel command line: panic=0 blacklist=virtio_rng swiotlb=262144 cloud-init=disabled console=ttyS0 printk.time=0 systemd.getty_auto=0 systemd.firstboot=0 module.sig_enforce=1 quiet loglevel=0 systemd.show_status=0
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Unknown kernel command line parameters "blacklist=virtio_rng cloud-init=disabled", will be passed to user space.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: mem auto-init: stack:off, heap alloc:on, heap free:off
Sep 05 22:22:30 ubuntu2204 kernel[26262]: software IO TLB: mapped [mem 0x00000000435a4000-0x00000000635a4000] (512MB)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Memory: 3266284K/3903488K available (11988K kernel code, 3212K rwdata, 6704K rodata, 5200K init, 1252K bss, 637204K reserved, 0K cma-reserved)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: SLUB: HWalign=256, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ftrace: allocating 34120 entries in 134 pages
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ftrace: allocated 134 pages with 3 groups
Sep 05 22:22:30 ubuntu2204 kernel[26262]: rcu: Hierarchical RCU implementation.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: rcu: #011RCU restricting CPUs from NR_CPUS=512 to nr_cpu_ids=2.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: #011Rude variant of Tasks RCU enabled.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: #011Tracing variant of Tasks RCU enabled.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NR_IRQS: 3, nr_irqs: 3, preallocated irqs: 3
Sep 05 22:22:30 ubuntu2204 kernel[26262]: clocksource: tod: mask: 0xffffffffffffffff max_cycles: 0x3b0a9be803b0a9, max_idle_ns: 1805497147909793 ns
Sep 05 22:22:30 ubuntu2204 kernel[26262]: random: crng init done
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Console: colour dummy device 80x25
Sep 05 22:22:30 ubuntu2204 kernel[26262]: printk: console [ttyS0] enabled
Sep 05 22:22:30 ubuntu2204 kernel[26262]: printk: console [ttysclp0] enabled
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Calibrating delay loop (skipped)... 24038.00 BogoMIPS preset
Sep 05 22:22:30 ubuntu2204 kernel[26262]: pid_max: default: 32768 minimum: 301
Sep 05 22:22:30 ubuntu2204 kernel[26262]: LSM: Security Framework initializing
Sep 05 22:22:30 ubuntu2204 kernel[26262]: landlock: Up and running.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Yama: becoming mindful.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: AppArmor: AppArmor initialized
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: rcu: Hierarchical SRCU implementation.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: smp: Bringing up secondary CPUs ...
Sep 05 22:22:30 ubuntu2204 kernel[26262]: smp: Brought up 1 node, 2 CPUs
Sep 05 22:22:30 ubuntu2204 kernel[26262]: devtmpfs: initialized
Sep 05 22:22:30 ubuntu2204 kernel[26262]: clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
Sep 05 22:22:30 ubuntu2204 kernel[26262]: futex hash table entries: 512 (order: 5, 131072 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_NETLINK/PF_ROUTE protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: initializing netlink subsys (disabled)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=2000 audit(1693952520.204:1): state=initialized audit_enabled=0 res=1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Spectre V2 mitigation: etokens
Sep 05 22:22:30 ubuntu2204 kernel[26262]: HugeTLB registered 1.00 MiB page size, pre-allocated 0 pages
Sep 05 22:22:30 ubuntu2204 kernel[26262]: iommu: Default domain type: Translated
Sep 05 22:22:30 ubuntu2204 kernel[26262]: iommu: DMA domain TLB invalidation policy: strict mode
Sep 05 22:22:30 ubuntu2204 kernel[26262]: SCSI subsystem initialized
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NetLabel: Initializing
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NetLabel: domain hash size = 128
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NetLabel: unlabeled traffic allowed by default
Sep 05 22:22:30 ubuntu2204 kernel[26262]: zpci: PCI is not supported because CPU facilities 69 or 71 are not available
Sep 05 22:22:30 ubuntu2204 kernel[26262]: VFS: Disk quotas dquot_6.6.0
Sep 05 22:22:30 ubuntu2204 kernel[26262]: VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: AppArmor: AppArmor Filesystem Enabled
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_INET protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: IP idents hash table entries: 65536 (order: 7, 524288 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: tcp_listen_portaddr_hash hash table entries: 2048 (order: 3, 32768 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: TCP established hash table entries: 32768 (order: 6, 262144 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: TCP bind hash table entries: 32768 (order: 7, 524288 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: TCP: Hash tables configured (established 32768 bind 32768)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: MPTCP token hash table entries: 4096 (order: 4, 98304 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: UDP hash table entries: 2048 (order: 4, 65536 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes, linear)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_UNIX/PF_LOCAL protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_XDP protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Trying to unpack rootfs image as initramfs...
Sep 05 22:22:30 ubuntu2204 kernel[26262]: kvm-s390: SIE is not available
Sep 05 22:22:30 ubuntu2204 kernel[26262]: hypfs: The hardware system does not support hypfs
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Initialise system trusted keyrings
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type blacklist registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: workingset: timestamp_bits=45 max_order=20 bucket_order=0
Sep 05 22:22:30 ubuntu2204 kernel[26262]: zbud: loaded
Sep 05 22:22:30 ubuntu2204 kernel[26262]: squashfs: version 4.0 (2009/01/31) Phillip Lougher
Sep 05 22:22:30 ubuntu2204 kernel[26262]: fuse: init (API version 7.34)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: integrity: Platform Keyring initialized
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type asymmetric registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Asymmetric key parser 'x509' registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: io scheduler mq-deadline registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: hvc_iucv: The z/VM IUCV HVC device driver cannot be used without z/VM
Sep 05 22:22:30 ubuntu2204 kernel[26262]: loop: module loaded
Sep 05 22:22:30 ubuntu2204 kernel[26262]: tun: Universal TUN/TAP device driver, 1.6
Sep 05 22:22:30 ubuntu2204 kernel[26262]: device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: device-mapper: uevent: version 1.0.3
Sep 05 22:22:30 ubuntu2204 kernel[26262]: device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
Sep 05 22:22:30 ubuntu2204 kernel[26262]: drop_monitor: Initializing network drop monitor service
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_INET6 protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Freeing initrd memory: 9828K
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Segment Routing with IPv6
Sep 05 22:22:30 ubuntu2204 kernel[26262]: In-situ OAM (IOAM) with IPv6
Sep 05 22:22:30 ubuntu2204 kernel[26262]: NET: Registered PF_PACKET protocol family
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type dns_resolver registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: cio: Channel measurement facility initialized using format extended (mode autodetected)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: sclp_sd: Store Data request failed (eq=2, di=3, response=0x40f0, flags=0x00, status=0, rc=-5)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ap: The hardware system does not support AP instructions
Sep 05 22:22:30 ubuntu2204 kernel[26262]: registered taskstats version 1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loading compiled-in X.509 certificates
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Build time autogenerated kernel key: 033cfe156234b615233dffd1cb0a66d4b6280b04'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: blacklist: Loading compiled-in revocation X.509 certificates
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: zswap: loaded using pool lzo/zbud
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type .fscrypt registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type fscrypt-provisioning registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Key type encrypted registered
Sep 05 22:22:30 ubuntu2204 kernel[26262]: AppArmor: AppArmor sha1 policy hashing enabled
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ima: No TPM chip found, activating TPM-bypass!
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loading compiled-in module X.509 certificates
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Loaded X.509 cert 'Build time autogenerated kernel key: 033cfe156234b615233dffd1cb0a66d4b6280b04'
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ima: Allocated hash algorithm: sha1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ima: No architecture policies found
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: Initialising EVM extended attributes:
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.selinux
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.SMACK64
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.SMACK64EXEC
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.SMACK64TRANSMUTE
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.SMACK64MMAP
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.apparmor
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.ima
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: security.capability
Sep 05 22:22:30 ubuntu2204 kernel[26262]: evm: HMAC attrs: 0x1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Freeing unused kernel image (initmem) memory: 5200K
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Write protected read-only-after-init data: 136k
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Checked W+X mappings: passed, no unexpected W+X pages found
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Run /init as init process
Sep 05 22:22:30 ubuntu2204 kernel[26262]: with arguments:
Sep 05 22:22:30 ubuntu2204 kernel[26262]: /init
Sep 05 22:22:30 ubuntu2204 kernel[26262]: with environment:
Sep 05 22:22:30 ubuntu2204 kernel[26262]: HOME=/
Sep 05 22:22:30 ubuntu2204 kernel[26262]: TERM=linux
Sep 05 22:22:30 ubuntu2204 kernel[26262]: blacklist=virtio_rng
Sep 05 22:22:30 ubuntu2204 kernel[26262]: cloud-init=disabled
Sep 05 22:22:30 ubuntu2204 kernel[26262]: virtio_blk virtio0: [vda] 209715200 512-byte logical blocks (107 GB/100 GiB)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: GPT:Primary header thinks Alt. header is not at the end of the disk.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: GPT:8388607 != 209715199
Sep 05 22:22:30 ubuntu2204 kernel[26262]: GPT:Alternate GPT header not at the end of the disk.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: GPT:8388607 != 209715199
Sep 05 22:22:30 ubuntu2204 kernel[26262]: GPT: Use GNU Parted to correct GPT errors.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: vda: vda1
Sep 05 22:22:30 ubuntu2204 kernel[26262]: virtio_blk virtio1: [vdb] 760 512-byte logical blocks (389 kB/380 KiB)
Sep 05 22:22:30 ubuntu2204 kernel[26262]: EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ISO 9660 Extensions: Microsoft Joliet Level 3
Sep 05 22:22:30 ubuntu2204 kernel[26262]: ISO 9660 Extensions: RRIP_1991A
Sep 05 22:22:30 ubuntu2204 kernel[26262]: EXT4-fs (dm-0): re-mounted. Opts: (null). Quota mode: none.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: systemd 249.11-0ubuntu3.9 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Detected virtualization kvm.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Detected architecture s390x.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Hostname set to <student02-paynowdemo>.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Initializing machine ID from random generator.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Installed transient /etc/machine-id file.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: /lib/systemd/system/verify-disk-encryption-invoker.service:6: Special user nobody configured, this is not safe!
Sep 05 22:22:30 ubuntu2204 systemd[26262]: /lib/systemd/system/se-dnslookup.service:10: Special user nobody configured, this is not safe!
Sep 05 22:22:30 ubuntu2204 systemd[26262]: /lib/systemd/system/hpl-catch-success.service:13: Special user nobody configured, this is not safe!
Sep 05 22:22:30 ubuntu2204 systemd[26262]: /lib/systemd/system/hpl-catch-failed.service:10: Special user nobody configured, this is not safe!
Sep 05 22:22:30 ubuntu2204 systemd[26262]: se-registry-auth.service: Found ordering cycle on basic.target/start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: se-registry-auth.service: Found dependency on sockets.target/start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: se-registry-auth.service: Found dependency on docker.socket/start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: se-registry-auth.service: Found dependency on se-registry-auth.service/start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: se-registry-auth.service: Job sockets.target/start deleted to break ordering cycle starting with se-registry-auth.service/start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Queued start job for default target Multi-User System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Created slice Slice /system/modprobe.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Created slice Slice /system/systemd-fsck.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Created slice User and Session Slice.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Dispatch Password Requests to Console Directory Watch.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Forward Password Requests to Wall Directory Watch.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Set up automount Arbitrary Executable File Formats File System Automount Point.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Local Encrypted Volumes.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Path Units.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Remote File Systems.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Slice Units.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Swaps.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Local Verity Protected Volumes.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Syslog Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on fsck to fsckd communication Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on initctl Compatibility Named Pipe.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Journal Audit Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Journal Socket (/dev/log).
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Journal Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Network Service Netlink Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on udev Control Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on udev Kernel Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting Huge Pages File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting POSIX Message Queue File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting Kernel Debug File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting Kernel Trace File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Journal Service...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set the console keyboard layout...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Create List of Static Device Nodes...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module chromeos_pstore...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module configfs...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module drm...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module efi_pstore...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module fuse...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module pstore_blk...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module pstore_zone...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Module ramoops...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in OpenVSwitch configuration for cleanup being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting File System Check on Root Device...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load Kernel Modules...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Coldplug All udev Devices...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted Huge Pages File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted POSIX Message Queue File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted Kernel Debug File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted Kernel Trace File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Create List of Static Device Nodes.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@chromeos_pstore.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module chromeos_pstore.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@configfs.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module configfs.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@fuse.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module fuse.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@pstore_zone.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module pstore_zone.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting FUSE Control File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting Kernel Configuration File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Modules.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted FUSE Control File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted Kernel Configuration File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Apply Kernel Variables...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@pstore_blk.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module pstore_blk.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@ramoops.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module ramoops.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@efi_pstore.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module efi_pstore.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Coldplug All udev Devices.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started File System Check Daemon to report status.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Apply Kernel Variables.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished File System Check on Root Device.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Remount Root and Kernel File Systems...
Sep 05 22:22:30 ubuntu2204 systemd-journald[26262]: Journal started
Sep 05 22:22:30 ubuntu2204 systemd-journald[26262]: Runtime Journal (/run/log/journal/96ad71740ae743c79acd51c6f69413fb) is 4.0M, max 32.0M, 28.0M free.
Sep 05 22:22:30 ubuntu2204 systemd-fsck[26262]: /dev/mapper/luks-655145dd-f4d0-4127-93ce-e1906a668299: clean, 26377/6291456 files, 808668/25161728 blocks
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Journal Service.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: EXT4-fs (dm-0): re-mounted. Opts: errors=remount-ro. Quota mode: none.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Remount Root and Kernel File Systems.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: modprobe@drm.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load Kernel Module drm.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Flush Journal to Persistent Storage...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in Platform Persistent Storage Archival being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load/Save Random Seed...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Create System Users...
Sep 05 22:22:30 ubuntu2204 systemd-journald[26262]: Time spent on flushing to /var/log/journal/96ad71740ae743c79acd51c6f69413fb is 2.551ms for 269 entries.
Sep 05 22:22:30 ubuntu2204 systemd-journald[26262]: System Journal (/var/log/journal/96ad71740ae743c79acd51c6f69413fb) is 8.0M, max 4.0G, 3.9G free.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Create System Users.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Create Static Device Nodes in /dev...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load/Save Random Seed.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in First Boot Complete being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Create Static Device Nodes in /dev.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Rule-based Manager for Device Events and Files...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Flush Journal to Persistent Storage.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set the console keyboard layout.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Preparation for Local File Systems.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Rule-based Manager for Device Events and Files.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Network Configuration...
Sep 05 22:22:30 ubuntu2204 kernel[26262]: VFIO - User Level meta-driver version: 0.3
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: lo: Link UP
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: lo: Gained carrier
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: Enumeration completed
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Network Configuration.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Wait for Network to be Configured...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Wait for Network to be Configured.
Sep 05 22:22:30 ubuntu2204 systemd-udevd[26262]: Using default interface naming scheme 'v249'.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: virtio_net virtio2 enc1: renamed from eth0
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Found device /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70.
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: eth0: Interface name change detected, renamed to enc1.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting File System Check on /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70...
Sep 05 22:22:30 ubuntu2204 systemd-udevd[26262]: Using default interface naming scheme 'v249'.
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: enc1: Link UP
Sep 05 22:22:30 ubuntu2204 systemd-fsck[26262]: /dev/vda1: clean, 13/262144 files, 140195/1048064 blocks
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished File System Check on /dev/disk/by-uuid/4d7e976d-b69c-48ec-9a8a-a47cd2e28e70.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting /boot...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted /boot.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Local File Systems.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Load AppArmor profiles...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set console font and keymap...
Sep 05 22:22:30 ubuntu2204 kernel[26262]: EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set Up Additional Binary Formats...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in Store a System Token in an EFI Variable being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Commit a transient machine-id on disk...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Create Volatile Files and Directories...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set console font and keymap.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: proc-sys-fs-binfmt_misc.automount: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 863 (systemd-binfmt)
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounting Arbitrary Executable File Formats File System...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Mounted Arbitrary Executable File Formats File System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set Up Additional Binary Formats.
Sep 05 22:22:30 ubuntu2204 apparmor.systemd[26262]: Restarting AppArmor
Sep 05 22:22:30 ubuntu2204 apparmor.systemd[26262]: Reloading AppArmor profiles
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Create Volatile Files and Directories.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Network Name Resolution...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Network Time Synchronization...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Record System Boot/Shutdown in UTMP...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Record System Boot/Shutdown in UTMP.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Commit a transient machine-id on disk.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Network Time Synchronization.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target System Time Set.
Sep 05 22:22:30 ubuntu2204 systemd-resolved[26262]: Positive Trust Anchors:
Sep 05 22:22:30 ubuntu2204 systemd-resolved[26262]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Sep 05 22:22:30 ubuntu2204 systemd-resolved[26262]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test
Sep 05 22:22:30 ubuntu2204 systemd-resolved[26262]: Using system hostname 'student02-paynowdemo'.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Network Name Resolution.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Network.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Network is Online.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Host and Network Name Lookups.
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=879 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=879 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.024:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=879 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.024:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=879 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=878 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 apparmor.systemd[26262]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.034:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lsb_release" pid=878 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Load AppArmor profiles.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target System Initialization.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Daily apt download activities.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Daily apt upgrade and clean activities.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Daily dpkg database backup timer.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Periodic ext4 Online Metadata Check for All Filesystems.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.294:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.294:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.294:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952548.294:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=880 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Discard unused blocks once a week.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Daily rotation of log files.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Message of the Day.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Podman auto-update timer.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Daily Cleanup of Temporary Directories.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in Ubuntu Pro Timer for running repeated jobs being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Timer for calling verify disk encryption invoker service.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Basic System.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Timer Units.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on D-Bus System Message Bus Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Podman API Socket.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting containerd container runtime...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started D-Bus System Message Bus.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Save initial kernel messages after boot.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Remove Stale Online ext4 Metadata Check Snapshots...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in getty on tty2-tty6 if dbus and logind are not available being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Login Prompts.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Dispatcher daemon for systemd-networkd...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Podman auto-update service...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Podman Start All Containers With Restart Policy Set To Always...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Podman API Service...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Logging Configuration...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting User Login Management...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Permit User Sessions...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in Ubuntu Pro reboot cmds being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Condition check resulted in Ubuntu Pro Background Auto Attach being skipped.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Podman API Service.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Permit User Sessions.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set console scheme...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set console scheme.
Sep 05 22:22:30 ubuntu2204 dbus-daemon[26262]: [system] AppArmor D-Bus mediation is enabled
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.429144732Z" level=info msg="starting containerd" revision= version=1.7.2
Sep 05 22:22:30 ubuntu2204 systemd-logind[26262]: New seat seat0.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started User Login Management.
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.481841275Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." type=io.containerd.snapshotter.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.481966874Z" level=info msg="skip loading plugin \"io.containerd.snapshotter.v1.btrfs\"..." error="path /var/lib/containerd/io.containerd.snapshotter.v1.btrfs (ext4) must be a btrfs filesystem to be used with the btrfs snapshotter: skip plugin" type=io.containerd.snapshotter.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.481980901Z" level=info msg="loading plugin \"io.containerd.content.v1.content\"..." type=io.containerd.content.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.482038824Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.native\"..." type=io.containerd.snapshotter.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.482094169Z" level=info msg="loading plugin \"io.containerd.snapshotter.v1.overlayfs\"..." type=io.containerd.snapshotter.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.482208824Z" level=info msg="loading plugin \"io.containerd.metadata.v1.bolt\"..." type=io.containerd.metadata.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.482262894Z" level=info msg="metadata content store policy set" policy=shared
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.490944229Z" level=info msg="loading plugin \"io.containerd.differ.v1.walking\"..." type=io.containerd.differ.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.490961416Z" level=info msg="loading plugin \"io.containerd.event.v1.exchange\"..." type=io.containerd.event.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.490975325Z" level=info msg="loading plugin \"io.containerd.gc.v1.scheduler\"..." type=io.containerd.gc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.490997777Z" level=info msg="loading plugin \"io.containerd.lease.v1.manager\"..." type=io.containerd.lease.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491010169Z" level=info msg="loading plugin \"io.containerd.nri.v1.nri\"..." type=io.containerd.nri.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491043531Z" level=info msg="NRI interface is disabled by configuration."
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491053578Z" level=info msg="loading plugin \"io.containerd.runtime.v2.task\"..." type=io.containerd.runtime.v2
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491119236Z" level=info msg="loading plugin \"io.containerd.runtime.v2.shim\"..." type=io.containerd.runtime.v2
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491134201Z" level=info msg="loading plugin \"io.containerd.sandbox.store.v1.local\"..." type=io.containerd.sandbox.store.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491145659Z" level=info msg="loading plugin \"io.containerd.sandbox.controller.v1.local\"..." type=io.containerd.sandbox.controller.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491156719Z" level=info msg="loading plugin \"io.containerd.streaming.v1.manager\"..." type=io.containerd.streaming.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491167561Z" level=info msg="loading plugin \"io.containerd.service.v1.introspection-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491181095Z" level=info msg="loading plugin \"io.containerd.service.v1.containers-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491193104Z" level=info msg="loading plugin \"io.containerd.service.v1.content-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491203846Z" level=info msg="loading plugin \"io.containerd.service.v1.diff-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491214358Z" level=info msg="loading plugin \"io.containerd.service.v1.images-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491224386Z" level=info msg="loading plugin \"io.containerd.service.v1.namespaces-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491237314Z" level=info msg="loading plugin \"io.containerd.service.v1.snapshots-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491247146Z" level=info msg="loading plugin \"io.containerd.runtime.v1.linux\"..." type=io.containerd.runtime.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491294104Z" level=info msg="loading plugin \"io.containerd.monitor.v1.cgroups\"..." type=io.containerd.monitor.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491477745Z" level=info msg="loading plugin \"io.containerd.service.v1.tasks-service\"..." type=io.containerd.service.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491502174Z" level=info msg="loading plugin \"io.containerd.grpc.v1.introspection\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491513583Z" level=info msg="loading plugin \"io.containerd.transfer.v1.local\"..." type=io.containerd.transfer.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491529769Z" level=info msg="loading plugin \"io.containerd.internal.v1.restart\"..." type=io.containerd.internal.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491570098Z" level=info msg="loading plugin \"io.containerd.grpc.v1.containers\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491581805Z" level=info msg="loading plugin \"io.containerd.grpc.v1.content\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491591976Z" level=info msg="loading plugin \"io.containerd.grpc.v1.diff\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491640808Z" level=info msg="loading plugin \"io.containerd.grpc.v1.events\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491653827Z" level=info msg="loading plugin \"io.containerd.grpc.v1.healthcheck\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491663601Z" level=info msg="loading plugin \"io.containerd.grpc.v1.images\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491672810Z" level=info msg="loading plugin \"io.containerd.grpc.v1.leases\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491681803Z" level=info msg="loading plugin \"io.containerd.grpc.v1.namespaces\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.491691621Z" level=info msg="loading plugin \"io.containerd.internal.v1.opt\"..." type=io.containerd.internal.v1
Sep 05 22:22:30 ubuntu2204 systemd[26262]: e2scrub_reap.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Remove Stale Online ext4 Metadata Check Snapshots.
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494518335Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandbox-controllers\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494533930Z" level=info msg="loading plugin \"io.containerd.grpc.v1.sandboxes\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494545431Z" level=info msg="loading plugin \"io.containerd.grpc.v1.snapshots\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494555781Z" level=info msg="loading plugin \"io.containerd.grpc.v1.streaming\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494569019Z" level=info msg="loading plugin \"io.containerd.grpc.v1.tasks\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494580297Z" level=info msg="loading plugin \"io.containerd.grpc.v1.transfer\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494589947Z" level=info msg="loading plugin \"io.containerd.grpc.v1.version\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494598932Z" level=info msg="loading plugin \"io.containerd.grpc.v1.cri\"..." type=io.containerd.grpc.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494691551Z" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[BinaryName: CriuImagePath: CriuPath: CriuWorkPath: IoGid:0 IoUid:0 NoNewKeyring:false NoPivotRoot:false Root: ShimCgroup: SystemdCgroup:false] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:podsandbox}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/opt/cni/bin NetworkPluginConfDir:/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath: Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:0 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:registry.k8s.io/pause:3.8 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:false EnableUnprivilegedICMP:false EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:1m0s DrainExecSyncIOTimeout:0s} ContainerdRootDir:/var/lib/containerd ContainerdEndpoint:/run/containerd/containerd.sock RootDir:/var/lib/containerd/io.containerd.grpc.v1.cri StateDir:/run/containerd/io.containerd.grpc.v1.cri}"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494737417Z" level=info msg="Connect containerd service"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494756121Z" level=info msg="using legacy CRI server"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494761467Z" level=info msg="using experimental NRI integration - disable nri plugin to prevent this"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.494807386Z" level=info msg="Get image filesystem path \"/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs\""
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.495959683Z" level=info msg="loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." type=io.containerd.tracing.processor.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.495974989Z" level=info msg="skip loading plugin \"io.containerd.tracing.processor.v1.otlp\"..." error="no OpenTelemetry endpoint: skip plugin" type=io.containerd.tracing.processor.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.495985324Z" level=info msg="loading plugin \"io.containerd.internal.v1.tracing\"..." type=io.containerd.internal.v1
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496006364Z" level=info msg="Start subscribing containerd event"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496037713Z" level=info msg="Start recovering state"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496080616Z" level=info msg="Start event monitor"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496090938Z" level=info msg="Start snapshots syncer"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496097604Z" level=info msg="Start cni network conf syncer for default"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496102877Z" level=info msg="Start streaming server"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496256044Z" level=info msg="skipping tracing processor initialization (no tracing plugin)" error="no OpenTelemetry endpoint: skip plugin"
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496399091Z" level=info msg=serving... address=/run/containerd/containerd.sock.ttrpc
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.496419905Z" level=info msg=serving... address=/run/containerd/containerd.sock
Sep 05 22:22:30 ubuntu2204 networkd-dispatcher[26262]: No valid path found for iwconfig
Sep 05 22:22:30 ubuntu2204 networkd-dispatcher[26262]: No valid path found for iw
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Dispatcher daemon for systemd-networkd.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started containerd container runtime.
Sep 05 22:22:30 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:28.508349412Z" level=info msg="containerd successfully booted in 0.079960s"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="/usr/bin/podman filtering at log level info"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="/usr/bin/podman filtering at log level info"
Sep 05 22:22:30 ubuntu2204 systemd[26262]: etc-machine\x2did.mount: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: var-lib-containers-storage-overlay-metacopy\x2dcheck1945055672-merged.mount: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="[graphdriver] using prior storage driver: overlay"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist"
Sep 05 22:22:30 ubuntu2204 podman[26262]: 2023-09-05 22:22:28.729521205 +0000 UTC m=+0.354964756 system refresh
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="Setting parallel job count to 7"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="Setting parallel job count to 7"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="using systemd socket activation to determine API endpoint"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="using API endpoint: ''"
Sep 05 22:22:30 ubuntu2204 podman[26262]: time="2023-09-05T22:22:28Z" level=info msg="API service listening on \"/run/podman/podman.sock\""
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: enc1: Gained carrier
Sep 05 22:22:30 ubuntu2204 kernel[26262]: IPv6: ADDRCONF(NETDEV_CHANGE): enc1: link becomes ready
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Podman Start All Containers With Restart Policy Set To Always.
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: enc1: DHCPv4 address 172.16.0.82/24 via 172.16.0.1
Sep 05 22:22:30 ubuntu2204 dbus-daemon[26262]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=100 pid=806 comm="/lib/systemd/systemd-networkd " label="unconfined")
Sep 05 22:22:30 ubuntu2204 systemd-timesyncd[26262]: Network configuration changed, trying to establish connection.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Hostname Service...
Sep 05 22:22:30 ubuntu2204 dbus-daemon[26262]: [system] Successfully activated service 'org.freedesktop.hostname1'
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Hostname Service.
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: Could not set hostname: Access denied
Sep 05 22:22:30 ubuntu2204 systemd-timesyncd[26262]: Initial synchronization to time server 185.125.190.58:123 (ntp.ubuntu.com).
Sep 05 22:22:30 ubuntu2204 systemd[26262]: podman-auto-update.service: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Podman auto-update service.
Sep 05 22:22:30 ubuntu2204 hpcr-dnslookup[26262]: HPL14000I: Network connectivity check completed successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Logging Configuration.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Early Initialization.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Logging to remote monitoring server is initiated..
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Logging Configuration...
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: Configuring logging ...
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: Version [1.1.145]
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: Configuring logging, input [/var/hyperprotect/user-data.decrypted] ...
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: ValidateContractE ...
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: config written: /etc/rsyslog.d/22-logging.conf
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: HPL01010I: Logging has been setup successfully.
Sep 05 22:22:30 ubuntu2204 hpcr-logging[26262]: Logging has been configured
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Logging Configuration.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting System Logging Service...
Sep 05 22:22:30 ubuntu2204 rsyslogd[26262]: rsyslogd's groupid changed to 111
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started System Logging Service.
Sep 05 22:22:30 ubuntu2204 rsyslogd[26262]: rsyslogd's userid changed to 104
Sep 05 22:22:30 ubuntu2204 rsyslogd[26262]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="1044" x-info="https://www.rsyslog.com"] start
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Synchronizes the Logging Target.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Logging to remote log server is initiated..
Sep 05 22:22:30 ubuntu2204 rsyslogd[26262]: imjournal: No statefile exists, /var/spool/rsyslog/journal_state will be created (ignore if this is first run): No such file or directory [v8.2112.0 try https://www.rsyslog.com/e/2040 ]
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that does validation of contract...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting HPCR Registry Authentication...
Sep 05 22:22:30 ubuntu2204 hpcr-contract[26262]: Welcome to SE Contract Validator
Sep 05 22:22:30 ubuntu2204 hpcr-contract[26262]: Contract file passed is: /var/hyperprotect/user-data.decrypted
Sep 05 22:22:30 ubuntu2204 hpcr-registry-auth[26262]: Starting Registry Authentication ...
Sep 05 22:22:30 ubuntu2204 hpcr-registry-auth[26262]: Version [1.0.70]
Sep 05 22:22:30 ubuntu2204 rsyslogd[26262]: imjournal: journal files changed, reloading... [v8.2112.0 try https://www.rsyslog.com/e/0 ]
Sep 05 22:22:30 ubuntu2204 hpcr-registry-auth[26262]: Writing auth config: /root/.docker/config.json
Sep 05 22:22:30 ubuntu2204 hpcr-registry-auth[26262]: Registry Authentication started
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished HPCR Registry Authentication.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Docker Socket for the API...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Listening on Docker Socket for the API.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Docker Application Container Engine...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.672740594Z" level=info msg="Starting up"
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.684275456Z" level=info msg="detected 127.0.0.53 nameserver, assuming systemd-resolved, so using resolv.conf: /run/systemd/resolve/resolv.conf"
Sep 05 22:22:30 ubuntu2204 audit[26262]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=1068 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.749209491Z" level=info msg="parsed scheme: \"unix\"" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.749278826Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.749315855Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.749349509Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.751021396Z" level=info msg="parsed scheme: \"unix\"" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.751057665Z" level=info msg="scheme \"unix\" not registered, fallback to default scheme" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.751086981Z" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/containerd/containerd.sock <nil> 0 <nil>}] <nil> <nil>}" module=grpc
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.751114718Z" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Sep 05 22:22:30 ubuntu2204 kernel[26262]: audit: type=1400 audit(1693952549.735:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=1068 comm="apparmor_parser"
Sep 05 22:22:30 ubuntu2204 hpcr-contract[26262]: Contract file is valid.
Sep 05 22:22:30 ubuntu2204 hpcr-contract[26262]: Extracting workload from /var/hyperprotect/user-data.decrypted to /var/hyperprotect/workload-data.decrypted
Sep 05 22:22:30 ubuntu2204 hpcr-contract[26262]: Extraction completed
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Service that does validation of contract.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that does signature validation of Env Workload of contract...
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Welcome to SE ENV Workload Signature Validator
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:29.835870657Z" level=info msg="Loading containers: start."
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Decrypted Contract file passed is: /var/hyperprotect/workload-data.decrypted
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Encrypted Contract file passed is: /var/hyperprotect/cidata/user-data
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Check Dependency params Public key and EnvWorkload signature
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Access Public key and EnvWorkload signature
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Create combined EnvWorkload contract content
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Verify signing key, signature and combined EnvWorkload contract
Sep 05 22:22:30 ubuntu2204 kernel[26262]: bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Bridge firewalling registered
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Verified OK
Sep 05 22:22:30 ubuntu2204 hpcr-signature[26262]: Successfully verified contract with signature and signing key
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Service that does signature validation of Env Workload of contract.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Contract is unpacked and ready for consumption..
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that waits until the user devices are ready...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set podman image policy...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: Waiting for devices ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: Version [1.0.112]
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: WaitForDevices input=[/var/hyperprotect/user-data.decrypted], timeout=[2023-09-05 22:37:29.889691719 +0000 UTC m=+900.024319178]
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: ParseContract ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: ValidateContract ...
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: enc1: Gained IPv6LL
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: MergeVolumes ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-standby[26262]: Waiting for devices is completed
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Service that waits until the user devices are ready.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that mounts the data volumes after they are ready...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: Mounting volumes ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: Version [1.0.112]
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: MountVolumes input=[/var/hyperprotect/user-data.decrypted]
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: ParseContract ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: ValidateContract ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: MergeVolumes ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: Mounting volumes ...
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: Volume config ..
Sep 05 22:22:30 ubuntu2204 hpcr-disk-mount[26262]: HPL07003I: Mounting volumes done
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Service that mounts the data volumes after they are ready.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Reached target Data volumes are mounted ready to be used..
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Service that verifies all disks are encrypted and logs output to systemd journal.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Service that periodically logs entry to trigger verify disk encryption service.
Sep 05 22:22:30 ubuntu2204 verify-disk-encryption[26262]: Verify disk encryption started...
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Getting image source signatures
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Copying blob sha256:66d62867ae2452322f4769f943913be00b22e73039d1902e8f785b9f49838193
Sep 05 22:22:30 ubuntu2204 kernel[26262]: Initializing XFRM netlink socket
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.064508356Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Sep 05 22:22:30 ubuntu2204 networkd-dispatcher[26262]: WARNING:Unknown index 3 seen, reloading interface list
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Copying config sha256:9eca761232387055827db0a9f2232f2635bc8c6d5f23ecfb39d34bb4ab0dca09
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Writing manifest to image destination
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Storing signatures
Sep 05 22:22:30 ubuntu2204 systemd-networkd[26262]: docker0: Link UP
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.140157723Z" level=info msg="Loading containers: done."
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Loaded image(s): k8s.gcr.io/pause:3.5
Sep 05 22:22:30 ubuntu2204 podman[26262]: 2023-09-05 22:22:29.991201384 +0000 UTC m=+0.127793409 image loadfromarchive /usr/local/se-image-play/pause.tar
Sep 05 22:22:30 ubuntu2204 sudo[26262]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/se-image-play
Sep 05 22:22:30 ubuntu2204 sudo[26262]: pam_unix(sudo:session): session opened for user nobody(uid=65534) by (uid=0)
Sep 05 22:22:30 ubuntu2204 hpcr-image-play[26262]: Version [1.1.112]
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.212277099Z" level=info msg="Docker daemon" commit="20.10.25-0ubuntu1~22.04.2" graphdriver(s)=overlay2 version=20.10.25
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.212332016Z" level=info msg="Daemon has completed initialization"
Sep 05 22:22:30 ubuntu2204 sudo[26262]: pam_unix(sudo:session): session closed for user nobody
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set podman image policy.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that creates a set of containers...
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Started Docker Application Container Engine.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Set docker image policy...
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Starting image service...
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Contract yaml file: /var/hyperprotect/workload-data.decrypted
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Extracting image contract
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Successfully extracted Image contract
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Extracting container contract
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Checking for image with digest
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: No image for DCT verification
Sep 05 22:22:30 ubuntu2204 hpcr-image[26262]: Image service completed successfully
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Set docker image policy.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Starting Service that creates a set of containers...
Sep 05 22:22:30 ubuntu2204 sudo[26262]: root : PWD=/ ; USER=nobody ; COMMAND=/usr/local/bin/se-container-play
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Starting container service...
Sep 05 22:22:30 ubuntu2204 sudo[26262]: pam_unix(sudo:session): session opened for user nobody(uid=65534) by (uid=0)
Sep 05 22:22:30 ubuntu2204 hpcr-container-play[26262]: Version [1.1.116]
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Validating contract...
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Compose folder /data1/compose created
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Contract yaml file: /var/hyperprotect/workload-data.decrypted
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Compose folder: /data1/compose
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Validation completed
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Parsing contract...
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Parsing of the Contract File completed successfully
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Extracting compose...
Sep 05 22:22:30 ubuntu2204 sudo[26262]: pam_unix(sudo:session): session closed for user nobody
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Extracting done...
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Extracting the ENV Contents...
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Writing new env file /data1/compose/.env ...
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Reading existing env file /data1/compose/.env ...
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.270893886Z" level=info msg="API listen on /run/docker.sock"
Sep 05 22:22:30 ubuntu2204 hpcr-container-play[26262]: HPL15004I: The pod started successfully.
Sep 05 22:22:30 ubuntu2204 hpcr-container-play[26262]: HPL15006I: No pod definitions found.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: Finished Service that creates a set of containers.
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Extracting of environment contents done
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Check if docker is ready
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: docker-compose.yml file is present in the directory
Sep 05 22:22:30 ubuntu2204 hpcr-container[26262]: Starting workload containers...
Sep 05 22:22:30 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:30.471972387Z" level=warning msg="reference for unknown type: " digest="sha256:b0921f4009b33b926aeae931fef2b0536514e7a62ae013cee6c345b1ac7f11bb" remote="quay.io/bsilliman/paynow@sha256:b0921f4009b33b926aeae931fef2b0536514e7a62ae013cee6c345b1ac7f11bb"
Sep 05 22:22:30 ubuntu2204 systemd[26262]: var-lib-docker-overlay2-opaque\x2dbug\x2dcheck3647899609-merged.mount: Deactivated successfully.
Sep 05 22:22:30 ubuntu2204 systemd[26262]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Sep 05 22:22:33 ubuntu2204 systemd[26262]: dmesg.service: Deactivated successfully.
Sep 05 22:22:34 ubuntu2204 systemd[26262]: var-lib-containers-storage-overlay.mount: Deactivated successfully.
Sep 05 22:22:34 ubuntu2204 systemd[26262]: podman.service: Deactivated successfully.
Sep 05 22:22:35 ubuntu2204 verify-disk-encryption[26262]: HPL13000I: Verify LUKS Encryption
Sep 05 22:22:35 ubuntu2204 systemd[26262]: verify-disk-encryption-invoker.service: Deactivated successfully.
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value for disk-encrypt: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Executed cmd: ('lsblk', '-b', '-n', '-o', 'NAME,SIZE')
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Stdout: vda 107374182400
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: ├─vda1 4292870144
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: └─vda2 103079215104
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: └─luks-655145dd-f4d0-4127-93ce-e1906a668299 103062437888
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: vdb 389120
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: List of volumes greater than or equal to 10GB are: ['/dev/vda']
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Updated Volumes list: ['/dev/vda2']
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Executed cmd: ('lsblk', '/dev/vda2', '-b', '-n', '-o', 'NAME,MOUNTPOINT')
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Stdout: vda2
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: └─luks-655145dd-f4d0-4127-93ce-e1906a668299 /
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Boot volume is /dev/vda2
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Volume /dev/vda2 has mount point /
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: List of mounted volumes are: ['/dev/vda2']
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Verifying the boot disk /dev/vda2 is encrypted or not
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Executed cmd: ('lsblk', '/dev/vda2', '-b', '-n', '-o', 'NAME,TYPE')
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Stdout: vda2 part
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: └─luks-655145dd-f4d0-4127-93ce-e1906a668299 crypt
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Executed cmd: ('cryptsetup', 'isLuks', '/dev/vda2')
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Executed cmd: ('cryptsetup', 'luksDump', '/dev/vda2')
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: Return value: 0
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: HPL13003I: Checked for mount point /, LUKS encryption with 1 key slot found
Sep 05 22:22:36 ubuntu2204 verify-disk-encryption[26262]: HPL13001I: Boot volume and all the mounted data volumes are encrypted
Sep 05 22:22:51 ubuntu2204 systemd-udevd[26262]: Using default interface naming scheme 'v249'.
Sep 05 22:22:51 ubuntu2204 networkd-dispatcher[26262]: WARNING:Unknown index 4 seen, reloading interface list
Sep 05 22:22:51 ubuntu2204 systemd-networkd[26262]: br-18668bffa6c4: Link UP
Sep 05 22:22:51 ubuntu2204 systemd[26262]: var-lib-docker-overlay2-f3c1a612a8c718d9bedf6660b26f19d716c7209957913735e391abaf24f79bfe\x2dinit-merged.mount: Deactivated successfully.
Sep 05 22:22:52 ubuntu2204 systemd-udevd[26262]: Using default interface naming scheme 'v249'.
Sep 05 22:22:52 ubuntu2204 networkd-dispatcher[26262]: WARNING:Unknown index 5 seen, reloading interface list
Sep 05 22:22:52 ubuntu2204 systemd-udevd[26262]: Using default interface naming scheme 'v249'.
Sep 05 22:22:52 ubuntu2204 systemd-networkd[26262]: veth5f369da: Link UP
Sep 05 22:22:52 ubuntu2204 kernel[26262]: br-18668bffa6c4: port 1(veth5f369da) entered blocking state
Sep 05 22:22:52 ubuntu2204 kernel[26262]: br-18668bffa6c4: port 1(veth5f369da) entered disabled state
Sep 05 22:22:52 ubuntu2204 kernel[26262]: device veth5f369da entered promiscuous mode
Sep 05 22:22:52 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:52.390932760Z" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"
Sep 05 22:22:52 ubuntu2204 dockerd[26262]: time="2023-09-05T22:22:52.391093655Z" level=info msg="IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]"
Sep 05 22:22:52 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:52.444170398Z" level=info msg="loading plugin \"io.containerd.internal.v1.shutdown\"..." runtime=io.containerd.runc.v2 type=io.containerd.internal.v1
Sep 05 22:22:52 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:52.444224119Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.pause\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Sep 05 22:22:52 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:52.444243857Z" level=info msg="loading plugin \"io.containerd.event.v1.publisher\"..." runtime=io.containerd.runc.v2 type=io.containerd.event.v1
Sep 05 22:22:52 ubuntu2204 containerd[26262]: time="2023-09-05T22:22:52.444258768Z" level=info msg="loading plugin \"io.containerd.ttrpc.v1.task\"..." runtime=io.containerd.runc.v2 type=io.containerd.ttrpc.v1
Sep 05 22:22:52 ubuntu2204 systemd[26262]: Started libcontainer container dc86fe6e55dae4e9803d3362e55ed084ee06c785e89bcd1dd547eb0e058cbfe1.
Sep 05 22:22:52 ubuntu2204 kernel[26262]: eth0: renamed from veth8e0c9a3
Sep 05 22:22:53 ubuntu2204 systemd-networkd[26262]: veth5f369da: Gained carrier
Sep 05 22:22:53 ubuntu2204 systemd-networkd[26262]: br-18668bffa6c4: Gained carrier
Sep 05 22:22:53 ubuntu2204 kernel[26262]: IPv6: ADDRCONF(NETDEV_CHANGE): veth5f369da: link becomes ready
Sep 05 22:22:53 ubuntu2204 kernel[26262]: br-18668bffa6c4: port 1(veth5f369da) entered blocking state
Sep 05 22:22:53 ubuntu2204 kernel[26262]: br-18668bffa6c4: port 1(veth5f369da) entered forwarding state
Sep 05 22:22:53 ubuntu2204 kernel[26262]: IPv6: ADDRCONF(NETDEV_CHANGE): br-18668bffa6c4: link becomes ready
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Docker Compose Logs:
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: paynow Pulling
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 6404e912b557 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: c9fe958b3ae4 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 5c31cf8345fa Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7b32651b0169 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0d117aef64cc Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 197acf2cade1 Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: d78e4d77283b Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 8b3975218acc Pulling fs layer
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: c9fe958b3ae4 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 5c31cf8345fa Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7b32651b0169 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0d117aef64cc Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 197acf2cade1 Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: d78e4d77283b Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 8b3975218acc Waiting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [> ] 540.7kB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [=========> ] 9.697MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 6404e912b557 Downloading [> ] 51.93kB/5.149MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [=================> ] 18.79MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Downloading [> ] 110.1kB/10.77MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 6404e912b557 Downloading [=================> ] 1.767MB/5.149MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [========================> ] 25.78MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 6404e912b557 Downloading [==================================================>] 5.149MB/5.149MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 6404e912b557 Download complete
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Downloading [=========> ] 2.066MB/10.77MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [=================================> ] 35.99MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Downloading [=====================> ] 4.708MB/10.77MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Downloading [==========================================> ] 45.67MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Downloading [================================> ] 6.891MB/10.77MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Verifying Checksum
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Download complete
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Downloading [=========================================> ] 8.96MB/10.77MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [> ] 557.1kB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [> ] 540.7kB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Verifying Checksum
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 0561ee66ff6a Download complete
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [===> ] 3.342MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [=======> ] 8.059MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [======> ] 6.685MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [=============> ] 15.02MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [========> ] 9.47MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [====================> ] 21.96MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Downloading [> ] 538.4kB/172.8MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [===========> ] 12.26MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Downloading [=> ] 3.75MB/172.8MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Downloading [======> ] 581B/4.203kB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Downloading [==================================================>] 4.203kB/4.203kB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Verifying Checksum
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 65a3fb6c13d7 Download complete
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [=========================> ] 27.85MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [=============> ] 14.48MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Downloading [===> ] 10.73MB/172.8MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [===============> ] 16.71MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [================================> ] 34.85MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Downloading [====> ] 17.14MB/172.8MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [=====================================> ] 40.77MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [==================> ] 20.05MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 2854c5c8fd87 Downloading [======> ] 22.51MB/172.8MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 7a6c7ccf7cb5 Downloading [=========================================> ] 44.54MB/54.06MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: 51f6de0debe6 Extracting [=====================> ] 23.4MB/53.28MB
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: paynow Pulled
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Network compose_default Creating
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Network compose_default Created
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Container compose-paynow-1 Creating
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Container compose-paynow-1 Created
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Container compose-paynow-1 Starting
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Container compose-paynow-1 Started
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Docker compose result:
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: dc86fe6e55da quay.io/bsilliman/paynow "docker-entrypoint.s…" 2 seconds ago Up Less than a second 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp compose-paynow-1
Sep 05 22:22:53 ubuntu2204 hpcr-container[26262]: Container service completed successfully
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Finished Service that creates a set of containers.
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Reached target Workload is up and running..
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Starting Phase2 Catch Service...
Sep 05 22:22:53 ubuntu2204 hpcr-catch-success[26262]: VSI has started successfully.
Sep 05 22:22:53 ubuntu2204 hpcr-catch-success[26262]: HPL10001I: Services succeeded -> systemd triggered hpl-catch-success service
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Finished Phase2 Catch Service.
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Reached target Multi-User System.
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Starting Record Runlevel Change in UTMP...
Sep 05 22:22:53 ubuntu2204 systemd[26262]: systemd-update-utmp-runlevel.service: Deactivated successfully.
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Finished Record Runlevel Change in UTMP.
Sep 05 22:22:53 ubuntu2204 systemd[26262]: Startup finished in 28.387s (kernel) + 25.442s (userspace) = 53.830s.
Sep 05 22:22:53 ubuntu2204 compose-paynow-1[26262]:
Sep 05 22:22:53 ubuntu2204 compose-paynow-1[26262]: > hyper-protect-pay-now@1.0.0 start
Sep 05 22:22:53 ubuntu2204 compose-paynow-1[26262]: > node app.js
Sep 05 22:22:53 ubuntu2204 compose-paynow-1[26262]:
Sep 05 22:22:54 ubuntu2204 systemd-networkd[26262]: br-18668bffa6c4: Gained IPv6LL
Sep 05 22:22:54 ubuntu2204 systemd-networkd[26262]: veth5f369da: Gained IPv6LL
Please click the Next link at the bottom right of the page to continue with the lab.
Use the HPVS-based PayNow demo app¶
In your RHEL host terminal session, enter this command:
echo https://192.168.22.64:${Student_HPVS_PayNow_Port}
This will fill out the URL with your student specific port for your HPVS Guest that runs the PayNow demo, which you just started up in the previous section.
Your port has been specified in an environment variable specified in your RHEL host login id's profile.
It should be a number from 29444 to 29463.
The formula is 29443 plus the two digit suffix of your RHEL host login id.
Right-click on the completed URL and choose Open Link and it will open up the PayNow demo in another tab in your Firefox browser on your jumpbox.
The demo uses a self-signed X.509 certificate which your browser will not recognize, so you will have to "click through" any warnings that appear. For a "real world", production application, this would not be an acceptable setup, but it is okay for the purposes of this demo app- the certificate still encrypts the data that travels over the network, it just doesn't have the pre-established trust from your browser that it would have if it had been signed by a certificate authority that your browser or operating system was configured to trust.
This is the exact same application that you already worked with in a regular KVM guest, so the user interface is the same. Add one or more fake payments- if you need a refresher on using the UI, continue to read the below paragraphs which are repeats from a previous section when you used the app in your standard KVM guest.
Click either the PayNow link at the top right of the page or the PayNow button in the middle of the page.
You will be shown a "Payment Form" that has fields to enter a name, email address, credit card number, CVV, and amount, respectively. You can, and should, enter fake values for everything. Just enter any 16 digits for credit card number and any 3 digits for CVV. Click the "Pay Now" button just underneath the payment amount field.
You will see a new icon underneath that contains the name and payment amount you entered, and a randomly chosen picture displayed underneath- you may find that the picture shown under your name is radically different from what you look like in real life. Note that these pictures are randomly chosen each time the page refreshes.
Feel free to add another payment or two- one is really enough for demo purposes, but it won't cause harm to enter more than one payment.
Click the Next link at the bottom right of this page to continue with the lab.
Try to find sensitive data in core dump¶
Switch to your RHEL host terminal session¶
Switch to your terminal tab or window for your RHEL host session:
Switch to your home directory:
cd ${HOME}
Take a core dump of your HPVS KVM guest running the PayNow demo:
sudo /usr/local/bin/gcoreMyPaynowGuest.sh
Sample output from dumping your HPVS KVM guest
my PayNow HPVS guest Pid is 3200448
[New LWP 3200500]
[New LWP 3200505]
[New LWP 3200506]
[New LWP 3200507]
[New LWP 3201027]
[New LWP 3201028]
[New LWP 3201029]
[New LWP 3201030]
[New LWP 3201031]
[New LWP 3201032]
[New LWP 3201033]
[New LWP 3201034]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
0x000003ff8e1711f4 in ppoll () from target:/lib64/libc.so.6
Saved corefile core.3200448
[Inferior 1 (process 3200448) detached]
Optional: Display the contents of the script you just ran if you are curious as to how it worked:
cat /usr/local/bin/gcoreMyPaynowGuest.sh
Contents of the gcoreMyPaynowGuest.sh script
#!/bin/sh
# Find the QEMU process for this student's HPVS guest: the guest name is paynowse
# followed by the two-digit suffix of the login id (SUDO_USER, since the script runs under sudo)
myPid=$(ps aux | grep qemu | grep guest=paynowse$(temp=${SUDO_USER} && echo ${temp: -2}) | awk '{print $2}')
echo my PayNow HPVS guest Pid is ${myPid}
# Dump the process memory to core.<pid> in the current directory
/opt/rh/gcc-toolset-9/root/usr/bin/gcore ${myPid} 2>/dev/null
# Give the student ownership of the dump file
chown ${SUDO_USER}:hpvs_students /home/${SUDO_USER}/core.${myPid}
The script runs with root authority- it lists processes, grabs the process ID for your HPVS guest running PayNow, takes a core (memory) dump of the process, and then assigns your userid ownership of the dump file.
Set an environment variable for the process ID of your HPVS KVM guest running PayNow. The script you ran did this as well, but only for the duration of the script execution, so you need to do it again:
myHPVSPaynowPid=$(ps aux | grep qemu \
| grep paynowse$(temp=$(whoami) \
&& echo ${temp: -2}) | awk '{print $2}')
echo My HPVS Guest for PayNow demo process id is ${myHPVSPaynowPid}
Attempt to pick out sensitive credit card information from the core dump:
strings core.${myHPVSPaynowPid} | grep creditCard
In contrast to what you saw when performing the above procedure against a standard KVM guest running the PayNow demo app, this time you do not see any sensitive data, thanks to the protection offered by Hyper Protect Virtual Servers 2.1.x: the guest's memory is not readable by the host, so even a core dump taken with root authority on the host exposes nothing. You are protected from malicious insider attacks!
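As an added example (not one of the lab's scripts), the check above can be turned into a small scanner that reproduces the strings | grep creditCard search and additionally counts bare 16-digit runs only when they pass the Luhn checksum, so a stray run of digits in a dump is not mistaken for a leak. The two sample dumps it scans are constructed inline (one standing in for readable standard-KVM guest memory, one for the HPVS guest); they are not real core files, and the printable-run extraction is done with tr and awk so binutils is not required.

```shell
#!/bin/sh
# Added example, not part of the lab: scan a memory dump for plaintext payment
# data the way the lab's "strings core.<pid> | grep creditCard" check does,
# plus a Luhn test so only plausible card numbers are counted.

# luhn_ok DIGITS: exit 0 when the digit string passes the Luhn checksum.
luhn_ok() {
    printf '%s\n' "$1" | awk '{
        s = 0; n = length($0)
        for (i = n; i >= 1; i--) {
            d = substr($0, i, 1) + 0
            # every second digit, counted from the right, is doubled
            if ((n - i) % 2 == 1) { d *= 2; if (d > 9) d -= 9 }
            s += d
        }
        if (s % 10 == 0) exit 0
        exit 1
    }'
}

# printable_runs FILE: printable runs of 8+ characters in a binary file,
# roughly what "strings -n 8" prints.
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 8'
}

# scan_dump FILE: print the number of plaintext findings in a dump, counting
# lines that mention the creditCard field plus every Luhn-valid 16-digit run.
scan_dump() {
    count=$(printable_runs "$1" | grep -c 'creditCard' || true)
    for pan in $(printable_runs "$1" | grep -oE '[0-9]{16,}' || true); do
        [ "${#pan}" -eq 16 ] && luhn_ok "$pan" && count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# opaque_bytes: a deterministic block of non-printable bytes standing in for
# guest memory the host cannot interpret (constructed filler, not ciphertext).
opaque_bytes() {
    i=0
    while [ "$i" -lt 256 ]; do
        printf '\001\377\002\376\000\255'
        i=$((i + 1))
    done
}

# make_samples: write two constructed sample dumps into a temp directory and
# print its path. core.kvm mimics a standard KVM guest whose memory (here, a
# captured payment request) is readable from the host; core.hpvs mimics the
# HPVS guest, where the host sees only opaque bytes.
make_samples() {
    dir=$(mktemp -d)
    printf 'POST /pay {"name":"Alice","creditCard":"4111111111111111","cvv":"123"}\n' > "$dir/core.kvm"
    opaque_bytes >> "$dir/core.kvm"
    opaque_bytes > "$dir/core.hpvs"
    printf '%s\n' "$dir"
}

# On the lab host the call would be: scan_dump core.${myHPVSPaynowPid}
dir=$(make_samples)
echo "standard KVM guest dump: $(scan_dump "$dir/core.kvm") finding(s)"   # 2
echo "HPVS guest dump:         $(scan_dump "$dir/core.hpvs") finding(s)"  # 0
rm -rf "$dir"
```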
Please click the Next button at the lower right of the page in order to perform lab cleanup.
Clean up the resources you created during the lab¶
All of the work in this section is performed on the RHEL 8.5 host:
You should already be logged in to it if you have been following this lab in order.
Shut down your HPVS 2.1.x guest that was running PayNow demo¶
suffix=$(temp=$(whoami) && echo ${temp: -2}) ;\
sudo virsh shutdown paynowse${suffix}
Shut down your standard Ubuntu KVM guest¶
Enter this command to shut down your standard Ubuntu KVM guest:
sudo virsh shutdown $(whoami)
Delete the core dumps in the home directory of your userid on the RHEL 8.5 host:¶
cd ${HOME} && rm -vf core.*
Log out of the RHEL host:¶
exit
Thank you for cleaning up and congratulations on finishing the PayNow Lab! We hope you enjoyed it and learned from it and we welcome your feedback on how to make it better.
If you haven't yet taken the GREP11 with CENA4SEE Lab, consider doing that lab now.
If you have an IBM Cloud account, you are free at any time to do the IBM Cloud-based labs which are available from the Next link at the lower right of this page. Please read the instructions carefully and be aware that your IBM Cloud account may incur modest charges as a result of doing those labs.
IBM Cloud-based labs ↵
IBM Cloud-based labs¶
This is a set of four labs that will introduce the student to IBM Hyper Protect Virtual Servers for Virtual Private Cloud.
We will often refer to this service throughout these labs with the shorthand of Hyper Protect Virtual Servers. This service is based on IBM's Secure Execution for Linux technology, which is IBM's strategic foundation for implementing confidential computing within the IBM Z and LinuxONE brands.
There is an earlier version of Hyper Protect Virtual Servers that is based on an older, but still viable, technology called Secure Service Containers and is still available in IBM Cloud as a service named Hyper Protect Virtual Server for Classic.
This lab focuses on the newer, strategic IBM Hyper Protect Virtual Servers for Virtual Private Cloud service, so our shorthand of Hyper Protect Virtual Servers should be interpreted as a reference to the newer service. The earlier service will always be referred to explicitly as IBM Hyper Protect Virtual Server for Classic.
Overview and Prerequisites ↵
Overview and Pre-reqs¶
Overview¶
These labs provide a gentle introduction to the art of creating a contract for a Hyper Protect Virtual Servers instance. The contract you specify to a Hyper Protect Virtual Servers instance specifies the application workload you wish to run and the environmental characteristics such as where to send log messages from your instance.
A best practice is to specify a contract that is encrypted and signed. These labs start simple- with an unsigned, plain text contract. Such a contract would be hard to justify in a production environment, but is a great starting point for learning what is involved with creating a contract.
Then each subsequent lab increases the complexity of the contract such that our final lab guides you to the best practice of creating an encrypted and signed contract.
Caution- you may incur charges from IBM Cloud for activities performed in these labs
You may incur charges for the artifacts created during the lab. If you do the labs in one sitting and delete your lab-related resources after the lab then any charges should be negligible. These charges are your responsibility. Each lab ends with instructions to delete these lab artifacts in order to minimize any costs you might incur.
The flow of the labs can be summarized as:
-
Create prerequisite resources on IBM Cloud such as a Virtual Private Cloud and an IBM Log Analysis instance.
-
Create a Hyper Protect Virtual Server instance using a plain text contract.
-
Create a Hyper Protect Virtual Server instance where the workload provider encrypts their portion of the contract but the environment provider provides their portion in plain text.
-
Create a Hyper Protect Virtual Server instance where both the workload provider encrypts their portion of the contract and the environment provider encrypts their portion of the contract.
-
Create a Hyper Protect Virtual Server instance where both portions of the contract are encrypted and then signed by the environment provider.
-
Delete the resources created during the labs.
Prerequisites¶
IBM Cloud account¶
These labs assume that you have an IBM Cloud account and have the authorization needed to create the artifacts required by the labs.
All IBM Cloud resources are created with the IBM Cloud web UI from your web browser.
You must be able to create the following IBM Cloud artifacts in order to complete this lab.
Resource | Comments |
---|---|
IBM Log Analysis | required as a target for log messages from your Hyper Protect Virtual Server instances |
Virtual Private Cloud | Must reside in London, Madrid, Sao Paulo, Tokyo, Toronto or Washington, D.C |
Subnets for VPC | created when you create your Virtual Private Cloud |
Public gateways for VPC | needed so that your instances can communicate with your IBM Log Analysis instance |
Access control lists for VPC | created automatically when you create your Virtual Private Cloud |
Security groups for VPC | created automatically when you create your Virtual Private Cloud |
Virtual Server for VPC | The resource type of your Hyper Protect Virtual Server instances |
Block storage volumes for VPC | Used to provide persistent disk storage |
Hyper Protect Virtual Server for Classic | Optional- can be used as a prep system if you can provide an SSH key pair |
Virtual Server for Classic | Optional- can be used as a prep system if you cannot provide an SSH key pair |
Prep system to prepare contracts for Hyper Protect Virtual Server instances¶
You must have access to a Linux or MacOS system in order to create the contracts required by the lab.
If your laptop or workstation is not running Linux or MacOS there are some alternatives available to you:
-
If you have a Windows system you can try to use the Windows Subsystem for Linux or you can create a Linux server elsewhere.
-
We provide instructions on how to create a Linux server using Hyper Protect Virtual Server for Classic in a subsequent section of the lab. This is a server running on LinuxONE servers in IBM Cloud and uses IBM's earlier, Secure Service Container-based implementation of Confidential Computing. You may be able to provision this for free- each account can have two free instances at any point in time. You must provide the public key portion of your SSH key pair when provisioning this.
An attempt at clarification
This lab focuses on the newer, Secure Execution-based implementation of Hyper Protect Virtual Server for IBM Cloud VPC- not the earlier, Secure Service Container-based implementation of Hyper Protect Virtual Server for Classic that we are suggesting may be used as your prep system. We'd prefer that you use your own system for the prep system if possible. Why? Because it will be easier for you to save the lab artifacts that way. At the risk of confusing you, we suggest Hyper Protect Virtual Server for Classic as a prep system for a key reason- you can (probably) provision one for free!
-
If you cannot provide your SSH key pair's public key portion, you can provision a Linux server using Virtual Server for Classic that will enable access via a password instead of an SSH key. This is a server running on x86 architecture and you may incur charges for this service.
Create a Virtual Private Cloud¶
We advise you to create a new Virtual Private Cloud for these labs
These labs assume you are starting with an account that has no Virtual Private Cloud (VPC) resources defined when you start the lab. If your account has existing VPC resources then it is up to you to decide whether to use those existing resources when available or whether to create new resources for all parts of the labs. Using existing resources may help to avoid incurring costs, but at the risk of inadvertently impacting existing users of these resources- an essential consideration if these resources are being used in production! You'd also have to take extra care when deleting resources at the end of the labs.
Navigate to IBM Cloud and log in to the IBM Cloud Web UI.
Click on the Navigation Menu icon (often informally referred to as the "hamburger" icon) in the upper left of the IBM Cloud Web UI. From there, navigate to VPC Infrastructure and VPC Layout as shown here:
The labs are written with the assumption that all resources used for the labs are created in the lab and then deleted at the end of the lab. You'll have to tailor your implementation of the lab directions appropriately if you do use existing resources.
Here's a screen snippet showing the VPC Layout screen when the account has no existing VPC infrastructure at the start of the labs:
Click the Create a VPC link.
Choose one of the following six locations which support Hyper Protect Virtual Server for IBM Cloud VPC: London, Madrid, Sao Paulo, Tokyo, Toronto or Washington, D.C. These labs' instructions and screen snippets will show the Washington, D.C. region (us-east) in use, but you may use one of the other aforementioned regions as well- tailor your implementation of the directions appropriately if you do.
The screen snippet below shows after we've chosen the Washington DC region in the North America geography and given the new VPC the name lab-was-vpc. Throughout the labs we will often be using the naming convention lab-region-resource type-optional description. If you perform the lab in the Washington, D.C., region you will be able to use the instructions almost verbatim. If you choose to use another region you can choose to use our naming convention and tailor the
Scroll down to see the list of subnets offered to you- by default you will be offered three subnets- one for each of the three availability zones within a region. For our labs, in an effort to minimize costs, we've deleted two of the three subnets as we will limit our lab activities to a single availability zone. If you wish to do likewise then click the rightmost icon of the two subnets you want to get rid of, as indicated in the below screen snippet:
Your subnet section will look similar to this if you choose to work with only one subnet:
You are now ready to click the blue Create virtual private cloud button on the lower right of your page. If this button is not enabled then you probably forgot to enter some required information such as a name for your VPC:
After clicking the button, your new VPC will be created and you'll be taken to a screen like this. Notice that a Default Access Control List (ACL) and a Default Security Group will be created for you, both of which will have meaningless randomly-generated names. You can accept them as-is for the labs.
Click the Next link at the lower right of this page so you can move to the next section where you will create a public gateway within your new VPC.
Create a public gateway¶
You need a public gateway so that the Hyper Protect Virtual Servers for IBM Cloud VPC instances that you will create in the labs can send log messages to your IBM Log Analysis instance which is running outside of your VPC.
-
Click the Public gateways link on the left and you should see that you currently have no public gateways defined.
-
Click the blue Create button in the upper right:
Choose the correct geography (not shown in the screen snippet below), region, and zone. Give your public gateway a name, we've chosen lab-was-pubgw. Ensure that your virtual private cloud is selected, and then click the blue Create button.
As shown below, you'll be shown your new public gateway. Note that in the Attached subnet column there is no entry. You need to attach a subnet to this public gateway. To do so, click the vertical dots icon on the right and choose the Attach popup menu item, as indicated here:
Ensure that your subnet is selected and click the blue Attach button:
You should see that your subnet is now attached to your public gateway:
Click the Next link at the lower right to go to your next task, which is to create an IBM Log Analysis instance.
Create an IBM Log Analysis instance and save connection information¶
Create an IBM Log Analysis instance¶
Note: You may use an existing IBM Log Analysis instance if you already have one. It can be in any IBM Cloud region and availability zone. If you are creating a new IBM Log Analysis instance for the lab, we suggest you create it in the same region and availability zone in which you created your virtual private cloud in the previous sections.
- Click the Catalog link at the top of your IBM Cloud web UI
- In the search box, start typing IBM Log Analysis until it appears in the list of search results
- Click on it in that list
Choose your location for the logging instance, the plan you prefer- the free Lite plan is sufficient for the labs- and accept the terms and conditions and then click the blue Create button:
You'll see a screen like below. (The name of this IBM Log Analysis instance is the default name provided when we created it- unlike the resources we're creating within our virtual private cloud, we're not concerned about following a naming convention for this resource).
Click the blue Open Dashboard button in the upper right.
Retrieve your IBM Log Analysis instance's ingestion key¶
Click the Install instructions icon (that looks like a question mark) in the lower left of your IBM Log Analysis dashboard:
In the window that opens up, click the icon highlighted below in order to copy your IBM Log Analysis instance's ingestion key into your clipboard. Paste it into a safe place for use later in the lab. Treat this ingestion key with care like you would a password, especially if you are using an already existing IBM Log Analysis instance. (You do have the ability to return to this screen to retrieve it later if you lose track of where you paste it). See the below screen snippet:
Retrieve your IBM Log Analysis instance's host name¶
- Scroll down on this same window and choose rsyslog
- Use copy and paste to save the information that corresponds to the information highlighted in the screen snippet below. (This information will not be highlighted on your screen until you select it as we did prior to taking this screenshot). You will be using this information later in the labs. This information does not have to be kept secret.
You do not have to follow the instructions that the popup window is giving you, you only needed to copy the information as directed here in the lab. You can click the X in the upper right corner of the popup window or just click outside of the popup window so that it goes away.
Click the Next link in the lower right to continue.
Establish a prep system for creating contracts¶
Here are our suggestions for what to use for your prep system. When you find a solution that works for you, you can move on to the next section by clicking the Next link at the lower right of the page.
The lab authors have tested the lab instructions using the following prep systems:
Operating System | Architecture | Comments |
---|---|---|
MacOS | Apple M1 Silicon | |
Linux | Apple M1 Silicon | running as Ubuntu guest under MacOS |
Linux | s390x | Hyper Protect Virtual Server for Classic free instance on IBM Cloud |
Linux | x86-64 | Virtual Server for Classic paid instance on IBM Cloud |
Windows 11 | x86-64 | using Windows Subsystem for Linux 2 with Ubuntu 22.04 installed |
Use your workstation if it is running Linux or MacOS¶
If you already have access to a Linux system or to a MacOS system we encourage you to use it as your prep system. Prep system is a term we've coined in these labs to refer to the system on which you will create the contracts for your Hyper Protect Virtual Server instance. This could certainly be your laptop or workstation if you are running a Linux distribution or MacOS.
If you are running Windows¶
If you have a Windows system you could try one of the following options.
Caution
Although it should be a viable option, Option 1 has not been tested by the lab instructors.
-
You could run a Linux virtual machine under a virtualization hypervisor such as VMware or VirtualBox
-
You could run the Windows Subsystem for Linux under more recent versions of Windows such as Windows 10 or Windows 11
If your own laptop or workstation is not running Linux or MacOS, or if you have Windows but are unable or unwilling to try one of the two suggestions from above, keep reading.
Create a Hyper Protect Virtual Server for Classic instance on IBM Cloud¶
If you do not have a suitable system already or would like to, you can create a Hyper Protect Virtual Server for Classic instance for free that will provide an Ubuntu system for you. You will need to provide the public key portion of an SSH key pair when you provision this instance.
NOTE: Whether you already have a suitable system or choose to create one with the directions below, we will refer to this system as your prep system in the lab instructions, since you will use this system to prepare your contracts.
To create this instance:
We beg your pardon
If you are reading this, it means that we have yet to add some screenshots to these instructions. Hopefully the text is sufficient to guide you to successful completion of this task. If not, let us know.
-
Click on the Catalog link at the top of the page.
-
Start typing Hyper Protect Virtual Server in the search box until Hyper Protect Virtual Server for Classic appears in the search results and then select it.
-
Choose the Free plan- select the region and zone you prefer. We prefer to use the same zone that we used for our virtual private cloud, if possible. (This instance will not be running inside a VPC.)
-
Provide your SSH public key.
Once your Hyper Protect Virtual Server for Classic instance is available, you need to install two packages:
-
Log in to your instance via ssh.
-
Enter the following command:
apt install -y curl vim
Create a Virtual Server for Classic instance on IBM Cloud¶
If for some reason you cannot create an SSH key pair, a Virtual Server for Classic instance allows you to log in with a password that it creates for you at provisioning time. Using a password for logon is less secure than using an SSH key, and this service does not appear to offer a free tier, so this is our suggestion of last resort.
The steps to create an instance are:
-
From the IBM Cloud Catalog, search for Virtual Server for Classic and then select it.
-
It doesn't matter where you provision it. This instance does not run in your VPC.
-
Choose the Ubuntu 22.04 operating system.
-
On the provisioning screen, leave the SSH key field blank.
-
Click the Create button to create the instance.
After the instance is provisioned:
-
From the Resource List, expand the Compute category.
-
Select your new instance
-
Note your instance's public IP address
-
Click the tab for passwords and click the icon to show your root userid's password
-
Log in with this command:
ssh -l root <your instance's public IP>
-
Enter root's password when prompted
Set up environment variables used throughout the four IBM Cloud-based labs¶
A note about support for these labs
The official documentation often states that an Ubuntu system should be used to enter the commands for contract preparation. We have written the lab to work on Linux and MacOS.
There are so many Linux distributions that it is impossible to test on all of them, but we think that this lab should work on many distributions besides Ubuntu. We will attempt to help if you are having problems on a Linux distribution other than Ubuntu, but we reserve the right to ask you to use an Ubuntu system.
Similarly, since we have Apple laptops we wrote the lab to work on MacOS as well. Since it works for us on MacOS we suspect it could work for you as well, but, again, we reserve the right to ask you to use an Ubuntu system if you ask for our help in troubleshooting.
These labs are for educational purposes at a beginning or intermediate level and do not demonstrate all product features, and may demonstrate practices not suitable for a production environment. Usage of these labs for any purposes other than education is at your own discretion and risk.
Support for these labs is solely in an educational context, and solely from the lab authors on a best-effort basis. In other words, there is no guarantee of timeliness of response from the authors to inquiries, nor even a guarantee that the authors will ever resolve any problems you have with these labs. This informal support is outside of any official IBM support channels.
On your prep system, there are some environment variables that will be used in the four labs.
Variable name | Description |
---|---|
LAB_WORKDIR | working directory for contract preparation |
LAB_TAR | The variant of tar used on the prep system |
LAB_WRAP | Wrap arguments to base64 on Linux; typically unset on MacOS |
LOG_INGESTION_KEY | The ingestion key for your IBM Log Analysis instance |
LOG_HOSTNAME | The hostname on IBM Cloud that hosts your IBM Log Analysis instance |
Note
Our instructions set these variables only for the duration of your terminal session. If you do not finish the labs in one terminal session, then you will need to revisit this section to set these variables again when you resume. Advanced shell users may be interested in setting these variables permanently in their shell if they plan to do the lab in more than one session, but setting this up is not covered here.
Set LAB_WORKDIR¶
In order to avoid interference with other work, we want you to create a brand new directory for these labs- each of the four labs will use a subdirectory underneath the new directory.
-
This next instruction sets the environment variable to ${HOME}/cloudlabs.
LAB_WORKDIR=${HOME}/cloudlabs
-
This next set of commands will either successfully create this new directory and then change to it, or it will warn you to try again. (If you are warned, retry step 1 above with a different name and then try these commands again.)
if [[ -e ${LAB_WORKDIR} ]]; then
  echo ${LAB_WORKDIR} already exists
  echo "  This may be appropriate if you are"
  echo "  resuming these labs in a new terminal session"
  echo "  and have already created this directory structure"
  echo
  echo Otherwise, choose a new value for LAB_WORKDIR
  echo "  or rename ${LAB_WORKDIR}"
  echo "  and try again"
else
  mkdir ${LAB_WORKDIR} && \
  echo Fresh lab working directory created \
  && cd ${LAB_WORKDIR} && \
  echo Changed to working directory ${LAB_WORKDIR}
fi
Set LAB_TAR¶
On most Linux distributions you will have tar and it will be fine.
On most MacOS systems the default tar command is less desirable than a version of tar provided by the GNU project, called gtar. gtar is preferred for the labs.
Follow these instructions on your prep system. The environment variables set by these instructions are in effect only for the terminal session in which you enter the commands. If you finish the labs in one sitting within the same terminal session, you will only have to enter these instructions once. Otherwise, you can repeat these instructions as necessary.
Note
The following set of commands will set an environment variable that will be used throughout the labs. It will point to either tar or gtar or it will print an error message if it cannot find either one.
if [[ -n "${LAB_TAR}" ]]; then
for i in {1..6} ; do echo '******************' ; done
echo ''
echo "CAUTION: Prior value of LAB_TAR was ${LAB_TAR}"
echo " Take note of this value in the unlikely event it was"
echo " already set by another application on your system"
echo " in which case you may need to restore this value later"
echo ''
for i in {1..6} ; do echo '******************' ; done
fi
unset LAB_TAR && which tar 1>/dev/null 2>&1 && LAB_TAR=tar
which gtar 1>/dev/null 2>&1 && LAB_TAR=gtar
echo ''
if [[ -z "${LAB_TAR}" ]]; then
echo "ERROR: neither tar nor gtar was found"
else
echo You will use ${LAB_TAR} for the labs
fi
Set LAB_WRAP if necessary¶
The following set of commands will set an environment variable that will be used throughout the labs if the base64 command supports the wrap option. (Typically, the wrap option will be supported on Linux systems but not on MacOS.)
if [[ -n "${LAB_WRAP}" ]]; then
for i in {1..6} ; do echo '******************' ; done
echo ''
echo "CAUTION: Prior value of LAB_WRAP was ${LAB_WRAP}"
echo " Take note of this value in the unlikely event it was"
echo " already set by another application on your system"
echo " in which case you may need to restore this value later"
echo ''
for i in {1..6} ; do echo '******************' ; done
fi
LAB_WRAP="--wrap 0"
echo test | base64 ${LAB_WRAP} 1>/dev/null 2>&1 || unset LAB_WRAP
if [[ -z "${LAB_WRAP}" ]]; then
echo "No wrap argument to base64 will be used in the labs"
else
echo "wrap argument ${LAB_WRAP} to base64 will be used in the labs"
fi
Set LOG_INGESTION_KEY¶
This command differs based on whether you are using bash or zsh. If you are unsure of which shell you are using, enter the command echo $0 from your shell.
-
Set an environment variable for your IBM Log Analysis ingestion key. You saved this somewhere safe earlier in the lab. If you lost track of it, revisit the section Create an IBM Log Analysis instance for the steps to retrieve it. Enter the command appropriate to your shell and you will be prompted to enter your IBM Log Analysis Ingestion Key.
bash:
read -sp "Log Ingestion Key: " LOG_INGESTION_KEY && echo
zsh:
read -s "LOG_INGESTION_KEY?Log Ingestion Key: " && echo
Set LOG_HOSTNAME¶
This command differs based on whether you are using bash or zsh. If you are unsure of which shell you are using, enter the command echo $0 from your shell.
-
Set an environment variable for the hostname of your IBM Log Analysis instance. You saved this somewhere safe earlier in the lab. If you lost track of it, revisit the section Create an IBM Log Analysis instance for the steps to retrieve it. Enter the command appropriate for your shell and you will be prompted to enter the hostname of your IBM Log Analysis instance.
bash:
read -p "Log Hostname: " LOG_HOSTNAME
zsh:
read "LOG_HOSTNAME?Log Hostname: "
Click the Next link in the lower right to begin the first lab.
Lab 1 - simple plaintext contract¶
In the first lab, you will provide a simple, plaintext contract in order to get a clear view of what a Hyper Protect Virtual Servers contract looks like. This is for learning purposes- most production use cases will require an encrypted, and possibly signed, contract.
The lab will also introduce you to persistent disk volumes.
Your first step will be to prepare the contract on your prep system. Click the Next link at the lower right to continue.
Prepare the contract¶
Ensure necessary environment variables are set¶
-
Go to a command prompt on your prep system
-
You should have each of these environment variables set on your prep system:
echo LAB_WORKDIR is ${LAB_WORKDIR}
echo LAB_TAR is ${LAB_TAR}
echo LOG_INGESTION_KEY is ${LOG_INGESTION_KEY}
echo LOG_HOSTNAME is ${LOG_HOSTNAME}
If any of the above commands do not display a value after the is then revisit the section on setting environment variables.
Make the directory hierarchy for Lab 1¶
-
Make a fresh directory structure and change in to it:
mkdir -p ${LAB_WORKDIR}/lab1/play && cd ${LAB_WORKDIR}/lab1
Create a Pod descriptor to specify the application workload¶
-
Switch to the directory that will hold a Pod descriptor:
cd play
-
Create the Pod descriptor. The whole file is indented by two spaces because it will later be appended inside the workload block scalar of the contract:
cat << EOF > play.yml
  play:
    resources:
    - apiVersion: v1
      kind: Pod
      metadata:
        name: busybox
      spec:
        containers:
        - name: main
          image: docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83
          command: ["/bin/sh", "-c"]
          args:
          - mkdir -p /data/cloudlabs ; env | tee -a /data/cloudlabs/env.out ; cat /data/cloudlabs/env.out ; head -20 /data/cloudlabs/env.out ; head -20 /data/cloudlabs/greetings.out ; tail -20 /data/cloudlabs/greetings.out ; while true ; do echo Hi \${name:-World} the time is \$(date) | tee -a /data/cloudlabs/greetings.out ; sleep \${interval:-60} ; done
          envFrom:
          - configMapRef:
              name: contract.config.map
              optional: false
          volumeMounts:
          - mountPath: /data
            name: data-vol
            readOnly: false
        restartPolicy: Never
        volumes:
        - hostPath:
            path: /mnt/data
            type: Directory
          name: data-vol
EOF
-
Display the file's content.
cat play.yml
Create the contract¶
-
Change to the directory one level higher than your current location (and display it):
cd .. && pwd
-
Create the contract.
cat << EOF > user_data.yaml
env: |
  type: env
  logging:
    logDNA:
      hostname: ${LOG_HOSTNAME}
      ingestionKey: ${LOG_INGESTION_KEY}
      port: 6514
  volumes:
    data:
      seed: seed-supplied-by-env-persona
  env:
    name: Lab 1 Student
    interval: "30"
workload: |
  type: workload
  volumes:
    data:
      filesystem: ext4
      mount: /mnt/data
      seed: seed-supplied-by-workload-persona
$(cat play/play.yml)
EOF
-
Display your contract data. Keep your terminal session handy- later on in the next section you will be directed to copy these contents into the IBM Cloud Web UI.
cat user_data.yaml
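Before pasting the contract into the IBM Cloud Web UI it is worth checking that the generation step produced what you expect. The function below is an added example, not part of the lab, and assumes the contract layout used in this lab: two top-level keys, env and workload, each a literal block scalar, with the pod descriptor appended inside workload. It uses only grep and tr so it runs on Linux and MacOS alike. The most common mistake it catches is a pod descriptor that was appended without indentation, which silently ends the workload block early; it also catches an unset LOG_HOSTNAME or LOG_INGESTION_KEY, which expands to an empty value in the heredoc.

```shell
#!/bin/sh
# Added example, not part of the lab: structural checks on a generated
# user_data.yaml before it is pasted into the User data box.
# Assumes the lab's layout: "env: |" and "workload: |" at column 0, with the
# pod descriptor appended (indented) inside the workload block.

# Usage: lab_contract_check user_data.yaml
# Returns 0 when every check passes, 1 otherwise, printing the first problem.
lab_contract_check() {
  contract=$1
  [ -f "$contract" ] || { echo "ERROR: $contract is not a file"; return 1; }

  # Every non-indented line is a top-level key. If the pod descriptor was
  # appended without indentation its lines appear here, meaning the
  # "workload: |" block scalar ended early and the contract is wrong.
  top=$(grep -E '^[^ ]' "$contract" | tr '\n' ' ')
  [ "$top" = "env: | workload: | " ] || {
    echo "ERROR: expected only 'env: |' and 'workload: |' at column 0, found: $top"
    return 1
  }

  # The logging target must carry a non-empty hostname and ingestionKey;
  # an unset LOG_HOSTNAME or LOG_INGESTION_KEY expands to nothing here.
  grep -Eq '^ +hostname: +[^ ]+' "$contract" || {
    echo "ERROR: logging hostname is empty"; return 1; }
  grep -Eq '^ +ingestionKey: +[^ ]+' "$contract" || {
    echo "ERROR: logging ingestionKey is empty"; return 1; }

  # The workload section must declare its type and carry a Pod descriptor.
  grep -Eq '^ +type: workload$' "$contract" || {
    echo "ERROR: workload section missing 'type: workload'"; return 1; }
  grep -Eq '^ +kind: Pod$' "$contract" || {
    echo "ERROR: workload section contains no Pod descriptor"; return 1; }

  # Each persona (env and workload) supplies a seed for the data volume.
  seeds=$(grep -Ec '^ +seed: ' "$contract")
  [ "$seeds" -eq 2 ] || {
    echo "ERROR: expected a seed from both personas, found $seeds"; return 1; }

  echo "OK: $contract passes structural checks"
  return 0
}

# Run directly with a file name to check it; sourcing the file only
# defines the function.
if [ $# -gt 0 ]; then
  lab_contract_check "$1"
fi
```

Run it as sh contract_check.sh user_data.yaml from the lab1 directory. The checks are deliberately textual rather than a full YAML parse, so they work on a bare prep system, but they only cover the layout this lab generates.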
Proceed to the next section to create your Hyper Protect Virtual Servers for IBM Cloud VPC instance.
Create an instance¶
Note: There are often multiple ways to perform a task. The lab instructions may describe a particular way to go about things, but if you have prior experience with the IBM Cloud Web user interface and can perform the same task through different methods, feel free to do so. The lab instructions themselves may provide alternative ways to accomplish the tasks in different sections of the labs.
These instructions assume you are logged in to the IBM Cloud Web UI. If not, please log in before proceeding.
-
Go to your VPC
One way to do this is to start by clicking the "hamburger" menu in the top left (the icon will then turn into an "x" as shown in the screen snippet below), then click VPC Infrastructure and then VPCs:
Then, select the link for your VPC from the list that is shown:
-
Click the link to create a virtual server instance
You may have to scroll down on the page- find and click on the "Create a virtual server instance" link:
-
In the Location section, ensure that you select the Zone that contains your subnet. Give your instance a name in the Name field in the Details section. We chose lab-was-hpvs-lab1 in the screen shot below:
-
Scroll down and click the Change image link to select it:
-
On the Select an image screen, perform the following actions:
- Click the IBM Z, Linux ONE box.
- Toggle the slider on for "Run your workload with an OS and a profile for Secure Execution".
- Select the most recent image, ibm-hyper-protect-container-runtime-1-0-s390x-13.
- Click the blue Save button.
-
These labs are going to demonstrate data persistence across virtual server instances, and for this you will need a data volume. You will create the data volume in this lab and then reuse it in subsequent labs. In the Storage section, click the Create button in the Data volumes section:
In the Create data volume panel that slides in from the right, give your new data volume a name, give it the smallest possible size (10 GB) and then click the blue Create button:
You should then see the volume you just created listed in the Data volumes subsection of the Storage section:
-
Scroll down and in the Advanced options section, within the Instance configuration subsection, click the arrow at the right of the User data item. Drag the lower right corner of the User data box that appears in order to enlarge it a bit, like we've done in the screen shot below:
-
At the end of the previous section of the lab, Prepare the contract, in the very last instruction, you displayed the contents of your user_data.yaml on your prep system. Go back to your prep system and copy the file contents that you displayed to your clipboard. Then paste them into the User data box. It should look similar to what is shown below- we've redacted our IBM Log Analysis ingestion key from the screen shot, but you'll want your actual ingestion key to be in there. Also, for the purposes of the screen shot, we enlarged our User data box to be large enough to show more of the contract. Don't worry if your entire contract can't be displayed in the User data box since you can scroll in this area to see the entirety of what you pasted. See the screenshot below:
-
Go to your IBM Log Analysis Dashboard so you can verify that you receive log messages from the instance that you're about to create.
Open another tab in your browser and go to cloud.ibm.com. Log in if necessary. Assuming you're logged in, the below screenshot provides guidance on one way to get to your list of IBM Log Analysis instances:
From the list, click the Open dashboard link:
-
Now, go back to the tab where you were setting up your virtual server instance- click the blue Create virtual server button in the lower right. Reminder: you may incur costs for this action, and these costs are your responsibility. We will provide instructions to delete resources that are no longer needed to help you minimize any costs you might incur.
-
Verify that your instance came up successfully.
Within a couple of minutes of starting your instance, you should see many messages appear in your IBM Log Analysis Dashboard. After startup completes, you should see some simple messages every thirty seconds greeting Lab 1 Student and telling them what time it is. Our workload is rather simple, isn't it? But it is useful for demonstrating disk persistence.
If something went wrong in your setup of the contract that the hyper protect container runtime detects, your instance will automatically be stopped in five minutes. So if you receive no messages within five minutes of starting your instance, it is time to contact your instructor.
-
Delete your instance.
Your instance either started successfully- as evidenced by greetings to Lab 1 Student, or it failed to start successfully. In either case you will want to delete your instance at this point. Future labs will use the data volume that you created, but your current instance is no longer needed- in fact, leaving it around hinders subsequent labs- you won't be able to reuse your disk volume if it is still attached to this instance.
The screenshot below shows how you can delete this instance if you are currently displaying it- by clicking the blue Actions button in the upper right, then choosing Delete. From there, follow the instructions to confirm your intention to delete the instance.
-
Proceed to lab 2 if your instance was successful or seek help from the instructors if your instance creation was not successful.
Lab 2 - partially encrypted contract¶
This lab builds upon lab 1 by encrypting part of the contract, illustrating separation of responsibilities. It also demonstrates data persistence by using the same data volume used in lab 1.
Prepare the contract¶
Ensure necessary environment variables are set¶
-
Go to a command prompt on your prep system
-
You should have each of these environment variables set on your prep system:
echo LAB_WORKDIR is ${LAB_WORKDIR}
echo LAB_TAR is ${LAB_TAR}
echo LOG_INGESTION_KEY is ${LOG_INGESTION_KEY}
echo LOG_HOSTNAME is ${LOG_HOSTNAME}
If any of the above commands does not display a value after the word "is", revisit the section on setting environment variables.
Make a new directory hierarchy for Lab 2¶
-
Make a fresh directory structure and change in to it:
mkdir -p ${LAB_WORKDIR}/lab2/workload/play && cd ${LAB_WORKDIR}/lab2
Create a Pod descriptor to specify the application workload¶
-
Switch to the directory that will hold a Pod descriptor:
cd workload/play
-
Create the Pod descriptor:
cat << EOF > play.yml
play:
  resources:
    - apiVersion: v1
      kind: Pod
      metadata:
        name: busybox
      spec:
        containers:
          - name: main
            image: docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83
            command: ["/bin/sh", "-c"]
            args:
              - mkdir -p /data/cloudlabs ; env | tee -a /data/cloudlabs/env.out ; cat /data/cloudlabs/env.out ; head -20 /data/cloudlabs/env.out ; head -20 /data/cloudlabs/greetings.out ; tail -20 /data/cloudlabs/greetings.out ; while true ; do echo Hi \${name:-World} the time is \$(date) | tee -a /data/cloudlabs/greetings.out ; sleep \${interval:-60} ; done
            envFrom:
              - configMapRef:
                  name: contract.config.map
                  optional: false
            volumeMounts:
              - mountPath: /data
                name: data-vol
                readOnly: false
        restartPolicy: Never
        volumes:
          - hostPath:
              path: /mnt/data
              type: Directory
            name: data-vol
EOF
-
Display the file's content.
cat play.yml
-
Optional. This command will show that you are indeed using the same pod descriptor in this lab (lab2) as you did in the previous lab (lab1). We could have had you just copy that file over instead of using the cat command in the prior step.
diff --report-identical-files \
  ${LAB_WORKDIR}/lab1/play/play.yml \
  ${LAB_WORKDIR}/lab2/workload/play/play.yml
-
Change to the directory one level higher than your current location (and display it):
cd .. && pwd
Create encrypted workload section of the contract¶
-
Create this convenience script to encrypt the workload portion of the contract:
cat << EOF > flow.workload
# Create the workload section of the contract and add the contents in the workload.yaml file.
WORKLOAD_PLAIN=./workload.yaml.plaintext
WORKLOAD=workload.yaml
echo "
type: workload
volumes:
  data:
    filesystem: ext4
    mount: /mnt/data
    seed: seed-supplied-by-workload-persona
\$(cat play/play.yml)" > \${WORKLOAD_PLAIN}
# Download certificate to encrypt contract for Hyper Protect Container Runtime:
HPCR_rev=13
CONTRACT_KEY=./ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt
curl https://cloud.ibm.com/media/docs/downloads/hyper-protect-container-runtime/ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt > \${CONTRACT_KEY}
# Use the following command to create a random password:
PASSWORD_WORKLOAD="\$(openssl rand 32 | base64 \${LAB_WRAP})"
# Use the following command to encrypt password with the Hyper Protect Container Runtime Contract Encryption Key:
ENCRYPTED_WORKLOAD_PASSWORD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 \${LAB_WRAP})"
# Use the following command to encrypt the workload.yaml file with a random password:
ENCRYPTED_WORKLOAD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$WORKLOAD_PLAIN" | base64 \${LAB_WRAP})"
# Use the following command to get the encrypted section of the contract:
WORKLOAD_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_WORKLOAD_PASSWORD}.\${ENCRYPTED_WORKLOAD}"
echo ""
echo "See `pwd`/workload.yaml.plaintext to see what was encrypted for the workload section of your contract"
echo ""
echo "\$WORKLOAD_ENCRYPTED" > ../\$WORKLOAD
EOF
-
Run the script you just created:
. ./flow.workload
-
Back up one directory:
cd ..
-
Display the encrypted workload section you just created:
cat workload.yaml
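As an added example (not one of the lab scripts), the following Python checker, which uses only the standard library so it runs on the prep system as-is, inspects a hyper-protect-basic value such as the one now in workload.yaml before you paste it into the IBM Cloud User data field. It cannot decrypt anything, because only the Hyper Protect Container Runtime holds the private key matching the contract encryption certificate; what it checks is the three-part shape that flow.workload builds: the prefix, the RSA-encrypted password (PKCS#1 v1.5 ciphertext, exactly one modulus length long) and the openssl enc payload, which starts with the Salted__ header followed by an 8-byte salt and whole AES blocks. The file name on the command line and the sample bytes in constructed_sample are assumptions made for illustration, not real lab output.

```python
"""Shape check for a 'hyper-protect-basic' contract section (added example, not lab code)."""
import base64
import binascii
import sys

PREFIX = "hyper-protect-basic"
SALT_MAGIC = b"Salted__"              # header 'openssl enc' writes in front of its 8-byte salt
RSA_MODULUS_SIZES = (256, 384, 512)   # bytes of ciphertext for 2048-, 3072- and 4096-bit keys


def check_section(value: str) -> dict:
    """Return {'ok', 'errors', 'rsa_key_bits', 'payload_bytes'} for one section string."""
    report = {"ok": False, "errors": [], "rsa_key_bits": None, "payload_bytes": None}
    value = "".join(value.split())     # tolerate wrapped base64 if LAB_WRAP was not '-w 0'
    parts = value.split(".")
    if len(parts) != 3:
        report["errors"].append(f"expected 3 dot-separated parts, found {len(parts)}")
        return report
    prefix, enc_password_b64, enc_payload_b64 = parts
    if prefix != PREFIX:
        report["errors"].append(f"prefix is {prefix!r}, expected {PREFIX!r}")
    try:
        enc_password = base64.b64decode(enc_password_b64, validate=True)
        enc_payload = base64.b64decode(enc_payload_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        report["errors"].append(f"base64 decoding failed: {exc}")
        return report
    # 'openssl rsautl -encrypt' (PKCS#1 v1.5) yields exactly one modulus length of ciphertext,
    # so the length of this part tells you the size of the certificate's RSA key.
    report["rsa_key_bits"] = len(enc_password) * 8
    if len(enc_password) not in RSA_MODULUS_SIZES:
        report["errors"].append(
            f"encrypted password is {len(enc_password)} bytes, not an RSA modulus size")
    # 'openssl enc -aes-256-cbc -pbkdf2' output: 'Salted__', 8-byte salt, CBC ciphertext in 16-byte blocks
    report["payload_bytes"] = len(enc_payload)
    if not enc_payload.startswith(SALT_MAGIC):
        report["errors"].append("payload does not start with the 'Salted__' header")
    elif len(enc_payload) < 32 or (len(enc_payload) - 16) % 16:
        report["errors"].append("payload is not header + salt + whole AES blocks")
    report["ok"] = not report["errors"]
    return report


def constructed_sample() -> str:
    """A well-formed sample built from constructed bytes (no real key or ciphertext involved)."""
    fake_rsa_ciphertext = bytes(range(256)) * 2             # 512 bytes, as for a 4096-bit key
    fake_payload = SALT_MAGIC + b"\x01" * 8 + b"\xab" * 48   # header, salt, three AES blocks
    return ".".join([PREFIX,
                     base64.b64encode(fake_rsa_ciphertext).decode(),
                     base64.b64encode(fake_payload).decode()])


if __name__ == "__main__":
    # usage: python3 check_section.py workload.yaml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample()
    result = check_section(text)
    print("OK" if result["ok"] else "PROBLEMS", result)
```

Run it as python3 check_section.py workload.yaml (and later against env.yaml in labs 3 and 4). A value that fails these checks will never be accepted by the runtime, so this catches a copy-and-paste truncation or a missing LAB_WRAP before you spend five minutes waiting for the instance to stop itself.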
Add a plaintext environment section to the encrypted workload section¶
-
This command combines the workload section (which is encrypted) with a plain text environment section. The contract is the output file, user_data.yaml.
cat << EOF > user_data.yaml
workload: $(cat workload.yaml)
env: |
  type: env
  logging:
    logDNA:
      hostname: ${LOG_HOSTNAME}
      ingestionKey: ${LOG_INGESTION_KEY}
      port: 6514
  volumes:
    data:
      seed: seed-supplied-by-env-persona
  env:
    name: Lab 2 Student
    interval: "30"
EOF
-
Display your contract data:
cat user_data.yaml
Proceed to the next section to create your Hyper Protect Virtual Server for VPC instance.
Create an instance¶
Note: There are often multiple ways to perform a task. The lab instructions may describe a particular way to go about things, but if you have prior experience with the IBM Cloud Web user interface and can perform the same task through different methods, feel free to do so. The lab instructions themselves may provide alternative ways to accomplish the tasks in different sections of the labs.
These instructions assume you are logged in to the IBM Cloud Web UI. If not, please log in before proceeding.
-
Go to your VPC
One way to do this is to start by clicking the "hamburger" menu in the top left (the icon will then turn into an "x" as shown in the screen snippet below), then click VPC Infrastructure and then VPCs:
Then, select the link for your VPC from the list that is shown:
-
Click the link to create a virtual server instance
You may have to scroll down on the page- find and click on the "Create a virtual server instance" link:
-
In the Location section, ensure that you select the Zone that contains your subnet. Give your instance a name in the Name field in the Details section. We chose lab-was-hpvs-lab2 in the screen shot below:
-
Scroll down and click the Change image link to select it:
-
On the Select an image screen, perform the following actions:
- Click the IBM Z, Linux ONE box.
- Toggle the slider on for "Run your workload with an OS and a profile for Secure Execution".
- Select the most recent image, ibm-hyper-protect-container-runtime-1-0-s390x-13.
- Click the blue Save button.
-
At this point in lab 1, you created a data volume that you will use across the labs. You will not be able to attach that data volume until after you start your virtual server instance, so, continue with the next instruction.
-
Scroll down and in the Advanced options section, within the Instance configuration subsection, click the arrow at the right of the User data item. Drag the lower right corner of the User data box that appears in order to enlarge it a bit, like we've done in the screen shot below:
-
At the end of the previous section of the lab, Prepare the contract, in the very last instruction, you displayed the contents of your user_data.yaml on your prep system. Go back to your prep system and copy the file contents that you displayed to your clipboard. Then paste them into the user data box. It should look similar to what is shown below. We've redacted our IBM Log Analysis ingestion key from the screen shot, but you'll want your actual ingestion key to be in there. The screen shot below does not show the entire contract: the top of the encrypted workload section is not visible, but we are showing the entire unencrypted environment section:
-
Go to your IBM Log Analysis Dashboard so you can verify that you receive log messages from the instance that you're about to create.
Open another tab in your browser and go to cloud.ibm.com. Log in if necessary. Assuming you're logged in, the below screenshot provides guidance on one way to get to your list of IBM Log Analysis instances:
From the list, click the Open dashboard link:
-
Now, go back to the tab where you were setting up your virtual server instance- click the blue Create virtual server button in the lower right. Reminder: you may incur costs for this action, and these costs are your responsibility. We will provide instructions to delete resources that are no longer needed to help you minimize any costs you might incur.
-
Verify that your instance has started to come up.
Within a couple of minutes of starting your instance, you should see many messages appear in your IBM Log Analysis Dashboard. However, unlike the previous lab, the instance will not come up completely until you take further action- specifically, you need to attach the data volume that you created in the previous lab. Continue with these instructions.
-
Attach the disk volume that you created in lab 1:
Click on the link for your instance in the list under Virtual server instances for VPC:
Scroll down to the Storage volumes section and click the blue Attach button:
On the Attach storage volume screen, select the Block volume that you created in the previous lab (lab-was-datavol if you used the same name we used in these instructions) and then click the blue Save button at the bottom:
Now back on the screen displaying your instance information, you should see this data volume in the list of Storage volumes, similar to the screen shot below:
-
Now that you have attached the disk volume, startup continues and completes. Within your IBM Log Analysis Dashboard you should be able to see some messages greeting Lab 1 Student- this is data written from your earlier instance from lab 1. (You may need to scroll up to find them.) Then, this instance will provide similar greetings to Lab 2 Student- this provides a demonstration of successfully reusing a data volume to provide data persistence across different virtual server instances.
If something went wrong in your setup of the contract that the hyper protect container runtime detects, your instance will automatically be stopped in five minutes. So if you receive no messages within five minutes of starting your instance, it is time to contact your instructor.
-
Delete your instance.
Your instance either started successfully (as evidenced by the display of earlier greetings to Lab 1 Student and then periodic greetings to Lab 2 Student) or it failed to start. In either case you will want to delete your instance at this point. Future labs will use the data volume that you created, but your current instance is no longer needed. In fact, leaving it around hinders subsequent labs: you won't be able to reuse your disk volume while it is still attached to this instance.
The screenshot below shows how you can delete an instance if you are currently displaying it: click the blue Actions button in the upper right, then choose Delete. From there, follow the instructions to confirm your intention to delete the instance. (This screen snippet is from the instance created in lab 1, but the process to delete the instance is the same.)
-
Proceed to lab 3 if your instance was successful or seek help from the instructors if your instance creation was not successful.
Ended: Lab 2 - partially encrypted contract
Lab 3 - encrypted contract ↵
Lab 3 - encrypted contract¶
Lab 3 builds on the first two contracts. It shows encryption of both the workload section and the environment section of the contract.
Prepare the contract¶
Ensure necessary environment variables are set¶
-
Go to a command prompt on your prep system
-
You should have each of these environment variables set on your prep system:
echo LAB_WORKDIR is ${LAB_WORKDIR}
echo LAB_TAR is ${LAB_TAR}
echo LOG_INGESTION_KEY is ${LOG_INGESTION_KEY}
echo LOG_HOSTNAME is ${LOG_HOSTNAME}
If any of the above commands does not display a value after the word "is", revisit the section on setting environment variables.
Make a new directory hierarchy for Lab 3¶
-
Make a fresh directory structure and change in to it:
mkdir -p ${LAB_WORKDIR}/lab3/{environment,workload/play} && cd ${LAB_WORKDIR}/lab3
Create a Pod descriptor to specify the application workload¶
-
Switch to the directory that will hold the Pod descriptor:
cd workload/play
-
Create the Pod descriptor:
cat << EOF > play.yml
play:
  resources:
    - apiVersion: v1
      kind: Pod
      metadata:
        name: busybox
      spec:
        containers:
          - name: main
            image: docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83
            command: ["/bin/sh", "-c"]
            args:
              - mkdir -p /data/cloudlabs ; env | tee -a /data/cloudlabs/env.out ; cat /data/cloudlabs/env.out ; head -20 /data/cloudlabs/env.out ; head -20 /data/cloudlabs/greetings.out ; tail -20 /data/cloudlabs/greetings.out ; while true ; do echo Hi \${name:-World} the time is \$(date) | tee -a /data/cloudlabs/greetings.out ; sleep \${interval:-60} ; done
            envFrom:
              - configMapRef:
                  name: contract.config.map
                  optional: false
            volumeMounts:
              - mountPath: /data
                name: data-vol
                readOnly: false
        restartPolicy: Never
        volumes:
          - hostPath:
              path: /mnt/data
              type: Directory
            name: data-vol
EOF
-
Display the file's content.
cat play.yml
-
Optional. This command will show that you are indeed using the same pod descriptor in this lab (lab3) as you did in the previous lab (lab2). We could have had you just copy that file over instead of using the cat command in the prior step.
diff --report-identical-files \
  ${LAB_WORKDIR}/lab2/workload/play/play.yml \
  ${LAB_WORKDIR}/lab3/workload/play/play.yml
-
Change to the directory one level higher than your current location (and display it):
cd .. && pwd
Create encrypted workload section of the contract¶
-
Create this convenience script to encrypt the workload portion of the contract:
cat << EOF > flow.workload
# Create the workload section of the contract and add the contents in the workload.yaml file.
WORKLOAD_PLAIN=./workload.yaml.plaintext
WORKLOAD=workload.yaml
echo "
type: workload
volumes:
  data:
    filesystem: ext4
    mount: /mnt/data
    seed: seed-supplied-by-workload-persona
\$(cat play/play.yml)" > \${WORKLOAD_PLAIN}
# Download certificate to encrypt contract for Hyper Protect Container Runtime:
HPCR_rev=13
CONTRACT_KEY=./ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt
curl https://cloud.ibm.com/media/docs/downloads/hyper-protect-container-runtime/ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt > \${CONTRACT_KEY}
# Use the following command to create a random password:
PASSWORD_WORKLOAD="\$(openssl rand 32 | base64 \${LAB_WRAP})"
# Use the following command to encrypt password with the Hyper Protect Container Runtime Contract Encryption Key:
ENCRYPTED_WORKLOAD_PASSWORD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 \${LAB_WRAP})"
# Use the following command to encrypt the workload.yaml file with a random password:
ENCRYPTED_WORKLOAD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$WORKLOAD_PLAIN" | base64 \${LAB_WRAP})"
# Use the following command to get the encrypted section of the contract:
WORKLOAD_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_WORKLOAD_PASSWORD}.\${ENCRYPTED_WORKLOAD}"
echo ""
echo "See `pwd`/workload.yaml.plaintext to see what was encrypted for the workload section of your contract"
echo ""
echo "\$WORKLOAD_ENCRYPTED" > ../\$WORKLOAD
EOF
-
Run the script you just created:
. ./flow.workload
-
Back up one directory:
cd ..
-
Display the encrypted workload section you just created:
cat workload.yaml
Create encrypted environment section of the contract¶
-
Switch to the environment directory:
cd environment
-
Create this convenience script to encrypt the environment portion of the contract:
cat << EOF > flow.env
# Create the env section of the contract and add the contents in the env.yaml file.
ENV_PLAIN="./env.yaml.plaintext"
ENV="env.yaml"
echo "
type: env
logging:
  logDNA:
    hostname: \${LOG_HOSTNAME}
    ingestionKey: \${LOG_INGESTION_KEY}
    port: 6514
env:
  name: Lab 3 Student
  interval: \"30\"
volumes:
  data:
    seed: seed-supplied-by-env-persona" > \${ENV_PLAIN}
# Download certificate to encrypt contract for Hyper Protect Container Runtime:
HPCR_rev=13
CONTRACT_KEY=./ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt
curl https://cloud.ibm.com/media/docs/downloads/hyper-protect-container-runtime/\$CONTRACT_KEY > \$CONTRACT_KEY
# Use the following command to create a random password:
PASSWORD_ENV="\$(openssl rand 32 | base64 \${LAB_WRAP})"
# Use the following command to encrypt password with the Hyper Protect Container Runtime Contract Encryption Key:
ENCRYPTED_ENV_PASSWORD="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 \${LAB_WRAP} )"
# Use the following command to encrypt env.yaml with a random password:
ENCRYPTED_ENV="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$ENV_PLAIN" | base64 \${LAB_WRAP})"
# Use the following command to get the encrypted section of the contract:
ENV_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_ENV_PASSWORD}.\${ENCRYPTED_ENV}"
echo ""
echo "See `pwd`/env.yaml.plaintext to see what was encrypted for the env section of your contract"
echo ""
echo "\$ENV_ENCRYPTED" > ../\$ENV
EOF
-
Run the script you just created:
. ./flow.env
-
Back up one directory:
cd ..
-
Display the encrypted environment section you just created:
cat env.yaml
Combine the encrypted workload section with the encrypted environment section¶
-
This command combines the workload section (which is encrypted) with the environment section (which is also encrypted). The contract is the output file, user_data.yaml.
cat << EOF > user_data.yaml
workload: $(cat workload.yaml)
env: $(cat env.yaml)
EOF
-
Display your contract data:
cat user_data.yaml
Proceed to the next section to create your Hyper Protect Virtual Server for VPC instance.
Create an instance¶
Note: There are often multiple ways to perform a task. The lab instructions may describe a particular way to go about things, but if you have prior experience with the IBM Cloud Web user interface and can perform the same task through different methods, feel free to do so. The lab instructions themselves may provide alternative ways to accomplish the tasks in different sections of the labs.
These instructions assume you are logged in to the IBM Cloud Web UI. If not, please log in before proceeding.
-
Go to your VPC
One way to do this is to start by clicking the "hamburger" menu in the top left (the icon will then turn into an "x" as shown in the screen snippet below), then click VPC Infrastructure and then VPCs:
Then, select the link for your VPC from the list that is shown:
-
Click the link to create a virtual server instance
You may have to scroll down on the page- find and click on the "Create a virtual server instance" link:
-
In the Location section, ensure that you select the Zone that contains your subnet. Give your instance a name in the Name field in the Details section. We chose lab-was-hpvs-lab3 in the screen shot below:
-
Scroll down and click the Change image link to select it:
-
On the Select an image screen, perform the following actions:
- Click the IBM Z, Linux ONE box.
- Toggle the slider on for "Run your workload with an OS and a profile for Secure Execution".
- Select the most recent image, ibm-hyper-protect-container-runtime-1-0-s390x-13.
- Click the blue Save button.
-
Scroll down and in the Advanced options section, within the Instance configuration subsection, click the arrow at the right of the User data item. Drag the lower right corner of the User data box that appears in order to enlarge it a bit, like we've done in the screen shot below:
-
At the end of the previous section of the lab, Prepare the contract, in the very last instruction, you displayed the contents of your user_data.yaml on your prep system. Go back to your prep system and copy the file contents that you displayed to your clipboard. Then paste them into the user data box. It should look similar to what is shown below. The screen shot below does not show the entire contract: the top of the encrypted workload section is not visible, but we are showing the entire encrypted environment section:
-
Go to your IBM Log Analysis Dashboard so you can verify that you receive log messages from the instance that you're about to create.
Open another tab in your browser and go to cloud.ibm.com. Log in if necessary. Assuming you're logged in, the below screenshot provides guidance on one way to get to your list of IBM Log Analysis instances:
From the list, click the Open dashboard link:
-
Now, go back to the tab where you were setting up your virtual server instance- click the blue Create virtual server button in the lower right. Reminder: you may incur costs for this action, and these costs are your responsibility. We will provide instructions to delete resources that are no longer needed to help you minimize any costs you might incur.
-
Verify that your instance has started to come up.
Within a couple of minutes of starting your instance, you should see many messages appear in your IBM Log Analysis Dashboard. However, unlike the previous lab, the instance will not come up completely until you take further action- specifically, you need to attach the data volume that you created in the previous lab. Continue with these instructions.
-
Attach the disk volume that you created in lab 1:
Note: The screen shots in this instruction are taken from the section for lab 2 but the process is exactly the same for your lab 3 instance, so don't be confused if you see 'lab 2' in some of these screen snippets.
Click on the link for your instance in the list under Virtual server instances for VPC:
Scroll down to the Storage volumes section and click the blue Attach button:
On the Attach storage volume screen, select the Block volume that you created in the previous lab (lab-was-datavol if you used the same name we used in these instructions) and then click the blue Save button at the bottom:
Now back on the screen displaying your instance information, you should see this data volume in the list of Storage volumes, similar to the screen shot below:
-
Now that you have attached the disk volume, startup continues and completes. Within your IBM Log Analysis Dashboard you should be able to see some messages greeting Lab 1 Student and some messages greeting Lab 2 Student- this is data written from your earlier instances from labs 1 and 2. (You may need to scroll up to find them.) Then, this instance will provide similar greetings to Lab 3 Student- this provides a demonstration of successfully reusing a data volume to provide data persistence across different virtual server instances.
If something went wrong in your setup of the contract that the hyper protect container runtime detects, your instance will automatically be stopped in five minutes. So if you receive no messages within five minutes of starting your instance, it is time to contact your instructor.
-
Delete your instance.
Your instance either started successfully (as evidenced by the display of earlier greetings to Lab 1 Student and Lab 2 Student and then periodic greetings to Lab 3 Student) or it failed to start. In either case you will want to delete your instance at this point. Future labs will use the data volume that you created, but your current instance is no longer needed. In fact, leaving it around hinders subsequent labs: you won't be able to reuse your disk volume while it is still attached to this instance.
The screenshot below shows how you can delete an instance if you are currently displaying it: click the blue Actions button in the upper right, then choose Delete. From there, follow the instructions to confirm your intention to delete the instance. (This screen snippet is from the instance created in lab 1, but the process to delete the instance is the same.)
-
Proceed to lab 4 if your instance was successful or seek help from the instructors if your instance creation was not successful.
Ended: Lab 3 - encrypted contract
Lab 4 - encrypted and signed contract ↵
Lab 4 - encrypted and signed contract¶
This lab demonstrates the best practice of having a contract that is encrypted and signed.
Prepare the contract¶
Ensure necessary environment variables are set¶
-
Go to a command prompt on your prep system
-
You should have each of these environment variables set on your prep system:
echo LAB_WORKDIR is ${LAB_WORKDIR}
echo LAB_TAR is ${LAB_TAR}
echo LOG_INGESTION_KEY is ${LOG_INGESTION_KEY}
echo LOG_HOSTNAME is ${LOG_HOSTNAME}
If any of the above commands does not display a value after the word "is", revisit the section on setting environment variables.
Make a new directory hierarchy for Lab 4¶
-
Make a fresh directory structure and change in to it:
mkdir -p ${LAB_WORKDIR}/lab4/{environment,workload/play} && cd ${LAB_WORKDIR}/lab4
Create a Pod descriptor to specify the application workload¶
-
Switch to the directory that will hold the Pod descriptor:
cd workload/play
-
Create the Pod descriptor:
cat << EOF > play.yml
play:
  resources:
    - apiVersion: v1
      kind: Pod
      metadata:
        name: busybox
      spec:
        containers:
          - name: main
            image: docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83
            command: ["/bin/sh", "-c"]
            args:
              - mkdir -p /data/cloudlabs ; env | tee -a /data/cloudlabs/env.out ; cat /data/cloudlabs/env.out ; head -20 /data/cloudlabs/env.out ; head -20 /data/cloudlabs/greetings.out ; tail -20 /data/cloudlabs/greetings.out ; while true ; do echo Hi \${name:-World} the time is \$(date) | tee -a /data/cloudlabs/greetings.out ; sleep \${interval:-60} ; done
            envFrom:
              - configMapRef:
                  name: contract.config.map
                  optional: false
            volumeMounts:
              - mountPath: /data
                name: data-vol
                readOnly: false
        restartPolicy: Never
        volumes:
          - hostPath:
              path: /mnt/data
              type: Directory
            name: data-vol
EOF
-
Display the file's content.
cat play.yml
Create a convenience script to encrypt the workload section¶
-
Backup one directory level:
cd ..
-
Create this convenience script to encrypt the workload portion of the contract:
cat << EOF > flow.workload
# Create the workload section of the contract and add the contents in the workload.yaml file.
WORKLOAD_PLAIN=./workload.yaml.plaintext
WORKLOAD=workload.yaml
echo "
type: workload
volumes:
  data:
    filesystem: ext4
    mount: /mnt/data
    seed: seed-supplied-by-workload-persona
\$(cat play/play.yml)" > \${WORKLOAD_PLAIN}
# Download certificate to encrypt contract for Hyper Protect Container Runtime:
HPCR_rev=13
CONTRACT_KEY=./ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt
curl https://cloud.ibm.com/media/docs/downloads/hyper-protect-container-runtime/ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt > \${CONTRACT_KEY}
# Use the following command to create a random password:
PASSWORD_WORKLOAD="\$(openssl rand 32 | base64 \${LAB_WRAP})"
# Use the following command to encrypt password with the Hyper Protect Container Runtime Contract Encryption Key:
ENCRYPTED_WORKLOAD_PASSWORD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 \${LAB_WRAP})"
# Use the following command to encrypt the workload.yaml file with a random password:
ENCRYPTED_WORKLOAD="\$(echo -n "\$PASSWORD_WORKLOAD" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$WORKLOAD_PLAIN" | base64 \${LAB_WRAP})"
# Use the following command to get the encrypted section of the contract:
WORKLOAD_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_WORKLOAD_PASSWORD}.\${ENCRYPTED_WORKLOAD}"
echo ""
echo "See `pwd`/workload.yaml.plaintext to see what was encrypted for the workload section of your contract"
echo ""
echo "\$WORKLOAD_ENCRYPTED" > ../\$WORKLOAD
EOF
Create a convenience script to encrypt the environment section¶
-
Change to the directory used for the environment section and display it:
cd ../environment && pwd
-
Create this convenience script to encrypt the environment portion of the contract:
cat << EOF > flow.env
# Create the env section of the contract and add the contents in the env.yaml file.
ENV_PLAIN="./env.yaml.plaintext"
ENV="env.yaml"
echo "
type: env
logging:
  logDNA:
    hostname: \${LOG_HOSTNAME}
    ingestionKey: \${LOG_INGESTION_KEY}
    port: 6514
env:
  name: Lab 4 Student
  interval: \"30\"
volumes:
  data:
    seed: seed-supplied-by-env-persona" > \${ENV_PLAIN}
cat ./pubSigningKey.yaml >> \${ENV_PLAIN}
# Download certificate to encrypt contract for Hyper Protect Container Runtime:
HPCR_rev=13
CONTRACT_KEY=./ibm-hyper-protect-container-runtime-1-0-s390x-\${HPCR_rev}-encrypt.crt
curl https://cloud.ibm.com/media/docs/downloads/hyper-protect-container-runtime/\$CONTRACT_KEY > \$CONTRACT_KEY
# Use the following command to create a random password:
PASSWORD_ENV="\$(openssl rand 32 | base64 \${LAB_WRAP})"
# Use the following command to encrypt password with the Hyper Protect Container Runtime Contract Encryption Key:
ENCRYPTED_ENV_PASSWORD="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl rsautl -encrypt -inkey \$CONTRACT_KEY -certin | base64 \${LAB_WRAP} )"
# Use the following command to encrypt env.yaml with a random password:
ENCRYPTED_ENV="\$(echo -n "\$PASSWORD_ENV" | base64 -d | openssl enc -aes-256-cbc -pbkdf2 -pass stdin -in "\$ENV_PLAIN" | base64 \${LAB_WRAP})"
# Use the following command to get the encrypted section of the contract:
ENV_ENCRYPTED="hyper-protect-basic.\${ENCRYPTED_ENV_PASSWORD}.\${ENCRYPTED_ENV}"
echo ""
echo "See `pwd`/env.yaml.plaintext to see what was encrypted for the env section of your contract"
echo ""
echo "\$ENV_ENCRYPTED" > ../\$ENV
EOF
Create convenience scripts to facilitate signing the contract¶
-
Move up one directory level:
cd .. && pwd
-
Create the following convenience script that will create an RSA key pair that you will use to sign the contract.
cat << EOF > flow.prepare
# Use the following command to generate key pair to sign the contract
openssl genrsa -aes128 -passout pass:test1234 -out private.pem 4096
openssl rsa -in private.pem -passin pass:test1234 -pubout -out public.pem
# The following command is an example of how you can get the signing key:
key=\$(awk -vRS="\n" -vORS="\\\\\n" '1' public.pem)
# echo "signingKey: \"\${key%\\\\n}\"" > environment/pubSigningKey.yaml
printf "%s" "signingKey: \"\${key%\\\\n}\"" > environment/pubSigningKey.yaml
EOF
-
Create the following convenience script that will sign the encrypted contract.
cat << EOF > flow.signature
# combine workload and environment
cat workload.yaml env.yaml | tr -d '\n' > contract.yaml
# Sign the combination from workload and env being approved
echo \$( cat contract.yaml | openssl dgst -sha256 -sign private.pem -passin pass:test1234 | openssl enc -base64) | tr -d ' ' > signature.yaml
# Create user data and add signature:
echo "workload: \$(cat workload.yaml)
env: \$(cat env.yaml)
envWorkloadSignature: \$(cat signature.yaml)" > user_data.yaml
echo ""
echo "import `pwd`/user_data.yaml into User Data or copy and paste from below:"
echo ""
cat user_data.yaml
EOF
Create and run helper script to produce the encrypted and signed contract¶
-
Create this helper script that you will use to create the signed and encrypted contract:
cat << EOF > makeContract
. ./flow.prepare
cd workload
. ./flow.workload
cd ../environment
. ./flow.env
cd ..
. ./flow.signature
EOF
-
Create the contract:
. ./makeContract
-
Display your contract data:
cat user_data.yaml
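To see exactly which bytes envWorkloadSignature covers, here is an added example (not one of the lab scripts): a Python script using only the standard library that reads the three-line user_data.yaml written by flow.signature, rebuilds the signed message the same way that script does (workload.yaml followed by env.yaml with newlines removed, which is just the two encrypted section strings back to back), reports its SHA-256, and, when the openssl CLI is available, runs the matching openssl dgst -sha256 -verify against public.pem. It assumes the single-line section values the lab produces with LAB_WRAP; the SAMPLE_USER_DATA values are constructed placeholders, not real ciphertext or a real signature, and the script and file names are assumptions.

```python
"""Rebuild and verify what envWorkloadSignature covers (added example, not lab code)."""
import base64
import hashlib
import os
import shutil
import subprocess
import tempfile
import sys

# Constructed placeholder contract: these values are NOT real ciphertext or a real
# signature; they only have the shape flow.signature writes (one value per line).
SAMPLE_USER_DATA = """\
workload: hyper-protect-basic.V09SS0xPQUQ=.U0FMVEVE
env: hyper-protect-basic.RU5W.U0FMVEVE
envWorkloadSignature: U0lH
"""


def parse_user_data(text: str) -> dict:
    """Read the top-level 'key: value' lines of a signed user_data.yaml.

    flow.signature writes three single-line values, so no YAML library is needed;
    indented lines (a block-scalar env section, as in lab 2) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def signed_message(fields: dict) -> bytes:
    """Bytes flow.signature signs: 'cat workload.yaml env.yaml | tr -d '\\n''."""
    joined = fields["workload"] + fields["env"]
    return joined.replace("\n", "").encode()


def expected_sha256(fields: dict) -> str:
    """Hex digest that 'openssl dgst -sha256 -verify' recomputes over the message."""
    return hashlib.sha256(signed_message(fields)).hexdigest()


def verify_with_openssl(fields: dict, public_pem: str) -> bool:
    """Check the signature with the openssl CLI; False if openssl is missing or it does not verify."""
    if shutil.which("openssl") is None:
        return False
    with tempfile.TemporaryDirectory() as tmp:
        msg = os.path.join(tmp, "contract.yaml")
        sig = os.path.join(tmp, "signature.bin")
        with open(msg, "wb") as fh:
            fh.write(signed_message(fields))
        with open(sig, "wb") as fh:
            # signature.yaml holds the base64 text; openssl wants the raw signature bytes
            fh.write(base64.b64decode(fields["envWorkloadSignature"]))
        proc = subprocess.run(
            ["openssl", "dgst", "-sha256", "-verify", public_pem, "-signature", sig, msg],
            capture_output=True, text=True,
        )
        return proc.returncode == 0 and "Verified OK" in proc.stdout


if __name__ == "__main__":
    # usage: python3 verify_contract.py user_data.yaml public.pem
    if len(sys.argv) != 3:
        sys.exit("usage: verify_contract.py user_data.yaml public.pem")
    with open(sys.argv[1]) as fh:
        contract = parse_user_data(fh.read())
    print("signed message length:", len(signed_message(contract)), "bytes")
    print("sha256:", expected_sha256(contract))
    print("signature verified:", verify_with_openssl(contract, sys.argv[2]))
```

Run it as python3 verify_contract.py user_data.yaml public.pem from the lab4 directory after makeContract. Because the signature covers only the two concatenated section strings, re-running flow.workload or flow.env (each picks a fresh random password, so the ciphertext changes) invalidates the signature until flow.signature is run again, while the YAML layout around the values is not covered at all. The lab keeps the private key passphrase (test1234) in flow.prepare for convenience; outside a lab that passphrase would come from a secret store rather than the script.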
Proceed to the next section to create your Hyper Protect Virtual Servers for IBM Cloud VPC instance.
Create an instance¶
Note: There are often multiple ways to perform a task. The lab instructions may describe a particular way to go about things, but if you have prior experience with the IBM Cloud Web user interface and can perform the same task through different methods, feel free to do so. The lab instructions themselves may provide alternative ways to accomplish the tasks in different sections of the labs.
These instructions assume you are logged in to the IBM Cloud Web UI. If not, please log in before proceeding.
-
Go to your VPC
One way to do this is to start by clicking the "hamburger" menu in the top left (the icon will then turn into an "x" as shown in the screen snippet below), then click VPC Infrastructure and then VPCs:
Then, select the link for your VPC from the list that is shown:
-
Click the link to create a virtual server instance
You may have to scroll down on the page- find and click on the "Create a virtual server instance" link:
-
In the Location section, ensure that you select the Zone that contains your subnet. Give your instance a name in the Name field in the Details section. We chose lab-was-hpvs-lab4 in the screen shot below:
-
Scroll down and click the Change image link to select it:
-
On the Select an image screen, perform the following actions:
- Click the IBM Z, Linux ONE box.
- Toggle the slider on for "Run your workload with an OS and a profile for Secure Execution".
- Select the most recent image, ibm-hyper-protect-container-runtime-1-0-s390x-13.
- Click the blue Save button.
-
Scroll down and in the Advanced options section, within the Instance configuration subsection, click the arrow at the right of the User data item. Drag the lower right corner of the User data box that appears in order to enlarge it a bit, like we've done in the screen shot below:
- At the end of the previous section of the lab, Prepare the contract, in the very last instruction, you displayed the contents of your user_data.yaml on your prep system. Go back to your prep system and copy the file contents that you displayed to your clipboard. Then paste them into the User data box. It should look similar to what is shown below. The screen shot below does not show the entire contract: the whole encrypted workload section and the top of the encrypted environment section are not visible, but the entire base64-encoded envWorkloadSignature section is shown:
- Go to your IBM Log Analysis Dashboard so you can verify that you receive log messages from the instance that you're about to create.
Open another tab in your browser and go to cloud.ibm.com. Log in if necessary. Assuming you're logged in, the below screenshot provides guidance on one way to get to your list of IBM Log Analysis instances:
From the list, click the Open dashboard link:
-
Now, go back to the tab where you were setting up your virtual server instance- click the blue Create virtual server button in the lower right. Reminder: you may incur costs for this action, and these costs are your responsibility. We will provide instructions to delete resources that are no longer needed to help you minimize any costs you might incur.
-
Verify that your instance has started to come up.
Within a couple of minutes of starting your instance, you should see many messages appear in your IBM Log Analysis Dashboard. However, unlike the previous lab, the instance will not come up completely until you take further action- specifically, you need to attach the data volume that you created in the previous lab. Continue with these instructions.
-
Attach the disk volume that you created in the first lab:
Note: The screen shots in this instruction are taken from the section for lab 2 but the process is exactly the same for your lab 4 instance, so don't be confused if you see 'lab 2' in some of these screen snippets.
Click on the link for your instance in the list under Virtual server instances for VPC:
Scroll down to the Storage volumes section and click the blue Attach button:
On the Attach storage volume screen, select the Block volume that you created in the first lab (lab-was-datavol if you used the same name we used in these instructions) and then click the blue Save button at the bottom:
Now back on the screen displaying your instance information, you should see this data volume in the list of Storage volumes, similar to the screen shot below:
-
Now that you have attached the disk volume, startup continues and completes. Within your IBM Log Analysis Dashboard you should be able to see some messages greeting Lab 1 Student and some messages greeting Lab 3 Student (and maybe with some messages to Lab 2 Student- extra credit if you understand why you may or may not see greetings to her)- this is data written from your earlier instances from the first three labs. (You may need to scroll up to find them.) Then, this instance will provide similar greetings to Lab 4 Student- this provides a demonstration of successfully reusing a data volume to provide data persistence across different virtual server instances.
If the Hyper Protect Container Runtime detects a problem with your contract (for example, the envWorkloadSignature does not verify against the signing key carried in the environment section), your instance is stopped automatically after five minutes. So if you receive no messages within five minutes of starting your instance, it is time to contact your instructor.
-
Delete your instance.
Your instance either started successfully- as evidenced by the display of earlier greetings to Lab 1 Student and Lab 3 Student and then periodic greetings to Lab 4 Student, or it failed to start successfully. In either case you will want to delete your instance at this point.
The screenshot below shows how you can delete an instance if you are currently displaying it- by clicking the blue Actions button in the upper right, then choosing Delete. From there, follow the instructions to confirm your intention to delete the instance. (This screen snippet is from the instance created in lab 1, but the process to delete the instance is the same.)
-
Proceed to the next section to clean up all of the resources you created in these four labs.
Ended: Lab 4 - encrypted and signed contract
Delete the resources you created in the IBM Cloud-based labs¶
Danger
We get a little nervous when telling students to delete things on their IBM Cloud account, but we promised to help you minimize any costs associated with this lab.
Be aware that these cleanup instructions make two important assumptions.
The first is that you created a new Virtual Private Cloud (VPC) just for these labs so that you can delete the entire VPC without impacting any other users or resources.
The second assumption is that you created a new IBM Log Analysis instance just for these labs so that you can delete the IBM Log Analysis instance without impacting any other users or resources.
If you used a pre-existing virtual private cloud or a pre-existing IBM Log Analysis instance, do not follow these instructions verbatim but take extreme care instead in deleting only the resources you created for these labs. Our assumption is that if you were confident enough to use pre-existing resources, then you are confident enough to know what to delete afterwards and what not to delete. Please, err on the side of caution- ask an instructor or the appropriate person(s) in your company for help if you are unsure!
Delete your virtual private cloud¶
Warning
Skip this step if you used a pre-existing Virtual Private Cloud that you or others in your company are using for any purposes other than these labs.
Navigate to your Virtual Private Cloud and from the "vertical dots" icon on the right, select the Delete choice.
You may be presented with a list of attached resources that will also be deleted when you delete the VPC, similar to what is shown here:
-
Select the checkbox to confirm that you agree to these attached resources.
-
Click the blue Delete all button in the lower right to start the deletion.
Wait until you see the message that your VPC and all attached resources have been deleted:
Delete your storage volume¶
After deleting your VPC your storage volume remains assigned to you. To delete it, select Block storage volumes to see your data volume in a list:
From the "vertical dots" menu on the right select the Delete action:
Confirm the deletion of your storage volume:
Delete your IBM Log Analysis instance¶
Warning
Skip this step if you used a pre-existing IBM Log Analysis instance that you or others in your company are using for any purposes other than these labs
-
Go to your resources list
-
Expand the Logging and Monitoring category
-
Find your IBM Log Analysis instance and find the Delete option from the 'vertical dots' menu
The below screenshot shows what it looks like after completing the above three steps:
- Click Delete and confirm the deletion if prompted.
Congratulations!!¶
Congratulations on finishing the labs and cleaning up afterwards. We hope you learned something useful in the labs and we know there is always room for improvement, so constructive criticism on the current labs or ideas for new labs are always welcome, either by a GitHub issue if you are comfortable with that (click the GitHub link on the right side of the banner at the top of the page) or via email to the authors.
Ended: IBM Cloud-based labs
Building the Documentation Yourself¶
For Documentation Contributors Only
This is for people who want to update the documentation of Confidential Computing LinuxONE Workshop
and see the updates locally or if you are a regular user and are curious on how to do it. In most cases, just accessing the documentation via this site (https://ibm-wsc.github.io/ConfidentialComputingOnLinuxONE/) is best. If you want to access the documentation without internet access, instead of following this documentation, you should navigate to the print page (which displays the documentation in printable format). Then, Print->Save to pdf in your web browser and access the PDF freely offline.
Installing Necessary Pre-requisites¶
- Install pip3 on your computer, if it's not already installed (instructions vary depending on Operating System)
- Install mkdocs and the plugins used in the Confidential Computing LinuxONE Workshop documentation:

```bash
pip3 install mkdocs mkdocs-material mkdocs-git-revision-date-localized-plugin mkdocs-print-site-plugin
```

- Get a local copy of the source code with either the HTTPS or the SSH clone URL:

```bash
git clone https://github.com/ibm-wsc/ConfidentialComputingOnLinuxONE.git
git clone git@github.com:ibm-wsc/ConfidentialComputingOnLinuxONE.git
```
- Change into the source code directory in your terminal
- Serve the documentation in a terminal while in your source code directory with:

```bash
mkdocs serve
```

- Open a web browser and access the documentation. The above mkdocs serve command should output an address to access the documentation, which by default is http://127.0.0.1:8000, i.e. over localhost (only accessible locally). Go to this address to access the documentation.

Documentation updates automatically

If you leave the terminal tab where you ran mkdocs serve open, the docs will update automatically when you save your changes to a file. This way, as you make changes you can check them at the given web site, displayed the same way as they will be when served as a static website on GitHub.

- Make edits to the relevant markdown files in the docs/ subfolder, and watch the changes display in real time in your web browser when you save your file updates.
Special Documentation Features
To use the special features of mkdocs-material
and the plugins used in these docs that enhance the documentation from traditional markdown, please take a look at the syntax for the various features. You can find examples of them in action in the markdown of this site by either:
-
Inspecting a given page of the site in your web browser
- scroll to the top of a page with a feature you want to see how to use
- click the page with an eye icon to the right of the title
- Inspect the markdown for the part of the page with the given feature
OR
- See the markdown for the entire site in the
docs/
subfolder of the GitHub project, navigating the markdown files for each page
Additionally, you can find more examples and explainers on the mkdocs-material reference page.
Additional Resources ↵
Files created in the on-premises labs¶
Directories created on your Ubuntu KVM guest¶
Directory | Purpose |
---|---|
x509Work | High-level directory for doing x509 work |
x509Work/GREP11Client | Directory for creating certificate for your GREP11 Client code |
x509Work/rsyslog | High-level directory for x509 work related to rsyslog service on your Ubuntu KVM guest |
x509Work/rsyslog/CA | Directory that holds a Certificate Authority certificate for your rsyslog service |
x509Work/rsyslog/clients | For each lab you send a CSR to this directory from your host RHEL userid |
x509Work/rsyslog/server | You use this as a working directory to create the rsyslog service's certificate |
hpcs-grep11-go | From the GREP11 lab, this is where the GitHub repo is cloned so that you can modify and run the sample GREP11 code |
paynow-website | From the PayNow lab, this is where the GitHub repo is cloned so that you can build and run the OCI image |
Directories created in your host RHEL studentxx userid's home directory¶
Directory | Purpose |
---|---|
grep11Lab | High-level directory for Grep11 Lab |
grep11Lab/contract | High-level directory for creating the contract used by the HPVS KVM guest for the GREP11 Server |
grep11Lab/contract/environment | Directory used by the "workload deployer" persona to create the environment section of the contract |
grep11Lab/contract/environment/rsyslog | Directory to contain the x509 material needed to establish a mutual TLS connection with the rsyslog service that you set up on your Ubuntu KVM guest |
grep11Lab/contract/workload | Directory used by the "workload provider" persona to create the workload section of the contract |
grep11Lab/contract/workload/compose | Directory containing the Docker Compose file and files referenced by the Docker Compose file |
grep11Lab/x509Work | High-level directory for x509 work |
grep11Lab/x509Work/CENA4SEEClient | Directory used for creating client certificate for access to the CENA4SEE server. Your HPVS GREP11 Server is a client to the CENA4SEE server. |
grep11Lab/x509Work/GREP11Server | High-level directory for x509 work related to the GREP11 Server and mutual authentication with its clients (the sample GREP11 client code in this lab) |
grep11Lab/x509Work/GREP11Server/CA | Directory that holds a Certificate Authority certificate for the GREP11 Server |
grep11Lab/x509Work/GREP11Server/clients | You send a CSR to this directory from your Ubuntu guest on behalf of your GREP11 Client code which runs in your Ubuntu guest |
grep11Lab/x509Work/GREP11Server/server | You use this as a working directory to create the GREP11 server's certificate |
grep11Lab/x509Work/rsyslogClient | work directory used for creating the client certificate that will allow your HPVS GREP11 Server to send log messages to your rsyslog service running on your Ubuntu guest |
paynowLab | High-level directory for the PayNow Lab |
paynowLab/contract | High-level directory for creating the contract used by the HPVS KVM guest for the PayNow app |
paynowLab/contract/environment/rsyslog | Directory to contain the x509 material needed to establish a mutual TLS connection with the rsyslog service that you set up on your Ubuntu KVM guest |
paynowLab/contract/workload | Directory used by the "workload provider" persona to create the workload section of the contract |
paynowLab/contract/workload/play | Directory containing the pod descriptor file which specifies the OCI image to run |
paynowLab/x509Work | High-level directory for x509 work |
paynowLab/x509Work/rsyslogClient | work directory used for creating the client certificate that will allow your HPVS PayNow app to send log messages to your rsyslog service running on your Ubuntu guest |
Files in your Ubuntu guest's x509Work/GREP11Client/ directory¶
File | Comments |
---|---|
client.cnf | Configuration file used so that openssl command does not ask interactive questions |
client.csr | Certificate signing request you create and then send to the "GREP11 CA" registrar on your host RHEL account |
client.key | Private key associated with your GREP11 client certificate |
client.pem | GREP11 client certificate that your "GREP11 CA" registrar on your host RHEL account sends to you |
Files in your Ubuntu guest's x509Work/rsyslog/CA/ directory¶
File | Comments |
---|---|
ca-key.pem | Private key you create for your CA certificate for rsyslog |
ca-req.csr | CSR request you create which you use to create the CA certificate for rsyslog |
ca.cnf | Configuration file used so that openssl command does not ask interactive questions |
ca.crt | Self-signed CA certificate for the CA used by the rsyslog service and its clients. In our labs the client to rsyslog is the HPVS guest you create in each lab |
Files in your Ubuntu guest's x509Work/rsyslog/clients/ directory¶
File | Comments |
---|---|
grep11Lab-client-req.csr | CSR sent to you from your host RHEL userid so that the HPVS GREP11 Server can authenticate with rsyslog |
grep11Lab-client.crt | Certificate you create on your Ubuntu guest and then send to your host RHEL userid |
paynowLab-client-req.csr | CSR sent to you from your host RHEL userid so that the HPVS PayNow app can authenticate with rsyslog |
paynowLab-client.crt | Certificate you create on your Ubuntu guest and then send to your host RHEL userid |
Files in your Ubuntu guest's x509Work/rsyslog/server/ directory¶
File | Comments |
---|---|
server-key.pem | private key you create which is used with your rsyslog service's certificate |
server-req.csr | CSR you create so that your "rsyslog CA" registrar can create your rsyslog service's certificate |
server.cnf | Configuration file used so that openssl command does not ask interactive questions |
server.crt | rsyslog service's certificate that your "rsyslog CA" registrar creates from your CSR |
Files in your host RHEL studentxx's grep11Lab/contract/environment/rsyslog/ directory¶
File | Comments |
---|---|
ca.crt | The self-signed CA certificate used by the rsyslog service and its clients. You copy it from your Ubuntu KVM guest, which is where the rsyslog service and its CA reside. |
client-key-pkcs8.pem | This is your HPVS GREP11 Server's private key used for authentication with the rsyslog service, after it has been converted to PKCS #8 format |
grep11Lab-client.crt | This is your HPVS GREP11 Server's client certificate used for authentication with the rsyslog service. It is created by your "rsyslog CA" registrar on your Ubuntu guest, sent to you in your working directory, and from there you copy it into this directory so that it can be included in the environment section of the contract |
Files in your host RHEL studentxx's grep11Lab/contract/environment/ directory¶
File | Comments |
---|---|
env.yaml.plaintext | This file is created by the flow.env convenience script and is in plaintext. It is used within the flow.env script as input to produce an encrypted environment section of the contract. In this lab we've left the script intact for educational purposes. In a production environment you would either delete this plaintext file or restrict access to it as it contains sensitive information. |
flow.env | This is a convenience script that encompasses many of the manual commands that are listed in the product documentation. Careful study of this script will be worthwhile for those who want a deep understanding of how an environment section of the contract is created and encrypted. |
pubSigningKey.yaml | This is the public key corresponding to the private key that is used to sign the contract. It is created by the flow.prepare convenience script and then added to the environment section of the contract. The HPCR runtime uses this to verify the signature on the contract. |
Files in your host RHEL studentxx's grep11Lab/contract/workload/compose/ directory¶
File | Comments |
---|---|
c16client.yaml | Configuration file for the connection between your HPVS GREP11 Server and the Crypto Express Network API for Secure Execution Enclaves (CENA4SEE) appliance |
c16server-ca.pem | The self-signed CA certificate used by the CENA4SEE appliance and its clients. It is created by the instructors and copied into this directory by you during the lab. All students share a single CENA4SEE appliance, so control of this appliance's CA is in the hands of the instructors. |
c16server-client.key | Private key you create used for authentication between your HPVS GREP11 Server and the CENA4SEE appliance. |
c16server-client.pem | Certificate created for you by the instructors and used for authentication between your HPVS GREP11 Server and the CENA4SEE appliance. All students share a single CENA4SEE appliance, so control of this appliance's CA is in the hands of the instructors, which is why the instructors have to create this certificate for you. |
c16server-restricted-server.pem | This is the CENA4SEE appliance's server certificate. It is specified in the c16client.yaml file, which prevents the GREP11 Server from communicating with the CENA4SEE appliance if it does not present this exact certificate (certificate pinning). |
docker-compose.yml | This file specifies the OCI image for the application workload (the GREP11 Server in this case), as well as references to several files that the GREP11 Server needs. |
grep11-ca.pem | The self-signed CA certificate for the "GREP11 Server" CA. It is required for mutual TLS authentication with clients to the GREP11 Server. |
grep11-server.key | The private key used by the GREP11 Server's server certificate. It is required for mutual TLS authentication with clients to the GREP11 Server. |
grep11-server.pem | The GREP11 Server's server certificate. It is required for mutual TLS authentication with clients to the GREP11 Server. |
grep11server.yaml | Configuration file that governs communication with GREP11 clients and also specifies which crypto card domain on the CENA4SEE appliance LPAR this GREP11 Server is associated with. |
Files in your host RHEL studentxx's grep11Lab/contract/workload/ directory¶
File | Comments |
---|---|
flow.workload | This is a convenience script that encompasses many of the manual commands that are listed in the product documentation. Careful study of this script will be worthwhile for those who want a deep understanding of how a workload section of the contract is created and encrypted. |
workload.yaml.plaintext | This file is created by the flow.workload convenience script and is in plaintext. It is used within the flow.workload script as input to produce an encrypted workload section of the contract. In this lab we've left the script intact for educational purposes. In a production environment you would either delete this plaintext file or restrict access to it as it contains sensitive information. In some use cases the workload deployer persona would never even have access to the plaintext workload section because the workload provider persona would provide the workload section that is already encrypted by the Hyper Protect Container Runtime image's public key. |
Files in your host RHEL studentxx's grep11Lab/contract/ directory¶
File | Comments |
---|---|
contract.yaml | This is an intermediate file created by the flow.signature script. It is the concatenation, with newlines removed, of the encrypted workload and the encrypted environment sections of the contract. flow.signature signs this file, and the resulting signature is then combined with the two encrypted sections to produce the final contract (user_data.yaml) that is passed to the HPVS instance |
env.yaml | Intermediate file created by the flow.env script. It is the encrypted environment section of the contract. |
flow.clear | Convenience script that deletes some of the intermediate files created by the convenience scripts. |
flow.prepare | Convenience script that creates an RSA key pair which will be used to sign the encrypted environment and workload sections of the contract. |
flow.signature | Convenience script that signs the encrypted environment and workload sections of the contract using the RSA key pair created by flow.prepare. flow.signature then writes the two encrypted sections together with the signature (the envWorkloadSignature key) to user_data.yaml. |
makeContract | High-level, or "wrapper", script that runs all of the "flow.*" scripts in the proper order in order to create the contract |
meta-data | Input file used in creating the ISO image. It contains the hostname that will be assigned to the HPVS instance. |
private.pem | Private key created in flow.prepare that is used to create the signature over the contract. |
public.pem | Public key created in flow.prepare. It is passed to the contract so that the HPCR can verify the signature on the contract. |
signature.yaml | The signature over the contract, created in flow.signature and then added to the contract as the 'envWorkloadSignature' key. |
user-data | A copy of user_data.yaml that is used as input to the genisoimage command that generates the ISO image containing the contract. |
user_data.yaml | Output of the makeContract script (written by flow.signature): the signed and encrypted contract. |
vendor-data | Input to the command that generates the ISO image. Not much of interest in it for these labs. |
workload.yaml | Intermediate file created by the flow.workload script. It is the encrypted workload section of the contract. |
Files in your host RHEL studentxx's grep11Lab/x509Work/CENA4SEEClient/ directory¶
File | Comments |
---|---|
c16server-client.csr | CSR for your GREP11 Server, which will be used by the instructors to create your GREP11 Server's certificate that will allow it to authenticate with the CENA4SEE Server. |
c16server-client.key | Private key associated with your GREP11 Server's certificate that will allow it to authenticate with the CENA4SEE Server. |
c16server-client.pem | Certificate created by the instructors that will allow your HPVS GREP11 Server to communicate with the CENA4SEE Server. |
csr.cfg | Configuration file used in creating the CSR that prevents interactive questions during the CSR creation. |
Files in your host RHEL studentxx's grep11Lab/x509Work/GREP11Server/CA/ directory¶
File | Comments |
---|---|
ca.cnf | Configuration file used to avoid interactive questions while creating the CSR |
grep11-ca-key.pem | Private key associated with the self-signed CA root certificate used for authentication between the GREP11 Server and its clients. |
grep11-ca.pem | Self-signed CA root certificate used for authentication between the GREP11 Server and its clients. |
grep11-ca.srl | Serial number file that openssl creates the first time this CA signs a certificate request and updates on each later signing, so that every issued certificate gets a distinct serial number |
grep11-server.csr | Copy of the GREP11 Server CSR request that you create in the '../server' directory and then copy into this directory. Think of the '../server' directory as belonging to a "GREP11 Server administrator" persona and the directory in this table as belonging to a "GREP11 CA Registrar" persona. |
grep11-server.pem | The GREP11 Server certificate that the "GREP11 CA Registrar" persona creates in this directory and then copies to the "../server" directory. |
server.cnf | Configuration file to avoid interactive questions |
Files in your host RHEL studentxx's grep11Lab/x509Work/GREP11Server/clients/ directory¶
File | Comments |
---|---|
client.csr | CSR sent from your Ubuntu KVM guest |
client.pem | Certificate that you create on behalf of your GREP11 Client code. You send this certificate back to your Ubuntu KVM guest so that your GREP11 Client code that runs there can authenticate with your HPVS GREP11 Server. |
Files in your host RHEL studentxx's grep11Lab/x509Work/GREP11Server/server/ directory¶
File | Comments |
---|---|
grep11-ca.pem | A copy of the "GREP11 CA" Registrar's self-signed public CA certificate. Copying it from the "../CA" directory to this directory is simply a simulation of a real-world scenario where the "GREP11 Server administrator" persona would obtain this certificate by some means. |
grep11-server.csr | The CSR that the "GREP11 Server administrator" creates and then copies to the "../CA" directory as a simulation of a real-world scenario where the "GREP11 Server administrator" would send a CSR to the "GREP11 CA Registrar". |
grep11-server.pem | The "GREP11 CA Registrar" creates this in the "../CA" directory and then copies it here in a simulation of a real-world scenario where the "GREP11 CA Registrar" creates the certificate and then delivers it to the "GREP11 Server administrator" by some means. |
serverCSR.cnf | Configuration file used to avoid interactive questions. |
Files in your host RHEL studentxx's grep11Lab/x509Work/rsyslogClient/ directory¶
File | Comments |
---|---|
client.cnf | Configuration file used to avoid interactive questions. |
client-key.pem | Private key associated with the CSR you create (and the certificate created from the CSR) that is used in authenticating your HPVS GREP11 Server to the rsyslog service that you set up on your Ubuntu KVM guest. |
grep11Lab-client.crt | Certificate created on your Ubuntu KVM guest by your "Rsyslog CA Registrar" persona and then sent to you here by that persona. |
grep11Lab-client-req.csr | CSR that you create here and then send to your Ubuntu KVM guest, where the "Rsyslog CA Registrar" persona creates the certificate. |