identinetics/PVZDliveCD

PVZD Live CD

1. Purpose

This is a secure boot environment for X11 applications deployed via docker. The PVZD LiveCD comes with an LXDE desktop based on Fedora 24 and boots automatically into a predefined docker image. Docker data and the container user's home are stored on a device with a writeable filesystem. The device is tagged with a filename in the root directory for auto-discovery at boot time.

There are currently 3 docker images supporting this LiveCD:

2. Concept

  • Booting the LiveCD will bring up the PVZD LXDE desktop for user livecd.

  • LXDE has an autostart item to execute /usr/local/bin/start.sh.

  • start.sh performs 2 steps:

    • Execute 'predocker.sh'. This script has the following tasks:

      • Search for the writeable filesystem to be used for storing docker data (images, containers etc.), called DOCKERDATA_DIR. The respective filesystem has to be marked by a file with the name 'UseMe4DockerData' in its root directory.

      • Once the UseMe4DockerData filesystem is found, the docker daemon is reconfigured to use DOCKERDATA_DIR.

      • predocker.sh will then copy a docker start script to DOCKERDATA_DIR and create a call script at /tmp/startapp_inv.sh.

    • Execute /tmp/startapp_inv.sh. This will pull and run the docker container.
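
One way to implement the marker-file discovery step described above, as an added example (this is not the project's predocker.sh). The function names, the exit codes, and the rule of refusing to choose when more than one medium carries the marker are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate the filesystem tagged for docker data.
# Not the project's predocker.sh; function names and exit codes are assumptions.
MARKER="UseMe4DockerData"   # marker file name taken from the README

# is_writable DIR: prove writability by creating and removing a probe file.
# Permission bits alone can look fine on a filesystem mounted read-only.
is_writable() {
    probe=$(mktemp "$1/.probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
}

# find_dockerdata_dir ROOT...: print the single candidate root that holds the
# marker and is writable. Exit status: 0 found, 1 none, 2 ambiguous.
find_dockerdata_dir() {
    found=""
    count=0
    for root in "$@"; do
        # The marker must be a regular file, not a symlink or a directory.
        [ -f "$root/$MARKER" ] && [ ! -L "$root/$MARKER" ] || continue
        is_writable "$root" || continue
        found=$root
        count=$((count + 1))
    done
    [ "$count" -eq 0 ] && return 1
    # Assumption: with several tagged media attached, refuse to guess which
    # one should receive docker images and the container user's home.
    [ "$count" -gt 1 ] && return 2
    printf '%s\n' "$found"
}

# list_mount_roots: mount points of block-device filesystems (Linux only).
# Mount points containing whitespace are not handled by this sketch.
list_mount_roots() {
    awk '$1 ~ /^\/dev\// { print $2 }' /proc/mounts
}
```

On the booted system it would be called as `find_dockerdata_dir $(list_mount_roots)`, treating any non-zero status as a reason to stop before the docker daemon is reconfigured.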

3. Prepare the boot device

3.2. Copy to boot device

  • Copy the ISO image to your boot device (DVD or USB Flash >= 1GB), e.g. like this:

    # insert the USB stick
    dmesg | tail  # check the device name of the USB drive
    dd if=livecd-PVZDliveCD-Fedora24-lxde-Remix-<imageid>.iso of=/dev/<usb-drive>
    # or like this on OS X (dd is dead slow if not using rdisk; block size needs a lowercase m):
    sudo dd bs=1m if=livecd-centos-7-gnome-docker-pvzdclient-v0_32.iso of=/dev/rdisk2

4. Usage (generic)

  • You require 2 media:

    1. the boot medium with the LiveCD (should be read-only, such as CD-ROM), and

    2. a writeable medium, large enough to contain a docker image and docker work files. Start with at least 8GB for a GUI.

  • Initialize the data medium: Create a FAT32 partition, insert the medium and follow the instructions, or run /usr/local/bin/init_usbdrive.sh. (This requires the drive to have just a single FAT partition. Otherwise, format the drive with mkfs.ext4, cd into its root dir and run touch UseMe4DockerData.)

  • Insert both media into the PC and connect your smartcard reader. Any PCSC-compliant reader should work.

  • Boot from the boot-medium (you might have to modify the boot sequence in the BIOS)

  • Wait for the system to come up

  • Boot selection issues: You might need access to the BIOS settings. Check with your admin.

5. Security Considerations

  • The execution environment (i.e. the hardware to boot the system) must be trusted.

  • Booting the system in a virtual machine on a host used for other purposes weakens the security properties. However, using a virtual environment is OK to enable installation on a dedicated machine which cannot boot the LiveCD otherwise.

  • Docker content security (to be implemented): The docker image must be signed with a key generated by the trusted Docker notary.

  • Docker container security: containers reside on unprotected writeable media. To prevent tampering, the container is discarded after each usage and a new one is created when the system is rebooted.

6. Monitoring

  • Script messages go to journald and are printed on the DockerAppMonitor.

  • Docker error messages go to journald and are printed on the DockerAppMonitor.

  • Docker info and warning messages can be tracked in a terminal with journalctl -f -u docker.service