* [tpm2] Re: tpm2-pytss connect to dockerized swtpm
@ 2022-07-27 12:39 henry.gadacz
0 siblings, 0 replies; 5+ messages in thread
From: henry.gadacz @ 2022-07-27 12:39 UTC (permalink / raw)
To: tpm2
Hi Erik,
Thank you very much! The suggestion about the swtpm IP address was correct!
Best regards,
Henry
-----Original Message-----
From: Erik <who+01tpm(a)cnackers.org>
Sent: Wednesday, 27 July 2022 14:16
To: henry.gadacz(a)stud.h-da.de; tpm2(a)lists.01.org
Subject: [tpm2] Re: tpm2-pytss connect to dockerized swtpm
Hi,
swtpm only listens on 127.0.0.1 by default, so unless you have changed that it won't be accessible by any other address.
docker compose seems to use the same network namespace for each container, so localhost should work, but it might be as simple as that the Python script runs before swtpm is ready.
The unit tests for tpm2-pytss try to connect to swtpm a couple of times with a small sleep in between each try to get around that, so try adding, for example, time.sleep(5) before calling ESAPI(...) to see if that helps.
/Erik
On Wed, 2022-07-27 at 10:29 +0200, henry.gadacz(a)stud.h-da.de wrote:
Hello everyone,
I am trying to accomplish the following, but did not succeed, and I hope someone can help me.
I want to have a docker compose with two containers. In the first container I want to run swtpm (https://github.com/stefanberger/swtpm) and in the other a Python script that uses tpm2-pytss to connect to the swtpm in the first container.
When I run swtpm and the Python script in the same container it works.
In order to run them in separate containers I just duplicated the Dockerfile (I know this has some overhead, but to make sure I don't miss any dependencies), changed the docker CMD command to either run the Python script or the swtpm and renamed them to Dockerfile_app_test and Dockerfile_tpm_test.
My docker compose file looks like this:
version: '3.7'
services:

  app:
    container_name: app
    build:
      context: .
      dockerfile: Dockerfile_app_test
    restart: unless-stopped

  tpm:
    container_name: tpm
    build:
      context: .
      dockerfile: Dockerfile_tpm_test
    ports:
      - "2321:2321"
      - "2322:2322"
    restart: unless-stopped
My python script is:
from tpm2_pytss import *

if __name__ == '__main__':
    print("TPM test application")
    # swtpm TCTI: "tpm" is the compose service name, 2321 the command port
    tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
    tpm.startup(TPM2_SU.CLEAR)

    r = tpm.get_random(8)   # TPM2B buffer holding 8 random bytes
    print("type is ", type(r))
    print("r is ", str(r))
    print("as int ", int(str(r), 16))
When I run it in one Dockerfile I used
    tpm = ESAPI(tcti="swtpm:host=localhost,port=2321")
so I thought changing the host name to the docker container name should do it, but I always get the following errors:
app | WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 172.21.0.2, port 2321: errno 111: Connection refused
app | ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
app | ERROR:tcti:src/tss2-tcti/tctildr-dl.c:170:tcti_from_file() Could not initialize TCTI file: swtpm
app | ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
app | Traceback (most recent call last):
app |   File "/app/main.py", line 70, in <module>
app |     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/ESAPI.py", line 123, in __init__
app |     tcti = TCTILdr.parse(tcti)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 54, in parse
app |     return cls(name, conf)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 29, in __init__
app |     _chkrc(lib.Tss2_TctiLdr_Initialize_Ex(name, conf, self._ctx_pp))
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/internal/utils.py", line 32, in _chkr
app |     raise TSS2_Exception(rc)
app | tpm2_pytss.TSS2_Exception.TSS2_Exception: tcti:IO failure
app exited with code 1
I know it's not a plain tpm2-tss question, but does anyone have experience with that and can help me?
Kind regards,
Henry
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
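A note on what the log above actually says, and a worked check. The service name did resolve (the TCTI tried 172.21.0.2), so compose DNS was fine; the "Connection refused" means nothing was accepting on port 2321 at that address. From a peer container that is exactly what a listener bound only to 127.0.0.1 looks like, and also what a listener that has not started yet looks like. By default each compose service gets its own network namespace on a shared bridge network, so a loopback-bound swtpm is only reachable from inside the tpm container itself. swtpm takes the bind address as part of its listener options, for example `--server type=tcp,port=2321,bindaddr=0.0.0.0 --ctrl type=tcp,port=2322,bindaddr=0.0.0.0`. Container-to-container traffic needs no `ports:` entries; those publish the simulator on the host's interfaces, and swtpm's TCP channel carries no authentication, so drop them unless something outside compose must reach it. The Python below is an added example, not code from the thread, from tpm2-pytss or from swtpm: it decides whether a given swtpm listener option is reachable from peer containers, retries the TCP connect until both the command port and the control port (port + 1, which the swtpm TCTI also uses) accept, and only then opens the ESAPI context. The service name `tpm`, the ports and all function names are this example's own assumptions.

```python
"""Readiness and bind-address checks for a swtpm reached over TCP.

Added example for this thread; not code from the original posts, from
tpm2-pytss or from swtpm. Assumed names: the swtpm compose service is
"tpm", command port 2321, control port 2322. Function names are the
example's own.
"""
import ipaddress
import socket
import threading
import time

SWTPM_DEFAULT_BINDADDR = "127.0.0.1"   # swtpm's default for --server / --ctrl


def parse_swtpm_opt(opt: str) -> dict:
    """Parse a swtpm --server / --ctrl option string such as
    'type=tcp,port=2321,bindaddr=0.0.0.0' into a dict."""
    fields = {}
    for part in opt.split(","):
        key, _, value = part.partition("=")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields


def listener_reachable_from_peers(opt: str) -> bool:
    """True if another container on the compose network could reach this
    listener. A loopback bindaddr (swtpm's default) is only reachable from
    inside the same network namespace, i.e. the swtpm container itself."""
    fields = parse_swtpm_opt(opt)
    if fields.get("type") != "tcp":
        return False                    # unix sockets are not network-reachable
    addr = fields.get("bindaddr", SWTPM_DEFAULT_BINDADDR)
    if addr == "localhost":
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True                     # a non-loopback hostname


def swtpm_tcti(host: str, port: int = 2321) -> str:
    """TCTI config string for the tpm2-tss swtpm TCTI. The TCTI also uses
    the control channel on port + 1, so both ports must be reachable."""
    return f"swtpm:host={host},port={port}"


def wait_for_port(host: str, port: int, timeout: float = 15.0,
                  interval: float = 0.5) -> bool:
    """Retry a TCP connect until `timeout` seconds have passed.
    ECONNREFUSED while swtpm is still starting is retried, not fatal."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def wait_for_swtpm(host: str, port: int = 2321, timeout: float = 15.0) -> bool:
    """Both the command port and the control port (port + 1) must accept."""
    return (wait_for_port(host, port, timeout)
            and wait_for_port(host, port + 1, timeout))


def start_fake_swtpm(bindaddr: str = "127.0.0.1"):
    """Constructed stand-in for swtpm: accepts TCP connections on an
    ephemeral port. Returns (port, close) so the caller can stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bindaddr, 0))
    srv.listen(4)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return                  # listener was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def connect_esapi(host: str = "tpm", port: int = 2321, timeout: float = 15.0):
    """Open an ESAPI context only once swtpm answers, instead of letting
    ESAPI(...) die with 'tcti:IO failure' during container startup.
    tpm2-pytss is imported lazily so the checks above run without it."""
    if not wait_for_swtpm(host, port, timeout):
        raise RuntimeError(f"swtpm at {host}:{port}/{port + 1} not reachable")
    from tpm2_pytss import ESAPI
    return ESAPI(tcti=swtpm_tcti(host, port))


if __name__ == "__main__":
    # swtpm started with its default bind address is invisible to peers
    print(listener_reachable_from_peers("type=tcp,port=2321"))                    # False
    print(listener_reachable_from_peers("type=tcp,port=2321,bindaddr=0.0.0.0"))   # True
    port, close = start_fake_swtpm()
    print(wait_for_port("127.0.0.1", port, timeout=2))                              # True
    close()
    print(wait_for_port("127.0.0.1", port, timeout=1, interval=0.2))                # False
```

The retry matters even after the bind address is fixed: `depends_on` in compose only orders container start, it does not wait for swtpm to be listening, and with `restart: unless-stopped` a script that fails on the first connect will crash-loop instead of surfacing a clear error.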
* [tpm2] Re: tpm2-pytss connect to dockerized swtpm
@ 2022-08-01 15:37 Roberts, William C
0 siblings, 0 replies; 5+ messages in thread
From: Roberts, William C @ 2022-08-01 15:37 UTC (permalink / raw)
To: tpm2
Oh, never mind, I see you expose the ports in the Dockerfile and Erik figured it out.
________________________________
From: henry.gadacz(a)stud.h-da.de <henry.gadacz(a)stud.h-da.de>
Sent: Wednesday, July 27, 2022 7:39 AM
To: 'Erik' <who+01tpm(a)cnackers.org>; tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Re: tpm2-pytss connect to dockerized swtpm
Hi Erik,
Thank you very much! The suggestion about the swtpm IP address was correct!
Best regards,
Henry
-----Original Message-----
From: Erik <who+01tpm(a)cnackers.org>
Sent: Wednesday, 27 July 2022 14:16
To: henry.gadacz(a)stud.h-da.de; tpm2(a)lists.01.org
Subject: [tpm2] Re: tpm2-pytss connect to dockerized swtpm
Hi,
swtpm only listens on 127.0.0.1 by default, so unless you have changed that it won't be accessible by any other address.
docker compose seems to use the same network namespace for each container, so localhost should work, but it might be as simple as that the Python script runs before swtpm is ready.
The unit tests for tpm2-pytss try to connect to swtpm a couple of times with a small sleep in between each try to get around that, so try adding, for example, time.sleep(5) before calling ESAPI(...) to see if that helps.
/Erik
On Wed, 2022-07-27 at 10:29 +0200, henry.gadacz(a)stud.h-da.de wrote:
Hello everyone,
I am trying to accomplish the following, but did not succeed, and I hope someone can help me.
I want to have a docker compose with two containers. In the first container I want to run swtpm (https://github.com/stefanberger/swtpm) and in the other a Python script that uses tpm2-pytss to connect to the swtpm in the first container.
When I run swtpm and the Python script in the same container it works.
In order to run them in separate containers I just duplicated the Dockerfile (I know this has some overhead, but to make sure I don't miss any dependencies), changed the docker CMD command to either run the Python script or the swtpm and renamed them to Dockerfile_app_test and Dockerfile_tpm_test.
My docker compose file looks like this:
version: '3.7'
services:

  app:
    container_name: app
    build:
      context: .
      dockerfile: Dockerfile_app_test
    restart: unless-stopped

  tpm:
    container_name: tpm
    build:
      context: .
      dockerfile: Dockerfile_tpm_test
    ports:
      - "2321:2321"
      - "2322:2322"
    restart: unless-stopped
My python script is:
from tpm2_pytss import *

if __name__ == '__main__':
    print("TPM test application")
    # swtpm TCTI: "tpm" is the compose service name, 2321 the command port
    tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
    tpm.startup(TPM2_SU.CLEAR)

    r = tpm.get_random(8)   # TPM2B buffer holding 8 random bytes
    print("type is ", type(r))
    print("r is ", str(r))
    print("as int ", int(str(r), 16))
When I run it in one Dockerfile I used
    tpm = ESAPI(tcti="swtpm:host=localhost,port=2321")
so I thought changing the host name to the docker container name should do it, but I always get the following errors:
app | WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 172.21.0.2, port 2321: errno 111: Connection refused
app | ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
app | ERROR:tcti:src/tss2-tcti/tctildr-dl.c:170:tcti_from_file() Could not initialize TCTI file: swtpm
app | ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
app | Traceback (most recent call last):
app |   File "/app/main.py", line 70, in <module>
app |     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/ESAPI.py", line 123, in __init__
app |     tcti = TCTILdr.parse(tcti)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 54, in parse
app |     return cls(name, conf)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 29, in __init__
app |     _chkrc(lib.Tss2_TctiLdr_Initialize_Ex(name, conf, self._ctx_pp))
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/internal/utils.py", line 32, in _chkr
app |     raise TSS2_Exception(rc)
app | tpm2_pytss.TSS2_Exception.TSS2_Exception: tcti:IO failure
app exited with code 1
I know it's not a plain tpm2-tss question, but does anyone have experience with that and can help me?
Kind regards,
Henry
* [tpm2] Re: tpm2-pytss connect to dockerized swtpm
@ 2022-08-01 15:36 Roberts, William C
0 siblings, 0 replies; 5+ messages in thread
From: Roberts, William C @ 2022-08-01 15:36 UTC (permalink / raw)
To: tpm2
From: Roberts, William C <william.c.roberts(a)intel.com>
Sent: Monday, August 1, 2022 10:31 AM
To: henry.gadacz(a)stud.h-da.de <henry.gadacz(a)stud.h-da.de>; tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: Re: [tpm2] tpm2-pytss connect to dockerized swtpm
My guess is that, since containers are used to isolate things, the port from the container needs to be exposed somehow.
Premature send, sorry, look at these links:
- https://www.mend.io/free-developer-tools/blog/docker-expose-port/
- https://docs.docker.com/config/containers/container-networking/#:~:text=To%20make%20a%20port%20available,host%20to%20the%20outside%20world.
- https://docs.docker.com/network/network-tutorial-standalone/
I think somewhere in there is your answer.
Bill
________________________________
From: henry.gadacz(a)stud.h-da.de <henry.gadacz(a)stud.h-da.de>
Sent: Wednesday, July 27, 2022 3:29 AM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] tpm2-pytss connect to dockerized swtpm
Hello everyone,
I am trying to accomplish the following, but did not succeed, and I hope someone can help me.
I want to have a docker compose with two containers. In the first container I want to run swtpm (https://github.com/stefanberger/swtpm) and in the other a Python script that uses tpm2-pytss to connect to the swtpm in the first container.
When I run swtpm and the Python script in the same container it works.
In order to run them in separate containers I just duplicated the Dockerfile (I know this has some overhead, but to make sure I don't miss any dependencies), changed the docker CMD command to either run the Python script or the swtpm and renamed them to Dockerfile_app_test and Dockerfile_tpm_test.
My docker compose file looks like this:
version: '3.7'
services:

  app:
    container_name: app
    build:
      context: .
      dockerfile: Dockerfile_app_test
    restart: unless-stopped

  tpm:
    container_name: tpm
    build:
      context: .
      dockerfile: Dockerfile_tpm_test
    ports:
      - "2321:2321"
      - "2322:2322"
    restart: unless-stopped
My python script is:
from tpm2_pytss import *

if __name__ == '__main__':
    print("TPM test application")
    # swtpm TCTI: "tpm" is the compose service name, 2321 the command port
    tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
    tpm.startup(TPM2_SU.CLEAR)

    r = tpm.get_random(8)   # TPM2B buffer holding 8 random bytes
    print("type is ", type(r))
    print("r is ", str(r))
    print("as int ", int(str(r), 16))
When I run it in one Dockerfile I used
    tpm = ESAPI(tcti="swtpm:host=localhost,port=2321")
so I thought changing the host name to the docker container name should do it, but I always get the following errors:
app | WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 172.21.0.2, port 2321: errno 111: Connection refused
app | ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
app | ERROR:tcti:src/tss2-tcti/tctildr-dl.c:170:tcti_from_file() Could not initialize TCTI file: swtpm
app | ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
app | Traceback (most recent call last):
app |   File "/app/main.py", line 70, in <module>
app |     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/ESAPI.py", line 123, in __init__
app |     tcti = TCTILdr.parse(tcti)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 54, in parse
app |     return cls(name, conf)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 29, in __init__
app |     _chkrc(lib.Tss2_TctiLdr_Initialize_Ex(name, conf, self._ctx_pp))
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/internal/utils.py", line 32, in _chkr
app |     raise TSS2_Exception(rc)
app | tpm2_pytss.TSS2_Exception.TSS2_Exception: tcti:IO failure
app exited with code 1
I know it's not a plain tpm2-tss question, but does anyone have experience with that and can help me?
Kind regards,
Henry
* [tpm2] Re: tpm2-pytss connect to dockerized swtpm
@ 2022-08-01 15:31 Roberts, William C
0 siblings, 0 replies; 5+ messages in thread
From: Roberts, William C @ 2022-08-01 15:31 UTC (permalink / raw)
To: tpm2
My guess is that, since containers are used to isolate things, the port from the container needs to be exposed somehow.
________________________________
From: henry.gadacz(a)stud.h-da.de <henry.gadacz(a)stud.h-da.de>
Sent: Wednesday, July 27, 2022 3:29 AM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] tpm2-pytss connect to dockerized swtpm
Hello everyone,
I am trying to accomplish the following, but did not succeed, and I hope someone can help me.
I want to have a docker compose with two containers. In the first container I want to run swtpm (https://github.com/stefanberger/swtpm) and in the other a Python script that uses tpm2-pytss to connect to the swtpm in the first container.
When I run swtpm and the Python script in the same container it works.
In order to run them in separate containers I just duplicated the Dockerfile (I know this has some overhead, but to make sure I don't miss any dependencies), changed the docker CMD command to either run the Python script or the swtpm and renamed them to Dockerfile_app_test and Dockerfile_tpm_test.
My docker compose file looks like this:
version: '3.7'
services:

  app:
    container_name: app
    build:
      context: .
      dockerfile: Dockerfile_app_test
    restart: unless-stopped

  tpm:
    container_name: tpm
    build:
      context: .
      dockerfile: Dockerfile_tpm_test
    ports:
      - "2321:2321"
      - "2322:2322"
    restart: unless-stopped
My python script is:
from tpm2_pytss import *

if __name__ == '__main__':
    print("TPM test application")
    # swtpm TCTI: "tpm" is the compose service name, 2321 the command port
    tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
    tpm.startup(TPM2_SU.CLEAR)

    r = tpm.get_random(8)   # TPM2B buffer holding 8 random bytes
    print("type is ", type(r))
    print("r is ", str(r))
    print("as int ", int(str(r), 16))
When I run it in one Dockerfile I used
    tpm = ESAPI(tcti="swtpm:host=localhost,port=2321")
so I thought changing the host name to the docker container name should do it, but I always get the following errors:
app | WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 172.21.0.2, port 2321: errno 111: Connection refused
app | ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
app | ERROR:tcti:src/tss2-tcti/tctildr-dl.c:170:tcti_from_file() Could not initialize TCTI file: swtpm
app | ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
app | Traceback (most recent call last):
app |   File "/app/main.py", line 70, in <module>
app |     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/ESAPI.py", line 123, in __init__
app |     tcti = TCTILdr.parse(tcti)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 54, in parse
app |     return cls(name, conf)
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 29, in __init__
app |     _chkrc(lib.Tss2_TctiLdr_Initialize_Ex(name, conf, self._ctx_pp))
app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/internal/utils.py", line 32, in _chkr
app |     raise TSS2_Exception(rc)
app | tpm2_pytss.TSS2_Exception.TSS2_Exception: tcti:IO failure
app exited with code 1
I know it's not a plain tpm2-tss question, but does anyone have experience with that and can help me?
Kind regards,
Henry
* [tpm2] Re: tpm2-pytss connect to dockerized swtpm
@ 2022-07-27 12:16 Erik
0 siblings, 0 replies; 5+ messages in thread
From: Erik @ 2022-07-27 12:16 UTC (permalink / raw)
To: tpm2
Hi,
swtpm only listens on 127.0.0.1 by default, so unless you have changed that it won't be accessible by any other address.
docker compose seems to use the same network namespace for each container, so localhost should work, but it might be as
simple as that the Python script runs before swtpm is ready.
The unit tests for tpm2-pytss try to connect to swtpm a couple of times with a small sleep in between each try to get
around that, so try adding, for example, time.sleep(5) before calling ESAPI(...) to see if that helps.
/Erik
On Wed, 2022-07-27 at 10:29 +0200, henry.gadacz(a)stud.h-da.de wrote:
> Hello everyone,
>
> I am trying to accomplish the following, but did not succeed, and I hope someone can help me.
> I want to have a docker compose with two containers. In the first container I want to run swtpm
> (https://github.com/stefanberger/swtpm) and in the other a Python script that uses tpm2-pytss to connect to the swtpm
> in the first container.
>
> When I run swtpm and the Python script in the same container it works.
> In order to run them in separate containers I just duplicated the Dockerfile (I know this has some overhead, but to
> make sure I don't miss any dependencies), changed the docker CMD command to either run the Python script or the swtpm
> and renamed them to Dockerfile_app_test and Dockerfile_tpm_test.
>
> My docker compose file looks like this:
> version: '3.7'
> services:
>
>   app:
>     container_name: app
>     build:
>       context: .
>       dockerfile: Dockerfile_app_test
>     restart: unless-stopped
>
>   tpm:
>     container_name: tpm
>     build:
>       context: .
>       dockerfile: Dockerfile_tpm_test
>     ports:
>       - "2321:2321"
>       - "2322:2322"
>     restart: unless-stopped
>
>
> My python script is:
> from tpm2_pytss import *
>
> if __name__ == '__main__':
>     print("TPM test application")
>     # swtpm TCTI: "tpm" is the compose service name, 2321 the command port
>     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
>     tpm.startup(TPM2_SU.CLEAR)
>
>     r = tpm.get_random(8)   # TPM2B buffer holding 8 random bytes
>     print("type is ", type(r))
>     print("r is ", str(r))
>     print("as int ", int(str(r), 16))
>
>
> When I run it in one Dockerfile I used
>     tpm = ESAPI(tcti="swtpm:host=localhost,port=2321")
>
> so I thought changing the host name to the docker container name should do it, but I always get the following errors:
> app | WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 172.21.0.2, port 2321: errno 111: Connection refused
> app | ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:614:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket
> app | ERROR:tcti:src/tss2-tcti/tctildr-dl.c:170:tcti_from_file() Could not initialize TCTI file: swtpm
> app | ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
> app | Traceback (most recent call last):
> app |   File "/app/main.py", line 70, in <module>
> app |     tpm = ESAPI(tcti="swtpm:host=tpm,port=2321")
> app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/ESAPI.py", line 123, in __init__
> app |     tcti = TCTILdr.parse(tcti)
> app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 54, in parse
> app |     return cls(name, conf)
> app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/TCTILdr.py", line 29, in __init__
> app |     _chkrc(lib.Tss2_TctiLdr_Initialize_Ex(name, conf, self._ctx_pp))
> app |   File "/usr/local/lib/python3.10/dist-packages/tpm2_pytss/internal/utils.py", line 32, in _chkr
> app |     raise TSS2_Exception(rc)
> app | tpm2_pytss.TSS2_Exception.TSS2_Exception: tcti:IO failure
> app exited with code 1
>
>
>
> I know it's not a plain tpm2-tss question, but does anyone have experience with that and can help me?
>
> Kind regards,
> Henry
>
Thread overview: 5 messages
2022-07-27 12:39 [tpm2] Re: tpm2-pytss connect to dockerized swtpm henry.gadacz
2022-08-01 15:37 Roberts, William C
2022-08-01 15:36 Roberts, William C
2022-08-01 15:31 Roberts, William C
2022-07-27 12:16 Erik