base changes to move fips to wolfi
Ikuni17 committed Mar 4, 2025
1 parent f2a9173 commit f201210
Showing 3 changed files with 36 additions and 32 deletions.
4 changes: 2 additions & 2 deletions src/dev/build/tasks/os_packages/create_os_package_tasks.ts
Expand Up @@ -155,7 +155,7 @@ export const CreateDockerFIPS: Task = {
async run(config, log, build) {
await runDockerGenerator(config, log, build, {
architecture: 'x64',
baseImage: 'ubi',
baseImage: 'wolfi',
context: false,
image: true,
fips: true,
Expand Down Expand Up @@ -197,7 +197,7 @@ export const CreateDockerContexts: Task = {
image: false,
});
await runDockerGenerator(config, log, build, {
baseImage: 'ubi',
baseImage: 'wolfi',
context: true,
image: false,
fips: true,
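Review bot: Both tasks now pass `baseImage: 'wolfi'` together with `fips: true`, but the base image actually used for FIPS builds is selected by the `fips` flag inside runDockerGenerator, not by this value; here `'wolfi'` only switches the Wolfi branches of the Dockerfile template on. A short comment on each call, e.g. `// 'wolfi' selects the Wolfi template branches; the FIPS base image itself is chosen by runDockerGenerator when fips is true`, would stop a future reader from assuming this line pins the base. The CreateDockerFIPS and CreateDockerContexts task bodies extend beyond the visible hunks.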
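--- a/src/dev/build/tasks/os_packages/docker_generator/run.ts
+++ b/src/dev/build/tasks/os_packages/docker_generator/run.ts
@@ -53,11 +53,15 @@ export async function runDockerGenerator(
 'docker.elastic.co/wolfi/chainguard-base:latest@sha256:6387bd4c462007eaecaf13a423aea99c8a8452da09244c129703324aa97769c6';
 
 let imageFlavor = '';
-if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud) imageFlavor += `-wolfi`;
+if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud && !flags.fips)
+imageFlavor += `-wolfi`;
 if (flags.ironbank) imageFlavor += '-ironbank';
 if (flags.cloud) imageFlavor += '-cloud';
 if (flags.serverless) imageFlavor += '-serverless';
-if (flags.fips) imageFlavor += '-fips';
+if (flags.fips) {
+imageFlavor += '-fips';
+baseImageName = 'docker.elastic.co/wolfi/chainguard-base-fips:latest';
+}
 
 // General docker var config
 const license = 'Elastic License';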
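Review bot: The FIPS base assigned inside the new `if (flags.fips)` block, `docker.elastic.co/wolfi/chainguard-base-fips:latest`, is a floating tag with no digest, while the non-FIPS Wolfi base a few lines above is pinned with `@sha256:…`. A FIPS image is exactly where the base must be reproducible and attestable — the validated crypto provider is tied to specific package versions — so pin it the same way, `baseImageName = 'docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:<digest>';`, and bump the digest through the same process used for the other base. Dropping the `-wolfi` flavor suffix for FIPS images looks intentional but deserves a one-line comment, e.g. `// FIPS images carry only the -fips suffix; the Wolfi FIPS base replaces baseImageName below`. runDockerGenerator starts and ends outside this hunk.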
Expand Up @@ -12,7 +12,7 @@
FROM {{{baseImageName}}} AS builder

{{#ubi}}
RUN microdnf install -y findutils tar gzip{{#fips}} perl make gcc{{/fips}}
RUN microdnf install -y findutils tar gzip
{{/ubi}}
{{#wolfi}}
RUN apk --no-cache add curl
Expand All @@ -35,29 +35,29 @@ RUN tar \
--strip-components=1 \
-zxf /tmp/kibana.tar.gz

{{#fips}}
# OpenSSL requires specific versions that are FIPS certified.
#
# See:
# https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
# https://www.openssl.org/docs/man3.0/man7/fips_module.html
RUN set -e ; \
OPENSSL_VERSION='3.0.8'; \
OPENSSL_PATH=/usr/share/kibana/openssl ; \
mkdir "${OPENSSL_PATH}"; \
curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
make -j $(nproc) > /dev/null ; \
make install > /dev/null ; \
rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
chown -R 1000:0 "${OPENSSL_PATH}";

{{/fips}}
# {{#fips}}
# # OpenSSL requires specific versions that are FIPS certified.
# #
# # See:
# # https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
# # https://www.openssl.org/docs/man3.0/man7/fips_module.html
# RUN set -e ; \
# OPENSSL_VERSION='3.0.8'; \
# OPENSSL_PATH=/usr/share/kibana/openssl ; \
# mkdir "${OPENSSL_PATH}"; \
# curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
# curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
# echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
# tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
# rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
# cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
# ./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
# make -j $(nproc) > /dev/null ; \
# make install > /dev/null ; \
# rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
# chown -R 1000:0 "${OPENSSL_PATH}";

# {{/fips}}
# Ensure that group permissions are the same as user permissions.
# This will help when relying on GID-0 to run Kibana, rather than UID-1000.
# OpenShift does this, for example.
Expand Down Expand Up @@ -118,7 +118,7 @@ RUN for iter in {1..10}; do \
(exit $exit_code)
{{/ubi}}
{{#wolfi}}
RUN apk --no-cache add bash curl fontconfig font-liberation libstdc++ libnss findutils shadow ca-certificates
RUN apk --no-cache add bash curl fontconfig font-liberation libstdc++ libnss findutils shadow ca-certificates{{#fips}} openssl{{/fips}}
{{/wolfi}}

# Bring in Kibana from the initial stage.
Expand All @@ -137,9 +137,9 @@ WORKDIR /usr/share/kibana

# Enable FIPS for Kibana only. In the future we can override OS wide with ENV OPENSSL_CONF
RUN /bin/echo -e '\n--enable-fips' >> config/node.options
RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
# RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
# COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
# ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
ENV XPACK_SECURITY_FIPSMODE_ENABLED=true

{{/fips}}
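Review bot: `--enable-fips` stays in config/node.options (the line just above the commented-out `--openssl-config` line) while the OpenSSL config, the nodejs.cnf copy and `OPENSSL_MODULES` that previously pointed Node at a FIPS provider are now commented out, so whether Node actually enters FIPS mode now depends on the base-fips image's system OpenSSL configuration being reachable by Kibana's bundled Node binary, which nothing in this template verifies. A build-time assertion after the ENV lines, e.g. `RUN <bundled node> -e "process.exit(require('crypto').getFips() ? 0 : 1)"` with the path of the bundled Node filled in, would fail the image build rather than ship a non-FIPS image labelled FIPS. The 23-line OpenSSL build and the three node.options lines are commented out rather than deleted; the `{{#fips}}`/`{{/fips}}` tags inside `#` lines are presumably still processed by the template engine, so the sections balance, but this is fragile and leaves dead code — remove the block (history keeps it) or add a comment stating why it is retained. The `{{#fips}}` section that contains the node.options edits opens outside the last hunk.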
