diff --git a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
index a9a2fa7b2ff0c..7572448f97664 100644
--- a/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
+++ b/src/dev/build/tasks/os_packages/create_os_package_tasks.ts
@@ -155,7 +155,7 @@ export const CreateDockerFIPS: Task = {
 async run(config, log, build) {
 await runDockerGenerator(config, log, build, {
 architecture: 'x64',
- baseImage: 'ubi',
+ baseImage: 'wolfi',
 context: false,
 image: true,
 fips: true,
@@ -197,7 +197,7 @@ export const CreateDockerContexts: Task = {
 image: false,
 });
 await runDockerGenerator(config, log, build, {
- baseImage: 'ubi',
+ baseImage: 'wolfi',
 context: true,
 image: false,
 fips: true,
diff --git a/src/dev/build/tasks/os_packages/docker_generator/run.ts b/src/dev/build/tasks/os_packages/docker_generator/run.ts
index 295c2da404e96..075ff6a0b6716 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/run.ts
+++ b/src/dev/build/tasks/os_packages/docker_generator/run.ts
@@ -53,11 +53,15 @@ export async function runDockerGenerator(
 'docker.elastic.co/wolfi/chainguard-base:latest@sha256:6387bd4c462007eaecaf13a423aea99c8a8452da09244c129703324aa97769c6';
 let imageFlavor = '';
- if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud) imageFlavor += `-wolfi`;
+ if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud && !flags.fips)
+ imageFlavor += `-wolfi`;
 if (flags.ironbank) imageFlavor += '-ironbank';
 if (flags.cloud) imageFlavor += '-cloud';
 if (flags.serverless) imageFlavor += '-serverless';
- if (flags.fips) imageFlavor += '-fips';
+ if (flags.fips) {
+ imageFlavor += '-fips';
+ baseImageName = 'docker.elastic.co/wolfi/chainguard-base-fips:latest';
+ }
 // General docker var config
 const license = 'Elastic License';
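Review bot: The added `baseImageName = 'docker.elastic.co/wolfi/chainguard-base-fips:latest';` pins the FIPS base image by mutable tag only, while the non-FIPS wolfi base assigned two lines above carries a sha256 digest; a FIPS build is exactly where an unnoticed base-image drift is hardest to justify, so pin it the same way, e.g. `baseImageName = 'docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:<DIGEST-PLACEHOLDER>';`. The override also fires on `flags.fips` alone, regardless of `flags.baseImage`, so a FIPS task that still passed `baseImage: 'ubi'` would get a wolfi base while the Dockerfile's `{{#ubi}}` sections presumably still render from `flags.baseImage`; a guard such as `if (flags.fips && flags.baseImage !== 'wolfi') throw new Error('FIPS images are only built on the wolfi base');` would make that mismatch fail in the build rather than produce an image whose package steps do not match its base. A one-line comment above the `if (flags.fips) {` block stating why the FIPS variant must use chainguard-base-fips would spare the next reader the archaeology. runDockerGenerator continues outside the hunk.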
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
index d8199c5911ca3..041bb7187e566 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
@@ -12,7 +12,7 @@ FROM {{{baseImageName}}} AS builder
 {{#ubi}}
-RUN microdnf install -y findutils tar gzip{{#fips}} perl make gcc{{/fips}}
+RUN microdnf install -y findutils tar gzip
 {{/ubi}}
 {{#wolfi}}
 RUN apk --no-cache add curl
@@ -35,29 +35,29 @@ RUN tar \
 --strip-components=1 \
 -zxf /tmp/kibana.tar.gz
-{{#fips}}
-# OpenSSL requires specific versions that are FIPS certified.
-#
-# See:
-# https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
-# https://www.openssl.org/docs/man3.0/man7/fips_module.html
-RUN set -e ; \
- OPENSSL_VERSION='3.0.8'; \
- OPENSSL_PATH=/usr/share/kibana/openssl ; \
- mkdir "${OPENSSL_PATH}"; \
- curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
- curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
- echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
- tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
- rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
- cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
- ./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
- make -j $(nproc) > /dev/null ; \
- make install > /dev/null ; \
- rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
- chown -R 1000:0 "${OPENSSL_PATH}";
-
-{{/fips}}
+# {{#fips}}
+# # OpenSSL requires specific versions that are FIPS certified.
+# #
+# # See:
+# # https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
+# # https://www.openssl.org/docs/man3.0/man7/fips_module.html
+# RUN set -e ; \
+# OPENSSL_VERSION='3.0.8'; \
+# OPENSSL_PATH=/usr/share/kibana/openssl ; \
+# mkdir "${OPENSSL_PATH}"; \
+# curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
+# curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
+# echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
+# tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
+# rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
+# cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
+# ./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
+# make -j $(nproc) > /dev/null ; \
+# make install > /dev/null ; \
+# rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
+# chown -R 1000:0 "${OPENSSL_PATH}";
+
+# {{/fips}}
 # Ensure that group permissions are the same as user permissions.
 # This will help when relying on GID-0 to run Kibana, rather than UID-1000.
 # OpenShift does this, for example.
@@ -118,7 +118,7 @@ RUN for iter in {1..10}; do \
 (exit $exit_code)
 {{/ubi}}
 {{#wolfi}}
-RUN apk --no-cache add bash curl fontconfig font-liberation libstdc++ libnss findutils shadow ca-certificates
+RUN apk --no-cache add bash curl fontconfig font-liberation libstdc++ libnss findutils shadow ca-certificates{{#fips}} openssl{{/fips}}
 {{/wolfi}}
 # Bring in Kibana from the initial stage.
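Review bot: The OpenSSL build block is commented out rather than deleted, leaving the whole `# RUN set -e ; \` … `# chown -R 1000:0 "${OPENSSL_PATH}";` sequence as dead text in the template, and the `@@ -137,9` hunk does the same with the `--openssl-config`, `COPY openssl/nodejs.cnf` and `ENV OPENSSL_MODULES` lines. Git history already keeps the old approach, so remove the block; if it is being kept on purpose while the base-image switch settles, replace it with a short comment such as `# FIPS builds no longer compile OpenSSL here; the FIPS provider comes from the chainguard-base-fips base image` so the intent is explicit. Note that Mustache has no notion of Dockerfile comments, so the `# {{#fips}}` / `# {{/fips}}` section tags are still parsed and the section remains live even though every line inside it now looks disabled. The `RUN tar \` instruction this hunk starts in opens before the hunk.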
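Review bot: The added `{{#fips}} openssl{{/fips}}` only installs the wolfi `openssl` package into the final stage; nothing in the build confirms that a FIPS provider is actually loadable, so a base-image or package change that quietly loses FIPS would presumably surface only when Node starts with `--enable-fips`. A build-time check directly after this RUN, inside the same `{{#fips}}` section, e.g. `RUN openssl list -providers | grep -q fips`, would make the image build fail instead. Whether the apk `openssl` package is the same build as the provider shipped in chainguard-base-fips is not visible in this diff and is worth confirming in the PR description.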
@@ -137,9 +137,9 @@ WORKDIR /usr/share/kibana
 # Enable FIPS for Kibana only. In the future we can override OS wide with ENV OPENSSL_CONF
 RUN /bin/echo -e '\n--enable-fips' >> config/node.options
-RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
-COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
-ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
+# RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
+# COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
+# ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
 ENV XPACK_SECURITY_FIPSMODE_ENABLED=true
 {{/fips}}
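Review bot: With `--openssl-config` and `ENV OPENSSL_MODULES` disabled, the surviving `--enable-fips` in `config/node.options` relies on Node locating a FIPS provider through its compiled-in default OpenSSL config and module directory; if the Node binary in this image statically links its own OpenSSL, as upstream Node builds do, the provider supplied by chainguard-base-fips or the apk `openssl` package may not be the one Node loads, and this diff does not show which linkage Kibana's Node uses, so that deserves a sentence in the PR description. The context comment `# Enable FIPS for Kibana only. In the future we can override OS wide with ENV OPENSSL_CONF` now describes a setup that no longer ships its own config; update it to state where the provider comes from, e.g. `# FIPS provider and OpenSSL config are supplied by the chainguard-base-fips base image; Node enables FIPS via --enable-fips in node.options`. The `{{#fips}}` section these lines belong to opens before the hunk.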