[CIVIS-11019] ubuntu 22.04 fips enabled base image for linuxserver #1
Conversation
- Replace multi-stage build with gabemendoza1/cloudcode-baseimage-ubuntu-fips:jammy-22.04 - Remove Ubuntu Cloud Image extraction and Alpine stage - Remove sources.list copy (already configured in base image) - Add s6-overlay installation for LinuxServer.io compatibility - Add LinuxServer.io mod scripts (docker-mods, package-install, lsiown) - Conditionally create abc user (911:911) if not exists - Maintain full LinuxServer.io ecosystem on FIPS foundation 🤖 Generated with [opencode](https://opencode.ai) Co-Authored-By: opencode <noreply@opencode.ai>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
thatguyinabeanie
changed the title
thatguyinabeanie
changed the title
There was a problem hiding this comment.
Some questions - I'm not sure I fully understand the background/history of this PR and this repo, in relation to the linuxserver/docker-baseimage-ubuntu repo.
Also, sorry if I missed it among all the PRs, but could you describe how you view the purpose of each of these image layers now - what each layer provides and when we'll need to update each one?
The final checkbox of the PR description needs to be checked too, assuming everything else is complete.
Dockerfile
Outdated
|
|
||
| FROM alpine:3 as rootfs-stage | ||
| # ECR and base image configuration | ||
| ARG ECR_ACCOUNT_ID=1234567890123 |
There was a problem hiding this comment.
Can you explain why we're using a placeholder value here? I agree with copliot's suggestion (assuming this is not a real value).
What will supply these values for the real build?
🤖 Generated with [opencode](https://opencode.ai) Co-Authored-By: opencode <noreply@opencode.ai>
There was a problem hiding this comment.
Pull Request Overview
This PR migrates the LinuxServer Ubuntu base image to use Civis Analytics' FIPS-enabled Ubuntu 22.04 base image while maintaining compatibility with the existing LinuxServer infrastructure. The changes eliminate LinuxServer-specific build infrastructure and replace it with AWS CodeBuild/ECR-based workflows for FIPS compliance.
Key Changes
- Replace upstream Ubuntu base with Civis FIPS-enabled Ubuntu 22.04 image from ECR
- Remove Jenkins-based CI/CD in favor of AWS CodeBuild workflows
- Update Dockerfile to install S6 overlay directly on the FIPS base instead of building from scratch
Reviewed Changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| Dockerfile | Core changes to use ECR FIPS base image and install S6 overlay directly |
| docker-compose.yml | New composition for building with ECR registry and build args |
| buildspec/*.yaml | AWS CodeBuild specifications for push, release, and merge workflows |
| Jenkinsfile | Removed entire Jenkins-based CI/CD pipeline |
| sources.list* | Removed custom APT sources (using base image sources) |
| .github/workflows/* | Removed LinuxServer GitHub workflows |
| package_versions.txt | Removed package tracking file |
| readme-vars.yml, jenkins-vars.yml | Removed LinuxServer configuration files |
Comments suppressed due to low confidence (1)
buildspec/release.yaml:20
- Missing closing brace '}' for the MINOR_TAG variable expansion. This will cause the docker build command to fail.
--tag ${FIPS_REPOSITORY_URI}:${MINOR_TAG
|
Pull Request Merged!!! This build is running now. |
3 participants
Associated PRs
Description
Required: Please provide a brief description of what this pull request is trying to accomplish.
Context, Consequences, & Considerations
Required: Please step through the following list, pausing at each item to consider your change in relation to the item's context.
Check the box to mark that it applies, and enter your relevant notes under the item.
securitylabel to this PR then request a review from the Security Code Reviewers Team.