Cleanup

examples/byoi/ubuntu-fips/Dockerfile

@@ -32,7 +32,7 @@ RUN --mount=type=secret,id=pro-attach-config \
     && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
     && pro attach --attach-config /run/secrets/pro-attach-config \
     && apt-get upgrade -y \
-    && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-unsigned-5.4.0-1007-fips
+    && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips
 
 
 ## Kairos stuff
@@ -115,13 +115,6 @@ COPY --from=kairos-fips / /
 # Copy the os-release file to identify the OS
 COPY --from=osbuilder /workspace/os-release /etc/os-release
 
-RUN apt-get install -y linux-fips linux-tools-fips
-RUN apt-get remove -y linux-image-fips
-RUN rm -rfv /boot/*
-RUN apt-get install -y linux-image-unsigned-5.4.0-1007-fips
-#RUN apt-get install -y ubuntu-fips || true # will fail
-#RUN sed -i 's/update-grub/#update-grub/g' /var/lib/dpkg/info/ubuntu-fips.postinst
-#RUN apt-get install -y ubuntu-fips
 # Activate Kairos services
 RUN systemctl enable cos-setup-reconcile.timer && \
           systemctl enable cos-setup-fs.service && \

examples/byoi/ubuntu-fips/README.md

@@ -2,4 +2,20 @@
 
 - Edit `pro-attach-config.yaml` with your token
 - run `bash build.sh`
+- start the ISO with qemu `bash run.sh`
+Install the system with a cloud-config file adding `fips=1` to the boot options:
 
+```yaml
+#cloud-config
+
+install:
+  # ...
+  # Set grub options
+  grub_options:
+    # additional Kernel option cmdline to apply
+    extra_cmdline: "fips=1"
+```
+
+Notes:
+- The dracut patch is needed as Ubuntu has an older version of systemd
+- Most of the Dockerfile configuration are: packages being installed by ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages