📖 Add example to build an image from scratch for ubuntu fips #1570
Conversation
mudler
force-pushed
the
focal-fips-example
branch
from
1fec227
to
e5187ba
Compare
Signed-off-by: mudler <mudler@kairos.io>
mudler
force-pushed
the
focal-fips-example
branch
from
e5187ba
to
b5b2a9e
Compare
| @@ -0,0 +1,21 @@ | |||
| # Kairos Ubuntu focal fips | |||
|
|
|||
| - Edit `pro-attach-config.yaml` with your token | |||
| omit_dracutmodules+=" iscsi iscsiroot " | ||
| add_dracutmodules+=" fips " | ||
| # These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-* | ||
| install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac " |
|
|
||
| ## Kairos required packages | ||
| ## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts | ||
| RUN apt-get install -y --no-install-recommends \ |
There was a problem hiding this comment.
shouldnt this be before the fips stuff?
There was a problem hiding this comment.
I don't think it really matters, I moved it down just_in_case in the repos there were some of these packages, and so to give a chance to get replaced with fips-ones.
| omit_dracutmodules+=" iscsi iscsiroot " | ||
| add_dracutmodules+=" fips " | ||
| # These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-* | ||
| install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac " |
There was a problem hiding this comment.
as far as I can see only the hidden hmac for libssl and libcrypto are needed, in case we want to minimize the number of files added here. Its still good to have the full list thought.
Also we could move this to immucore directly, there is a install_optional_items that only copies those files if they exist so we could have out of the box fips support in dracut via the immucore config. And grow the list if needed with other files for other distros
There was a problem hiding this comment.
let's do that, however we have to be smart there and scan for the files. let's keep the example for now, we will work later to make it smaller and easier to digest
Co-authored-by: Mauro Morales <mauro.morales@spectrocloud.com> Signed-off-by: Ettore Di Giacinto <mudler@users.noreply.github.com>
|
just re-tested it manually, works. merging it and we can fix/cleanup on later iterations |
What this PR does / why we need it:
It adds a full e2e example to build a custom ubuntu fips-enabled image (license subscription is needed)