📖 Add example to build an image from scratch for ubuntu fips #1570
Signed-off-by: mudler <mudler@kairos.io>
@@ -0,0 +1,21 @@ | |||
# Kairos Ubuntu focal fips | |||
|
|||
- Edit `pro-attach-config.yaml` with your token |
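Review bot: `pro-attach-config.yaml` in this README step carries the Ubuntu Pro subscription token, so the instructions should also say how to keep the edited file out of the repository and out of the published image (for example a `.gitignore` entry, and removing the file or detaching the subscription once the build has pulled the FIPS packages); a token left in an image layer is readable by anyone who can pull the image.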
very cool!
omit_dracutmodules+=" iscsi iscsiroot " | ||
add_dracutmodules+=" fips " | ||
# These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-* | ||
install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac " |
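Review bot: the `install_items+=` line hard-codes the `x86_64-linux-gnu` multiarch paths, so the same dracut config on a non-x86_64 build fails outright on the missing files; consider `install_optional_items+=` (as suggested further down in the thread) or deriving the triplet at build time. The comment should also say why the `.hmac` files are listed: they are the integrity checksums the FIPS-mode libraries verify when they load, so a library and its hidden `.hmac` must always be added as a pair.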
great find
lgtm
|
||
## Kairos required packages | ||
## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts | ||
RUN apt-get install -y --no-install-recommends \ |
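Review bot: the `## See:` pointer references the `master` branch of kairos-io/kairos, so the package list this `RUN apt-get install` mirrors will drift silently as that Dockerfile changes; pin the link to a tag or commit and state which Kairos version it tracks. It is also worth a comment explaining why this block comes after the FIPS steps (the thread explains it is so the FIPS variants win over any same-named package), since the ordering otherwise looks accidental.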
shouldn't this be before the fips stuff?
I don't think it really matters. I moved it down just in case some of these packages were in the repos, so as to give them a chance to get replaced with the fips ones.
omit_dracutmodules+=" iscsi iscsiroot " | ||
add_dracutmodules+=" fips " | ||
# These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-* | ||
install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac " |
As far as I can see only the hidden hmac for libssl and libcrypto are needed, in case we want to minimize the number of files added here. It's still good to have the full list though.
Also we could move this to immucore directly; there is an `install_optional_items` that only copies those files if they exist, so we could have out-of-the-box fips support in dracut via the immucore config, and grow the list if needed with other files for other distros.
Let's do that; however, we have to be smart there and scan for the files. Let's keep the example for now; we will work later to make it smaller and easier to digest.
Co-authored-by: Mauro Morales <mauro.morales@spectrocloud.com>
Signed-off-by: Ettore Di Giacinto <mudler@users.noreply.github.com>
Just re-tested it manually, works. Merging it and we can fix/clean up in later iterations.
What this PR does / why we need it:
It adds a full e2e example to build a custom Ubuntu FIPS-enabled image (a license subscription is needed).