From b5b2a9e5609c337da9570c5f38176ec7755c04ec Mon Sep 17 00:00:00 2001
From: mudler
Date: Fri, 30 Jun 2023 11:49:43 +0200
Subject: [PATCH 1/5] :book: Add byoi focal-fips example
Signed-off-by: mudler
---
examples/byoi/ubuntu-fips/Dockerfile | 148 ++++++++++++++++++
examples/byoi/ubuntu-fips/README.md | 21 +++
examples/byoi/ubuntu-fips/build.sh | 2 +
.../dracut-broken-iscsi-ubuntu-20.patch | 28 ++++
examples/byoi/ubuntu-fips/dracut.conf | 4 +
.../byoi/ubuntu-fips/pro-attach-config.yaml | 3 +
examples/byoi/ubuntu-fips/run.sh | 3 +
7 files changed, 209 insertions(+)
create mode 100644 examples/byoi/ubuntu-fips/Dockerfile
create mode 100644 examples/byoi/ubuntu-fips/README.md
create mode 100644 examples/byoi/ubuntu-fips/build.sh
create mode 100644 examples/byoi/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch
create mode 100644 examples/byoi/ubuntu-fips/dracut.conf
create mode 100644 examples/byoi/ubuntu-fips/pro-attach-config.yaml
create mode 100644 examples/byoi/ubuntu-fips/run.sh
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
new file mode 100644
index 000000000..bdffe9b6b
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -0,0 +1,148 @@
+
+# Kairos framework packages for ubuntu fips
+FROM quay.io/kairos/framework:master_ubuntu-20-lts-fips as kairos-fips
+
+# Base ubuntu image (focal)
+FROM ubuntu:focal as base
+
+# Generate os-release file
+FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+RUN zypper install -y gettext
+RUN mkdir /workspace
+COPY --from=base /etc/os-release /workspace/os-release
+# You should change the following values according to your own versioning and other details
+RUN OS_NAME=kairos-core-ubuntu-fips \
+ OS_VERSION=v9.9.9 \
+ OS_ID="kairos" \
+ OS_NAME=kairos-ubuntu-fips \
+ BUG_REPORT_URL="https://github.com/YOUR_ORG/YOUR_PROJECT/issues" \
+ HOME_URL="https://github.com/YOUR_ORG/YOUR_PROJECT" \
+ OS_REPO="quay.io/YOUR_ORG/ubuntu-fips" \
+ OS_LABEL="latest" \
+ GITHUB_REPO="YOUR_ORG/YOUR_PROJECT" \
+ VARIANT="fips" \
+ FLAVOR="ubuntu" \
+ /update-os-release.sh
+
+# Build the custom ubuntu image
+FROM base
+
+# Don't get asked while running apt commands
+ENV DEBIAN_FRONTEND=noninteractive
+
+## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
+## I've just added "linux-image-fips" in the package list
+RUN --mount=type=secret,id=pro-attach-config \
+ apt-get update \
+ && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
+ && pro attach --attach-config /run/secrets/pro-attach-config \
+ && apt-get upgrade -y \
+ && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips
+
+
+## Kairos setup
+## From documentation: https://kairos.io/docs/reference/build-from-scratch/
+RUN mkdir -p /run/lock
+RUN mkdir -p /usr/libexec
+RUN touch /usr/libexec/.keep
+
+## Kairos required packages
+## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts
+RUN apt-get install -y --no-install-recommends \
+ conntrack \
+ console-data \
+ coreutils \
+ cryptsetup \
+ curl \
+ debianutils \
+ dmsetup \
+ dosfstools \
+ dracut \
+ dracut-network \
+ e2fsprogs \
+ efibootmgr \
+ file \
+ fuse \
+ gawk \
+ gdisk \
+ grub2 \
+ grub2-common \
+ grub-efi-amd64-bin \
+ grub-efi-amd64-signed \
+ grub-pc-bin \
+ haveged \
+ iproute2 \
+ iptables \
+ isc-dhcp-common \
+ jq \
+ kbd \
+ krb5-locales \
+ lldpd \
+ lvm2 \
+ mdadm \
+ nano \
+ nbd-client \
+ ncurses-term \
+ neovim \
+ networkd-dispatcher \
+ nfs-common \
+ open-iscsi \
+ openssh-server \
+ open-vm-tools \
+ os-prober \
+ packagekit-tools \
+ parted \
+ patch \
+ policykit-1 \
+ publicsuffix \
+ qemu-guest-agent \
+ rsync \
+ shared-mime-info \
+ snapd \
+ snmpd \
+ squashfs-tools \
+ sudo \
+ systemd \
+ systemd-timesyncd \
+ thermald \
+ ubuntu-advantage-tools \
+ xdg-user-dirs \
+ xxd \
+ xz-utils \
+ zerofree \
+ zfsutils-linux \
+ zstd \
+ && apt-get remove -y unattended-upgrades && apt-get clean
+
+# Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list
+COPY --from=kairos-fips / /
+# Copy the os-release file to identify the OS
+COPY --from=osbuilder /workspace/os-release /etc/os-release
+
+# Activate Kairos services
+RUN systemctl enable cos-setup-reconcile.timer && \
+ systemctl enable cos-setup-fs.service && \
+ systemctl enable cos-setup-boot.service && \
+ systemctl enable cos-setup-network.service
+
+## Configuration
+## Took from: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts
+# workaround https://github.com/kairos-io/kairos/issues/949
+COPY dracut-broken-iscsi-ubuntu-20.patch /
+RUN cd /usr/lib/dracut/modules.d/95iscsi && patch < /dracut-broken-iscsi-ubuntu-20.patch && rm -rf /dracut-broken-iscsi-ubuntu-20.patch
+
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+
+## Generate initrd
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+ ln -sf "${kernel#/boot/}" /boot/vmlinuz
+RUN kernel=$(ls /lib/modules | head -n1) && \
+ dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
+ ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+# Fixup sudo perms
+RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
+
+# Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname
diff --git a/examples/byoi/ubuntu-fips/README.md b/examples/byoi/ubuntu-fips/README.md
new file mode 100644
index 000000000..b43f8b06f
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/README.md
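Review bot: All three base images are pulled by moving tag (`quay.io/kairos/framework:master_ubuntu-20-lts-fips`, `ubuntu:focal`, `quay.io/kairos/osbuilder-tools:latest`), so which FIPS packages and kernel end up in the image depends on the build date and cannot be reproduced or audited afterwards; for an image whose whole purpose is FIPS compliance each `FROM` should be pinned by digest, e.g. `FROM ubuntu:focal@sha256:<digest-placeholder> as base`. The os-release step assigns `OS_NAME` twice (`kairos-core-ubuntu-fips`, then `kairos-ubuntu-fips`), so only the second value reaches `/update-os-release.sh`; one of the two lines should go. Reading the Pro token through the BuildKit secret mount (`/run/secrets/pro-attach-config`) rather than a build arg is the right pattern and keeps it out of every layer and out of `docker history`. The `ls /boot/vmlinuz-* | head -n1` pipelines run under the default `/bin/sh` with no `pipefail`, so a missing kernel would not fail the build until `ln`/`dracut` runs on an empty string; a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before them makes that failure explicit.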
@@ -0,0 +1,21 @@
+# Kairos Ubuntu focal fips
+
+- Edit `pro-attach-config.yaml` with your token
+- run `bash build.sh`
+- start the ISO with qemu `bash run.sh`
+Install the system with a cloud-config file adding `fips=1` to the boot options:
+
+```yaml
+#cloud-config
+
+install:
+ # ...
+ # Set grub options
+ grub_options:
+ # additional Kernel option cmdline to apply
+ extra_cmdline: "fips=1"
+```
+
+Notes:
+- The dracut patch is needed as Ubuntu has an older version of systemd
+- Most of the Dockerfile configuration are: packages being installed by ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages
diff --git a/examples/byoi/ubuntu-fips/build.sh b/examples/byoi/ubuntu-fips/build.sh
new file mode 100644
index 000000000..47051fd1b
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/build.sh
@@ -0,0 +1,2 @@
+DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips
+docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm -ti quay.io/kairos/auroraboot --set container_image=docker://ubuntu-focal-fips --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"
diff --git a/examples/byoi/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch b/examples/byoi/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch
new file mode 100644
index 000000000..7fba71378
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch
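Review bot: The second line of build.sh bind-mounts `/var/run/docker.sock` into `quay.io/kairos/auroraboot` pulled without any tag, which hands whatever that untagged reference resolves to on the day full control of the host Docker daemon; pin it to a tag or digest, e.g. `quay.io/kairos/auroraboot:<version-placeholder>`. The script also has no shebang and no `set -e`, so a failed `docker build` still proceeds to run `auroraboot` against whatever stale `ubuntu-focal-fips` image is present; add `#!/bin/bash` and `set -euo pipefail` at the top. Because `docker build .` ships the whole directory as build context, a `.dockerignore` listing `pro-attach-config.yaml` keeps the token file out of the context entirely (`--secret src=` reads it from the host path, not the context), which removes the risk of a future `COPY . .` baking it into a layer.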
@@ -0,0 +1,28 @@
+diff --git a/module-setup.sh b/module-setup.sh
+index 59ea5e089..fe40547d1 100755
+--- a/module-setup.sh
++++ b/module-setup.sh
+@@ -265,6 +265,23 @@ install() {
+ echo "After=dracut-cmdline.service"
+ echo "Before=dracut-initqueue.service"
+ ) > "${initdir}/$systemdsystemunitdir/iscsid.service.d/dracut.conf"
++
++ # The iscsi deamon does not need to wait for any storage inside initrd
++ mkdir -p "${initdir}/$systemdsystemunitdir/iscsid.socket.d"
++ (
++ echo "[Unit]"
++ echo "DefaultDependencies=no"
++ echo "Conflicts=shutdown.target"
++ echo "Before=shutdown.target sockets.target"
++ ) > "${initdir}/$systemdsystemunitdir/iscsid.socket.d/dracut.conf"
++ mkdir -p "${initdir}/$systemdsystemunitdir/iscsuio.socket.d"
++ (
++ echo "[Unit]"
++ echo "DefaultDependencies=no"
++ echo "Conflicts=shutdown.target"
++ echo "Before=shutdown.target sockets.target"
++ ) > "${initdir}/$systemdsystemunitdir/iscsuio.socket.d/dracut.conf"
++
+ fi
+ inst_dir /var/lib/iscsi
+ dracut_need_initqueue
\ No newline at end of file
diff --git a/examples/byoi/ubuntu-fips/dracut.conf b/examples/byoi/ubuntu-fips/dracut.conf
new file mode 100644
index 000000000..f0826a5e4
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/dracut.conf
@@ -0,0 +1,4 @@
+omit_dracutmodules+=" iscsi iscsiroot "
+add_dracutmodules+=" fips "
+# These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-*
+install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac "
diff --git a/examples/byoi/ubuntu-fips/pro-attach-config.yaml b/examples/byoi/ubuntu-fips/pro-attach-config.yaml
new file mode 100644
index 000000000..0acb5bf50
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/pro-attach-config.yaml
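Review bot: `omit_dracutmodules+=" iscsi iscsiroot "` in dracut.conf drops the iscsi module from the generated initrd, while the Dockerfile patches `/usr/lib/dracut/modules.d/95iscsi` just before running dracut; if the omission is intended, the patch (and the README note explaining it) appears to have no effect on the initrd built here, so it is worth confirming which of the two is actually wanted and removing the other. The `install_items+=` line hard-codes `/usr/lib/x86_64-linux-gnu/` paths, so on any other architecture dracut would silently produce an initrd missing the libraries the comment says are required to boot; a comment such as `# x86_64 only: the library paths below are architecture-specific` would make that limitation explicit to anyone adapting the example.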
@@ -0,0 +1,3 @@
+token: YOUR_TOKEN_HERE
+enable_services:
+ - fips
diff --git a/examples/byoi/ubuntu-fips/run.sh b/examples/byoi/ubuntu-fips/run.sh
new file mode 100644
index 000000000..cc5152470
--- /dev/null
+++ b/examples/byoi/ubuntu-fips/run.sh
@@ -0,0 +1,3 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso
From 9f29a3d8343decf289dbdf194f91a770ca897c30 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Mon, 3 Jul 2023 13:35:40 +0200
Subject: [PATCH 2/5] Update examples/byoi/ubuntu-fips/README.md
Co-authored-by: Mauro Morales
Signed-off-by: Ettore Di Giacinto
---
examples/byoi/ubuntu-fips/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/byoi/ubuntu-fips/README.md b/examples/byoi/ubuntu-fips/README.md
index b43f8b06f..2d1e194e2 100644
--- a/examples/byoi/ubuntu-fips/README.md
+++ b/examples/byoi/ubuntu-fips/README.md
@@ -18,4 +18,4 @@ install:
 Notes:
 - The dracut patch is needed as Ubuntu has an older version of systemd
-- Most of the Dockerfile configuration are: packages being installed by ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages
+- Most of the Dockerfile configuration are: packages being installed by Ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages
From 85837b42dbc920d2c8fe0920788d1193bd2cf7e7 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Mon, 3 Jul 2023 13:44:09 +0200
Subject: [PATCH 3/5] Update examples/byoi/ubuntu-fips/Dockerfile
Co-authored-by: Itxaka
Signed-off-by: Ettore Di Giacinto
---
examples/byoi/ubuntu-fips/Dockerfile | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
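Review bot: `token: YOUR_TOKEN_HERE` is a placeholder in a tracked file that the README tells users to overwrite with their real Ubuntu Pro token, so a routine `git add .` after following the instructions commits the credential to the repository; ship this file as a template instead (for example `pro-attach-config.yaml.example`), add the real filename to `.gitignore`, and have the README say to copy rather than edit in place. The Dockerfile only ever reads the file through the BuildKit secret mount, so it never reaches an image layer; the exposure to guard against is the git history, not the image.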
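Review bot: `qemu-img create -f qcow2 disk.img 40g` on the first line of run.sh runs unconditionally, so re-running the script to boot the system installed on a previous run recreates `disk.img` and silently discards that installation; guard it with `[ -f disk.img ] || qemu-img create -f qcow2 disk.img 40g`. The script also has no shebang and no `set -e`, and `-m 8096` looks like a typo for `8192` (harmless, but presumably not what was meant).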
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index bdffe9b6b..1bdb74968 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -132,7 +132,15 @@ COPY dracut-broken-iscsi-ubuntu-20.patch /
 RUN cd /usr/lib/dracut/modules.d/95iscsi && patch < /dracut-broken-iscsi-ubuntu-20.patch && rm -rf /dracut-broken-iscsi-ubuntu-20.patch
 COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
-
+# CLEANUP
+# Installing dracut and fips creates this default packages and symlinks and we dont want that
+# We want to fully rebuild and link our initrd
+RUN rm -Rf /boot/vmlinuz.old # symlink
+RUN rm -Rf /boot/vmlinuz.img.old # symlink
+RUN rm -Rf /boot/vmlinuz.img # symlink
+RUN rm -Rf /boot/initrd.img.old # symlink to wrong initrd (no immucore, no kairos-agent)
+RUN rm -Rf /boot/initrd.img # symlink to wrong initrd (no immucore, no kairos-agent)
+RUN rm -Rf /boot/initrd.img-* # wrong initrd (no immucore, no kairos-agent)
 ## Generate initrd
 RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
 ln -sf "${kernel#/boot/}" /boot/vmlinuz
From 6980ca4fd4e733360a23058a3208b0ffe13edce4 Mon Sep 17 00:00:00 2001
From: mudler
Date: Mon, 3 Jul 2023 13:45:14 +0200
Subject: [PATCH 4/5] Cleanup
Signed-off-by: mudler
---
examples/byoi/ubuntu-fips/Dockerfile | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index 1bdb74968..46ee06232 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
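Review bot: The six new `RUN rm -Rf /boot/...` lines each add a layer that only deletes files written by earlier layers, and a deletion in a later layer does not remove `/boot/initrd.img-*` from the image, it only hides it, so the "wrong initrd" the comments describe still ships (and still counts toward image size); the cleanup belongs in the `RUN` that produces those files, or at least in one instruction, `RUN rm -rf /boot/vmlinuz.old /boot/vmlinuz.img.old /boot/vmlinuz.img /boot/initrd.img.old /boot/initrd.img /boot/initrd.img-*`, with the per-file explanations kept as comments above it. As a point of style the rest of the file spells the flag `-rf`; `-Rf` works but reads as a different intent. The `FROM base` stage these lines belong to starts outside the hunk.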
@@ -37,7 +37,10 @@ RUN --mount=type=secret,id=pro-attach-config \
 && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
 && pro attach --attach-config /run/secrets/pro-attach-config \
 && apt-get upgrade -y \
- && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips
+ && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
+ && pro detach --assume-yes \
+ && apt-get purge --auto-remove -y ubuntu-advantage-tools \
+ && rm -rf /var/lib/apt/lists/*
 ## Kairos setup
From f0bacc389f76737d1cef0ef52f42053f63e60612 Mon Sep 17 00:00:00 2001
From: mudler
Date: Mon, 3 Jul 2023 13:51:04 +0200
Subject: [PATCH 5/5] Fixups
Signed-off-by: mudler
---
examples/byoi/ubuntu-fips/Dockerfile | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/byoi/ubuntu-fips/Dockerfile b/examples/byoi/ubuntu-fips/Dockerfile
index 46ee06232..57c45673c 100644
--- a/examples/byoi/ubuntu-fips/Dockerfile
+++ b/examples/byoi/ubuntu-fips/Dockerfile
@@ -7,7 +7,7 @@ FROM ubuntu:focal as base
 # Generate os-release file
 FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
-RUN zypper install -y gettext
+RUN zypper install -y gettext && zypper clean
 RUN mkdir /workspace
 COPY --from=base /etc/os-release /workspace/os-release
 # You should change the following values according to your own versioning and other details
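Review bot: The added `rm -rf /var/lib/apt/lists/*` sits in the only layer that runs `apt-get update`, so the later `RUN apt-get install -y --no-install-recommends conntrack ...` step (outside this hunk, with no `update` of its own) finds no package lists and fails; the following "Fixups" commit appears to move it, but this commit on its own leaves the build broken, which matters for bisecting. The added `apt-get purge --auto-remove -y ubuntu-advantage-tools` likewise removes a package that the later Kairos package list installs again, so the purge is undone one layer later. Running `pro detach --assume-yes` inside the same `RUN` as `pro attach` is the right move, since whatever attachment state `pro attach` writes would otherwise be baked into the layer. The `RUN` that contains this hunk starts outside it.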
@@ -38,9 +38,7 @@ RUN --mount=type=secret,id=pro-attach-config \
 && pro attach --attach-config /run/secrets/pro-attach-config \
 && apt-get upgrade -y \
 && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
- && pro detach --assume-yes \
- && apt-get purge --auto-remove -y ubuntu-advantage-tools \
- && rm -rf /var/lib/apt/lists/*
+ && pro detach --assume-yes
 ## Kairos setup
@@ -115,7 +113,9 @@ RUN apt-get install -y --no-install-recommends \
 zerofree \
 zfsutils-linux \
 zstd \
- && apt-get remove -y unattended-upgrades && apt-get clean
+ && apt-get remove -y unattended-upgrades && apt-get clean \
+ && apt-get purge --auto-remove -y ubuntu-advantage-tools \
+ && rm -rf /var/lib/apt/lists/*
 # Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list
 COPY --from=kairos-fips / /
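Review bot: In the second hunk the new `apt-get purge --auto-remove -y ubuntu-advantage-tools` removes a package that the same `RUN`'s install list, earlier in the file, explicitly names (`ubuntu-advantage-tools` between `thermald` and `xdg-user-dirs`), so the layer installs it and immediately purges it; either drop it from the list, or keep it and drop the purge, depending on whether `pro` is meant to be available on the running system. With the lists removal moved here from the FIPS step (first hunk), the FIPS layer now leaves `/var/lib/apt/lists/*` in place for the second install, so that part is consistent; a short comment on the purge line, `# pro is only needed at build time to enable the FIPS repository`, would record why it is removed if that is the intent. Both `RUN` instructions start outside their hunks.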