📖 Add example to build an image from scratch for ubuntu fips #1570
@@ -0,0 +1,159 @@ | ||
|
||
# Kairos framework packages for ubuntu fips | ||
FROM quay.io/kairos/framework:master_ubuntu-20-lts-fips as kairos-fips | ||
|
||
# Base ubuntu image (focal) | ||
FROM ubuntu:focal as base | ||
|
||
# Generate os-release file | ||
FROM quay.io/kairos/osbuilder-tools:latest as osbuilder | ||
RUN zypper install -y gettext && zypper clean | ||
RUN mkdir /workspace | ||
COPY --from=base /etc/os-release /workspace/os-release | ||
# You should change the following values according to your own versioning and other details | ||
RUN OS_NAME=kairos-core-ubuntu-fips \ | ||
OS_VERSION=v9.9.9 \ | ||
OS_ID="kairos" \ | ||
OS_NAME=kairos-ubuntu-fips \ | ||
BUG_REPORT_URL="https://github.com/YOUR_ORG/YOUR_PROJECT/issues" \ | ||
HOME_URL="https://github.com/YOUR_ORG/YOUR_PROJECT" \ | ||
OS_REPO="quay.io/YOUR_ORG/ubuntu-fips" \ | ||
OS_LABEL="latest" \ | ||
GITHUB_REPO="YOUR_ORG/YOUR_PROJECT" \ | ||
VARIANT="fips" \ | ||
FLAVOR="ubuntu" \ | ||
/update-os-release.sh | ||
|
||
# Build the custom ubuntu image | ||
FROM base | ||
|
||
# Don't get asked while running apt commands | ||
ENV DEBIAN_FRONTEND=noninteractive | ||
|
||
## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html | ||
## I've just added "linux-image-fips" in the package list | ||
RUN --mount=type=secret,id=pro-attach-config \ | ||
apt-get update \ | ||
&& apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \ | ||
&& pro attach --attach-config /run/secrets/pro-attach-config \ | ||
&& apt-get upgrade -y \ | ||
&& apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \ | ||
&& pro detach --assume-yes | ||
|
||
|
||
## Kairos setup | ||
## From documentation: https://kairos.io/docs/reference/build-from-scratch/ | ||
RUN mkdir -p /run/lock | ||
RUN mkdir -p /usr/libexec | ||
RUN touch /usr/libexec/.keep | ||
|
||
## Kairos required packages | ||
## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts | ||
RUN apt-get install -y --no-install-recommends \ | ||
conntrack \ | ||
console-data \ | ||
coreutils \ | ||
cryptsetup \ | ||
curl \ | ||
debianutils \ | ||
dmsetup \ | ||
dosfstools \ | ||
dracut \ | ||
dracut-network \ | ||
e2fsprogs \ | ||
efibootmgr \ | ||
file \ | ||
fuse \ | ||
gawk \ | ||
gdisk \ | ||
grub2 \ | ||
grub2-common \ | ||
grub-efi-amd64-bin \ | ||
grub-efi-amd64-signed \ | ||
grub-pc-bin \ | ||
haveged \ | ||
iproute2 \ | ||
iptables \ | ||
isc-dhcp-common \ | ||
jq \ | ||
kbd \ | ||
krb5-locales \ | ||
lldpd \ | ||
lvm2 \ | ||
mdadm \ | ||
nano \ | ||
nbd-client \ | ||
ncurses-term \ | ||
neovim \ | ||
networkd-dispatcher \ | ||
nfs-common \ | ||
open-iscsi \ | ||
openssh-server \ | ||
open-vm-tools \ | ||
os-prober \ | ||
packagekit-tools \ | ||
parted \ | ||
patch \ | ||
policykit-1 \ | ||
publicsuffix \ | ||
qemu-guest-agent \ | ||
rsync \ | ||
shared-mime-info \ | ||
snapd \ | ||
snmpd \ | ||
squashfs-tools \ | ||
sudo \ | ||
systemd \ | ||
systemd-timesyncd \ | ||
thermald \ | ||
ubuntu-advantage-tools \ | ||
xdg-user-dirs \ | ||
xxd \ | ||
xz-utils \ | ||
zerofree \ | ||
zfsutils-linux \ | ||
zstd \ | ||
&& apt-get remove -y unattended-upgrades && apt-get clean \ | ||
&& apt-get purge --auto-remove -y ubuntu-advantage-tools \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
# Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list | ||
COPY --from=kairos-fips / / | ||
# Copy the os-release file to identify the OS | ||
COPY --from=osbuilder /workspace/os-release /etc/os-release | ||
|
||
# Activate Kairos services | ||
RUN systemctl enable cos-setup-reconcile.timer && \ | ||
systemctl enable cos-setup-fs.service && \ | ||
systemctl enable cos-setup-boot.service && \ | ||
systemctl enable cos-setup-network.service | ||
|
||
## Configuration | ||
## Took from: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts | ||
# workaround https://github.com/kairos-io/kairos/issues/949 | ||
COPY dracut-broken-iscsi-ubuntu-20.patch / | ||
RUN cd /usr/lib/dracut/modules.d/95iscsi && patch < /dracut-broken-iscsi-ubuntu-20.patch && rm -rf /dracut-broken-iscsi-ubuntu-20.patch | ||
|
||
COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf | ||
# CLEANUP | ||
# Installing dracut and fips creates this default packages and symlinks and we dont want that | ||
# We want to fully rebuild and link our initrd | ||
RUN rm -Rf /boot/vmlinuz.old # symlink | ||
RUN rm -Rf /boot/vmlinuz.img.old # symlink | ||
RUN rm -Rf /boot/vmlinuz.img # symlink | ||
RUN rm -Rf /boot/initrd.img.old # symlink to wrong initrd (no immucore, no kairos-agent) | ||
RUN rm -Rf /boot/initrd.img # symlink to wrong initrd (no immucore, no kairos-agent) | ||
RUN rm -Rf /boot/initrd.img-* # wrong initrd (no immucore, no kairos-agent) | ||
## Generate initrd | ||
RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \ | ||
ln -sf "${kernel#/boot/}" /boot/vmlinuz | ||
RUN kernel=$(ls /lib/modules | head -n1) && \ | ||
dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \ | ||
ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}" | ||
RUN rm -rf /boot/initramfs-* | ||
|
||
# Fixup sudo perms | ||
RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo | ||
|
||
# Clear cache | ||
RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname |
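Review bot: OS_NAME is assigned twice in the os-release RUN step (`OS_NAME=kairos-core-ubuntu-fips`, then `OS_NAME=kairos-ubuntu-fips`); the second assignment wins and the first is dead, so drop one so readers copying the example are not misled. Smaller points in the same hunk: the comment above `COPY --from=kairos-fips / /` says "master builds here for fedora" while the stage is `master_ubuntu-20-lts-fips`, so it should say ubuntu; `ubuntu-advantage-tools` appears in the package list and is purged two lines later, so the list entry can go; and both `ls /boot/vmlinuz-* | head -n1` and `ls /lib/modules | head -n1` pick whichever kernel sorts first, which works with the single `linux-image-fips` kernel installed here but deserves a comment, since a second kernel in the image would silently change which vmlinuz the initrd is built for. Doing `pro attach`, the installs and `pro detach` inside one RUN with the token mounted as a BuildKit secret is the right shape, as nothing from the token reaches an image layer.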
@@ -0,0 +1,21 @@ | ||
# Kairos Ubuntu focal fips | ||
|
||
- Edit `pro-attach-config.yaml` with your token | ||
very cool!
||
- run `bash build.sh` | ||
- start the ISO with qemu `bash run.sh` | ||
Install the system with a cloud-config file adding `fips=1` to the boot options: | ||
|
||
```yaml | ||
#cloud-config | ||
|
||
install: | ||
# ... | ||
# Set grub options | ||
grub_options: | ||
# additional Kernel option cmdline to apply | ||
extra_cmdline: "fips=1" | ||
``` | ||
|
||
Notes: | ||
- The dracut patch is needed as Ubuntu has an older version of systemd | ||
- Most of the Dockerfile configuration are: packages being installed by Ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages |
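Review bot: the README tells the user to put their Ubuntu Pro token into `pro-attach-config.yaml` but does not say that this turns the file into a credential that must not be committed or shipped; add a sentence to that effect (and a `.gitignore` entry if the repo has one), and note that `build.sh` passes it as a BuildKit secret precisely so it does not end up in an image layer. It would also help to tell the reader how to confirm the installed system actually came up in FIPS mode after booting with `extra_cmdline: "fips=1"`, for example by checking that `/proc/sys/crypto/fips_enabled` reads `1`. Minor grammar in the notes: "Most of the Dockerfile configuration are:" should read "Most of the Dockerfile configuration is:".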
@@ -0,0 +1,2 @@ | ||
DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips | ||
docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm -ti quay.io/kairos/auroraboot --set container_image=docker://ubuntu-focal-fips --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot" |
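Review bot: `build.sh` has no shebang and no error handling, so if `docker build` fails the `docker run ... auroraboot` line still runs and produces an ISO from whatever `ubuntu-focal-fips` image already exists locally, possibly a stale one. Add `#!/bin/bash` and `set -euo pipefail` at the top, or chain the two commands with `&&`. Passing the token via `--secret id=pro-attach-config,src=pro-attach-config.yaml` is the right approach, since it keeps the credential out of the image layers.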
@@ -0,0 +1,28 @@ | ||
diff --git a/module-setup.sh b/module-setup.sh | ||
index 59ea5e089..fe40547d1 100755 | ||
--- a/module-setup.sh | ||
+++ b/module-setup.sh | ||
@@ -265,6 +265,23 @@ install() { | ||
echo "After=dracut-cmdline.service" | ||
echo "Before=dracut-initqueue.service" | ||
) > "${initdir}/$systemdsystemunitdir/iscsid.service.d/dracut.conf" | ||
+ | ||
+ # The iscsi deamon does not need to wait for any storage inside initrd | ||
+ mkdir -p "${initdir}/$systemdsystemunitdir/iscsid.socket.d" | ||
+ ( | ||
+ echo "[Unit]" | ||
+ echo "DefaultDependencies=no" | ||
+ echo "Conflicts=shutdown.target" | ||
+ echo "Before=shutdown.target sockets.target" | ||
+ ) > "${initdir}/$systemdsystemunitdir/iscsid.socket.d/dracut.conf" | ||
+ mkdir -p "${initdir}/$systemdsystemunitdir/iscsuio.socket.d" | ||
+ ( | ||
+ echo "[Unit]" | ||
+ echo "DefaultDependencies=no" | ||
+ echo "Conflicts=shutdown.target" | ||
+ echo "Before=shutdown.target sockets.target" | ||
+ ) > "${initdir}/$systemdsystemunitdir/iscsuio.socket.d/dracut.conf" | ||
+ | ||
fi | ||
inst_dir /var/lib/iscsi | ||
dracut_need_initqueue |
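Review bot: the second drop-in directory is spelled `iscsuio.socket.d`, which does not match the `iscsi`/`iscsid` spelling used elsewhere in the hunk; if the helper's socket unit is actually named `iscsiuio.socket`, this drop-in applies to nothing and its `DefaultDependencies=no` override silently never takes effect. Please check the directory name against the socket unit the module installs. Also `deamon` in the comment should be `daemon`.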
@@ -0,0 +1,4 @@ | ||
omit_dracutmodules+=" iscsi iscsiroot " | ||
add_dracutmodules+=" fips " | ||
# These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-* | ||
install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac " | ||
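Review bot: this config sets `omit_dracutmodules+=" iscsi iscsiroot "`, yet the Dockerfile in the same PR copies `dracut-broken-iscsi-ubuntu-20.patch` and applies it to `/usr/lib/dracut/modules.d/95iscsi`; if the iscsi module is omitted from the generated initrd the patch step has no effect, so either the omit line or the patch step (and its README note) looks unnecessary, or the reason for keeping both should be commented. Separately, `install_items` hardcodes the `x86_64-linux-gnu` multiarch directory and the `.so.1.1`/`.so.20` sonames; since the comment already says the names come from `/usr/share/initramfs-tools/hooks/fips-*`, deriving the list from those hooks at build time (as discussed in the comments) would keep it from going stale after a library version bump.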
great find
as far as I can see only the hidden hmac for libssl and libcrypto are needed, in case we want to minimize the number of files added here. It's still good to have the full list though. Also we could move this to immucore directly, there is a
let's do that, however we have to be smart there and scan for the files. let's keep the example for now, we will work later to make it smaller and easier to digest
@@ -0,0 +1,3 @@ | ||
token: YOUR_TOKEN_HERE | ||
enable_services: | ||
- fips |
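Review bot: once a user follows the README and replaces `YOUR_TOKEN_HERE`, this file holds a live Ubuntu Pro token in the working tree under its committed name, so a careless `git add .` publishes it. Consider committing it as `pro-attach-config.yaml.example` and ignoring the real file, or at least adding a `.gitignore` entry; the placeholder value itself is fine.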
@@ -0,0 +1,3 @@ | ||
qemu-img create -f qcow2 disk.img 40g | ||
|
||
qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso |
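Review bot: `qemu-img create -f qcow2 disk.img 40g` runs unconditionally, so a second `bash run.sh` (for example to boot the freshly installed system instead of the ISO) recreates the disk and wipes the installation; guard it with `[ -f disk.img ] || qemu-img create -f qcow2 disk.img 40g`. Also `-m 8096` is probably meant to be `8192` (8 GiB), and `-cpu host -enable-kvm` requires KVM on the host, which the README could mention.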
shouldn't this be before the fips stuff?
I don't think it really matters; I moved it down just in case there were some of these packages in the repos, so as to give them a chance to get replaced with fips ones.