📖 Add example to build an image from scratch for ubuntu fips

examples/byoi/ubuntu-fips/Dockerfile

@@ -0,0 +1,159 @@
+
+# Kairos framework packages for ubuntu fips
+FROM quay.io/kairos/framework:master_ubuntu-20-lts-fips as kairos-fips
+
+# Base ubuntu image (focal)
+FROM ubuntu:focal as base
+
+# Generate os-release file
+FROM quay.io/kairos/osbuilder-tools:latest as osbuilder
+RUN zypper install -y gettext && zypper clean
+RUN mkdir /workspace
+COPY --from=base /etc/os-release /workspace/os-release
+# You should change the following values according to your own versioning and other details
+RUN OS_NAME=kairos-core-ubuntu-fips \
+  OS_VERSION=v9.9.9 \
+  OS_ID="kairos" \
+  OS_NAME=kairos-ubuntu-fips \
+  BUG_REPORT_URL="https://github.com/YOUR_ORG/YOUR_PROJECT/issues" \
+  HOME_URL="https://github.com/YOUR_ORG/YOUR_PROJECT" \
+  OS_REPO="quay.io/YOUR_ORG/ubuntu-fips" \
+  OS_LABEL="latest" \
+  GITHUB_REPO="YOUR_ORG/YOUR_PROJECT" \
+  VARIANT="fips" \
+  FLAVOR="ubuntu" \
+  /update-os-release.sh
+
+# Build the custom ubuntu image
+FROM base
+
+# Don't get asked while running apt commands
+ENV DEBIAN_FRONTEND=noninteractive
+
+## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
+## I've just added "linux-image-fips" in the package list
+RUN --mount=type=secret,id=pro-attach-config \
+    apt-get update \
+    && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
+    && pro attach --attach-config /run/secrets/pro-attach-config \
+    && apt-get upgrade -y \
+    && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \
+    && pro detach --assume-yes
+
+
+## Kairos setup
+## From documentation: https://kairos.io/docs/reference/build-from-scratch/
+RUN mkdir -p /run/lock
+RUN mkdir -p /usr/libexec
+RUN touch /usr/libexec/.keep
+
+## Kairos required packages
+## See: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts
+RUN apt-get install -y --no-install-recommends \
+    conntrack \
+    console-data \
+    coreutils \
+    cryptsetup \
+    curl \
+    debianutils \
+    dmsetup \
+    dosfstools \
+    dracut \
+    dracut-network \
+    e2fsprogs \
+    efibootmgr \
+    file \
+    fuse \
+    gawk \
+    gdisk \
+    grub2 \
+    grub2-common \
+    grub-efi-amd64-bin \
+    grub-efi-amd64-signed \
+    grub-pc-bin \
+    haveged \
+    iproute2 \
+    iptables \
+    isc-dhcp-common \
+    jq \
+    kbd \
+    krb5-locales \
+    lldpd \
+    lvm2 \
+    mdadm \
+    nano \
+    nbd-client \
+    ncurses-term \
+    neovim \
+    networkd-dispatcher \
+    nfs-common \
+    open-iscsi \
+    openssh-server \
+    open-vm-tools \
+    os-prober \
+    packagekit-tools \
+    parted \
+    patch \
+    policykit-1 \
+    publicsuffix \
+    qemu-guest-agent \
+    rsync \
+    shared-mime-info \
+    snapd \
+    snmpd \
+    squashfs-tools \
+    sudo \
+    systemd \
+    systemd-timesyncd \
+    thermald \
+    ubuntu-advantage-tools \
+    xdg-user-dirs \
+    xxd \
+    xz-utils \
+    zerofree \
+    zfsutils-linux \
+    zstd \
+    && apt-get remove -y unattended-upgrades && apt-get clean \
+    && apt-get purge --auto-remove -y ubuntu-advantage-tools \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list
+COPY --from=kairos-fips / /
+# Copy the os-release file to identify the OS
+COPY --from=osbuilder /workspace/os-release /etc/os-release
+
+# Activate Kairos services
+RUN systemctl enable cos-setup-reconcile.timer && \
+          systemctl enable cos-setup-fs.service && \
+          systemctl enable cos-setup-boot.service && \
+          systemctl enable cos-setup-network.service
+
+## Configuration
+## Took from: https://github.com/kairos-io/kairos/blob/master/images/Dockerfile.ubuntu-20-lts
+# workaround https://github.com/kairos-io/kairos/issues/949
+COPY dracut-broken-iscsi-ubuntu-20.patch /
+RUN cd /usr/lib/dracut/modules.d/95iscsi && patch < /dracut-broken-iscsi-ubuntu-20.patch && rm -rf /dracut-broken-iscsi-ubuntu-20.patch
+
+COPY dracut.conf /etc/dracut.conf.d/kairos-fips.conf
+# CLEANUP
+# Installing dracut and fips creates this default packages and symlinks and we dont want that
+# We want to fully rebuild and link our initrd
+RUN rm -Rf /boot/vmlinuz.old # symlink
+RUN rm -Rf /boot/vmlinuz.img.old # symlink
+RUN rm -Rf /boot/vmlinuz.img # symlink
+RUN rm -Rf /boot/initrd.img.old # symlink to wrong initrd (no immucore, no kairos-agent)
+RUN rm -Rf /boot/initrd.img # symlink to wrong initrd (no immucore, no kairos-agent)
+RUN rm -Rf /boot/initrd.img-* # wrong initrd (no immucore, no kairos-agent)
+## Generate initrd
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
+            ln -sf "${kernel#/boot/}" /boot/vmlinuz
+RUN kernel=$(ls /lib/modules | head -n1) && \
+            dracut -v -N -f "/boot/initrd-${kernel}" "${kernel}" && \
+            ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
+RUN rm -rf /boot/initramfs-*
+
+# Fixup sudo perms
+RUN chown root:root /usr/bin/sudo && chmod 4755 /usr/bin/sudo
+
+# Clear cache
+RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm /etc/machine-id && rm /var/lib/dbus/machine-id && rm /etc/hostname

examples/byoi/ubuntu-fips/README.md

@@ -0,0 +1,21 @@
+# Kairos Ubuntu focal fips
+
+- Edit `pro-attach-config.yaml` with your token
+- run `bash build.sh`
+- start the ISO with qemu `bash run.sh`
+Install the system with a cloud-config file adding `fips=1` to the boot options:
+
+```yaml
+#cloud-config
+
+install:
+  # ...
+  # Set grub options
+  grub_options:
+    # additional Kernel option cmdline to apply
+    extra_cmdline: "fips=1"
+```
+
+Notes:
+- The dracut patch is needed as Ubuntu has an older version of systemd
+- Most of the Dockerfile configuration are: packages being installed by Ubuntu, and the framework files coming from Kairos containing FIPS-enabled packages

examples/byoi/ubuntu-fips/build.sh

@@ -0,0 +1,2 @@
+DOCKER_BUILDKIT=1 docker build . --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-focal-fips
+docker run -v "$PWD"/build:/tmp/auroraboot -v /var/run/docker.sock:/var/run/docker.sock --rm -ti quay.io/kairos/auroraboot --set container_image=docker://ubuntu-focal-fips --set "disable_http_server=true" --set "disable_netboot=true" --set "state_dir=/tmp/auroraboot"

examples/byoi/ubuntu-fips/dracut-broken-iscsi-ubuntu-20.patch

@@ -0,0 +1,28 @@
+diff --git a/module-setup.sh b/module-setup.sh
+index 59ea5e089..fe40547d1 100755
+--- a/module-setup.sh
++++ b/module-setup.sh
+@@ -265,6 +265,23 @@ install() {
+             echo "After=dracut-cmdline.service"
+             echo "Before=dracut-initqueue.service"
+         ) > "${initdir}/$systemdsystemunitdir/iscsid.service.d/dracut.conf"
++
++        # The iscsi deamon does not need to wait for any storage inside initrd
++        mkdir -p "${initdir}/$systemdsystemunitdir/iscsid.socket.d"
++        (
++            echo "[Unit]"
++            echo "DefaultDependencies=no"
++            echo "Conflicts=shutdown.target"
++            echo "Before=shutdown.target sockets.target"
++        ) > "${initdir}/$systemdsystemunitdir/iscsid.socket.d/dracut.conf"
++        mkdir -p "${initdir}/$systemdsystemunitdir/iscsuio.socket.d"
++        (
++            echo "[Unit]"
++            echo "DefaultDependencies=no"
++            echo "Conflicts=shutdown.target"
++            echo "Before=shutdown.target sockets.target"
++        ) > "${initdir}/$systemdsystemunitdir/iscsuio.socket.d/dracut.conf"
++
+     fi
+     inst_dir /var/lib/iscsi
+     dracut_need_initqueue

examples/byoi/ubuntu-fips/dracut.conf

@@ -0,0 +1,4 @@
+omit_dracutmodules+=" iscsi iscsiroot "
+add_dracutmodules+=" fips "
+# These libraries/hmacs are needed in order to boot. The file names are in /usr/share/initramfs-tools/hooks/fips-*
+install_items+=" /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/.libssl.so.1.1.hmac /usr/lib/x86_64-linux-gnu/.libcrypto.so.1.1.hmac "

examples/byoi/ubuntu-fips/pro-attach-config.yaml

@@ -0,0 +1,3 @@
+token: YOUR_TOKEN_HERE
+enable_services:
+  - fips

examples/byoi/ubuntu-fips/run.sh

@@ -0,0 +1,3 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm -serial mon:stdio -rtc base=utc,clock=rt -chardev socket,path=qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -drive if=virtio,media=disk,file=disk.img -drive if=ide,media=cdrom,file=build/iso/kairos.iso