[Build] Add FIPS docker image for GovCloud #117152
Conversation
breskeby
added
>non-issue
:Delivery/Build
|
Pinging @elastic/es-delivery (Team:Delivery) |
breskeby
changed the title
breskeby
force-pushed
the
add-fips-docker-image
branch
from
8003e4c to
c11d177
Compare
breskeby
added
the
:Delivery/Packaging
breskeby
force-pushed
the
add-fips-docker-image
branch
3 times, most recently
from
a23256c to
3f203b4
Compare
| CLOUD_ESS(null, "-cloud-ess", "apk"); | ||
| CLOUD_ESS(null, "-cloud-ess", "apk"), | ||
| // Based on WOLFI above, we programmatically extend from the wolfi image. | ||
| FIPS(null, "-fips", "apk"); |
There was a problem hiding this comment.
we need to base the image from: chainguard-base-fips
while the majority of the FIPS compliant for ES is from the JDK/app level, the container itself must also be FIPS compliant.
(EDIT: or is that already the case here ? ...if so, for my own education, how are the tags defined across base and base-fips?)
There was a problem hiding this comment.
we transitively base this on chainguard-base as cloud-ess is based on our es-wolfi image and this is based on chainguard-base. @jakelandis you say this must be chainguard-base-fips instead?
This is coded into distribution/docker/build.gradle
There was a problem hiding this comment.
I need to do more tweaking as but you can test this from the branch by running:
./gradlew buildAarch64FipsDockerImage
# start image directly
docker run elasticsearch-fips:aarch64
# inspect image
docker run -it --entrypoint /bin/bash elasticsearch-fips:aarch64
There was a problem hiding this comment.
@jakelandis With the latest WIP I configure a hardcoded password for the keystore (as it must be >12 characters) Strictly speaking that's fips compliant as I get it, but how is that safe enough if we bake that password into the image itself? each image would have the same keystone password basically public.
It seems we should instead have the ability in ES to ensure we generate dynamically a keystore with fips compliant password without explicitly declaring it?
There was a problem hiding this comment.
you say this must be chainguard-base-fips instead?
Yes, the base image, for this purpose, must also be FIPS compliant.
but how is that safe enough if we bake that password into the image itself? each image would have the same keystone password basically public.
This probably warrants it's own discussion, there is likely some cloud level config needed here.
There was a problem hiding this comment.
@jakelandis I changed the base image to be chainguard-base-fips. One side effect here is that aarch64 is not supported anymore. You can test this with
./gradlew buildFipsDockerImage
# start image directly
docker run elasticsearch-fips:x86_64
# inspect image
docker run -it --entrypoint /bin/bash elasticsearch-fips:x86_64
be6f4c6 to
853068f
Compare
breskeby
force-pushed
the
add-fips-docker-image
branch
from
853068f to
9598e33
Compare
| xpack.security.http.ssl.enabled: true | ||
| xpack.security.http.ssl.key: node1.key | ||
| xpack.security.http.ssl.certificate: node1.crt | ||
| xpack.security.http.ssl.certificate_authorities: node1.crt |
There was a problem hiding this comment.
these keys will work for netty; but not for BCJSSE in approved only mode.
Was this tested or solved?
There was a problem hiding this comment.
this has been removed
| # xpack.security.transport.ssl.enabled: true | ||
| # xpack.security.transport.ssl.certificate: node1.crt | ||
| # xpack.security.transport.ssl.certificate_authorities: node1.crt | ||
| # xpack.security.transport.ssl.key: node1.key |
There was a problem hiding this comment.
ah, that's how incompatibility is fixed by turning off xpack.security ssl.
breskeby
force-pushed
the
add-fips-docker-image
branch
from
9598e33 to
85966a5
Compare
- Adds docker image based on chainguard base fips image - x86 only for now as base image is x86b only TODO: Add packaging test coverage
breskeby
force-pushed
the
add-fips-docker-image
branch
from
85966a5 to
ea43aeb
Compare
The fips image is shipped with:
Todo:
Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios)