https://docs.google.com/document/d/1t9QvoWhPR7CVWirhijPv0t2RCODyFzMmXFVsGG7M9a0/edit


Purpose

This document describes the procedure to build FIPS-UBI images.

Scope

Enable UBI images for FIPS compliance and detail the steps required to build the images.


Prerequisites

A virtual machine, familiarity with building images, and access to build UBI images, Quay, Jenkins and Docker.


Procedure

Here is the detailed procedure.

Instance with Base Image

Please follow the instructions below:

Step-1 : docker pull registry.access.redhat.com/ubi8/ubi:8.7

Step-2 : docker run -itd <image id> bash   (the image pulled in Step-1)
Step-3 : docker exec -it <id> bash

Step-4 :  fips-mode-setup --check

Output : 

Installation of FIPS modules is not completed.

FIPS mode is enabled.

Inconsistent state detected.

Step-5 :  fips-mode-setup --enable

Output : 

Setting system policy to FIPS

Note: System-wide crypto policies are applied on application start-up.

It is recommended to restart the system for the change of policies to fully take place.

The grubby command is missing, please configure the bootloader manually.

FIPS mode will be enabled.


Now you need to configure the bootloader to add kernel options "fips=1" and reboot the system for the setting to take effect.



Step-6 : update-crypto-policies --set FIPS

Output :

Setting system policy to FIPS

Note: System-wide crypto policies are applied on application start-up.

It is recommended to restart the system for the change of policies to fully take place.

Step-7 :  docker ps

Step-8 :  docker stop <id>

Step-9 :  docker ps -a

Step-10 : docker start <id>

Step-11 : docker exec -it <id> bash

Step-12 : fips-mode-setup --check

Output : 

FIPS mode is enabled.

Step-13 : docker commit <id> quay.io/opsmxpublic/ubifips:8.7

Step-14 : docker login quay.io -u <username> -p <password>   (or use --password-stdin so the password does not land in the shell history)

Step-15 : docker push quay.io/opsmxpublic/ubifips:8.7

Dockerfile

Create a new ubi8 Dockerfile that uses the base image built above:

FROM quay.io/opsmxpublic/ubifips:8.7

MAINTAINER sig-platform@spinnaker.io

COPY igor-web/build/install/igor /opt/igor

RUN yum -y install java-11-openjdk-headless.x86_64 wget vim curl net-tools nettle

RUN yum -y  update

RUN adduser spinnaker

RUN mkdir -p /opt/igor/plugins

RUN chmod -R 777 /opt/igor/plugins/

RUN chown -R spinnaker:spinnaker /opt/

USER spinnaker

CMD ["/opt/igor/bin/igor"]


Deploy the image built from the Dockerfile above and check the FIPS status inside the running container with the command below.

fips-mode-setup --check

Output :

FIPS mode is enabled.
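As an added example, not part of the original procedure: a POSIX shell function that re-checks the two inputs behind the fips-mode-setup messages quoted above. The kernel flag /proc/sys/crypto/fips_enabled is inherited from the host kernel and cannot be changed from inside a container (which is why Step-5 reports that grubby is missing and the bootloader must be configured manually), so the image only carries the crypto policy; run the function inside the deployed container to confirm both agree. It does not replicate every check fips-mode-setup performs, and the path parameters, return codes and message wording are this example's own.

```sh
#!/bin/sh
# Added example (not from the original document): re-check the inputs that
# drive the "FIPS mode is enabled" / "Inconsistent state" messages.
#   /proc/sys/crypto/fips_enabled : kernel flag, inherited from the HOST kernel;
#                                   a container cannot change it
#   /etc/crypto-policies/config   : system-wide policy set inside the image by
#                                   update-crypto-policies --set FIPS
# Both paths are parameters so the function can be exercised on constructed files.
# Return codes: 0 enabled, 1 disabled, 2/3 inconsistent (see the messages).
check_fips_state() {
  fips_file="${1:-/proc/sys/crypto/fips_enabled}"
  policy_file="${2:-/etc/crypto-policies/config}"

  kernel_fips=""
  if [ -r "$fips_file" ]; then
    kernel_fips=$(tr -d '[:space:]' < "$fips_file")
  fi
  [ -n "$kernel_fips" ] || kernel_fips=0

  policy=""
  if [ -r "$policy_file" ]; then
    # The active policy is the first non-comment, non-blank line (e.g. FIPS, FIPS:OSPP)
    policy=$(grep -v '^[[:space:]]*#' "$policy_file" | grep -v '^[[:space:]]*$' \
             | head -n 1 | tr -d '[:space:]')
  fi
  [ -n "$policy" ] || policy="(unset)"

  case "${kernel_fips}:${policy}" in
    1:FIPS*)
      echo "FIPS mode is enabled (kernel fips=1, policy $policy)"; return 0 ;;
    1:*)
      echo "Inconsistent state: kernel fips=1 but crypto policy is $policy"; return 2 ;;
    *:FIPS*)
      echo "Inconsistent state: crypto policy is $policy but kernel fips_enabled=$kernel_fips (host not booted with fips=1)"; return 3 ;;
    *)
      echo "FIPS mode is disabled (kernel fips_enabled=$kernel_fips, policy $policy)"; return 1 ;;
  esac
}

# Stand-alone run against the live container paths; the verdict code is kept
# in RC so a caller running with set -e is not aborted by a non-zero verdict.
RC=0
check_fips_state || RC=$?
```

A non-zero RC after deployment means the image's crypto policy and the host kernel disagree, which fips-mode-setup --check would also report as an inconsistent or disabled state.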