Rework initial fips setup; base on cloud
breskeby committed Dec 3, 2024
1 parent 72a86c9 commit 2a3467d
Showing 3 changed files with 64 additions and 44 deletions.
45 changes: 7 additions & 38 deletions distribution/docker/build.gradle
Expand Up @@ -21,18 +21,6 @@ apply plugin: 'elasticsearch.dra-artifacts'
apply plugin: 'elasticsearch.jdk-download'
apply plugin: 'elasticsearch.repositories'

//// Setup FIPS image jdk
//project.jdks {
// ['x64', 'aarch64'].each { architecture ->
// "fips_linux_${architecture}" {
// it.platform = "linux"
// it.version = "17.0.12"
// it.vendor = VersionProperties.bundledJdkVendor
// it.architecture = architecture
// }
// }
//}

String buildId = providers.systemProperty('build.id').getOrNull()
boolean useLocalArtifacts = buildId != null && buildId.isBlank() == false && useDra == false

Expand Down Expand Up @@ -125,10 +113,8 @@ dependencies {
filebeat_x86_64 "beats:filebeat:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
metricbeat_aarch64 "beats:metricbeat:${VersionProperties.elasticsearch}:linux-arm64@tar.gz"
metricbeat_x86_64 "beats:metricbeat:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
// fips "org.bouncycastle:bcpg-fips:1.0.7.1"
// fips "org.bouncycastle:bc-fips:1.0.2.4"
fips "org.bouncycastle:bcprov-jdk18on:1.78.1"

fips "org.bouncycastle:bctls-fips:1.0.17"
fips "org.bouncycastle:bc-fips:1.0.2.4"
}

ext.expansions = { Architecture architecture, DockerBase base ->
Expand Down Expand Up @@ -468,27 +454,9 @@ void addBuildFipsDockerImageTasks(Architecture architecture) {
into("resources") {
from tasks.named('fipsResources')
}
into('jdk') {
// from(files("jdk-17.0.12"))
eachFile { FileCopyDetails details ->
if (details.relativePath.segments[-2] == 'bin' || details.relativePath.segments[-1] == 'jspawnhelper') {
details.permissions {
unix(0755)
}
} else {
details.permissions {
unix(0644)
}
}
if (details.name == 'src.zip') {
details.exclude()
}
}
}
}


String baseSuffix = DockerBase.WOLFI.suffix
String baseSuffix = DockerBase.CLOUD_ESS.suffix
from(projectDir.resolve("src/docker/Dockerfile.fips")) {
expand(
[
Expand Down Expand Up @@ -602,18 +570,19 @@ void addBuildCloudDockerImageTasks(Architecture architecture) {
}

// fips
String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
//String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
String javaSecurityFilename = 'fips_java.security'
File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
//File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')

TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
fipsResourcesTask.configure {
outputDir = fipsResourcesDir
copy javaSecurityFilename
copy 'fips_java.policy'
copy 'cacerts.bcfks'
// copy 'cacerts.bcfks'
}

for (final Architecture architecture : Architecture.values()) {
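Review bot: The hunk at `@@ -602,18 +570,19 @@` hard-codes `String javaSecurityFilename = 'fips_java.security'` but keeps the old Oracle/OpenJDK selection expression, the `fipsTrustStore` declaration and `copy 'cacerts.bcfks'` as commented-out lines; delete them, or replace them with a one-line comment saying why the Oracle variant and the BCFKS truststore are no longer exported. Because `fipsResources` now exports only `fips_java.security` and `fips_java.policy`, a `fips/resources/fips_java_oracle.security` path will no longer exist in the Docker build context, which matters because Dockerfile.fips in this same commit still refers to that filename — worth checking whether those references are on its new side. In the dependencies hunk the non-FIPS `bcprov-jdk18on` line appears to give way to `bc-fips`/`bctls-fips`; if that reading is right, a comment such as `// FIPS-certified providers only; the non-FIPS bcprov jar must not reach the image classpath` would make the intent explicit. The functions `addBuildFipsDockerImageTasks` and `addBuildCloudDockerImageTasks` begin outside the visible hunks.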
57 changes: 51 additions & 6 deletions distribution/docker/src/docker/Dockerfile.fips
Expand Up @@ -2,19 +2,64 @@ FROM ${base_image} AS builder

USER root

# Add fips specific files (certified security providers, jdk, config files)
# Add fips specific files (certified security providers, config files)
RUN mkdir -p /opt/fips/
RUN chmod -R 0555 /opt/fips
COPY fips /opt/fips/
COPY fips/resources/fips_java_oracle.security /usr/share/elasticsearch/config/fips_java.security
COPY fips/resources/fips_java.policy /usr/share/elasticsearch/config/fips_java.policy

RUN chown 1000:1000 /opt/fips/*
RUN chmod 0444 /opt/fips/*

WORKDIR /usr/share/elasticsearch
RUN cat <<EOF > instance.yml
instances:
- name: "node1"
dns:
- "node1.example.com"
cn:
- "node1.elasticsearch.cluster"
EOF
RUN bin/elasticsearch-certutil cert --in instance.yml --self-signed --pem --out certificate-bundle.zip
RUN unzip certificate-bundle.zip
RUN cp node1/node1.crt config
RUN cp node1/node1.key config

WORKDIR /usr/share/elasticsearch/config
# Add policies for FIPS
RUN cat <<EOF > elasticsearch.yml
xpack.security.fips_mode.enabled: true
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.autoconfiguration.enabled: false
xpack.security.authc.reserved_realm.enabled: false
xpack.security.http.ssl.key: node1.key
xpack.security.http.ssl.certificate: node1.crt
xpack.security.http.ssl.certificate_authorities: node1.crt
xpack.security.transport.ssl.key: node1.key
xpack.security.transport.ssl.certificate: node1.crt
xpack.security.transport.ssl.certificate_authorities: node1.crt
xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch
xpack.security.fips_mode.required_providers: ["BCFIPS", "BCJSSE"]
logger.org.elasticsearch.xpack.security: trace
discovery.seed_hosts: []
node.name: node1
cluster.initial_master_nodes: ["node1"]
EOF


WORKDIR /usr/share/elasticsearch/config/jvm.options.d
RUN cat <<EOF > fips.options
-Djava.security.properties=/usr/share/elasticsearch/config/fips_java.security
-Djava.security.policy=/usr/share/elasticsearch/config/fips_java.policy
EOF

FROM ${base_image}
USER root

# COPY --from=builder --chown=0:0 /opt/fips/jdk /opt/jdk
COPY --from=builder --chown=0:0 /opt/fips/libs/*.jar /usr/share/elasticsearch/lib
COPY --from=builder --chown=0:0 /opt/fips/resources/fips_java_oracle.security /usr/share/elasticsearch/jdk/conf/security/java.security
COPY --from=builder --chown=0:0 /opt/fips/resources/fips_java.policy /usr/share/elasticsearch/jdk/conf/security/java.policy
COPY --from=builder --chown=0:0 /usr/share/elasticsearch/config/ /usr/share/elasticsearch/config
COPY --from=builder --chown=0:0 /opt/fips/libs/*.jar /usr/share/elasticsearch/lib/

USER 1000:0
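Review bot: The builder stage generates a self-signed node certificate with `bin/elasticsearch-certutil` and copies `node1.key` into `config`, which `COPY --from=builder --chown=0:0 /usr/share/elasticsearch/config/` then carries into the final image, so every container started from this image shares one private key that sits in the image layers. If this image is only a FIPS smoke-test artefact, say so above the `RUN bin/elasticsearch-certutil` line, e.g. `# Test-only: the key/cert generated below are baked into the image and shared by every container; mount real node certificates for any other use`; otherwise the key material should be generated or mounted at container start rather than at build time. The generated `elasticsearch.yml` also sets `logger.org.elasticsearch.xpack.security: trace`, a debugging level that does not belong in the default configuration of an image. Separately, `COPY fips/resources/fips_java_oracle.security` (and the `--from=builder` copy of the same file into `jdk/conf/security/java.security`) names a resource that build.gradle in this commit no longer exports, so the build is likely to fail unless those lines are on the removed side, which this rendered view does not make certain.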
6 changes: 6 additions & 0 deletions distribution/docker/src/docker/config/elasticsearch.yml
@@ -1,2 +1,8 @@
cluster.name: "docker-cluster"
network.host: 0.0.0.0
#xpack.security.fips_mode.enabled: true
#xpack.security.autoconfiguration.enabled: false
## xpack.security.fips_mode.required_providers: ["BCFIPS"]
#xpack.security.fips_mode.required_providers: ["BCFIPS", "BCJSSE"]
#xpack.security.authc.password_hashing.algorithm: "pbkdf2_stretch"
## xpack.security.transport.ssl.enabled: true
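Review bot: The six added lines are all commented-out settings (`#xpack.security.fips_mode.enabled: true` …) in the stock docker `elasticsearch.yml`, where they are dead configuration, and two of them (`## xpack.security.fips_mode.required_providers: ["BCFIPS"]`, `## xpack.security.transport.ssl.enabled: true`) are doubly commented, which reads like leftovers from experimenting. Either drop them, since the FIPS image writes its own `elasticsearch.yml` in Dockerfile.fips, or keep a single pointer such as `# FIPS settings are written into the generated config by Dockerfile.fips` so readers know where the live values are.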
