Remove unused FIPS build boxes (#26859)
FIPS is only built on amd64, and only on our centos:7 buildboxes.  These
other dockerfiles and targets are vestigial.  Furthermore, the buildbox
is a security risk, as ubuntu:18.04 is not supported after 2023-05-31.

If/when we want to support FIPS on ARM, we can build off the centos:7
infrastructure, or its successor.

(cherry picked from commit fafa16a)
wadells authored and gzdunek committed Sep 21, 2023
1 parent c4f27b8 commit c8f1571
Showing 3 changed files with 2 additions and 218 deletions.
186 changes: 0 additions & 186 deletions build.assets/Dockerfile-fips

This file was deleted.

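--- a/build.assets/Makefile
+++ b/build.assets/Makefile
@@ -141,20 +141,7 @@ buildbox:
 # Builds a Docker buildbox for FIPS
 #
 .PHONY:buildbox-fips
-buildbox-fips:
-if [[ "$(BUILDBOX_FIPS_NAME)" == "$(BUILDBOX_FIPS)" ]]; then \
-if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_FIPS) || true; fi; \
-docker build \
---build-arg UID=$(UID) \
---build-arg GID=$(GID) \
---build-arg BUILDARCH=$(RUNTIME_ARCH) \
---build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
---build-arg NODE_VERSION=$(NODE_VERSION) \
---build-arg RUST_VERSION=$(RUST_VERSION) \
---build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
---cache-from $(BUILDBOX_FIPS) \
---tag $(BUILDBOX_FIPS) -f Dockerfile-fips . ; \
-fi
+buildbox-fips: buildbox-centos7-fips
 
 #
 # Builds a Docker buildbox for CentOS 7 builds
@@ -204,20 +191,6 @@ buildbox-arm: buildbox
 --cache-from $(BUILDBOX_ARM) \
 --tag $(BUILDBOX_ARM) -f Dockerfile-arm .
 
-#
-# Builds a Docker buildbox for ARMv7/ARM64 FIPS builds
-# ARM buildboxes use a regular Teleport buildbox as a base which already has a user
-# with the correct UID and GID created, so those arguments are not needed here.
-#
-.PHONY:buildbox-arm-fips
-buildbox-arm-fips: buildbox-fips
-@if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_ARM_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_ARM_FIPS) || true; fi;
-docker build \
---build-arg BUILDBOX_VERSION=$(BUILDBOX_VERSION) \
---cache-from $(BUILDBOX_FIPS) \
---cache-from $(BUILDBOX_ARM_FIPS) \
---tag $(BUILDBOX_ARM_FIPS) -f Dockerfile-arm-fips .
-
 CONNECT_VERSION ?= $(VERSION)
 ifeq ($(CONNECT_VERSION),)
 CONNECT_VERSION := $(BUILDBOX_VERSION)-dev
@@ -393,8 +366,7 @@ release-amd64:
 $(MAKE) release ARCH=amd64 FIDO2=yes
 
 .PHONY: release-amd64-fips
-release-amd64-fips:
-$(MAKE) release-fips ARCH=amd64 FIPS=yes BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
+release-amd64-fips: release-amd64-centos7-fips
 
 .PHONY: release-386
 release-386: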
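Review bot: In the last hunk, `release-amd64-fips` no longer passes `FIPS=yes` or `BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)` itself, so whether it still produces a FIPS build now depends entirely on `release-amd64-centos7-fips`, which is defined outside the visible hunks. The same commit drops `BUILDBOX_FIPS` and `BUILDBOX_ARM_FIPS` from images.mk, and Make expands an undefined variable to an empty string without warning. Any leftover reference (for example a default for `BUILDBOX_FIPS_NAME`, if one exists elsewhere) would therefore yield an empty image name instead of an error, so a grep for those three names across build.assets before merging would confirm none remain. The comment kept above `buildbox-fips` still reads as if the target builds its own image; I would reword it to `# Alias for buildbox-centos7-fips: FIPS is only built on the centos:7 buildbox` and add a matching one-line comment above `release-amd64-fips`.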
2 changes: 0 additions & 2 deletions build.assets/images.mk
Expand Up @@ -6,11 +6,9 @@ BUILDBOX_VERSION ?= teleport12
BUILDBOX_BASE_NAME ?= public.ecr.aws/gravitational/teleport-buildbox

BUILDBOX=$(BUILDBOX_BASE_NAME):$(BUILDBOX_VERSION)
BUILDBOX_FIPS=$(BUILDBOX_BASE_NAME)-fips:$(BUILDBOX_VERSION)
BUILDBOX_CENTOS7=$(BUILDBOX_BASE_NAME)-centos7:$(BUILDBOX_VERSION)
BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION)
BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION)
BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION)
BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION)
BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION)
BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)
