Produce FIPS compliant ARM builds #10581
Labels
arm
c-fw
Internal Customer Reference
c-kb
Internal Customer Reference
feature-request
Used for new features in Teleport, improvements to current should be #enhancements
fedramp
release-engineering
Comments
pschisa added feature-request, arm, c-fw labels Feb 24, 2022
We'll be able to support this soon.
This is now possible with Go 1.19.4
wadells added a commit that referenced this issue Jun 15, 2023
We don't build fips for arm, as documented in #10581.
wadells added a commit that referenced this issue Jun 20, 2023
* Remove Dockerfile-arm-fips
  We don't build fips for arm, as documented in #10581.
* Stop building buildbox-fips
  We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in #26859.
* Fix fips buildbox
  BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI.
gzdunek pushed a commit that referenced this issue Sep 21, 2023
* Remove Dockerfile-arm-fips
  We don't build fips for arm, as documented in #10581.
* Stop building buildbox-fips
  We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in #26859.
* Fix fips buildbox
  BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI.
(cherry picked from commit 6ef1186)
gzdunek pushed a commit that referenced this issue Sep 26, 2023
* Remove Dockerfile-arm-fips
  We don't build fips for arm, as documented in #10581.
* Stop building buildbox-fips
  We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in #26859.
* Fix fips buildbox
  BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI.
(cherry picked from commit 6ef1186)
github-merge-queue bot pushed a commit that referenced this issue Sep 26, 2023
* Remove unused FIPS build boxes (#26859)
  FIPS is only built on amd64, and only on our centos:7 buildboxes. These other dockerfiles and targets are vestigial. Furthermore, the buildbox is a security risk, as ubuntu:18.04 is not supported after 2023-05-31. If/when we want to support FIPS on ARM, we can build off the centos:7 infrastructure, or its successor.
  (cherry picked from commit fafa16a)
* Remove further unused fips infrastructure (#27900)
* Remove Dockerfile-arm-fips
  We don't build fips for arm, as documented in #10581.
* Stop building buildbox-fips
  We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in #26859.
* Fix fips buildbox
  BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI.
  (cherry picked from commit 6ef1186)
* Update signature
---------
Co-authored-by: Walt <walt@goteleport.com>
reedloden added a commit that referenced this issue Dec 12, 2023
Replace `Dockerfile-centos7-fips` with a simple version that just uses the existing `Dockerfile-centos7` image with some extra modifications (specifically, enabling BoringCrypto for Go and configuring OpenSSL to use FIPS mode). Several changes were made to `Dockerfile-centos7` to support this.

There is a mix of `public.ecr.aws` and `ghcr.io` being used for the buildboxes. The default now uses `ghcr.io`.

Buildbox images did not handle varying architectures well, so use docker buildx multi-architecture support to make it easy to target specific architectures. `--platform` usage has been removed for the time being, as it wasn't correctly implemented.

Additionally, start building arm and CentOS 7 FIPS buildbox images in GHA to bring it in sync with `dronegen/buildbox.go`.

This does not include any drone/dronegen changes yet. Changes will come in a separate PR once this groundwork has been done.

Ref #5068. Ref #10581.
reedloden added a commit that referenced this issue Dec 19, 2023
Replace `Dockerfile-centos7-fips` with a simple version that just uses the existing `Dockerfile-centos7` image with some extra modifications (specifically, enabling BoringCrypto for Go and configuring OpenSSL to use FIPS mode). Several changes were made to `Dockerfile-centos7` to support this.

There is a mix of `public.ecr.aws` and `ghcr.io` being used for the buildboxes. The default now uses `ghcr.io`.

Buildbox images did not handle varying architectures well, so use docker buildx multi-architecture support to make it easy to target specific architectures. `--platform` usage has been removed for the time being, as it wasn't correctly implemented.

Additionally, start building arm and CentOS 7 FIPS buildbox images in GHA to bring it in sync with `dronegen/buildbox.go`.

This does not include any drone/dronegen changes yet. Changes will come in a separate PR once this groundwork has been done.

Ref #5068. Ref #10581.
github-merge-queue bot pushed a commit that referenced this issue Dec 19, 2023
…34950)

Replace `Dockerfile-centos7-fips` with a simple version that just uses the existing `Dockerfile-centos7` image with some extra modifications (specifically, enabling BoringCrypto for Go and configuring OpenSSL to use FIPS mode). Several changes were made to `Dockerfile-centos7` to support this.

There is a mix of `public.ecr.aws` and `ghcr.io` being used for the buildboxes. The default now uses `ghcr.io`.

Buildbox images did not handle varying architectures well, so use docker buildx multi-architecture support to make it easy to target specific architectures. `--platform` usage has been removed for the time being, as it wasn't correctly implemented.

Additionally, start building arm and CentOS 7 FIPS buildbox images in GHA to bring it in sync with `dronegen/buildbox.go`.

This does not include any drone/dronegen changes yet. Changes will come in a separate PR once this groundwork has been done.

Ref #5068. Ref #10581.
Teleport 15 will have ARM64 FIPS builds.
Feature request to start offering ARM-specific builds that are FEDRAMP/FIPS compliant like we do for DEB/RPM.