From 995d67cdf783dae5b9f32bcb1617bfdee350f54f Mon Sep 17 00:00:00 2001 From: Walt Date: Wed, 14 Jun 2023 16:44:38 -0700 Subject: [PATCH 1/3] Remove unused FIPS build boxes (#26859) FIPS is only built on amd64, and only on our centos:7 buildboxes. These other dockerfiles and targets are vestigial. Furthermore, the buildbox is a security risk, as ubuntu:18.04 is not supported after 2023-05-31. If/when we want to support FIPS on ARM, we can build off the centos:7 infrastructure, or its successor. (cherry picked from commit fafa16a19c376909bc1b99e61044b2f363bb1a8b)
---
 build.assets/Dockerfile-fips | 187 -----------------------------------
 build.assets/Makefile | 32 +-----
 build.assets/images.mk | 2 -
 3 files changed, 2 insertions(+), 219 deletions(-)
 delete mode 100644 build.assets/Dockerfile-fips
diff --git a/build.assets/Dockerfile-fips b/build.assets/Dockerfile-fips
deleted file mode 100644
index 181ec49d7e139..0000000000000
--- a/build.assets/Dockerfile-fips
+++ /dev/null
@@ -1,187 +0,0 @@
-# This Dockerfile makes the FIPS "build box": the container used to build official
-# FIPS releases of Teleport and its documentation.
-
-
-FROM ubuntu:18.04 as boringssl
-# The below tools are required in order to build and compile the module:
-# Clang compiler version 7.0.1
-# Go programming language version 1.12.7
-# Ninja build system version 1.9.0
-#
-# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
-# For more information please refer to the section 12. Guidance and Secure Operation of:
-# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
-
-RUN apt-get update -y --fix-missing && \
- apt-get -q -y upgrade && \
- apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
- apt-get install -q -y --no-install-recommends \
- build-essential \
- cmake \
- git \
- tar \
- xz-utils \
- unzip \
- zip \
- && \
- apt-get -y clean && \
- rm -rf /var/lib/apt/lists/*
-
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
- echo "e74ce06d99ed9ce42898e22d2a966f71ae785bdf4edbded93e628d696858921a" "clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" | sha256sum --check && \
- tar xJf clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
- rm -f clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz
-ENV PATH="/opt/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
-
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
- echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
- tar xf go1.12.7.linux-amd64.tar.gz && \
- rm -f go1.12.7.linux-amd64.tar.gz && \
- chmod a+w /opt/go && \
- chmod a+w /var/lib && \
- chmod a-w /
-ENV GOPATH="/go" \
- GOROOT="/opt/go" \
- PATH="$PATH:/opt/go/bin:/go/bin"
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip && \
- echo "1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305" "ninja-linux.zip" | sha256sum --check && \
- unzip ninja-linux.zip && \
- rm -f ninja-linux.zip && \
- mv /opt/ninja /usr/bin
-
-RUN mkdir -p /opt && cd /opt && \
- git clone https://github.com/google/boringssl.git && \
- cd boringssl && \
- git checkout ae223d6138807a13006342edfeef32e813246b39 && \
- mkdir build && \
- cd build && \
- cmake -DFIPS=1 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -GNinja .. && \
- ninja
-
-
-# Use Ubuntu 18.04 as base to get an older glibc version.
-# Using a newer base image will build against a newer glibc, which creates a
-# runtime requirement for the host to have newer glibc too. For example,
-# teleport built on any newer Ubuntu version will not run on Centos 7 because
-# of this.
-FROM ubuntu:18.04
-
-COPY locale.gen /etc/locale.gen
-COPY profile /etc/profile
-
-ENV LANGUAGE="en_US.UTF-8" \
- LANG="en_US.UTF-8" \
- LC_ALL="en_US.UTF-8" \
- LC_CTYPE="en_US.UTF-8" \
- DEBIAN_FRONTEND="noninteractive"
-
-RUN apt-get update -y --fix-missing && \
- apt-get -q -y upgrade && \
- apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
- apt-get install -q -y --no-install-recommends \
- clang-10 \
- clang-format-10 \
- gcc \
- git \
- gzip \
- libc6-dev \
- libelf-dev \
- libpam-dev \
- libsqlite3-0 \
- llvm-10 \
- locales \
- make \
- net-tools \
- openssh-client \
- pkg-config \
- tar \
- tree \
- unzip \
- zip \
- zlib1g-dev \
- && \
- dpkg-reconfigure locales && \
- apt-get -y clean && \
- rm -rf /var/lib/apt/lists/*
-
-ARG UID
-ARG GID
-RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
- mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
-
-# Install etcd.
-RUN (curl -L https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
- cp etcd-v3.3.9-linux-amd64/etcd* /bin/)
-
-# Install Go.
-ARG GOLANG_VERSION
-RUN mkdir -p /opt && cd /opt && curl https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
- mkdir -p /go/src/github.com/gravitational/teleport && \
- chmod a+w /go && \
- chmod a+w /var/lib && \
- chmod a-w /
-ENV GOEXPERIMENT=boringcrypto \
- GOPATH="/go" \
- GOROOT="/opt/go" \
- PATH="$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
-
-ARG BUILDARCH
-
-# Install Nodejs
-ARG NODE_VERSION
-ENV NODE_PATH="/usr/local/lib/nodejs-linux"
-ENV PATH="$PATH:${NODE_PATH}/bin"
-RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
- export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
- mkdir -p ${NODE_PATH} && \
- curl -o /tmp/nodejs.tar.xz -L ${NODE_URL} && \
- tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
-RUN corepack enable yarn
-
-# Install libbpf
-ARG LIBBPF_VERSION
-RUN mkdir -p /opt && cd /opt && \
- curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
- cd /opt/libbpf-${LIBBPF_VERSION}/src && \
- make && \
- make install
-
-# Install PAM module and policies for testing.
-COPY pam/ /opt/pam_teleport/
-RUN make -C /opt/pam_teleport install
-
-ARG RUST_VERSION
-ENV RUSTUP_HOME=/usr/local/rustup \
- CARGO_HOME=/usr/local/cargo \
- PATH=/usr/local/cargo/bin:$PATH \
- RUST_VERSION=$RUST_VERSION
-
-RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
- mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
-
-# Install Rust using the ci user, as that is the user that
-# will run builds using the Rust toolchains we install here.
-USER ci
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
- rustup --version && \
- cargo --version && \
- rustc --version && \
- rustup component add rustfmt clippy && \
- rustup target add aarch64-unknown-linux-gnu
-
-# Copy BoringSSL into the final image
-COPY --from=boringssl /opt/boringssl /opt/boringssl
-
-# set boring-rs crate env variables to point to pre-built binaries
-# https://github.com/cloudflare/boring#support-for-pre-built-binaries
-ENV BORING_BSSL_PATH=/opt/boringssl
-ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
-
-VOLUME ["/go/src/github.com/gravitational/teleport"]
-EXPOSE 6600 2379 2380
diff --git a/build.assets/Makefile b/build.assets/Makefile
index 6080289a73e98..e9e39dea692b6 100644
--- a/build.assets/Makefile
+++ b/build.assets/Makefile
@@ -143,20 +143,7 @@ buildbox:
 # Builds a Docker buildbox for FIPS
 #
 .PHONY:buildbox-fips
-buildbox-fips:
- if [[ "$(BUILDBOX_FIPS_NAME)" == "$(BUILDBOX_FIPS)" ]]; then \
- if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_FIPS) || true; fi; \
- docker build \
- --build-arg UID=$(UID) \
- --build-arg GID=$(GID) \
- --build-arg BUILDARCH=$(RUNTIME_ARCH) \
- --build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
- --build-arg NODE_VERSION=$(NODE_VERSION) \
- --build-arg RUST_VERSION=$(RUST_VERSION) \
- --build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
- --cache-from $(BUILDBOX_FIPS) \
- --tag $(BUILDBOX_FIPS) -f Dockerfile-fips . ; \
- fi
+buildbox-fips: buildbox-centos7-fips
 #
 # Builds a Docker buildbox for CentOS 7 builds
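Review bot: The alias `buildbox-fips: buildbox-centos7-fips` leaves `release-fips` (outside this hunk, around line 466) running `docker run … $(BUILDBOX_FIPS_NAME)`, and `BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)` at the top of this Makefile now expands to nothing because `BUILDBOX_FIPS` is deleted from images.mk in this same commit, so `make release-fips` would effectively hand `/usr/bin/make` to docker as the image name; the second patch in this series fixes that, and the fix belongs in this commit or the two should land together. The header comment above the target still says `# Builds a Docker buildbox for FIPS`, which no longer describes a bare alias; I would change it to `# buildbox-fips is an alias for buildbox-centos7-fips; FIPS is only built on amd64 CentOS 7.` Anything that still tags `teleport-buildbox-fips:$BUILDBOX_VERSION` after running this target (the CI step removed in the second patch did) will fail, since the alias never produces that image.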
@@ -206,20 +193,6 @@ buildbox-arm: buildbox
 --cache-from $(BUILDBOX_ARM) \
 --tag $(BUILDBOX_ARM) -f Dockerfile-arm .
-#
-# Builds a Docker buildbox for ARMv7/ARM64 FIPS builds
-# ARM buildboxes use a regular Teleport buildbox as a base which already has a user
-# with the correct UID and GID created, so those arguments are not needed here.
-#
-.PHONY:buildbox-arm-fips
-buildbox-arm-fips: buildbox-fips
- @if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_ARM_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_ARM_FIPS) || true; fi;
- docker build \
- --build-arg BUILDBOX_VERSION=$(BUILDBOX_VERSION) \
- --cache-from $(BUILDBOX_FIPS) \
- --cache-from $(BUILDBOX_ARM_FIPS) \
- --tag $(BUILDBOX_ARM_FIPS) -f Dockerfile-arm-fips .
-
 CONNECT_VERSION ?= $(VERSION)
 ifeq ($(CONNECT_VERSION),)
 CONNECT_VERSION := $(BUILDBOX_VERSION)-dev
@@ -408,8 +381,7 @@ release-amd64:
 $(MAKE) release ARCH=amd64 FIDO2=yes
 .PHONY: release-amd64-fips
-release-amd64-fips:
- $(MAKE) release-fips ARCH=amd64 FIPS=yes BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
+release-amd64-fips: release-amd64-centos7-fips
 .PHONY: release-386
 release-386:
diff --git a/build.assets/images.mk b/build.assets/images.mk
index d2920bd71991c..f2139009250c1 100644
--- a/build.assets/images.mk
+++ b/build.assets/images.mk
@@ -6,11 +6,9 @@
 BUILDBOX_VERSION ?= teleport13
 BUILDBOX_BASE_NAME ?= public.ecr.aws/gravitational/teleport-buildbox
 BUILDBOX=$(BUILDBOX_BASE_NAME):$(BUILDBOX_VERSION)
-BUILDBOX_FIPS=$(BUILDBOX_BASE_NAME)-fips:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7=$(BUILDBOX_BASE_NAME)-centos7:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION)
 BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION)
-BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION)
 BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION)
 BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION)
 BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)
From 366ed908f97127fdc7ab9e59b10751a64e9feb55 Mon Sep 17 00:00:00 2001 From: Walt Date: Tue, 20 Jun 2023 17:21:19 +0200 Subject: [PATCH 2/3] Remove further unused fips infrastructure (#27900) * Remove Dockerfile-arm-fips We don't build fips for arm, as documented in https://github.com/gravitational/teleport/issues/10581. * Stop building buildbox-fips We do not use this buildbox for anything. This step is failing because the supporting infrastructure for buildbox-fips was removed in https://github.com/gravitational/teleport/pull/26859. * Fix fips buildbox BUILDBOX_FIPS was removed, replaced by BUILDBOX_CENTOS7_FIPS. Unfortunately I missed updating this target in #26859. This subsequently broke e CI. (cherry picked from commit 6ef118636ff481d598e8ad53c48b89c4b5d42f57)
---
 .drone.yml | 23 -----------------------
 build.assets/Dockerfile-arm-fips | 6 ------
 build.assets/Makefile | 5 ++---
 dronegen/buildbox.go | 4 ++--
 4 files changed, 4 insertions(+), 34 deletions(-)
 delete mode 100644 build.assets/Dockerfile-arm-fips
diff --git a/.drone.yml b/.drone.yml
index 303a652e062d9..ce300b7009aaf 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -6100,29 +6100,6 @@ steps:
 path: /var/run
 - name: dockerconfig
 path: /root/.docker
-- name: Build and push buildbox-fips
- image: docker
- pull: if-not-exists
- commands:
- - apk add --no-cache make aws-cli
- - chown -R $UID:$GID /go
- - aws ecr get-login-password --profile staging --region=us-west-2 | docker login
- -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com
- - make -C build.assets buildbox-fips
- - docker tag public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
- 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
- - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA
- - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com
- - aws ecr-public get-login-password --profile production --region=us-east-1 | docker
- login -u="AWS" --password-stdin public.ecr.aws
- - docker push public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
- volumes:
- - name: awsconfig
- path: /root/.aws
- - name: dockersock
- path: /var/run
- - name: dockerconfig
- path: /root/.docker
 - name: Build and push buildbox-arm
 image: docker
 pull: if-not-exists
diff --git a/build.assets/Dockerfile-arm-fips b/build.assets/Dockerfile-arm-fips
deleted file mode 100644
index 3096fc5bf0634..0000000000000
--- a/build.assets/Dockerfile-arm-fips
+++ /dev/null
@@ -1,6 +0,0 @@
-ARG BUILDBOX_VERSION
-FROM public.ecr.aws/gravitational/teleport-buildbox-fips:$BUILDBOX_VERSION
-
-RUN apt-get -y update && \
- apt-get -y install gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu && \
- apt-get -y autoclean && apt-get -y clean
diff --git a/build.assets/Makefile b/build.assets/Makefile
index e9e39dea692b6..4f1ed58691218 100644
--- a/build.assets/Makefile
+++ b/build.assets/Makefile
@@ -40,7 +40,6 @@ include grpcbox.mk # Requires images.mk
 # target. The other solution was to remove the 'buildbox' dependency from the 'release' target, but this would
 # make it harder to run `make -C build.assets release` locally as the buildbox would not automatically be built.
 BUILDBOX_NAME=$(BUILDBOX)
-BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
 DOCSBOX=ghcr.io/gravitational/docs
@@ -466,9 +465,9 @@ release-enterprise:
 # CI should not use this target, it should use named Makefile targets like release-amd64-fips.
 #
 .PHONY:release-fips
-release-fips: buildbox-fips webassets
+release-fips: buildbox-centos7-fips webassets
 @if [ -z ${VERSION} ]; then echo "VERSION is not set"; exit 1; fi
- docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_FIPS_NAME) \
+ docker run $(DOCKERFLAGS) -i $(NOROOT) $(BUILDBOX_CENTOS7_FIPS) \
 /usr/bin/make -C e release -e ADDFLAGS="$(ADDFLAGS)" OS=$(OS) ARCH=$(ARCH) RUNTIME=$(GOLANG_VERSION) FIPS=yes VERSION=$(VERSION) GITTAG=v$(VERSION) REPRODUCIBLE=yes
 #
diff --git a/dronegen/buildbox.go b/dronegen/buildbox.go
index b4a696ca03feb..293ab96f7d449 100644
--- a/dronegen/buildbox.go
+++ b/dronegen/buildbox.go
@@ -52,8 +52,8 @@ func buildboxPipelineSteps() []step {
 for _, name := range []string{"buildbox", "buildbox-arm", "buildbox-centos7"} {
 for _, fips := range []bool{false, true} {
- // FIPS is unsupported on ARM/ARM64
- if name == "buildbox-arm" && fips {
+ // FIPS is only supported on centos7
+ if fips && name != "buildbox-centos7" {
 continue
 }
 steps = append(steps, buildboxPipelineStep(name, fips))
From 69f38e7e0148efe15615057a34afd5656670339e Mon Sep 17 00:00:00 2001 From: Grzegorz Zdunek Date: Tue, 26 Sep 2023 09:07:37 +0200 Subject: [PATCH 3/3] Update signature
---
 .drone.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.drone.yml b/.drone.yml
index ce300b7009aaf..637fa04321d1c 100644
--- a/.drone.yml
+++ b/.drone.yml
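Review bot: The `.drone.yml` regenerated from this dronegen change (index 303a652e062d9..ce300b7009aaf in the same patch) keeps the old `hmac:` signature, which is only replaced in the third patch of the series (`Update signature`); if Drone verifies that signature, the pipeline is invalid at this commit on its own, so regenerating and re-signing should happen in the same commit. The new condition `if fips && name != "buildbox-centos7"` is correct for the three names in the loop, but the comment could carry the reason recorded in the commit message, e.g. `// FIPS is only supported on centos7; see https://github.com/gravitational/teleport/issues/10581.` buildboxPipelineSteps continues outside the hunk.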
@@ -17143,6 +17143,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: a3a67d99406db9b0bc8012209e4dd7c3ba76984ce1a2b3d5b487b310a0c4f0cd
+hmac: 5c2bc182fb858e4e9d8ee897d13604c9e6841e0c874c5b9cfc1ff971fafe55d3
 ...