Security focused alternative image #2526
Conversation
|
|
|
Thank you! A pull request with the |
Should this also be a place for the cuda/rocm versions with the changes to the cuda upstream docker images that have been recently? Sounds good, are we ok with having the readme for the livebook fips give links to the community versions so that people can understand the constraints of how to be able to use it? |
I am not sure I get it.
That's fine by me. Perhaps it is more important to link to the Dockerfile themselves then to the pre-built images because I assume people will want to double check those anyway? |
I thought the nvidia docker image pipeline wouldn't be supported long term. I could be wrong https://github.com/NVIDIA/nvidia-docker?tab=readme-ov-file#deprecation-notice I wasn't sure if you were suggesting that all non debian/hex based livebook images should go to a community version instead of them being maintained as release packaged targets here. Since XLA recently added ROCm I figured if there was going to be a community maintained downstream artifacts for docker images, to do it in such a way that might look like: graph TD;
livebook_version_release-->community_docker_images;
community_docker_images-->cuda;
community_docker_images-->secured;
community_docker_images-->rocm;
community_docker_images-->alpine;
Sounds good, they probably would, not only that they might want to extend. The images might be just a baseline for extending |
|
Great, so please ping us once this is ready to go from your side. :) Thanks! |
@spunkedy I think the container toolkit is separate from the Docker images themselves. The images are built from https://gitlab.com/nvidia/container-images/cuda and that is not deprecated. For ROCm we still don't have precompiled XLA, because there aren't many users and it is maintenance cost to keep the right version matrix and test the builds. If it becomes more stable and popular in the future, then we can consider having Livebook images as well. |
Thanks! I don't use the CUDA containers, happy to be wrong here! |
|
Based upon the feedback, I added the documentation, examples, and more descriptions. Specifically used hex docs for this. I went back and forth between having it be just a sub section of |
lib/livebook.ex
Outdated
| if :crypto.enable_fips_mode(true) do | ||
| IO.puts("[Livebook] FIPS mode set") | ||
| else | ||
| raise "Could not set FIPS mode but was asked to" |
There was a problem hiding this comment.
| raise "Could not set FIPS mode but was asked to" | |
| Livebook.Config.abort!( | |
| "requested FIPS mode via LIVEBOOK_FIPS, but this Erlang installation was compiled without FIPS support" | |
| ) |
docs/deployment/fips.md
Outdated
| ### Error on startup | ||
|
|
||
| ```bash | ||
| export LIVEBOOK_FIPS=true | ||
| _build/prod/rel/livebook/bin/livebook start_iex | ||
|
|
||
| ERROR! Config provider Config.Reader failed with: | ||
| ** (RuntimeError) Could not set FIPS mode but was asked to | ||
| (livebook 0.13.0-dev) lib/livebook.ex:242: Livebook.config_runtime/0 | ||
| ... | ||
|
|
||
| ``` |
There was a problem hiding this comment.
Instead of showing the error, I would just tell them that FIPS is enabled with LIVEBOOK_FIPS. When it fails, the error should be clear enough to tell them what's going on.
There was a problem hiding this comment.
🤔
Here are some of my thoughts around each
Hard error:
- Garuntees the environment in which it is run from the container perspective
- Going through security audits. showing configuration at the environment level makes it easier
Soft warning:
- to garuntee the environment, someone would have to do something like a supervisor script that makes sure the environment is that way on startup
- could give people a false sense of it being turned on if it gets restarted in a node that doesn't support it for some reason or another
Would this be better?
- LIVEBOOK_FIPS true/false - IO puts information for logging
- LIVEBOOK_FIPS_ENFORCE true/false - Hard error and explain what needs to be true to allow for it
There was a problem hiding this comment.
Oh sorry, I wasn't clear. We should definitely exit with clear error. My points was to remove the example from the docs and make the error itself clear enough in case they run into it.
Co-authored-by: Jonatan Kłosko <jonatanklosko@gmail.com>
Co-authored-by: Jonatan Kłosko <jonatanklosko@gmail.com>
Uffizzi Ephemeral Environment
|
|
Uffizzi Preview |
|
Gotcha. Will get that in later today my time.
…On Tue, Apr 2, 2024 at 8:42 AM Jonatan Kłosko ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In docs/deployment/fips.md
<#2526 (comment)>
:
> +### Error on startup
+
+```bash
+export LIVEBOOK_FIPS=true
+_build/prod/rel/livebook/bin/livebook start_iex
+
+ERROR! Config provider Config.Reader failed with:
+** (RuntimeError) Could not set FIPS mode but was asked to
+ (livebook 0.13.0-dev) lib/livebook.ex:242: Livebook.config_runtime/0
+ ...
+
+```
Oh sorry, I wasn't clear. We should definitely exit with clear error. My
points was to remove the example from the docs and make the error itself
clear enough in case they run into it.
—
Reply to this email directly, view it on GitHub
<#2526 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFIUL7GVFXMZGKGFCSCSQDY3KYUFAVCNFSM6AAAAABFJJ47HKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTSNZTHA3TAOJYHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Sounds good will make those changes
…On Tue, Apr 2, 2024 at 8:45 AM Jonatan Kłosko ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In docs/deployment/fips.md
<#2526 (comment)>
:
> +_build/prod/rel/livebook/bin/livebook start_iex
+
+ERROR! Config provider Config.Reader failed with:
+** (RuntimeError) Could not set FIPS mode but was asked to
+ (livebook 0.13.0-dev) lib/livebook.ex:242: Livebook.config_runtime/0
+ ...
+
+```
+
+This means that your elixir/erlang environmet was NOT compiled with FIPS enabled.
+
+### Docker example
+To do this in docker, you will need to build it a little bit differently. You can see a full example below. This should be considered psuedo code, you will want to adapt it to your needs. You should consider having a base image for the erlang/elixir portion with FIPS turned on and then overlay with a [multi stage build](https://docs.docker.com/build/building/multi-stage/).
+
+
+```docker
Yeah, we can keep everything before WORKDIR /build_app.
—
Reply to this email directly, view it on GitHub
<#2526 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAFIUL5GNGWEB4EGLNW5SYLY3KY7PAVCNFSM6AAAAABFJJ47HKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTSNZTHA3TSNRVGM>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Ugh, the rebase added everything, let me see if I can adjust that |
|
@jonatanklosko I think I have applied everything you were asking, let me know otherwise. |
|
@spunkedy thanks! |
|
💚 💙 💜 💛 ❤️ |
I finally had time to come back around to getting a hardened version.
Let me know if we would like a different pattern, I tried to follow the conventions in place as best as possible.
This enables a ubi8 image which currently has 0 vulnerabilities
ubi8
Use ubi8 instead of 9 since it is still pending for FIPS
Redhat universal base image allows for a maintained upstrean docker image with security in mind
Fips mode
This does NOT mean that everything that is run here is "FIPS compliant" you still have to configure hackney/req/ssl/ etc to run in these modes, but I figured that was out of scope for this. These changes to the runtime are what is required to be able to enable the others.
Startup fips mode
This introduces a
LIVEBOOK_FIPSflag that will show a log and raise an error if there is an issue setting the mode.User Change
nobody as the user for the execution environment, by default allow for this.
Possible improvements
Possible improvements I see: