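# This Dockerfile makes the FIPS "build box": the container used to build official
# FIPS releases of Teleport and its documentation.
#
# Stage "boringssl": builds the FIPS-validated BoringSSL module from source with
# the exact toolchain the validation was performed with. Only /opt/boringssl is
# copied out of this stage into the final image (see COPY --from=boringssl below).
FROM ubuntu:18.04 AS boringssl
# The below tools are required in order to build and compile the module:
# Clang compiler version 7.0.1
# Go programming language version 1.12.7
# Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
#
# The tool versions above and the BoringSSL commit are part of the validated
# configuration: do not bump one of them independently of the security policy.
RUN apt-get update -y --fix-missing && \
    apt-get -q -y upgrade && \
    apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
    apt-get install -q -y --no-install-recommends \
        build-essential \
        cmake \
        git \
        tar \
        unzip \
        xz-utils \
        zip \
    && \
    apt-get -y clean && \
    rm -rf /var/lib/apt/lists/*

# Every toolchain archive is downloaded into /opt and verified against a pinned
# SHA-256 before it is unpacked. "curl -f" makes an HTTP error (e.g. a 404 page)
# fail the step outright instead of saving the error body as the archive; -sS
# keeps the log quiet but still prints the reason on failure.
WORKDIR /opt

# Clang 7.0.1 (prebuilt LLVM release). The archive is removed in the same layer
# so it does not end up in the stage's filesystem.
RUN curl -fsSLO https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
    echo "e74ce06d99ed9ce42898e22d2a966f71ae785bdf4edbded93e628d696858921a" "clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" | sha256sum --check && \
    tar xJf clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
    rm -f clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz
ENV PATH="/opt/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"

# Go 1.12.7 (the version named in the security policy, not the one used to
# build Teleport itself; that one is installed in the final stage).
RUN curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
    echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
    tar xf go1.12.7.linux-amd64.tar.gz && \
    rm -f go1.12.7.linux-amd64.tar.gz
ENV GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="$PATH:/opt/go/bin:/go/bin"

# Ninja 1.9.0.
RUN curl -fsSLO https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip && \
    echo "1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305" "ninja-linux.zip" | sha256sum --check && \
    unzip ninja-linux.zip && \
    rm -f ninja-linux.zip && \
    mv /opt/ninja /usr/bin

# Fetch BoringSSL and check out the validated commit. Pinning by full commit
# hash (rather than a tag or branch) means the source cannot silently move.
RUN git clone https://github.com/google/boringssl.git && \
    git -C boringssl checkout ae223d6138807a13006342edfeef32e813246b39

# Out-of-tree build with the FIPS mode enabled, using the pinned clang and ninja.
WORKDIR /opt/boringssl/build
RUN cmake -DFIPS=1 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -GNinja .. && \
    ninja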
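# Use Ubuntu 18.04 as base to get an older glibc version.
# Using a newer base image will build against a newer glibc, which creates a
# runtime requirement for the host to have newer glibc too. For example,
# teleport built on any newer Ubuntu version will not run on Centos 7 because
# of this.
FROM ubuntu:18.04
COPY locale.gen /etc/locale.gen
COPY profile /etc/profile
# NOTE(review): DEBIAN_FRONTEND persists into the runtime environment here;
# presumably intended, since this is a CI build box whose scripts may call
# apt-get — confirm before moving it to a build-only ARG.
ENV LANGUAGE="en_US.UTF-8" \
    LANG="en_US.UTF-8" \
    LC_ALL="en_US.UTF-8" \
    LC_CTYPE="en_US.UTF-8" \
    DEBIAN_FRONTEND="noninteractive"
RUN apt-get update -y --fix-missing && \
    apt-get -q -y upgrade && \
    apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
    apt-get install -q -y --no-install-recommends \
        clang-10 \
        clang-format-10 \
        gcc \
        git \
        gzip \
        libc6-dev \
        libelf-dev \
        libpam-dev \
        libsqlite3-0 \
        llvm-10 \
        locales \
        make \
        net-tools \
        openssh-client \
        pkg-config \
        tar \
        tree \
        unzip \
        zip \
        zlib1g-dev \
    && \
    dpkg-reconfigure locales && \
    apt-get -y clean && \
    rm -rf /var/lib/apt/lists/*

# The "ci" user is the one that runs builds in this image (see USER ci below).
# UID and GID have no defaults: groupadd/useradd fail on an empty value, so the
# build must always pass --build-arg UID=... --build-arg GID=... (presumably the
# invoking host user's ids, so files written into the source VOLUME are owned by
# that user — confirm against the build scripts).
ARG UID
ARG GID
RUN groupadd ci --gid=$GID -o && \
    useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
    mkdir -p -m0700 /var/lib/teleport && \
    chown -R ci /var/lib/teleport

# Install etcd.
# The archive is downloaded to /tmp and extracted there so that curl's exit
# status is observed (a pipe into tar would mask it) and nothing is left behind
# in the image root.
# NOTE(review): unlike the toolchains in the boringssl stage, this download is
# not checksum-verified; add a pinned SHA-256 check — TODO.
RUN curl -fsSL -o /tmp/etcd.tar.gz https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz && \
    tar -xz -C /tmp -f /tmp/etcd.tar.gz && \
    cp /tmp/etcd-v3.3.9-linux-amd64/etcd* /bin/ && \
    rm -rf /tmp/etcd.tar.gz /tmp/etcd-v3.3.9-linux-amd64

# Install Go.
# GOLANG_VERSION is the full release name as it appears in the archive name
# (the URL below is "<GOLANG_VERSION>.linux-amd64.tar.gz").
# NOTE(review): this toolchain download is not checksum-verified — TODO.
ARG GOLANG_VERSION
RUN mkdir -p /opt && \
    curl -fsSL -o /tmp/golang.tar.gz https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz && \
    tar -xz -C /opt -f /tmp/golang.tar.gz && \
    rm -f /tmp/golang.tar.gz && \
    mkdir -p /go/src/github.com/gravitational/teleport && \
    chmod a+w /go && \
    chmod a+w /var/lib && \
    chmod a-w /
# NOTE(review): /var/lib is made world-writable above although /var/lib/teleport
# is already owned by ci; confirm whether the broader grant is still needed.
# GOEXPERIMENT=boringcrypto switches the Go toolchain's crypto to BoringCrypto,
# which is what makes the resulting Teleport binaries FIPS builds.
ENV GOEXPERIMENT=boringcrypto \
    GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"

# Install Nodejs
# BUILDARCH is one of BuildKit's automatic platform ARGs. It is defined in the
# global scope only, so it has to be redeclared (without a value) inside the
# stage to be visible to RUN; otherwise it expands to the empty string and the
# arch mapping below silently picks the non-amd64 branch.
ARG BUILDARCH
ARG NODE_VERSION
# NOTE: NODE_PATH is also read by Node.js itself as an extra module search path;
# here it only names the install root that PATH points into.
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
# Node.js publishes its amd64 archives under the name "x64", so the Docker arch
# name is mapped before the URL is built; any other arch is treated as arm64.
RUN NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
    NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
    mkdir -p "${NODE_PATH}" && \
    curl -fsSL -o /tmp/nodejs.tar.xz "${NODE_URL}" && \
    tar -xJf /tmp/nodejs.tar.xz -C "${NODE_PATH}" --strip-components=1 && \
    rm -f /tmp/nodejs.tar.xz
RUN corepack enable yarn

# Install libbpf (from the gravitational fork), pinned by release tag.
# NOTE(review): GitHub tag tarballs are not immutable and no checksum is
# verified here — TODO.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && \
    curl -fsSL -o /tmp/libbpf.tar.gz https://github.com/gravitational/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz && \
    tar -xz -C /opt -f /tmp/libbpf.tar.gz && \
    rm -f /tmp/libbpf.tar.gz && \
    make -C /opt/libbpf-${LIBBPF_VERSION}/src && \
    make -C /opt/libbpf-${LIBBPF_VERSION}/src install

# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

# Rust toolchain directories are created as root and made world-writable so
# that the ci user, which runs rustup below, can populate them.
ARG RUST_VERSION
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=$RUST_VERSION
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
    mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
# Install Rust using the ci user, as that is the user that
# will run builds using the Rust toolchains we install here.
USER ci
# NOTE(review): the rustup installer script is piped into sh without a checksum;
# only the toolchain it then installs is pinned (RUST_VERSION). The version
# checks right after installation double as a guard that the install succeeded.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
    rustup --version && \
    cargo --version && \
    rustc --version && \
    rustup component add rustfmt clippy && \
    rustup target add aarch64-unknown-linux-gnu

# Copy BoringSSL into the final image (root-owned; ci only needs to read it).
COPY --from=boringssl /opt/boringssl /opt/boringssl
# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl
ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
VOLUME ["/go/src/github.com/gravitational/teleport"]
EXPOSE 6600 2379 2380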