Test build for #2062

.obs/workflows.yml

@@ -29,6 +29,10 @@ staging_build:
         source_project: home:defolos:BCI:CR:Tumbleweed
         source_package: apache-tomcat-9-image
         target_project: home:defolos:BCI:CR:Tumbleweed:Staging
+    - branch_package:
+        source_project: home:defolos:BCI:CR:Tumbleweed
+        source_package: base-fips-image
+        target_project: home:defolos:BCI:CR:Tumbleweed:Staging
     - branch_package:
         source_project: home:defolos:BCI:CR:Tumbleweed
         source_package: blackbox_exporter-image
@@ -275,6 +279,9 @@ refresh_devel_BCI:
     - trigger_services:
         project: devel:BCI:Tumbleweed
         package: apache-tomcat-9-image
+    - trigger_services:
+        project: devel:BCI:Tumbleweed
+        package: base-fips-image
     - trigger_services:
         project: devel:BCI:Tumbleweed
         package: blackbox_exporter-image

base-fips-image/Dockerfile

@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: MIT
+
+#     Copyright (c) 2024 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!UseOBSRepositories
+
+#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%
+#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%
+#!BuildTag: opensuse/bci/bci-base-fips:latest
+
+FROM opensuse/tumbleweed:latest
+
+RUN set -euo pipefail; \
+    zypper -n install --no-recommends openSUSE-release openSUSE-release-appliance-docker coreutils crypto-policies-scripts; \
+    zypper -n clean; \
+    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=org.opensuse.bci.base-fips
+LABEL org.opencontainers.image.title="openSUSE Tumbleweed BCI FIPS-140-3"
+LABEL org.opencontainers.image.description="FIPS-140-3 container based on the openSUSE Tumbleweed Base Container Image."
+LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opencontainers.image.url="https://www.opensuse.org"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="openSUSE Project"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opensuse.reference="registry.opensuse.org/opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
+LABEL org.opensuse.release-stage="released"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/base-fips-image/README.md"
+LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
+RUN set -euo pipefail; update-crypto-policies --no-reload --set FIPS
+
+ENV GNUTLS_FORCE_FIPS_MODE=1
+ENV LIBGCRYPT_FORCE_FIPS_MODE=1
+ENV LIBICA_FIPS_FLAG=1
+ENV NSS_FIPS=1
+ENV OPENSSL_FIPS=1
+ENV OPENSSL_FORCE_FIPS_MODE=1

base-fips-image/README.md

@@ -0,0 +1,33 @@
+
+# The SUSE Linux Enterprise FIPS-140-3 container image
+
+![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)
+
+## Description
+
+
+This base container image is configured with FIPS mode enabled by default, but
+does not include any certified binaries.
+
+
+## Usage
+The image is configured to enforce the use of FIPS mode by default,
+independent of the host environment setup by specifying the following
+environment variables:
+* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode
+* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel
+* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing
+
+Below is a list of other environment variables that can be used to configure the OpenSSL library:
+
+* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate
+the acceptable key sizes of RSA.
+## Licensing
+
+`SPDX-License-Identifier: MIT`
+
+This documentation and the build recipe are licensed as MIT.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/).

base-fips-image/_service

@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+</services>

base-fips-image/base-fips-image.changes

@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Nov 26 17:32:50 UTC 2024 - SUSE Update Bot <[email protected]>
+
+- First version of the FIPS-140-3 BCI