Test build for #2062

SUSE · Nov 26, 2024 · ee9e96a · ee9e96a
1 parent b9dbda5
commit ee9e96a
Show file tree

Hide file tree

Showing 10 changed files with 116 additions and 5 deletions.
diff --git a/.obs/workflows.yml b/.obs/workflows.yml
@@ -5,6 +5,10 @@ staging_build:
         source_project: home:defolos:BCI:CR:16.0
         source_package: base-image
         target_project: home:defolos:BCI:CR:16.0:Staging
+    - branch_package:
+        source_project: home:defolos:BCI:CR:16.0
+        source_package: base-fips-image
+        target_project: home:defolos:BCI:CR:16.0:Staging
     - branch_package:
         source_project: home:defolos:BCI:CR:16.0
         source_package: busybox-image
@@ -53,6 +57,9 @@ refresh_devel_BCI:
     - trigger_services:
         project: devel:BCI:16.0
         package: base-image
+    - trigger_services:
+        project: devel:BCI:16.0
+        package: base-fips-image
     - trigger_services:
         project: devel:BCI:16.0
         package: busybox-image

diff --git a/base-fips-image/Dockerfile b/base-fips-image/Dockerfile
@@ -0,0 +1,56 @@
+# SPDX-License-Identifier: MIT
+
+#     Copyright (c) 2024 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!UseOBSRepositories
+
+#!BuildTag: bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%
+#!BuildTag: bci/bci-base-fips:%OS_VERSION_ID_SP%
+#!BuildName: bci-bci-base-fips-%OS_VERSION_ID_SP%
+#!BuildVersion: 16.0
+FROM bci/bci-base:16.0
+
+RUN set -euo pipefail; \
+    zypper -n install --no-recommends SLES-release coreutils crypto-policies-scripts patterns-base-fips; \
+    zypper -n clean; \
+    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.bci.base-fips
+LABEL org.opencontainers.image.authors="https://github.com/SUSE/bci/discussions"
+LABEL org.opencontainers.image.title="SLE BCI 16 FIPS-140-3"
+LABEL org.opencontainers.image.description="16 FIPS-140-3 container based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/base-container-images/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opensuse.reference="registry.suse.com/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.eula="sle-bci"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.release-stage="beta"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="%SOURCEURL%/README.md"
+LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
+RUN set -euo pipefail; update-crypto-policies --no-reload --set FIPS
+
+ENV GNUTLS_FORCE_FIPS_MODE=1
+ENV LIBGCRYPT_FORCE_FIPS_MODE=1
+ENV LIBICA_FIPS_FLAG=1
+ENV NSS_FIPS=1
+ENV OPENSSL_FIPS=1
+ENV OPENSSL_FORCE_FIPS_MODE=1
diff --git a/base-fips-image/README.md b/base-fips-image/README.md
@@ -0,0 +1,37 @@
+
+# The SUSE Linux Enterprise FIPS-140-3 container image
+
+![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)![Support Level](https://img.shields.io/badge/Support_Level-techpreview-blue)
+[![SLSA](https://img.shields.io/badge/SLSA_(v0.1)-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/)
+[![Provenance: Available](https://img.shields.io/badge/Provenance-Available-Green)](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify)
+
+## Description
+
+
+This base container image is configured with FIPS mode enabled by default, but
+does not include any certified binaries.
+
+
+## Usage
+The image is configured to enforce the use of FIPS mode by default,
+independent of the host environment setup by specifying the following
+environment variables:
+* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode
+* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel
+* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing
+
+Below is a list of other environment variables that can be used to configure the OpenSSL library:
+
+* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate
+the acceptable key sizes of RSA.
+## Licensing
+
+`SPDX-License-Identifier: MIT`
+
+This documentation and the build recipe are licensed as MIT.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is a tech preview. Do not use it for production.
+Your feedback is welcome.
+Please report any issues to the [SUSE Bugzilla](https://bugzilla.suse.com/enter_bug.cgi?product=SUSE%20Linux%20Enterprise%20Base%20Container%20Images).
diff --git a/base-fips-image/_service b/base-fips-image/_service
@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+</services>
diff --git a/base-fips-image/base-fips-image.changes b/base-fips-image/base-fips-image.changes
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Nov 26 17:32:22 UTC 2024 - SUSE Update Bot <[email protected]>
+
+- First version of the 16 FIPS-140-3 BCI
diff --git a/base-image/base-image.kiwi b/base-image/base-image.kiwi
@@ -69,7 +69,6 @@ You can contact the BCI team via https://github.com/SUSE/bci/discussions
     <package name="glibc-locale-base"/>
     <package name="jdupes"/>
     <package name="libcurl-mini4"/>
-    <package name="patterns-base-fips"/>
     <package name="patterns-base-minimal_base"/>
     <package name="shadow"/>
     <package name="zypper"/>

diff --git a/gcc-14-image/Dockerfile b/gcc-14-image/Dockerfile
@@ -18,7 +18,8 @@
 #!BuildTag: bci/gcc:%%gcc_minor_version%%-%RELEASE%
 #!BuildTag: bci/gcc:%%gcc_minor_version%%
 #!BuildTag: bci/gcc:14
-
+#!BuildName: bci-gcc-14
+#!BuildVersion: 16.0.14
 FROM bci/bci-base:16.0
 
 RUN set -euo pipefail; \

diff --git a/init-image/Dockerfile b/init-image/Dockerfile
@@ -17,7 +17,8 @@
 
 #!BuildTag: bci/bci-init:%OS_VERSION_ID_SP%-%RELEASE%
 #!BuildTag: bci/bci-init:%OS_VERSION_ID_SP%
-
+#!BuildName: bci-bci-init-%OS_VERSION_ID_SP%
+#!BuildVersion: 16.0
 FROM bci/bci-base:16.0
 
 RUN set -euo pipefail; \

diff --git a/kiwi-image/Dockerfile b/kiwi-image/Dockerfile
@@ -19,7 +19,8 @@
 #!BuildTag: bci/kiwi:10.1.16
 #!BuildTag: bci/kiwi:10.1
 #!BuildTag: bci/kiwi:10
-
+#!BuildName: bci-kiwi-10.1
+#!BuildVersion: 16.0.10.1
 FROM bci/bci-base:16.0
 
 RUN set -euo pipefail; \

diff --git a/sle16-kernel-module-devel-image/Dockerfile b/sle16-kernel-module-devel-image/Dockerfile
@@ -17,7 +17,8 @@
 
 #!BuildTag: bci/bci-sle16-kernel-module-devel:%OS_VERSION_ID_SP%-%RELEASE%
 #!BuildTag: bci/bci-sle16-kernel-module-devel:%OS_VERSION_ID_SP%
-
+#!BuildName: bci-bci-sle16-kernel-module-devel-%OS_VERSION_ID_SP%
+#!BuildVersion: 16.0
 FROM bci/bci-base:16.0
 
 RUN set -euo pipefail; \