@maherthomsi maherthomsi commented Nov 13, 2025

Issue number:
#109, #113

Description of changes:
This PR modernizes the admin container with three key improvements:

Base image upgrade from Amazon Linux 2 to AL2023 and bash updated to 5.2.15. Removed legacy configuration from the Dockerfile that is no longer required.

FIPS 140 enabled for environments requiring federal cryptographic standards. Implements proper FIPS-approved algorithms and key management protocols.

Enabled cgroupv2 compatibility and removed previous patches needed for cgroupv2 availability. Added cgroup synchronization between host and container.

Testing Done

  • Image compatibility: Validated builds and launches on Bottlerocket Kubernetes and metal-dev instances

    • Able to connect to metal-dev instance and ssh into the admin container

    • glibc Version: 2.34 - compatible with AL2023

    • systemd Version: 252 (AL2023)

    • Serial Console: ARM serial ports (/dev/ttyAMA0) accessible

       bottlerocket
       Password: 
       Last login: Thu Oct 30 16:43:25 on /.bottlerocket/rootfs/dev/ttyS0
                 Welcome to Bottlerocket's admin container!
           ╱╲
          ╱┄┄╲   This container provides access to the Bottlerocket host
          │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
         ╱│  │╲  tools for inspection and troubleshooting.  It is based on
         │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
           ╹╹    would find them on an AL2 host.
       
       To permit more intrusive troubleshooting, including actions that mutate the
       running state of the Bottlerocket host, we provide a tool called "sheltie"
       (`sudo sheltie`).  When run, this tool drops you into a root shell in the
       Bottlerocket host's root filesystem.
       [bottlerocket@admin]$ stat -fc %T /sys/fs/cgroup/
       cgroup2fs
       [bottlerocket@admin]$ cat /proc/sys/crypto/fips_enabled
       1
       [bottlerocket@admin]$ cat /etc/os-release
       NAME="Amazon Linux"
       VERSION="2023"
       ID="amzn"
       ID_LIKE="fedora"
       VERSION_ID="2023"
       PLATFORM_ID="platform:al2023"
       PRETTY_NAME="Amazon Linux 2023.9.20251020"
       ANSI_COLOR="0;33"
       CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
       HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
       DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
       SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
       BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
       VENDOR_NAME="AWS"
       VENDOR_URL="https://aws.amazon.com/"
       SUPPORT_END="2029-06-30"
      
  • AL2023 functionality: Confirmed all Amazon Linux 2023 commands operate correctly within the admin container

    [ec2-user@admin]$ cat /etc/os-release
    NAME="Amazon Linux"
    VERSION="2023"
    ID="amzn"
    ID_LIKE="fedora"
    VERSION_ID="2023"
    PLATFORM_ID="platform:al2023"
    PRETTY_NAME="Amazon Linux 2023.9.20251110"
    ANSI_COLOR="0;33"
    CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2023"
    HOME_URL="https://aws.amazon.com/linux/amazon-linux-2023/"
    DOCUMENTATION_URL="https://docs.aws.amazon.com/linux/"
    SUPPORT_URL="https://aws.amazon.com/premiumsupport/"
    BUG_REPORT_URL="https://github.com/amazonlinux/amazon-linux-2023"
    VENDOR_NAME="AWS"
    VENDOR_URL="https://aws.amazon.com/"
    SUPPORT_END="2029-06-30"
    [ec2-user@admin]$ cat /etc/system-release
    Amazon Linux release 2023.9.20251110 (Amazon Linux)
    [ec2-user@admin]$ uname -r
    6.1.156
    [ec2-user@admin]$ modprobe --version
    kmod version 34.2
    +ZSTD -XZ +ZLIB -OPENSSL
    [ec2-user@admin]$ dnf --version
    4.14.0
      Installed: dnf-0:4.14.0-1.amzn2023.0.6.noarch at Sat Nov  8 08:15:43 2025
      Built    : Amazon Linux at Fri Feb  7 20:55:48 2025
    
      Installed: rpm-0:4.16.1.3-29.amzn2023.0.6.aarch64 at Sat Nov  8 08:15:43 2025
      Built    : Amazon Linux at Mon Feb 26 20:41:22 2024
    [ec2-user@admin]$ dnf list installed | head -10
    Installed Packages
    alternatives.aarch64                 1.15-2.amzn2023.0.2                @System
    amazon-linux-repo-cdn.noarch         2023.9.20251110-0.amzn2023         @System
    audit-libs.aarch64                   3.1.5-1.amzn2023.0.2               @System
    basesystem.noarch                    11-11.amzn2023.0.2                 @System
    bash.aarch64                         5.2.15-1.amzn2023.0.2              @System
    bzip2-libs.aarch64                   1.0.8-6.amzn2023.0.2               @System
    ca-certificates.noarch               2025.2.76-1.0.amzn2023.0.2         @System
    checkpolicy.aarch64                  3.4-3.amzn2023.0.2                 @amazonlinux
    coreutils-single.aarch64             8.32-30.amzn2023.0.4               @System
    [ec2-user@admin]$ dnf info glibc
    Last metadata expiration check: 0:02:19 ago on Tue Nov 11 19:14:18 2025.
    Installed Packages
    Name         : glibc
    Version      : 2.34
    Release      : 231.amzn2023.0.1
    Architecture : aarch64
    Size         : 9.7 M
    Source       : glibc-2.34-231.amzn2023.0.1.src.rpm
    Repository   : @System
    Summary      : The GNU libc libraries
    URL          : http://www.gnu.org/software/glibc/
    License      : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+ and GPLv2+ with exceptions and BSD and Inner-Net and ISC and
                 : Public Domain and GFDL
    Description  : The glibc package contains standard libraries which are used by
                 : multiple programs on the system. In order to save disk space and
                 : memory, as well as to make upgrading easier, common system code is
                 : kept in one place and shared between programs. This particular package
                 : contains the most important sets of shared libraries: the standard C
                 : library and the standard math library. Without these two libraries, a
                 : Linux system will not function.
    
    [ec2-user@admin]$ dnf check-update
    Last metadata expiration check: 0:02:28 ago on Tue Nov 11 19:14:18 2025.
  • FIPS compliance: Verified FIPS-relevant flags are present in admin container on FIPS-enabled AMIs

    [root@admin]# cat /proc/sys/crypto/fips_enabled
    1
    [root@admin]# ls -la /etc/crypto-policies/ 2>/dev/null || echo "crypto-policies not available"
    total 12
    drwxr-xr-x. 1 root root   50 Nov 12 23:02 .
    drwxr-xr-x. 1 root root 4096 Nov 12 23:02 ..
    drwxr-xr-x. 1 root root 4096 Nov 12 23:02 back-ends
    -rw-r--r--. 1 root root    5 Nov 12 23:02 config
    drwxr-xr-x. 2 root root    6 Jan 23  2025 local.d
    drwxr-xr-x. 3 root root   21 Nov  8 08:15 policies
    drwxr-xr-x. 1 root root   40 Nov 12 23:02 state
    [root@admin]# openssl version
    OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
    [root@admin]# openssl version -a 2>/dev/null | grep -i fips || echo "No FIPS info in OpenSSL"
    compiler: gcc -fPIC -pthread -Wa,--noexecstack -O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -
    g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -
    specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-
    cc1  -march=armv8.2-a+crypto -mtune=neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-
    clash-protection -O2 -ftree-vectorize -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -
    Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-
    hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -march=armv8.2-a+crypto -mtune=
    neoverse-n1 -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection -Wa,--noexecstack -
    Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/
    redhat-annobin-cc1 -DOPENSSL_USE_NODELETE -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -DPURIFY -
    DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"3.2.2-6a2d04a6952ab14a\"" -D_GNU_SOURCE -DSYSTEM_CIPHERS_
    FILE="/etc/crypto-policies/back-ends/openssl.config"
    [root@admin]# echo "test" | openssl dgst -sha256
    SHA2-256(stdin)= f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
    [root@admin]# echo "test" | openssl dgst -md5 2>&1 | head -1
    Error setting digest
    [root@admin]# rpm -qa 2>/dev/null | grep -i fips || echo "rpm not available"
    openssl-fips-provider-latest-3.2.2-1.amzn2023.0.2.aarch64
  • Bash version: Confirmed bash 5.2.15 installation and functionality

    [ec2-user@admin]$ bash --version
    GNU bash, version 5.2.15(1)-release (aarch64-amazon-linux-gnu)
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    
    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
  • Cgroup synchronization: Validated cgroup versions match between host system and container

    • cgroupsv1 on host
      [ssm-user@control]$ test -f /sys/fs/cgroup/cgroup.controllers && echo "cgroupv2" || echo "cgroupv1"
    cgroupv1
    [ssm-user@control]$ enter-admin-container
    Confirming admin container is enabled...
    Waiting for admin container to start...
    Entering admin container
             Welcome to Bottlerocket's admin container!
       ╱╲
      ╱┄┄╲   This container provides access to the Bottlerocket host
      │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
     ╱│  │╲  tools for inspection and troubleshooting.  It is based on
     │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
       ╹╹    would find them on an AL2 host.
    
    To permit more intrusive troubleshooting, including actions that mutate the
    running state of the Bottlerocket host, we provide a tool called "sheltie"
    (`sudo sheltie`).  When run, this tool drops you into a root shell in the
    Bottlerocket host's root filesystem.
    [root@admin]# test -f /sys/fs/cgroup/cgroup.controllers && echo "cgroupv2" || echo "cgroupv1"
    cgroupv1
    [root@admin]# mount | grep cgroup
    tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,context=system_u:object_r:secret_t:s0,mode=755)
    cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,name=systemd)
    cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
    cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_cls,net_prio)
    cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
    cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
    cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
    cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
    cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
    cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
    cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
    cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpu,cpuacct)
    cgroup on /sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,misc)
    tmpfs on /.bottlerocket/rootfs/sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,size=4096k,nr_inodes=1024,mode=755)
    cgroup2 on /.bottlerocket/rootfs/sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,name=systemd)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_cls,net_prio)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpu,cpuacct)
    cgroup on /.bottlerocket/rootfs/sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,misc)
    tmpfs on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,context=system_u:object_r:secret_t:s0,mode=755)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,name=systemd)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_cls,net_prio)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpu,cpuacct)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,misc)
    [root@admin]# /sys/fs/cgroup/
    bash: /sys/fs/cgroup/: Is a directory
    • cgroupsv2 on host
      [ssm-user@control]$ test -f /sys/fs/cgroup/cgroup.controllers && echo "cgroupv2" || echo "cgroupv1"
    cgroupv2
    [ssm-user@control]$ enter-admin-container
    Confirming admin container is enabled...
    Waiting for admin container to start...
    Entering admin container
             Welcome to Bottlerocket's admin container!
       ╱╲
      ╱┄┄╲   This container provides access to the Bottlerocket host
      │▗▖│   filesystems (see /.bottlerocket/rootfs) and contains common
     ╱│  │╲  tools for inspection and troubleshooting.  It is based on
     │╰╮╭╯│  Amazon Linux 2, and most things are in the same places you
       ╹╹    would find them on an AL2 host.
    
    To permit more intrusive troubleshooting, including actions that mutate the
    running state of the Bottlerocket host, we provide a tool called "sheltie"
    (`sudo sheltie`).  When run, this tool drops you into a root shell in the
    Bottlerocket host's root filesystem.
    [root@admin]# test -f /sys/fs/cgroup/cgroup.controllers && echo "cgroupv2" || echo "cgroupv1"
    cgroupv2
    [root@admin]# mount | grep cgroup
    cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel)
    cgroup2 on /.bottlerocket/rootfs/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel)
    cgroup on /.bottlerocket/rootfs/run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel)

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
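The transcript above checks the cgroup version and FIPS state by hand with `test -f /sys/fs/cgroup/cgroup.controllers`, `stat -fc %T` and `cat /proc/sys/crypto/fips_enabled`. The script below is an added example, not code from this PR or the admin container: it wraps those same probes into functions that compare the container's `/sys/fs/cgroup` with the host view under `/.bottlerocket/rootfs`, and returns distinct exit codes for "matched", "mismatched" and "could not classify". The path arguments and the `PREFLIGHT_RUN` variable are assumptions so the functions can be exercised against constructed directories.

```shell
#!/bin/sh
# Added example, not code from the PR: preflight checks for the admin
# container. Paths default to those in the PR's test transcript and can be
# overridden so the functions run against constructed directories.

# Classify a cgroup mount root: "v2" when the filesystem is cgroup2fs or the
# unified hierarchy's cgroup.controllers file exists; "v1" when per-controller
# subdirectories (systemd/, memory/, cpuset/) exist instead; "none" otherwise.
cgroup_version() {
    dir="$1"
    case "$(stat -fc %T "$dir" 2>/dev/null || true)" in
        cgroup2fs) echo v2; return 0 ;;
    esac
    if [ -f "$dir/cgroup.controllers" ]; then
        echo v2
    elif [ -d "$dir/systemd" ] || [ -d "$dir/memory" ] || [ -d "$dir/cpuset" ]; then
        echo v1
    else
        echo none
    fi
}

# Report "enabled" only when the kernel flag (or a constructed stand-in)
# reads exactly 1, the value the PR's transcript shows on a FIPS-enabled AMI.
fips_state() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Compare the container's view of the cgroup tree with the host's, reached
# through /.bottlerocket/rootfs. Exit status: 0 same version, 1 mismatch,
# 2 when either side could not be classified (e.g. not run in the container).
check_cgroup_sync() {
    container="${1:-/sys/fs/cgroup}"
    host="${2:-/.bottlerocket/rootfs/sys/fs/cgroup}"
    cv=$(cgroup_version "$container")
    hv=$(cgroup_version "$host")
    echo "container=$cv host=$hv"
    if [ "$cv" = none ] || [ "$hv" = none ]; then
        return 2
    fi
    [ "$cv" = "$hv" ]
}

# Run both checks against the live system; non-zero on any failure so the
# script can gate a CI job or a boot-time health check.
preflight() {
    rc=0
    check_cgroup_sync "$@" || rc=$?
    echo "fips=$(fips_state)"
    [ "$(fips_state)" = enabled ] || rc=1
    return "$rc"
}

# Only run when invoked with PREFLIGHT_RUN=1, so sourcing is side-effect free.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight
fi
```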

Upgrade the base image from Amazon Linux 2 to Amazon Linux 2023 for improved security, performance, and long-term support.

Signed-off-by: Maher Homsi <[email protected]>

This change ensures cgroup consistency between the Bottlerocket host system and the admin container, preventing resource management conflicts. The implementation synchronizes cgroup configurations between the host and admin container.

Signed-off-by: Maher Homsi <[email protected]>

This change updates bash from 5.1.16 to 5.2.15.

Signed-off-by: Maher Homsi <[email protected]>

Add FIPS 140-2 cryptographic module support to ensure compliance with federal security standards. The change includes FIPS-approved algorithms and proper key management to meet certification requirements.

Signed-off-by: Maher Homsi <[email protected]>
@maherthomsi maherthomsi changed the title Al2023 migration rebase to Amazon Linux 2023 and FIPS Nov 13, 2025
@maherthomsi maherthomsi changed the title rebase to Amazon Linux 2023 and FIPS Rebase to Amazon Linux 2023 and FIPS Nov 13, 2025
@maherthomsi maherthomsi changed the title Rebase to Amazon Linux 2023 and FIPS Rebase to Amazon Linux 2023 and enable FIPS Nov 13, 2025
@maherthomsi maherthomsi force-pushed the al2023-migration branch 2 times, most recently from 39e81ae to f789d98 on November 14, 2025 00:07
@@ -1,16 +1,16 @@
################################################################################
Contributor: nit: for your commit messages please break lines at 75 characters

export XDG_RUNTIME_DIR="/run/user/${UID}"
mkdir -p /run/systemd/system "${XDG_RUNTIME_DIR}"
exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target
exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target
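Review bot: `mkdir -p /run/systemd/system "${XDG_RUNTIME_DIR}"` creates the user runtime directory with whatever the process umask gives, while the XDG Base Directory spec requires `$XDG_RUNTIME_DIR` to be owned by the user with mode 0700, and the `systemd --user` instance exec'd on the next line is the consumer of that directory. Consider creating it in its own step, e.g. `mkdir -p -m 0700 "${XDG_RUNTIME_DIR}"`, so `/run/systemd/system` keeps its usual mode.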
Contributor: You are missing a new line at the end of this file.

# https://ftp.gnu.org/gnu/bash/bash-5.1.16.tar.gz
SHA512 (bash-5.1.16.tar.gz) = a32a343b6dde9a18eb6217602655f72c4098b0d90f04cf4e686fb21b81fc4ef26ade30f7226929fbb7c207cde34617dbad2c44f6103161d1141122bb31dc6c80
# https://ftp.gnu.org/gnu/bash/bash-5.2.15.tar.gz
SHA512 (bash-5.2.15.tar.gz) = 08a67f6da4af7a75ff2b2d5a9eb8fc46d8c6e9ae80ccaf73b51736d6609916861b1f3fced938ce3ea16d014edb324e1a3d8e03f4917f68dc56ffb665316f26c7
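Review bot: the new SHA512 pin for bash-5.2.15.tar.gz is what the build trusts when it fetches the tarball from ftp.gnu.org, so the commit should record how the value was obtained (e.g. checked against the upstream `.sig` with the GNU keyring rather than copied from the download page) so a later reviewer can reproduce the pin.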
Contributor: Same here, you are missing a newline

mkdir -p "${SSH_HOST_KEY_DIR}"
for key_alg in rsa ecdsa ed25519; do
# Skip ED25519 in FIPS mode as it's not allowed
key_algorithms=(rsa ecdsa)
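Review bot: the comment says ED25519 is skipped "in FIPS mode", but in the lines shown `key_algorithms=(rsa ecdsa)` drops it unconditionally, so admin containers on non-FIPS hosts also stop generating an ed25519 host key and any client that pinned that key's fingerprint will see a host-key change. Gate the list on `/proc/sys/crypto/fips_enabled` (which the PR's own testing reads) and keep `ed25519` in the array when it is 0, e.g. `key_algorithms=(rsa ecdsa); [ "$(cat /proc/sys/crypto/fips_enabled)" = 1 ] || key_algorithms+=(ed25519)`.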
Contributor: What's the default size of the RSA key? It must be >= 2048 bits. And for ECDSA, make sure you use a FIPS curve.

Member: Looks like for RSA it's 3072 bits (changed from 2048 in OpenSSH 8.2). ECDSA defaults to P-256, which is a FIPS curve. Of course if we wanted to be extra sure we could set these explicitly to avoid changes in behavior.
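The thread above settles on ssh-keygen's defaults (RSA 3072 bits, ECDSA on P-256) and suggests pinning them explicitly. The script below is an added example, not the PR's start script: it derives the host key algorithm list from the kernel's FIPS flag instead of hard-coding it, and passes explicit key sizes so a future change in ssh-keygen defaults cannot silently alter what is generated. `SSH_HOST_KEY_DIR` is the variable name from the diff; the flag-path parameter and the function names are assumptions made so the selection logic can be tested against a constructed file.

```shell
#!/bin/sh
# Added example, not code from the PR. Selects SSH host key algorithms from
# the kernel FIPS flag and pins key parameters explicitly.

# Print the host key algorithms to generate, one per line. ed25519 is
# omitted only when /proc/sys/crypto/fips_enabled (or the stand-in passed
# as $1) reads exactly 1; a missing or unreadable flag means non-FIPS.
select_host_key_algs() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then
        printf '%s\n' rsa ecdsa
    else
        printf '%s\n' rsa ecdsa ed25519
    fi
}

# Print explicit ssh-keygen parameters for one algorithm: RSA 3072 bits
# (the OpenSSH >= 8.2 default and above the 2048-bit FIPS floor), ECDSA with
# -b 256 (selects the nistp256 / P-256 curve), ed25519 has a fixed size.
host_key_args() {
    case "$1" in
        rsa)     echo "-t rsa -b 3072" ;;
        ecdsa)   echo "-t ecdsa -b 256" ;;
        ed25519) echo "-t ed25519" ;;
        *)       echo "unsupported host key algorithm: $1" >&2; return 1 ;;
    esac
}

# Generate any host key that does not yet exist in SSH_HOST_KEY_DIR.
# Existing keys are left alone so fingerprints stay stable across restarts.
generate_host_keys() {
    dir="${SSH_HOST_KEY_DIR:-/etc/ssh}"
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    mkdir -p "$dir"
    select_host_key_algs "$flag" | while read -r alg; do
        key="$dir/ssh_host_${alg}_key"
        if [ -f "$key" ]; then
            continue
        fi
        # Word-splitting of the argument string is intended here.
        ssh-keygen -q -N '' -f "$key" $(host_key_args "$alg")
    done
}
```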
