Rebase on Amazon Linux 2023 and add FIPS support

Dockerfile

@@ -1,57 +1,14 @@
-FROM public.ecr.aws/amazonlinux/amazonlinux:2 AS builder
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
 
-# Install build dependencies for the package(s) below
-RUN \
-  yum -y install \
-    autoconf \
-    automake \
-    bison \
-    gettext-devel \
-    libtool \
-    make \
-    pkgconfig \
-    tar \
-    xz
-COPY ./sdk-fetch /usr/local/bin
+RUN dnf install -y \
+    'dnf-command(download)' \
+    cpio
 
-ARG utillinux_version=2.38.1
-ENV utillinux_version=$utillinux_version
+WORKDIR /root/build/util-linux
+RUN dnf download util-linux && \
+    rpm2cpio util-linux-*.rpm | cpio -idmv
 
-ENV HOME=/root
-
-WORKDIR ${HOME}/build
-COPY ./hashes/util-linux ./hashes
-
-RUN \
-  sdk-fetch hashes && \
-  tar -xf util-linux-${utillinux_version}.tar.xz && \
-  rm util-linux-${utillinux_version}.tar.xz hashes
-
-# Build script for SSM session logging
-WORKDIR ${HOME}/build/util-linux-${utillinux_version}
-RUN \
-  ./autogen.sh && ./configure \
-      --disable-makeinstall-chown \
-      --disable-nls \
-      --disable-rpath \
-      --prefix=/opt/util-linux \
-      --without-audit \
-      --without-python \
-      --without-readline \
-      --without-systemd \
-      --without-udev \
-      --without-utempter \
-    || { cat config.log; exit 1; }
-RUN make -j`nproc` lscpu script
-RUN make install-strip
-RUN \
-  mkdir -p /usr/share/licenses/util-linux && cp -p \
-      Documentation/licenses/COPYING.BSD-4-Clause-UC \
-      Documentation/licenses/COPYING.GPL-2.0-or-later \
-      Documentation/licenses/COPYING.LGPL-2.1-or-later \
-    /usr/share/licenses/util-linux
-
-FROM public.ecr.aws/amazonlinux/amazonlinux:2
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
 
 # IMAGE_VERSION is the assigned version from input for this image.
 ARG IMAGE_VERSION
@@ -68,42 +25,47 @@ RUN : \
 
 LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
 
+# Install the arch specific build of SSM agent *and confirm that it installed* -
+# dnf will allow architecture-mismatched packages to not install and consider
+# the run successful.
+# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
+COPY ./hashes/ssm ./hashes
+COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
+RUN dnf update -y && \
+    dnf install -y \
+        crypto-policies-scripts \
+        jq \
+        libutempter \
+        screen \
+        shadow-utils \
+        && \
+    dnf remove -y amazon-ssm-agent && \
+    ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
+    curl -L "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
+        -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    grep "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
+        | sha512sum --check - && \
+    rpm --import amazon-ssm-agent.gpg && \
+    rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    dnf install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    rm "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
+    rm -rf /var/cache/dnf ./hashes && \
+    rmdir /var/lib/amazon/ssm && \
+    ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm
+
 # Copy util-linux binaries and dependencies
-COPY --from=builder /opt/util-linux/bin/lscpu /opt/util-linux/bin/script \
+COPY --from=builder /root/build/util-linux/usr/bin/lscpu /root/build/util-linux/usr/bin/script \
                     /opt/util-linux/bin/
-COPY --from=builder /opt/util-linux/include/libsmartcols \
-                    /opt/util-linux/include/libsmartcols
-COPY --from=builder /opt/util-linux/lib/libsmartcols* \
-                    /opt/util-linux/lib/
-COPY --from=builder /usr/share/licenses/util-linux \
-                    /usr/share/licenses/util-linux
+COPY --from=builder /root/build/util-linux/usr/share/licenses/util-linux/COPYING.BSD-4-Clause-UC \
+                    /root/build/util-linux/usr/share/licenses/util-linux/COPYING.GPL-2.0-or-later \
+                    /root/build/util-linux/usr/share/licenses/util-linux/COPYING.LGPL-2.1-or-later \
+                    /usr/share/licenses/util-linux/
 RUN ln -s /opt/util-linux/bin/* /usr/bin
 
 # Validate lscpu binary
-RUN /usr/bin/lscpu &>/dev/null
+RUN /usr/bin/lscpu
 # Validate script binary
-RUN /usr/bin/script --version &>/dev/null
-
-# Install the arch specific build of SSM agent *and confirm that it installed* -
-# yum will allow architecture-mismatched packages to not install and consider
-# the run successful.
-# SSM Agent is downloaded from eu-north-1 as this region gets new releases of SSM Agent first.
-COPY ./hashes/ssm ./hashes
-COPY ./gpg-keys/amazon-ssm-agent.gpg ./amazon-ssm-agent.gpg
-RUN \
-  ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/') && \
-  curl -L "https://s3.eu-north-1.amazonaws.com/amazon-ssm-eu-north-1/${SSM_AGENT_VERSION}/linux_${ARCH}/amazon-ssm-agent.rpm" \
-       -o "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
-  grep "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" hashes \
-    | sha512sum --check - && \
-  rpm --import amazon-ssm-agent.gpg && \
-  rpm --checksig "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
-  yum update -y && yum install -y jq screen shadow-utils && \
-  yum install -y "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
-  rm "amazon-ssm-agent-${SSM_AGENT_VERSION}.${ARCH}.rpm" && \
-  rm -rf /var/cache/yum ./hashes && \
-  rmdir /var/lib/amazon/ssm && \
-  ln -snf /.bottlerocket/host-containers/current/ssm /var/lib/amazon/ssm
+RUN /usr/bin/script --version
 
 # Add motd explaining the control container.
 RUN rm -f /etc/motd /etc/issue
@@ -121,14 +83,14 @@ ENV ENV=/etc/skel/.bashrc
 
 # Add our helpers to quickly interact with the admin container.
 COPY --chmod=755 \
-  ./disable-admin-container \
-  ./enable-admin-container \
-  ./enter-admin-container \
-  /usr/bin/
+    ./disable-admin-container \
+    ./enable-admin-container \
+    ./enter-admin-container \
+    /usr/bin/
 
 # Create our user in the group that allows API access.
-RUN groupadd -g 274 api
-RUN useradd -m -G users,api ssm-user
+RUN groupadd -g 274 api && \
+    useradd -m -G users,api ssm-user
 
 COPY --chmod=755 start_control_ssm.sh /usr/sbin/
 CMD ["/usr/sbin/start_control_ssm.sh"]

start_control_ssm.sh

@@ -8,6 +8,9 @@ declare -r SSM_AGENT_PERSISTENT_STATE_DIR="${PERSISTENT_STORAGE_BASE_DIR}/ssm"
 declare -r SSM_AGENT_LOCAL_STATE_DIR="/var/lib/amazon/ssm"
 declare -r HOST_CERTS="/.bottlerocket/certs"
 
+#shellcheck disable=SC2155  # If not set then we'll treat it as 0
+declare -r FIPS_MODE_FLAG=$(cat '/proc/sys/crypto/fips_enabled' 2>/dev/null || echo 0)
+
 log() {
   echo "$*" >&2
 }
@@ -65,6 +68,17 @@ fetch_from_json() {
 # then check to see if the user-data file contains ssm at the top-level. If so,
 # attempt to manually register with SSM with a hybrid activation.
 
+if [[ ${FIPS_MODE_FLAG} -eq 1 ]]; then
+  update-crypto-policies --set FIPS 2>/dev/null
+  if [[ "$(cat '/etc/crypto-policies/config')" != "FIPS" ]]; then
+    log "Failed to validate FIPS configuration"
+    exit 1
+  fi
+
+  # Enable the Go Cryptographic Module to operate in FIPS 140-3 mode at runtime
+  export GODEBUG='fips140=on'
+fi
+
 [[ -d "${HOST_CERTS}" ]] && link_host_certs
 
 mkdir -p "${SSM_AGENT_PERSISTENT_STATE_DIR}"