
Commit c11d177

Rework initial fips setup; base on cloud
1 parent f7f244e commit c11d177

3 files changed

+64
-44
lines changed


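--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -21,18 +21,6 @@ apply plugin: 'elasticsearch.dra-artifacts'
 apply plugin: 'elasticsearch.jdk-download'
 apply plugin: 'elasticsearch.repositories'
 
-//// Setup FIPS image jdk
-//project.jdks {
-// ['x64', 'aarch64'].each { architecture ->
-// "fips_linux_${architecture}" {
-// it.platform = "linux"
-// it.version = "17.0.12"
-// it.vendor = VersionProperties.bundledJdkVendor
-// it.architecture = architecture
-// }
-// }
-//}
-
 String buildId = providers.systemProperty('build.id').getOrNull()
 boolean useLocalArtifacts = buildId != null && buildId.isBlank() == false && useDra == false
 
@@ -125,10 +113,8 @@ dependencies {
 filebeat_x86_64 "beats:filebeat:${VersionProperties.elasticsearch}:[email protected]"
 metricbeat_aarch64 "beats:metricbeat:${VersionProperties.elasticsearch}:[email protected]"
 metricbeat_x86_64 "beats:metricbeat:${VersionProperties.elasticsearch}:[email protected]"
-// fips "org.bouncycastle:bcpg-fips:1.0.7.1"
-// fips "org.bouncycastle:bc-fips:1.0.2.4"
-fips "org.bouncycastle:bcprov-jdk18on:1.78.1"
-
+fips "org.bouncycastle:bctls-fips:1.0.17"
+fips "org.bouncycastle:bc-fips:1.0.2.4"
 }
 
 ext.expansions = { Architecture architecture, DockerBase base ->
@@ -468,27 +454,9 @@ void addBuildFipsDockerImageTasks(Architecture architecture) {
 into("resources") {
 from tasks.named('fipsResources')
 }
-into('jdk') {
-// from(files("jdk-17.0.12"))
-eachFile { FileCopyDetails details ->
-if (details.relativePath.segments[-2] == 'bin' || details.relativePath.segments[-1] == 'jspawnhelper') {
-details.permissions {
-unix(0755)
-}
-} else {
-details.permissions {
-unix(0644)
-}
-}
-if (details.name == 'src.zip') {
-details.exclude()
-}
-}
-}
 }
 
-
-String baseSuffix = DockerBase.WOLFI.suffix
+String baseSuffix = DockerBase.CLOUD_ESS.suffix
 from(projectDir.resolve("src/docker/Dockerfile.fips")) {
 expand(
 [
@@ -602,18 +570,19 @@ void addBuildCloudDockerImageTasks(Architecture architecture) {
 }
 
 // fips
-String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
+//String javaSecurityFilename = buildParams.runtimeJavaDetails.get().toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
+String javaSecurityFilename = 'fips_java.security'
 File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
 File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
 File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
-File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
+//File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
 
 TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
 fipsResourcesTask.configure {
 outputDir = fipsResourcesDir
 copy javaSecurityFilename
 copy 'fips_java.policy'
-copy 'cacerts.bcfks'
+// copy 'cacerts.bcfks'
 }
 
 for (final Architecture architecture : Architecture.values()) {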
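Review bot: `javaSecurityFilename` is now fixed to `'fips_java.security'` (new lines 573-574), so the `fipsResources` task exports only that file and `fips_java.policy`, yet `Dockerfile.fips` in this same commit does `COPY fips/resources/fips_java_oracle.security …`; unless that file reaches the `fips/resources` context some other way, the image build fails on that step. Either keep the runtime-JDK-based selection (or export both variants) or change the Dockerfile to copy `fips_java.security`. The commented-out lines (`//String javaSecurityFilename = …`, `//File fipsTrustStore = …`, `// copy 'cacerts.bcfks'`) should be deleted or replaced by a `// TODO:` saying what blocks restoring the BCFKS truststore, since dropping `cacerts.bcfks` leaves the image without a FIPS-format truststore for any outbound TLS unless one is mounted at runtime — confirm that is intended. The `// fips` statement run continues outside the hunk.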

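--- a/distribution/docker/src/docker/Dockerfile.fips
+++ b/distribution/docker/src/docker/Dockerfile.fips
@@ -2,19 +2,64 @@ FROM ${base_image} AS builder
 
 USER root
 
-# Add fips specific files (certified security providers, jdk, config files)
+# Add fips specific files (certified security providers, config files)
 RUN mkdir -p /opt/fips/
 RUN chmod -R 0555 /opt/fips
 COPY fips /opt/fips/
+COPY fips/resources/fips_java_oracle.security /usr/share/elasticsearch/config/fips_java.security
+COPY fips/resources/fips_java.policy /usr/share/elasticsearch/config/fips_java.policy
+
 RUN chown 1000:1000 /opt/fips/*
 RUN chmod 0444 /opt/fips/*
 
+WORKDIR /usr/share/elasticsearch
+RUN cat <<EOF > instance.yml
+instances:
+- name: "node1"
+dns:
+- "node1.example.com"
+cn:
+- "node1.elasticsearch.cluster"
+EOF
+RUN bin/elasticsearch-certutil cert --in instance.yml --self-signed --pem --out certificate-bundle.zip
+RUN unzip certificate-bundle.zip
+RUN cp node1/node1.crt config
+RUN cp node1/node1.key config
+
+WORKDIR /usr/share/elasticsearch/config
+# Add policies for FIPS
+RUN cat <<EOF > elasticsearch.yml
+xpack.security.fips_mode.enabled: true
+xpack.security.enabled: true
+xpack.security.http.ssl.enabled: true
+xpack.security.transport.ssl.enabled: true
+xpack.security.enrollment.enabled: false
+xpack.security.autoconfiguration.enabled: false
+xpack.security.authc.reserved_realm.enabled: false
+xpack.security.http.ssl.key: node1.key
+xpack.security.http.ssl.certificate: node1.crt
+xpack.security.http.ssl.certificate_authorities: node1.crt
+xpack.security.transport.ssl.key: node1.key
+xpack.security.transport.ssl.certificate: node1.crt
+xpack.security.transport.ssl.certificate_authorities: node1.crt
+xpack.security.authc.password_hashing.algorithm: pbkdf2_stretch
+xpack.security.fips_mode.required_providers: ["BCFIPS", "BCJSSE"]
+logger.org.elasticsearch.xpack.security: trace
+discovery.seed_hosts: []
+node.name: node1
+cluster.initial_master_nodes: ["node1"]
+EOF
+
+
+WORKDIR /usr/share/elasticsearch/config/jvm.options.d
+RUN cat <<EOF > fips.options
+-Djava.security.properties=/usr/share/elasticsearch/config/fips_java.security
+-Djava.security.policy=/usr/share/elasticsearch/config/fips_java.policy
+EOF
+
 FROM ${base_image}
-USER root
 
-# COPY --from=builder --chown=0:0 /opt/fips/jdk /opt/jdk
-COPY --from=builder --chown=0:0 /opt/fips/libs/*.jar /usr/share/elasticsearch/lib
-COPY --from=builder --chown=0:0 /opt/fips/resources/fips_java_oracle.security /usr/share/elasticsearch/jdk/conf/security/java.security
-COPY --from=builder --chown=0:0 /opt/fips/resources/fips_java.policy /usr/share/elasticsearch/jdk/conf/security/java.policy
+COPY --from=builder --chown=0:0 /usr/share/elasticsearch/config/ /usr/share/elasticsearch/config
+COPY --from=builder --chown=0:0 /opt/fips/libs/*.jar /usr/share/elasticsearch/lib/
 
 USER 1000:0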
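Review bot: The builder stage writes a freshly generated private key into `config` (`RUN cp node1/node1.key config`, new line 27) and the final stage then copies the whole `/usr/share/elasticsearch/config/` directory (new line 62), so the key and its self-signed certificate are baked into the image layers and shared by every container started from any copy of the image. Key material should instead be generated at container start or mounted at runtime, leaving only the BC-FIPS jars, `fips_java.security`, `fips_java.policy` and `fips.options` in the image. The baked `elasticsearch.yml` also sets `logger.org.elasticsearch.xpack.security: trace`, which is debugging output that should not ship in an image; drop it or gate it behind a build argument. The copied key is `--chown=0:0` while the process runs as `USER 1000:0`, so its readability depends on whatever mode `cp` preserved — if the key stays, give it an explicit `chmod 0600` and ownership by the runtime user.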
Lines changed: 6 additions & 0 deletions
@@ -1,2 +1,8 @@
11
cluster.name: "docker-cluster"
22
network.host: 0.0.0.0
3+
#xpack.security.fips_mode.enabled: true
4+
#xpack.security.autoconfiguration.enabled: false
5+
## xpack.security.fips_mode.required_providers: ["BCFIPS"]
6+
#xpack.security.fips_mode.required_providers: ["BCFIPS", "BCJSSE"]
7+
#xpack.security.authc.password_hashing.algorithm: "pbkdf2_stretch"
8+
## xpack.security.transport.ssl.enabled: true
