[Build] Add FIPS docker image for GovCloud #117152
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
breskeby
added
>non-issue
:Delivery/Build
|
Pinging @elastic/es-delivery (Team:Delivery) |
breskeby
changed the title
breskeby
force-pushed
the
add-fips-docker-image
branch
from
8003e4c to
c11d177
Compare
breskeby
added
the
:Delivery/Packaging
breskeby
force-pushed
the
add-fips-docker-image
branch
3 times, most recently
from
a23256c to
3f203b4
Compare
jakelandis
reviewed
Dec 9, 2024
| CLOUD_ESS(null, "-cloud-ess", "apk"); | ||
| CLOUD_ESS(null, "-cloud-ess", "apk"), | ||
| // Based on WOLFI above, we programmatically extend from the wolfi image. | ||
| FIPS(null, "-fips", "apk"); |
There was a problem hiding this comment.
we need to base the image from: chainguard-base-fips
while the majority of the FIPS compliant for ES is from the JDK/app level, the container itself must also be FIPS compliant.
(EDIT: or is that already the case here ? ...if so, for my own education, how are the tags defined across base and base-fips?)
There was a problem hiding this comment.
we transitively base this on chainguard-base as cloud-ess is based on our es-wolfi image and this is based on chainguard-base. @jakelandis you say this must be chainguard-base-fips instead?
This is coded into distribution/docker/build.gradle
There was a problem hiding this comment.
I need to do more tweaking as but you can test this from the branch by running:
./gradlew buildAarch64FipsDockerImage
# start image directly
docker run elasticsearch-fips:aarch64
# inspect image
docker run -it --entrypoint /bin/bash elasticsearch-fips:aarch64
There was a problem hiding this comment.
@jakelandis With the latest WIP I configure a hardcoded password for the keystore (as it must be >12 characters) Strictly speaking that's fips compliant as I get it, but how is that safe enough if we bake that password into the image itself? each image would have the same keystone password basically public.
It seems we should instead have the ability in ES to ensure we generate dynamically a keystore with fips compliant password without explicitly declaring it?
There was a problem hiding this comment.
you say this must be chainguard-base-fips instead?
Yes, the base image, for this purpose, must also be FIPS compliant.
but how is that safe enough if we bake that password into the image itself? each image would have the same keystone password basically public.
This probably warrants it's own discussion, there is likely some cloud level config needed here.
There was a problem hiding this comment.
@jakelandis I changed the base image to be chainguard-base-fips. One side effect here is that aarch64 is not supported anymore. You can test this with
./gradlew buildFipsDockerImage
# start image directly
docker run elasticsearch-fips:x86_64
# inspect image
docker run -it --entrypoint /bin/bash elasticsearch-fips:x86_64
be6f4c6 to
853068f
Compare
breskeby
force-pushed
the
add-fips-docker-image
branch
from
853068f to
9598e33
Compare
xnox
reviewed
Mar 6, 2025
| xpack.security.http.ssl.enabled: true | ||
| xpack.security.http.ssl.key: node1.key | ||
| xpack.security.http.ssl.certificate: node1.crt | ||
| xpack.security.http.ssl.certificate_authorities: node1.crt |
There was a problem hiding this comment.
these keys will work for netty; but not for BCJSSE in approved only mode.
Was this tested or solved?
There was a problem hiding this comment.
this has been removed
xnox
reviewed
Mar 6, 2025
| # xpack.security.transport.ssl.enabled: true | ||
| # xpack.security.transport.ssl.certificate: node1.crt | ||
| # xpack.security.transport.ssl.certificate_authorities: node1.crt | ||
| # xpack.security.transport.ssl.key: node1.key |
There was a problem hiding this comment.
ah, that's how incompatibility is fixed by turning off xpack.security ssl.
breskeby
force-pushed
the
add-fips-docker-image
branch
from
9598e33 to
85966a5
Compare
breskeby
force-pushed
the
add-fips-docker-image
branch
from
85966a5 to
ea43aeb
Compare
breskeby
force-pushed
the
add-fips-docker-image
branch
from
ea43aeb to
b92d01f
Compare
- Adds docker image based on chainguard base fips image - x86 only for now as base image is x86b only TODO: Add packaging test coverage
breskeby
force-pushed
the
add-fips-docker-image
branch
from
da2a817 to
2ee47f2
Compare
breskeby
added
the
auto-backport
breskeby
added a commit
to breskeby/elasticsearch
that referenced
this pull request
Mar 26, 2025
- Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios)
💔 Backport failed
You can use sqren/backport to manually backport by running |
breskeby
added a commit
to breskeby/elasticsearch
that referenced
this pull request
Mar 26, 2025
- Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios) (cherry picked from commit 653c179) # Conflicts: # build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/distribution/InternalElasticsearchDistributionTypes.java # distribution/docker/build.gradle # distribution/docker/src/docker/Dockerfile
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
breskeby
added a commit
to breskeby/elasticsearch
that referenced
this pull request
Mar 27, 2025
- Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios) (cherry picked from commit 653c179) # Conflicts: # build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/distribution/InternalElasticsearchDistributionTypes.java # distribution/docker/build.gradle # distribution/docker/src/docker/Dockerfile
breskeby
added a commit
that referenced
this pull request
Mar 27, 2025
* [Build] Add FIPS docker image for GovCloud (#117152) - Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios) (cherry picked from commit 653c179) # Conflicts: # build-tools-internal/src/main/java/org/elasticsearch/gradle/internal/distribution/InternalElasticsearchDistributionTypes.java # distribution/docker/build.gradle # distribution/docker/src/docker/Dockerfile * Fix merge conflict while back porting * Fix another merge conflict * Fix fips tests reported as broken due to issue in gradle setup
omricohenn
pushed a commit
to omricohenn/elasticsearch
that referenced
this pull request
Mar 28, 2025
- Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios)
breskeby
added a commit
that referenced
this pull request
Apr 11, 2025
* [Build] Add FIPS docker image for GovCloud (#117152) - Adds docker image based on chainguard base fips image - x86 only for now as the base image is x86 only - the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch The image is shipped with: - org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder - config/jvm.options.d/fips.options for fips specific JVM options - fips_java.security file - fips_java.policy Out of scope: - Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios) * Fix fips tests reported as broken due to issue in gradle setup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The image is shipped with:
Out of scope: