|
1 | 1 |
|
2 | 2 | # Kairos framework packages for ubuntu fips |
3 | 3 | # FROM gcr.io/spectro-images-public/kairos/framework:v2.11.7-fips as kairos-fips |
4 | | -FROM quay.io/kairos/framework:v2.11.7-fips as kairos-fips |
| 4 | +FROM quay.io/kairos/framework:v2.11.7-fips AS kairos-fips |
5 | 5 |
|
6 | 6 | # Base ubuntu image (focal) |
7 | | -FROM ubuntu:focal as base |
| 7 | +FROM ubuntu:focal AS base |
8 | 8 |
|
9 | 9 | # Generate os-release file |
10 | | -FROM quay.io/kairos/osbuilder-tools:v0.200.11 as osbuilder |
| 10 | +FROM quay.io/kairos/osbuilder-tools:v0.200.11 AS osbuilder |
11 | 11 | RUN zypper install -y gettext && zypper clean |
12 | 12 | RUN mkdir /workspace |
13 | 13 | COPY --from=base /etc/os-release /workspace/os-release |
@@ -38,6 +38,19 @@ RUN --mount=type=secret,id=pro-attach-config \ |
38 | 38 | && pro attach --attach-config /run/secrets/pro-attach-config \ |
39 | 39 | && apt-get upgrade -y \ |
40 | 40 | && apt-get install -y openssl libssl1.1 libssl1.1-hmac libgcrypt20 libgcrypt20-hmac strongswan strongswan-hmac openssh-client openssh-server linux-image-fips \ |
| 41 | + && LATEST_VERSION=$(apt-cache search --names-only '^linux-image-[0-9].*-fips$' \ |
| 42 | + | awk '{print $1}' \ |
| 43 | + | grep -vE '(azure|aws|gcp)' \ |
| 44 | + | sort -V \ |
| 45 | + | tail -n1 \ |
| 46 | + | sed -E 's/^linux-image-([0-9][^ ]*)-fips$/\1/') && \ |
| 47 | + apt install -y --no-install-recommends \ |
| 48 | + "linux-image-${LATEST_VERSION}-fips" \ |
| 49 | + "linux-modules-${LATEST_VERSION}-fips" \ |
| 50 | + "linux-headers-${LATEST_VERSION}-fips" && \ |
| 51 | + apt-mark hold "linux-image-${LATEST_VERSION}-fips" "linux-modules-${LATEST_VERSION}-fips" && \ |
| 52 | + apt update && apt upgrade -y && \ |
| 53 | + apt install -y --no-install-recommends linux-headers-virtual \ |
41 | 54 | && pro detach --assume-yes |
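Review bot: The new lines 47, 52 and 53 switch from `apt-get` to `apt` inside a chain that otherwise uses `apt-get` (lines 39–40); `apt` is the interactive front end with an unstable scripting interface and hadolint flags it (DL3027), so use `apt-get install`, `apt-get update` and `apt-get upgrade` throughout. `LATEST_VERSION` computed on lines 41–46 is never validated: the pipeline's exit status is that of the final `sed`, so an empty search result (for example if the FIPS repository was not enabled by the attach step) only surfaces later as a confusing failure to install `linux-image--fips`; add `&& test -n "$LATEST_VERSION" \` before the install on line 47. Line 40 already installs the `linux-image-fips` metapackage, so the version-specific install on lines 47–50 appears to duplicate it — if the pinned-and-held kernel is the intent, a comment stating why both remain would help the next maintainer. The enclosing `RUN --mount=type=secret` instruction starts before the hunk.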
42 | 55 |
|
43 | 56 |
|
@@ -115,6 +128,13 @@ RUN apt-get install -y --no-install-recommends \ |
115 | 128 | && apt-get remove -y unattended-upgrades && apt-get clean \ |
116 | 129 | && rm -rf /var/lib/apt/lists/* |
117 | 130 |
|
| 131 | +RUN fips_kernel=$(basename $(ls /lib/modules | grep -- '-fips$' | sort -V | tail -n1)) && \ |
| 132 | + echo "Detected FIPS kernel: $fips_kernel" && \ |
| 133 | + # Remove all other kernel module trees (e.g., -generic) |
| 134 | + find /lib/modules -mindepth 1 -maxdepth 1 -type d ! -name "$fips_kernel" -exec rm -rf {} + && \ |
| 135 | + find /usr/lib/modules -mindepth 1 -maxdepth 1 -type d ! -name "$fips_kernel" -exec rm -rf {} + |
| 136 | + |
| 137 | + |
118 | 138 | # Copy the Kairos framework files. We use master builds here for fedora. See https://quay.io/repository/kairos/framework?tab=tags for a list |
119 | 139 | COPY --from=kairos-fips / / |
120 | 140 |
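Review bot: The kernel selection on line 131 only stops the chain on a missing `-fips` module tree because `basename` happens to fail with no operand; without that accident an empty `$fips_kernel` would turn the `! -name "$fips_kernel"` filters on lines 134–135 into a match for every directory and `rm -rf` would delete all module trees, including the FIPS one. Make the guard explicit instead of parsing `ls`: `fips_kernel=$(cd /lib/modules && printf '%s\n' *-fips | sort -V | tail -n1) && test -d "/lib/modules/$fips_kernel" && \`. The deletion also bypasses dpkg: the package owning the removed tree (e.g. the `-generic` one named in the comment) stays registered, so a later upgrade or reinstall could restore the files; if that package is known, `apt-get purge` it in this step, otherwise record in the comment why the trees are removed by hand. On focal `/lib` is typically a symlink to `/usr/lib`, so the second `find` on line 135 may just repeat the first — confirm against the base image.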