Whether running on the public cloud or a private cloud, the use of containers is ingrained in today’s devops oriented workflows. Having workloads set up to run under the mandated compliance requirements is thus necessary to fully exploit the potential of containers. This article focuses on how to build and run containers that comply with the US and Canada government FIPS140-2 data protection standard. To build Ubuntu 18.04 FIPS140-2 compliant containers you will need the FIPS140-2 certified packages, that can be accessed with an Ubuntu Advantage subscription or with Ubuntu Pro on AWS
In our example we will demonstrate building a FIPS container on an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace. They are preconfigured and optimized for the US and Canada government’s FIPS140-2 data protection standard. They are premium images designed by Canonical and provide the Ubuntu Advantage benefits, without the need for a subscription. Key features include live kernel patching, enabling longer uptimes, and FIPS140-2 certified components to be used for FedRAMP, HIPAA, and PCI use cases. Ubuntu Pro is backed by a 10-year maintenance commitment by Canonical.
Without getting into details of FIPS140-2 it is important to underline that a key concept of FIPS is that its requirements cover the whole system, from kernel to the cryptographic FIPS packages. So when referring to a FIPS container, we are referring to a container image that contains the Ubuntu FIPS cryptographic packages (e.g., libgcrypt, openssl). As container images use the host kernel, that container must run under an Ubuntu FIPS enabled kernel in order to comply with the FIPS requirements . As a rule of thumb, each Ubuntu FIPS container must run under the equivalent Ubuntu version system, with FIPS enabled in the kernel.
The system that will generate the FIPS container must have an Ubuntu Advantage subscription attached to it, or it can be an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace.
To keep things simple, in this article, we will demonstrate how to generate such a container on a public cloud instance (AWS or Azure). On AWS EC2 we will be using the ‘Ubuntu Pro FIPS 18.04 LTS’ AMI, and on Azure the ‘Ubuntu Pro FIPS 18.04 LTS’ image. The example is very similar when using an Ubuntu system with the Ubuntu Advantage subscription attached and FIPS enabled
Launch an ‘Ubuntu Pro FIPS 18.04 LTS’ on AWS or Azure. The instances come with FIPS enabled out of the box. The launched instance will be used to build and run the containers with the FIPS packages.
Once your FIPS worker instance is running, you can generate a FIPS-compliant container as follows. You can adjust the list of packages installed, to include only the necessary ones for your workload.
$ mkdir -p ubuntu18-fips/packages
# install docker
$ sudo apt-get update
$ sudo apt-get install -y docker.io
#start the docker daemon
$ sudo systemctl start docker
# download the FIPS components to be included in the container
$ sudo apt-get clean
$ sudo apt-get install -y --reinstall --download-only
openssh-client openssh-client-hmac openssh-server
openssh-server-hmac strongswan strongswan-hmac
openssh-sftp-server libstrongswan libstrongswan-standard-plugins
strongswan-starter strongswan-libcharon strongswan-charon
openssl libssl1.1 libssl1.1-hmac kcapi-tools libkcapi1
# Next you’ll want to copy those deb packages to your build directory
$ cp /var/cache/apt/archives/*.deb ubuntu18-fips/packages/
$ cd ubuntu18-fips
$ cat >Dockerfile <<_EOF_
FROM ubuntu:18.04
RUN apt-get update
ADD packages packages/
RUN apt-get install -y ./packages/*.deb
RUN apt-get clean
RUN rm -rf ./packages
_EOF_
$ sudo docker build -t ubuntu18-fips .
To test your newly created container, inside the Ubuntu FIPS 18.04 LTS run:
$ sudo docker run -it ubuntu18-fips bash
Your container is now ready and can be pushed to your private registry and used to drive your workloads.
One of the most critical gaps in traditional Large Language Models (LLMs) is that they…
Canonical is continuously hiring new talent. Being a remote- first company, Canonical’s new joiners receive…
What is patching automation? With increasing numbers of vulnerabilities, there is a growing risk of…
Wouldn’t it be wonderful to wake up one day with a desire to explore AI…
Ubuntu and Ubuntu Pro supports Microsoft’s Azure Cobalt 100 Virtual Machines (VMs), powered by their…
Welcome to the Ubuntu Weekly Newsletter, Issue 870 for the week of December 8 –…