From a497ebe0e39cc84896e9cf827938202971429918 Mon Sep 17 00:00:00 2001 From: Kenneth Kehl <@kkehl@flexion.us> Date: Thu, 22 Feb 2024 14:42:08 -0800 Subject: [PATCH] add latest and greatest --- dockerfile_alpine.txt | 176 ------------------ dockerfile_alpine_cryptowheel.txt | 93 --------- dockerfile_ubuntu_cryptowheel_works.txt | 0 ...> dockerfile_ubuntu_python_doesnt_work.txt | 0 4 files changed, 269 deletions(-) delete mode 100644 dockerfile_alpine.txt delete mode 100644 dockerfile_alpine_cryptowheel.txt create mode 100644 dockerfile_ubuntu_cryptowheel_works.txt rename dockerfile_ubuntu_python.txt => dockerfile_ubuntu_python_doesnt_work.txt (100%) diff --git a/dockerfile_alpine.txt b/dockerfile_alpine.txt deleted file mode 100644 index 8a95811f7..000000000 --- a/dockerfile_alpine.txt +++ /dev/null @@ -1,176 +0,0 @@ -FROM alpine:3.19 - - -#### OPENSSL STUFF #### - -ARG OPENSSL_VERSION=3.0.8 - -# Make the fips module using FIPS-approved openssl 3.0.8 -RUN apk add --no-cache --virtual .build-deps \ - make gcc libgcc musl-dev linux-headers perl vim \ - && wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \ - && tar -xf openssl-${OPENSSL_VERSION}.tar.gz\ - && cd openssl-${OPENSSL_VERSION} \ - && ./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl \ - && make \ - && make install \ - && make install_fips - # && apk del .build-deps \ - # && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION} - - - -# Add openssl to the path -ENV PATH="${PATH}:/usr/local/bin" - -# As per documentation, tests have to be run on every machine that uses -# openssl in FIPS mode -WORKDIR "/openssl-3.0.8" -RUN make tests - -# TODO NOTE that we are running tests against /openssl-3.0.8 and not -# against /usr/local/bin. Something is wrong with /usr/local/bin still! - -# TODO why does this say "/etc/ssl" and not "/usr/local/ssl"? -RUN echo "GET THE CONF DIRECTORY HERE" -RUN openssl version -d - - - -# See https://www.openssl.org/docs/manmaster/man7/fips_module.html -RUN echo -e '\ -config_diagnostics = 1\n\ -openssl_conf = openssl_init\n\ -\n\ -.include /usr/local/ssl/fipsmodule.cnf\n\ -\n\ -[openssl_init]\n\ -providers = provider_sect\n\ -alg_section = algorithm_sect\n\ -\n\ -[provider_sect]\n\ -fips = fips_sect\n\ -default = default_sect\n\ -\n\ -[default_sect]\n\ -activate = 1\n\ -\n\ -[algorithm_sect]\n\ -default_properties = fips=yes'\ ->> /usr/local/ssl/openssl.cnf - -# Just to look at what you think you wrote -# RUN cat /usr/local/ssl/openssl.cnf - - -# This tells us what versions of openssl we have and if any are FIPs providers -RUN echo "looking /openssl-3.0.8" -WORKDIR "/openssl-3.0.8" -RUN ls -l -RUN ./util/wrap.pl -fips apps/openssl list -provider-path providers -provider fips -providers - - - -#### PYTHON STUFF #### - -# TODO Note that python does not build successfully with the version of openssl we made above -# It will build successful with a default installation of openssl -# The failure says we are missing a half dozen library files with names like lib-devz and lib-zdev, etc. -# But trying to apk add the listed files results in the same error - -# you can specify python version during image build -ARG PYTHON_VERSION=3.12.2 - -WORKDIR "/" - -# install build dependencies and needed tools -RUN apk add \ - wget \ - gcc \ - make \ - zlib-dev \ - libffi-dev \ - openssl-dev \ - musl-dev - -# download and extract python sources -RUN cd /opt \ - && wget https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz \ - && tar xzf Python-${PYTHON_VERSION}.tgz - -# build python and remove left-over sources -RUN cd /opt/Python-${PYTHON_VERSION} \ - && ./configure --prefix=/usr/local --with-openssl=/openssl-3.0.8 -with-ensurepip=install \ - && make install \ - && rm /opt/Python-${PYTHON_VERSION}.tgz /opt/Python-${PYTHON_VERSION} -rf - -# python doesn't come with cryptography by default so make a fake requirements.txt file to pull -# cryptography in -RUN echo -e '\ -cryptography == 42.0.0'\ ->> ./requirements.txt - -RUN pip3 install -r ./requirements.txt - -# This is a little test everyone uses to see if cryptography is fips-enabled -RUN echo -e '\ -from cryptography.hazmat.backends import default_backend\n\ -def is_fips_enabled():\n\ - try:\n\ - backend = default_backend()\n\ - fips_mode = backend._fips_enabled\n\ - return fips_mode\n\ - except AttributeError:\n\ - return False\n\ -print(f"IS FIPS ENABLED? {is_fips_enabled()}")'\ ->> ./is_fips_enabled.py - -RUN echo "TRYING TO RUN is_fips_enabled.py" -RUN python3 ./is_fips_enabled.py - - - -# Abandoned effort to just build cryptography - -# It seems like we can't install cryptography until we install python, because we need pip -#Try to build cryptography https://cryptography.io/en/latest/installation/ -# RUN apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo pkgconfig -# RUN apk add py3-pip -# RUN pip3 install cryptography --no-binary cryptography -# RUN pip3 wheel --no-cache-dir --no-binary cryptography cryptography - -# TODO in theory if we could retrieve this wheel somehow, we could -# put it somewhere and notifications-utils could pull down this -# version of cartography. And if we did that, our app might be FIPS-compliant - -# TODO NEED TO GET PIP INSTALLED SOMEHOW\ - - -# RUN apk add --no-cache curl gcc python3 musl-dev python3 py3-pip libffi-dev openssl-dev git python3-dev - -# Break system packages to avoid 'system is externally managed' error -# We don't care about this system, and we don't care about poetry -# We are just using it to generate a cryptography wheel -# RUN pip install poetry --break-system-packages - -# ENV OPENSSL_FIPS=1 - -# RUN git clone https://github.com/pyca/cryptography.git -# RUN cd cryptography -# RUN ls -l -# WORKDIR /cryptography - - -# RUN poetry build - -# RUN echo "WTF" -# RUN ls -l - -# RUN apk del gcc musl-dev libffi-dev openssl-dev git python3-dev && \ -# rm -rf /var/cache/apk/* - -# WORKDIR /wheels - -# CMD ["cp", "-r", ".", "/target"] - -# docker run --rm -v "$(pwd)/wheels:/target" cryptography-builder diff --git a/dockerfile_alpine_cryptowheel.txt b/dockerfile_alpine_cryptowheel.txt deleted file mode 100644 index 70f6074b3..000000000 --- a/dockerfile_alpine_cryptowheel.txt +++ /dev/null @@ -1,93 +0,0 @@ -FROM alpine:3.19 - -RUN apk add python3 py3-pip - -#### OPENSSL STUFF #### - -ARG OPENSSL_VERSION=3.0.8 - -# Make the fips module using FIPS-approved openssl 3.0.8 -RUN apk add --no-cache --virtual .build-deps \ - make gcc libgcc musl-dev linux-headers perl vim \ - && wget https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz \ - && tar -xf openssl-${OPENSSL_VERSION}.tar.gz\ - && cd openssl-${OPENSSL_VERSION} \ - && ./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl \ - && make \ - && make install \ - && make install_fips - # && apk del .build-deps \ - # && rm -rf openssl-${OPENSSL_VERSION}.tar.gz openssl-${OPENSSL_VERSION} - - - -# Add openssl to the path -ENV PATH="${PATH}:/usr/local/bin" - -# As per documentation, tests have to be run on every machine that uses -# openssl in FIPS mode -WORKDIR "/openssl-3.0.8" -RUN make tests - -# TODO NOTE that we are running tests against /openssl-3.0.8 and not -# against /usr/local/bin. Something is wrong with /usr/local/bin still! - -# TODO why does this say "/etc/ssl" and not "/usr/local/ssl"? -RUN echo "GET THE CONF DIRECTORY HERE" -RUN openssl version -d - - - -# See https://www.openssl.org/docs/manmaster/man7/fips_module.html -RUN echo -e '\ -config_diagnostics = 1\n\ -openssl_conf = openssl_init\n\ -\n\ -.include /usr/local/ssl/fipsmodule.cnf\n\ -\n\ -[openssl_init]\n\ -providers = provider_sect\n\ -alg_section = algorithm_sect\n\ -\n\ -[provider_sect]\n\ -fips = fips_sect\n\ -default = default_sect\n\ -\n\ -[default_sect]\n\ -activate = 1\n\ -\n\ -[algorithm_sect]\n\ -default_properties = fips=yes'\ ->> /usr/local/ssl/openssl.cnf - -# Just to look at what you think you wrote -# RUN cat /usr/local/ssl/openssl.cnf - - -# This tells us what versions of openssl we have and if any are FIPs providers -RUN echo "looking /openssl-3.0.8" -WORKDIR "/openssl-3.0.8" -RUN ls -l -RUN ./util/wrap.pl -fips apps/openssl list -provider-path providers -provider fips -providers - - -RUN set -e -WORKDIR "/" - -# Have to do --break-system-packages to avoid need for virtual env -# RUN virtualenv env -# RUN . env/bin/activate -RUN pip3 install -U setuptools --break-system-packages -RUN pip3 install -U wheel --break-system-packages -WORKDIR "/openssl-${OPENSSL_VERSION}" -RUN ./config no-shared no-ssl2 no-ssl3 -fPIC --prefix=/openssl-3.0.8/openssl -RUN make && make install -WORKDIR "/" -ARG OPENSSL_DIR="/openssl-3.0.8/openssl" -RUN pip wheel --no-cache-dir --no-binary cryptography cryptography - -# Fails missing some functions, one of which specifically references md. -# Documention at cryptography.io on how to build the wheel specifically says -# to use a non-fips compliant version of openssl to build with, so the guess -# is that fips-compliant openssl makes certain functions unavailable and makes -# the cryptography build blow up. diff --git a/dockerfile_ubuntu_cryptowheel_works.txt b/dockerfile_ubuntu_cryptowheel_works.txt new file mode 100644 index 000000000..e69de29bb diff --git a/dockerfile_ubuntu_python.txt b/dockerfile_ubuntu_python_doesnt_work.txt similarity index 100% rename from dockerfile_ubuntu_python.txt rename to dockerfile_ubuntu_python_doesnt_work.txt