diff --git a/build.assets/Dockerfile-fips b/build.assets/Dockerfile-fips
deleted file mode 100644
index 181ec49d7e13..000000000000
--- a/build.assets/Dockerfile-fips
+++ /dev/null
@@ -1,187 +0,0 @@
-# This Dockerfile makes the FIPS "build box": the container used to build official
-# FIPS releases of Teleport and its documentation.
-
-
-FROM ubuntu:18.04 as boringssl
-# The below tools are required in order to build and compile the module:
-# Clang compiler version 7.0.1
-# Go programming language version 1.12.7
-# Ninja build system version 1.9.0
-#
-# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
-# For more information please refer to the section 12. Guidance and Secure Operation of:
-# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
-
-RUN apt-get update -y --fix-missing && \
- apt-get -q -y upgrade && \
- apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
- apt-get install -q -y --no-install-recommends \
- build-essential \
- cmake \
- git \
- tar \
- xz-utils \
- unzip \
- zip \
- && \
- apt-get -y clean && \
- rm -rf /var/lib/apt/lists/*
-
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
- echo "e74ce06d99ed9ce42898e22d2a966f71ae785bdf4edbded93e628d696858921a" "clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" | sha256sum --check && \
- tar xJf clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
- rm -f clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz
-ENV PATH="/opt/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
-
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
- echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
- tar xf go1.12.7.linux-amd64.tar.gz && \
- rm -f go1.12.7.linux-amd64.tar.gz && \
- chmod a+w /opt/go && \
- chmod a+w /var/lib && \
- chmod a-w /
-ENV GOPATH="/go" \
- GOROOT="/opt/go" \
- PATH="$PATH:/opt/go/bin:/go/bin"
-
-RUN mkdir -p /opt && cd /opt && \
- curl -sLO https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip && \
- echo "1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305" "ninja-linux.zip" | sha256sum --check && \
- unzip ninja-linux.zip && \
- rm -f ninja-linux.zip && \
- mv /opt/ninja /usr/bin
-
-RUN mkdir -p /opt && cd /opt && \
- git clone https://github.com/google/boringssl.git && \
- cd boringssl && \
- git checkout ae223d6138807a13006342edfeef32e813246b39 && \
- mkdir build && \
- cd build && \
- cmake -DFIPS=1 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -GNinja .. && \
- ninja
-
-
-# Use Ubuntu 18.04 as base to get an older glibc version.
-# Using a newer base image will build against a newer glibc, which creates a
-# runtime requirement for the host to have newer glibc too. For example,
-# teleport built on any newer Ubuntu version will not run on Centos 7 because
-# of this.
-FROM ubuntu:18.04
-
-COPY locale.gen /etc/locale.gen
-COPY profile /etc/profile
-
-ENV LANGUAGE="en_US.UTF-8" \
- LANG="en_US.UTF-8" \
- LC_ALL="en_US.UTF-8" \
- LC_CTYPE="en_US.UTF-8" \
- DEBIAN_FRONTEND="noninteractive"
-
-RUN apt-get update -y --fix-missing && \
- apt-get -q -y upgrade && \
- apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
- apt-get install -q -y --no-install-recommends \
- clang-10 \
- clang-format-10 \
- gcc \
- git \
- gzip \
- libc6-dev \
- libelf-dev \
- libpam-dev \
- libsqlite3-0 \
- llvm-10 \
- locales \
- make \
- net-tools \
- openssh-client \
- pkg-config \
- tar \
- tree \
- unzip \
- zip \
- zlib1g-dev \
- && \
- dpkg-reconfigure locales && \
- apt-get -y clean && \
- rm -rf /var/lib/apt/lists/*
-
-ARG UID
-ARG GID
-RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
- mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
-
-# Install etcd.
-RUN (curl -L https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
- cp etcd-v3.3.9-linux-amd64/etcd* /bin/)
-
-# Install Go.
-ARG GOLANG_VERSION
-RUN mkdir -p /opt && cd /opt && curl https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
- mkdir -p /go/src/github.com/gravitational/teleport && \
- chmod a+w /go && \
- chmod a+w /var/lib && \
- chmod a-w /
-ENV GOEXPERIMENT=boringcrypto \
- GOPATH="/go" \
- GOROOT="/opt/go" \
- PATH="$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
-
-ARG BUILDARCH
-
-# Install Nodejs
-ARG NODE_VERSION
-ENV NODE_PATH="/usr/local/lib/nodejs-linux"
-ENV PATH="$PATH:${NODE_PATH}/bin"
-RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
- export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
- mkdir -p ${NODE_PATH} && \
- curl -o /tmp/nodejs.tar.xz -L ${NODE_URL} && \
- tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
-RUN corepack enable yarn
-
-# Install libbpf
-ARG LIBBPF_VERSION
-RUN mkdir -p /opt && cd /opt && \
- curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
- cd /opt/libbpf-${LIBBPF_VERSION}/src && \
- make && \
- make install
-
-# Install PAM module and policies for testing.
-COPY pam/ /opt/pam_teleport/
-RUN make -C /opt/pam_teleport install
-
-ARG RUST_VERSION
-ENV RUSTUP_HOME=/usr/local/rustup \
- CARGO_HOME=/usr/local/cargo \
- PATH=/usr/local/cargo/bin:$PATH \
- RUST_VERSION=$RUST_VERSION
-
-RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
- mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
-
-# Install Rust using the ci user, as that is the user that
-# will run builds using the Rust toolchains we install here.
-USER ci
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
- rustup --version && \
- cargo --version && \
- rustc --version && \
- rustup component add rustfmt clippy && \
- rustup target add aarch64-unknown-linux-gnu
-
-# Copy BoringSSL into the final image
-COPY --from=boringssl /opt/boringssl /opt/boringssl
-
-# set boring-rs crate env variables to point to pre-built binaries
-# https://github.com/cloudflare/boring#support-for-pre-built-binaries
-ENV BORING_BSSL_PATH=/opt/boringssl
-ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
-
-VOLUME ["/go/src/github.com/gravitational/teleport"]
-EXPOSE 6600 2379 2380
diff --git a/build.assets/Makefile b/build.assets/Makefile
index 84d6aab08670..63de1fcfea50 100644
--- a/build.assets/Makefile
+++ b/build.assets/Makefile
@@ -161,20 +161,7 @@ buildbox:
 # Builds a Docker buildbox for FIPS
 #
 .PHONY:buildbox-fips
-buildbox-fips:
- if [[ "$(BUILDBOX_FIPS_NAME)" == "$(BUILDBOX_FIPS)" ]]; then \
- if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_FIPS) || true; fi; \
- docker build \
- --build-arg UID=$(UID) \
- --build-arg GID=$(GID) \
- --build-arg BUILDARCH=$(RUNTIME_ARCH) \
- --build-arg GOLANG_VERSION=$(GOLANG_VERSION) \
- --build-arg NODE_VERSION=$(NODE_VERSION) \
- --build-arg RUST_VERSION=$(RUST_VERSION) \
- --build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
- --cache-from $(BUILDBOX_FIPS) \
- --tag $(BUILDBOX_FIPS) -f Dockerfile-fips . ; \
- fi
+buildbox-fips: buildbox-centos7-fips
 
 #
 # Builds a Docker buildbox for CentOS 7 builds
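Review bot: `buildbox-fips` is now only an alias for `buildbox-centos7-fips`, but the `# Builds a Docker buildbox for FIPS` context comment above it still describes the deleted Dockerfile-fips build; change it to `# Alias for buildbox-centos7-fips (Dockerfile-fips has been removed)` so nobody expects a `-fips` tagged image from this target. Because images.mk drops `BUILDBOX_FIPS` in the same commit, any remaining `$(BUILDBOX_FIPS)` or `BUILDBOX_FIPS_NAME` use elsewhere in the Makefile (for example in the `release-fips` target the old recipe invoked, which is not visible here) would now expand to empty; those references should be grepped for and removed or repointed. The deleted Dockerfile-fips pinned BoringSSL to the FIPS-validated commit and verified a sha256 for every downloaded toolchain, so it is worth confirming that the Dockerfile behind `buildbox-centos7-fips` carries equivalent pins and checksum checks, since that is what the FIPS claim of this alias now rests on. The same alias pattern is used for `release-amd64-fips` in the later hunk, where the old recipe passed `FIPS=yes` explicitly and the new prerequisite is assumed to do so itself.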
@@ -226,20 +213,6 @@ buildbox-arm: buildbox
 --cache-from $(BUILDBOX_ARM) \
 --tag $(BUILDBOX_ARM) -f Dockerfile-arm .
 
-#
-# Builds a Docker buildbox for ARMv7/ARM64 FIPS builds
-# ARM buildboxes use a regular Teleport buildbox as a base which already has a user
-# with the correct UID and GID created, so those arguments are not needed here.
-#
-.PHONY:buildbox-arm-fips
-buildbox-arm-fips: buildbox-fips
- @if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_ARM_FIPS) 2>&1 >/dev/null; then docker pull $(BUILDBOX_ARM_FIPS) || true; fi;
- docker build \
- --build-arg BUILDBOX_VERSION=$(BUILDBOX_VERSION) \
- --cache-from $(BUILDBOX_FIPS) \
- --cache-from $(BUILDBOX_ARM_FIPS) \
- --tag $(BUILDBOX_ARM_FIPS) -f Dockerfile-arm-fips .
-
 CONNECT_VERSION ?= $(VERSION)
 ifeq ($(CONNECT_VERSION),)
 CONNECT_VERSION := $(BUILDBOX_VERSION)-dev
@@ -428,8 +401,7 @@ release-amd64:
 $(MAKE) release ARCH=amd64 FIDO2=yes
 
 .PHONY: release-amd64-fips
-release-amd64-fips:
- $(MAKE) release-fips ARCH=amd64 FIPS=yes BUILDBOX_FIPS_NAME=$(BUILDBOX_FIPS)
+release-amd64-fips: release-amd64-centos7-fips
 
 .PHONY: release-386
 release-386:
diff --git a/build.assets/images.mk b/build.assets/images.mk
index bc45106a60a3..5eb8a3b2aa9b 100644
--- a/build.assets/images.mk
+++ b/build.assets/images.mk
@@ -6,11 +6,9 @@ BUILDBOX_VERSION ?= teleport14 BUILDBOX_BASE_NAME ?= public.ecr.aws/gravitational/teleport-buildbox BUILDBOX=$(BUILDBOX_BASE_NAME):$(BUILDBOX_VERSION) -BUILDBOX_FIPS=$(BUILDBOX_BASE_NAME)-fips:$(BUILDBOX_VERSION) BUILDBOX_CENTOS7=$(BUILDBOX_BASE_NAME)-centos7:$(BUILDBOX_VERSION) BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION) BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION) -BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION) BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION) BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION) BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION)