Test build for #1092
SUSE Update Bot committed Sep 3, 2024
1 parent 9c56c01 commit af88c51
Showing 88 changed files with 261 additions and 4,108 deletions.
7 changes: 7 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,7 @@
---
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
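Review bot: only the `github-actions` ecosystem is covered here; the Python dependencies that the workflows install with `poetry install` (tracked in `poetry.lock`) get no update PRs, so consider a second `pip` entry for the repository root. `interval: "daily"` also opens one PR per action bump as soon as it lands; `weekly` is usually enough for a CI-only repository.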
2 changes: 1 addition & 1 deletion .github/workflows/changelog_checker.yml
Expand Up @@ -32,7 +32,7 @@ jobs:

- name: check the changelog
run: |
poetry run ./scratch-build-bot.py \
poetry run scratch-build-bot \
--os-version 3 -vvvv \
changelog_check \
--base-ref origin/${{ github.base_ref }} \
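Review bot: the step now invokes the `scratch-build-bot` console script instead of `./scratch-build-bot.py`, which only works if the entry point is declared in the project's packaging metadata and installed by the `poetry install` step that precedes it (not visible in this hunk); otherwise the step fails with "command not found". Any other workflow still calling the script path should receive the same change in this commit.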
57 changes: 57 additions & 0 deletions .github/workflows/find-missing-packages.yml
@@ -0,0 +1,57 @@
---
name: Check whether packages are missing on OBS

on:
push:
branches:
- 'sle15-sp3'

jobs:
create-issues-for-dan:
name: create an issue for Dan to create the packages in devel:BCI
runs-on: ubuntu-latest
container: ghcr.io/dcermak/bci-ci:latest

strategy:
fail-fast: false

steps:
# we need all branches for the build checks
- uses: actions/checkout@v3
with:
fetch-depth: 0
ref: main
token: ${{ secrets.CHECKOUT_TOKEN }}

- uses: actions/cache@v3
with:
path: ~/.cache/pypoetry/virtualenvs
key: poetry-${{ hashFiles('poetry.lock') }}

- name: fix the file permissions of the repository
run: chown -R $(id -un):$(id -gn) .

- name: install python dependencies
run: poetry install

- name: find the packages that are missing
run: |
pkgs=$(poetry run scratch-build-bot --os-version 3 find_missing_packages)
if [[ ${pkgs} = "" ]]; then
echo "missing_pkgs=false" >> $GITHUB_ENV
else
echo "missing_pkgs=true" >> $GITHUB_ENV
echo "pkgs=${pkgs}" >> $GITHUB_ENV
fi
cat test-build.env >> $GITHUB_ENV
env:
OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }}
OSC_USER: "defolos"

- uses: JasonEtco/create-an-issue@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
update_existing: true
filename: ".github/create-package.md"
if: env.missing_pkgs == 'true'
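Review bot: this job handles `OSC_PASSWORD`, `CHECKOUT_TOKEN` and `GITHUB_TOKEN`, yet it runs inside `ghcr.io/dcermak/bci-ci:latest` and calls `JasonEtco/create-an-issue@v2`, both mutable references; pin the container image by digest and the third-party action by commit SHA so that a retagged image or action cannot read those secrets. Two smaller points in the "find the packages that are missing" step: `echo "pkgs=${pkgs}" >> $GITHUB_ENV` corrupts `GITHUB_ENV` if `find_missing_packages` prints more than one line (use the `pkgs<<EOF` heredoc form for multi-line values), and the checkout uses `ref: main` although the workflow only triggers on pushes to `sle15-sp3`, so confirm that checking out `main` is intended.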
122 changes: 15 additions & 107 deletions .obs/workflows.yml
Expand Up @@ -3,122 +3,30 @@ staging_build:
steps:
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: python-3.6
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: python-3.9
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: rmt-nginx
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: pcp-image
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: rmt-server
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: golang-1.18
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: ruby-2.5-image
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: nodejs-14
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: nodejs-16
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: openjdk-11-devel
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: openjdk-11
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: init
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: rmt-mariadb
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: rmt-mariadb-client
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: minimal
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
- branch_package:
source_project: home:defolos:BCI:CR:SLE-15-SP3
source_package: micro
source_package: base-fips-image
target_project: home:defolos:BCI:CR:SLE-15-SP3:Staging
filters:
event: pull_request

refresh_devel_BCI:
refresh_staging_project:
steps:
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: python-3.6
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: python-3.9
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: rmt-nginx
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: pcp-image
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: rmt-server
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: golang-1.18
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: ruby-2.5-image
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: nodejs-14
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: nodejs-16
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: openjdk-11-devel
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: openjdk-11
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: init
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: rmt-mariadb
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: rmt-mariadb-client
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: minimal
project: home:defolos:BCI:CR:SLE-15-SP3
package: _project
filters:
event: push
branches:
only:
- sle15-sp3


refresh_devel_BCI:
steps:
- trigger_services:
project: devel:BCI:SLE-15-SP3
package: micro
package: base-fips-image
filters:
event: push
branches:
only:
- sle15-sp3
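Review bot: this hunk removes every existing package (python-3.6 through micro) from `staging_build` and from the `trigger_services` list, leaving only `base-fips-image`, and repoints the renamed `refresh_staging_project` at `_project` of `home:defolos:BCI:CR:SLE-15-SP3`. For a test build of #1092 that is expected, but the commit must not be merged in this state, since the staging workflow would stop building and refreshing all other images on `sle15-sp3`.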
66 changes: 66 additions & 0 deletions base-fips-image/Dockerfile
@@ -0,0 +1,66 @@
# SPDX-License-Identifier: MIT

# Copyright (c) 2024 SUSE LLC

# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon.

# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
# It is maintained by the BCI team and generated by
# https://github.com/SUSE/BCI-dockerfile-generator

# Please submit bugfixes or comments via https://bugs.opensuse.org/
# You can contact the BCI team via https://github.com/SUSE/bci/discussions

#!ExclusiveArch: x86_64
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%
#!BuildName: suse-ltss-sle15.3-bci-base-fips-%OS_VERSION_ID_SP%
#!BuildVersion: 15.3
FROM suse/ltss/sle15.3/sle15:15.3

RUN set -euo pipefail; zypper -n in --no-recommends sles-ltss-release fipscheck; zypper -n clean; rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2}

# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.sle.base-fips
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE LTSS BCI 15 SP3 FIPS-140-2"
LABEL org.opencontainers.image.description="15 SP3 FIPS-140-2 container based on the SLE LTSS Base Container Image."
LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/long-term-service-pack-support/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.source="%SOURCEURL%"
LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.opensuse.reference="registry.suse.com/suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.supportlevel.until="2025-12-31"
LABEL com.suse.eula="sle-eula"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle#suse-linux-enterprise-server-15"
LABEL com.suse.release-stage="released"
# endlabelprefix
LABEL io.artifacthub.package.readme-url="%SOURCEURL%/README.md"
LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/openssl-1_1-1.1.1d-11.20.1.x86_64.rpm
COPY openssl-1_1-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm
COPY libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm
COPY libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-1.8.2-8.36.1.x86_64.rpm
COPY libgcrypt20-1.8.2-8.36.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm
COPY libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm .
RUN set -euo pipefail; \
[ $(LC_ALL=C rpm --checksig -v *rpm | \
grep -c -E "^ *V3.*key ID 39db7c82: OK") = 5 ] \
&& rpm -Uvh --oldpackage --force *.rpm \
&& rm -vf *.rpm \
&& rpmqpack | grep -E '(openssl|libgcrypt)' | xargs zypper -n addlock

ENV OPENSSL_FIPS=1
ENV OPENSSL_FORCE_FIPS_MODE=1
ENV LIBGCRYPT_FORCE_FIPS_MODE=1
ENV GNUTLS_FORCE_FIPS_MODE=1
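Review bot: `rpm -Uvh --oldpackage --force *.rpm` in the second `RUN` bypasses rpm's dependency and version checks to downgrade openssl-1_1 and libgcrypt20 to the certified SP2/SP1 builds. The preceding `rpm --checksig` gate (exactly 5 `V3 ... key ID 39db7c82: OK` lines) fails closed when a signature is missing or the key is not in the keyring, which is right, but it only proves the files are signed with that key, not that they are the intended versions; the versions are fixed by the `#!RemoteAssetUrl` paths and `COPY` names, so consider having the generator record expected checksums next to them. The `zypper addlock` on everything matching `(openssl|libgcrypt)` is what keeps later `zypper` runs from upgrading the modules out of the certified state and deserves a comment. Also, the `usage` label says the image should only run on a FIPS-enabled host while the `*_FORCE_FIPS_MODE=1` ENVs enforce FIPS in the libraries regardless of the host; the README explains the distinction, the label does not.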
110 changes: 110 additions & 0 deletions base-fips-image/README.md
@@ -0,0 +1,110 @@

# The SUSE Linux Enterprise 15 SP3 LTSS FIPS-140-2 container image

![Access Protected](https://img.shields.io/badge/Requires_login_for_access-orange)
![Long Term Service Pack Support](https://img.shields.io/badge/LTSS-Yes-orange)
[![SLSA](https://img.shields.io/badge/SLSA_(v0.1)-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/)
[![Provenance: Available](https://img.shields.io/badge/Provenance-Available-Green)](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify)

## Description


This SUSE Linux Enterprise 15 SP3 LTSS-based container image includes the
SLES 15 FIPS-140-2 certified OpenSSL and libgcrypt modules. The image is
designed to run on a FIPS-140-2 compliant SUSE Linux Enterprise Server 15 SP3
host environment. Although it is configured to enforce FIPS mode, the FIPS
certification requires a host kernel in FIPS mode to be fully compliant.

The [FIPS-140-2 certified OpenSSL module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3991.pdf)
is a cryptographic module that provides a FIPS-140-2 compliant
cryptographic library. The module is certified by the National
Institute of Standards and Technology (NIST).

The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the
standard OpenSSL library. It provides the same functionality as the standard
OpenSSL library, with additional security features to meet the FIPS-140-2
requirements.

Similarly, the [FIPS-140-2 certified libgcrypt module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3848.pdf)
is a drop-in replacement for the standard libgcrypt library. It provides the
same functionality as the standard libgcrypt library, with the additional
security features enforced to meet FIPS-140-2 requirements.


## Usage
The image is configured to enforce the use of FIPS mode by default,
independent of the host environment setup by specifying the following
environment variables:
* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode
* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel
* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing

Below is a list of other environment variables that can be used to configure the OpenSSL library:

* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate
the acceptable key sizes of RSA.
## Accessing the container image

Accessing this container image requires a valid SUSE subscription. In order
to access the container image, you must login to the SUSE Registry with your credentials.
There are three ways to do that which are described below. The first two methods
leverage the system registration of your host system, while the third method
requires you to obtain the organisation SCC mirroring credentials.

### Use the system registration of your host system

If the host system you are using to build or run a container is already registered with
the correct subscription required for accessing the LTSS container images, you can use
the registration information from the host to log in to the registry.

The file `/etc/zypp/credentials.d/SCCcredentials` contains a username and a password.
These credentials allow you to access any container that is available under the
subscription of the respective host system. You can use these credentials to log
in to SUSE Registry using the following commands
(use the leading space before the echo command to avoid storing the credentials in the
shell history):

```ShellSession
set +o history
echo PASSWORD | podman login -u USERNAME --password-stdin registry.suse.com
set -o history
```

### Use a separate SUSE Customer Center registration code

If the host system is not registered with SUSE Customer Center, you can use a valid
SUSE Customer Center registration code to log in to the registry:

```ShellSession
set +o history
echo SCC_REGISTRATION_CODE | podman login -u "regcode" --password-stdin registry.suse.com
set -o history
```
The user parameter in this case is the verbatim string `regcode`, and
`SCC_REGISTRATION_CODE` is the actual registration code obtained from SUSE.

### Use the organization mirroring credentials

You can also use the organization mirroring credentials to log in to the
SUSE Registry:

```ShellSession
set +o history
echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com
set -o history
```

These credentials give you access to all subscriptions the organization owns,
including those related to container images in the SUSE Registry.
The credentials are highly privileged and should be preferably used for
a private mirroring registry only.
## Licensing

`SPDX-License-Identifier: MIT`

This documentation and the build recipe are licensed as MIT.
The container itself contains various software components under various open source licenses listed in the associated
Software Bill of Materials (SBOM).

This image is based on [SUSE Linux Enterprise Server](https://www.suse.com/products/server/), a reliable,
secure, and scalable server operating system built to power mission-critical workloads in physical and virtual environments.
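Review bot: the prose before the first login example says to "use the leading space before the echo command to avoid storing the credentials in the shell history", but all three code blocks use `set +o history` / `set -o history` instead (and a leading space only works when `HISTCONTROL` includes `ignorespace`); make the sentence match the blocks. The "Usage" list omits `GNUTLS_FORCE_FIPS_MODE=1`, which the Dockerfile in this commit sets alongside the other three variables. Markdown points: `## Accessing the container image` and `## Licensing` need a blank line before them, and "Below is a list of other environment variables" introduces a single item.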
2 changes: 1 addition & 1 deletion init/_service → base-fips-image/_service
@@ -1,4 +1,4 @@
<services>
<service mode="buildtime" name="docker_label_helper"/>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="kiwi_label_helper"/>
</services>
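Review bot: the rendering drops the +/- markers, so it is not visible which of `kiwi_metainfo_helper` and `kiwi_label_helper` was added and which removed; please state the intended service list in the commit message. The header shows this file moved from `init/_service`, consistent with `init` being dropped from `.obs/workflows.yml` above, so confirm the move (rather than a copy) is intended.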