Whether running on the public cloud or a private cloud, the use of containers is ingrained in today’s devops oriented workflows. Having workloads set up to run under the mandated compliance requirements is thus necessary to fully exploit the potential of containers. This article focuses on how to build and run containers that comply with the US and Canada government FIPS140-2 data protection standard. To build Ubuntu FIPS140-2 compliant containers you will need the FIPS140-2 certified packages, that can be accessed with an Ubuntu Advantage subscription or with Ubuntu Pro on AWS or Azure
In our example we will demonstrate building a FIPS container on an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace. They are preconfigured and optimized for the US and Canada government’s FIPS140-2 data protection standard. They are premium images designed by Canonical and provide the Ubuntu Advantage benefits, without the need for a subscription. Key features include live kernel patching, enabling longer uptimes, and FIPS140-2 certified components to be used for FedRAMP, HIPAA, and PCI use cases. Ubuntu Pro is backed by a 10-year maintenance commitment by Canonical.
Without getting into details of FIPS140-2 it is important to underline that a key concept of FIPS is that its requirements cover the whole system, from kernel to the cryptographic FIPS packages. So when referring to a FIPS container, we are referring to a container image that contains the Ubuntu FIPS cryptographic packages (e.g., libgcrypt, openssl). As container images use the host kernel, that container must run under an Ubuntu FIPS enabled kernel in order to comply with the FIPS requirements . As a rule of thumb, each Ubuntu FIPS container must run under the equivalent Ubuntu version system, with FIPS enabled in the kernel.
The system that will generate the FIPS container must have an Ubuntu Advantage subscription attached to it, or it can be an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace.
To keep things simple, in this article, we will demonstrate how to generate such a container on a public cloud instance (AWS or Azure). On AWS EC2 we will be using the ‘Ubuntu Pro FIPS 18.04 LTS’ AMI, and on Azure the ‘Ubuntu Pro FIPS 18.04 LTS’ image. The example is very similar when using an Ubuntu system with the Ubuntu Advantage subscription attached and FIPS enabled
Generate the container with the necessary FIPS components
Launch an ‘Ubuntu Pro FIPS 18.04 LTS’ on AWS or Azure. The instances come with FIPS enabled out of the box. The launched instance will be used to build and run the containers with the FIPS packages.
Once your FIPS worker instance is running, you can generate a FIPS-compliant container as follows. You can adjust the list of packages installed, to include only the necessary ones for your workload.
$ mkdir -p ubuntu18-fips/packages # install docker $ sudo apt-get update $ sudo apt-get install -y docker.io #start the docker daemon $ sudo systemctl start docker # download the FIPS components to be included in the container $ sudo apt-get clean $ sudo apt-get install -y --reinstall --download-only openssh-client openssh-client-hmac openssh-server openssh-server-hmac strongswan strongswan-hmac openssh-sftp-server libstrongswan libstrongswan-standard-plugins strongswan-starter strongswan-libcharon strongswan-charon openssl libssl1.1 libssl1.1-hmac kcapi-tools libkcapi1 # Next you’ll want to copy those deb packages to your build directory $ cp /var/cache/apt/archives/*.deb ubuntu18-fips/packages/ $ cd ubuntu18-fips $ cat >Dockerfile <<_EOF_ FROM ubuntu:18.04 RUN apt-get update ADD packages packages/ RUN apt-get install -y ./packages/*.deb RUN apt-get clean RUN rm -rf ./packages _EOF_ $ sudo docker build -t ubuntu18-fips .
To test your newly created container, inside the Ubuntu FIPS 18.04 LTS run:
$ sudo docker run -it ubuntu18-fips bash
Your container is now ready and can be pushed to your private registry and used to drive your workloads.
- You can create and run FIPS-enabled containers on any host with a valid Ubuntu Advantage subscription or on Ubuntu Pro FIPS images.
- You can run FIPS-enabled containers only on FIPS-enabled hosts to comply with the FIPS140-2 requirements.