-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
SUSE Update Bot
committed
Sep 3, 2024
1 parent
9c56c01
commit af88c51
Showing
88 changed files
with
261 additions
and
4,108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
version: 2 | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "daily" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
--- | ||
name: Check whether packages are missing on OBS | ||
|
||
on: | ||
push: | ||
branches: | ||
- 'sle15-sp3' | ||
|
||
jobs: | ||
create-issues-for-dan: | ||
name: create an issue for Dan to create the packages in devel:BCI | ||
runs-on: ubuntu-latest | ||
container: ghcr.io/dcermak/bci-ci:latest | ||
|
||
strategy: | ||
fail-fast: false | ||
|
||
steps: | ||
# we need all branches for the build checks | ||
- uses: actions/checkout@v3 | ||
with: | ||
fetch-depth: 0 | ||
ref: main | ||
token: ${{ secrets.CHECKOUT_TOKEN }} | ||
|
||
- uses: actions/cache@v3 | ||
with: | ||
path: ~/.cache/pypoetry/virtualenvs | ||
key: poetry-${{ hashFiles('poetry.lock') }} | ||
|
||
- name: fix the file permissions of the repository | ||
run: chown -R $(id -un):$(id -gn) . | ||
|
||
- name: install python dependencies | ||
run: poetry install | ||
|
||
- name: find the packages that are missing | ||
run: | | ||
pkgs=$(poetry run scratch-build-bot --os-version 3 find_missing_packages) | ||
if [[ ${pkgs} = "" ]]; then | ||
echo "missing_pkgs=false" >> $GITHUB_ENV | ||
else | ||
echo "missing_pkgs=true" >> $GITHUB_ENV | ||
echo "pkgs=${pkgs}" >> $GITHUB_ENV | ||
fi | ||
cat test-build.env >> $GITHUB_ENV | ||
env: | ||
OSC_PASSWORD: ${{ secrets.OSC_PASSWORD }} | ||
OSC_USER: "defolos" | ||
|
||
- uses: JasonEtco/create-an-issue@v2 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
update_existing: true | ||
filename: ".github/create-package.md" | ||
if: env.missing_pkgs == 'true' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# SPDX-License-Identifier: MIT | ||
|
||
# Copyright (c) 2024 SUSE LLC | ||
|
||
# All modifications and additions to the file contributed by third parties | ||
# remain the property of their copyright owners, unless otherwise agreed | ||
# upon. | ||
|
||
# The content of THIS FILE IS AUTOGENERATED and should not be manually modified. | ||
# It is maintained by the BCI team and generated by | ||
# https://github.com/SUSE/BCI-dockerfile-generator | ||
|
||
# Please submit bugfixes or comments via https://bugs.opensuse.org/ | ||
# You can contact the BCI team via https://github.com/SUSE/bci/discussions | ||
|
||
#!ExclusiveArch: x86_64 | ||
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP% | ||
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE% | ||
#!BuildName: suse-ltss-sle15.3-bci-base-fips-%OS_VERSION_ID_SP% | ||
#!BuildVersion: 15.3 | ||
FROM suse/ltss/sle15.3/sle15:15.3 | ||
|
||
RUN set -euo pipefail; zypper -n in --no-recommends sles-ltss-release fipscheck; zypper -n clean; rm -rf /var/log/{lastlog,tallylog,zypper.log,zypp/history,YaST2} | ||
|
||
# Define labels according to https://en.opensuse.org/Building_derived_containers | ||
# labelprefix=com.suse.sle.base-fips | ||
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" | ||
LABEL org.opencontainers.image.title="SLE LTSS BCI 15 SP3 FIPS-140-2" | ||
LABEL org.opencontainers.image.description="15 SP3 FIPS-140-2 container based on the SLE LTSS Base Container Image." | ||
LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%.%RELEASE%" | ||
LABEL org.opencontainers.image.url="https://www.suse.com/products/long-term-service-pack-support/" | ||
LABEL org.opencontainers.image.created="%BUILDTIME%" | ||
LABEL org.opencontainers.image.vendor="SUSE LLC" | ||
LABEL org.opencontainers.image.source="%SOURCEURL%" | ||
LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%.%RELEASE%" | ||
LABEL org.opensuse.reference="registry.suse.com/suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%" | ||
LABEL org.openbuildservice.disturl="%DISTURL%" | ||
LABEL com.suse.supportlevel="l3" | ||
LABEL com.suse.supportlevel.until="2025-12-31" | ||
LABEL com.suse.eula="sle-eula" | ||
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle#suse-linux-enterprise-server-15" | ||
LABEL com.suse.release-stage="released" | ||
# endlabelprefix | ||
LABEL io.artifacthub.package.readme-url="%SOURCEURL%/README.md" | ||
LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)." | ||
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/openssl-1_1-1.1.1d-11.20.1.x86_64.rpm | ||
COPY openssl-1_1-1.1.1d-11.20.1.x86_64.rpm . | ||
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm | ||
COPY libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm . | ||
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm | ||
COPY libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm . | ||
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-1.8.2-8.36.1.x86_64.rpm | ||
COPY libgcrypt20-1.8.2-8.36.1.x86_64.rpm . | ||
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm | ||
COPY libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm . | ||
RUN set -euo pipefail; \ | ||
[ $(LC_ALL=C rpm --checksig -v *rpm | \ | ||
grep -c -E "^ *V3.*key ID 39db7c82: OK") = 5 ] \ | ||
&& rpm -Uvh --oldpackage --force *.rpm \ | ||
&& rm -vf *.rpm \ | ||
&& rpmqpack | grep -E '(openssl|libgcrypt)' | xargs zypper -n addlock | ||
|
||
ENV OPENSSL_FIPS=1 | ||
ENV OPENSSL_FORCE_FIPS_MODE=1 | ||
ENV LIBGCRYPT_FORCE_FIPS_MODE=1 | ||
ENV GNUTLS_FORCE_FIPS_MODE=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
|
||
# The SUSE Linux Enterprise 15 SP3 LTSS FIPS-140-2 container image | ||
|
||
![Access Protected](https://img.shields.io/badge/Requires_login_for_access-orange) | ||
![Long Term Service Pack Support](https://img.shields.io/badge/LTSS-Yes-orange) | ||
[![SLSA](https://img.shields.io/badge/SLSA_(v0.1)-Level_4-Green)](https://documentation.suse.com/sbp/server-linux/html/SBP-SLSA4/) | ||
[![Provenance: Available](https://img.shields.io/badge/Provenance-Available-Green)](https://documentation.suse.com/container/all/html/Container-guide/index.html#container-verify) | ||
|
||
## Description | ||
|
||
|
||
This SUSE Linux Enterprise 15 SP3 LTSS-based container image includes the | ||
SLES 15 FIPS-140-2 certified OpenSSL and libgcrypt modules. The image is | ||
designed to run on a FIPS-140-2 compliant SUSE Linux Enterprise Server 15 SP3 | ||
host environment. Although it is configured to enforce FIPS mode, the FIPS | ||
certification requires a host kernel in FIPS mode to be fully compliant. | ||
|
||
The [FIPS-140-2 certified OpenSSL module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3991.pdf) | ||
is a cryptographic module that provides a FIPS-140-2 compliant | ||
cryptographic library. The module is certified by the National | ||
Institute of Standards and Technology (NIST). | ||
|
||
The FIPS-140-2 certified OpenSSL module is a drop-in replacement for the | ||
standard OpenSSL library. It provides the same functionality as the standard | ||
OpenSSL library, with additional security features to meet the FIPS-140-2 | ||
requirements. | ||
|
||
Similarly, the [FIPS-140-2 certified libgcrypt module](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3848.pdf) | ||
is a drop-in replacement for the standard libgcrypt library. It provides the | ||
same functionality as the standard libgcrypt library, with the additional | ||
security features enforced to meet FIPS-140-2 requirements. | ||
|
||
|
||
## Usage | ||
The image is configured to enforce the use of FIPS mode by default, | ||
independent of the host environment setup by specifying the following | ||
environment variables: | ||
* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode | ||
* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel | ||
* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing | ||
|
||
Below is a list of other environment variables that can be used to configure the OpenSSL library: | ||
|
||
* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate | ||
the acceptable key sizes of RSA. | ||
## Accessing the container image | ||
|
||
Accessing this container image requires a valid SUSE subscription. In order | ||
to access the container image, you must login to the SUSE Registry with your credentials. | ||
There are three ways to do that which are described below. The first two methods | ||
leverage the system registration of your host system, while the third method | ||
requires you to obtain the organisation SCC mirroring credentials. | ||
|
||
### Use the system registration of your host system | ||
|
||
If the host system you are using to build or run a container is already registered with | ||
the correct subscription required for accessing the LTSS container images, you can use | ||
the registration information from the host to log in to the registry. | ||
|
||
The file `/etc/zypp/credentials.d/SCCcredentials` contains a username and a password. | ||
These credentials allow you to access any container that is available under the | ||
subscription of the respective host system. You can use these credentials to log | ||
in to SUSE Registry using the following commands | ||
(use the leading space before the echo command to avoid storing the credentials in the | ||
shell history): | ||
|
||
```ShellSession | ||
set +o history | ||
echo PASSWORD | podman login -u USERNAME --password-stdin registry.suse.com | ||
set -o history | ||
``` | ||
|
||
### Use a separate SUSE Customer Center registration code | ||
|
||
If the host system is not registered with SUSE Customer Center, you can use a valid | ||
SUSE Customer Center registration code to log in to the registry: | ||
|
||
```ShellSession | ||
set +o history | ||
echo SCC_REGISTRATION_CODE | podman login -u "regcode" --password-stdin registry.suse.com | ||
set -o history | ||
``` | ||
The user parameter in this case is the verbatim string `regcode`, and | ||
`SCC_REGISTRATION_CODE` is the actual registration code obtained from SUSE. | ||
|
||
### Use the organization mirroring credentials | ||
|
||
You can also use the organization mirroring credentials to log in to the | ||
SUSE Registry: | ||
|
||
```ShellSession | ||
set +o history | ||
echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com | ||
set -o history | ||
``` | ||
|
||
These credentials give you access to all subscriptions the organization owns, | ||
including those related to container images in the SUSE Registry. | ||
The credentials are highly privileged and should be preferably used for | ||
a private mirroring registry only. | ||
## Licensing | ||
|
||
`SPDX-License-Identifier: MIT` | ||
|
||
This documentation and the build recipe are licensed as MIT. | ||
The container itself contains various software components under various open source licenses listed in the associated | ||
Software Bill of Materials (SBOM). | ||
|
||
This image is based on [SUSE Linux Enterprise Server](https://www.suse.com/products/server/), a reliable, | ||
secure, and scalable server operating system built to power mission-critical workloads in physical and virtual environments. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
<services> | ||
<service mode="buildtime" name="docker_label_helper"/> | ||
<service mode="buildtime" name="kiwi_metainfo_helper"/> | ||
<service mode="buildtime" name="kiwi_label_helper"/> | ||
</services> |
Oops, something went wrong.