WIP: First pass at a reproducible env for running under FIPS mode #16939

Draft
wants to merge 3 commits into
base: feature/fedramp-high-8.x

donoghuc
Member

This commit adds a dockerfile intended to serve as a portable environment for exploring running logstash in a FIPS compliant manner. The iteration at this commit focuses on running only the tests with the BC provider and trust stores. The same dockerfile has some commented out and unused config for doing manual exploration with LS. Eventually this will be split out into separate concerns.

WIP: DO NOT MERGE

This commit adds a dockerfile intended to serve as a portable environment for
exploring running logstash in a FIPS compliant manner. The iteration at this
commit focuses on running *only* the tests with the BC provider and trust
stores. The same dockerfile has some commented out and unused config for doing
manual exploration with LS. Eventually this will be split out into separate
concerns.

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Dockerfile Outdated
Member

🤔 is there a place other than the project root for this? Maybe qa/fips/Dockerfile?

Member Author

Ah, yeah I'll look at moving this away from root.

test-init.gradle Outdated
}
}

gradle.taskGraph.whenReady { graph ->
Member

should we wrap these tasks instead of changing them, or only execute this bit when an environment variable is set (and set that var in our Dockerfile)?

Member Author

I think so. I put up an attempt to do that but it's not quite there yet. I do think your suggestion will be the way to go though in the end.

test-init.gradle Outdated
}
dependencies {
classpath files(
'/root/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bc-fips/2.0.0/ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab/bc-fips-2.0.0.jar',
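Review bot: the entry passed to classpath files( is an absolute path under /root/.gradle/caches/modules-2/files-2.1/ that includes the cache's hash directory, so it only resolves when the build runs as root and that exact artifact has already been downloaded into the cache. The path itself carries the coordinates (org.bouncycastle, bc-fips, 2.0.0); declaring the dependency by those coordinates and letting Gradle resolve it, or failing with a clear message when the file is missing, would remove the dependence on the user's home directory and cache layout.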
Member

🤔 what happens if we don't have them in the cache?

Member Author

Good point. This was a hack I added early on. I was hoping to avoid it or make it more dynamic. I'll continue to work at this, what is in this iteration here is unacceptable.

The major issue I'm running into now is where exactly to make the tests use the
BC providers. Too early, and I run into issues not being able to download
dependencies but too late and the tests will fail due to not being able to load.
This iteration looks at moving away from a script wrapping tasks and instead moving it to the
build.gradle in the tasks directly. At this point it's actually regressed in the
java tests. My current thinking is that by not explicitly adding the cached
locations to the classpath I've broken something.

apply plugin: 'jacoco'
Member Author

I couldn't figure out a way to avoid downloading these deps at test time. I'll have to circle back to this.

In a previous iteration jvm options were attempted to be configured at the
gradle level. This presented a challenge in rspec loading because webmock was not
being loaded correctly with the fips providers. That initial approach was also
problematic because it introduced a fork in configuration changes between
configuring the JVM via the environment variables and files for running logstash
in the container vs in the tests.

This new approach attempts to separate out all of the test setup and building in
gradle from a pure "just run the tests" task. The fundamental idea is that we
don't want to use FIPS mode for downloading dependencies and building/preparing
an environment; we only want that configured at the very end. This approach
accomplishes that by teasing out the dependencies that trigger downloads etc. in
gradle from tasks that will only run the tests. The dockerfile order will call
all the gradle tasks for setup, then configure FIPS mode and call the tests that
should be run under fips mode.
@donoghuc donoghuc force-pushed the fips-container-exploration branch from 37ac6eb to a7224b0 Compare January 24, 2025 22:38
@elasticmachine
Collaborator

elasticmachine commented Jan 24, 2025

@donoghuc
Member Author

donoghuc commented Jan 24, 2025

Repro steps as outlined in the doc executed from the container env https://docs.google.com/document/d/1Rmw6rxQ_5KkjBZQLu0e3aVJJrHXZaXf1dZpQi7kmkQI/edit?usp=sharing

[1] pry(#<LogStash::Runner>)> Java::java.security.Security.getProviders.map {|prov| prov.name }
=> 
["BCFIPS", "BCJSSE", "SUN", "SunJSSE", "SunJCE", "SunJGSS", 
"SunSASL", "XMLDSig", "SunPCSC", "JdkLDAP", "JdkSASL", "SunPKCS11"
]

[2] pry(#<LogStash::Runner>)> Java::org.bouncycastle.crypto.CryptoServicesRegistrar.isInApprovedOnlyMode
=> 
true

[3] pry(#<LogStash::Runner>)> Java::java.security.SecureRandom.new.getProvider.getName
=> "BCFIPS"

[4] pry(#<LogStash::Runner>)> Java::org.bouncycastle.crypto.fips.FipsStatus.isReady
=> 
true
[5] pry(#<LogStash::Runner>)> org.jruby.ext.openssl.SecurityHelper.isProviderRegistered
=> 
false
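
A preflight check for the provider order the session above reports (BCFIPS first, BCJSSE second), as an added example that is not part of the PR or the Logstash code base. It assumes the container sets the order through a java.security-style properties file; the sample file content and the function names are constructed for illustration.

```ruby
# Added example: preflight check of JVM security provider order.
# Constructed sample of a java.security override file (not taken from the PR).
SAMPLE_JAVA_SECURITY = <<~PROPS
  # constructed override file
  security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
  security.provider.3=SUN
  security.provider.5=SunJCE
PROPS

# Returns { index => entry } for every security.provider.N line.
def provider_entries(text)
  text.each_line.with_object({}) do |line, found|
    next if line.strip.empty? || line.lstrip.start_with?("#", "!")
    key, value = line.split("=", 2).map(&:strip)
    m = /\Asecurity\.provider\.(\d+)\z/.match(key)
    found[m[1].to_i] = value if m && value
  end
end

# OpenJDK reads providers from 1 upward and stops at the first missing
# number, so entries after a gap are silently ignored.
def effective_providers(text)
  entries = provider_entries(text)
  order = []
  i = 1
  while entries.key?(i)
    order << entries[i]
    i += 1
  end
  order
end

# Returns a list of problems; empty means BCFIPS is first and BCJSSE second.
def fips_order_problems(text)
  order = effective_providers(text)
  problems = []
  problems << "provider 1 is not BouncyCastleFipsProvider" unless order[0].to_s.include?("BouncyCastleFipsProvider")
  problems << "provider 2 is not BouncyCastleJsseProvider" unless order[1].to_s.include?("BouncyCastleJsseProvider")
  ignored = provider_entries(text).keys.select { |n| n > order.length }
  problems << "entries after numbering gap are ignored: #{ignored.sort.join(', ')}" unless ignored.empty?
  problems
end

puts fips_order_problems(SAMPLE_JAVA_SECURITY)
```

A file that passes this check only establishes the configured order; the runtime checks in the session above (approved-only mode, FipsStatus) still have to be made inside the JVM.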

3 participants