[FIPS / build] Optimize FIPS image size / build process. Fix OpenSSL target. #183204

Merged
merged 2 commits into from May 13, 2024

@Ikuni17 Ikuni17 commented May 10, 2024

Closes elastic/kibana-operations#60

  • Improve cleanup after OpenSSL install to reduce compressed image size by 30% (582MB now).
    • About 30% larger than standard Kibana UBI image (410MB) still.
    • It might be possible to reduce the image further by compiling OpenSSL in step 0, but we might switch to the wolfi image so I think we can hold off for now. Also not sure if OpenSSL will be FIPS compliant / link properly in that setup.
  • Fixes OpenSSL compilation so that it does not overwrite the OS version and break OS functionality.
  • Redirect make stdout to reduce log size and unnecessary noise.
  • Refactor to use variables for OpenSSL version and path.

Testing to validate FIPS is enabled

  1. Pull docker.elastic.co/kibana-ci/kibana-ubi-fips:8.15.0-SNAPSHOT-80183622154e15459f3010199ad611f7ec5a2d98
  2. Run the image and attach shell to the container
  3. node/bin/node --enable-fips --openssl-config=/usr/share/kibana/config/nodejs.cnf -p 'crypto.getFips()'

@Ikuni17 Ikuni17 added the Team:Operations, release_note:skip, backport:skip, ci:build-docker-fips and v8.15.0 labels May 10, 2024
@Ikuni17 Ikuni17 self-assigned this May 10, 2024
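
The check in step 3 of the testing procedure above, extended into a script as an added example (not part of the PR or of Kibana's build code): besides reading `crypto.getFips()`, it tries MD5, which a FIPS provider is expected to reject, so a flag that is set without being enforced shows up. The file name `fips-check.js`, the `--check` argument and the verdict strings are assumptions made for illustration.

```javascript
// Added example; fips-check.js is a hypothetical file name.
// Run inside the container with the flags from the PR description:
//   node/bin/node --enable-fips \
//     --openssl-config=/usr/share/kibana/config/nodejs.cnf fips-check.js --check
const crypto = require('node:crypto');

// MD5 is not a FIPS-approved digest. Returns true if hashing with it works.
function md5Available() {
  try {
    crypto.createHash('md5').update('probe').digest('hex');
    return true;
  } catch (err) {
    return false; // the active provider refused the algorithm
  }
}

// Pure decision logic, kept separate so it can be checked on constructed input.
function assess(fipsFlag, md5Ok) {
  if (fipsFlag === 1 && !md5Ok) return 'fips-enforced';
  if (fipsFlag === 1 && md5Ok) return 'flag-set-but-md5-allowed';
  if (fipsFlag === 0 && md5Ok) return 'fips-off';
  return 'fips-off-md5-unavailable';
}

// Query the running Node process and classify the result.
function probe() {
  const fipsFlag = crypto.getFips(); // 1 when a FIPS provider is in use, else 0
  const md5Ok = md5Available();
  return { fipsFlag, md5Ok, verdict: assess(fipsFlag, md5Ok) };
}

// Only act as a CLI when asked to, so the functions can be loaded elsewhere.
if (process.argv.includes('--check')) {
  const result = probe();
  console.log(JSON.stringify(result));
  process.exitCode = result.verdict === 'fips-enforced' ? 0 : 1;
}
```

With `--check`, the non-zero exit status for any verdict other than `fips-enforced` lets a CI step fail on an image where FIPS mode is not actually in effect.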
Ikuni17 commented May 10, 2024

/ci

@Ikuni17 Ikuni17 changed the title target kibana only with opensll. better cleanup. reduce make noise [FIPS / build] Optimize FIPS image size / build process. Fix OpenSSL target. May 10, 2024
Comment on lines +141 to +144
./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
make -j $(nproc) > /dev/null ; \
make install > /dev/null ; \
rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
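
Review bot: The four commands on lines +141 to +144 are chained with `;` rather than `&&`, so unless the enclosing step sets `set -e` earlier (not visible in this excerpt) a failed `./Configure`, `make` or `make install` does not stop the build: the `rm -rf` and whatever follows still run, and the step's exit status is that of its last command, which can leave an image without a working OpenSSL under `${OPENSSL_PATH}`. Suggest joining the commands with `&&`. Redirecting only stdout to `/dev/null` keeps compiler and install errors on stderr, which is the right half to keep; with `&&` those errors would also fail the build instead of only appearing in the log.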

A bit hard to see in the diff, these are the main changes.

@Ikuni17 Ikuni17 marked this pull request as ready for review May 10, 2024 23:56
@Ikuni17 Ikuni17 requested a review from a team as a code owner May 10, 2024 23:56
@elasticmachine

Pinging @elastic/kibana-operations (Team:Operations)

@kibana-ci

kibana-ci commented May 13, 2024

💚 Build Succeeded

  • Buildkite Build
  • Commit: cf8bd57
  • Kibana UBI FIPS Image: docker.elastic.co/kibana-ci/kibana-ubi-fips:8.15.0-SNAPSHOT-cf8bd57a3848b19aa5f9fb2fc1ab168d01f5c61d

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @Ikuni17

@Ikuni17 Ikuni17 merged commit b60d6fc into elastic:main May 13, 2024
18 checks passed
@Ikuni17 Ikuni17 deleted the fix/60/optimize-fips-img branch May 13, 2024 16:23