
Massimiliano Gori
on 21 February 2022


Whether running on the public cloud or a private cloud, the use of containers is ingrained in today’s DevOps-oriented workflows. Having workloads set up to run under the mandated compliance requirements is thus necessary to fully exploit the potential of containers. This article focuses on how to build and run containers that comply with the US and Canada government FIPS140-2 data protection standard. To build Ubuntu 18.04 FIPS140-2 compliant containers you will need the FIPS140-2 certified packages, which can be accessed with an Ubuntu Advantage subscription or with Ubuntu Pro on AWS or Azure.

In our example we will demonstrate building a FIPS container on an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace. They are preconfigured and optimized for the US and Canada government’s FIPS140-2 data protection standard. They are premium images designed by Canonical and provide the Ubuntu Advantage benefits, without the need for a subscription. Key features include live kernel patching, enabling longer uptimes, and FIPS140-2 certified components to be used for FedRAMP, HIPAA, and PCI use cases. Ubuntu Pro is backed by a 10-year maintenance commitment by Canonical.

FIPS requirements

Without getting into the details of FIPS140-2, it is important to underline that a key concept of FIPS is that its requirements cover the whole system, from the kernel to the cryptographic FIPS packages. So when referring to a FIPS container, we are referring to a container image that contains the Ubuntu FIPS cryptographic packages (e.g., libgcrypt, openssl). As container images use the host kernel, that container must run under an Ubuntu FIPS-enabled kernel in order to comply with the FIPS requirements. As a rule of thumb, each Ubuntu FIPS container must run under the equivalent Ubuntu version system, with FIPS enabled in the kernel.

Setting up the system to generate a container

The system that will generate the FIPS container must have an Ubuntu Advantage subscription attached to it, or it can be an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace.

To keep things simple, in this article we will demonstrate how to generate such a container on a public cloud instance (AWS or Azure). On AWS EC2 we will be using the ‘Ubuntu Pro FIPS 18.04 LTS’ AMI, and on Azure the ‘Ubuntu Pro FIPS 18.04 LTS’ image. The example is very similar when using an Ubuntu system with the Ubuntu Advantage subscription attached and FIPS enabled.

Generate the container with the necessary FIPS components

Launch an ‘Ubuntu Pro FIPS 18.04 LTS’ instance on AWS or Azure. The instances come with FIPS enabled out of the box. The launched instance will be used to build and run the containers with the FIPS packages.

Once your FIPS worker instance is running, you can generate a FIPS-compliant container as follows. You can adjust the list of packages installed, to include only the necessary ones for your workload.

$ mkdir -p ubuntu18-fips/packages

# install docker
$ sudo apt-get update
$ sudo apt-get install -y docker.io

# start the docker daemon
$ sudo systemctl start docker

# download the FIPS components to be included in the container
$ sudo apt-get clean
$ sudo apt-get install -y --reinstall --download-only \
    openssh-client openssh-client-hmac openssh-server \
    openssh-server-hmac strongswan strongswan-hmac \
    openssh-sftp-server libstrongswan libstrongswan-standard-plugins \
    strongswan-starter strongswan-libcharon strongswan-charon \
    openssl libssl1.1 libssl1.1-hmac kcapi-tools libkcapi1

# Next you’ll want to copy those deb packages to your build directory
$ cp /var/cache/apt/archives/*.deb ubuntu18-fips/packages/
$ cd ubuntu18-fips
$ cat >Dockerfile <<_EOF_
FROM ubuntu:18.04

RUN apt-get update
ADD packages packages/
RUN apt-get install -y ./packages/*.deb
RUN apt-get clean
RUN rm -rf ./packages
_EOF_

$ sudo docker build -t ubuntu18-fips .

To test your newly created container, inside the Ubuntu Pro FIPS 18.04 LTS instance run:

$ sudo docker run -it ubuntu18-fips bash

Your container is now ready and can be pushed to your private registry and used to drive your workloads.
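A preflight guard, added here as an example and not part of the original article, that encodes the rule from the FIPS requirements section before a workload starts: it confirms the host kernel reports FIPS mode through /proc/sys/crypto/fips_enabled and that the OpenSSL FIPS packages the build above installed (openssl, libssl1.1, libssl1.1-hmac) are in dpkg's installed state. The function names, the `run` argument and the constructed sample listings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): preflight check that a
# FIPS container is running on a FIPS-enabled host kernel and still carries
# the FIPS cryptographic packages. Assumed: the kernel flag is at the standard
# location /proc/sys/crypto/fips_enabled and dpkg-query exists in the image.

# Return 0 when the kernel FIPS flag in the given file reads "1".
# The path is a parameter so the check can be exercised on a sample file.
fips_kernel_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || return 1
    read -r value < "$flag_file" || return 1
    [ "$value" = "1" ]
}

# Return 0 when every package named in $1 (space separated) appears as
# "install ok installed" in $2, which is the output of:
#   dpkg-query -W -f='${Package} ${Status}\n'
fips_packages_present() {
    wanted="$1"
    status_listing="$2"
    for pkg in $wanted; do
        printf '%s\n' "$status_listing" | grep -qxF "$pkg install ok installed" || {
            echo "FIPS package missing or not installed: $pkg" >&2
            return 1
        }
    done
    return 0
}

# Packages from the build step whose presence marks a FIPS-capable image:
# the OpenSSL library plus its HMAC integrity-check package.
FIPS_REQUIRED_PACKAGES="openssl libssl1.1 libssl1.1-hmac"

# Full preflight against the live system; non-zero exit on any failure so an
# entrypoint can refuse to start the workload on a non-FIPS host.
fips_preflight() {
    fips_kernel_enabled || { echo "host kernel is not in FIPS mode" >&2; return 1; }
    listing="$(dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null)"
    fips_packages_present "$FIPS_REQUIRED_PACKAGES" "$listing"
}

# Only run the live check when invoked as: sh fips_preflight.sh run
case "${1:-}" in
    run) fips_preflight ;;
esac
```

Run it from the container entrypoint (for example `sh fips_preflight.sh run && exec your-workload`) so a container scheduled onto a non-FIPS host fails fast instead of silently running outside the FIPS boundary.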

Summary

  • You can create and run FIPS-enabled containers on any host with a valid Ubuntu Advantage subscription or on Ubuntu Pro FIPS images.
  • You can run FIPS-enabled containers only on FIPS-enabled hosts to comply with the FIPS140-2 requirements.
