
Valentin Viennot
on 25 May 2022


Canonical’s UA and Pro customers can now fully benefit from their subscriptions directly in containerised environments and pipelines. The new UA client release (27.7+) makes it easier to enable FIPS mode in Ubuntu containers. It also automatically signs up CI/CD builds for 10-year security updates, so you never have to worry about production container images getting timely patches for high and critical CVEs.

Built for DevOps and Cloud Developers

We previously had a working solution to build and run FIPS-enabled containers on Ubuntu 18.04, but listening to and working with customers made it clear that it was anything but ideal. The workaround was complex and risked leaving credentials in the FIPS-enabled OCI image. It also required A LOT of steps and was poorly documented.

Containers are meant to be ephemeral and ubiquitous, and so are their builds. Whether it’s Azure Container Registry Tasks, AWS CodePipeline, Google Cloud Build, or Tekton pipelines, our customers are making the most of native container build facilities. They use public cloud services and serverless CI/CD functions to build their OCI images, eventually storing them in private repositories they trust.

As a result, we wanted to build an out-of-the-box solution that could run on any cloud-native service and environment and not only limited to Ubuntu Pro machines. That way, we would have the best solution to continuously build and run Ubuntu premium containers on any cloud platform, including on-prem CI/CDs.

This is now available to all users with the latest UA client, from a Dockerfile.

Read the “How to enable Ubuntu Advantage services in a Dockerfile” how-to guide on GitHub.

FIPS-enabled NGINX Docker image with 10-year updates on Ubuntu Pro 20.04

The latest UA (Ubuntu Advantage) client, the way Pro users access advanced Ubuntu features such as FIPS, CIS hardening, and Extended Security Maintenance, now fully supports building and running OCI images in containerised environments. The resulting container images must run on UA-enabled or Ubuntu Pro hosts and VMs.

Did you know Ubuntu Advantage is free for personal use? Get started now.

How does it work? Here’s a simple example of building an NGINX container image using FIPS 140-2 certified packages from Ubuntu. FIPS 140-2 certified components enable FedRAMP, HIPAA, and PCI use cases. Additionally, whether in FIPS mode or not, enabling UA in container builds ensures the built artefacts include the latest security updates. Ubuntu Pro packages are backed by a 10-year maintenance commitment from Canonical.

The UA subscription is passed as a build secret, using the following YAML syntax:

# ua-attach-config.yaml

token: <secret token from ubuntu.com/advantage>
enable_services:
  - fips-updates
  - esm-infra

The following Dockerfile and commands create an NGINX Docker image with FIPS-certified OpenSSL on Ubuntu 20.04 (FIPS mode is not yet available for the latest 22.04) passing the above ua-attach-config.yaml as a build secret. We start from Canonical’s prebuilt Ubuntu-based NGINX LTS image on AWS, enabling FIPS mode and ESM updates:

# Dockerfile

FROM public.ecr.aws/lts/nginx:1.18-20.04_beta

RUN --mount=type=secret,id=ua-attach-config \
    apt-get update \
    # install the UA client
    && apt-get install --no-install-recommends -y \
        ubuntu-advantage-tools ca-certificates \
    # attach a UA subscription
    && ua attach --attach-config /run/secrets/ua-attach-config \
    # upgrade packages eligible for FIPS/ESM updates
    && apt-get upgrade -y \
    && apt-get install --no-install-recommends -y openssl \
    # don’t forget to clean the layer and remove secrets!
    # this removes the UA client and any authentication files
    && apt-get purge --auto-remove -y \
        ubuntu-advantage-tools ca-certificates \
    && rm -rf /var/lib/apt/lists/*

The FIPS-enabled NGINX Docker image can be built with the following command on any host and platform, for example using Docker BuildKit or Podman:

> DOCKER_BUILDKIT=1 docker build . --secret id=ua-attach-config,src=ua-attach-config.yaml -t nginx-fips:1.18

You can quickly get started by launching an Ubuntu Pro FIPS host on AWS EC2 and then validate that FIPS mode is indeed enabled for the built image by following the instructions here. Note that you must be running on a UA-enabled/Ubuntu Pro host in FIPS mode in order to achieve FIPS compliance and to comply with the usage licence, and that distribution of images built with UA services requires an agreement with Canonical.

# Example instructions available at:
# https://github.com/valentincanonical/ubuntu-ua-fips-nginx-example 

> docker run --rm --name nginx-fips nginx-fips:1.18
> docker exec -it nginx-fips dpkg-query --show openssl
openssl     1.1.1f-1ubuntu2.fips.2.8
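As an added illustration (not Canonical’s tooling, nor code from this post), the following Python lint checks a Dockerfile for the secret-handling pattern shown above: `ua attach` must run inside a RUN that mounts the subscription as a BuildKit secret, the config must not be COPYed into the image, and the same layer must purge the UA client so no token survives in a layer. The two Dockerfiles it inspects are constructed samples.

```python
import re

def parse_instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Join backslash continuations into (KEYWORD, args) pairs; comment lines
    inside a continued RUN are dropped, as Docker does."""
    instructions, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        instructions.append((keyword.upper(), args.strip()))
        buf = ""
    return instructions

def ua_secret_findings(dockerfile: str) -> list[str]:
    """Findings about how the UA subscription is handled; [] means clean."""
    findings = []
    for keyword, args in parse_instructions(dockerfile):
        if keyword in ("COPY", "ADD") and "ua-attach-config" in args:
            findings.append(f"{keyword} bakes the attach config into an image layer")
        elif keyword in ("ENV", "ARG") and re.search(r"(?i)ua_?token", args):
            findings.append(f"{keyword} exposes a UA token in image metadata")
        elif keyword == "RUN" and re.search(r"\bua attach\b", args):
            if "--mount=type=secret" not in args:
                findings.append("ua attach runs without a BuildKit secret mount")
            if not re.search(r"apt-get purge[^&]*ubuntu-advantage-tools", args):
                findings.append("ua attach layer does not purge ubuntu-advantage-tools")
    return findings

# Constructed samples: the post's pattern, and a naive variant that COPYs the config in.
SAFE_DOCKERFILE = """\
FROM public.ecr.aws/lts/nginx:1.18-20.04_beta
RUN --mount=type=secret,id=ua-attach-config \\
    apt-get update \\
    # install the UA client
    && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \\
    && ua attach --attach-config /run/secrets/ua-attach-config \\
    && apt-get upgrade -y \\
    && apt-get purge --auto-remove -y ubuntu-advantage-tools ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
"""
LEAKY_DOCKERFILE = """\
FROM public.ecr.aws/lts/nginx:1.18-20.04_beta
COPY ua-attach-config.yaml /tmp/ua-attach-config.yaml
RUN ua attach --attach-config /tmp/ua-attach-config.yaml && apt-get upgrade -y
"""
```

Running `ua_secret_findings` over the two samples returns no findings for the first and three for the second (baked-in config, no secret mount, no purge).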

Easy, right? Make sure to read the how-to guide and to follow the comprehensive “Create an Ubuntu FIPS Docker image” tutorial on the UA client GitHub repository for the most current documentation.

And if you prefer to use prebuilt container images hardened and maintained by Canonical directly, you can read more about our LTS Docker images portfolio.

Please note NGINX’s statement, “NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source […].” This example is only a proof of concept, and you should make appropriate considerations when trying to achieve full FIPS compliance.

Beyond FIPS mode on OCI images

You are now ready to add your UA/Ubuntu Pro credentials to your container build pipelines and start building container images with 10 years of security updates and, if needed, FIPS mode.

Illustration Photo by Ian Taylor on Unsplash

If you want to understand better how compliance concepts apply to the world of container images, be sure to watch the “Rethinking compliance in a containerised world” talk recording from the Open Source Summit conference in Austin.

You can also read more about FIPS in Ubuntu containers and cloud VMs on the certifications section of our website.

