From 5ee61cf864131c831601edc048bf2af68b3df14f Mon Sep 17 00:00:00 2001 From: Isa Farnik Date: Tue, 22 Oct 2024 12:04:10 -0700 Subject: [PATCH] chore(fips): use ubuntu 24.04 fips pkgs & image (#10473) --- .github/matrix-full.yml | 16 +- .../kong-ee/ubuntu_fips_is_noble.yml | 4 + scripts/explain_manifest/config.py | 3 +- .../fixtures/ubuntu-24.04-amd64-fips.txt | 285 ++++++++++++++++++ 4 files changed, 305 insertions(+), 3 deletions(-) create mode 100644 changelog/unreleased/kong-ee/ubuntu_fips_is_noble.yml create mode 100644 scripts/explain_manifest/fixtures/ubuntu-24.04-amd64-fips.txt diff --git a/.github/matrix-full.yml b/.github/matrix-full.yml index 71e20afb2470..5c40d7416274 100644 --- a/.github/matrix-full.yml +++ b/.github/matrix-full.yml @@ -40,6 +40,11 @@ build-packages: package: deb bazel-args: --platforms=//:generic-crossbuild-aarch64 check-manifest-suite: ubuntu-24.04-arm64 +- label: ubuntu-24.04-fips + image: ubuntu:24.04 + package: deb + bazel-args: --//:fips=true + check-manifest-suite: ubuntu-24.04-amd64-fips # Debian @@ -135,9 +140,10 @@ build-images: docker-platforms: linux/amd64, linux/arm64 check-manifest-suite: docker-image-ubuntu-24.04 - label: ubuntu-fips - base-image: ubuntu:22.04 + base-image: ubuntu:24.04 package: deb - artifact-from: ubuntu-22.04-fips + artifact-from: ubuntu-24.04-fips + check-manifest-suite: docker-image-ubuntu-24.04 # Debian - label: debian @@ -221,6 +227,12 @@ release-packages: artifact-version: 24.04 artifact-type: ubuntu artifact: kong.arm64.deb +- label: ubuntu-24.04-fips + package: deb + artifact-from: ubuntu-24.04-fips + artifact-version: 24.04 + artifact-type: ubuntu + artifact: kong.amd64.deb # Debian - label: debian-11 diff --git a/changelog/unreleased/kong-ee/ubuntu_fips_is_noble.yml b/changelog/unreleased/kong-ee/ubuntu_fips_is_noble.yml new file mode 100644 index 000000000000..3937405c5462 --- /dev/null +++ b/changelog/unreleased/kong-ee/ubuntu_fips_is_noble.yml 
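Review bot: In `.github/matrix-full.yml`, the `build-images` hunk gives the `ubuntu-fips` image `check-manifest-suite: docker-image-ubuntu-24.04`, the same suite the regular Ubuntu 24.04 image entry directly above it uses, so nothing at image level is visibly FIPS-specific. What that suite asserts is not shown here; if it does not look for `/usr/local/kong/lib/ossl-modules/fips.so`, an image built from a non-FIPS package via `artifact-from` would still pass the image check. Either point the entry at a FIPS-aware image suite, or add a comment such as `# package contents are verified by ubuntu-24.04-amd64-fips in build-packages` so the reuse reads as deliberate.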
@@ -0,0 +1,4 @@ +--- +message: Added Ubuntu 24.04 (Noble Numbat) FIPS packages and image. +type: dependency +scope: Core diff --git a/scripts/explain_manifest/config.py b/scripts/explain_manifest/config.py index cabca95a822b..2d6438dc9b26 100644 --- a/scripts/explain_manifest/config.py +++ b/scripts/explain_manifest/config.py @@ -153,6 +153,7 @@ def transform(f: FileInfo): "libcxx_max_version": "3.4.29", "cxxabi_max_version": "1.3.13", }, + ee_suites: {}, } ), "debian-11-amd64": ExpectSuite( @@ -219,7 +220,7 @@ def transform(f: FileInfo): # ubuntu-22.04-arm64 targets[target.replace("-amd64", "-arm64")] = e - if target in ("el8-amd64", "el9-amd64", "ubuntu-20.04-amd64", "ubuntu-22.04-amd64"): + if target in ("el8-amd64", "el9-amd64", "ubuntu-20.04-amd64", "ubuntu-22.04-amd64", "ubuntu-24.04-amd64"): e = deepcopy(targets[target]) e.manifest = e.manifest.replace("-amd64.txt", "-amd64-fips.txt") # Ubuntu 22.04 (amd64) FIPS diff --git a/scripts/explain_manifest/fixtures/ubuntu-24.04-amd64-fips.txt b/scripts/explain_manifest/fixtures/ubuntu-24.04-amd64-fips.txt new file mode 100644 index 000000000000..4cc4cf160ee5 --- /dev/null +++ b/scripts/explain_manifest/fixtures/ubuntu-24.04-amd64-fips.txt 
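Review bot: In the second `scripts/explain_manifest/config.py` hunk, the FIPS variant is a `deepcopy` of the amd64 suite whose manifest path is rewritten with `str.replace`, which returns the string unchanged when `-amd64.txt` does not occur in it. A manifest named differently would therefore leave the new `ubuntu-24.04-amd64` FIPS target checked against the non-FIPS fixture with no error. A guard right after the rewrite makes that loud: `if not e.manifest.endswith("-amd64-fips.txt"): raise ValueError(target)`. The tuple on the changed line is now long enough to hoist into a named constant such as `FIPS_TARGETS`, and the trailing `# Ubuntu 22.04 (amd64) FIPS` comment appears to name only one of the five targets, so it is worth confirming that it still describes what follows. The rest of this branch, including any FIPS-specific tests attached to `e`, lies outside the hunk.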
@@ -0,0 +1,285 @@ +- Path : /etc/kong/kong.logrotate + +- Path : /etc/logrotate.d/kong-enterprise-edition + Link : /etc/kong/kong.logrotate + Type : link + +- Path : /lib/systemd/system/kong-enterprise-edition.service + +- Path : /usr/local/kong/gui + Type : directory + +- Path : /usr/local/kong/include/google + Type : directory + +- Path : /usr/local/kong/include/kong + Type : directory + +- Path : /usr/local/kong/lib/engines-3/afalg.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/engines-3/capi.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/engines-3/loader_attic.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/engines-3/padlock.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/libada.so + Needed : + - libstdc++.so.6 + - libgcc_s.so.1 + - libc.so.6 + +- Path : /usr/local/kong/lib/libcrypto.so.3 + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/libexpat.so.1.9.2 + Needed : + - libc.so.6 + +- Path : /usr/local/kong/lib/libexslt.so.0.8.23 + Needed : + - libxslt.so.1 + - libxml2.so.2 + - libm.so.6 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/libjq.so.1.0.4 + Needed : + - libm.so.6 + - libonig.so.5 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/liblicense_utils.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/libonig.so.5.3.0 + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/libpasswdqc.so.1 + Needed : + - libc.so.6 + +- Path : /usr/local/kong/lib/libsnappy.so + Needed : + - libstdc++.so.6 + - libgcc_s.so.1 + - libc.so.6 + +- Path : /usr/local/kong/lib/libssl.so.3 + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : 
/usr/local/kong/lib + +- Path : /usr/local/kong/lib/libxml2.so.2.12.9 + Needed : + - libz.so.1 + - libm.so.6 + - libc.so.6 + +- Path : /usr/local/kong/lib/libxslt.so.1.1.42 + Needed : + - libxml2.so.2 + - libm.so.6 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/ossl-modules/fips.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/lib/ossl-modules/legacy.so + Needed : + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/kong/portal + Type : directory + +- Path : /usr/local/kong-tools/bin/curl + Needed : + - libstdc++.so.6 + - libm.so.6 + - libssl.so.3 + - libcrypto.so.3 + - libz.so.1 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/bcrypt.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lfs.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lpeg.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lsyslog.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lua-utf8.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lua_pack.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lua_system_constants.so + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/lxp.so + Needed : + - libexpat.so.1 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/mime/core.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/pb.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/socket/core.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/socket/serial.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : 
/usr/local/lib/lua/5.1/socket/unix.so + Needed : + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/ssl.so + Needed : + - libssl.so.3 + - libcrypto.so.3 + - libc.so.6 + Runpath : /usr/local/kong/lib + +- Path : /usr/local/lib/lua/5.1/yaml.so + Needed : + - libyaml-0.so.2 + - libc.so.6 + +- Path : /usr/local/openresty/lualib/cjson.so + Needed : + - libc.so.6 + +- Path : /usr/local/openresty/lualib/librestysignal.so + +- Path : /usr/local/openresty/lualib/rds/parser.so + Needed : + - libc.so.6 + +- Path : /usr/local/openresty/lualib/redis/parser.so + Needed : + - libc.so.6 + +- Path : /usr/local/openresty/nginx/modules/ngx_wasmx_module.so + Needed : + - libm.so.6 + - libgcc_s.so.1 + - libc.so.6 + - ld-linux-x86-64.so.2 + Runpath : /usr/local/openresty/luajit/lib:/usr/local/kong/lib:/usr/local/openresty/lualib + +- Path : /usr/local/openresty/nginx/sbin/nginx + Needed : + - libcrypt.so.1 + - libluajit-5.1.so.2 + - libm.so.6 + - libssl.so.3 + - libcrypto.so.3 + - libz.so.1 + - libc.so.6 + Runpath : /usr/local/openresty/luajit/lib:/usr/local/kong/lib:/usr/local/openresty/lualib + Modules : + - lua-kong-nginx-module + - lua-kong-nginx-module/stream + - lua-resty-events + - lua-resty-lmdb + - ngx_brotli + - ngx_wasmx_module + OpenSSL : OpenSSL 3.2.3 3 Sep 2024 + DWARF : True + DWARF - ngx_http_request_t related DWARF DIEs: True + +- Path : /usr/local/openresty/site/lualib/libatc_router.so + Needed : + - libgcc_s.so.1 + - libc.so.6 + - ld-linux-x86-64.so.2 + +- Path : /usr/local/openresty/site/lualib/libjson_threat_protection.so + Needed : + - libgcc_s.so.1 + - libc.so.6 + - ld-linux-x86-64.so.2 + +- Path : /usr/local/openresty/site/lualib/liblua_resty_jsonschema_rs.so + Needed : + - libgcc_s.so.1 + - libm.so.6 + - libc.so.6 + - ld-linux-x86-64.so.2 + +- Path : /usr/local/openresty/site/lualib/libsimdjson_ffi.so + Needed : + - libstdc++.so.6 + - libgcc_s.so.1 + - libc.so.6 + +- Path : /usr/local/share/lua/5.1/kong/portal + Type : directory + 
+- Path : /usr/local/share/xml/xsd + Type : directory +