SNOW-748680: Update node fips docker image and re-add fips test #500

Merged
merged 34 commits into from
Sep 21, 2023
5b0b97c
Set centos7 node version to 14.17
sfc-gh-ext-simba-lf May 23, 2023
685badb
Re-add fips test
sfc-gh-ext-simba-lf May 23, 2023
70ced69
Merge branch 'master' of https://github.com/snowflakedb/snowflake-con…
sfc-gh-ext-simba-lf Jun 20, 2023
2fc1108
issue 207 - Update docker image to node18/openssl3 and enable fips
sfc-gh-ext-simba-lf Jun 23, 2023
9dee392
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Jun 28, 2023
503bf46
issue 207 - Fix spaces and remove "--enable-fips" flag
sfc-gh-ext-simba-lf Jul 21, 2023
5bb32c6
Merge branch 'centos7node' of https://github.com/snowflakedb/snowflak…
sfc-gh-ext-simba-lf Jul 21, 2023
9e5d547
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Jul 24, 2023
61477c4
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Jul 31, 2023
587592d
issue 217 - Use node 18.17.0 (LTS) for the FIPS docker image
sfc-gh-ext-simba-lf Aug 3, 2023
4a950e1
Merge branch 'centos7node' of https://github.com/snowflakedb/snowflak…
sfc-gh-ext-simba-lf Aug 3, 2023
7c3b729
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Aug 4, 2023
6ae3969
Merge branch 'master' of https://github.com/snowflakedb/snowflake-con…
sfc-gh-ext-simba-lf Aug 10, 2023
84884f2
SNOW-748680: Add FIPS image to the node matrix for Linux builds
sfc-gh-ext-simba-lf Aug 10, 2023
4c7d48e
SNOW-748680: Use legacy provider for openssl
sfc-gh-ext-simba-lf Aug 10, 2023
4586732
SNOW-748680: Revert using legacy provider for openssl
sfc-gh-ext-simba-lf Aug 10, 2023
00025eb
SNOW-748680: Update "aws-sdk" to 2.14
sfc-gh-ext-simba-lf Aug 11, 2023
f2b9aa0
SNOW-748680: Revert update "aws-sdk" to 2.14
sfc-gh-ext-simba-lf Aug 11, 2023
c7ebad2
Merge branch 'master' of https://github.com/snowflakedb/snowflake-con…
sfc-gh-ext-simba-lf Aug 21, 2023
32444ca
SNOW-748680: Add FIPS image to the node matrix for Linux builds
sfc-gh-ext-simba-lf Aug 21, 2023
6fd4e26
SNOW-748680: Run "npm audit fix" for FIPS build
sfc-gh-ext-simba-lf Aug 21, 2023
7dbf1b1
SNOW-748680: Revert running "npm audit fix" for FIPS build
sfc-gh-ext-simba-lf Aug 21, 2023
03c8ec1
SNOW-749232: Upgrade to aws-sdk v3
sfc-gh-dprzybysz Aug 4, 2023
c32e677
SNOW-749232: Fix s3 unit tests
sfc-gh-dprzybysz Aug 11, 2023
73e03b7
Set centos7 node version to 14.17
sfc-gh-ext-simba-lf May 23, 2023
d286ad2
issue 207 - Update docker image to node18/openssl3 and enable fips
sfc-gh-ext-simba-lf Jun 23, 2023
7f557b1
issue 207 - Fix spaces and remove "--enable-fips" flag
sfc-gh-ext-simba-lf Jul 21, 2023
aff9f8f
issue 217 - Use node 18.17.0 (LTS) for the FIPS docker image
sfc-gh-ext-simba-lf Aug 3, 2023
4b59571
SNOW-748680: Add FIPS image to the node matrix for Linux builds
sfc-gh-ext-simba-lf Aug 10, 2023
5722e21
SNOW-748680: Run "npm audit fix" for FIPS build
sfc-gh-ext-simba-lf Aug 21, 2023
55f43ae
SNOW-748680: Revert running "npm audit fix" for FIPS build
sfc-gh-ext-simba-lf Aug 21, 2023
9af77d5
Merge branch 'centos7node' of https://github.com/snowflakedb/snowflak…
sfc-gh-ext-simba-lf Sep 14, 2023
542383a
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Sep 15, 2023
837470a
Merge branch 'master' into centos7node
sfc-gh-ext-simba-lf Sep 21, 2023
2 changes: 1 addition & 1 deletion .github/workflows/build-test.yml
Expand Up @@ -114,7 +114,7 @@ jobs:
strategy:
fail-fast: false
matrix:
image: [ 'nodejs-centos7-node14']
image: [ 'nodejs-centos7-node14', 'nodejs-centos7-fips']
cloud: [ 'AWS', 'AZURE', 'GCP' ]
steps:
- uses: actions/checkout@v1
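Review bot: The new matrix entry `'nodejs-centos7-fips'` does not match the name of the Dockerfile changed in this PR (`ci/image/Dockerfile.nodejs-centos7-fips-test`), so please confirm that the image build and pull scripts resolve this matrix name to that file before the three added cloud jobs depend on it. Minor style point on the same line: the list keeps the uneven bracket spacing (a space after `[` but none before `]`), unlike the `cloud` line directly below it.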
40 changes: 30 additions & 10 deletions ci/image/Dockerfile.nodejs-centos7-fips-test
Expand Up @@ -35,29 +35,49 @@ SHELL [ "/usr/bin/scl", "enable", "devtoolset-8"]

# node-fips environment variables
ENV NODE_HOME $HOME/node
ENV NODEJS_VERSION 14.0.0
ENV FIPSDIR $HOME/install-openssl-fips
ENV OPENSSL_VERSION 2.0.16
ENV NODEJS_VERSION 18.17.0
ENV OPENSSL_VERSION 3.0.8
ENV PKG_CONFIG_PATH "/usr/local/lib64/pkgconfig"
ENV LD_LIBRARY_PATH "${LD_LIBRARY_PATH}:/usr/local/lib64"
ENV OPENSSL_CONF /usr/local/ssl/openssl.cnf
ENV FIPSCONF /usr/local/ssl/fipsmodule.cnf
ENV OPENSSL_MODULES=/usr/local/lib64/ossl-modules

# Install OpenSSL
# Install OpenSSL
RUN cd $HOME
RUN curl https://www.openssl.org/source/openssl-fips-$OPENSSL_VERSION.tar.gz -o $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
RUN curl https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz -o $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
RUN tar -xvf $HOME/openssl-fips-$OPENSSL_VERSION.tar.gz
RUN mv openssl-fips-$OPENSSL_VERSION $HOME/openssl-fips
RUN mv openssl-$OPENSSL_VERSION $HOME/openssl-fips
RUN cd $HOME/openssl-fips


# Install OpenSSL dependencies
RUN yum -y install perl-IPC-Cmd
RUN yum -y install perl-Digest-SHA
RUN yum -y install openssl-devel

# You must run ONLY these commands when building the FIPS version of OpenSSL
RUN cd $HOME/openssl-fips && ./config && make && make install

RUN cd $HOME/openssl-fips && ./config enable-fips && make && make install

# Enable FIPS by editing the openssl.cnf file
RUN sed -i "s/openssl_conf = openssl_init/nodejs_conf = openssl_init/g" $OPENSSL_CONF
RUN sed -i "s/# .include fipsmodule.cnf/.include ${FIPSCONF//\//\\/}/g" $OPENSSL_CONF
RUN sed -i 's/# fips = fips_sect/fips = fips_sect/g' $OPENSSL_CONF
RUN sed -i 's/# activate = 1/activate = 1/g' $OPENSSL_CONF
RUN sed -i '55ialg_section = algorithm_sect' $OPENSSL_CONF
RUN sed -i '75idefault_properties = fips=yes' $OPENSSL_CONF
RUN sed -i '75i[algorithm_sect]' $OPENSSL_CONF

# Download and build NodeJS
RUN git clone --branch v$NODEJS_VERSION https://github.com/nodejs/node.git $NODE_HOME
RUN gcc --version
RUN g++ --version
RUN cd $NODE_HOME && ./configure --openssl-fips=$FIPSDIR && make -j2 &> /dev/null && make install
RUN cd $NODE_HOME && ./configure --shared-openssl --shared-openssl-libpath=/usr/local/lib64 --shared-openssl-includes=/usr/local/include/openssl --openssl-is-fips && make -j2 &> /dev/null && make install
# Should be $NODEJS_VERSION
RUN node --version
# Should be $OPENSSL_VERSION
RUN node -p "process.versions.openssl"
# Should be 1 (FIPS is enabled by default)
RUN node -p 'crypto.getFips()'

# workspace
RUN mkdir -p /home/user
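Review bot: The three verification steps after the Node build (`RUN node --version`, `RUN node -p "process.versions.openssl"`, `RUN node -p 'crypto.getFips()'`) only print values, so an image in which FIPS did not activate still builds and the new matrix job would run the suite in non-FIPS mode unnoticed. Make the build fail instead, for example `RUN node -e "process.exit(require('crypto').getFips() === 1 ? 0 : 1)"`, and compare the reported versions against `$NODEJS_VERSION` and `$OPENSSL_VERSION` the same way. Two related points in this hunk: the OpenSSL tarball is fetched with plain `curl` and unpacked with no digest or signature check, and without `-f` an HTTP error page would be saved as the tarball, so pin a SHA-256 for the 3.0.8 archive and verify it before `tar`. The line-number inserts (`sed -i '55ialg_section = algorithm_sect'` and the two `75i` inserts) depend on the exact layout of the shipped openssl.cnf, so a version bump can place them in the wrong section without any error; anchoring on a pattern or appending the section would be sturdier, and the hard failure on `getFips()` would catch a misplacement.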