Building and running FIPS containers on Ubuntu 18.04



Whether running on the public cloud or a private cloud, the use of containers is ingrained in today’s devops-oriented workflows. Having workloads set up to run under the mandated compliance requirements is thus necessary to fully exploit the potential of containers. This article focuses on how to build and run containers that comply with the US and Canada government FIPS140-2 data protection standard. To build Ubuntu 18.04 FIPS140-2 compliant containers you will need the FIPS140-2 certified packages, which can be accessed with an Ubuntu Advantage subscription or with Ubuntu Pro on AWS or Azure.

In our example we will demonstrate building a FIPS container on an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace. They are preconfigured and optimized for the US and Canada government’s FIPS140-2 data protection standard. They are premium images designed by Canonical and provide the Ubuntu Advantage benefits, without the need for a subscription. Key features include live kernel patching, enabling longer uptimes, and FIPS140-2 certified components to be used for FedRAMP, HIPAA, and PCI use cases. Ubuntu Pro is backed by a 10-year maintenance commitment by Canonical.

FIPS requirements

Without getting into the details of FIPS140-2, it is important to underline that a key concept of FIPS is that its requirements cover the whole system, from the kernel to the cryptographic FIPS packages. So when referring to a FIPS container, we are referring to a container image that contains the Ubuntu FIPS cryptographic packages (e.g., libgcrypt, openssl). As container images use the host kernel, that container must run under an Ubuntu FIPS-enabled kernel in order to comply with the FIPS requirements. As a rule of thumb, each Ubuntu FIPS container must run under a system of the equivalent Ubuntu version, with FIPS enabled in the kernel.

Setting up the system to generate a container

The system that will generate the FIPS container must have an Ubuntu Advantage subscription attached to it, or it can be an Ubuntu Pro FIPS image. Ubuntu Pro FIPS images are available in AWS Marketplace and Azure Marketplace.

To keep things simple, in this article we will demonstrate how to generate such a container on a public cloud instance (AWS or Azure). On AWS EC2 we will be using the ‘Ubuntu Pro FIPS 18.04 LTS’ AMI, and on Azure the ‘Ubuntu Pro FIPS 18.04 LTS’ image. The example is very similar when using an Ubuntu system with the Ubuntu Advantage subscription attached and FIPS enabled.

Generate the container with the necessary FIPS components

Launch an ‘Ubuntu Pro FIPS 18.04 LTS’ on AWS or Azure. The instances come with FIPS enabled out of the box. The launched instance will be used to build and run the containers with the FIPS packages.

Once your FIPS worker instance is running, you can generate a FIPS-compliant container as follows. You can adjust the list of packages installed, to include only the necessary ones for your workload.

$ mkdir -p ubuntu18-fips/packages

# install docker
$ sudo apt-get update
$ sudo apt-get install -y docker.io

# start the docker daemon
$ sudo systemctl start docker

# download the FIPS components to be included in the container
$ sudo apt-get clean
$ sudo apt-get install -y --reinstall --download-only \
    openssh-client openssh-client-hmac openssh-server \
    openssh-server-hmac strongswan strongswan-hmac \
    openssh-sftp-server libstrongswan libstrongswan-standard-plugins \
    strongswan-starter strongswan-libcharon strongswan-charon \
    openssl libssl1.1 libssl1.1-hmac kcapi-tools libkcapi1

# Next you’ll want to copy those deb packages to your build directory
$ cp /var/cache/apt/archives/*.deb ubuntu18-fips/packages/
$ cd ubuntu18-fips
$ cat >Dockerfile <<_EOF_
FROM ubuntu:18.04

RUN apt-get update
ADD packages packages/
RUN apt-get install -y ./packages/*.deb
RUN apt-get clean
RUN rm -rf ./packages
_EOF_

$ sudo docker build -t ubuntu18-fips .

To test your newly created container, on the Ubuntu Pro FIPS 18.04 LTS instance run:

$ sudo docker run -it ubuntu18-fips bash

Your container is now ready and can be pushed to your private registry and used to drive your workloads.
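Because the container inherits the host kernel, the one thing worth checking before you build or run the image is that the host is actually in FIPS mode. The following guard script is an added example and is not part of the original article or of Canonical's tooling: it reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (which a container sees from the host as well), refuses to start the container otherwise, and can report what the container itself observes. The image name ubuntu18-fips is the one built above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): only run the FIPS container
# when the host kernel reports FIPS mode, since the container uses that kernel.

# fips_kernel_enabled [FILE]
# Returns 0 when FILE (default: the kernel's fips_enabled flag) reads "1",
# 1 when it is missing, unreadable, or holds any other value.
fips_kernel_enabled() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$file" ] || return 1
    value=$(tr -d '[:space:]' < "$file" 2>/dev/null)
    [ "$value" = "1" ]
}

# run_fips_container IMAGE [COMMAND...]
# Wraps `docker run`, refusing to start IMAGE unless the host is in FIPS mode.
# Exit status 2 marks the refusal so CI jobs can distinguish it from docker errors.
run_fips_container() {
    image="$1"
    shift
    if ! fips_kernel_enabled; then
        echo "refusing to run $image: host kernel is not in FIPS mode" >&2
        return 2
    fi
    sudo docker run -it --rm "$image" "$@"
}

# container_fips_view IMAGE
# Prints the FIPS flag as seen from inside IMAGE; it mirrors the host value,
# which demonstrates why the host kernel, not the image, decides compliance.
container_fips_view() {
    image="${1:-ubuntu18-fips}"
    sudo docker run --rm "$image" cat /proc/sys/crypto/fips_enabled
}

# Usage when run directly, e.g.:  sh fips-guard.sh ubuntu18-fips bash
if [ "$#" -gt 0 ]; then
    run_fips_container "$@"
fi
```

The script takes no action when sourced or run without arguments, so it can be dropped into a build pipeline and its functions called individually; a non-FIPS host yields exit status 2 rather than silently running a non-compliant container.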

Summary

  • You can create and run FIPS-enabled containers on any host with a valid Ubuntu Advantage subscription or on Ubuntu Pro FIPS images.
  • You can run FIPS-enabled containers only on FIPS-enabled hosts to comply with the FIPS140-2 requirements.
