Configure observability SRE container for FIPS #17297
Merged
58 changes: 57 additions & 1 deletion docker/templates/Dockerfile.erb
@@ -92,12 +92,18 @@ RUN dnf -y upgrade && \
<% arch_command = 'uname -m' -%>
# Minimal distributions do not ship with en language packs.
<% locale = 'C.UTF-8' -%>
<% elsif %w(wolfi observability-sre).include?(image_flavor) %>
<% elsif image_flavor == 'wolfi' %>
<% base_image = 'docker.elastic.co/wolfi/chainguard-base' -%>
<% package_manager = 'apk' -%>
<% arch_command = 'uname -m' -%>
# Minimal distributions do not ship with en language packs.
<% locale = 'C.UTF-8' -%>
<% elsif image_flavor == 'observability-sre' %>
<% base_image = 'docker.elastic.co/wolfi/chainguard-base-fips' -%>
<% package_manager = 'apk' -%>
<% arch_command = 'uname -m' -%>
# Minimal distributions do not ship with en language packs.
<% locale = 'C.UTF-8' -%>
<% else -%>
<% base_image = 'ubuntu:20.04' -%>
<% package_manager = 'apt-get' -%>
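Review bot: the new `<% elsif image_flavor == 'observability-sre' %>` branch repeats the wolfi branch's package_manager, arch_command and locale assignments verbatim, so the two five-line blocks differ only in base_image and will drift the next time someone touches the Wolfi settings in one of them. The removed `<% elsif %w(wolfi observability-sre).include?(image_flavor) %>` test could stay, with the base image chosen inside it, for example `<% base_image = image_flavor == 'wolfi' ? 'docker.elastic.co/wolfi/chainguard-base' : 'docker.elastic.co/wolfi/chainguard-base-fips' -%>`. Separately, `chainguard-base-fips` is referenced with neither a tag nor a digest; for an image whose whole point is a validated crypto module, pinning the base by digest makes the FIPS-module version reproducible and auditable.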
@@ -175,6 +181,56 @@ WORKDIR /usr/share/logstash
ENV ELASTIC_CONTAINER true
ENV PATH=/usr/share/logstash/bin:$PATH

# Add FIPS configuration for observability-sre image flavor
<% if image_flavor == 'observability-sre' -%>

RUN mkdir -p /usr/share/logstash/config/security

# Copy JVM security configuration files from the unpacked tarball
RUN cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.security /usr/share/logstash/config/security/ && \
cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.policy /usr/share/logstash/config/security/ && \
chown --recursive logstash:root /usr/share/logstash/config/security/

# Convert JKS to BCFKS for truststore and keystore
RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
-srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
-destkeystore /usr/share/logstash/config/security/cacerts.bcfks \
-srcstoretype jks \
-deststoretype bcfks \
-providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-deststorepass changeit \
Member: Do we need to have these passwords configurable via an ENV parameter, or similar?

Member Author: I think the desire is to leave it as the default, as we are just converting the default. See the convention of using "changeit" here https://docs.oracle.com/javase/10/security/sample-truststores.htm

Member: I'm good with this

Member Author: Cool. As soon as I get #17298 merged I'm going to rebase this branch and get the commit and PR comments all fixed up! Thanks.

-srcstorepass changeit \
-noprompt

RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
-srckeystore /usr/share/logstash/jdk/lib/security/cacerts \
-destkeystore /usr/share/logstash/config/security/keystore.bcfks \
-srcstoretype jks \
-deststoretype bcfks \
-providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar \
-provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-deststorepass changeit \
-srcstorepass changeit \
-noprompt

# Set Java security properties through LS_JAVA_OPTS
ENV LS_JAVA_OPTS="\
Member: Would it be worth using JDK_JAVA_OPTIONS to ensure that any invocation of the JVM has the options prepended? If so, it may be useful to also include -Xbootclasspath/a to provide the bcfips jars.

Suggested change
ENV LS_JAVA_OPTS="\
ENV JDK_JAVA_OPTIONS="\
-Xbootclasspath/a="$(find /usr/share/logstash/logstash-core/lib/jars -name 'bc*-fips-*.jar' | awk '{printf colon $0; colon=":"}')"

Member Author: For sure, down to explore this more in a later iteration. That may be helpful for using the container for tests as well.

-Djava.security.properties=/usr/share/logstash/config/security/java.security \
-Djava.security.policy=/usr/share/logstash/config/security/java.policy \
-Djavax.net.ssl.keyStore=/usr/share/logstash/config/security/keystore.bcfks \
-Djavax.net.ssl.keyStoreType=BCFKS \
-Djavax.net.ssl.keyStoreProvider=BCFIPS \
-Djavax.net.ssl.keyStorePassword=changeit \
-Djavax.net.ssl.trustStore=/usr/share/logstash/config/security/cacerts.bcfks \
-Djavax.net.ssl.trustStoreType=BCFKS \
-Djavax.net.ssl.trustStoreProvider=BCFIPS \
-Djavax.net.ssl.trustStorePassword=changeit \
-Dssl.KeyManagerFactory.algorithm=PKIX \
-Dssl.TrustManagerFactory.algorithm=PKIX \
-Dorg.bouncycastle.fips.approved_only=true"
<% end -%>

# Provide a minimal configuration, so that simple invocations will provide
# a good experience.
<% if image_flavor == 'oss' -%>
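Review bot: the `chown --recursive logstash:root /usr/share/logstash/config/security/` at the end of the cp step runs before the two keytool steps create cacerts.bcfks and keystore.bcfks, so those two files keep the build user's ownership instead of logstash:root; move the chown into (or after) the second keytool RUN. The second keytool step also converts the same `/usr/share/logstash/jdk/lib/security/cacerts` a second time and wires the result in as `-Djavax.net.ssl.keyStore=/usr/share/logstash/config/security/keystore.bcfks`; a key store that holds only public CA certificates and no private key gives the JVM no identity for TLS, so this is just a duplicate of cacerts.bcfks. Either generate an empty BCFKS key store for operators to overlay or document that the keyStore properties must be overridden. On the ENV block: an image ENV is replaced wholesale by any `docker run -e LS_JAVA_OPTS=...` an operator adds for heap sizing, which silently drops `-Dorg.bouncycastle.fips.approved_only=true` and the BCFKS store settings with it; the JDK_JAVA_OPTIONS suggestion in the thread, or the jvm.options file, survives that. The `changeit` passwords in ENV are visible via docker inspect and to every process in the container, which is acceptable only because both stores contain nothing but the public cacerts; a comment saying so would stop a later change from baking a real key into the same path. Finally, `-providerpath /usr/share/logstash/logstash-core/lib/jars/bc-fips-2.0.0.jar` hard-codes the BC-FIPS version on two lines, so the build fails on the next dependency bump; resolving the jar with the same `bc*-fips-*.jar` glob the JDK_JAVA_OPTIONS suggestion uses avoids that.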