Valentin Viennot
on 25 May 2022
Create FIPS-enabled Ubuntu container images with 10-year security updates
Canonical’s UA and Pro customers can now fully benefit from their subscriptions directly in containerised environments and pipelines. The new UA client release (27.7+) makes it easier to enable FIPS mode in Ubuntu containers. It also automatically signs up CI/CD builds for 10-year security updates to never worry about production container images getting timely patches for high and critical CVEs.
Built for DevOps and Cloud Developers
We previously had a working solution to build and run FIPS-enabled containers on Ubuntu 18.04, but listening to and working with customers made it clear that it was anything but ideal. The workaround was complex and risked leaving credentials in the FIPS-enabled OCI image. It also required A LOT of steps and was poorly documented.
Containers are meant to be ephemeral and ubiquitous, and so are their builds. Whether it’s Azure Container Registry Tasks, AWS CodePipeline, Google Cloud Build, or Tekton pipelines, our customers are making the most of native container build facilities. They use public cloud services and serverless CI/CD functions to build their OCI images, eventually storing them in private repositories they trust.
As a result, we wanted to build an out-of-the-box solution that could run on any cloud-native service and environment and not only limited to Ubuntu Pro machines. That way, we would have the best solution to continuously build and run Ubuntu premium containers on any cloud platform, including on-prem CI/CDs.
This is now available to all users with the latest UA client, from a Dockerfile.
Read the “How to enable Ubuntu Advantage services in a Dockerfile” how-to guide on GitHub.
FIPS-enabled NGINX Docker image with
10-year updates on Ubuntu Pro 20.04
The latest UA (Ubuntu Advantage) client — the way Pro users access advanced Ubuntu features such as FIPS, CIS hardening, and Extended Security Maintenance — now fully supports containerised environments for OCI images to build and run. The resulting container images are required to run on UA-enabled or Ubuntu Pro hosts and VMs.
Did you know Ubuntu Advantage is free for personal use? Get started now.
How does it work? Here’s a simple example of building an NGINX container image using FIPS140-2 certified packages from Ubuntu. FIPS140-2 certified components enable FedRAMP, HIPAA, and PCI use cases. Additionally, in FIPS mode or not, enabling UA in container builds will ensure the built artefacts include the latest security updates. Ubuntu Pro packages are backed by a 10-year maintenance commitment by Canonical.
The UA subscription is passed as a build secret, using the following YAML syntax:
# ua-attach-config.yaml
token: <secret token from ubuntu.com/advantage>
enable_services:
- fips-updates
- esm-infra
The following Dockerfile and commands create an NGINX Docker image with FIPS-certified OpenSSL on Ubuntu 20.04 (FIPS mode is not yet available for the latest 22.04) passing the above ua-attach-config.yaml as a build secret. We start from Canonical’s prebuilt Ubuntu-based NGINX LTS image on AWS, enabling FIPS mode and ESM updates:
# Dockerfile
FROM public.ecr.aws/lts/nginx:1.18-20.04_beta
RUN --mount=type=secret,id=ua-attach-config \
apt-get update \
# install the UA client
&& apt-get install --no-install-recommends -y \
ubuntu-advantage-tools ca-certificates \
# attach a UA subscription
&& ua attach --attach-config /run/secrets/ua-attach-config \
# upgrade packages eligible for FIPS/ESM updates
&& apt-get upgrade -y \
&& apt-get install --no-install-recommends -y openssl \
# don’t forget to clean the layer and remove secrets!
# this removes the UA client and any authentication files
&& apt-get purge --auto-remove -y \
ubuntu-advantage-tools ca-certificates && \
rm -rf /var/lib/apt/lists/*
The FIPS-enabled NGINX docker image can be built using the following command, on any host and platform, for example using Docker BuildKit or Podman:
> DOCKER_BUILDKIT=1 docker build . --secret id=ua-attach-config,src=ua-attach-config.yaml -t nginx-fips:1.18
You can quickly get started by launching an Ubuntu Pro FIPS host on AWS EC2 and then validate that FIPS mode is indeed enabled for the built image following the instructions here. Note that you must be running on an UA-enabled/Ubuntu Pro host in FIPS mode in order to achieve FIPS compliance and in compliance with the usage licence, and that distribution of images built with UA services requires an agreement with Canonical.
# Example instructions available at:
# https://github.com/valentincanonical/ubuntu-ua-fips-nginx-example
> docker run --rm --name nginx-fips nginx-fips:1.18
> docker exec -it nginx-fips dpkg-query --show openssl
openssl 1.1.1f-1ubuntu2.fips.2.8
Easy, right? Make sure to read the How-to guide and to follow the comprehensive “Create an Ubuntu FIPS Docker image” related tutorial on the UA client GitHub repository for the latest up-to-date documentation.
And if you prefer to use prebuilt container images hardened and maintained by Canonical directly, you can read more about our LTS Docker images portfolio.
Please note NGINX’s statement, “NGINX tests and verifies that NGINX Plus operates correctly when it is run on a FIPS enabled OS that is running in FIPS mode. NGINX cannot make similar statements for NGINX Open Source […].” This example is only meant to be a proof-of-concept example and you should make appropriate considerations when trying to achieve full FIPS compliance.
Beyond FIPS mode on OCI images
You are now ready to add your UA/Ubuntu Pro credentials to your container build pipelines and start building 10-year secure and, if needed, FIPS container images.
If you want to understand better how compliance concepts apply to the world of container images, be sure to watch the “Rethinking compliance in a containerised world” talk recording from the Open Source Summit conference in Austin.
You can also read more about FIPS in Ubuntu containers and cloud VMs on the certifications section of our website.