Building and running FIPS containers on Ubuntu Pro FIPS


Canonical provides customers Ubuntu Pro images AWS Marketplace. Ubuntu Pro for AWS is a premium AMI designed by Canonical to provide additional coverage for production environments running in the cloud. It includes security and compliance services, enabled by default, in a form suitable for small to large-scale Linux enterprise operations — with no contract needed. Key features include live kernel patching, which provides instant security and longer uptimes, security patching of major open source workloads for production use, and certified components for FedRAMP, HIPAA, PCI and ISO use cases. Ubuntu Pro is backed by a 10-year maintenance commitment by Canonical.

One of the challenges early adopters of Pro faced was enabling FIPS modules for their deployments. While Canonical provided support for the same, they also wanted to make the customers have a better experience. Hence Canonical launched Ubuntu Pro with a pre-enabled FIPS module available for Ubuntu FIPS 18.04 and Ubuntu FIPS 16.04. It contains all the features of Ubuntu Pro, but is now FIPS enabled at launch!

In a containerized world, it is not enough to just launch an EC2 instance with a FIPS enabled Ubuntu. Customers are increasingly looking to build and run FIPS containers on Ubuntu Pro FIPS. This blog contains instructions to do the same. We have used the example of 18.04, but it is applicable for 16.04.

Launch EC2 instance using Ubuntu FIPS 18.04 LTS on AWS

Launch an Ubuntu FIPS 18.04 LTS on AWS. The instance comes with FIPS enabled out of the box. This instance will be used to build and run the containers with the FIPS packages.

Generating Docker containers with FIPS components

Once your FIPS worker is running, you can generate FIPS-compliant containers by bind mounting the worker’s apt configuration and installing packages directly. Note that the container LTS release should match the worker LTS release; in other words, use 18.04 LTS FIPS workers to generate 18.04 LTS FIPS containers.

Start by launching the container:

And then, once inside the container:

Include other packages and modifications as necessary above. Once the packages are installed, get the container ID, commit and tag the container as follows:

To test your newly created container:

About: Blog