
RHOAISTRAT-214: Issue #362: feat(nbcs): build containers to be fips-ready #406

Merged

Conversation

jiridanek
Member

@jiridanek jiridanek commented Oct 2, 2024

We already have these flags enabled in the downstream build as part of the devops initiative to build with fips. It makes lots of sense to me to enable these flags in the odh Dockerfile as well, for consistency.

This is not intended to fully resolve https://issues.redhat.com/browse/RHOAISTRAT-214, but it's just a sensible first step done as a code improvement initiative, by following public advice in https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant.

Description

This PR was created by diffing the downstream and upstream Dockerfile, and then I made changes to the upstream Dockerfile to reflect the enhancements done downstream.

  1. Dockerfiles are brought closer together, especially to the Red Hat build; previously, sourcing things in a stand-alone RUN command had no effect
  2. The openssl fips-compatible library is linked into the manager binaries, to proactively address fips concerns

As a next step, cpaas Dockerfiles will need to be updated in turn with the new things here.

How Has This Been Tested?

GHA
running controller on fips-enabled cluster with no problems

  • quay.io/opendatahub/kubeflow-notebook-controller:pr-406
  • quay.io/opendatahub/odh-notebook-controller:pr-406

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@openshift-ci openshift-ci bot requested review from caponetto and dibryant October 2, 2024 09:46
@jiridanek
Member Author

/retest

Looks like a flake, let's retrigger without thinking.

@jiridanek
Member Author

First check, see that the expected fips-related symbols are in the binary

sh-4.4$ cat /manager | grep --binary-files=text -oh FIPS_mode
FIPS_mode
FIPS_mode
FIPS_mode
FIPS_mode
FIPS_mode
FIPS_mode

check that the binary is dynamically linked with libc

sh-4.4$ ldd /manager
 linux-vdso.so.1 (0x00007ffe7ccbd000)
 libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f08a5cb3000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f08a5a93000)
 libdl.so.2 => /lib64/libdl.so.2 (0x00007f08a588f000)
 libc.so.6 => /lib64/libc.so.6 (0x00007f08a54b9000)
 /lib64/ld-linux-x86-64.so.2 (0x00007f08a5ecb000)

https://developers.redhat.com/articles/2022/05/31/your-go-application-fips-compliant?source=sso#how_to_get_started

@jiridanek
Member Author

There are no suspicious messages in the logs.

@jiridanek
Member Author

For further improvements, maybe we should have a /healthz endpoint that has some diagnostics, or just dump these into the log at startup:

  • metadata about the binary, what it was built from, if it can be found
  • what the dependencies are; there is an introspection API for Go binaries so that they can write out their own deps
  • whether it's working in fips regimen or not

@jiridanek
Member Author

And the notebook is spawned just fine, so, let's consider this tested.

I used fips-enabled https://console-openshift-console.apps.ods-qe-psi-06

I had to change oauth-proxy image digest to 4f8d66597feeb32bb18699326029f9a71a5aca4a57679d636b876377c2e95695.

@jiridanek jiridanek force-pushed the jd_dockerfile_improvements branch from 34e06b6 to f45a06e Compare October 2, 2024 11:24
@harshad16
Member

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Do not merge this PR label Oct 2, 2024
@jiridanek jiridanek changed the base branch from v1.9-branch to main October 2, 2024 12:41
This takes inspiration from:

* The Notebooks 2.0 Dockerfile, which comes from a default recent Kubebuilder template, at
https://github.com/kubeflow/notebooks/blob/notebooks-v2/workspaces/controller/Dockerfile

* The Red Hat build Dockerfile (that's the Cachito part) in an internal repository.

This change brings multiple improvements:

1. Dockerfiles are brought closer together, especially to the Red Hat build; previously, sourcing things in a stand-alone RUN command had no effect
2. The openssl fips-compatible library is linked into the manager binaries, to proactively address fips concerns
@jiridanek jiridanek force-pushed the jd_dockerfile_improvements branch from f45a06e to 0400fc3 Compare October 2, 2024 12:42
@openshift-cherrypick-robot

@jiridanek: once the present PR merges, I will cherry-pick it on top of v1.9-branch in a new PR and assign it to you.

In response to this:

/cherrypick v1.9-branch

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@harshad16
Member

/cherrypick v1.9-branch

@jiridanek, please don't use cherrypick anymore for this repo;
main to v1.9-branch would be synced.
cherry-pick would only be needed if some other content is not being moved.

@jiridanek jiridanek changed the title Issue #362: feat(nbcs): build containers to be fips-ready NO-JIRA: Issue #362: feat(nbcs): build containers to be fips-ready Oct 4, 2024
Member

@jstourac jstourac left a comment


/lgtm in general

Two questions:

  1. Why doesn't TARGETARCH have a default value, similarly to TARGETOS?
  2. Should we have TARGETARCH defined in our Makefile?

@jiridanek jiridanek changed the title NO-JIRA: Issue #362: feat(nbcs): build containers to be fips-ready RHOAISTRAT-214: Issue #362: feat(nbcs): build containers to be fips-ready Nov 8, 2024
@jiridanek
Member Author

/unhold
@harshad16 I think we should have this upstream, since it is working just fine, and we actually have it downstream already, also in the konflux build.

@openshift-ci openshift-ci bot removed the do-not-merge/hold Do not merge this PR label Nov 8, 2024
@jstourac
Member

jstourac commented Nov 8, 2024

/lgtm

@jiridanek
Member Author

/approve
No point sitting on this; and our Dockerfiles don't affect the downstream build, not in cpaas and not in konflux, so there's no impact to Red Hat.


openshift-ci bot commented Nov 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiridanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 0d38196 into opendatahub-io:main Nov 13, 2024
15 checks passed
@jiridanek jiridanek deleted the jd_dockerfile_improvements branch November 13, 2024 10:47
Successfully merging this pull request may close these issues.

Build fips-ready