From 571de605346a93739051660ccee26717bb5412cb Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 12:18:41 +0530 Subject: [PATCH 01/12] Updating docker dependencies for 8.0.2-cp2 --- pom.xml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/pom.xml b/pom.xml index 1ab9b44ea3..ddd3538b48 100644 --- a/pom.xml +++ b/pom.xml @@ -35,25 +35,23 @@ ${io.confluent.common-docker.version}-${docker.ubi9.os_type} 8.0.2 - 8.10-1755105495 - 9.6-1754345610 - 9.6-1760515502 + 8.10-1761032271 + 9.7-1762965531 + 9.7-1762956380 1:3.2.2-6.el9_5.1 3.1.2 1.21.1-8.el9_4 7.92-3.el9 - 3.9.21-2.el9_6.2 - 1.34-7.el9 - 1.21.1-8.el9_4 - 7.92-3.el9 + 3.9.23-2.el9 + 2:1.34-7.el9 3.3.17-14.el9 1.21.1-8.el9_6 - 20210202-11.el9_6.3 + 20210202-15.el9_7 3.23-6.el9 5.2.5-8.el9_0 - 2.34-168.el9_6.23 + 2.34-231.el9_7.2 1:4.8.0-7.el9 20240828-2.git626aa59.el9_5 From 868c0f3bc7e846c0443d85a102658d9fa11e3908 Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 13:23:33 +0530 Subject: [PATCH 02/12] FIPS fixes --- base-java/Dockerfile.ubi9 | 13 +++++++------ base-java/openssl-fips.cnf | 2 +- base/Dockerfile.ubi9 | 11 ++++++----- base/openssl-fips.cnf | 2 +- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index f554aa2004..584d602e8a 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 
@@ -56,9 +56,10 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo # ENV required when manually installing openssl, -# for arm64 required binaries are present in /usr/local/lib -# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly -ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries +# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. @@ -71,18 +72,18 @@ RUN microdnf --nodocs -y install yum \ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ && cd openssl${OPENSSL_VERSION} \ && echo "installing FIPS compliant openssl" \ - && ./Configure enable-fips \ + && ./Configure enable-fips --prefix=/opt/openssl --openssldir=/opt/openssl/ssl \ && make > /dev/null 2>&1 \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ && cd .. \ && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ - && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && microdnf install -y \ "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \ "findutils${FINDUTILS_VERSION}" \ "hostname${HOSTNAME_VERSION}" \ "temurin-21-jre${TEMURIN_JDK_VERSION}" \ + && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && yum clean all \ && rm -rf /tmp/* \ && mkdir -p /etc/confluent/docker /usr/logs \ 
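Review bot: Prepending `/opt/openssl/lib64:/opt/openssl/lib` to `LD_LIBRARY_PATH` in an `ENV` placed before the package-install `RUN` makes every dynamically linked program in the rest of the build — `microdnf`, `yum`, and anything linked against the system `libcrypto.so.3`/`libssl.so.3` — resolve those sonames to the freshly built copies, because a self-built OpenSSL 3.x exports the same soname as the RHEL 9 system library. `ENV` also persists into the image, so the same shadowing applies at runtime to the JRE and, in `base/Dockerfile.ubi9` (matching hunk `@@ -87,9 +87,10 @@`), to `python3` and `pip`; the later "Fix order of setting path" commit only moves the exposure within the build. If only explicit callers are meant to use the custom build, drop the global `ENV LD_LIBRARY_PATH` and set it per command, or give the build a fixed search path at configure time, e.g. `./Configure enable-fips --prefix=/opt/openssl --openssldir=/opt/openssl/ssl --libdir=lib -Wl,-rpath,/opt/openssl/lib`, which also removes the arm64/amd64 `lib` vs `lib64` split the deleted comment describes.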
@@ -95,7 +96,7 @@ RUN microdnf --nodocs -y install yum \ RUN update-crypto-policies --set FIPS COPY license.txt /licenses -COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /opt/openssl/ssl/openssl-fips.cnf COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub diff --git a/base-java/openssl-fips.cnf b/base-java/openssl-fips.cnf index a697595091..e000ec95f8 100644 --- a/base-java/openssl-fips.cnf +++ b/base-java/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /usr/local/ssl/fipsmodule.cnf +.include /opt/openssl/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index a03962f018..3f2252b278 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 
@@ -87,9 +87,10 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ # ENV required when manually installing openssl, -# for arm64 required binaries are present in /usr/local/lib -# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly -ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries +# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. @@ -102,7 +103,7 @@ RUN microdnf --nodocs -y install yum \ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ && cd openssl${OPENSSL_VERSION} \ && echo "installing FIPS compliant openssl" \ - && ./Configure enable-fips \ + && ./Configure enable-fips --prefix=/opt/openssl --openssldir=/opt/openssl/ssl \ && make > /dev/null 2>&1 \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ @@ -153,7 +154,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}" COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/ COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/ -COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /opt/openssl/ssl/openssl-fips.cnf COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new 
diff --git a/base/openssl-fips.cnf b/base/openssl-fips.cnf index a697595091..e000ec95f8 100644 --- a/base/openssl-fips.cnf +++ b/base/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /usr/local/ssl/fipsmodule.cnf +.include /opt/openssl/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect From ff9ef8709eba6d430d4aef7cec8c73b68eb1cc17 Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 13:59:53 +0530 Subject: [PATCH 03/12] Fix order of setting path --- base-java/Dockerfile.ubi9 | 10 ++++------ base/Dockerfile.ubi9 | 10 ++++------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index 584d602e8a..efabc188cc 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 @@ -55,12 +55,6 @@ gpgcheck=1 \n\ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo -# ENV required when manually installing openssl, -# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries -# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH - # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. 
@@ -92,6 +86,10 @@ RUN microdnf --nodocs -y install yum \ && mkdir /licenses \ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures +# Set OpenSSL environment variables after all package installations to avoid affecting package managers +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH + # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. RUN update-crypto-policies --set FIPS diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index 3f2252b278..c105828246 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -86,12 +86,6 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo -# ENV required when manually installing openssl, -# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries -# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH - # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. 
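Review bot: Moving the two `ENV` lines below the install `RUN` shields only the build steps between the old and new positions; the values are still baked into the image, so at container runtime every program in it resolves `libcrypto.so.3`/`libssl.so.3` from `/opt/openssl` first, and the `RUN update-crypto-policies --set FIPS` that now follows the `ENV` also runs with the custom library ahead of the system one (on RHEL 9 that script appears to be a Python program, so this is worth verifying). The `base/Dockerfile.ubi9` hunk `@@ -140,6 +134,10 @@` has the same limitation. If keeping package managers on the system OpenSSL is the goal, the comment should state that the runtime exposure is intentional, or the `LD_LIBRARY_PATH` should be set inline on the individual commands that need it rather than via `ENV`.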
@@ -140,6 +134,10 @@ RUN microdnf --nodocs -y install yum \ && chown appuser:appuser -R /etc/confluent/ /usr/logs \ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures +# Set OpenSSL environment variables after all package installations to avoid affecting package managers +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH + # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. RUN update-crypto-policies --set FIPS From ba5a97a60d2d4e687b93e16fdfabf7959f027fb6 Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 14:27:36 +0530 Subject: [PATCH 04/12] Revert "Fix order of setting path" This reverts commit ff9ef8709eba6d430d4aef7cec8c73b68eb1cc17. --- base-java/Dockerfile.ubi9 | 10 ++++++---- base/Dockerfile.ubi9 | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index efabc188cc..584d602e8a 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 
@@ -55,6 +55,12 @@ gpgcheck=1 \n\ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo +# ENV required when manually installing openssl, +# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries +# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH + # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. @@ -86,10 +92,6 @@ RUN microdnf --nodocs -y install yum \ && mkdir /licenses \ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures -# Set OpenSSL environment variables after all package installations to avoid affecting package managers -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH - # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. RUN update-crypto-policies --set FIPS diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index c105828246..3f2252b278 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 
@@ -86,6 +86,12 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo +# ENV required when manually installing openssl, +# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries +# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths +ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH +ENV PATH=/opt/openssl/bin:$PATH + # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. @@ -134,10 +140,6 @@ RUN microdnf --nodocs -y install yum \ && chown appuser:appuser -R /etc/confluent/ /usr/logs \ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures -# Set OpenSSL environment variables after all package installations to avoid affecting package managers -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH - # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. RUN update-crypto-policies --set FIPS From 4965afb74a628eff4bb4c2d6698b2ea08134fe28 Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 14:27:46 +0530 Subject: [PATCH 05/12] Revert "FIPS fixes" This reverts commit 868c0f3bc7e846c0443d85a102658d9fa11e3908. --- base-java/Dockerfile.ubi9 | 13 ++++++------- base-java/openssl-fips.cnf | 2 +- base/Dockerfile.ubi9 | 11 +++++------ base/openssl-fips.cnf | 2 +- 4 files changed, 13 insertions(+), 15 deletions(-) 
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index 584d602e8a..f554aa2004 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 @@ -56,10 +56,9 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo # ENV required when manually installing openssl, -# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries -# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH +# for arm64 required binaries are present in /usr/local/lib +# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly +ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. 
@@ -72,18 +71,18 @@ RUN microdnf --nodocs -y install yum \ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ && cd openssl${OPENSSL_VERSION} \ && echo "installing FIPS compliant openssl" \ - && ./Configure enable-fips --prefix=/opt/openssl --openssldir=/opt/openssl/ssl \ + && ./Configure enable-fips \ && make > /dev/null 2>&1 \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ && cd .. \ && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ + && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && microdnf install -y \ "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \ "findutils${FINDUTILS_VERSION}" \ "hostname${HOSTNAME_VERSION}" \ "temurin-21-jre${TEMURIN_JDK_VERSION}" \ - && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && yum clean all \ && rm -rf /tmp/* \ && mkdir -p /etc/confluent/docker /usr/logs \ @@ -96,7 +95,7 @@ RUN microdnf --nodocs -y install yum \ RUN update-crypto-policies --set FIPS COPY license.txt /licenses -COPY openssl-fips.cnf /opt/openssl/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub diff --git a/base-java/openssl-fips.cnf b/base-java/openssl-fips.cnf index e000ec95f8..a697595091 100644 --- a/base-java/openssl-fips.cnf +++ b/base-java/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /opt/openssl/ssl/fipsmodule.cnf +.include /usr/local/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index 3f2252b278..a03962f018 100644 
--- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 @@ -87,10 +87,9 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ # ENV required when manually installing openssl, -# Install OpenSSL to /opt/openssl to avoid conflicts with system libraries -# Update LD_LIBRARY_PATH to include both system and custom OpenSSL paths -ENV LD_LIBRARY_PATH=/opt/openssl/lib64:/opt/openssl/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH -ENV PATH=/opt/openssl/bin:$PATH +# for arm64 required binaries are present in /usr/local/lib +# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly +ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. @@ -103,7 +102,7 @@ RUN microdnf --nodocs -y install yum \ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ && cd openssl${OPENSSL_VERSION} \ && echo "installing FIPS compliant openssl" \ - && ./Configure enable-fips --prefix=/opt/openssl --openssldir=/opt/openssl/ssl \ + && ./Configure enable-fips \ && make > /dev/null 2>&1 \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ 
@@ -154,7 +153,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}" COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/ COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/ -COPY openssl-fips.cnf /opt/openssl/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new diff --git a/base/openssl-fips.cnf b/base/openssl-fips.cnf index e000ec95f8..a697595091 100644 --- a/base/openssl-fips.cnf +++ b/base/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /opt/openssl/ssl/fipsmodule.cnf +.include /usr/local/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect From 4b805912218f247bf641f4a46286fc864bd0377a Mon Sep 17 00:00:00 2001 From: KrishVora01 Date: Mon, 17 Nov 2025 16:27:08 +0530 Subject: [PATCH 06/12] ai fix with fips testing --- base-java/Dockerfile.ubi9 | 59 ++++++++++++++++++++++------------ base-java/openssl-fips.cnf | 2 +- base/Dockerfile.ubi9 | 66 ++++++++++++++++++++++++-------------- base/openssl-fips.cnf | 2 +- 4 files changed, 83 insertions(+), 46 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index f554aa2004..aedb8a0144 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 
@@ -55,47 +55,66 @@ gpgcheck=1 \n\ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo -# ENV required when manually installing openssl, -# for arm64 required binaries are present in /usr/local/lib -# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly -ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH - -# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. -# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. -# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. -# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description +# Install system packages first to establish baseline RUN microdnf --nodocs -y install yum \ && yum --nodocs -q update -y \ - && yum --nodocs -q install -y wget tar gzip make perl gcc \ + && microdnf install -y \ + "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \ + "findutils${FINDUTILS_VERSION}" \ + "hostname${HOSTNAME_VERSION}" \ + "temurin-21-jre${TEMURIN_JDK_VERSION}" \ + && yum clean all \ + && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures + +# Install FIPS-compliant OpenSSL to custom prefix to avoid conflicts with system Python +# This approach maintains FIPS compliance while preserving system stability +RUN yum --nodocs -q install -y wget tar gzip make perl gcc \ && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \ && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ && cd openssl${OPENSSL_VERSION} \ - && echo "installing FIPS 
compliant openssl" \ - && ./Configure enable-fips \ + && echo "installing FIPS compliant openssl to /opt/openssl-fips" \ + && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \ && make > /dev/null 2>&1 \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ + && echo "initializing FIPS module..." \ + && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module /opt/openssl-fips/lib64/ossl-modules/fips.so \ + && echo "FIPS module initialized successfully" \ && cd .. \ && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ - && microdnf install -y \ - "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \ - "findutils${FINDUTILS_VERSION}" \ - "hostname${HOSTNAME_VERSION}" \ - "temurin-21-jre${TEMURIN_JDK_VERSION}" \ && yum clean all \ && rm -rf /tmp/* \ && mkdir -p /etc/confluent/docker /usr/logs \ && useradd --no-log-init --create-home --shell /bin/bash appuser \ && chown appuser:appuser -R /etc/confluent/ /usr/logs \ - && mkdir /licenses \ - && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures + && mkdir /licenses + +# Set environment for FIPS OpenSSL only when needed - don't interfere with system Python +ENV FIPS_OPENSSL_PATH=/opt/openssl-fips +ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. 
RUN update-crypto-policies --set FIPS +# Validate FIPS OpenSSL installation using Chainguard FIPS test +RUN yum install -y gcc make \ + && curl -sSL https://github.com/chainguard-dev/openssl-fips-test/archive/refs/heads/main.tar.gz -o /tmp/openssl-fips-test.tar.gz \ + && cd /tmp && tar -xzf openssl-fips-test.tar.gz \ + && cd openssl-fips-test-main \ + && echo "Building Chainguard OpenSSL FIPS test tool..." \ + && export PKG_CONFIG_PATH=/opt/openssl-fips/lib64/pkgconfig:/opt/openssl-fips/lib/pkgconfig:$PKG_CONFIG_PATH \ + && export CPPFLAGS="-I/opt/openssl-fips/include" \ + && export LDFLAGS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib" \ + && make OPENSSL_CFLAGS="-I/opt/openssl-fips/include" OPENSSL_LIBS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib -lssl -lcrypto" \ + && echo "Running comprehensive FIPS validation test..." \ + && OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib ./openssl-fips-test \ + && echo "✅ Chainguard FIPS OpenSSL validation passed!" \ + && cd / && rm -rf /tmp/openssl-fips-test* \ + && yum remove -y gcc make --setopt=clean_requirements_on_remove=1 + COPY license.txt /licenses -COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub diff --git a/base-java/openssl-fips.cnf b/base-java/openssl-fips.cnf index a697595091..0ba5df735a 100644 --- a/base-java/openssl-fips.cnf +++ b/base-java/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /usr/local/ssl/fipsmodule.cnf +.include /opt/openssl-fips/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect 
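Review bot: The validation `RUN` sets `OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf`, but that file is only created by the `COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf` further down this hunk, so when `./openssl-fips-test` runs the config does not exist yet; as far as I can tell OpenSSL ignores a missing `OPENSSL_CONF` file rather than erroring, so a green result here does not show that the FIPS provider loads from the shipped config. Move the `COPY` above the validation step or fail closed with `test -f "$OPENSSL_CONF"` before running the tool; `base/Dockerfile.ubi9` hunk `@@ -132,16 +112,54 @@` has the same ordering, with its `COPY` in `@@ -153,7 +171,7 @@`. The tool itself is fetched with `curl -sSL .../archive/refs/heads/main.tar.gz` and compiled into the build with no pinned commit or checksum, which makes the image non-reproducible and trusts whatever that branch contains at build time — pin a tag or commit archive and verify it with `sha256sum -c`. Separately, `/opt/openssl-fips/bin/openssl fipsinstall` is invoked with no `LD_LIBRARY_PATH` now that the old `ENV` is gone; unless the build embeds an RPATH (which `./Configure` does not do by default on Linux) that binary will pick up the system `libcrypto.so.3`, so the explicit `LD_LIBRARY_PATH=...` already used on the test invocation should be applied to this call too, or `-Wl,-rpath,/opt/openssl-fips/lib64` passed to `./Configure`.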
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9 index a03962f018..25cb174a02 100644 --- a/base/Dockerfile.ubi9 +++ b/base/Dockerfile.ubi9 
@@ -86,29 +86,9 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\ " > /etc/yum.repos.d/adoptium.repo -# ENV required when manually installing openssl, -# for arm64 required binaries are present in /usr/local/lib -# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly -ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH - -# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/. -# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner. -# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL. -# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description +# Install system packages first to establish baseline and avoid Python conflicts RUN microdnf --nodocs -y install yum \ && yum --nodocs -q update -y \ - && yum --nodocs -q install -y wget tar gzip make perl gcc \ - && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \ - && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ - && cd openssl${OPENSSL_VERSION} \ - && echo "installing FIPS compliant openssl" \ - && ./Configure enable-fips \ - && make > /dev/null 2>&1 \ - && make install > /dev/null 2>&1 \ - && echo "successfully installed FIPS compliant openssl" \ - && cd .. \ - && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ - && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && yum --nodocs install -y --setopt=install_weak_deps=False \ git \ "wget${WGET_VERSION}" \ 
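Review bot: The four removed comment lines pointing at the OpenSSL supported-versions page, the per-version security policy document and the `fips_module(7)` configuration notes are not carried over to the new OpenSSL `RUN` in the next hunk, which gets only `# Install FIPS-compliant OpenSSL to custom prefix to avoid conflicts with system Python`; the same happens in the `base-java/Dockerfile.ubi9` hunk `@@ -55,47 +55,66 @@`. Those links are the only record of why `OPENSSL_VERSION` must be a FIPS-validated release, so I would keep them on the new build step, e.g. `# Only specific OpenSSL versions are FIPS-validated; see https://openssl-library.org/source/ and the matching security policy before bumping OPENSSL_VERSION.`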
@@ -132,16 +112,54 @@ RUN microdnf --nodocs -y install yum \ && python3 -m pip install --upgrade "setuptools${PYTHON_SETUPTOOLS_VERSION}" \ && python3 -m pip install --prefer-binary --prefix=/usr/local --upgrade "${PYTHON_CONFLUENT_DOCKER_UTILS_INSTALL_SPEC}" \ && yum remove -y git \ + && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures + +# Install FIPS-compliant OpenSSL to custom prefix to avoid conflicts with system Python +# This approach maintains FIPS compliance while preserving system stability +RUN yum --nodocs -q install -y wget tar gzip make perl gcc \ + && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \ + && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \ + && cd openssl${OPENSSL_VERSION} \ + && echo "installing FIPS compliant openssl to /opt/openssl-fips" \ + && ./Configure enable-fips --prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl \ + && make > /dev/null 2>&1 \ + && make install > /dev/null 2>&1 \ + && echo "successfully installed FIPS compliant openssl" \ + && echo "initializing FIPS module..." \ + && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module /opt/openssl-fips/lib64/ossl-modules/fips.so \ + && echo "FIPS module initialized successfully" \ + && cd .. 
\ + && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ + && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \ && yum clean all \ && rm -rf /tmp/* \ && mkdir -p /etc/confluent/docker /usr/logs \ && useradd --no-log-init --create-home --shell /bin/bash appuser \ - && chown appuser:appuser -R /etc/confluent/ /usr/logs \ - && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures + && chown appuser:appuser -R /etc/confluent/ /usr/logs + +# Set environment for FIPS OpenSSL only when needed - don't interfere with system Python +ENV FIPS_OPENSSL_PATH=/opt/openssl-fips +ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP. RUN update-crypto-policies --set FIPS +# Validate FIPS OpenSSL installation using Chainguard FIPS test +RUN yum install -y gcc make \ + && curl -sSL https://github.com/chainguard-dev/openssl-fips-test/archive/refs/heads/main.tar.gz -o /tmp/openssl-fips-test.tar.gz \ + && cd /tmp && tar -xzf openssl-fips-test.tar.gz \ + && cd openssl-fips-test-main \ + && echo "Building Chainguard OpenSSL FIPS test tool..." \ + && export PKG_CONFIG_PATH=/opt/openssl-fips/lib64/pkgconfig:/opt/openssl-fips/lib/pkgconfig:$PKG_CONFIG_PATH \ + && export CPPFLAGS="-I/opt/openssl-fips/include" \ + && export LDFLAGS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib" \ + && make OPENSSL_CFLAGS="-I/opt/openssl-fips/include" OPENSSL_LIBS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib -lssl -lcrypto" \ + && echo "Running comprehensive FIPS validation test..." \ + && OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib ./openssl-fips-test \ + && echo "✅ Chainguard FIPS OpenSSL validation passed!" 
\ + && cd / && rm -rf /tmp/openssl-fips-test* \ + && yum remove -y gcc make --setopt=clean_requirements_on_remove=1 + # This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed. # The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which # is not advisable in terms of security posture. If set to false (which triggers a shell exit(1) if the check fails from the left @@ -153,7 +171,7 @@ RUN yum check-update || "${SKIP_SECURITY_UPDATE_CHECK}" COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/doc/* /usr/share/doc/${ARTIFACT_ID}/ COPY --chown=appuser:appuser target/${ARTIFACT_ID}-${PROJECT_VERSION}-package/share/java/${ARTIFACT_ID}/* /usr/share/java/${ARTIFACT_ID}/ -COPY openssl-fips.cnf /usr/local/ssl/openssl-fips.cnf +COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf COPY --chown=appuser:appuser include/etc/confluent/docker /etc/confluent/docker COPY --chown=appuser:appuser include/etc/cp-base-new /etc/cp-base-new diff --git a/base/openssl-fips.cnf b/base/openssl-fips.cnf index a697595091..0ba5df735a 100644 --- a/base/openssl-fips.cnf +++ b/base/openssl-fips.cnf @@ -48,7 +48,7 @@ tsa_policy3 = 1.2.3.4.5.7 # fips provider. It contains a named section e.g. [fips_sect] which is # referenced from the [provider_sect] below. # Refer to the OpenSSL security policy for more information. -.include /usr/local/ssl/fipsmodule.cnf +.include /opt/openssl-fips/ssl/fipsmodule.cnf [openssl_init] providers = provider_sect From 275bd00d5366575915c931729eae77daf51c67c4 Mon Sep 17 00:00:00 2001 
From: KrishVora01 Date: Mon, 17 Nov 2025 16:56:37 +0530 Subject: [PATCH 07/12] fixes testing --- base-java/Dockerfile.ubi9 | 22 +++++----------------- base-java/openssl-fips.cnf | 4 ++++ base/Dockerfile.ubi9 | 22 ++++++---------------- base/openssl-fips.cnf | 4 ++++ 4 files changed, 19 insertions(+), 33 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index aedb8a0144..5431f1c2dc 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 @@ -78,7 +78,9 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \ && make install > /dev/null 2>&1 \ && echo "successfully installed FIPS compliant openssl" \ && echo "initializing FIPS module..." \ - && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module /opt/openssl-fips/lib64/ossl-modules/fips.so \ + && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \ + && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \ + && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \ && echo "FIPS module initialized successfully" \ && cd .. \ && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \ 
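Review bot: `FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1)` can legitimately be empty (wrong libdir, failed `make install`), and the unquoted `-module ${FIPS_MODULE_PATH}` then leaves `-module` with no value, so the build fails on an option-parsing error rather than on the real cause; add `&& test -n "${FIPS_MODULE_PATH}" \` after the `echo "Found FIPS module at: ..."` line and quote the expansion as `-module "${FIPS_MODULE_PATH}"`. The `base/Dockerfile.ubi9` hunk `@@ -126,7 +126,9 @@` needs the same two changes. Passing `--libdir=lib` to `./Configure` would make the module path deterministic on both architectures and remove the need for the `find` altogether; note also that `make install` with `enable-fips` already runs `fipsinstall` and writes `fipsmodule.cnf` into `--openssldir`, so this step most likely regenerates an existing file — harmless, but worth a comment saying so.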
@@ -97,24 +99,10 @@ ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
-# Validate FIPS OpenSSL installation using Chainguard FIPS test
-RUN yum install -y gcc make \
- && curl -sSL https://github.com/chainguard-dev/openssl-fips-test/archive/refs/heads/main.tar.gz -o /tmp/openssl-fips-test.tar.gz \
- && cd /tmp && tar -xzf openssl-fips-test.tar.gz \
- && cd openssl-fips-test-main \
- && echo "Building Chainguard OpenSSL FIPS test tool..." \
- && export PKG_CONFIG_PATH=/opt/openssl-fips/lib64/pkgconfig:/opt/openssl-fips/lib/pkgconfig:$PKG_CONFIG_PATH \
- && export CPPFLAGS="-I/opt/openssl-fips/include" \
- && export LDFLAGS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib" \
- && make OPENSSL_CFLAGS="-I/opt/openssl-fips/include" OPENSSL_LIBS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib -lssl -lcrypto" \
- && echo "Running comprehensive FIPS validation test..." \
- && OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib ./openssl-fips-test \
- && echo "✅ Chainguard FIPS OpenSSL validation passed!" \
- && cd / && rm -rf /tmp/openssl-fips-test* \
- && yum remove -y gcc make --setopt=clean_requirements_on_remove=1
-
+# Copy FIPS configuration file
 COPY license.txt /licenses
 COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
+
 COPY --from=build-ub-package-dedupe /build/package_dedupe/package_dedupe /usr/bin/package_dedupe
 COPY --from=build-ub-package-dedupe /build/ub/ub /usr/bin/ub
diff --git a/base-java/openssl-fips.cnf b/base-java/openssl-fips.cnf
index 0ba5df735a..fd3d55e9b8 100644
--- a/base-java/openssl-fips.cnf
+++ b/base-java/openssl-fips.cnf
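Review bot: Removing the Chainguard test leaves the image with no build-time evidence that the provider in `/opt/openssl-fips` actually activates from `openssl-fips.cnf`; a bad `fipsinstall` output, a wrong `.include` path or a stale `module-mac` would now surface only at runtime in whichever consumer loads the library first. A replacement that needs no compiler can sit right after the `COPY openssl-fips.cnf` line: `RUN OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf /opt/openssl-fips/bin/openssl list -providers | grep -q "OpenSSL FIPS Provider"` (the name as `openssl list` prints it; adjust if this build prints something else). The deleted block was also the only step that exercised the `OPENSSL_CONF` plus `LD_LIBRARY_PATH` combination this series later bakes into `ENV`. The same deletion is made in base/Dockerfile.ubi9 (`@@ -144,21 +146,9 @@` below).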
@@ -61,6 +61,10 @@ fips = fips_sect
 [alg_sect]
 default_properties = fips=yes
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 25cb174a02..1431597831 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -126,7 +126,9 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && make install > /dev/null 2>&1 \
 && echo "successfully installed FIPS compliant openssl" \
 && echo "initializing FIPS module..." \
- && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module /opt/openssl-fips/lib64/ossl-modules/fips.so \
+ && FIPS_MODULE_PATH=$(find /opt/openssl-fips/lib* -name "fips.so" | head -1) \
+ && echo "Found FIPS module at: ${FIPS_MODULE_PATH}" \
+ && /opt/openssl-fips/bin/openssl fipsinstall -out /opt/openssl-fips/ssl/fipsmodule.cnf -module ${FIPS_MODULE_PATH} \
 && echo "FIPS module initialized successfully" \
 && cd .. \
 && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
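Review bot: The hand-written `[fips_sect]` duplicates a section that the `.include /opt/openssl-fips/ssl/fipsmodule.cnf` line earlier in this file already supplies, because `openssl fipsinstall` writes a `[fips_sect]` carrying `activate = 1` together with the `module-mac`/`install-mac` integrity values; OpenSSL's config parser merges same-named sections, so this only works because the two `activate` values agree. If it was meant as a fallback for a missing or broken fipsmodule.cnf it is not one, since without the integrity values the provider fails its self-test and the error then appears far from its cause. Either drop the section or make the comment say it is intentionally redundant, e.g. `# fipsmodule.cnf (included above) already defines [fips_sect]; kept only as an explicit activation marker`. The same lines are added to base/openssl-fips.cnf in its `@@ -61,6 +61,10 @@` hunk below.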
@@ -144,21 +146,9 @@ ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
-# Validate FIPS OpenSSL installation using Chainguard FIPS test
-RUN yum install -y gcc make \
- && curl -sSL https://github.com/chainguard-dev/openssl-fips-test/archive/refs/heads/main.tar.gz -o /tmp/openssl-fips-test.tar.gz \
- && cd /tmp && tar -xzf openssl-fips-test.tar.gz \
- && cd openssl-fips-test-main \
- && echo "Building Chainguard OpenSSL FIPS test tool..." \
- && export PKG_CONFIG_PATH=/opt/openssl-fips/lib64/pkgconfig:/opt/openssl-fips/lib/pkgconfig:$PKG_CONFIG_PATH \
- && export CPPFLAGS="-I/opt/openssl-fips/include" \
- && export LDFLAGS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib" \
- && make OPENSSL_CFLAGS="-I/opt/openssl-fips/include" OPENSSL_LIBS="-L/opt/openssl-fips/lib64 -L/opt/openssl-fips/lib -lssl -lcrypto" \
- && echo "Running comprehensive FIPS validation test..." \
- && OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib ./openssl-fips-test \
- && echo "✅ Chainguard FIPS OpenSSL validation passed!" \
- && cd / && rm -rf /tmp/openssl-fips-test* \
- && yum remove -y gcc make --setopt=clean_requirements_on_remove=1
+# Copy FIPS configuration file
+COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
+
 # This is a step that will cause the build to fail of the package manager detects a package update is availible and isn't installed.
 # The ARG SKIP_SECURITY_UPDATE_CHECK is an "escape" hatch if you want to by-pass this check and build the container anyways, which
diff --git a/base/openssl-fips.cnf b/base/openssl-fips.cnf
index 0ba5df735a..fd3d55e9b8 100644
--- a/base/openssl-fips.cnf
+++ b/base/openssl-fips.cnf
@@ -61,6 +61,10 @@ fips = fips_sect
 [alg_sect]
 default_properties = fips=yes
+# FIPS provider configuration - this section is referenced from [provider_sect]
+[fips_sect]
+activate = 1
+
 # If no providers are activated explicitly, the default one is activated implicitly.
 # See man 7 OSSL_PROVIDER-default for more details.
 #
From 3d1aaa68fa0ff0e30258f3ebfb5f25e9d12e5f63 Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Mon, 17 Nov 2025 19:42:12 +0530
Subject: [PATCH 08/12] Add missing env vars
---
 base-java/Dockerfile.ubi9 | 1 +
 base/Dockerfile.ubi9 | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index 5431f1c2dc..714e43112f 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
@@ -95,6 +95,7 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 # Set environment for FIPS OpenSSL only when needed - don't interfere with system Python
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 1431597831..5eed0fbffd 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -132,7 +132,7 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && echo "FIPS module initialized successfully" \
 && cd .. \
 && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
- && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
+ && yum remove -y wget tar gzip make perl gcc --setopt=clean_requirements_on_remove=1 \
 && yum clean all \
 && rm -rf /tmp/* \
 && mkdir -p /etc/confluent/docker /usr/logs \
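Review bot: `ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf` is inherited by every process in the final image, not only by the FIPS build of OpenSSL: UBI's own libcrypto, used by the system `curl`, Python and `update-crypto-policies`, also honours `OPENSSL_CONF`, and will then read a config whose included `module-mac` was computed over `/opt/openssl-fips`'s `fips.so`, with `activate = 1` and no `module` path of its own. Whether RHEL's libcrypto tolerates that or fails at init should be confirmed before merging, and the comment three lines up, "only when needed - don't interfere with system Python", now says the opposite of what this variable does. If the variable has to be global, say so where it is set, e.g. `# OPENSSL_CONF is process-wide: the system OpenSSL consumers in this image read this file too`. The same line is added to base/Dockerfile.ubi9 in the next hunk (`@@ -142,6 +142,7 @@`).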
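Review bot: The cleanup list in base/Dockerfile.ubi9 now reads `wget tar gzip make perl gcc`, while base-java/Dockerfile.ubi9 keeps `wget tar make perl gcc glibc-gconv-extra` (visible as context in its `@@ -85,14 +87,20 @@` hunk in PATCH 09), so the two runtime images end up with different leftovers from the toolchain: base keeps `glibc-gconv-extra`, base-java keeps `gzip`. If the divergence is deliberate a comment on this line should say why, e.g. `# differs from base-java: gzip removed here, glibc-gconv-extra kept because <reason>`; otherwise the two lists should be aligned, since stray build tooling in a runtime layer is exactly what image scanners flag. The enclosing RUN starts and ends outside this hunk.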
@@ -142,6 +142,7 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 # Set environment for FIPS OpenSSL only when needed - don't interfere with system Python
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
+ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
 # enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
 RUN update-crypto-policies --set FIPS
From edc35c24800b79154026fb50e823ec3a3c4b99d2 Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Wed, 19 Nov 2025 10:46:34 +0530
Subject: [PATCH 09/12] Adding previous comments back, fixing installation order
---
 base-java/Dockerfile.ubi9 | 36 ++++++++++++++++++++++--------------
 base/Dockerfile.ubi9 | 14 +++++++++++---
 2 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index 714e43112f..6f19e9964d 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
@@ -5,6 +5,9 @@ ARG DOCKER_UPSTREAM_TAG
 ARG GOLANG_VERSION
 ARG UBI_MINIMAL_VERSION
 ARG OPENSSL_VERSION
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION=""
+ARG FINDUTILS_VERSION=""
+ARG HOSTNAME_VERSION=""
 FROM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe
 RUN useradd --no-log-init --create-home --shell /bin/bash appuser
@@ -55,20 +58,19 @@ gpgcheck=1 \n\
 gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
-# Install system packages first to establish baseline
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
+# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
+# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
+# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
+# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
 RUN microdnf --nodocs -y install yum \
 && yum --nodocs -q update -y \
- && microdnf install -y \
- "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
- "findutils${FINDUTILS_VERSION}" \
- "hostname${HOSTNAME_VERSION}" \
- "temurin-21-jre${TEMURIN_JDK_VERSION}" \
- && yum clean all \
- && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
-
-# Install FIPS-compliant OpenSSL to custom prefix to avoid conflicts with system Python
-# This approach maintains FIPS compliance while preserving system stability
-RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
+ && yum --nodocs -q install -y wget tar gzip make perl gcc \
 && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
 && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
 && cd openssl${OPENSSL_VERSION} \
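Review bot: The OpenSSL source is still fetched with `wget -q https://github.com/openssl/openssl/releases/download/...` and built with no integrity check, which matters more here than for an ordinary dependency: a FIPS 140 validation is tied to the exact source archive named in the security policy, so a substituted or truncated download yields a module that passes `fipsinstall` yet is not the validated one, and the `-q` hides even the download error text. Pin the expected digest as a build argument (`ARG OPENSSL_SHA256`, a constructed name) and verify before extracting, `&& echo "${OPENSSL_SHA256}  openssl${OPENSSL_VERSION}.tar.gz" | sha256sum -c - \`, or verify the detached signature published on the same release page. The fetch line is context in this hunk, recurs in base/Dockerfile.ubi9 at `@@ -114,8 +120,10 @@` below, and survives the re-split in PATCH 10. The enclosing RUN ends outside this hunk.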
@@ -85,14 +87,20 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && cd .. \
 && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
 && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
+ && microdnf install -y \
+ "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
+ "findutils${FINDUTILS_VERSION}" \
+ "hostname${HOSTNAME_VERSION}" \
+ "temurin-21-jre${TEMURIN_JDK_VERSION}" \
 && yum clean all \
 && rm -rf /tmp/* \
 && mkdir -p /etc/confluent/docker /usr/logs \
 && useradd --no-log-init --create-home --shell /bin/bash appuser \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs \
- && mkdir /licenses
+ && mkdir /licenses \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
-# Set environment for FIPS OpenSSL only when needed - don't interfere with system Python
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 5eed0fbffd..6f5df54dbf 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -86,6 +86,12 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
 # Install system packages first to establish baseline and avoid Python conflicts
 RUN microdnf --nodocs -y install yum \
 && yum --nodocs -q update -y \
@@ -114,8 +120,10 @@ RUN microdnf --nodocs -y install yum \
 && yum remove -y git \
 && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
-# Install FIPS-compliant OpenSSL to custom prefix to avoid conflicts with system Python
-# This approach maintains FIPS compliance while preserving system stability
+# Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
+# Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
+# Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
+# For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
 RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
 && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
@@ -139,7 +147,7 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && useradd --no-log-init --create-home --shell /bin/bash appuser \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs
-# Set environment for FIPS OpenSSL only when needed - don't interfere with system Python
+# Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
From 1abca7231eaece55272dedffe3e5e48dac3fac35 Mon Sep 17 00:00:00 2001
From: KrishVora01 Date: Wed, 19 Nov 2025 11:17:32 +0530 Subject: [PATCH 10/12] Fix LD PATH setting order --- base-java/Dockerfile.ubi9 | 44 +++++++++++++++++++++++---------------- base/Dockerfile.ubi9 | 15 +++++++------ 2 files changed, 35 insertions(+), 24 deletions(-) diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9 index 6f19e9964d..6d54221d3c 100644 --- a/base-java/Dockerfile.ubi9 +++ b/base-java/Dockerfile.ubi9 @@ -5,9 +5,9 @@ ARG DOCKER_UPSTREAM_TAG ARG GOLANG_VERSION ARG UBI_MINIMAL_VERSION ARG OPENSSL_VERSION -ARG CRYPTO_POLICIES_SCRIPTS_VERSION="" -ARG FINDUTILS_VERSION="" -ARG HOSTNAME_VERSION="" +ARG CRYPTO_POLICIES_SCRIPTS_VERSION +ARG FINDUTILS_VERSION +ARG HOSTNAME_VERSION FROM docker.io/golang:${GOLANG_VERSION} AS build-ub-package-dedupe RUN useradd --no-log-init --create-home --shell /bin/bash appuser @@ -27,6 +27,10 @@ FROM registry.access.redhat.com/ubi9-minimal:${UBI_MINIMAL_VERSION} AS REFRESH ARG OPENSSL_VERSION ARG PROJECT_VERSION ARG ARTIFACT_ID +ARG CRYPTO_POLICIES_SCRIPTS_VERSION +ARG FINDUTILS_VERSION +ARG HOSTNAME_VERSION +ARG TEMURIN_JDK_VERSION # Remember where we came from LABEL io.confluent.docker.git.repo="confluentinc/common-docker" 
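Review bot: Dropping the `=""` defaults does not make the version pins mandatory: an `ARG` that is never passed still expands to the empty string inside `"crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}"` and its siblings, so a build that forgets a `--build-arg` silently installs whatever the repository serves that day, defeating the pinning that pom.xml presumably feeds in. The RUN that consumes these values (`@@ -58,19 +62,22 @@` below) can fail loudly instead with one shell check per variable ahead of the install, e.g. `&& : "${TEMURIN_JDK_VERSION:?TEMURIN_JDK_VERSION build-arg is required}" \`. The redeclaration inside the `REFRESH` stage is correct, since an `ARG` before `FROM` is visible only to `FROM` lines, and a one-line comment saying so, `# redeclared: ARGs declared before FROM are not visible inside a stage`, would stop the next reader from deleting one copy. base/Dockerfile.ubi9 keeps `=""` defaults (`@@ -63,6 +63,8 @@` below) and has the same silent-unpin behaviour.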
@@ -58,19 +62,22 @@ gpgcheck=1 \n\
 gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-# Also include the FIPS OpenSSL installation path for library discovery
-ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+# Install system packages first to establish baseline
+RUN microdnf --nodocs -y install yum \
+ && yum --nodocs -q update -y \
+ && microdnf install -y \
+ "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
+ "findutils${FINDUTILS_VERSION}" \
+ "hostname${HOSTNAME_VERSION}" \
+ "temurin-21-jre${TEMURIN_JDK_VERSION}" \
+ && yum clean all \
+ && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
 # Install a FIPS-enabled version of OpenSSL. Only specific versions of OpenSSL support FIPS. Verify the supported versions at https://openssl-library.org/source/.
 # Consult the security policy document for the specific OpenSSL version to ensure proper installation in a FIPS-compliant manner.
 # Security document can also be found at https://openssl-library.org/source/ corresponding to every supported version of OpenSSL.
 # For details on the necessary configuration changes in openssl.cnf, please refer to the documentation at: https://docs.openssl.org/3.0/man7/fips_module/#description
-RUN microdnf --nodocs -y install yum \
- && yum --nodocs -q update -y \
- && yum --nodocs -q install -y wget tar gzip make perl gcc \
+RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && wget -q https://github.com/openssl/openssl/releases/download/openssl${OPENSSL_VERSION}/openssl${OPENSSL_VERSION}.tar.gz \
 && tar -xzf openssl${OPENSSL_VERSION}.tar.gz \
 && cd openssl${OPENSSL_VERSION} \
@@ -87,18 +94,19 @@ RUN microdnf --nodocs -y install yum \
 && cd .. \
 && rm -rf openssl${OPENSSL_VERSION} openssl${OPENSSL_VERSION}.tar.gz \
 && yum remove -y wget tar make perl gcc glibc-gconv-extra --setopt=clean_requirements_on_remove=1 \
- && microdnf install -y \
- "crypto-policies-scripts${CRYPTO_POLICIES_SCRIPTS_VERSION}" \
- "findutils${FINDUTILS_VERSION}" \
- "hostname${HOSTNAME_VERSION}" \
- "temurin-21-jre${TEMURIN_JDK_VERSION}" \
 && yum clean all \
 && rm -rf /tmp/* \
 && mkdir -p /etc/confluent/docker /usr/logs \
 && useradd --no-log-init --create-home --shell /bin/bash appuser \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs \
- && mkdir /licenses \
- && rm /etc/yum.repos.d/adoptium.repo # Remove temurin-jdk repo to reduce intermittent build failures
+ && mkdir /licenses
+
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER system package installation to avoid interfering with build-time Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
 # Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 6f5df54dbf..98a5ad2c53 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -63,6 +63,8 @@ ARG HOSTNAME_VERSION=""
 ARG XZ_LIBS_VERSION=""
 ARG GLIBC_VERSION=""
 ARG CURL_VERSION=""
+ARG FINDUTILS_VERSION=""
+ARG CRYPTO_POLICIES_SCRIPTS_VERSION=""
 # Temurin JDK version
 ARG TEMURIN_JDK_VERSION=""
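Review bot: The new comment `# Set AFTER system package installation to avoid interfering with build-time Python` describes a build-time effect only; an `ENV` is recorded in the image config wherever it appears, so every process in the running container, including UBI's Python, `curl` and anything else linked against the system `libcrypto.so.3`/`libssl.so.3`, will resolve those sonames from `/opt/openssl-fips/lib64` first, because a self-built OpenSSL 3 presumably ships the same soname as RHEL's. That is a global library substitution rather than a scoped one, and it is the underlying reason the "system Python conflict" this series keeps working around exists at all. It deserves a sentence where the variable is set, e.g. `# NOTE: runtime-global; any binary linked to libcrypto.so.3 loads the /opt/openssl-fips copy`, and ideally a build-time smoke test that the system tools still start with it in effect; scoping the variable to the consumers that need the FIPS build (an RPATH or an entrypoint wrapper) would avoid the substitution entirely. The same move is made in base/Dockerfile.ubi9 at `@@ -147,6 +143,13 @@` below.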
@@ -86,12 +88,6 @@ gpgkey=https://adoptium.jfrog.io/artifactory/api/gpg/key/public \n\
 " > /etc/yum.repos.d/adoptium.repo
-# ENV required when manually installing openssl,
-# for arm64 required binaries are present in /usr/local/lib
-# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
-# Also include the FIPS OpenSSL installation path for library discovery
-ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
-
 # Install system packages first to establish baseline and avoid Python conflicts
 RUN microdnf --nodocs -y install yum \
 && yum --nodocs -q update -y \
@@ -147,6 +143,13 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && useradd --no-log-init --create-home --shell /bin/bash appuser \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs
+# ENV required when manually installing openssl,
+# for arm64 required binaries are present in /usr/local/lib
+# for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
+# Also include the FIPS OpenSSL installation path for library discovery
+# Set AFTER system package installation to avoid interfering with build-time Python
+ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
+
 # Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
 ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
From f51c1664ecc5e1091afad8991c43457f4251426e Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Wed, 19 Nov 2025 11:43:02 +0530
Subject: [PATCH 11/12] update crypto policies version
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index ddd3538b48..6b30fd2303 100644
--- a/pom.xml
+++ b/pom.xml
@@ -53,7 +53,7 @@ 5.2.5-8.el9_0 2.34-231.el9_7.2 1:4.8.0-7.el9
- 20240828-2.git626aa59.el9_5
+ 20250905-1.git377cc42.el9_7
 21.3.1-1.el9
From c044c5dc9ba88c46cf5d9397da674d461654b5ed Mon Sep 17 00:00:00 2001
From: KrishVora01
Date: Wed, 19 Nov 2025 12:14:10 +0530
Subject: [PATCH 12/12] fix order of fips update
---
 base-java/Dockerfile.ubi9 | 9 +++++----
 base/Dockerfile.ubi9 | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/base-java/Dockerfile.ubi9 b/base-java/Dockerfile.ubi9
index 6d54221d3c..b416fea2ce 100644
--- a/base-java/Dockerfile.ubi9
+++ b/base-java/Dockerfile.ubi9
@@ -101,11 +101,15 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs \
 && mkdir /licenses
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
+RUN update-crypto-policies --set FIPS
+
 # ENV required when manually installing openssl,
 # for arm64 required binaries are present in /usr/local/lib
 # for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
 # Also include the FIPS OpenSSL installation path for library discovery
-# Set AFTER system package installation to avoid interfering with build-time Python
+# Set AFT<br>ER crypto-policies update to avoid interfering with system Python
 ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
 # Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
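Review bot: The caveat carried by the comment this patch deletes further down — that `update-crypto-policies --set FIPS` cannot switch FIPS mode on by itself and is a no-op unless the host kernel already runs in FIPS mode — is missing from the new `# Enable FIPS in docker image BEFORE ...` comment, and it is the half a reader needs most, since the line otherwise reads as the step that makes the image FIPS. Keep it, e.g. `# Only effective when the host kernel has FIPS enabled; otherwise this is a no-op.` It is also worth stating that this call configures the system OpenSSL policy under /etc/crypto-policies, not the `/opt/openssl-fips` build, which takes its settings from the `OPENSSL_CONF` file set below unless that file includes the policy itself. The same edit is made in base/Dockerfile.ubi9 (`@@ -143,11 +143,15 @@`), and the comment is removed in the following hunk of each file.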
@@ -113,9 +117,6 @@ ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS
-
 # Copy FIPS configuration file
 COPY license.txt /licenses
 COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf
diff --git a/base/Dockerfile.ubi9 b/base/Dockerfile.ubi9
index 98a5ad2c53..db6a7f484b 100644
--- a/base/Dockerfile.ubi9
+++ b/base/Dockerfile.ubi9
@@ -143,11 +143,15 @@ RUN yum --nodocs -q install -y wget tar gzip make perl gcc \
 && useradd --no-log-init --create-home --shell /bin/bash appuser \
 && chown appuser:appuser -R /etc/confluent/ /usr/logs
+# Enable FIPS in docker image BEFORE setting FIPS OpenSSL environment variables
+# This avoids library conflicts with system Python during crypto-policies update
+RUN update-crypto-policies --set FIPS
+
 # ENV required when manually installing openssl,
 # for arm64 required binaries are present in /usr/local/lib
 # for amd64 required binaries are present in /usr/local/lib64, hence setting LD_LIBRARY_PATH accordingly
 # Also include the FIPS OpenSSL installation path for library discovery
-# Set AFTER system package installation to avoid interfering with build-time Python
+# Set AFTER crypto-policies update to avoid interfering with system Python
 ENV LD_LIBRARY_PATH=/opt/openssl-fips/lib64:/opt/openssl-fips/lib:/usr/local/lib64:/usr/local/lib:$LD_LIBRARY_PATH
 # Set environment for FIPS OpenSSL - ensure it's available in PATH and properly configured
@@ -155,9 +159,6 @@ ENV FIPS_OPENSSL_PATH=/opt/openssl-fips
 ENV PATH=$FIPS_OPENSSL_PATH/bin:$PATH
 ENV OPENSSL_CONF=/opt/openssl-fips/ssl/openssl-fips.cnf
-# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
-RUN update-crypto-policies --set FIPS
-
 # Copy FIPS configuration file
 COPY openssl-fips.cnf /opt/openssl-fips/ssl/openssl-fips.cnf