
Add FIPS env var to build crossbuild images for FIPS compliance #495

Merged
merged 1 commit into from
Feb 7, 2025

Conversation

michel-laterman
Contributor

Create images that use the microsoft/go toolchain instead of the upstream go one so that crossbuild images can be used in order to make FIPS compliant binaries.

FIPS images can be created by setting FIPS=true, i.e.:

FIPS=true make -C go -f Makefile.debian11 build

Images will have their tag extension end in -fips


mergify bot commented Jan 27, 2025

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d is the label to automatically backport to the 1./d branch. /d is the digit
    NOTE: backport-skip has been added to this pull request.

@michel-laterman
Contributor Author

It looks like the builds are inconsistent; specifically the pcap installation

For the last buildkite execution debian11 failed when installing pcap with fips set to false

> [linux/arm64->amd64 final 4/4] RUN cd /libpcap/libpcap-1.8.1 && CC=aarch64-linux-gnu-gcc ./configure --enable-usb=no --enable-bluetooth=no --enable-dbus=no --host=aarch64-unknown-linux-gnu --with-pcap=linux && make:
3.680 checking build system type... aarch64-unknown-linux-gnu
4.955 checking host system type... aarch64-unknown-linux-gnu
5.357 checking target system type... aarch64-unknown-linux-gnu
5.364 checking for aarch64-unknown-linux-gnu-gcc... aarch64-linux-gnu-gcc
6.018 checking whether the C compiler works... no
6.392 configure: error: in `/libpcap/libpcap-1.8.1':
6.394 configure: error: C compiler cannot create executables
6.394 See `config.log' for more details

yet when fips was set to true the debian11 build succeeded

There is also inconsistent behaviour when compared across builds, i.e. the previous commit (where I fixed a typo in the label) https://buildkite.com/elastic/golang-crossbuild/builds/723 has debian10 fips:false as a failure, but this one succeeded with the most recent commit.

There is also an issue with the main branch around pcap, as well as other PRs (like #494)

@michel-laterman
Contributor Author

The most recent attempt had a segfault when compiling pcap for debian 9 fips:true:

202.1 aarch64-linux-gnu-gcc -fvisibility=hidden -fpic -I.  -DBUILDING_PCAP -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2    -c bpf_filter.c
202.3 aarch64-linux-gnu-gcc: internal compiler error: Segmentation fault (program cc1)
202.3 Please submit a full bug report,

This image was correctly built previously
Could the buildkite runners be under-resourcing the docker builds?

@v1v
Member

v1v commented Jan 30, 2025

> Could the buildkite runners be under-resourcing the docker builds?

I've been told you can configure the machineType settings to use a bigger VM. So far the current one is n1-standard-4.


How did I know the type?

  1. Go to https://buildkite.com/elastic/golang-crossbuild/builds/728
  2. Click on Timeline
  3. Look for Agent Targeting Rules.

How can you change the machine type?

  1. Go to https://github.com/elastic/golang-crossbuild/blob/main/.buildkite/pipeline.yml
  2. Search for:
        agents:
          provider: "gcp"
  3. And use
        agents:
          provider: "gcp"
          machineType: "<CHANGEME>"

And <CHANGEME> should be one valid value, for instance pick one Machine types from https://cloud.google.com/compute/docs/general-purpose-machines

@michel-laterman
Contributor Author

I tried to use n4-standard-4 but it looks like we can't find any runners: The job, :linux: Staging / Ubuntu X86_64 - Makefile - fips: false, has been canceled as it failed to get an agent after 5 tries.

I've updated the x86_64 builders to n1-standard-8 (from the default n1-standard-4) and so far only the debian12 fips:true job has failed (during pcap installation); I'm going to rerun a couple times to see if it's just a flaky build.

@michel-laterman
Contributor Author

buildkite test this

@michel-laterman
Contributor Author

I don't think increasing instance sizes helps

@michel-laterman
Contributor Author

I've tried running FIPS="false" buildkite/scripts/build.sh Makefile.debian11 on an n2-standard-8 buildkite VM and it completed successfully; however this has failed in the latest build.

@jlind23
Contributor

jlind23 commented Feb 4, 2025

@michel-laterman what are our next options then?


mergify bot commented Feb 5, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b FIPS-build upstream/FIPS-build
git merge upstream/main
git push upstream FIPS-build

@michel-laterman
Contributor Author

I've squashed my changes and rebased onto #502, I'll let this run (as a sanity check) but will likely need to disable ppc builds on debian12 in order to get this working

Add FIPS env var that will use the microsoft/go toolchain instead of the
standard upstream go toolchain for crossbuild images. Images created in
this way will have CGO enabled by default and have
GOEXPERIMENT=systemcrypto set so that binaries created in the image are
FIPS compliant by default.
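An added example, not code from this PR or from the golang-crossbuild project: a POSIX shell check that confirms a binary was produced the way the commit message above intends, with CGO enabled and GOEXPERIMENT=systemcrypto. It inspects the build settings that `go version -m <binary>` prints; that Go records GOEXPERIMENT in the embedded build info when it is set is assumed here, and the two sample outputs, the `beat` binary name and the `example.com/beat` module path are constructed placeholders so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of golang-crossbuild. Verifies that a Go binary
# carries the two build settings the FIPS images are meant to produce:
#   build CGO_ENABLED=1              (systemcrypto needs cgo to reach system crypto)
#   build GOEXPERIMENT=systemcrypto  (crypto routed to the platform library)
# The function takes the text of `go version -m <binary>` as its argument, so
# it can be run on real output or on the constructed samples below.
#
# Usage on a real binary:  check_fips_build_info "$(go version -m ./beat)"
# Returns 0 when both settings are present, 1 otherwise (reasons on stderr).
check_fips_build_info() {
    info="$1"
    status=0

    # Lines look like "<tab>build<tab>CGO_ENABLED=1"; be tolerant of tabs vs spaces.
    if ! printf '%s\n' "$info" | grep -q '^[[:space:]]*build[[:space:]][[:space:]]*CGO_ENABLED=1$'; then
        echo "missing: CGO_ENABLED=1 (binary cannot use the system crypto backend)" >&2
        status=1
    fi

    # GOEXPERIMENT may list several experiments; systemcrypto must be among them.
    if ! printf '%s\n' "$info" | grep -q '^[[:space:]]*build[[:space:]][[:space:]]*GOEXPERIMENT=.*systemcrypto'; then
        echo "missing: GOEXPERIMENT=systemcrypto (binary uses upstream Go crypto)" >&2
        status=1
    fi

    return $status
}

# Constructed sample: what a binary from a -fips image is expected to report.
SAMPLE_FIPS='beat: go1.23.4
	path	example.com/beat
	build	-buildmode=exe
	build	-compiler=gc
	build	CGO_ENABLED=1
	build	GOARCH=arm64
	build	GOEXPERIMENT=systemcrypto
	build	GOOS=linux'

# Constructed sample: a binary from a non-FIPS image (no cgo, no experiment).
SAMPLE_PLAIN='beat: go1.23.4
	path	example.com/beat
	build	-buildmode=exe
	build	-compiler=gc
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOOS=linux'

# Stand-alone demonstration on the constructed samples.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    check_fips_build_info "$SAMPLE_FIPS"  && echo "fips sample: OK"
    check_fips_build_info "$SAMPLE_PLAIN" || echo "plain sample: rejected as expected"
fi
```

Running the check inside CI after each image build, against a small binary compiled in that image, catches a regression where the FIPS variant silently falls back to the upstream toolchain without failing the build.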
@michel-laterman
Contributor Author

Rebased on main now that #504 has been merged

@elasticmachine

💚 Build Succeeded

@elasticmachine

💚 Build Succeeded

@michel-laterman michel-laterman marked this pull request as ready for review February 7, 2025 17:07
@michel-laterman michel-laterman requested review from a team as code owners February 7, 2025 17:07
Contributor

@simitt simitt left a comment

LGTM

@michel-laterman michel-laterman merged commit 765cc6b into main Feb 7, 2025
10 checks passed
@michel-laterman michel-laterman deleted the FIPS-build branch February 7, 2025 17:32
5 participants