[info=ade07541d1e02ab85548fcd14074c0a4]

OBS-URL: https://build.opensuse.org/package/show/devel:BCI:Tumbleweed/base-fips-image?expand=0&rev=1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

Dockerfile

@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: MIT
+
+#     Copyright (c) 2024 SUSE LLC
+
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon.
+
+# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
+# It is maintained by the BCI team and generated by
+# https://github.com/SUSE/BCI-dockerfile-generator
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# You can contact the BCI team via https://github.com/SUSE/bci/discussions
+
+#!UseOBSRepositories
+
+#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%
+#!BuildTag: opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%
+#!BuildTag: opensuse/bci/bci-base-fips:latest
+
+FROM opensuse/tumbleweed:latest
+
+RUN set -euo pipefail; \
+    zypper -n install --no-recommends openSUSE-release openSUSE-release-appliance-docker coreutils crypto-policies-scripts; \
+    zypper -n clean; \
+    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}
+
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=org.opensuse.bci.base-fips
+LABEL org.opencontainers.image.title="openSUSE Tumbleweed BCI FIPS-140-3"
+LABEL org.opencontainers.image.description="FIPS-140-3 container based on the openSUSE Tumbleweed Base Container Image."
+LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opencontainers.image.url="https://www.opensuse.org"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="openSUSE Project"
+LABEL org.opencontainers.image.source="%SOURCEURL%"
+LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.opensuse.reference="registry.opensuse.org/opensuse/bci/bci-base-fips:%OS_VERSION_ID_SP%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL org.opensuse.lifecycle-url="https://en.opensuse.org/Lifetime#openSUSE_BCI"
+LABEL org.opensuse.release-stage="released"
+# endlabelprefix
+LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/SUSE/BCI-dockerfile-generator/Tumbleweed/base-fips-image/README.md"
+LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
+RUN set -euo pipefail; update-crypto-policies --no-reload --set FIPS
+
+ENV GNUTLS_FORCE_FIPS_MODE=1
+ENV LIBGCRYPT_FORCE_FIPS_MODE=1
+ENV LIBICA_FIPS_FLAG=1
+ENV NSS_FIPS=1
+ENV OPENSSL_FIPS=1
+ENV OPENSSL_FORCE_FIPS_MODE=1

README.md

@@ -0,0 +1,33 @@
+
+# The SUSE Linux Enterprise FIPS-140-3 container image
+
+![Redistributable](https://img.shields.io/badge/Redistributable-Yes-green)
+
+## Description
+
+
+This base container image is configured with FIPS mode enabled by default, but
+does not include any certified binaries.
+
+
+## Usage
+The image is configured to enforce the use of FIPS mode by default,
+independent of the host environment setup by specifying the following
+environment variables:
+* `OPENSSL_FIPS=1`: Initialize the OpenSSL FIPS mode
+* `OPENSSL_FORCE_FIPS_MODE=1`: Set FIPS mode to enforcing independent of the host kernel
+* `LIBGCRYPT_FORCE_FIPS_MODE=1`: Set FIPS mode in libgcrypt to enforcing
+
+Below is a list of other environment variables that can be used to configure the OpenSSL library:
+
+* `OPENSSL_ENFORCE_MODULUS_BITS=1`: Restrict the OpenSSL module to only generate
+the acceptable key sizes of RSA.
+## Licensing
+
+`SPDX-License-Identifier: MIT`
+
+This documentation and the build recipe are licensed as MIT.
+The container itself contains various software components under various open source licenses listed in the associated
+Software Bill of Materials (SBOM).
+
+This image is based on [openSUSE Tumbleweed](https://get.opensuse.org/tumbleweed/).

_service

@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+</services>

base-fips-image.changes

@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Thu Nov 28 12:15:09 UTC 2024 - SUSE Update Bot <bci-internal@suse.de>
+
+- First version of the FIPS-140-3 BCI