FIPS in containers and VMs

This page describes the adjustments to the standard FIPS installation process that are needed when installing on public clouds, local VMs and containers.

Containers

Building your own container

The manual installation process must be used for Ubuntu FIPS systems that you build into containers yourself.

In containers, the FIPS-validated kernel must be running on the host.
The remaining FIPS modules, openssh server, openssh client, openssl, and strongswan, may be installed into the container as needed and will run in FIPS mode as long as the host has FIPS enabled.

Check this post for more information on building your own container.

Ubuntu Pro FIPS

It is not necessary to open a support ticket for the Ubuntu Pro FIPS images that are available on some public cloud providers, such as AWS and Azure.

Ubuntu Pro FIPS images have the FIPS packages installed and configured out-of-the-box.

Both Azure and AWS have Ubuntu Pro FIPS pre-built machine images.

AWS

The most recent AWS Ubuntu Xenial kernels supersede the FIPS kernel, so the FIPS kernel will not automatically become the default after installing it and rebooting. Follow the instructions above in Latest Xenial Kernels.

NVMe-backed instances can only boot with the AWS Ubuntu Xenial kernel, because they require a feature found only in that kernel. A FIPS kernel cannot replace it and cannot be used on this instance type.

The Bionic AWS kernel has a FIPS validation. See the main FIPS page for module specifics. Use the ubuntu-aws-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on AWS; using these images avoids the need to do manual FIPS configuration.

Azure

The most recent Azure Ubuntu Xenial kernels supersede the FIPS kernel, so the FIPS kernel will not automatically become the default after installing it and rebooting. Follow the instructions above in Latest Xenial Kernels.

The Azure Ubuntu Xenial kernel contains custom features as well as performance features that are not available in the FIPS kernel.

The Bionic Azure kernel has a FIPS validation. See the main FIPS page for module specifics. Use the ubuntu-azure-fips metapackage instead of ubuntu-fips.

Note: Canonical ships Ubuntu Pro FIPS pre-built images on Azure; using these images avoids the need to do manual FIPS configuration.

Google GCE

The most recent Google GCE Ubuntu Xenial kernel supersedes the FIPS kernel, so the FIPS kernel will not automatically become the default after installing it and rebooting. Follow the instructions above in Latest Xenial Kernels.

Local VMs

If the VM runs a kernel that supersedes the FIPS kernel, follow the instructions above in Latest Xenial Kernels.

Local LXD

In LXD containers, the FIPS kernel should not be installed in the container, only on the hypervisor (the host). Because the host kernel is shared with the container, the container runs the FIPS-enabled kernel once FIPS has been enabled on the host.

The remaining FIPS modules, openssh server, openssh client, openssl, and strongswan, may be installed into the container and run in FIPS mode.
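Because both the Containers section and the Local LXD section rely on the same property, that a container shares the host kernel and so inherits (or lacks) FIPS mode from it, one check covers both. The script below is an added example, not part of the Ubuntu documentation or of any Canonical tooling. It assumes that Ubuntu FIPS kernel release strings end in a "-fips" flavour suffix and that the kernel exposes its FIPS state at /proc/sys/crypto/fips_enabled; the kernel release strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Ubuntu FIPS documentation): report whether the
# running kernel is a FIPS kernel and whether FIPS mode is actually enabled.
# Run it on the host and again inside the container: both share one kernel,
# so a container cannot be in FIPS mode unless the host is.
# Assumptions: FIPS kernels carry a "-fips" suffix (e.g. 4.15.0-2000-aws-fips,
# a constructed sample) and /proc/sys/crypto/fips_enabled exists on FIPS kernels.

# Return 0 if a kernel release string names a FIPS-flavoured kernel.
kernel_is_fips() {
    case "$1" in
        *-fips) return 0 ;;
        *)      return 1 ;;
    esac
}

# Read the fips_enabled value from a file (normally /proc/sys/crypto/fips_enabled).
# Prints "absent" when the file does not exist, i.e. the kernel has no FIPS support.
fips_enabled_from_file() {
    [ -r "$1" ] || { echo "absent"; return 0; }
    tr -d '[:space:]' < "$1"
}

# Summarise the FIPS state from a kernel release string and a fips_enabled value.
# Prints one of: fips-active, fips-kernel-not-enabled, no-fips-kernel.
fips_state() {
    kernel="$1"
    enabled="$2"
    if [ "$enabled" = "1" ]; then
        echo "fips-active"
    elif kernel_is_fips "$kernel"; then
        # FIPS kernel booted, but FIPS mode was not enabled (e.g. no fips=1 at boot).
        echo "fips-kernel-not-enabled"
    else
        echo "no-fips-kernel"
    fi
}

# Live check of the current system; exits non-zero unless FIPS mode is active.
check_live() {
    release=$(uname -r)
    enabled=$(fips_enabled_from_file /proc/sys/crypto/fips_enabled)
    state=$(fips_state "$release" "$enabled")
    echo "kernel=$release fips_enabled=$enabled state=$state"
    [ "$state" = "fips-active" ]
}

# Only touch the live system when asked to, so the functions above can be
# exercised with constructed values as well.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh fips-check.sh --live` on the host first; if the host reports anything other than fips-active, the container check will report the same, because there is no separate kernel inside the container to fix.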

Local Private Cloud

The cloud instance may contain an Ubuntu Xenial kernel that supersedes the FIPS kernel, in which case the FIPS kernel will not automatically become the default after installing it and rebooting. Follow the instructions above in Latest Xenial Kernels.
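The AWS, Azure, Google GCE, Local VMs and Local Private Cloud sections all describe the same failure mode: a cloud kernel that supersedes the FIPS kernel wins the default boot entry, so the machine quietly comes back up without FIPS after a reboot. The script below is an added example, not part of the Ubuntu documentation, that detects this before you reboot. It assumes that the boot loader picks the highest kernel version as its default and approximates that ordering with `sort -V` over the release strings found as /boot/vmlinuz-<release>; all kernel version strings in the comments and sample are constructed.

```shell
#!/bin/sh
# Added example (not from the Ubuntu FIPS documentation): decide which of the
# installed kernels will become the default boot entry and whether it is the
# FIPS kernel. Assumption: the default is the highest version, approximated
# here with "sort -V". Kernel release strings below are constructed samples.

# Print the highest kernel release among the arguments.
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Return 0 if a release string names a FIPS-flavoured kernel (suffix "-fips").
kernel_is_fips() { case "$1" in *-fips) return 0 ;; *) return 1 ;; esac; }

# Print "fips-default <release>" when the FIPS kernel will be booted by default,
# otherwise "cloud-kernel-shadows-fips <release>" naming the kernel that wins.
default_kernel_report() {
    newest=$(newest_kernel "$@")
    if kernel_is_fips "$newest"; then
        echo "fips-default $newest"
    else
        echo "cloud-kernel-shadows-fips $newest"
    fi
}

# List installed kernel releases from /boot (files named vmlinuz-<release>).
installed_kernels() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] || continue
        echo "${f#/boot/vmlinuz-}"
    done
}

# Constructed sample: the cloud kernel's revision (1072) sorts above the FIPS
# kernel's (1002), so the cloud kernel would be booted by default.
sample="4.4.0-1002-fips 4.4.0-1072-aws 4.4.0-1066-aws"
default_kernel_report $sample    # word splitting of $sample is intended

# With --live, inspect the kernels actually installed on this machine.
if [ "${1:-}" = "--live" ]; then
    default_kernel_report $(installed_kernels)
fi
```

A "cloud-kernel-shadows-fips" result means the FIPS kernel will not be the default after the next reboot and the Latest Xenial Kernels instructions the page refers to must be applied first; a "fips-default" result means a plain reboot lands on the FIPS kernel.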

container blog link is broken - https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu

Hi,

This post is published on https://ubuntu.com/security/certifications/docs/fips-cloud-containers, I don't believe we have such a blog post.

Can you give us the original source where you saw https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu ?

Hey carkod,

I think the previous comment was referring to the link in

Check this post for more information on building your own container.

which I have already updated!

Hello,

This page is pretty out of date.

  • It references an old blog post that doesn’t follow the recommended way of getting fips packages in containers.
  • It doesn’t reference anything newer than bionic
  • It references FIPS cloud images, but doesn’t point out how to use them when those are the easiest way to use fips in the clouds where they exist.
  • It doesn’t reference pro enable fips, and instead exposes details that the user doesn’t need to care about, such as the package name of ubuntu-azure-fips vs ubuntu-fips.
  • It says “follow the above instructions in Latest Xenial Kernels” frequently, but I’m not sure what that is referring to.

Yet this page is a top hit when searching for “ubuntu fips containers”. I suggest we delete this page or start making large updates to it.