aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[ECS] [request]: FIPS support for containers running in Fargate #659

Closed duckfez closed 1 year ago

duckfez commented 4 years ago

Community Note

Tell us about your request

We have a requirement to be FedRAMP authorized for some of our services, and along with that comes a need for FIPS validated cryptography. We really want to use Fargate as it solves some problems beautifully for us.

Which service(s) is this request for? Fargate

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

This is fundamentally a compliance checkbox, but an important one. We have containers that run both Amazon Linux 2 and RHEL UBI. I'm pretty sure that in each case, the OpenSSL libraries inside the container expect /proc/sys/crypto/fips_enabled to have a value of "1". If that is the case, then OpenSSL automatically enables FIPS mode.

Red Hat mentions in the RHEL 7 security guide that RHEL containers expect a file, /etc/system-fips, to be mounted from the host into the container.

I'm not sure how Amazon Linux 2 would handle this.

In the long run, the goal is that the whole Fargate runtime environment - both our container and the underlying Fargate host - would be able to run with FIPS compliant cryptography.

Are you currently working around this issue?

This is a blocker for us in Fargate. We're looking at running ECS with EC2, but would vastly prefer to just use Fargate.

animaxcg commented 2 years ago

In doing research, it seems that /etc/system-fips being mounted is a requirement that comes from running containers on a host OS, and isn't actually proof that the host OS is FIPS compliant, just that a file exists. That file contains nothing that makes a system FIPS compliant but is purely a signal to modules in the container that FIPS is enabled. If the Fargate host OS is Amazon's responsibility and it is FIPS enabled, can you not do the below and be FIPS compliant?

So could you not just create that file in the container and it would be compliant? Or is there a way that Docker can tell a dir is really mounted from the host server?

```shell
cat /etc/system-fips
# FIPS module installation complete
```
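
The two signals discussed above (the kernel's /proc/sys/crypto/fips_enabled flag from the first post and the /etc/system-fips marker file from this comment) can be read from inside a container, but as this comment notes the marker file proves nothing by itself. The script below is an added example, not from the issue thread, from AWS or from Red Hat: it reports both file-based signals and adds a behavioural probe, relying on the fact that an OpenSSL build running in FIPS mode refuses MD5, so that a marker file alone cannot produce a "fips-enforced" verdict. The function names, the verdict labels, the third argument that lets a test inject a probe result, and the use of `openssl md5` as the probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the issue thread). Reports the FIPS signals a
# container can observe. The kernel flag and the RHEL marker file are only
# signals (the marker proves nothing about the host), so a behavioural probe
# of the OpenSSL binary is included as an independent check.
# Paths are parameters so the check can be run against test fixtures.

# Prints "<kernel> <marker>" where kernel is enabled|disabled|absent and
# marker is present|absent.
fips_signals() {
  proc_file="${1:-/proc/sys/crypto/fips_enabled}"
  marker_file="${2:-/etc/system-fips}"

  kernel="absent"
  if [ -r "$proc_file" ]; then
    if [ "$(cat "$proc_file")" = "1" ]; then
      kernel="enabled"
    else
      kernel="disabled"
    fi
  fi

  marker="absent"
  if [ -e "$marker_file" ]; then
    marker="present"
  fi

  printf '%s %s\n' "$kernel" "$marker"
}

# Behavioural probe (assumption of this example): an OpenSSL build running in
# FIPS mode refuses MD5, so a failing "openssl md5" is evidence of enforcement
# that no marker file can fake. Prints refused|allowed|unknown (unknown when
# no openssl binary is on PATH).
openssl_md5_probe() {
  if ! command -v openssl >/dev/null 2>&1; then
    printf 'unknown\n'
    return 0
  fi
  if printf 'x' | openssl md5 >/dev/null 2>&1; then
    printf 'allowed\n'
  else
    printf 'refused\n'
  fi
}

# Combine into a single verdict. Only kernel flag "enabled" plus a refused MD5
# counts as FIPS mode actually in effect; a marker file alone is reported as
# a bare signal. The optional third argument overrides the probe result so the
# verdict logic can be exercised without a FIPS-mode OpenSSL.
fips_verdict() {
  signals="$(fips_signals "$1" "$2")"
  kernel="${signals%% *}"
  marker="${signals#* }"
  probe="${3:-$(openssl_md5_probe)}"

  if [ "$kernel" = "enabled" ] && [ "$probe" = "refused" ]; then
    printf 'fips-enforced\n'
  elif [ "$kernel" = "enabled" ]; then
    printf 'kernel-flag-only\n'
  elif [ "$marker" = "present" ]; then
    printf 'marker-only\n'
  else
    printf 'not-fips\n'
  fi
}

# Run against the real paths when executed directly, e.g. inside a task's container.
fips_verdict
```

A "marker-only" or "kernel-flag-only" result is exactly the situation the comment describes: something claims FIPS, but the cryptographic library in the image has not demonstrably switched to its validated module.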

mbtran1 commented 1 year ago

We're happy to report that the capability was launched on April 10, 2023. Please refer to this What's New, Amazon ECS on AWS Fargate now supports FIPS 140-2 on AWS Fargate in AWS GovCloud (US) Regions, for details. To learn more about FIPS 140-2 at AWS, refer to: FIPS on AWS and AWS Fargate Federal Information Processing Standard (FIPS-140).