canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

docs: Duplicated guides and docs for enabling FIPS in a docker container #3271

Open adam-vest opened 3 weeks ago

adam-vest commented 3 weeks ago

Please describe the question or issue you're facing with "Create an Ubuntu FIPS Docker image - Ubuntu Pro Client documentation".

Hey there folks, I'm just pointing out that there are (at least?) three separate guides and docs out there for how to create a FIPS-enabled docker container. There are these two[1][2] that are on the Pro docs page - one is a tutorial and one is a how-to, but their steps are nearly identical (with some minor differences). [2] is supposed to be more generally about how to enable Pro services in a docker container, but the example provided is a different way of enabling FIPS to what the actual [1] steps are.

Then there's this[3] which tells you to read this[4], which is once again very similar but slightly different. All this leads to confusion about which method would be "preferred", if any, or at least an explanation of how/why each approach is different and why one might be beneficial over another.

Thanks!

[1] https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image/
[2] https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/enable_in_dockerfile/
[3] https://ubuntu.com/security/certifications/docs/fips-cloud-containers
[4] https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu18-04


Reported from: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image/

orndorffgrant commented 3 weeks ago

Hello! Thanks for the feedback.

[4] is a blog post and shouldn't be treated as documentation IMO. I consider it a bug in [3] that it refers to [4]. [3] looks generally pretty out of date and the original author no longer works for Canonical. It should probably be re-written and if it has a docker section, it should point to or somehow re-use [1] or [2]. I just left a comment on [3] hoping to spur some activity there. Feel free to chime in as well.

I'm not sure I exactly understand the criticism of [1] and [2]. [2] is a general how-to-guide with nothing specific to fips in it. [1] is a tutorial that applies the general content of [2] to the specific task of creating a fips container with some crypto-related packages installed.

> but the example provided is a different way of enabling FIPS

Maybe I'm missing something.

The example attach config is:

```yaml
token: TOKEN
enable_services:
  - service1
  - service2
  - service3
```

which won't work as-is.

Is it the step in the Dockerfile that does apt-get install -y openssl that seems fips-ish? openssl also gets updates in ESM, so strictly speaking it is not really fips-specific, but I could see that being confusing. Would it be less confusing if we replaced openssl there with a more obvious example package, such as hello?
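For readers landing here from the docs, the following is an added example of the pattern the two comments above discuss (the attach config from [2] applied to the FIPS case from [1]). It is not the project's own tutorial text or code. It assumes a constructed attach config at `./attach-config.yaml` on the build host with `fips` as the only service, a BuildKit secret id of `ubuntu-pro-attach-config`, an image tag of `ubuntu-fips-example`, and that `ubuntu-advantage-tools` is still the installable package name on the chosen release (newer releases name it `ubuntu-pro-client`).

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the Ubuntu Pro docs or the ubuntu-pro-client repo.
#
# Assumed attach config on the build host, ./attach-config.yaml (constructed):
#   token: <your-pro-token>
#   enable_services:
#     - fips
#
# Build with BuildKit so the config is mounted as a secret instead of copied:
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=ubuntu-pro-attach-config,src=./attach-config.yaml \
#     -t ubuntu-fips-example .
FROM ubuntu:focal

# Everything happens in a single RUN layer:
#  1. install the `pro` CLI (ubuntu-advantage-tools) and CA certificates
#  2. attach using the secret-mounted config; only the listed services (fips) are enabled
#  3. apt-get upgrade swaps already-installed packages for their FIPS builds
#  4. install the crypto consumer the image needs (openssl here, as in the tutorial)
#  5. detach and purge the client so no contract credentials remain in the image
#  6. drop apt lists to keep the layer small
RUN --mount=type=secret,id=ubuntu-pro-attach-config \
    apt-get update \
    && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
    && pro attach --attach-config /run/secrets/ubuntu-pro-attach-config \
    && apt-get upgrade -y \
    && apt-get install -y openssl \
    && pro detach --assume-yes \
    && apt-get purge --auto-remove -y ubuntu-advantage-tools \
    && rm -rf /var/lib/apt/lists/*

# Record which openssl build ended up in the image (check the build log).
RUN openssl version -a
```

The secret mount is the security-relevant part: the token is readable at `/run/secrets/...` only while that `RUN` executes and is never written into a layer, whereas a `COPY attach-config.yaml` would leave the token recoverable from the image history even if a later step deleted the file. Detaching and purging in the same layer likewise keeps the finished image free of Pro contract state, which is why the tutorial's steps and the general how-to end up looking nearly identical.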