defenseunicorns / uds-rke2-image-builder

Packer builds to produce STIG'd RKE2 images

Build hardened VM image with Packer #1

Closed mjnagel closed 1 year ago

mjnagel commented 1 year ago

This should be built via Packer, in a CI pipeline. We should be able to build for both AWS (AMI) and Nutanix.

Requirements:

We should also aim to support as much local dev as possible.

### Tasks
- [x] Create repo to hold packer builds
- [x] Consume base Ubuntu + add STIGs in packer build for AMI
- [x] Add github workflow to build out AMI using packer
- [x] Pre-install RKE2 in packer build for AMI
- [ ] https://github.com/defenseunicorns/uds-package-dubbd/issues/502
- [ ] https://github.com/defenseunicorns/uds-rke2-image-builder/issues/7
- [ ] https://github.com/defenseunicorns/uds-rke2-image-builder/issues/8
- [ ] https://github.com/defenseunicorns/uds-rke2-image-builder/issues/10
- [ ] https://github.com/defenseunicorns/uds-rke2-image-builder/issues/29
mjnagel commented 1 year ago

Noting here that FIPS is a "paid feature" for Ubuntu, so it won't be in the scope of our "prebuilt image". Approach we can take:

This won't be quite as seamless as we might hope for but still provides automation around the image building to the extent possible with license limitations.

mjnagel commented 1 year ago

Followed this approach for RKE2 - https://docs.rke2.io/install/airgap#tarball-method

mjnagel commented 1 year ago

Tentatively moving to review. Two follow-on tasks we might have to look at:

jacobbmay commented 1 year ago

Regarding FIPS on RHEL: ideally whatever base image we build off of should already have that enabled to ensure the image is actually FIPS compliant. If it is enabled post-install it is possible that it isn't actually compliant even though it is enabled.
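
The point above is that FIPS has to be in effect from the start, not switched on after packages are already installed. A build pipeline can at least refuse to publish an image where the kernel is not running in FIPS mode. The script below is an added example, not code from the uds-rke2-image-builder repo; it checks the kernel's `/proc/sys/crypto/fips_enabled` flag and looks for `fips=1` on the kernel command line, which is how FIPS mode is enabled at boot on RHEL. The optional path arguments are a hypothetical override so the checks can be exercised against constructed files instead of the live kernel interfaces.

```shell
#!/bin/sh
# Added example: post-build FIPS validation for a Packer-built image.
# Not part of the uds-rke2-image-builder project.

# Returns 0 when the kernel reports FIPS mode as enabled.
# $1 (hypothetical override, for testing) defaults to the real sysctl file.
fips_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] || return 1
  [ "$(cat "$f")" = "1" ]
}

# Returns 0 when the kernel command line carries fips=1, i.e. FIPS was
# requested at boot rather than toggled later in the running system.
# $1 (hypothetical override, for testing) defaults to /proc/cmdline.
cmdline_has_fips() {
  f="${1:-/proc/cmdline}"
  [ -r "$f" ] || return 1
  grep -qw 'fips=1' "$f"
}

# Combined gate for the pipeline: both conditions must hold.
# $1 / $2 are the optional override paths for the two checks.
check_fips_image() {
  rc=0
  if fips_enabled "$1"; then
    echo "FIPS kernel flag: enabled"
  else
    echo "FIPS kernel flag: NOT enabled" >&2
    rc=1
  fi
  if cmdline_has_fips "$2"; then
    echo "Kernel cmdline: fips=1 present"
  else
    echo "Kernel cmdline: fips=1 missing" >&2
    rc=1
  fi
  [ "$rc" -eq 0 ] || echo "image is not FIPS-enabled; do not publish" >&2
  return "$rc"
}

# Run the gate when invoked directly with --check (no args: live kernel).
if [ "${1:-}" = "--check" ]; then
  check_fips_image "$2" "$3"
fi
```

Run it as a final provisioner step (`sh check-fips.sh --check`) so the Packer build fails instead of producing an image that only looks hardened; this verifies the running state of the image, while the package-level question raised above (whether software was installed under FIPS policy) still has to be addressed by starting from a FIPS-enabled base image.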

mjnagel commented 1 year ago

Closing this out - follow-on issues will be at the repo level. Initial epic effort is completed.