Disable FIPS mode in Docker container during apt-get update

Resolves error with libgcrypt on bookworm: Fatal error in libgcrypt, requested algo not in md context
DataBiosphere · Nov 20, 2024 · 7323945 · 7323945
1 parent a94f54d
commit 7323945
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 2 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -3,4 +3,5 @@
 !common.mk
 !requirements*.txt
 !bin/keys/docker-apt-keyring.pgp
+!fips_enabled
 requirements.all.txt
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -11,6 +11,7 @@ workflow:
 variables:
   azul_image: $CI_REGISTRY_IMAGE
   azul_image_tag: $CI_PIPELINE_ID
+  azul_proc_sys_crypto: /proc/sys/crypto
 
 stages:
   - build_image

diff --git a/Dockerfile b/Dockerfile
@@ -46,7 +46,9 @@ RUN mkdir terraform \
 RUN install -m 0755 -d /etc/apt/keyrings
 COPY --chmod=0644 bin/keys/docker-apt-keyring.pgp /etc/apt/keyrings/docker.gpg
 ARG azul_docker_version
-RUN set -o pipefail \
+ARG azul_proc_sys_crypto
+RUN --mount=type=bind,source=fips_enabled,target=${azul_proc_sys_crypto}/fips_enabled \
+    set -o pipefail \
     && ( \
       echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" \
       | tee /etc/apt/sources.list.d/docker.list \

diff --git a/Makefile b/Makefile
@@ -36,15 +36,18 @@ $(eval $(call requirements,_runtime_deps,requirements_pip,,))
 define docker
 .PHONY: docker$1
 docker$1: check_docker
+	echo 0 > fips_enabled
 	docker build \
 	       --build-arg azul_docker_registry=$$(azul_docker_registry) \
 	       --build-arg azul_python_image=$$(azul_python_image) \
 	       --build-arg azul_docker_version=$$(azul_docker_version) \
 	       --build-arg azul_terraform_version=$$(azul_terraform_version) \
 	       --build-arg PIP_DISABLE_PIP_VERSION_CHECK=$$(PIP_DISABLE_PIP_VERSION_CHECK) \
 	       --build-arg make_target=requirements$2 \
+	       --build-arg azul_proc_sys_crypto=$$(azul_proc_sys_crypto) \
 	       --tag $$(azul_image)$3:$$(azul_image_tag) \
 	       .
+	rm fips_enabled
 
 .PHONY: docker$1_push
 docker$1_push: docker$1

diff --git a/environment.py b/environment.py
@@ -901,5 +901,13 @@ def env() -> Mapping[str, Optional[str]]:
         # in the Azul VPC. This subnet can't overlap the VPC CIDR and the subnet
         # mask must be less than 22 bits.
         #
-        'azul_vpn_subnet': None
+        'azul_vpn_subnet': None,
+
+        # When building the Azul dockerfile on a FIPS mode enabled system (e.g.
+        # GitLab), this variable should be set to `/proc/sys/crypto`, the path
+        # where a `fips_enabled` file will be mounted. This is required for the
+        # command `apt-get update` to succeed which would otherwise fail on
+        # Debian bookworm with FIPS mode enabled.
+        #
+        'azul_proc_sys_crypto': '/tmp'
     }