Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 17 additions & 5 deletions Earthfile
Original file line number Diff line number Diff line change
Expand Up @@ -708,8 +708,15 @@ base-image:

LET APT_UPGRADE_FLAGS="-y"
IF [ "$UPDATE_KERNEL" = "false" ]
RUN if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION" ; fi && \
if dpkg -l linux-image-generic > /dev/null; then apt-mark hold linux-image-generic linux-headers-generic linux-generic; fi
RUN apt-get update && \
if dpkg -l "linux-image-generic-hwe-$OS_VERSION" > /dev/null 2>&1; then apt-mark hold "linux-image-generic-hwe-$OS_VERSION" "linux-headers-generic-hwe-$OS_VERSION" "linux-generic-hwe-$OS_VERSION"; fi && \
if dpkg -l linux-image-generic > /dev/null 2>&1; then \
apt-mark hold linux-image-generic linux-headers-generic linux-generic; \
latest_kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1 | awk -F '-' '{print $1"-"$2}'); \
for pkg in linux-image-${latest_kernel}-generic linux-modules-${latest_kernel}-generic linux-modules-extra-${latest_kernel}-generic; do \
if dpkg -l "$pkg" > /dev/null 2>&1; then apt-mark hold "$pkg"; fi; \
done; \
fi
ELSE
SET APT_UPGRADE_FLAGS="-y --with-new-pkgs"
RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
Expand All @@ -733,8 +740,13 @@ base-image:
dosfstools \ # Utilities for creating and checking FAT file systems.
rsync \ # Used for efficient file synchronization and transfer.
cryptsetup-bin \ # Provides tools for setting up encrypted disks.
udev && \ # Device manager for the Linux kernel, required for managing device nodes.
udev \ # Device manager for the Linux kernel, required for managing device nodes.
dracut \ # Required for initramfs (custom base images like ubuntu24.04-byoi-stig need this after purge).
dracut-live && \ # Required for live/squashfs boot; apt autoremove may remove it otherwise.
latest_kernel=$(printf '%s\n' /lib/modules/* | xargs -n1 basename | sort -V | tail -1 | awk -F '-' '{print $1"-"$2}') && \
apt-mark manual linux-image-${latest_kernel}-generic linux-modules-${latest_kernel}-generic linux-modules-extra-${latest_kernel}-generic 2>/dev/null || true && \
apt-mark unhold linux-image-generic linux-headers-generic linux-generic 2>/dev/null || true && \
(apt-get purge -y --allow-change-held-packages linux-image-generic linux-headers-generic linux-generic || true) && \
if [ "$FIPS_ENABLED" = "true" ]; then \
# When FIPS is enabled, we need to remove any non-FIPS kernel packages (e.g., 5.15 HWE) to avoid conflicts.
# However, some kernel packages may be held (apt-mark hold), which causes `apt-get purge` to fail with:
Expand All @@ -745,9 +757,9 @@ base-image:
| grep -v "$latest_kernel" | grep -v fips); do \
apt-mark unhold "$pkg" || true; \
done && \
apt-get purge -y $(dpkg -l | awk '/^.i\s+linux-(image|headers|modules)/ {print $2}' | grep -v "${latest_kernel}" | grep -v fips); \
apt-get purge -y $(dpkg -l | awk '/^.i\s+linux-(image|headers|modules)/ {print $2}' | grep -E 'linux-(image|headers|modules)-[0-9]' | grep -v "${latest_kernel}" | grep -v fips); \
else \
apt-get purge -y $(dpkg -l | awk '/^ii\s+linux-(image|headers|modules)/ {print $2}' | grep -v "${latest_kernel}"); \
apt-get purge -y $(dpkg -l | awk '/^ii\s+linux-(image|headers|modules)/ {print $2}' | grep -E 'linux-(image|headers|modules)-[0-9]' | grep -v "${latest_kernel}"); \
fi && \
apt-get autoremove -y && \
rm -rf /var/lib/apt/lists/*
Expand Down
191 changes: 191 additions & 0 deletions ubuntu-stig/Dockerfile.ubuntu24.04
Original file line number Diff line number Diff line change
@@ -0,0 +1,191 @@
FROM quay.io/kairos/kairos-init:v0.5.28 AS kairos-init
FROM ubuntu:24.04

ARG KAIROS_VERSION=v3.5.9
ENV DEBIAN_FRONTEND=noninteractive

RUN --mount=type=bind,from=kairos-init,src=/kairos-init,dst=/kairos-init /kairos-init -l debug --version "${KAIROS_VERSION}" -m "generic" -t "false"

# Enable universe repository for scap-security-guide
RUN apt-get update && apt-get install -y --no-install-recommends software-properties-common && \
add-apt-repository universe && \
apt-get update

# Configure dracut to skip problematic modules before installation
# This prevents errors with livenet/network module dependencies during install
RUN mkdir -p /etc/dracut.conf.d && \
echo 'omit_dracutmodules+=" livenet network network-legacy systemd-networkd "' > /etc/dracut.conf.d/99-skip-livenet.conf && \
echo 'hostonly="no"' >> /etc/dracut.conf.d/99-skip-livenet.conf

# Install packages, allowing dracut post-install failures
# Dracut post-install scripts will fail due to livenet/network dependencies,
# but packages will be installed. We regenerate initramfs manually later anyway.
RUN set +e && \
apt-get install -y --no-install-recommends \
squashfs-tools \
dracut-live \
efibootmgr \
dhcpcd5 \
auditd \
sudo \
systemd \
parted \
dracut \
e2fsprogs \
dosfstools \
coreutils \
dmsetup \
grub2-common \
grub-pc-bin \
grub-efi-amd64-bin \
grub-efi-amd64-signed \
which \
nano \
gawk \
haveged \
policykit-1 \
ncurses-base \
tar \
kbd \
lvm2 \
zstd \
openssh-server \
openssh-client \
shim-signed \
open-vm-tools \
open-iscsi \
iptables ethtool socat iproute2 conntrack \
linux-image-generic \
cloud-guest-utils \
rsync jq \
ssg-base ssg-debderived \
openscap-scanner \
ufw; \
INSTALL_EXIT=$?; \
if [ $INSTALL_EXIT -ne 0 ]; then \
echo "Package installation had errors (likely dracut post-install), attempting to fix..."; \
dpkg --configure -a || true; \
apt-get install -f -y || true; \
fi; \
set -e

# Ensure kernel packages and their dependencies are properly installed
# This is critical for the Earthfile kernel cleanup step
RUN apt-get update && \
echo "Checking for held packages..." && \
HELD_PKGS=$(apt-mark showhold | grep -E "linux-image|linux-modules" || true) && \
if [ -n "$HELD_PKGS" ]; then \
echo "Found held kernel packages, unholding them:"; \
echo "$HELD_PKGS"; \
echo "$HELD_PKGS" | xargs -r apt-mark unhold || true; \
fi && \
apt-get install -y --no-install-recommends --fix-broken && \
apt-get install -y --no-install-recommends -f && \
echo "Verifying linux-image-generic installation..." && \
if dpkg -l | grep -q "^ii.*linux-image-generic"; then \
echo "linux-image-generic is installed"; \
echo "Checking its dependencies..."; \
apt-cache depends linux-image-generic | grep "Depends:" | head -10 || true; \
echo "Installed kernel packages:"; \
dpkg -l | grep -E "^ii.*linux-(image|modules)" | head -10 || true; \
echo "Ensuring kernel dependencies are installed..."; \
apt-get install -y --no-install-recommends linux-image-generic || true; \
else \
echo "WARNING: linux-image-generic is not installed!"; \
fi && \
apt-get clean && rm -rf /var/lib/apt/lists/*

RUN sed -i 's/\bsource\b/./g' /system/oem/00_rootfs.yaml
RUN sed -i 's/\bsource\b/./g' /system/oem/09_openrc_services.yaml
RUN sed -i 's/\bsource\b/./g' /system/oem/50_recovery.yaml

RUN mkdir -p /run/lock
RUN touch /usr/libexec/.keep

# Configure systemd services
RUN systemctl enable systemd-networkd
RUN systemctl enable systemd-resolved
RUN systemctl enable ssh
RUN systemctl enable systemd-udevd
RUN systemctl enable systemd-logind.service
# Disable dhcpcd - it conflicts with systemd-networkd; both request DHCP and cause dual IPs
RUN systemctl disable dhcpcd 2>/dev/null || true

COPY overlay/ubuntu24.04/ /

# OpenSCAP workaround: create dummy rpmrc so CPE/platform detection doesn't error on Ubuntu
# (OpenSCAP expects RPM files; Debian/Ubuntu has none - causes "Unknown IO error" in scans)
RUN mkdir -p /usr/lib/rpm && echo '# Dummy for OpenSCAP CPE on Debian/Ubuntu' > /usr/lib/rpm/rpmrc

RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && \
ln -sf "${kernel#/boot/}" /boot/vmlinuz
# Create dummy dracut modules to satisfy dependencies
# This prevents dracut from failing when dracut-live requires network modules
RUN mkdir -p /usr/lib/dracut/modules.d/35systemd-networkd && \
echo '#!/bin/bash' > /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
echo '# Dummy module to satisfy dracut-live dependencies' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
echo 'check() { return 0; }' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
echo 'install() { return 0; }' >> /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
chmod +x /usr/lib/dracut/modules.d/35systemd-networkd/module-setup.sh && \
mkdir -p /usr/lib/dracut/modules.d/45network-legacy && \
echo '#!/bin/bash' > /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
echo '# Dummy module to satisfy dracut-live dependencies' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
echo 'check() { return 0; }' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
echo 'install() { return 0; }' >> /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh && \
chmod +x /usr/lib/dracut/modules.d/45network-legacy/module-setup.sh
# Regenerate initramfs with dracut
RUN kernel=$(ls /lib/modules | head -n1) && \
dracut -v -N --no-hostonly -f "/boot/initrd-${kernel}" "${kernel}" && \
ln -sf "initrd-${kernel}" /boot/initrd && depmod -a "${kernel}"
RUN rm -rf /boot/initramfs-*

# Ensure kernel packages are properly installed and dependencies are satisfied
# This prevents issues when the Earthfile tries to purge old kernels
RUN echo "Verifying kernel package installation..." && \
KERNEL_PKG=$(dpkg -l | grep "^ii.*linux-image-generic" | awk '{print $2}' || echo "") && \
if [ -n "$KERNEL_PKG" ]; then \
echo "Found kernel package: $KERNEL_PKG"; \
echo "Checking dependencies..."; \
apt-get update && \
apt-get install -y --no-install-recommends --fix-broken && \
apt-get install -y --no-install-recommends -f && \
echo "Kernel packages:" && \
dpkg -l | grep -E "linux-image|linux-modules" | head -10 || true; \
fi && \
apt-get clean && rm -rf /var/lib/apt/lists/*

# Verify STIG content is available, install full scap-security-guide if needed
RUN echo "Checking for STIG XCCDF files..." && \
echo "Installed SSG packages:" && \
dpkg -l | grep -E "ssg|scap" || echo "No SSG packages found" && \
echo "Files provided by ssg-base:" && \
dpkg -L ssg-base 2>/dev/null | grep -E "\.xml$|ds\.xml" | head -10 || echo "ssg-base not installed or no XML files" && \
echo "Files provided by ssg-debderived:" && \
dpkg -L ssg-debderived 2>/dev/null | grep -E "\.xml$|ds\.xml" | head -10 || echo "ssg-debderived not installed or no XML files" && \
if [ ! -f "/usr/share/xml/scap/ssg/content/ssg-ubuntu2404-ds.xml" ] && \
[ ! -f "/usr/share/scap-security-guide/ssg-ubuntu2404-ds.xml" ] && \
[ ! -f "/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml" ]; then \
echo "STIG files not found, attempting to install full scap-security-guide package..."; \
apt-get update && \
apt-get install -y --no-install-recommends scap-security-guide || \
(echo "scap-security-guide not available, listing all STIG files:" && \
find /usr/share -name "*ubuntu*ds.xml" -type f 2>/dev/null | head -20 || echo "No Ubuntu STIG files found" && \
echo "All SSG XML files:" && \
find /usr/share -name "*ssg*.xml" -type f 2>/dev/null | head -20 || echo "No SSG XML files found"); \
apt-get clean && rm -rf /var/lib/apt/lists/*; \
else \
echo "STIG XCCDF file found!"; \
fi

# Note: Some remediation rules may fail (e.g., download-dependent rules) - this is expected
# Static STIG content (optional): for reproducible releases, run scripts/update-stig-content.sh
# Without static content: build uses system scap-security-guide (latest STIG for customers who want current content)
COPY static/ /tmp/stig-static/
COPY stig-remediate.sh /tmp/stig-remediate.sh
RUN chmod +x /tmp/stig-remediate.sh && \
/tmp/stig-remediate.sh 2>&1 && \
rm -f /tmp/stig-remediate.sh

RUN mkdir -p /etc/luet/repos.conf.d
## Clear cache
RUN rm -rf /var/cache/* && journalctl --vacuum-size=1K && rm -f /etc/machine-id
Loading