MM-64878: FIPS Build (#33809)
* pin to ubuntu-24.04
* always use FIPS compatible Postgres settings
* use sha256 for remote cluster IDs
* use sha256 for client config hash
* rework S3 backend to be FIPS compatible
* skip setup-node during build, since already in container
* support FIPS builds
* Dockerfile for FIPS image, using glibc-openssl-fips
* workaround entrypoint inconsistencies
* authenticate to DockerHub
* fix FIPS_ENABLED, add test-mmctl-fips
* decouple check-mattermost-vet from test/build steps
* fixup! decouple check-mattermost-vet from test/build steps
* only build-linux-amd64 for fips
* rm entrypoint workaround
* tweak comment grammar
* rm unused Dockerfile.fips (for now)
* ignore gpg import errors, since would fail later anyway
* for fips, only make package-linux-amd64
* set FIPS_ENABLED for build step
* Add a FIPS-specific list of prepackaged plugins
Note that the names are still temporary, since they are not uploaded to
S3 yet. We may need to tweak them when that happens.
* s/golangci-lint/check-style/
This ensures we run all the `check-style` checks: previously,
`modernize` was missing.
* pin go-vet to @v2, remove annoying comment
* add -fips to linux-amd64.tz.gz package
* rm unused setup-chainctl
* use BUILD_TYPE_NAME instead
* mv fips build to enterprise-only
* fixup! use BUILD_TYPE_NAME instead
* temporarily pre-package no plugins for FIPS
* split package-cleanup
* undo package-cleanup, just skip ARM, also test
* skip arm for FIPS in second target too
* fmt Makefile
* Revert "rm unused Dockerfile.fips (for now)"
This reverts commit 601e37e0fff7b7703540bb9e91961ad8bb83b2e7.
* reintroduce Dockerfile.fips and align with existing Dockerfile
* s/IMAGE/BUILD_IMAGE/
* bump the glibc-openssl-fips version
* rm redundant comment
* fix FIPS checks
* set PLUGIN_PACKAGES empty until prepackaged plugins ready
* upgrade glibc-openssl-fips, use non-dev version for final stage
* another BUILD_IMAGE case
* Prepackage the FIPS versions of plugins
* relocate FIPS_ENABLED initialization before use
* s/Config File MD5/Config File Hash/
* Update the FIPS plugin names and encode the + sign
* add /var/tmp for local socket manipulation
---------
Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>
Co-authored-by: Mattermost Build <build@mattermost.com>
2025-09-15 09:53:28 -04:00

# First stage - FIPS dev image with dependencies for building
FROM cgr.dev/mattermost.com/glibc-openssl-fips:15-dev@sha256:ab5285209fff77fbe56e58aeed6d7f557cf74c6f90d1d8ee26053003f039b419 AS builder

# Setting bash as our shell, and enabling pipefail option
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build Arguments
ARG PUID=2000
ARG PGID=2000
# The MM_PACKAGE build argument controls which version of mattermost to install, defaults to latest stable enterprise
# e.g. https://releases.mattermost.com/9.7.1/mattermost-9.7.1-linux-amd64.tar.gz
ARG MM_PACKAGE="https://latest.mattermost.com/mattermost-enterprise-linux"

# Install needed packages and indirect dependencies
USER 0:0
RUN apk add \
    curl \
    ca-certificates \
    mailcap \
    unrtf \
    wv \
    poppler-utils \
    tzdata

# Set mattermost group/user and download Mattermost
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
    && addgroup -g ${PGID} mattermost \
    && adduser -D -u ${PUID} -G mattermost -g "" -s /bin/sh -h /mattermost mattermost \
    && curl -L $MM_PACKAGE | tar -xvz \
    && chown -R mattermost:mattermost /mattermost /mattermost/data /mattermost/plugins /mattermost/client/plugins

# Create PostgreSQL client SSL directory structure for ssl_mode=require
RUN mkdir -p /mattermost/.postgresql \
    && chmod 700 /mattermost/.postgresql

# Create /var/tmp directory needed for local socket files
RUN mkdir -p /var/tmp \
    && chmod 755 /var/tmp

# Final stage using FIPS runtime image
FROM cgr.dev/mattermost.com/glibc-openssl-fips:15@sha256:7947eecc0d82fa3bc661aaca039bcd86d55fdf3ee581c8ecdef1b3c6f63fa83a

# Some ENV variables
ENV PATH="/mattermost/bin:${PATH}"
ENV MM_SERVICESETTINGS_ENABLELOCALMODE="true"
ENV MM_INSTALL_TYPE="docker"

# Copy over metadata files needed by runtime
COPY --from=builder /etc/mime.types /etc

# Copy CA certificates for SSL/TLS validation with proper ownership
COPY --from=builder --chown=2000:2000 /etc/ssl/certs /etc/ssl/certs

# Copy document processing utilities and necessary support files
COPY --from=builder /usr/bin/pdftotext /usr/bin/pdftotext
COPY --from=builder /usr/bin/wvText /usr/bin/wvText
COPY --from=builder /usr/bin/wvWare /usr/bin/wvWare
COPY --from=builder /usr/bin/unrtf /usr/bin/unrtf
COPY --from=builder /usr/share/wv /usr/share/wv

# Copy necessary libraries for document processing utilities
COPY --from=builder /usr/lib/libpoppler.so* /usr/lib/
COPY --from=builder /usr/lib/libfreetype.so* /usr/lib/
COPY --from=builder /usr/lib/libpng16.so* /usr/lib/
COPY --from=builder /usr/lib/libwv.so* /usr/lib/
COPY --from=builder /usr/lib/libfontconfig.so* /usr/lib/

# Copy mattermost from builder stage
COPY --from=builder --chown=2000:2000 /mattermost /mattermost

# Copy group and passwd files including mattermost user
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

# Copy /var/tmp directory needed for local socket files
COPY --from=builder --chown=2000:2000 /var/tmp /var/tmp

# We should refrain from running as privileged user
USER mattermost

# Healthcheck to make sure container is ready - using mmctl instead of curl for distroless compatibility
HEALTHCHECK --interval=30s --timeout=10s \
    CMD ["/mattermost/bin/mmctl", "system", "status", "--local"]

# Configure entrypoint and command with proper permissions
WORKDIR /mattermost
CMD ["/mattermost/bin/mattermost"]

EXPOSE 8065 8067 8074 8075

# Declare volumes for mount point directories
VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]