From 9eb5cbde2cd6c0a9a6023d0ce82072d2c8081f97 Mon Sep 17 00:00:00 2001 From: Ed Bond Date: Mon, 22 Apr 2024 22:48:42 +0200 Subject: [PATCH] Security focused alternative image (#2526) --- README.md | 3 +++ docs/deployment/fips.md | 39 +++++++++++++++++++++++++++++++++++++++ lib/livebook.ex | 10 ++++++++++ mix.exs | 1 + 4 files changed, 53 insertions(+) create mode 100644 docs/deployment/fips.md diff --git a/README.md b/README.md index 010f2bc03..21a0d4a18 100644 --- a/README.md +++ b/README.md @@ -224,6 +224,9 @@ The following environment variables can be used to configure Livebook on boot: cluster. Must be "name" (long names) or "sname" (short names). Note that this sets RELEASE_DISTRIBUTION if present when creating a release. Defaults to "sname". + * `LIVEBOOK_FIPS` - if set to "true" will try to enable the FIPS mode on startup. + See more details in [the documentation](https://hexdocs.pm/livebook/fips.html). + * `LIVEBOOK_FORCE_SSL_HOST` - sets a host to redirect to if the request is not over HTTPS. Note it does not apply when accessing Livebook via localhost. Defaults to nil. diff --git a/docs/deployment/fips.md b/docs/deployment/fips.md new file mode 100644 index 000000000..5918167d9 --- /dev/null +++ b/docs/deployment/fips.md @@ -0,0 +1,39 @@ +# FIPS mode + +For environments that require security hardening, you might need to turn on FIPS ([Federal Information Processing Standards](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards)) mode. Turning FIPS is a complex procedure, this just enables you to do it. + +You will need to have an Erlang installation that has been compiled with [FIPS enabled](https://www.erlang.org/doc/apps/crypto/fips). + +## Docker example + +To do this in Docker, you will need to build it differently. Below is an example Dockerfile with FIPS-enabled Erlang/Elixir base image. You can use it as a base image for building Livebook. See the Livebook Dockerfile for further reference. + +```docker +FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1137 +# Set environment variables for path and language +ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +# Install system dependencies and clean cache in one layer +RUN microdnf install -y unzip autoconf git ncurses-devel openssl-devel gcc gcc-c++ make automake perl clang wget tar cmake glibc-locale-source glibc-langpack-en && \ + microdnf clean all && \ + rm -rf /var/cache/yum + +WORKDIR /install + +# Download, configure, and install Erlang/OTP with FIPS enabled +ARG ERLANG_VERSION +RUN wget https://github.com/erlang/otp/archive/OTP-${ERLANG_VERSION}.tar.gz && \ + tar -xzvf OTP-${ERLANG_VERSION}.tar.gz && \ + cd otp-OTP-${ERLANG_VERSION} && \ + ./otp_build autoconf && \ + ./configure --enable-fips && \ + make && make install + +# Clone, checkout, and install Elixir +ARG ELIXIR_VERSION +RUN git clone https://github.com/elixir-lang/elixir.git && \ + cd elixir && \ + git checkout v${ELIXIR_VERSION} && \ + make compile && \ + make install +``` diff --git a/lib/livebook.ex b/lib/livebook.ex index 44036e626..c02036ad8 100644 --- a/lib/livebook.ex +++ b/lib/livebook.ex @@ -233,6 +233,16 @@ defmodule Livebook do if agent_name = Livebook.Config.agent_name!("LIVEBOOK_AGENT_NAME") do config :livebook, :agent_name, agent_name end + + if Livebook.Config.boolean!("LIVEBOOK_FIPS", false) do + if :crypto.enable_fips_mode(true) do + IO.puts("[Livebook] FIPS mode enabled") + else + Livebook.Config.abort!( + "Requested FIPS mode via LIVEBOOK_FIPS, but this Erlang installation was compiled without FIPS support" + ) + end + end end @doc """ diff --git a/mix.exs b/mix.exs index c5ed6ffda..6002def58 100644 --- a/mix.exs +++ b/mix.exs @@ -220,6 +220,7 @@ defmodule Livebook.MixProject do "docs/use_cases.md", "docs/authentication.md", "docs/deployment/docker.md", + "docs/deployment/fips.md", "docs/deployment/basic_auth.md", "docs/deployment/cloudflare.md", "docs/deployment/google_iap.md",