Security focused alternative image (#2526)
parent
0be8491d11
commit
9eb5cbde2c
4 changed files with 53 additions and 0 deletions
|
@ -224,6 +224,9 @@ The following environment variables can be used to configure Livebook on boot:
|
||||||
cluster. Must be "name" (long names) or "sname" (short names). Note that this
|
cluster. Must be "name" (long names) or "sname" (short names). Note that this
|
||||||
sets RELEASE_DISTRIBUTION if present when creating a release. Defaults to "sname".
|
sets RELEASE_DISTRIBUTION if present when creating a release. Defaults to "sname".
|
||||||
|
|
||||||
|
* `LIVEBOOK_FIPS` - if set to "true" will try to enable the FIPS mode on startup.
|
||||||
|
See more details in [the documentation](https://hexdocs.pm/livebook/fips.html).
|
||||||
|
|
||||||
* `LIVEBOOK_FORCE_SSL_HOST` - sets a host to redirect to if the request is not over HTTPS.
|
* `LIVEBOOK_FORCE_SSL_HOST` - sets a host to redirect to if the request is not over HTTPS.
|
||||||
Note it does not apply when accessing Livebook via localhost. Defaults to nil.
|
Note it does not apply when accessing Livebook via localhost. Defaults to nil.
|
||||||
|
|
||||||
|
|
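--- /dev/null
+++ b/docs/deployment/fips.md
@@ -0,0 +1,39 @@
+# FIPS mode
+
+For environments that require security hardening, you might need to turn on FIPS ([Federal Information Processing Standards](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards)) mode. Turning FIPS is a complex procedure, this just enables you to do it.
+
+You will need to have an Erlang installation that has been compiled with [FIPS enabled](https://www.erlang.org/doc/apps/crypto/fips).
+
+## Docker example
+
+To do this in Docker, you will need to build it differently. Below is an example Dockerfile with FIPS-enabled Erlang/Elixir base image. You can use it as a base image for building Livebook. See the Livebook Dockerfile for further reference.
+
+```docker
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1137
+# Set environment variables for path and language
+ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Install system dependencies and clean cache in one layer
+RUN microdnf install -y unzip autoconf git ncurses-devel openssl-devel gcc gcc-c++ make automake perl clang wget tar cmake glibc-locale-source glibc-langpack-en && \
+microdnf clean all && \
+rm -rf /var/cache/yum
+
+WORKDIR /install
+
+# Download, configure, and install Erlang/OTP with FIPS enabled
+ARG ERLANG_VERSION
+RUN wget https://github.com/erlang/otp/archive/OTP-${ERLANG_VERSION}.tar.gz && \
+tar -xzvf OTP-${ERLANG_VERSION}.tar.gz && \
+cd otp-OTP-${ERLANG_VERSION} && \
+./otp_build autoconf && \
+./configure --enable-fips && \
+make && make install
+
+# Clone, checkout, and install Elixir
+ARG ELIXIR_VERSION
+RUN git clone https://github.com/elixir-lang/elixir.git && \
+cd elixir && \
+git checkout v${ELIXIR_VERSION} && \
+make compile && \
+make install
+```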
|
@ -233,6 +233,16 @@ defmodule Livebook do
|
||||||
if agent_name = Livebook.Config.agent_name!("LIVEBOOK_AGENT_NAME") do
|
if agent_name = Livebook.Config.agent_name!("LIVEBOOK_AGENT_NAME") do
|
||||||
config :livebook, :agent_name, agent_name
|
config :livebook, :agent_name, agent_name
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if Livebook.Config.boolean!("LIVEBOOK_FIPS", false) do
|
||||||
|
if :crypto.enable_fips_mode(true) do
|
||||||
|
IO.puts("[Livebook] FIPS mode enabled")
|
||||||
|
else
|
||||||
|
Livebook.Config.abort!(
|
||||||
|
"Requested FIPS mode via LIVEBOOK_FIPS, but this Erlang installation was compiled without FIPS support"
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
|
|
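Review bot: The abort message in the `else` branch names only one cause, but `:crypto.enable_fips_mode(true)` also returns `false` when the OpenSSL library that crypto is linked against cannot enter FIPS mode, so an operator whose Erlang was built with FIPS support would be sent looking in the wrong place. A wording that covers both would be `"Requested FIPS mode via LIVEBOOK_FIPS, but it could not be enabled (Erlang must be built with --enable-fips and linked against a FIPS-capable OpenSSL)"`. Because the "FIPS mode enabled" line is what a compliance check is likely to rely on, it may also be worth confirming the state with `:crypto.info_fips() == :enabled` before printing it. The enclosing function starts outside this hunk, so I am assuming this block runs before any other code has used crypto; a one-line comment stating that ordering requirement would help the next maintainer.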
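--- a/mix.exs
+++ b/mix.exs
@@ -220,6 +220,7 @@ defmodule Livebook.MixProject do
 "docs/use_cases.md",
 "docs/authentication.md",
 "docs/deployment/docker.md",
+"docs/deployment/fips.md",
 "docs/deployment/basic_auth.md",
 "docs/deployment/cloudflare.md",
 "docs/deployment/google_iap.md",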