Alpine Base Image
Support for Alpine Linux in Iron Bank
Iron Bank is happy to announce the availability of Alpine Linux! Starting with the recent Alpine 3.17 release, we now offer an alpine base image and corresponding apk repositories you can use for your applications in Iron Bank.
FROM registry1.dso.mil/ironbank/opensource/alpinelinux/alpine:3.17
RUN apk update && \
    apk --no-cache upgrade && \
    apk --no-cache add <package> && \
    rm -rf /var/cache/apk/*
Overview
Alpine is a Linux distribution that focuses on being small, simple, and secure. It leverages busybox for common utilities and bundles musl libc instead of glibc to decrease its overall footprint.
Info
The Iron Bank alpine image is only 10 MB, compared to ubi (207 MB), ubi8-minimal (147 MB), and ubi8-micro (29 MB).
What does the Iron Bank image provide?
Since Alpine is such a lightweight distribution with only a handful of packages installed, there is not much to do in terms of container hardening. The main difference between the upstream and Iron Bank images is that we compile and enable the OpenSSL 3.0 FIPS Provider by default:
/usr/lib/ossl-modules/fips.so
See below for additional FIPS configuration.
Note
You can find the complete Dockerfile for our image here.
What packages are included?
Here are the packages installed by default in the base image. Only 16 packages!
- alpine-baselayout - Alpine base dir structure and init scripts
- alpine-baselayout-data - Alpine base dir structure and init scripts
- alpine-keys - Public keys for Alpine Linux packages
- apk-tools - Alpine Package Keeper - package manager for alpine
- busybox - Size optimized toolbox of many common UNIX utilities
- busybox-binsh - busybox ash /bin/sh
- ca-certificates - Common CA certificates PEM files from Mozilla
- ca-certificates-bundle - Pre generated bundle of Mozilla certs
- libc-utils - Meta package to pull in correct libc
- libcrypto3 - Crypto library from openssl
- libssl3 - SSL shared libraries
- musl - the musl c library (libc) implementation
- musl-utils - the musl c library (libc) implementation
- scanelf - Scan ELF binaries for stuff
- ssl_client - External ssl_client for busybox wget
- zlib - A compression/decompression Library
FIPS Configuration
Iron Bank makes the following changes to openssl.cnf to enable the FIPS provider.
# The included file defines [fips_sect] for the provider referenced below
.include /etc/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate=1
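As an added example (not code from the Iron Bank page or image), the following Python checker parses an openssl.cnf, follows its .include, and walks the provider chain the way libcrypto resolves it at startup to confirm the FIPS provider is actually activated; it compares the fragment above with the same file minus the fips line. The parser, sample config text and PLACEHOLDER module MAC are constructed for this example, and the `openssl_conf = openssl_init` pointer is assumed from OpenSSL's stock configuration.

```python
import tempfile
from pathlib import Path

def parse_cnf(path, sections=None):
    """Minimal OpenSSL config parser: [sections], key = value, '#' comments, .include."""
    sections = {} if sections is None else sections
    path = Path(path)
    if not path.is_file():  # e.g. fipsmodule.cnf missing: the include is silently skipped
        return sections
    current = "default"  # keys before the first [section] header land here
    sections.setdefault(current, {})
    with path.open() as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if line.startswith(".include"):  # assumption: the included file is parsed on its own
                inc = Path(line.split(None, 1)[1])
                parse_cnf(inc if inc.is_absolute() else path.parent / inc, sections)
            elif line.startswith("[") and line.endswith("]"):
                current = line[1:-1].strip()
                sections.setdefault(current, {})
            elif "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                sections[current][key] = value
    return sections

def fips_provider_active(sections):
    """Walk openssl_conf -> providers -> fips -> activate, the chain libcrypto follows at init."""
    init = sections.get("default", {}).get("openssl_conf", "openssl_init")
    providers = sections.get(sections.get(init, {}).get("providers", ""), {})
    return sections.get(providers.get("fips", ""), {}).get("activate") == "1"

def check_config(openssl_cnf, fipsmodule_cnf):
    """Write constructed config text to a temp dir (rewriting the include path) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        fips_path = Path(tmp, "fipsmodule.cnf")
        fips_path.write_text(fipsmodule_cnf)
        cnf_path = Path(tmp, "openssl.cnf")
        cnf_path.write_text(openssl_cnf.replace("/etc/ssl/fipsmodule.cnf", str(fips_path)))
        return fips_provider_active(parse_cnf(cnf_path))

# Constructed sample: the Iron Bank fragment plus the usual openssl_conf pointer, and a stand-in
# for the fipsmodule.cnf that `openssl fipsinstall` writes (integrity MAC is a placeholder).
FIPSMODULE = "[fips_sect]\nactivate = 1\nmodule-mac = PLACEHOLDER\n"
HARDENED = (
    "openssl_conf = openssl_init\n.include /etc/ssl/fipsmodule.cnf\n"
    "[openssl_init]\nproviders = provider_sect\n"
    "[provider_sect]\nfips = fips_sect\nbase = base_sect\n[base_sect]\nactivate = 1\n"
)
# Same file without the fips line: the provider is never loaded, so weak key exchanges are accepted.
UPSTREAM_LIKE = HARDENED.replace("fips = fips_sect\n", "")
```

Running `check_config(HARDENED, FIPSMODULE)` returns True, while the upstream-like text and a fipsmodule.cnf that lacks `[fips_sect]` both return False, which is the regression a CI job would want to catch.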
Verifying the OpenSSL 3.0 FIPS Module
The busybox implementation of wget uses the ssl_client package, which dynamically links libssl and libcrypto. We can use this to see the FIPS Provider in action.
$ ldd /usr/bin/ssl_client
/lib/ld-musl-x86_64.so.1 (0x7f1e85819000)
libcrypto.so.3 => /lib/libcrypto.so.3 (0x7f1e8541d000)
libssl.so.3 => /lib/libssl.so.3 (0x7f1e85389000)
libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f1e85819000)
Let's see what happens if we use the official alpine image from Docker Hub against a server that uses a non-compliant key exchange such as DH1024 (ephemeral Diffie-Hellman over a 1024-bit group).
$ docker run --rm -it alpine:3.17.0 wget -q -O - https://dh1024.badssl.com/
<!DOCTYPE html>
<html>
...
<div id="footer">
This site uses an ephemeral Diffie-Hellman key exchange<br>over a 1024-bit group.
</div>
</body>
</html>
That works. Now let's try the alpine image provided by Iron Bank:
$ docker run --rm -it registry1.dso.mil/ironbank/opensource/alpinelinux/alpine \
wget --server-response -q -O - https://dh1024.badssl.com/
Connecting to dh1024.badssl.com
48DB52B85B7F0000:error:0A000066:SSL routines:tls_process_ske_dhe:bad dh value:ssl/statem/statem_clnt.c:2085:
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer
As expected, the TLS handshake fails (tls_process_ske_dhe: bad dh value) because the server offers a 1024-bit DH group, a key exchange the FIPS Provider does not accept.
Conclusion
Alpine Linux is a lightweight Linux distribution that uses musl libc instead of GNU libc. Because of its small size and footprint, it can be a good choice for your containers. Iron Bank enables the FIPS provider for OpenSSL by default, so applications that link libssl.so.3 will automatically take advantage of it.
Over the coming months we will be adding more base images, so stay tuned!