NR-268776 add Dockerfile.fips with fips compliant base image

* add a new Dockerfile to be used when building fips compliant infra-agent container image * update existing Dockerfile to use ubuntu as the base image for building infra-agent container image
newrelic · Nov 22, 2024 · 4e3c887 · 4e3c887
1 parent 4ab2fe4
commit 4e3c887
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 23 deletions.
diff --git a/build/container/Dockerfile b/build/container/Dockerfile
@@ -1,4 +1,5 @@
-ARG base_image=alpine:3.20
+# Public Ubuntu base image
+ARG base_image=ubuntu:22.04
 
 FROM $base_image AS core
 
@@ -23,22 +24,16 @@ LABEL com.newrelic.image.version=$image_version \
       com.newrelic.maintainer="[email protected]" \
       com.newrelic.description="New Relic Infrastructure agent for monitoring the underlying host."
 
-ENV NRIA_IS_CONTAINERIZED true
-ENV NRIA_OVERRIDE_HOST_ROOT /host
+ENV NRIA_IS_CONTAINERIZED=true
+ENV NRIA_OVERRIDE_HOST_ROOT=/host
 
-RUN apk --no-cache upgrade
+RUN apt-get update && apt-get upgrade -y
 
-RUN apk add --no-cache --upgrade \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
-    # Embed required dlls:
-    # ldd /usr/bin/newrelic-infra
-    #   /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
-    #   libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
-    #   libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x7f2bbbd0f000)
-    # As musl and glibc are compatible, this symlink fixes the missing dependency
-    && mkdir /lib64 \
-    && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 \
-    && apk add --no-cache tini
+    tini \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
 # Tini is now available at /sbin/tini
 ENTRYPOINT ["/sbin/tini", "--"]
@@ -49,21 +44,23 @@ CMD ["/usr/bin/newrelic-infra-service"]
 #################################
 FROM core AS forwarder
 
-RUN apk add --no-cache \
-        curl
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        curl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
-RUN addgroup -g 2000 nri-agent && adduser -D -H -u 1000 -G nri-agent nri-agent
+RUN addgroup --gid 2000 nri-agent && adduser -D -H -u 1000 -G nri-agent nri-agent
 USER nri-agent
 
-ENV NRIA_OVERRIDE_HOST_ROOT ""
-ENV NRIA_IS_SECURE_FORWARD_ONLY true
+ENV NRIA_OVERRIDE_HOST_ROOT=""
+ENV NRIA_IS_SECURE_FORWARD_ONLY=true
 
 #################################
 # K8s events forwarder
 #################################
 FROM forwarder AS k8s-events-forwarder
 
-ENV NRIA_HTTP_SERVER_ENABLED true
+ENV NRIA_HTTP_SERVER_ENABLED=true
 
 #################################
 # BASE
@@ -79,8 +76,10 @@ LABEL com.newrelic.nri-docker.version=$nri_docker_version \
       com.newrelic.nri-flex.version=$nri_flex_version \
       com.newrelic.nri-prometheus.version=$nri_prometheus_version
 
-RUN apk add --no-cache \
-        ntpsec \
-        curl
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ntp \
+        curl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY $nri_pkg_dir /
diff --git a/build/container/Dockerfile.fips b/build/container/Dockerfile.fips
@@ -0,0 +1,85 @@
+# FIPS compliant base image
+ARG base_image=cf-registry.nr-ops.net/newrelic/base-ubuntu:22.04-fips
+
+FROM $base_image AS core
+
+ARG image_version=0.0
+ARG agent_version=0.0
+ARG version_file=VERSION
+ARG agent_bin=newrelic-infra
+
+# Add the agent binary
+COPY $agent_bin /usr/bin/newrelic-infra
+COPY ${agent_bin}-ctl /usr/bin/newrelic-infra-ctl
+COPY ${agent_bin}-service /usr/bin/newrelic-infra-service
+
+# Add all static assets
+COPY assets /newrelic
+
+# Add the VERSION file
+COPY $version_file /newrelic/VERSION
+
+LABEL com.newrelic.image.version=$image_version \
+      com.newrelic.infra-agent.version=$agent_version \
+      com.newrelic.maintainer="[email protected]" \
+      com.newrelic.description="FIPS Compliant New Relic Infrastructure agent for monitoring the underlying host."
+
+ENV NRIA_IS_CONTAINERIZED=true
+ENV NRIA_OVERRIDE_HOST_ROOT=/host
+
+RUN apt-get update && apt-get upgrade -y
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    tini \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Tini is now available at /sbin/tini
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["/usr/bin/newrelic-infra-service"]
+
+#################################
+# Forwarder
+#################################
+FROM core AS forwarder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        curl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN addgroup --gid 2000 nri-agent && adduser -D -H -u 1000 -G nri-agent nri-agent
+USER nri-agent
+
+ENV NRIA_OVERRIDE_HOST_ROOT=""
+ENV NRIA_IS_SECURE_FORWARD_ONLY=true
+
+#################################
+# K8s events forwarder
+#################################
+FROM forwarder AS k8s-events-forwarder
+
+ENV NRIA_HTTP_SERVER_ENABLED=true
+
+#################################
+# BASE
+#################################
+FROM core AS base
+
+ARG nri_pkg_dir
+ARG nri_docker_version
+ARG nri_flex_version
+ARG nri_prometheus_version
+
+LABEL com.newrelic.nri-docker.version=$nri_docker_version \
+      com.newrelic.nri-flex.version=$nri_flex_version \
+      com.newrelic.nri-prometheus.version=$nri_prometheus_version
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ntp \
+        curl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY $nri_pkg_dir /