
Add Universal Base Image (UBI) build to CI system #2176

Closed
danbev opened this issue Feb 13, 2020 · 6 comments

Comments

@danbev (Contributor) commented Feb 13, 2020

Description

This issue proposes adding a build for Universal Base Image (UBI) 8.1, which is based on RHEL, to the CI system.

Motivation

The motivation for doing this is that UBI 8.1 contains a system OpenSSL version that has FIPS support, and this build would be configured to dynamically link to that OpenSSL version. This would allow us to exercise the FIPS code path, which is currently not done. This is not something that happens often, but there has been one occasion where code was committed to master which failed to compile when FIPS was enabled: nodejs/node@17d87d5

Docker build instructions

$ docker pull registry.access.redhat.com/ubi8:8.1
$ docker run --ipc=host -ti registry.access.redhat.com/ubi8:8.1 /bin/bash
$ yum install -y git gcc-c++ which make python3 openssl-devel procps-ng
$ git clone https://github.com/nodejs/node.git
$ cd node
$ update-crypto-policies --set LEGACY
$ export OPENSSL_ENABLE_MD5_VERIFY=true
$ ./configure --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt --shared-openssl --openssl-is-fips
$ make -j8 test

Currently there is one test failure which is covered by nodejs/node#31715

@rvagg (Member) commented Feb 13, 2020

Nice! Do you have time to set up a preliminary version of a Dockerfile for this? See the Dockerfiles in here: https://github.com/nodejs/build/tree/master/ansible/roles/docker/templates, the one that it might be close to is ubuntu1804_sharedlibs.Dockerfile.j2 where we previously had FIPS tests running. Basically the image needs to be set up so that a Node repo can be mounted and compiled, the environment variables tell it where to link. Might not be needed for this image though if it's the default openssl installed I suppose.

Do you know if you can FROM registry.access.redhat.com/ubi8:8.1 in a Dockerfile? If not then we'll have to do some extra Ansible work to pull from a custom registry.
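The manual steps from the issue description, turned into the kind of Dockerfile rvagg asks for above (added example, not the nodejs/build template or anything from this thread). It assumes the Node.js checkout is bind-mounted at /src and that the built binary exposes Node's `--enable-fips` flag and `crypto.getFips()` for the final sanity check:

```dockerfile
# Added example: UBI 8.1 image for building/testing Node.js against the
# system OpenSSL with FIPS support. Not the nodejs/build ubi81 template.
FROM registry.access.redhat.com/ubi8:8.1

# Same package set as the manual instructions; procps-ng supplies `ps`
# for the test runner. Clean the cache so the layer stays small.
RUN yum install -y git gcc-c++ which make python3 openssl-devel procps-ng \
    && yum clean all

# update-crypto-policies needs root; RUN steps execute as root by default,
# so this is done once at image build time rather than per test run.
RUN update-crypto-policies --set LEGACY

# Carried over from the manual instructions so it applies to every run.
ENV OPENSSL_ENABLE_MD5_VERIFY=true

# Assumption: the CI bind-mounts a Node.js checkout here, e.g.
#   docker build -t ubi81-fips .
#   docker run --ipc=host -v "$PWD":/src ubi81-fips
VOLUME /src
WORKDIR /src

# Configure against the shared system OpenSSL, run the test suite, then
# confirm the resulting binary really can enter FIPS mode (getFips() -> 1).
# Shell-form CMD so the continuation lines stay readable.
CMD ./configure \
        --openssl-system-ca-path=/etc/pki/tls/certs/ca-bundle.crt \
        --shared-openssl --openssl-is-fips \
    && make -j8 test \
    && test "$(./node --enable-fips -p 'require("crypto").getFips()')" = 1
```

The final `test` guards against an image that builds and passes tests while silently never exercising the FIPS code path, which is the whole point of the job.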

@richardlau (Member) commented

@rvagg I’ll take a look at this.

@richardlau (Member) commented Feb 14, 2020

Do you know if you can FROM registry.access.redhat.com/ubi8:8.1 in a Dockerfile? If not then we'll have to do some extra Ansible work to pull from a custom registry.

From my preliminary experiments it appears that you can.

I've currently got a local dockerfile built based on UBI 8.1 and am currently building Node.js inside of it.

Some notes:

$ update-crypto-policies --set LEGACY

This appears to want root.
@danbev For my own education, why is this LEGACY and not FIPS (https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8) if we're testing FIPS?

@danbev (Contributor, Author) commented Feb 20, 2020

For my own education, why is this LEGACY and not FIPS

Sorry about the late reply (I forgot that I had an email filter set up). This is to enable other tests to pass which otherwise would not if the security policy was set to DEFAULT or FIPS.

@richardlau (Member) commented

@danbev
We now have four UBI 8.1 containers in the CI based off the Dockerfile template in ansible/roles/docker/templates/ubi81.Dockerfile.j2:

node-test-commit-linux-containered has been extended to build on them for Node.js >= 13.

e.g. this build is against current master: https://ci.nodejs.org/job/node-test-commit-linux-containered/18480/nodes=ubi81_sharedlibs_openssl111fips_x64/ (all tests passed)

@danbev (Contributor, Author) commented Mar 6, 2020

@richardlau Very nice 🎉 Thank you very much for setting this up!
