From 2baebb910ff77303a152ed90cef775cde03d5eb6 Mon Sep 17 00:00:00 2001 From: Calvin Shum Date: Tue, 30 Sep 2025 17:21:08 -0700 Subject: [PATCH 01/19] try another sku with lower core counts Update vhd-scanning.sh Update vhd-scanning.sh Revert "try another sku with lower core counts" This reverts commit a5094f08049619f21372b78a8c0b7fec48b8972d. --- vhdbuilder/packer/vhd-scanning.sh | 111 ++++++++++++++++++++++++++---- 1 file changed, 97 insertions(+), 14 deletions(-) diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index accdeca4bf6..296b26b1d1c 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh @@ -84,11 +84,6 @@ if [ "${OS_TYPE}" = "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" = "True" ]; then VM_OPTIONS+=" --security-type TrustedLaunch --enable-secure-boot true --enable-vtpm true" fi -if [ "${OS_TYPE}" = "Linux" ] && grep -q "cvm" <<< "$FEATURE_FLAGS"; then - # We completely re-assign the VM_OPTIONS string here to ensure that no artifacts from earlier conditionals are included - VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true" -fi - # GB200 specific VM options for scanning (uses standard ARM64 VM for now) if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then echo "GB200: Using standard ARM64 VM options for scanning" 
@@ -101,16 +96,104 @@ if [ -z "$SCANNING_NIC_ID" ]; then exit 1 fi -az vm create --resource-group $RESOURCE_GROUP_NAME \ - --name $SCAN_VM_NAME \ - --image $VHD_IMAGE \ - --nics $SCANNING_NIC_ID \ - --admin-username $SCAN_VM_ADMIN_USERNAME \ - --admin-password $SCAN_VM_ADMIN_PASSWORD \ - --os-disk-size-gb 50 \ - ${VM_OPTIONS} \ - --assign-identity "${UMSI_RESOURCE_ID}" +# Enable FIPS 140-3 compliance feature if not already enabled +echo "Checking FIPS 140-3 compliance feature registration..." +FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv 2>/dev/null || echo "NotRegistered") +if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then + echo "Registering FIPS 140-3 compliance feature..." + az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance + # Poll until registered (timeout after 5 minutes) + TIMEOUT=300 + ELAPSED=0 + while [ "$FIPS_FEATURE_STATE" != "Registered" ] && [ $ELAPSED -lt $TIMEOUT ]; do + sleep 10 + ELAPSED=$((ELAPSED + 10)) + FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) + echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" + done + + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then + echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." + else + echo "FIPS 140-3 feature registered successfully. Refreshing provider..." 
+ az provider register -n Microsoft.Compute + fi +else + echo "FIPS 140-3 compliance feature already registered" +fi + +# Prepare VM creation parameters +VM_SIZE="Standard_D8ds_v5" + +# shellcheck disable=SC3010 +if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then + VM_SIZE="Standard_D8pds_v5" +fi + +# GB200 specific VM options for scanning (uses standard ARM64 VM for now) +if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then + echo "GB200: Using standard ARM64 VM options for scanning" + # Additional GB200-specific VM options can be added here when GB200 SKUs are available +fi + +# Build the VM request body (simplified for FIPS testing) +VM_BODY=$(cat < Date: Fri, 3 Oct 2025 03:47:20 -0700 Subject: [PATCH 02/19] Update vhd-scanning.sh --- vhdbuilder/packer/vhd-scanning.sh | 126 +++++++++++++++++++----------- 1 file changed, 82 insertions(+), 44 deletions(-) diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 296b26b1d1c..017f7531e54 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh 
@@ -96,49 +96,73 @@ if [ -z "$SCANNING_NIC_ID" ]; then exit 1 fi -# Enable FIPS 140-3 compliance feature if not already enabled -echo "Checking FIPS 140-3 compliance feature registration..." -FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv 2>/dev/null || echo "NotRegistered") -if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then - echo "Registering FIPS 140-3 compliance feature..." - az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance - - # Poll until registered (timeout after 5 minutes) - TIMEOUT=300 - ELAPSED=0 - while [ "$FIPS_FEATURE_STATE" != "Registered" ] && [ $ELAPSED -lt $TIMEOUT ]; do - sleep 10 - ELAPSED=$((ELAPSED + 10)) - FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) - echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" - done - +# Function to check if this is Ubuntu 22.04 + FIPS scenario +is_ubuntu_2204_fips() { + # Check if this is Ubuntu with FIPS enabled + if [[ "${OS_SKU}" == "Ubuntu" ]] || [[ "${OS_SKU}" == "Ubuntu2204" ]]; then + # Check various FIPS indicators + if [[ "${OS_SKU}" == "Ubuntu2204" ]] || + [[ "${SKU_NAME:-}" == *"Fips"* ]] || + [[ "${SKU_NAME:-}" == *"fips"* ]] || + ([[ "${FEATURE_FLAGS,,}" == *"fips"* ]] && [[ "${OS_VERSION}" == "22.04" ]]); then + return 0 + fi + fi + return 1 +} + +# Only register FIPS feature for Ubuntu 22.04 + FIPS scenarios +if is_ubuntu_2204_fips; then + echo "Detected Ubuntu 22.04 + FIPS scenario, enabling FIPS 140-3 compliance..." + + # Enable FIPS 140-3 compliance feature if not already enabled + echo "Checking FIPS 140-3 compliance feature registration..." 
+ FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv 2>/dev/null || echo "NotRegistered") if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then - echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." + echo "Registering FIPS 140-3 compliance feature..." + az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance + + # Poll until registered (timeout after 5 minutes) + TIMEOUT=300 + ELAPSED=0 + while [ "$FIPS_FEATURE_STATE" != "Registered" ] && [ $ELAPSED -lt $TIMEOUT ]; do + sleep 10 + ELAPSED=$((ELAPSED + 10)) + FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) + echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" + done + + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then + echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." + else + echo "FIPS 140-3 feature registered successfully. Refreshing provider..." + az provider register -n Microsoft.Compute + fi else - echo "FIPS 140-3 feature registered successfully. Refreshing provider..." - az provider register -n Microsoft.Compute + echo "FIPS 140-3 compliance feature already registered" fi -else - echo "FIPS 140-3 compliance feature already registered" fi -# Prepare VM creation parameters -VM_SIZE="Standard_D8ds_v5" +# Create VM using appropriate method based on scenario +if is_ubuntu_2204_fips; then + echo "Creating VM with FIPS 140-3 encryption using REST API..." 
-# shellcheck disable=SC3010 -if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then - VM_SIZE="Standard_D8pds_v5" -fi + # Prepare VM creation parameters + VM_SIZE="Standard_D8ds_v5" -# GB200 specific VM options for scanning (uses standard ARM64 VM for now) -if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then - echo "GB200: Using standard ARM64 VM options for scanning" - # Additional GB200-specific VM options can be added here when GB200 SKUs are available -fi + # shellcheck disable=SC3010 + if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then + VM_SIZE="Standard_D8pds_v5" + fi -# Build the VM request body (simplified for FIPS testing) -VM_BODY=$(cat < Date: Fri, 3 Oct 2025 04:01:31 -0700 Subject: [PATCH 03/19] clean up the test script --- vhdbuilder/packer/fips-helper.sh | 107 ++++++++++++++++++ vhdbuilder/packer/vhd-scanning.sh | 174 ++++-------------------------- 2 files changed, 130 insertions(+), 151 deletions(-) create mode 100644 vhdbuilder/packer/fips-helper.sh diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh new file mode 100644 index 00000000000..e850b6cd40c --- /dev/null +++ b/vhdbuilder/packer/fips-helper.sh 
@@ -0,0 +1,107 @@ +#!/bin/bash +# FIPS Helper Functions for VHD Scanning +# This script contains functions related to FIPS 140-3 compliance for Ubuntu 22.04 + +# Function to check if this is Ubuntu 22.04 + FIPS scenario +is_ubuntu_2204_fips() { + # Check if this is Ubuntu with FIPS enabled + if [[ "${OS_SKU}" == "Ubuntu" ]] || [[ "${OS_SKU}" == "Ubuntu2204" ]]; then + # Check various FIPS indicators + if [[ "${OS_SKU}" == "Ubuntu2204" ]] || + [[ "${SKU_NAME:-}" == *"Fips"* ]] || + [[ "${SKU_NAME:-}" == *"fips"* ]] || + ([[ "${FEATURE_FLAGS,,}" == *"fips"* ]] && [[ "${OS_VERSION}" == "22.04" ]]); then + return 0 + fi + fi + return 1 +} + +# Function to ensure FIPS 140-3 compliance feature is registered +ensure_fips_feature_registered() { + echo "Detected Ubuntu 22.04 + FIPS scenario, enabling FIPS 140-3 compliance..." + + # Enable FIPS 140-3 compliance feature if not already enabled + echo "Checking FIPS 140-3 compliance feature registration..." + FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv 2>/dev/null || echo "NotRegistered") + + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then + echo "Registering FIPS 140-3 compliance feature..." + az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance + + # Poll until registered (timeout after 5 minutes) + local TIMEOUT=300 + local ELAPSED=0 + while [ "$FIPS_FEATURE_STATE" != "Registered" ] && [ $ELAPSED -lt $TIMEOUT ]; do + sleep 10 + ELAPSED=$((ELAPSED + 10)) + FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) + echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" + done + + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then + echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." + else + echo "FIPS 140-3 feature registered successfully. Refreshing provider..." 
+ az provider register -n Microsoft.Compute + fi + else + echo "FIPS 140-3 compliance feature already registered" + fi +} + +# Function to build FIPS-enabled VM request body +build_fips_vm_body() { + local location="$1" + local vm_name="$2" + local admin_username="$3" + local admin_password="$4" + local image_id="$5" + local nic_id="$6" + local umsi_resource_id="$7" + local vm_size="$8" + + cat </dev/null || echo "NotRegistered") - if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then - echo "Registering FIPS 140-3 compliance feature..." - az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance - - # Poll until registered (timeout after 5 minutes) - TIMEOUT=300 - ELAPSED=0 - while [ "$FIPS_FEATURE_STATE" != "Registered" ] && [ $ELAPSED -lt $TIMEOUT ]; do - sleep 10 - ELAPSED=$((ELAPSED + 10)) - FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) - echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" - done - - if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then - echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." - else - echo "FIPS 140-3 feature registered successfully. Refreshing provider..." - az provider register -n Microsoft.Compute - fi - else - echo "FIPS 140-3 compliance feature already registered" - fi -fi - # Create VM using appropriate method based on scenario if is_ubuntu_2204_fips; then + # Source the FIPS helper functions + FULL_PATH=$(realpath $0) + CDIR=$(dirname $FULL_PATH) + source "$CDIR/fips-helper.sh" + + # register FIPS feature + ensure_fips_feature_registered echo "Creating VM with FIPS 140-3 encryption using REST API..." # Prepare VM creation parameters 
@@ -161,51 +126,16 @@ if is_ubuntu_2204_fips; then # Additional GB200-specific VM options can be added here when GB200 SKUs are available fi - # Build the VM request body for FIPS scenario - VM_BODY=$(cat < Date: Fri, 3 Oct 2025 04:05:31 -0700 Subject: [PATCH 04/19] Update vhd-scanning.sh --- vhdbuilder/packer/vhd-scanning.sh | 60 ++++++++++++++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 796507660f1..39943ee5c73 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh 
@@ -305,4 +305,62 @@ requiresCISScan() { return 1 fi return 0 # Requires scan -} \ No newline at end of file +} + +# First check if this OS requires CIS scanning +if ! requiresCISScan "${OS_SKU}" "${OS_VERSION}"; then + echo "CIS scan not required for ${OS_SKU} ${OS_VERSION}" + capture_benchmark "${SCRIPT_NAME}_cis_report_skipped" + capture_benchmark "${SCRIPT_NAME}_overall" true + process_benchmarks + exit 0 +fi + +CIS_SCRIPT_PATH="$CDIR/cis-report.sh" +CIS_REPORT_TXT_NAME="cis-report-${BUILD_ID}-${TIMESTAMP}.txt" +CIS_REPORT_HTML_NAME="cis-report-${BUILD_ID}-${TIMESTAMP}.html" + +# Upload cisassessor tarball to storage account +if [ "${ARCHITECTURE,,}" = "arm64" ]; then + CISASSESSOR_LOCAL_PATH="$CDIR/../cisassessor-arm64.tar.gz" +else + CISASSESSOR_LOCAL_PATH="$CDIR/../cisassessor-amd64.tar.gz" +fi +CISASSESSOR_BLOB_NAME="cisassessor-${BUILD_ID}-${TIMESTAMP}.tar.gz" +az storage blob upload --container-name "${SIG_CONTAINER_NAME}" --file "${CISASSESSOR_LOCAL_PATH}" --name "${CISASSESSOR_BLOB_NAME}" --account-name "${STORAGE_ACCOUNT_NAME}" --auth-mode login + +# Run CIS report script on VM (pass storage info) +ret=$(az vm run-command invoke \ + --command-id RunShellScript \ + --name $SCAN_VM_NAME \ + --resource-group $RESOURCE_GROUP_NAME \ + --scripts @$CIS_SCRIPT_PATH \ + --parameters "CISASSESSOR_BLOB_NAME=${CISASSESSOR_BLOB_NAME}" \ + "STORAGE_ACCOUNT_NAME=${STORAGE_ACCOUNT_NAME}" \ + "SIG_CONTAINER_NAME=${SIG_CONTAINER_NAME}" \ + "AZURE_MSI_RESOURCE_STRING=${AZURE_MSI_RESOURCE_STRING}" \ + "ENABLE_TRUSTED_LAUNCH=${ENABLE_TRUSTED_LAUNCH}" \ + "CIS_REPORT_TXT_NAME=${CIS_REPORT_TXT_NAME}" \ + "CIS_REPORT_HTML_NAME=${CIS_REPORT_HTML_NAME}" \ + "TEST_VM_ADMIN_USERNAME=${SCAN_VM_ADMIN_USERNAME}" \ + "OS_SKU=${OS_SKU}" +) +echo "$ret" +msg=$(echo -E "$ret" | jq -r '.value[].message') +echo "$msg" + +# Download CIS report files to working directory +az storage blob download --container-name "${SIG_CONTAINER_NAME}" --name "${CIS_REPORT_TXT_NAME}" --file cis-report.txt 
--account-name "${STORAGE_ACCOUNT_NAME}" --auth-mode login +az storage blob download --container-name "${SIG_CONTAINER_NAME}" --name "${CIS_REPORT_HTML_NAME}" --file cis-report.html --account-name "${STORAGE_ACCOUNT_NAME}" --auth-mode login + +# Remove CIS report blobs from storage +az storage blob delete --account-name "${STORAGE_ACCOUNT_NAME}" --container-name "${SIG_CONTAINER_NAME}" --name "${CIS_REPORT_TXT_NAME}" --auth-mode login +az storage blob delete --account-name "${STORAGE_ACCOUNT_NAME}" --container-name "${SIG_CONTAINER_NAME}" --name "${CIS_REPORT_HTML_NAME}" --auth-mode login +# Remove CIS assessor tarball blob from storage +az storage blob delete --account-name "${STORAGE_ACCOUNT_NAME}" --container-name "${SIG_CONTAINER_NAME}" --name "${CISASSESSOR_BLOB_NAME}" --auth-mode login + +echo -e "CIS Report Script Completed\n\n\n" +capture_benchmark "${SCRIPT_NAME}_cis_report_upload_and_download" + +capture_benchmark "${SCRIPT_NAME}_overall" true +process_benchmarks \ No newline at end of file From 186484febefa2a1b2da10fbda670dfbf45e34bef Mon Sep 17 00:00:00 2001 From: Calvin Shum Date: Fri, 3 Oct 2025 04:16:31 -0700 Subject: [PATCH 05/19] refactor --- vhdbuilder/packer/fips-helper.sh | 40 +++++++++++++++++++++++++++++++ vhdbuilder/packer/vhd-scanning.sh | 40 ++----------------------------- 2 files changed, 42 insertions(+), 38 deletions(-) diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index e850b6cd40c..ff52d680351 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh 
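Review bot: The exit status of `az vm run-command invoke` is discarded because only its stdout is captured into `ret`, so a failed or timed-out run-command falls through to the `az storage blob download` calls, which then fail on a missing report blob with a less useful error. Check the status before parsing, e.g. `ret=$(az vm run-command invoke ...) || { echo "Error: CIS run-command failed" >&2; exit 1; }`, or inspect the `code` entry of `.value[]` the same way `msg` reads `.value[].message`. Whether the uploaded cisassessor tarball blob is removed on such an early exit depends on the `cleanup` trap, which is outside this hunk.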
@@ -105,3 +105,43 @@ build_fips_vm_body() { } EOF } + +# Function to create FIPS-enabled VM using REST API +create_fips_vm() { + echo "Creating VM with FIPS 140-3 encryption using REST API..." + + # Prepare VM creation parameters + local VM_SIZE="Standard_D8ds_v5" + + # shellcheck disable=SC3010 + if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then + VM_SIZE="Standard_D8pds_v5" + fi + + # GB200 specific VM options for scanning (uses standard ARM64 VM for now) + if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then + echo "GB200: Using standard ARM64 VM options for scanning" + # Additional GB200-specific VM options can be added here when GB200 SKUs are available + fi + + # Build the VM request body for FIPS scenario + local VM_BODY=$(build_fips_vm_body \ + "$PACKER_BUILD_LOCATION" \ + "$SCAN_VM_NAME" \ + "$SCAN_VM_ADMIN_USERNAME" \ + "$SCAN_VM_ADMIN_PASSWORD" \ + "$VHD_IMAGE" \ + "$SCANNING_NIC_ID" \ + "$UMSI_RESOURCE_ID" \ + "$VM_SIZE") + + # Create the VM using REST API + az rest \ + --method put \ + --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/virtualMachines/${SCAN_VM_NAME}?api-version=2024-11-01" \ + --body "$VM_BODY" + + # Wait for VM to be ready + echo "Waiting for VM to be ready..." + az vm wait --created --name $SCAN_VM_NAME --resource-group $RESOURCE_GROUP_NAME +} diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 39943ee5c73..9c73476e928 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh 
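Review bot: `create_fips_vm` never checks whether the `az rest --method put` call succeeded, so a rejected request is followed by `az vm wait --created`, which then blocks until its own timeout and reports an unrelated error. `local VM_BODY=$(build_fips_vm_body ...)` also masks the helper's exit status (shellcheck SC2155). Split the declaration and fail on the request: `local VM_BODY` / `VM_BODY=$(build_fips_vm_body ...) || return 1` / `az rest ... --body "$VM_BODY" || { echo "Error: FIPS VM create request failed" >&2; return 1; }`. Separately, the admin password is interpolated into the JSON body by `build_fips_vm_body`, whose heredoc is not legible in this patch; if it is not JSON-escaped, a password containing `"` or `\` breaks the request, and passing the whole body as a `--body` argument exposes it on the build agent's process command line, which `--body @<file>` pointing at a mode-600 temp file would avoid.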
@@ -108,45 +108,9 @@ if is_ubuntu_2204_fips; then CDIR=$(dirname $FULL_PATH) source "$CDIR/fips-helper.sh" - # register FIPS feature + # Register FIPS feature and create VM using REST API ensure_fips_feature_registered - echo "Creating VM with FIPS 140-3 encryption using REST API..." - - # Prepare VM creation parameters - VM_SIZE="Standard_D8ds_v5" - - # shellcheck disable=SC3010 - if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then - VM_SIZE="Standard_D8pds_v5" - fi - - # GB200 specific VM options for scanning (uses standard ARM64 VM for now) - if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then - echo "GB200: Using standard ARM64 VM options for scanning" - # Additional GB200-specific VM options can be added here when GB200 SKUs are available - fi - - # Build the VM request body for FIPS scenario using helper function - VM_BODY=$(build_fips_vm_body \ - "$PACKER_BUILD_LOCATION" \ - "$SCAN_VM_NAME" \ - "$SCAN_VM_ADMIN_USERNAME" \ - "$SCAN_VM_ADMIN_PASSWORD" \ - "$VHD_IMAGE" \ - "$SCANNING_NIC_ID" \ - "$UMSI_RESOURCE_ID" \ - "$VM_SIZE") - - # Create the VM using REST API - az rest \ - --method put \ - --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/virtualMachines/${SCAN_VM_NAME}?api-version=2024-11-01" \ - --body "$VM_BODY" - - # Wait for VM to be ready - echo "Waiting for VM to be ready..." - az vm wait --created --name $SCAN_VM_NAME --resource-group $RESOURCE_GROUP_NAME - + create_fips_vm else echo "Creating VM using standard az vm create command..." From 6e26082e61f3331d978e7b6781c9e9fd4f926247 Mon Sep 17 00:00:00 2001 From: Calvin Shum Date: Fri, 3 Oct 2025 04:19:53 -0700 Subject: [PATCH 06/19] Update vhd-scanning.sh --- vhdbuilder/packer/vhd-scanning.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 9c73476e928..b50fb4b77e6 100755 
--- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh @@ -107,7 +107,7 @@ if is_ubuntu_2204_fips; then FULL_PATH=$(realpath $0) CDIR=$(dirname $FULL_PATH) source "$CDIR/fips-helper.sh" - + # Register FIPS feature and create VM using REST API ensure_fips_feature_registered create_fips_vm @@ -327,4 +327,4 @@ echo -e "CIS Report Script Completed\n\n\n" capture_benchmark "${SCRIPT_NAME}_cis_report_upload_and_download" capture_benchmark "${SCRIPT_NAME}_overall" true -process_benchmarks \ No newline at end of file +process_benchmarks From f85d958f46458ee63a5df468212b63a1580f8dfa Mon Sep 17 00:00:00 2001 From: Calvin Shum Date: Fri, 3 Oct 2025 04:42:53 -0700 Subject: [PATCH 07/19] Update fips-helper.sh --- vhdbuilder/packer/fips-helper.sh | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index ff52d680351..56a3982e6ea 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh @@ -4,15 +4,9 @@ # Function to check if this is Ubuntu 22.04 + FIPS scenario is_ubuntu_2204_fips() { - # Check if this is Ubuntu with FIPS enabled - if [[ "${OS_SKU}" == "Ubuntu" ]] || [[ "${OS_SKU}" == "Ubuntu2204" ]]; then - # Check various FIPS indicators - if [[ "${OS_SKU}" == "Ubuntu2204" ]] || - [[ "${SKU_NAME:-}" == *"Fips"* ]] || - [[ "${SKU_NAME:-}" == *"fips"* ]] || - ([[ "${FEATURE_FLAGS,,}" == *"fips"* ]] && [[ "${OS_VERSION}" == "22.04" ]]); then - return 0 - fi + # Check if it's Ubuntu AND version is 22.04 AND FIPS is enabled + if [[ "${OS_SKU}" == "Ubuntu" ]] && [[ "${OS_VERSION}" == "22.04" ]] && [[ "${ENABLE_FIPS,,}" == "true" ]]; then + return 0 fi return 1 } From 2dda3f8e3c47e696b9103ad09cbace96d35557e4 Mon Sep 17 00:00:00 2001 
From: Calvin Shum Date: Mon, 6 Oct 2025 21:41:53 -0700 Subject: [PATCH 08/19] fix bug --- vhdbuilder/packer/fips-helper.sh | 9 --------- vhdbuilder/packer/vhd-scanning.sh | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index 56a3982e6ea..aa3417db0d2 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh @@ -2,15 +2,6 @@ # FIPS Helper Functions for VHD Scanning # This script contains functions related to FIPS 140-3 compliance for Ubuntu 22.04 -# Function to check if this is Ubuntu 22.04 + FIPS scenario -is_ubuntu_2204_fips() { - # Check if it's Ubuntu AND version is 22.04 AND FIPS is enabled - if [[ "${OS_SKU}" == "Ubuntu" ]] && [[ "${OS_VERSION}" == "22.04" ]] && [[ "${ENABLE_FIPS,,}" == "true" ]]; then - return 0 - fi - return 1 -} - # Function to ensure FIPS 140-3 compliance feature is registered ensure_fips_feature_registered() { echo "Detected Ubuntu 22.04 + FIPS scenario, enabling FIPS 140-3 compliance..." diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index b50fb4b77e6..495644b0d2a 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh @@ -102,7 +102,7 @@ if [ -z "$SCANNING_NIC_ID" ]; then fi # Create VM using appropriate method based on scenario -if is_ubuntu_2204_fips; then +if [[ "${OS_SKU}" == "Ubuntu" ]] && [[ "${OS_VERSION}" == "22.04" ]] && [[ "${ENABLE_FIPS,,}" == "true" ]]; then # Source the FIPS helper functions FULL_PATH=$(realpath $0) CDIR=$(dirname $FULL_PATH) From 30612c22fc60e81be91d01ff79482751beba21c3 Mon Sep 17 00:00:00 2001 From: Mark Ibrahim Date: Thu, 22 Jan 2026 20:15:46 +0000 Subject: [PATCH 09/19] Add 2204 FIPS to sig config, tests, and build pipeline --- .pipelines/.vsts-vhd-builder-release.yaml | 4 ++-- pkg/agent/datamodel/sig_config.go | 4 ++-- pkg/agent/datamodel/sig_config_test.go | 2 ++ 3 files changed, 6 insertions(+), 4 deletions(-) 
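Review bot: The inlined `[[ ... ]]` condition replaces `is_ubuntu_2204_fips` without recording why the helper function could not be used here, namely that `fips-helper.sh` is only sourced inside the branch it guards (the `source "$CDIR/fips-helper.sh"` line just below). A future cleanup is likely to move the check back into the helper and reintroduce the failure. Suggest `# Inline check: fips-helper.sh is sourced only inside this branch, so its functions are not yet defined here` above the `if`.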
diff --git a/.pipelines/.vsts-vhd-builder-release.yaml b/.pipelines/.vsts-vhd-builder-release.yaml index 0232751fdff..e24c42c588c 100644 --- a/.pipelines/.vsts-vhd-builder-release.yaml +++ b/.pipelines/.vsts-vhd-builder-release.yaml @@ -128,11 +128,11 @@ parameters: - name: build2204fipscontainerd displayName: Build 2204 FIPS containerd type: boolean - default: false + default: true - name: build2204fipsgen2containerd displayName: Build 2204 FIPS Gen2 containerd type: boolean - default: false + default: true - name: build2204arm64gen2containerd displayName: Build 2204 ARM64 Gen2 containerd type: boolean diff --git a/pkg/agent/datamodel/sig_config.go b/pkg/agent/datamodel/sig_config.go index bc8d3a93ca1..7fc3bec5405 100644 --- a/pkg/agent/datamodel/sig_config.go +++ b/pkg/agent/datamodel/sig_config.go @@ -429,14 +429,14 @@ var ( ResourceGroup: AKSUbuntuResourceGroup, Gallery: AKSUbuntuGalleryName, Definition: "2204fipscontainerd", - Version: "202404.09.0", // TODO(artunduman): Update version when the image is ready + Version: LinuxSIGImageVersion, } SIGUbuntuFipsContainerd2204Gen2ImageConfigTemplate = SigImageConfigTemplate{ ResourceGroup: AKSUbuntuResourceGroup, Gallery: AKSUbuntuGalleryName, Definition: "2204gen2fipscontainerd", - Version: "202404.09.0", // TODO(artunduman): Update version when the image is ready + Version: LinuxSIGImageVersion, } SIGUbuntuArm64Containerd2204Gen2ImageConfigTemplate = SigImageConfigTemplate{ diff --git a/pkg/agent/datamodel/sig_config_test.go b/pkg/agent/datamodel/sig_config_test.go index e2a50774ea1..0143d78092e 100644 --- a/pkg/agent/datamodel/sig_config_test.go +++ b/pkg/agent/datamodel/sig_config_test.go 
@@ -10,6 +10,8 @@ var _ = Describe("GetMaintainedLinuxSIGImageConfigMap", func() { expected := map[Distro]SigImageConfig{ AKSUbuntuFipsContainerd2004: SIGUbuntuFipsContainerd2004ImageConfigTemplate.WithOptions(), AKSUbuntuFipsContainerd2004Gen2: SIGUbuntuFipsContainerd2004Gen2ImageConfigTemplate.WithOptions(), + AKSUbuntuFipsContainerd2204: SIGUbuntuFipsContainerd2204ImageConfigTemplate.WithOptions(), + AKSUbuntuFipsContainerd2204Gen2: SIGUbuntuFipsContainerd2204Gen2ImageConfigTemplate.WithOptions(), AKSUbuntuArm64Containerd2204Gen2: SIGUbuntuArm64Containerd2204Gen2ImageConfigTemplate.WithOptions(), AKSUbuntuArm64Containerd2404Gen2: SIGUbuntuArm64Containerd2404Gen2ImageConfigTemplate.WithOptions(), AKSUbuntuArm64GB200Containerd2404Gen2: SIGUbuntuArm64GB200Containerd2404Gen2ImageConfigTemplate.WithOptions(), From 8b44033a911840e2f62917f60b811dd5d8203d42 Mon Sep 17 00:00:00 2001 From: Mark Ibrahim Date: Thu, 22 Jan 2026 21:47:20 +0000 Subject: [PATCH 10/19] convert script from bash to posix compatible --- vhdbuilder/packer/vhd-scanning.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 1cdeb089020..2ea29e310d5 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh @@ -102,7 +102,7 @@ if [ -z "$SCANNING_NIC_ID" ]; then fi # Create VM using appropriate method based on scenario -if [[ "${OS_SKU}" == "Ubuntu" ]] && [[ "${OS_VERSION}" == "22.04" ]] && [[ "${ENABLE_FIPS,,}" == "true" ]]; then +if [ "${OS_SKU}" = "Ubuntu" ] && [ "${OS_VERSION}" = "22.04" ] && [ "$(printf %s "${ENABLE_FIPS}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then # Source the FIPS helper functions FULL_PATH=$(realpath $0) CDIR=$(dirname $FULL_PATH) From c01eb3149c3250403bdb4312e8542d2348ecb21c Mon Sep 17 00:00:00 2001 
From: Mark Ibrahim Date: Fri, 23 Jan 2026 17:46:51 +0000 Subject: [PATCH 11/19] add fips disclaimer --- vhdbuilder/packer/fips-helper.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index aa3417db0d2..4fbcb813c30 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh @@ -1,5 +1,11 @@ #!/bin/bash # FIPS Helper Functions for VHD Scanning + +# FIPS 140-3 encryption is not automatically supported in Linux VMs. +# Because not all extensions are onboarded to FIPS 140-3 yet, subscriptions must register the Microsoft.Compute/OptInToFips1403Compliance feature. +# After reguster the feature, the VM must be created via Azure REST API calls to enable support for FIPS 140-3. +# There is currently no ETA for when FIPS 140-3 encryption is natively supported, but all information can be found here: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux-fips + # This script contains functions related to FIPS 140-3 compliance for Ubuntu 22.04 # Function to ensure FIPS 140-3 compliance feature is registered @@ -9,11 +15,11 @@ ensure_fips_feature_registered() { # Enable FIPS 140-3 compliance feature if not already enabled echo "Checking FIPS 140-3 compliance feature registration..." FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv 2>/dev/null || echo "NotRegistered") - + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then echo "Registering FIPS 140-3 compliance feature..." az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance - + # Poll until registered (timeout after 5 minutes) local TIMEOUT=300 local ELAPSED=0 
@@ -23,7 +29,7 @@ ensure_fips_feature_registered() { FIPS_FEATURE_STATE=$(az feature show --namespace Microsoft.Compute --name OptInToFips1403Compliance --query 'properties.state' -o tsv) echo "Feature state: $FIPS_FEATURE_STATE (waited ${ELAPSED}s)" done - + if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..." else @@ -45,7 +51,7 @@ build_fips_vm_body() { local nic_id="$6" local umsi_resource_id="$7" local vm_size="$8" - + cat < Date: Fri, 23 Jan 2026 17:49:22 +0000 Subject: [PATCH 12/19] typo --- vhdbuilder/packer/fips-helper.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index 4fbcb813c30..70562fa1cec 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh @@ -3,7 +3,7 @@ # FIPS 140-3 encryption is not automatically supported in Linux VMs. # Because not all extensions are onboarded to FIPS 140-3 yet, subscriptions must register the Microsoft.Compute/OptInToFips1403Compliance feature. -# After reguster the feature, the VM must be created via Azure REST API calls to enable support for FIPS 140-3. +# After registering the feature, the VM must be created via Azure REST API calls to enable support for FIPS 140-3. # There is currently no ETA for when FIPS 140-3 encryption is natively supported, but all information can be found here: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux-fips # This script contains functions related to FIPS 140-3 compliance for Ubuntu 22.04 From f1073bc5893aabd5a58dbc023fb4983dff3c95b4 Mon Sep 17 00:00:00 2001 From: Mark Ibrahim Date: Fri, 23 Jan 2026 20:58:53 +0000 Subject: [PATCH 13/19] pass vm size into fips helper script --- vhdbuilder/packer/fips-helper.sh | 17 ++--------------- vhdbuilder/packer/vhd-scanning.sh | 11 +++++++---- 2 files changed, 9 insertions(+), 19 deletions(-) 
diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh index 70562fa1cec..8647ec717fb 100644 --- a/vhdbuilder/packer/fips-helper.sh +++ b/vhdbuilder/packer/fips-helper.sh @@ -99,22 +99,9 @@ EOF # Function to create FIPS-enabled VM using REST API create_fips_vm() { + local vm_size="$1" echo "Creating VM with FIPS 140-3 encryption using REST API..." - # Prepare VM creation parameters - local VM_SIZE="Standard_D8ds_v5" - - # shellcheck disable=SC3010 - if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then - VM_SIZE="Standard_D8pds_v5" - fi - - # GB200 specific VM options for scanning (uses standard ARM64 VM for now) - if [ "${OS_TYPE}" = "Linux" ] && grep -q "GB200" <<< "$FEATURE_FLAGS"; then - echo "GB200: Using standard ARM64 VM options for scanning" - # Additional GB200-specific VM options can be added here when GB200 SKUs are available - fi - # Build the VM request body for FIPS scenario local VM_BODY=$(build_fips_vm_body \ "$PACKER_BUILD_LOCATION" \ @@ -124,7 +111,7 @@ create_fips_vm() { "$VHD_IMAGE" \ "$SCANNING_NIC_ID" \ "$UMSI_RESOURCE_ID" \ - "$VM_SIZE") + "$vm_size") # Create the VM using REST API az rest \ diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh index 2ea29e310d5..81aa085a4b4 100755 --- a/vhdbuilder/packer/vhd-scanning.sh +++ b/vhdbuilder/packer/vhd-scanning.sh @@ -74,10 +74,12 @@ function cleanup() { trap cleanup EXIT capture_benchmark "${SCRIPT_NAME}_set_variables_and_create_scan_resource_group" -VM_OPTIONS="--size Standard_D8ds_v5" +VM_SIZE="Standard_D8ds_v5" +VM_OPTIONS="--size $VM_SIZE" # shellcheck disable=SC3010 if [[ "${ARCHITECTURE,,}" == "arm64" ]]; then - VM_OPTIONS="--size Standard_D8pds_v5" + VM_SIZE="Standard_D8pds_v5" + VM_OPTIONS="--size $VM_SIZE" fi if [ "${OS_TYPE}" = "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" = "True" ]; then 
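Review bot: `local vm_size="$1"` accepts an empty argument, so a caller that omits the size now produces a request body with an empty `vmSize` and the error surfaces only from the REST call, whereas the removed hard-coded default always had a value. Guard the parameter at the top of the function: `if [ -z "$vm_size" ]; then echo "Error: create_fips_vm requires a VM size" >&2; return 1; fi`. The function body continues past the end of this hunk.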
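Review bot: `VM_OPTIONS="--size $VM_SIZE"` is now written in both the default and the arm64 branch, and the cvm hunk later in this patch repeats the pattern, so every future size tweak has to be mirrored by hand. Assign only `VM_SIZE` in the branches and derive `VM_OPTIONS="--size $VM_SIZE"` once after the `fi`; the trusted-launch and cvm conditionals that follow append to or replace it exactly as before.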
@@ -85,8 +87,9 @@ if [ "${OS_TYPE}" = "Linux" ] && [ "${ENABLE_TRUSTED_LAUNCH}" = "True" ]; then
 fi
 if [ "${OS_TYPE}" = "Linux" ] && grep -q "cvm" <<< "$FEATURE_FLAGS"; then
+ VM_SIZE="Standard_DC8ads_v5"
 # We completely re-assign the VM_OPTIONS string here to ensure that no artifacts from earlier conditionals are included
- VM_OPTIONS="--size Standard_DC8ads_v5 --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
+ VM_OPTIONS="--size $VM_SIZE --security-type ConfidentialVM --enable-secure-boot true --enable-vtpm true --os-disk-security-encryption-type VMGuestStateOnly --specialized true"
 fi
 # GB200 specific VM options for scanning (uses standard ARM64 VM for now)
@@ -110,7 +113,7 @@ if [ "${OS_SKU}" = "Ubuntu" ] && [ "${OS_VERSION}" = "22.04" ] && [ "$(printf %s
 # Register FIPS feature and create VM using REST API
 ensure_fips_feature_registered
- create_fips_vm
+ create_fips_vm "$VM_SIZE"
 else
 echo "Creating VM using standard az vm create command..."
From 0763a82c83369809a8cb14c65637a887adea9af7 Mon Sep 17 00:00:00 2001
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 18:09:42 +0000
Subject: [PATCH 14/19] Add error handling to fail faster
---
 vhdbuilder/packer/fips-helper.sh | 32 +++++++++++++++++++++++++------
 vhdbuilder/packer/vhd-scanning.sh | 12 +++++++++---
 2 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh
index 8647ec717fb..d6717813937 100644
--- a/vhdbuilder/packer/fips-helper.sh
+++ b/vhdbuilder/packer/fips-helper.sh
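Review bot: The cvm branch now sets `VM_SIZE` to a confidential-VM SKU, but the FIPS path in the second hunk calls `create_fips_vm "$VM_SIZE"` and hands over only the size, not the `--security-type ConfidentialVM`, secure-boot, vTPM and disk-encryption settings that live in `VM_OPTIONS`. Unless `build_fips_vm_body` (outside this view) reproduces those settings in the request body, a 22.04 FIPS build with the cvm feature flag gets a DC-series VM without its confidential security profile, and nothing reports that. Either thread the security settings into the REST body or fail explicitly for that combination before the call, e.g. `if grep -q "cvm" <<< "$FEATURE_FLAGS"; then echo "Error: cvm scanning is not supported on the FIPS REST path" >&2; exit 1; fi`.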
@@ -19,6 +19,11 @@ ensure_fips_feature_registered() {
 if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then
 echo "Registering FIPS 140-3 compliance feature..."
 az feature register --namespace Microsoft.Compute --name OptInToFips1403Compliance
+ local az_register_exit_code=$?
+ if [ "$az_register_exit_code" -ne 0 ]; then
+ echo "Error: Failed to register FIPS 140-3 compliance feature (exit code: $az_register_exit_code)" >&2
+ return "$az_register_exit_code"
+ fi
 # Poll until registered (timeout after 5 minutes)
 local TIMEOUT=300
@@ -31,11 +36,12 @@ ensure_fips_feature_registered() {
 done
 if [ "$FIPS_FEATURE_STATE" != "Registered" ]; then
- echo "Warning: FIPS 140-3 feature registration timed out. Continuing anyway..."
- else
- echo "FIPS 140-3 feature registered successfully. Refreshing provider..."
- az provider register -n Microsoft.Compute
+ echo "Error: FIPS 140-3 feature registration timed out after ${TIMEOUT}s" >&2
+ return 1
 fi
+
+ echo "FIPS 140-3 feature registered successfully. Refreshing provider..."
+ az provider register -n Microsoft.Compute
 else
 echo "FIPS 140-3 compliance feature already registered"
 fi
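Review bot: The new exit-code check covers `az feature register` but not `az provider register -n Microsoft.Compute` at the end of the second hunk; as the last command in that branch its status does become the function's return value, yet it prints no diagnostic, so the `|| exit $?` at the call site would abort without saying why. Make it explicit: `az provider register -n Microsoft.Compute || { echo "Error: Microsoft.Compute provider re-registration failed" >&2; return 1; }`. A comment on the function is also warranted: registering a feature is a subscription-wide, persistent change, so the identity running the scan needs subscription-level rights for it and the effect outlives this pipeline run. The function's opening lines are outside the first hunk.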
@@ -119,7 +125,21 @@ create_fips_vm() {
 --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.Compute/virtualMachines/${SCAN_VM_NAME}?api-version=2024-11-01" \
 --body "$VM_BODY"
- # Wait for VM to be ready
+ # Check for errors in the REST API call
+ local az_rest_exit_code=$?
+ if [ "$az_rest_exit_code" -ne 0 ]; then
+ echo "Error: Failed to create VM with FIPS 140-3 encryption via REST API (exit code: $az_rest_exit_code)" >&2
+ return "$az_rest_exit_code"
+ fi
+
+ # Wait for VM to be ready (timeout after 10 minutes)
 echo "Waiting for VM to be ready..."
- az vm wait --created --name $SCAN_VM_NAME --resource-group $RESOURCE_GROUP_NAME
+ az vm wait --created --name $SCAN_VM_NAME --resource-group $RESOURCE_GROUP_NAME --timeout 600
+
+ # Check for errors in the Azure CLI wait command
+ local az_wait_exit_code=$?
+ if [ "$az_wait_exit_code" -ne 0 ]; then
+ echo "Error: Failed to await VM readiness (exit code: $az_wait_exit_code)" >&2
+ return "$az_wait_exit_code"
+ fi
 }
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index 81aa085a4b4..98fe3d4ab09 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
@@ -111,9 +111,9 @@ if [ "${OS_SKU}" = "Ubuntu" ] && [ "${OS_VERSION}" = "22.04" ] && [ "$(printf %s
 CDIR=$(dirname $FULL_PATH)
 source "$CDIR/fips-helper.sh"
- # Register FIPS feature and create VM using REST API
- ensure_fips_feature_registered
- create_fips_vm "$VM_SIZE"
+ # Register FIPS feature and create VM using REST API. Exit if any step fails.
+ ensure_fips_feature_registered || exit $?
+ create_fips_vm "$VM_SIZE" || exit $?
 else
 echo "Creating VM using standard az vm create command..."
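Review bot: The `az rest` exit code only confirms that the PUT was accepted; VM creation completes asynchronously, and if provisioning later ends in a failed state `az vm wait --created` is unlikely to return early, so the new `--timeout 600` becomes the failure path and the real error is never printed, which works against the "fail faster" goal. After the wait, read the state and fail on anything but success, e.g. `az vm show -g "$RESOURCE_GROUP_NAME" -n "$SCAN_VM_NAME" --query provisioningState -o tsv`, and quote `"$SCAN_VM_NAME"` and `"$RESOURCE_GROUP_NAME"` in the new `az vm wait` line while touching it. The function's opening lines are outside this hunk.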
@@ -127,6 +127,12 @@ else
 --os-disk-size-gb 50 \
 ${VM_OPTIONS} \
 --assign-identity "${UMSI_RESOURCE_ID}"
+
+ local az_vm_create_exit_code=$?
+ if [ $az_vm_create_exit_code -ne 0 ]; then
+ echo "Error: Failed to create VM" >&2
+ exit 1
+ fi
 fi
 capture_benchmark "${SCRIPT_NAME}_create_scan_vm"
From 1ef2126b4b79023dcd947bb0652eede9e6ef815c Mon Sep 17 00:00:00 2001
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 18:13:22 +0000
Subject: [PATCH 15/19] typo
---
 vhdbuilder/packer/vhd-scanning.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index 98fe3d4ab09..92c5a3efbbb 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
@@ -128,7 +128,7 @@ else
 ${VM_OPTIONS} \
 --assign-identity "${UMSI_RESOURCE_ID}"
- local az_vm_create_exit_code=$?
+ az_vm_create_exit_code=$?
 if [ $az_vm_create_exit_code -ne 0 ]; then
 echo "Error: Failed to create VM" >&2
 exit 1
From 46c5638788baa5ee7a117795fc4d3d7bee61f686 Mon Sep 17 00:00:00 2001
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 18:26:55 +0000
Subject: [PATCH 16/19] uppercase variable
---
 vhdbuilder/packer/vhd-scanning.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index 92c5a3efbbb..d546daf96cb 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
@@ -128,8 +128,8 @@ else
 ${VM_OPTIONS} \
 --assign-identity "${UMSI_RESOURCE_ID}"
- az_vm_create_exit_code=$?
- if [ $az_vm_create_exit_code -ne 0 ]; then
+ AZ_VM_CREATE_EXIT_CODE=$?
+ if [ $AZ_VM_CREATE_EXIT_CODE -ne 0 ]; then
 echo "Error: Failed to create VM" >&2
 exit 1
 fi
From 92cebe1d9994136ffd378b945d033540656f7be8 Mon Sep 17 00:00:00 2001
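Review bot: `exit 1` in the first hunk discards the status that the FIPS branch of the same script propagates with `|| exit $?`, and the message omits the code, so the two creation paths report failures differently. `echo "Error: Failed to create VM (exit code: $az_vm_create_exit_code)" >&2` followed by `exit "$az_vm_create_exit_code"` would make them consistent. Note also that `local` is invalid at file scope in bash, so this assignment fails as written; the two patches that follow in this series correct that.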
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 18:58:05 +0000
Subject: [PATCH 17/19] disable tracing for sensitive commands
---
 vhdbuilder/packer/fips-helper.sh | 6 +++++-
 vhdbuilder/packer/vhd-scanning.sh | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/vhdbuilder/packer/fips-helper.sh b/vhdbuilder/packer/fips-helper.sh
index d6717813937..b3b3b612fd0 100644
--- a/vhdbuilder/packer/fips-helper.sh
+++ b/vhdbuilder/packer/fips-helper.sh
@@ -108,6 +108,8 @@ create_fips_vm() {
 local vm_size="$1"
 echo "Creating VM with FIPS 140-3 encryption using REST API..."
+ # Disable tracing to prevent password from appearing in logs
+ set +x
 # Build the VM request body for FIPS scenario
 local VM_BODY=$(build_fips_vm_body \
 "$PACKER_BUILD_LOCATION" \
@@ -127,6 +129,8 @@ create_fips_vm() {
 # Check for errors in the REST API call
 local az_rest_exit_code=$?
+ # Re-enable tracing after sensitive command
+ set -x
 if [ "$az_rest_exit_code" -ne 0 ]; then
 echo "Error: Failed to create VM with FIPS 140-3 encryption via REST API (exit code: $az_rest_exit_code)" >&2
 return "$az_rest_exit_code"
@@ -136,7 +140,7 @@ create_fips_vm() {
 echo "Waiting for VM to be ready..."
 az vm wait --created --name $SCAN_VM_NAME --resource-group $RESOURCE_GROUP_NAME --timeout 600
- # Check for errors in the Azure CLI wait command
+ # Check for errors in the az wait command
 local az_wait_exit_code=$?
 if [ "$az_wait_exit_code" -ne 0 ]; then
 echo "Error: Failed to await VM readiness (exit code: $az_wait_exit_code)" >&2
diff --git a/vhdbuilder/packer/vhd-scanning.sh b/vhdbuilder/packer/vhd-scanning.sh
index d546daf96cb..8175b297f5f 100755
--- a/vhdbuilder/packer/vhd-scanning.sh
+++ b/vhdbuilder/packer/vhd-scanning.sh
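Review bot: `set -x` is re-enabled unconditionally in the second hunk, so if tracing was not already on — for instance when this helper is sourced by a script run without `-x` — the function switches tracing on for the rest of the run, which can expose other variables later. Save and restore the option instead: `local xtrace_was_on=0; case $- in *x*) xtrace_was_on=1;; esac` before `set +x`, and `[ "$xtrace_was_on" -eq 1 ] && set -x` afterwards. Note too that `set +x` only hides the trace line: the `--body "$VM_BODY"` argument just above the second hunk still places the body, password included, on the `az` process's command line, where other users of the build host can read it from the process list; `az rest --body @"$tmpfile"` with a mode-600 temporary file removed afterwards keeps it off argv. The same unconditional `set -x`, and the same argv exposure for the `az vm create` command the comment says carries the password, apply to the vhd-scanning.sh hunks on the following line.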
@@ -117,6 +117,8 @@ if [ "${OS_SKU}" = "Ubuntu" ] && [ "${OS_VERSION}" = "22.04" ] && [ "$(printf %s
 else
 echo "Creating VM using standard az vm create command..."
+ # Disable tracing to prevent password from appearing in logs
+ set +x
 # Use the standard VM creation approach for all other scenarios
 az vm create --resource-group $RESOURCE_GROUP_NAME \
 --name $SCAN_VM_NAME \
@@ -128,7 +130,10 @@ else
 ${VM_OPTIONS} \
 --assign-identity "${UMSI_RESOURCE_ID}"
+ # Check for errors in the az vm create command
 AZ_VM_CREATE_EXIT_CODE=$?
+ # Re-enable tracing after sensitive command
+ set -x
 if [ $AZ_VM_CREATE_EXIT_CODE -ne 0 ]; then
 echo "Error: Failed to create VM" >&2
 exit 1
From 860c2a1cc25b05ad398c617641378613e74f5969 Mon Sep 17 00:00:00 2001
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 22:18:09 +0000
Subject: [PATCH 18/19] Add e2e for 2204 fips
---
 e2e/config/vhd.go | 18 ++++++++++++++++++
 e2e/scenario_test.go | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)
diff --git a/e2e/config/vhd.go b/e2e/config/vhd.go
index 8e5244183fd..8afe684f4e6 100644
--- a/e2e/config/vhd.go
+++ b/e2e/config/vhd.go
@@ -64,6 +64,24 @@ var (
 Distro: datamodel.AKSUbuntuContainerd2204Gen2,
 Gallery: imageGalleryLinux,
 }
+ VHDUbuntu2204Gen2ContainerdFIPS = &Image{
+ Name: "2204gen2containerdfips",
+ OS: OSUbuntu,
+ Arch: "amd64",
+ Distro: datamodel.AKSUbuntuFipsContainerd2204Gen2,
+ Gallery: imageGalleryLinux,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
+ VHDUbuntu2204ContainerdFIPS = &Image{
+ Name: "2204containerdfips",
+ OS: OSUbuntu,
+ Arch: "amd64",
+ Distro: datamodel.AKSUbuntuFipsContainerd2204,
+ Gallery: imageGalleryLinux,
+ // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+ UnsupportedSecureTLSBootstrapping: true,
+ }
 VHDAzureLinuxV2Gen2Arm64 = &Image{
 Name: "AzureLinuxV2gen2arm64",
 OS: OSAzureLinux,
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
index 925b435329e..a1448243443 100644
--- a/e2e/scenario_test.go
+++ b/e2e/scenario_test.go
@@ -388,6 +388,48 @@ func Test_Ubuntu2204(t *testing.T) {
 })
 }
+func Test_Ubuntu2204_FIPS(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "Tests that a node using the Ubuntu 2204 FIPS VHD can be properly bootstrapped",
+ Config: Config{
+ Cluster: ClusterKubenet,
+ VHD: config.VHDUbuntu2204ContainerdFIPS,
+ BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+ // Check that we don't leak these secrets if they're
+ // set (which they mostly aren't in these scenarios).
+ nbc.ContainerService.Properties.CertificateProfile.ClientPrivateKey = "client cert private key"
+ nbc.ContainerService.Properties.ServicePrincipalProfile.Secret = "SP secret"
+ },
+ Validator: func(ctx context.Context, s *Scenario) {
+ ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
+ ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
+ ValidateSSHServiceEnabled(ctx, s)
+ },
+ },
+ })
+}
+
+func Test_Ubuntu2204_FIPS_Gen2(t *testing.T) {
+ RunScenario(t, &Scenario{
+ Description: "Tests that a node using the Ubuntu 2204 Gen2 FIPS VHD can be properly bootstrapped",
+ Config: Config{
+ Cluster: ClusterKubenet,
+ VHD: config.VHDUbuntu2204Gen2ContainerdFIPS,
+ BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+ // Check that we don't leak these secrets if they're
+ // set (which they mostly aren't in these scenarios).
+ nbc.ContainerService.Properties.CertificateProfile.ClientPrivateKey = "client cert private key"
+ nbc.ContainerService.Properties.ServicePrincipalProfile.Secret = "SP secret"
+ },
+ Validator: func(ctx context.Context, s *Scenario) {
+ ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
+ ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
+ ValidateSSHServiceEnabled(ctx, s)
+ },
+ },
+ })
+}
+
 func Test_Ubuntu2204_EntraIDSSH(t *testing.T) {
 RunScenario(t, &Scenario{
 Description: "Tests that a node using Ubuntu 2204 VHD with Entra ID SSH can be properly bootstrapped and SSH private key authentication is disabled",
From e25052fad4e9c9346eb9ccc0a94f8860c4bb48c6 Mon Sep 17 00:00:00 2001
From: Mark Ibrahim
Date: Mon, 26 Jan 2026 22:43:59 +0000
Subject: [PATCH 19/19] remove e2e
---
 e2e/config/vhd.go | 18 ------------------
 e2e/scenario_test.go | 42 ------------------------------------------
 2 files changed, 60 deletions(-)
diff --git a/e2e/config/vhd.go b/e2e/config/vhd.go
index 8afe684f4e6..8e5244183fd 100644
--- a/e2e/config/vhd.go
+++ b/e2e/config/vhd.go
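Review bot: The comment on `BootstrapConfigMutator` says the scenario checks that the injected secrets are not leaked, but the `Validator` only checks package versions and the SSH service; nothing asserts that `"client cert private key"` or `"SP secret"` is absent from the node's logs or bootstrap artifacts, unless `RunScenario` performs that check for every scenario, which this hunk cannot show. Either add that assertion to the validator or reword the comment to say the values are set only to exercise the mutator. The two functions are also identical apart from the VHD and description, so one table-driven test over the two `config.VHD…FIPS` images would remove the duplication. The following patch in this series deletes both tests again, so this applies only if they are reintroduced.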
@@ -64,24 +64,6 @@ var (
 Distro: datamodel.AKSUbuntuContainerd2204Gen2,
 Gallery: imageGalleryLinux,
 }
- VHDUbuntu2204Gen2ContainerdFIPS = &Image{
- Name: "2204gen2containerdfips",
- OS: OSUbuntu,
- Arch: "amd64",
- Distro: datamodel.AKSUbuntuFipsContainerd2204Gen2,
- Gallery: imageGalleryLinux,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
- }
- VHDUbuntu2204ContainerdFIPS = &Image{
- Name: "2204containerdfips",
- OS: OSUbuntu,
- Arch: "amd64",
- Distro: datamodel.AKSUbuntuFipsContainerd2204,
- Gallery: imageGalleryLinux,
- // Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
- UnsupportedSecureTLSBootstrapping: true,
- }
 VHDAzureLinuxV2Gen2Arm64 = &Image{
 Name: "AzureLinuxV2gen2arm64",
 OS: OSAzureLinux,
diff --git a/e2e/scenario_test.go b/e2e/scenario_test.go
index a1448243443..925b435329e 100644
--- a/e2e/scenario_test.go
+++ b/e2e/scenario_test.go
@@ -388,48 +388,6 @@ func Test_Ubuntu2204(t *testing.T) {
 })
 }
-func Test_Ubuntu2204_FIPS(t *testing.T) {
- RunScenario(t, &Scenario{
- Description: "Tests that a node using the Ubuntu 2204 FIPS VHD can be properly bootstrapped",
- Config: Config{
- Cluster: ClusterKubenet,
- VHD: config.VHDUbuntu2204ContainerdFIPS,
- BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
- // Check that we don't leak these secrets if they're
- // set (which they mostly aren't in these scenarios).
- nbc.ContainerService.Properties.CertificateProfile.ClientPrivateKey = "client cert private key"
- nbc.ContainerService.Properties.ServicePrincipalProfile.Secret = "SP secret"
- },
- Validator: func(ctx context.Context, s *Scenario) {
- ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
- ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
- ValidateSSHServiceEnabled(ctx, s)
- },
- },
- })
-}
-
-func Test_Ubuntu2204_FIPS_Gen2(t *testing.T) {
- RunScenario(t, &Scenario{
- Description: "Tests that a node using the Ubuntu 2204 Gen2 FIPS VHD can be properly bootstrapped",
- Config: Config{
- Cluster: ClusterKubenet,
- VHD: config.VHDUbuntu2204Gen2ContainerdFIPS,
- BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
- // Check that we don't leak these secrets if they're
- // set (which they mostly aren't in these scenarios).
- nbc.ContainerService.Properties.CertificateProfile.ClientPrivateKey = "client cert private key"
- nbc.ContainerService.Properties.ServicePrincipalProfile.Secret = "SP secret"
- },
- Validator: func(ctx context.Context, s *Scenario) {
- ValidateInstalledPackageVersion(ctx, s, "moby-containerd", components.GetExpectedPackageVersions("containerd", "ubuntu", "r2204")[0])
- ValidateInstalledPackageVersion(ctx, s, "moby-runc", components.GetExpectedPackageVersions("runc", "ubuntu", "r2204")[0])
- ValidateSSHServiceEnabled(ctx, s)
- },
- },
- })
-}
-
 func Test_Ubuntu2204_EntraIDSSH(t *testing.T) {
 RunScenario(t, &Scenario{
 Description: "Tests that a node using Ubuntu 2204 VHD with Entra ID SSH can be properly bootstrapped and SSH private key authentication is disabled",