#!ExclusiveArch: x86_64
# SPDX-License-Identifier: MIT
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%
#!BuildTag: suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%
#!BuildVersion: 15.3
# Base image is referenced by tag only; no digest is pinned on this page.
# NOTE(review): in a build-service build the base is presumably resolved from
# the project's configured repositories rather than a public registry - confirm.
FROM suse/sle15:15.3

# NOTE(review): MAINTAINER is deprecated in the Dockerfile reference (hadolint
# DL4000); a LABEL is the current equivalent. Left unchanged here.
MAINTAINER SUSE LLC (https://www.suse.com/)

# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.bci.base-fips
LABEL org.opencontainers.image.title="SLE LTSS BCI 15 SP3 FIPS-140-2"
LABEL org.opencontainers.image.description="15 SP3 FIPS-140-2 container based on the SLE LTSS Base Container Image."
LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.source="%SOURCEURL%"
LABEL org.opensuse.reference="registry.suse.com/suse/ltss/sle15.3/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="sle-eula"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle#suse-linux-enterprise-server-15"
LABEL com.suse.image-type="sle-bci"
LABEL com.suse.release-stage="released"
# endlabelprefix
# The usage label is informational only: nothing in this file checks at build
# or run time that the host kernel was booted with fips=1. The file does set
# OPENSSL_FORCE_FIPS_MODE=1 further down, which is independent of the host.
LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."

# Install fipscheck without recommended extras, then clean zypper's caches and
# empty /var/log in the same layer so neither ends up in the image.
# NOTE(review): `set -o pipefail` assumes the image's /bin/sh supports it - confirm.
RUN set -euo pipefail; \
    zypper --non-interactive install --no-recommends fipscheck; \
    zypper --non-interactive clean; \
    rm -rf /var/log/*
# Five RPMs are copied into the image's current directory. The RemoteAssetUrl
# directives name where each file comes from: the SLE-15-SP2 update pool for
# openssl-1_1 and the SLE-15-SP1 update pool for libgcrypt, i.e. builds from
# older service packs than the 15.3 base.
# The directives on this page carry no checksum, so the integrity of these
# files rests on the rpm signature check in the RUN step that follows.
# NOTE(review): the -hmac packages presumably ship the integrity checksums for
# the matching libraries - confirm.
# NOTE(review): unless the build squashes layers, the RPM files stay in these
# COPY layers even though a later step deletes them.
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/openssl-1_1-1.1.1d-11.20.1.x86_64.rpm
COPY openssl-1_1-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm
COPY libopenssl1_1-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP2:Update/pool/x86_64/openssl-1_1.18804/libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm
COPY libopenssl1_1-hmac-1.1.1d-11.20.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-1.8.2-8.36.1.x86_64.rpm
COPY libgcrypt20-1.8.2-8.36.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP1:Update/pool/x86_64/libgcrypt.15117/libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm
COPY libgcrypt20-hmac-1.8.2-8.36.1.x86_64.rpm .
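# Verify, install and pin the copied crypto RPMs.
#  1. rpm --checksig runs over exactly the files that get installed (*.rpm).
#     Its output is captured in an assignment so that `set -e` aborts the build
#     when rpm reports a failure for any file; counting OK lines alone would
#     not notice an extra package that fails verification.
#  2. Exactly five lines starting with `V3` (not the `Header V3` lines) must
#     report key ID 39db7c82 as OK, i.e. all five expected assets are present.
#     NOTE(review): only the short key ID is matched; which key that is depends
#     on the keys already trusted in the base image's rpm database.
#  3. --oldpackage lets rpm replace newer installed builds with these older ones.
#  4. The RPM files are deleted from the working directory afterwards.
#  5. Every installed package whose name matches openssl or libgcrypt gets a
#     zypper lock, so later zypper runs in this image or in derived images will
#     not change these packages, updates included.
RUN set -euo pipefail; \
    sigs="$(LC_ALL=C rpm --checksig -v *.rpm)"; \
    [ "$(echo "$sigs" | grep -c -E "^ *V3.*key ID 39db7c82: OK")" = 5 ] \
    && rpm -Uvh --oldpackage *.rpm \
    && rm -vf *.rpm \
    && rpmqpack | grep -E '(openssl|libgcrypt)' | xargs zypper -n addlock
# Set for every process in this image and in images derived from it.
# NOTE(review): presumably read by the OpenSSL build installed above to turn on
# FIPS mode regardless of the host kernel's fips= setting - confirm.
ENV OPENSSL_FORCE_FIPS_MODE=1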
