# SPDX-License-Identifier: MIT

#     Copyright (c) 2024 SUSE LLC

# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon.

# The content of THIS FILE IS AUTOGENERATED and should not be manually modified.
# It is maintained by the BCI team and generated by
# https://github.com/SUSE/BCI-dockerfile-generator

# Please submit bugfixes or comments via https://bugs.opensuse.org/
# You can contact the BCI team via https://github.com/SUSE/bci/discussions

# Build-service directives: the `#!` comment lines below are not Dockerfile
# instructions; they are read by the build service that produces this image.
# They restrict the build to x86_64 (matching the x86_64 RPMs copied further
# down) and name the tags the image is built under.
# NOTE(review): one of the tags is `latest`, which moves with every rebuild.
# Consumers that need a reproducible FIPS baseline should reference the
# %OS_VERSION_ID_SP%.%RELEASE% tag (or an image digest) instead.
#!UseOBSRepositories
#!ExclusiveArch: x86_64
#!BuildTag: suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%
#!BuildTag: suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%
#!BuildTag: suse/ltss/sle15.4/bci-base-fips:latest
#!BuildName: suse-ltss-sle15.4-bci-base-fips-%OS_VERSION_ID_SP%
#!BuildVersion: 15.4
# Base image is referenced by tag only (no digest). With UseOBSRepositories it
# is presumably resolved from the build project's own repositories rather than
# a public registry -- confirm before building this file outside that service.
FROM suse/ltss/sle15.4/sle15:15.4

# Install the LTSS release package and the tools used by the later build steps
# (update-crypto-policies is called further down), then drop the zypper caches
# and the package-manager logs in the same layer so they do not persist in the
# image. `pipefail` and the brace expansion require /bin/sh to be bash.
RUN set -euo pipefail; \
    zypper --non-interactive install --no-recommends \
        coreutils \
        crypto-policies-scripts \
        sles-ltss-release; \
    zypper --non-interactive clean; \
    rm -rf {/target,}/var/log/{alternatives.log,lastlog,tallylog,zypper.log,zypp/history,YaST2}

# Image metadata.
# Values written as %NAME% (%OS_VERSION_ID_SP%, %RELEASE%, %BUILDTIME%,
# %SOURCEURL%, %DISTURL%) are placeholders that are expected to be filled in
# at build time; they are not literal label values.
# NOTE(review): the `labelprefix` / `endlabelprefix` comment markers are
# presumably consumed by the build tooling to re-emit the enclosed labels
# under the com.suse.sle.base-fips prefix (see the wiki page linked below), so
# the one-LABEL-per-line layout between them is kept as is -- confirm before
# reformatting this section.
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.sle.base-fips
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE LTSS BCI 15 SP4 FIPS-140-3"
LABEL org.opencontainers.image.description="15 SP4 FIPS-140-3 container based on the SLE LTSS Base Container Image."
LABEL org.opencontainers.image.version="%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/long-term-service-pack-support/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.source="%SOURCEURL%"
LABEL org.opencontainers.image.ref.name="%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.opensuse.reference="registry.suse.com/suse/ltss/sle15.4/bci-base-fips:%OS_VERSION_ID_SP%.%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.supportlevel.until="2026-12-31"
LABEL com.suse.eula="sle-eula"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle#suse-linux-enterprise-server-15"
LABEL com.suse.release-stage="released"
# endlabelprefix
LABEL io.artifacthub.package.readme-url="%SOURCEURL%/README.md"
# The usage label is advisory only: nothing in this Dockerfile checks at run
# time that the host kernel was booted with fips=1. Deployments that depend on
# FIPS mode should verify the host state themselves.
LABEL usage="This container should only be used on a FIPS enabled host (fips=1 on kernel cmdline)."
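# FIPS crypto libraries: five RPMs with fixed versions (openssl-1_1 1.1.1l and
# libgcrypt20 1.9.4, each with its -hmac companion) are named in the
# #!RemoteAssetUrl directives and copied into the image.
# NOTE(review): no digest is pinned for these downloads in this file, so the
# signature check in the RUN step below is the integrity control for them.
# NOTE(review): COPY targets "." and therefore depends on the working
# directory inherited from the base image -- confirm it is the intended one.
# NOTE(review): the header says this file is generated, so any change made
# here also has to be made in the generator.
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/openssl-1_1-1.1.1l-150400.7.28.1.x86_64.rpm
COPY openssl-1_1-1.1.1l-150400.7.28.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/libopenssl1_1-1.1.1l-150400.7.28.1.x86_64.rpm
COPY libopenssl1_1-1.1.1l-150400.7.28.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/openssl-1_1.28168/libopenssl1_1-hmac-1.1.1l-150400.7.28.1.x86_64.rpm
COPY libopenssl1_1-hmac-1.1.1l-150400.7.28.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/libgcrypt.28151/libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm
COPY libgcrypt20-1.9.4-150400.6.8.1.x86_64.rpm .
#!RemoteAssetUrl: https://api.opensuse.org/public/build/SUSE:SLE-15-SP4:Update/pool/x86_64/libgcrypt.28151/libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm
COPY libgcrypt20-hmac-1.9.4-150400.6.8.1.x86_64.rpm .
# Verify, install and pin the copied packages in one step:
#  1. Collect the RPMs once (./*.rpm) and require exactly five of them, so the
#     set that is verified is the same set that is installed and removed.
#     Previously the check used `*rpm`, the install used `*.rpm`, and only the
#     number of good signatures was counted, not the number of files.
#  2. `rpm --checksig -v` must report one signature line per file that starts
#     with "V3" (after indentation) and ends in "key ID 39db7c82: OK".
#     LC_ALL=C keeps the output in the form the pattern expects. The key is
#     matched by its 8-hex-digit short ID only, so the check is as trustworthy
#     as the rpm keyring inherited from the base image.
#  3. --oldpackage --force lets rpm replace newer installed builds with these
#     versions; `zypper addlock` then locks every installed package whose name
#     matches openssl or libgcrypt. Those packages will therefore not move on
#     later zypper updates in derived images -- security fixes for them reach
#     the image only through a rebuild with new pinned RPMs.
# If any test in the && chain fails, the chain is the last command of the
# script, so RUN exits non-zero and the build stops. The array syntax needs
# /bin/sh to be bash, which `set -o pipefail` here already assumes.
RUN set -euo pipefail; \
    rpms=(./*.rpm); \
    [ "${#rpms[@]}" -eq 5 ] \
    && [ "$(LC_ALL=C rpm --checksig -v "${rpms[@]}" | \
        grep -c -E "^ *V3.*key ID 39db7c82: OK")" -eq "${#rpms[@]}" ] \
    && rpm -Uvh --oldpackage --force "${rpms[@]}" \
    && rm -vf "${rpms[@]}" \
    && rpmqpack | grep -E '(openssl|libgcrypt)' | xargs zypper -n addlock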
# Select the FIPS system-wide crypto policy. --no-reload is passed because
# this runs during the image build rather than on a live system.
RUN set -euo pipefail; \
    update-crypto-policies --set FIPS --no-reload

# Ask each crypto library for FIPS mode through its environment switch (as the
# variable names indicate: GnuTLS, libgcrypt, libica, NSS, OpenSSL).
# These are defaults, not an enforcement boundary: anything that starts the
# container or a process inside it can override or unset them, and the usage
# label in this file still expects a host booted with fips=1.
ENV GNUTLS_FORCE_FIPS_MODE=1 \
    LIBGCRYPT_FORCE_FIPS_MODE=1 \
    LIBICA_FIPS_FLAG=1 \
    NSS_FIPS=1 \
    OPENSSL_FIPS=1 \
    OPENSSL_FORCE_FIPS_MODE=1
