CLIP OS 5: Beta release
Timothée Ravier, Thibaut Sautereau
Agence nationale de la sécurité des systèmes d’information (ANSSI)
10 & 11 December 2019, Paris Open Source Summit
About the ANSSI
◮ Agence nationale de la sécurité des systèmes d’information
◮ French authority in the area of cyberdefence, network and information security
◮ Provides its expertise and technical assistance to government departments and businesses and plays an enhanced role in supporting operators of vital importance.
ANSSI CLIP OS 5: Beta release 2/37
CLIP OS?
◮ Linux distribution developed by the ANSSI
◮ Initially only available internally
◮ Now open source, mostly under the LGPL v2.1+
◮ Code and issue tracker hosted on GitHub [1][2]:
◮ Version 4: available as reference and for upstream patch contribution
◮ Version 5: currently developed version, beta released in December 2019
[1] https://github.com/CLIPOS
[2] https://github.com/CLIPOS-Archive
CLIP OS?
Not yet another Linux distribution
◮ Not a generic/multi-purpose distribution
Targets three main use cases
◮ Mobile office workstation
◮ Remote administration workstation
◮ IPsec gateway
Hardened OS
◮ Based on Gentoo Hardened
◮ Hardened Linux kernel and confined services
◮ No interactive root account available:
⇒ "Unprivileged" admin, audit and update roles
◮ Automatic updates using A/B partition model (similar to Android 7+)
◮ Multilevel security:
◮ Provide two isolated user environments
◮ Controlled interactions between isolated environments
5.0 Alpha features & security
5.0 Alpha: Initial features
◮ Functional core (boot to command line shell)
◮ Strict split between:
  ◮ Read Only: system executables, configuration and data
  ◮ Read Write: runtime configuration, logs, user and application data
◮ Initial boot chain integrity:
  ◮ Secure Boot (bootloader, initramfs, Linux kernel and its command line)
  ◮ Read-only system partition protected by DM-Verity
◮ Initial hardware support: QEMU/KVM virtual machine
5.0 Beta features & security
5.0 Beta features & security / TPM 2.0 Support
TPM 2.0 Support
Goal:
◮ Transparent (no user interaction) encryption of the writable system state partition
TPM 2.0 Support
Implementation:
◮ Complements existing Secure Boot support and Boot Chain Integrity
TPM 2.0 Support
◮ Seal the encryption key and provide it at boot time if the machine is in a known-good state:
  ◮ Rely on PCR 7: records the measure of the Secure Boot state
  ◮ Expected Secure Boot state ⇒ we booted a trusted EFI binary (kernel + initramfs + cmdline)
TPM 2.0 Support
◮ Using other PCRs is easy (e.g. PCR 0 to measure firmware integrity), but requires some care to handle updates
◮ Use Intel’s implementation of the TPM2 Software Stack, from the initramfs: tpm2-tss library via tpm2-tools binaries (may change)
5.0 Beta features & security / Update support
Update model
Goals:
◮ Client side:
  ◮ safe: applied while the system is online and in use
  ◮ in-background: happen transparently to the user
  ◮ atomic: list only valid options during boot
  ◮ rollback: temporary fallback to a working version
◮ Server side:
  ◮ client identification and version reporting
  ◮ update channels
Threats:
◮ Compromised update server
◮ Active man-in-the-middle attacker
◮ Active local attacker
Update support: Client
[Diagram: EFI system partition with the bootloader and the EFI binaries for versions X and Y; LVM with Core RO version X, Core RO version Y and Core state RW]
CLIP OS system layout:
◮ UEFI boot only, following the Boot Loader Specification
◮ A/B partition setup using Logical Volumes for system Read-Only partitions (for example: Core)
◮ Single partition setup for stateful partitions
Update support: Client
[Diagram: EFI system partition with the bootloader and the EFI binaries for versions N and N + 1; LVM with Core version N, Core version N + 1 and Core state (the build-up shows the layout going from versions N and N - 1, to N alone, to N and N + 1)]
Implementation:
◮ Download the latest Core partition and EFI binary from the update server
◮ Verify download integrity
◮ Remove the EFI binary associated with the previous and soon unavailable version
◮ Install the Core partition in the currently unused Logical Volume or create a new one if only one exists
◮ Install the EFI binary with a name following the Boot Loader Specification
◮ Reboot the system to automatically boot the new version
Update support: Server
Initial version:
◮ Static files served over HTTPS
◮ Versioned directory layout
https://update.clip-os.org/
+-- dist
|   +-- 5.0.0-alpha.2
|       +-- clipos-core, clipos-core.sig
|       +-- clipos-efiboot, clipos-efiboot.sig
+-- update
    +-- v1
        +-- clipos
            +-- version
Planned:
◮ Client statistics and version reporting
◮ Channel support
Update support: Security
Implemented:
◮ Client in Rust
◮ HTTPS with TLS 1.2+ only
◮ Root CA pinning
◮ Payload signatures using minisign
◮ Runtime rollback resistance (payload version stored with signature)
Unaddressed issues:
◮ Offline rollback resistance
◮ Update signing key compromise
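The client-side steps of the "Update support: Client" slide and the runtime rollback check of this slide, as an added example in Rust (the language of the real client); this is not the CLIP OS updater's code. The in-memory layout, the LV names core_a/core_b, the Boot Loader Specification entry names clipos-<version>.efi and a minisign trusted comment of the form version:<v> are constructed assumptions, and the cryptographic check of the minisign signature is assumed to have already passed.

```rust
// Added example (not the CLIP OS updater): the client-side A/B update steps
// from the slides over an in-memory layout, plus the runtime rollback check
// on the version carried in the minisign trusted comment.  Constructed
// assumptions: LV names "core_a"/"core_b", BLS entry names
// "clipos-<version>.efi", a trusted comment of the form "version:<v>".
use std::collections::BTreeMap;

/// Version key: (major, minor, patch, is_final, pre_tag, pre_num), so that
/// "5.0.0-alpha.2" < "5.0.0-beta.1" < "5.0.0".  None if unparsable.
fn version_key(v: &str) -> Option<(u32, u32, u32, u8, String, u32)> {
    let (nums, pre) = v.split_once('-').map_or((v, None), |(n, p)| (n, Some(p)));
    let mut it = nums.split('.').map(|x| x.parse::<u32>().ok());
    let (maj, min, pat) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    match pre {
        None => Some((maj, min, pat, 1, String::new(), 0)),
        Some(p) => {
            let (tag, num) = p.split_once('.')?;
            Some((maj, min, pat, 0, tag.to_string(), num.parse::<u32>().ok()?))
        }
    }
}

/// Runtime rollback resistance: the payload version is read from the
/// trusted comment of the minisign .sig file (covered by minisign's global
/// signature, whose cryptographic check is assumed to have passed already)
/// and accepted only if it is newer than the running version.
fn accept_payload(sig_file: &str, running: &str) -> Result<String, String> {
    let line = sig_file.lines().find(|l| l.starts_with("trusted comment:"))
        .ok_or("no trusted comment in signature file")?;
    let version = line.split("version:").nth(1)
        .ok_or("no version in trusted comment")?.trim().to_string();
    let new = version_key(&version).ok_or("unparsable payload version")?;
    let cur = version_key(running).ok_or("unparsable running version")?;
    if new > cur { Ok(version) } else {
        Err(format!("rollback refused: {} is not newer than {}", version, running))
    }
}

#[derive(Debug, Default)]
struct Layout {
    /// EFI system partition: BLS entry name -> version it boots.
    efi: BTreeMap<String, String>,
    /// LVM: logical volume name -> Core version installed in it.
    core: BTreeMap<String, String>,
}

/// The client-side steps from the slides, run while `running` is in use,
/// after the download of `new` has been verified.
fn apply_update(l: &mut Layout, running: &str, new: &str) {
    // Remove the EFI binary of the previous, soon unavailable version.
    l.efi.retain(|_, v| v.as_str() == running);
    // Install Core in the unused LV, or create one if only one exists.
    let unused = l.core.iter().find(|(_, v)| v.as_str() != running).map(|(k, _)| k.clone());
    let lv = unused.unwrap_or_else(|| {
        (if l.core.contains_key("core_a") { "core_b" } else { "core_a" }).to_string()
    });
    l.core.insert(lv, new.to_string());
    // Install the EFI binary under a Boot Loader Specification name.
    l.efi.insert(format!("clipos-{}.efi", new), new.to_string());
}

/// After reboot the bootloader picks the newest BLS entry, which is why
/// the new version boots automatically (assumed bootloader behaviour).
fn default_boot(l: &Layout) -> Option<String> {
    l.efi.values().max_by_key(|v| version_key(v)).cloned()
}

fn main() {
    let mut l = Layout::default();
    for v in ["5.0.0-alpha.1", "5.0.0-alpha.2"] {
        l.efi.insert(format!("clipos-{}.efi", v), v.to_string());
    }
    l.core.insert("core_a".into(), "5.0.0-alpha.1".into());
    l.core.insert("core_b".into(), "5.0.0-alpha.2".into());
    // Constructed .sig file; a real one also carries the base64 signature lines.
    let sig = "untrusted comment: clipos-core\ntrusted comment: version:5.0.0-beta.1\n";
    match accept_payload(sig, "5.0.0-alpha.2") {
        Ok(v) => apply_update(&mut l, "5.0.0-alpha.2", &v),
        Err(e) => eprintln!("{}", e),
    }
    println!("{:?}\nnext boot: {:?}", l, default_boot(&l));
}
```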
Update support: Planned improvements
◮ Reduce client privileges (unprivileged network processing, etc.)
◮ Incremental updates using casync
◮ Bootloader update
◮ Free disk space checks
5.0 Beta features & security / IPsec support
IPsec support
◮ Isolation using network namespaces
  ◮ IPsec access using XFRM interfaces (similar to Wireguard)
[Diagram: network namespaces; labels: Physical interface, Updater, openssh, IPsec only, NAT, Core, Application, "Clear text", Encrypted, XFRM interface, Virtual interface]
IPsec support
◮ Latest strongSwan release (5.8.1):
  ◮ Strict compile time configuration
  ◮ Strict default strongSwan configuration
  ◮ Confined unprivileged strongSwan daemon
◮ IPsec DR conformity in progress:
  ◮ All available compile time and runtime configuration changes applied
  ◮ All items requiring code changes and code review postponed to 5.0 stable
◮ IPsec aware nftables based firewalling:
  ◮ Currently static rules generated at install time
  ◮ Dynamically generated / template based rules postponed to 5.0 stable
5.0 Beta features & security / Linux kernel maintenance
linux-hardened
◮ Set of hardening patches initially maintained by Daniel Micay, many of them extracted from grsecurity/PaX
◮ Now maintained internally, in collaboration with Arch Linux
◮ Tends to shrink due to upstreamization, but some features regularly require time-consuming adaptations
◮ ASLR improvements, memory sanitizing, slab cookies, a bit more __ro_after_init, etc.
Patches merged upstream
Former out-of-tree patch sets merged and maintained in CLIP OS but now available upstream:
◮ Lockdown (in v5.4, as an LSM)
◮ STACKLEAK (since v4.20)
Running a recent kernel
Pros:
◮ Quickly benefit from new features
  ◮ Kernel hardening (e.g. init_on_free, STRUCTLEAK_BYREF_ALL)
  ◮ Security mechanisms (e.g. dm_verity, nf_tables)
◮ Receive more stable backports, especially security fixes
◮ Constant but easier (and less error-prone) work to keep in sync
  ◮ As opposed to CLIP OS v4: massive work required once upon a time to jump from one LTS to another
Cons:
◮ "Stable" kernels are far from being stable (but neither are LTS ones)
  ◮ We uncover bugs, either in new features or due to uncompromising combinations and configurations that nobody seems to use nor test
  ◮ Several bugs reported to upstream, as well as missing backports
5.0 Beta features & security / Other features
Other features
◮ Virtual testbed using Vagrant:
  ◮ Includes test support for updates and IPsec
◮ Initial admin & audit roles (available over SSH)
◮ X260 hardware profile
◮ etc.
Project infrastructure
Project infrastructure / Code review (Gerrit)
Code review (Gerrit)
Gerrit:
◮ Powerful, Git-based, code review web application
◮ Deployed at: review.clip-os.org
Project infrastructure / Continuous Integration (GitLab CI)
Continuous Integration (GitLab CI)
Why GitLab?
◮ Lots of features (Git LFS, container registry, artifact storage, etc.)
◮ Compatible with offline development environment requirements (DR/CD)
◮ Gerrit deployment now optional
◮ Good documentation, lots of high profile users
◮ GitLab CI integration
Why GitLab CI?
◮ Jobs described with simple YAML file & (Bash) scripts
◮ Container based:
  ◮ mostly Docker for now
  ◮ podman support in GitLab 12.6 (expected on 2019-12-22)
◮ Scheduler / worker split
Continuous Integration (GitLab CI)
Public CI with GitLab.com (gitlab.com/CLIPOS/ci):
◮ Weekly "from scratch" builds
  ◮ Build Debian based work container
  ◮ Build everything else from scratch
  ◮ Takes approximately 2 hours 20 min
◮ Daily "incremental" builds
  ◮ Re-use container image
  ◮ Re-use SDKs from latest successful build
  ◮ Re-use binary packages from latest successful build
  ◮ Takes approximately 35 min
◮ Build results (artifacts) available at files.clip-os.org
◮ Now very easy to try the latest version of CLIP OS in QEMU: docs.clip-os.org/toolkit/quick-try.html
5.0 stable: Roadmap
Roadmap: 5.0 stable
◮ Confined user environments (GUI)
◮ Multilevel support (Vserver-like LSM)
◮ Automated installation using PXE
◮ Fix all remaining issues required for qualification
Conclusion
CLIP OS 5 Beta:
◮ All the building blocks to create an IPsec gateway are now available
  ◮ IPsec DR compatibility in progress, planned for final 5.0
◮ All the building blocks to create a server are now available
  ◮ Update, IPsec client, remote administration over SSH, etc.
Focus is now on user environments (GUI) and multi-level support:
◮ Use case 1: Mobile office workstation
◮ Use case 2: Remote administration workstation
Thanks!
Website: clip-os.org
Docs: docs.clip-os.org
Sources: github.com/CLIPOS
Bugs: github.com/CLIPOS/bugs