[CIVIS-11019] ubuntu 22.04 fips enabled base image for linuxserver (#1)

* PR template

* remove jenkins things

* remove source list files

* remove extra files

* remove extra files

* Refactor Dockerfile to use FIPS-compliant base image

- Replace multi-stage build with gabemendoza1/cloudcode-baseimage-ubuntu-fips:jammy-22.04
- Remove Ubuntu Cloud Image extraction and Alpine stage
- Remove sources.list copy (already configured in base image)
- Add s6-overlay installation for LinuxServer.io compatibility
- Add LinuxServer.io mod scripts (docker-mods, package-install, lsiown)
- Conditionally create abc user (911:911) if not exists
- Maintain full LinuxServer.io ecosystem on FIPS foundation

🤖 Generated with [opencode](https://opencode.ai)

Co-Authored-By: opencode <[email protected]>

* cleanup docker compose

* reduce

* python

* save

* save

* optmized installs

* remove more workflows

* remove Python dependencies from Ubuntu FIPS base image

🤖 Generated with [opencode](https://opencode.ai)

Co-Authored-By: opencode <[email protected]>

* build in codebuild

* fixed buildspec

* update merge_master.yaml and release.yaml

* docker build kit

* remove echos

* set ecr image tag name and related things

* update buildspec defs

* base image name

* remove extra compose args

* simplify buildspecs

* styling

* remove .env.example

* move build policy up

* save

* /config

* /root

* simplify Dockerfile

* update placeholders

* latest

* fixed buildspec yamls

* disable chowning of /config

* fix pr template

---------

Co-authored-by: opencode <[email protected]>

Author: thatguyinabeanie

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,43 +1,38 @@
-<!--- Provide a general summary of your changes in the Title above -->
+## Description
 
-[linuxserverurl]: https://linuxserver.io
-[![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl]
+Required: Please provide a brief description of what this pull request is trying to accomplish.
 
+>
 
-<!--- Before submitting a pull request please check the following -->
+## Context, Consequences, & Considerations
 
-<!---  If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR  -->
-<!---  Ask yourself if this modification is something the whole userbase will benefit from, if this is a specific change for corner case functionality or plugins please look at making a Docker Mod or local script  https://blog.linuxserver.io/2019/09/14/customizing-our-containers/ -->
-<!---  That if the PR is addressing an existing issue include, closes #<issue number> , in the body of the PR commit message   -->
-<!---  You have included links to any files / patches etc your PR may be using in the body of the PR commit message -->
-<!--- We maintain a changelog of major revisions to the container at the end of readme-vars.yml in the root of this repository, please add your changes there if appropriate -->
+Required: Please step through the following list, pausing at each item to consider your change in relation to the item's context.
+Check the box to mark that it applies, and enter your relevant notes under the item.
 
+- [ ] Security: This has security implications. This includes (but not limited to) adding users, modifying user/app permissions, network rules/policies, changing a system interconnection, or changing an authorization strategy.
+  - [ ] This PR does not require security review. These changes are part of a project plan that has already undergone security review. The link is provided below.
+  - [ ] This PR requires security review. Add the `security` label to this PR then request a review from the [Security Code Reviewers Team](https://github.com/orgs/civisanalytics/teams/security-code-reviewers).
 
-<!--- Coding guidelines: -->
-<!--- 1. Installed packages in the Dockerfiles should be in alphabetical order -->
-<!--- 2. Changes to Dockerfile should be replicated in Dockerfile.armhf and Dockerfile.aarch64 if applicable -->
-<!--- 3. Indentation style (tabs vs 4 spaces vs 1 space) should match the rest of the document -->
-<!--- 4. Readme is auto generated from readme-vars.yml, make your changes there -->
+>
 
-------------------------------
+- [ ] Execution: This change requires commands to be run outside of the normal merge.
 
- - [ ] I have read the [contributing](https://github.com/linuxserver/docker-baseimage-ubuntu/blob/jammy/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications
+>
 
-------------------------------
+- [ ] Impact: This change may cause service interruptions.
 
-<!--- We welcome all PR’s though this doesn’t guarantee it will be accepted. -->
+>
 
-## Description:
-<!--- Describe your changes in detail -->
+- [ ] Testing: How did you test this change (unit tests, acceptance tests, etc.)? Did you do any manual testing?
 
-## Benefits of this PR and context:
-<!--- Please explain why we should accept this PR. If this fixes an outstanding bug, please reference the issue # -->
+>
 
-## How Has This Been Tested?
-<!--- Please describe in detail how you tested your changes. -->
-<!--- Include details of your testing environment, and the tests you ran to -->
-<!--- see how your change affects other areas of the code, etc. -->
+- [ ] Testing: How will you confirm this change once it's merged?
 
+>
 
-## Source / References:
-<!--- Please include any forum posts/github links relevant to the PR -->
+- [ ] Documentation: Documentation to reflect this change has been added to Confluence or Zendesk.
+
+>
+
+- [ ] **All items of the checklist have been considered and this PR description is complete.**

.github/workflows/call_issue_pr_tracker.yml

@@ -42,3 +42,4 @@ Network Trash Folder
 Temporary Items
 .apdisk
 .jenkins-external
+.env

.github/workflows/call_issues_cron.yml

@@ -1,57 +1,58 @@
 # syntax=docker/dockerfile:1
 
-FROM alpine:3 as rootfs-stage
+# ECR and base image configuration - extracted from CodeBuild environment
+ARG ECR_ACCOUNT_ID
+ARG ECR_REGION=us-east-1
+ARG BASE_IMAGE_NAME=civis-ubuntu-fips
+ARG BASE_IMAGE_TAG=22.04
+ARG ECR_URI=${ECR_ACCOUNT_ID}.dkr.ecr-fips.${ECR_REGION}.amazonaws.com/${BASE_IMAGE_NAME}:${BASE_IMAGE_TAG}
+
+FROM ${ECR_URI} as ubuntu-fips-s6
 
-# environment
 ENV REL=jammy
 ENV ARCH=amd64
 
-# install packages
-RUN \
-  apk add --no-cache \
-    bash \
-    curl \
-    tzdata \
-    xz
-
-# grab base tarball
-RUN \
-  mkdir /root-out && \
-  curl -o \
-    /rootfs.tar.gz -L \
-    https://partner-images.canonical.com/core/${REL}/current/ubuntu-${REL}-core-cloudimg-${ARCH}-root.tar.gz && \
-  tar xf \
-    /rootfs.tar.gz -C \
-    /root-out && \
-  rm -rf \
-    /root-out/var/log/*
-
-# set version for s6 overlay
 ARG S6_OVERLAY_VERSION="3.1.6.2"
 ARG S6_OVERLAY_ARCH="x86_64"
 
+# Install base development tools (no Python)
+RUN apt-get update && apt-get install -y \
+  curl \
+  tzdata \
+  build-essential \
+  libpq-dev \
+  git \
+  ca-certificates \
+  openssl \
+  xz-utils \
+  libssl-dev && \
+  # Clean up
+  rm -rf /var/lib/apt/lists/* && \
+  # Update CA certificates to ensure SSL/TLS works properly
+  update-ca-certificates
+
 # add s6 overlay
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
-RUN tar -C /root-out -Jxpf /tmp/s6-overlay-noarch.tar.xz
+RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${S6_OVERLAY_ARCH}.tar.xz /tmp
-RUN tar -C /root-out -Jxpf /tmp/s6-overlay-${S6_OVERLAY_ARCH}.tar.xz
+RUN tar -C / -Jxpf /tmp/s6-overlay-${S6_OVERLAY_ARCH}.tar.xz
 
 # add s6 optional symlinks
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-noarch.tar.xz /tmp
-RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz
+RUN tar -C / -Jxpf /tmp/s6-overlay-symlinks-noarch.tar.xz
 ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-symlinks-arch.tar.xz /tmp
-RUN tar -C /root-out -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz
+RUN tar -C / -Jxpf /tmp/s6-overlay-symlinks-arch.tar.xz
+
+FROM ubuntu-fips-s6 as linuxserver-base
 
-# Runtime stage
-FROM scratch
-COPY --from=rootfs-stage /root-out/ /
 ARG BUILD_DATE
 ARG VERSION
 ARG MODS_VERSION="v3"
 ARG PKG_INST_VERSION="v1"
 ARG LSIOWN_VERSION="v1"
+
 LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="TheLamer"
+LABEL maintainer="civisanalytics"
 
 ADD --chmod=744 "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/docker-mods.${MODS_VERSION}" "/docker-mods"
 ADD --chmod=744 "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/package-install.${PKG_INST_VERSION}" "/etc/s6-overlay/s6-rc.d/init-mods-package-install/run"
@@ -69,9 +70,6 @@ ENV HOME="/root" \
   VIRTUAL_ENV=/lsiopy \
   PATH="/lsiopy/bin:$PATH"
 
-# copy sources
-COPY sources.list /etc/apt/
-
 RUN \
   echo "**** Ripped from Ubuntu Docker Logic ****" && \
   set -xe && \
@@ -129,7 +127,8 @@ RUN \
     /app \
     /config \
     /defaults \
-    /lsiopy && \
+    /lsiopy \
+    /workspace && \
   echo "**** cleanup ****" && \
   apt-get autoremove && \
   apt-get clean && \