This repository builds FIPS 140-compliant multi-arch Docker images of the Curity Identity Server on top of Ubuntu 22.04 with the FIPS-validated OpenSSL provider enabled via Ubuntu Pro.
Images are built for both linux/amd64 and linux/arm64 and the container runs idsvr --fips-mode.
versions.yaml— list of Curity Identity Server versions to build, with their commit hash and Jenkins build numbers per arch.docker/Dockerfile— the single Dockerfile used for all versions;VERSION,COMMIT, andTARGETARCHare passed as build args.docker/first-run— first-run script copied into the image.update-multiplatform-images.sh— daily rebuild script (see below).
-
dockerwithbuildx -
awsCLI, authenticated for thecurity-idsvr-build-artifactsS3 bucket -
yq(mikefarah) andjq -
An Ubuntu Pro guest token exported as
TOKEN:export TOKEN=$(sudo pro api u.pro.attach.guest.get_guest_token.v1 | jq -r .data.attributes.guest_token)
Edit versions.yaml and append an entry with the version, commit hash, and the Jenkins build numbers for each architecture:
versions:
- version: "11.2.2"
commit: "62159c9a2f"
builds:
linux-x86: 101
linux-arm: 20The release tarballs are pulled from S3 by the script — there is no manual download step.
Since the base OS regularly receives security patches, update-multiplatform-images.sh is run daily to ensure published images contain the latest fixes.
For every entry in versions.yaml the script:
- Pulls the published image (both arches) and compares its layer hashes against a freshly-pulled
ubuntu:22.04. - If the base has changed (or
FORCE_UPDATE_VERSIONmatches the version), downloads the release tarballs from S3, extracts them into a per-version build context, and runsdocker buildx build --pull --platform linux/amd64,linux/arm64againstdocker/Dockerfile. - If
PUSH_IMAGESis set, the resulting multi-arch image is pushed to the registry.
Per-version build contexts under build-context/<version>/ ensure each buildx invocation only sees the artifacts for the version being built. Downloaded tarballs are cached under downloads/ and reused across runs; extracted contents are removed after a successful build.
| Variable | Required | Default | Description |
|---|---|---|---|
TOKEN |
yes | — | Ubuntu Pro token used to attach inside the build. |
PUSH_IMAGES |
no | (unset) | When set, the built image is pushed to the registry. Without this, multi-arch buildx output stays in the buildx cache and is not loaded into the local daemon. |
FORCE_UPDATE_VERSION |
no | (unset) | Substring match against version; forces a rebuild even if the base image hasn't changed. |
The Curity Identity Server is a Java-based product and can run in many docker setups.
The default docker image runs as a low-privilege 10001 user account (idsvr).
Customers can update this user account and apply their own image policy when required.
If you deploy with the Kubernetes runAsNonRoot security context, the image already satisfies it (UID 10001):
spec:
securityContext:
runAsNonRoot: true
containers:
- name: curity
image: custom_idsvr_fips:latestIf you need to install extra tools, overlay this image. Operations that require root should switch user temporarily:
[//]: # (todo) update the repository
FROM curity.azurecr.io/curity/idsvr-fips:11.2.2
USER root
RUN apt-get install -y curl
USER 10001:10000Copying resources, such as plugins, can be done like so:
COPY --chown=10001:10000 custom-plugin.jar /opt/idsvr/usr/share/plugins/custom-plugin-group/Pull requests are welcome. To do so, just fork this repo, and submit a pull request.
The software running in the Docker containers produced by the Dockerfiles maintained in this repository is licensed by Curity AB and others. The Docker-related files and resources maintained in this repository are licensed under the Apache 2 license.
Please visit curity.io for more information about the Curity Identity Server.
Copyright (C) 2026 Curity AB.