FROM registry.access.redhat.com/ubi9/ubi:latest

SHELL ["/bin/bash", "-c"]

ARG DEBIAN_FRONTEND="noninteractive"

ARG GO_VERSION=1.24.3 # Latest stable version for Coder 2.20.3

ARG NODE_VERSION=20.19.0 # Latest LTS version

ARG NVM_DIR=/usr/local/nvm

RUN dnf update -y && \

dnf install -y \

bash \

bash-completion \

bind-utils \

ca-certificates \

cmake \

crypto-policies \

crypto-policies-scripts \

curl \

dnsutils \

file \

findutils \

fipscheck \

git \

gnupg \

graphviz \

htop \

iproute \

iputils \

jq \

less \

lsof \

make \

man \

net-tools \

openssh-server \

openssl \

openssl-fips \

pkg-config \

python3 \

python3-pip \

rsync \

screen \

strace \

sudo \

tmux \

traceroute \

unzip \

util-linux \

vim \

wget \

which \

zip \

zsh && \

dnf clean all && \

# Configure FIPS-compliant policies - explicitly set FIPS mode

update-crypto-policies --set FIPS && \

# Verify FIPS mode is active

update-crypto-policies --show

RUN curl --silent --show-error --location \

"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \

-o /usr/local/go.tar.gz && \

# Verify Go checksum to ensure FIPS compliance

echo "$(curl -s https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256) /usr/local/go.tar.gz" | sha256sum --check && \

mkdir -p /usr/local/go && \

tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1

ENV PATH=$PATH:/usr/local/go/bin

RUN dnf install -y dnf-plugins-core && \

dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo && \

dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \

systemctl enable docker

RUN wget -O /tmp/terraform.zip "https://releases.hashicorp.com/terraform/1.11.5/terraform_1.11.5_linux_amd64.zip" && \

wget -O /tmp/terraform_SHA256SUMS "https://releases.hashicorp.com/terraform/1.11.5/terraform_1.11.5_SHA256SUMS" && \

grep linux_amd64 /tmp/terraform_SHA256SUMS | sha256sum --check --status && \

unzip /tmp/terraform.zip -d /usr/local/bin && \

rm -f /tmp/terraform.zip /tmp/terraform_SHA256SUMS && \

chmod +x /usr/local/bin/terraform && \

terraform version

RUN mkdir -p $NVM_DIR && \

# Download NVM with verification

curl -o nvm_install.sh https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.8/install.sh && \

echo "$(curl -s https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.8/install.sh | sha256sum | cut -d ' ' -f1) nvm_install.sh" | sha256sum --check && \

bash nvm_install.sh && \

# Install Node using NVM with FIPS-compatible settings

source $NVM_DIR/nvm.sh && \

# Force Node to use OpenSSL FIPS

export NODE_OPTIONS="--openssl-config=/etc/crypto-policies/back-ends/openssl.config" && \

nvm install $NODE_VERSION && \

nvm use $NODE_VERSION && \

nvm alias default $NODE_VERSION && \

# Verify that Node.js will use FIPS compliant crypto

node -e "console.log('FIPS mode:', process.versions.openssl)"

ENV PATH=$NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH

RUN npm install -g [email protected] && \

npm install -g [email protected]

RUN dnf install -y 'dnf-command(config-manager)' && \

dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo && \

dnf install -y gh

RUN systemctl enable \

docker \

ssh

RUN useradd coder \

--create-home \

--shell=/bin/bash \

--groups=wheel \

--uid=1000 \

--user-group && \

echo "coder ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder && \

chmod 0440 /etc/sudoers.d/coder

RUN groupadd -f docker && \

usermod -aG docker coder

RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \

echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \

echo "X11UseLocalhost no" >>/etc/ssh/sshd_config

ENV GOPATH="/home/coder/go"

ENV PATH="$GOPATH/bin:$PATH"

ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"

ENV OPENSSL_FORCE_FIPS_MODE=1

ENV NODE_OPTIONS="--max-old-space-size=8192 --openssl-config=/etc/crypto-policies/back-ends/openssl.config"

ENV PYTHONHTTPSVERIFY=1

USER coder

WORKDIR /home/coder

This template creates a Red Hat Enterprise Linux (RHEL) compatible development environment using the [envbuilder](https://github.com/coder/envbuilder) tool. It's based on the Red Hat Universal Base Image (UBI 9) which provides a RHEL-compatible environment that meets Federal Information Processing Standards (FIPS) requirements for high-security enterprise environments. This template is optimized for Coder v2.20.3.

- Built on Red Hat Universal Base Image (UBI 9)

- Compatible with Coder v2.20.3

- FIPS 140-2/140-3 compliant security configuration

- Validated cryptographic modules and libraries

- FIPS-enforced OpenSSL, Node.js, and Python configurations

- SELinux enabled in enforcing mode for security compliance

- Latest development toolchain with:

- Go 1.24.3 (FIPS-validated)

- Node.js 20.19.0 (LTS, FIPS-configured)

- Terraform 1.11.5

- Docker with latest components

- Integration with updated Coder modules for IDE support and productivity

- Systemd service management for proper service initialization

- Verified checksums for all downloaded software components

- Enforces the use of FIPS 140-2/140-3 validated cryptographic modules

- Restricts cryptographic algorithms to NIST-approved algorithms

- Configures OpenSSL in FIPS mode with proper validation

- Forces Node.js to use FIPS-compliant OpenSSL configuration

- Verifies integrity of all downloaded packages with SHA-256 checksums

- Maintains SELinux in enforcing mode for system integrity

1. Create a new workspace using this template

2. The template will build a Red Hat compatible container using the devcontainer.json

3. Connect to your workspace with your preferred IDE (VS Code, JetBrains Gateway)

The startup script runs your `~/personalize` file if it exists, allowing you to customize your environment further.

Your home directory under `/home/coder` is persisted as a Docker volume, preserving your settings between workspace restarts.

- **Devcontainer Repository**: Git repository containing the devcontainer.json

- **Devcontainer Directory**: Directory within the repository containing the devcontainer.json

- **Region**: Geographic region for hosting your workspace

- FIPS 140-2/140-3 compliance fully enabled and enforced

- Cryptographic module validation at startup

- SELinux set to enforcing mode for mandatory access control

- SHA-256 checksum verification for all downloads

- Restricted cryptographic algorithms to NIST-approved only

- Red Hat security updates and vulnerability patching

- Enterprise-grade security policies with proper audit logging

This template is specifically designed for environments with Red Hat Enterprise Linux requirements, providing a compatible development environment that meets enterprise security and compliance standards while still enabling modern development workflows.

- Some tools may require additional configuration to work with SELinux enabled

- If you encounter permissions issues, you may need to adjust SELinux contexts

For troubleshooting or questions, please reach out to the DevOps team or the template maintainer.

{

"name": "Red Hat Development Environment",

"build": {

"dockerfile": "Dockerfile"

},

"features": {},

"runArgs": ["--cap-add=SYS_PTRACE"]

}