Apache Airflow version

3.1.2

If "Other Airflow 2/3 version" selected, which one?

No response

What happened?

With FIPS mode enabled, apt update may not be called successfully, as the image was originally built without FIPS enabled.

What you think should happen instead?

The image should be built with FIPS turned on to begin with, so that when extending airflow base image with additional dependencies, the Fatal error: requiested algo not in md context error does not appear during an apt-get update.

How to reproduce

Turn FIPS mode on. Descend from any image after bullseye, when the exception allowing md5 verification with FIPS enabled was removed.

FROM apache/airflow:latest

USER root
RUN apt-get update

Operating System

Redhat 9.6

Versions of Apache Airflow Providers

Not relevant

Deployment

Other 3rd-party Helm chart

Deployment details

Not relevant -- just need to enable FIPS during your base image build. I have a pretty beefy machine that is crapping out on the Dockerfile.ci build during lto-wrapper (link time optimization) with args:

AIRFLOW_PYTHON_VERSION: 3.13.9
BASE_IMAGE: debian:bookworm-slim
# and the current commit hash from docker.io

So I've had to modify the build to disable link time optimization during python compilation. If you could break up the "install_os_dependencies.sh" script into layers so that the build can at least ratchet forward, that would make getting something in place more straightforward.

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct