Revert "Remove unused FIPS build boxes (#26859)"
This reverts commit fafa16a.
Showing
3 changed files
with
219 additions
and
2 deletions.
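--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,187 @@
+# This Dockerfile makes the FIPS "build box": the container used to build official
+# FIPS releases of Teleport and its documentation.
+
+
+FROM ubuntu:18.04 as boringssl
+# The below tools are required in order to build and compile the module:
+# Clang compiler version 7.0.1
+# Go programming language version 1.12.7
+# Ninja build system version 1.9.0
+#
+# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
+# For more information please refer to the section 12. Guidance and Secure Operation of:
+# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
+
+RUN apt-get update -y --fix-missing && \
+apt-get -q -y upgrade && \
+apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
+apt-get install -q -y --no-install-recommends \
+build-essential \
+cmake \
+git \
+tar \
+xz-utils \
+unzip \
+zip \
+&& \
+apt-get -y clean && \
+rm -rf /var/lib/apt/lists/*
+
+
+RUN mkdir -p /opt && cd /opt && \
+curl -sLO https://releases.llvm.org/7.0.1/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
+echo "e74ce06d99ed9ce42898e22d2a966f71ae785bdf4edbded93e628d696858921a" "clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz" | sha256sum --check && \
+tar xJf clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz && \
+rm -f clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04.tar.xz
+ENV PATH="/opt/clang+llvm-7.0.1-x86_64-linux-gnu-ubuntu-18.04/bin:$PATH"
+
+
+RUN mkdir -p /opt && cd /opt && \
+curl -sLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
+echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
+tar xf go1.12.7.linux-amd64.tar.gz && \
+rm -f go1.12.7.linux-amd64.tar.gz && \
+chmod a+w /opt/go && \
+chmod a+w /var/lib && \
+chmod a-w /
+ENV GOPATH="/go" \
+GOROOT="/opt/go" \
+PATH="$PATH:/opt/go/bin:/go/bin"
+
+RUN mkdir -p /opt && cd /opt && \
+curl -sLO https://github.com/ninja-build/ninja/releases/download/v1.9.0/ninja-linux.zip && \
+echo "1b1235f2b0b4df55ac6d80bbe681ea3639c9d2c505c7ff2159a3daf63d196305" "ninja-linux.zip" | sha256sum --check && \
+unzip ninja-linux.zip && \
+rm -f ninja-linux.zip && \
+mv /opt/ninja /usr/bin
+
+RUN mkdir -p /opt && cd /opt && \
+git clone https://github.com/google/boringssl.git && \
+cd boringssl && \
+git checkout ae223d6138807a13006342edfeef32e813246b39 && \
+mkdir build && \
+cd build && \
+cmake -DFIPS=1 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -GNinja .. && \
+ninja
+
+
+# Use Ubuntu 18.04 as base to get an older glibc version.
+# Using a newer base image will build against a newer glibc, which creates a
+# runtime requirement for the host to have newer glibc too. For example,
+# teleport built on any newer Ubuntu version will not run on Centos 7 because
+# of this.
+FROM ubuntu:18.04
+
+COPY locale.gen /etc/locale.gen
+COPY profile /etc/profile
+
+ENV LANGUAGE="en_US.UTF-8" \
+LANG="en_US.UTF-8" \
+LC_ALL="en_US.UTF-8" \
+LC_CTYPE="en_US.UTF-8" \
+DEBIAN_FRONTEND="noninteractive"
+
+RUN apt-get update -y --fix-missing && \
+apt-get -q -y upgrade && \
+apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
+apt-get install -q -y --no-install-recommends \
+clang-10 \
+clang-format-10 \
+gcc \
+git \
+gzip \
+libc6-dev \
+libelf-dev \
+libpam-dev \
+libsqlite3-0 \
+llvm-10 \
+locales \
+make \
+net-tools \
+openssh-client \
+pkg-config \
+tar \
+tree \
+unzip \
+zip \
+zlib1g-dev \
+&& \
+dpkg-reconfigure locales && \
+apt-get -y clean && \
+rm -rf /var/lib/apt/lists/*
+
+ARG UID
+ARG GID
+RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
+mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
+
+# Install etcd.
+RUN (curl -L https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
+cp etcd-v3.3.9-linux-amd64/etcd* /bin/)
+
+# Install Go.
+ARG GOLANG_VERSION
+RUN mkdir -p /opt && cd /opt && curl https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
+mkdir -p /go/src/github.com/gravitational/teleport && \
+chmod a+w /go && \
+chmod a+w /var/lib && \
+chmod a-w /
+ENV GOEXPERIMENT=boringcrypto \
+GOPATH="/go" \
+GOROOT="/opt/go" \
+PATH="$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
+
+ARG BUILDARCH
+
+# Install Nodejs
+ARG NODE_VERSION
+ENV NODE_PATH="/usr/local/lib/nodejs-linux"
+ENV PATH="$PATH:${NODE_PATH}/bin"
+RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
+export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
+mkdir -p ${NODE_PATH} && \
+curl -o /tmp/nodejs.tar.xz -L ${NODE_URL} && \
+tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
+RUN corepack enable yarn
+
+# Install libbpf
+ARG LIBBPF_VERSION
+RUN mkdir -p /opt && cd /opt && \
+curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
+cd /opt/libbpf-${LIBBPF_VERSION}/src && \
+make && \
+make install
+
+# Install PAM module and policies for testing.
+COPY pam/ /opt/pam_teleport/
+RUN make -C /opt/pam_teleport install
+
+ARG RUST_VERSION
+ENV RUSTUP_HOME=/usr/local/rustup \
+CARGO_HOME=/usr/local/cargo \
+PATH=/usr/local/cargo/bin:$PATH \
+RUST_VERSION=$RUST_VERSION
+
+RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
+mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
+
+# Install Rust using the ci user, as that is the user that
+# will run builds using the Rust toolchains we install here.
+USER ci
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
+rustup --version && \
+cargo --version && \
+rustc --version && \
+rustup component add rustfmt clippy && \
+rustup target add aarch64-unknown-linux-gnu
+
+# Copy BoringSSL into the final image
+COPY --from=boringssl /opt/boringssl /opt/boringssl
+
+# set boring-rs crate env variables to point to pre-built binaries
+# https://github.com/cloudflare/boring#support-for-pre-built-binaries
+ENV BORING_BSSL_PATH=/opt/boringssl
+ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
+
+VOLUME ["/go/src/github.com/gravitational/teleport"]
+EXPOSE 6600 2379 2380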
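Review bot: The `# Install etcd.` step in the final stage pipes `curl -L` straight into `tar -xz` with neither `-f` nor an integrity check, so nothing verifies what gets copied into `/bin/` on the box that builds official FIPS releases; the Go tarball (`curl https://storage.googleapis.com/golang/... | tar xz`), the Node tarball written to `/tmp/nodejs.tar.xz`, the libbpf archive and the `https://sh.rustup.rs | sh` step have the same gap. The `boringssl` stage already shows the pattern to reuse — download to a file, `echo "<sha256>" "<file>" | sha256sum --check`, then extract — and `curl -fsSL` makes an HTTP error fail the build instead of feeding an error body to tar. For the rustup step, pin a specific rustup-init release and verify its checksum rather than piping the live installer into `sh`. The checksum in the sketch below is a placeholder; the real value has to be taken from the upstream release and pinned in the Dockerfile.
```dockerfile
# Install etcd.
RUN curl -fsSLO https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz && \
    echo "<SHA256-OF-etcd-v3.3.9-linux-amd64.tar.gz: placeholder, not on page>" "etcd-v3.3.9-linux-amd64.tar.gz" | sha256sum --check && \
    tar -xzf etcd-v3.3.9-linux-amd64.tar.gz && \
    cp etcd-v3.3.9-linux-amd64/etcd* /bin/ && \
    rm -rf etcd-v3.3.9-linux-amd64 etcd-v3.3.9-linux-amd64.tar.gz
# … unchanged: Go, Node, libbpf and rustup steps (apply the same download / verify / extract pattern) …
```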