ansible: add Ubuntu 22.04 sharedlibs container
Add an Ubuntu 22.04-based sharedlibs container, intended to eventually replace the Ubuntu 18.04-based one. Changes compared to the Ubuntu 18.04 container: - Add a FIPS variant of OpenSSL 3.0. - Add OpenSSL 3.1. - Drop the older ICU versions that were only needed for Node.js 14.
1 parent
50f8b32
commit 784d0f1
Showing
1 changed file
with
137 additions
and
0 deletions.
137 changes: 137 additions & 0 deletions
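--- /dev/null
+++ b/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2
@@ -0,0 +1,137 @@
+FROM ubuntu:22.04
+
+ENV LC_ALL C
+ENV USER {{ server_user }}
+ENV JOBS {{ server_jobs | default(ansible_processor_vcpus) }}
+ENV SHELL /bin/bash
+ENV HOME /home/{{ server_user }}
+ENV PATH /usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV NODE_COMMON_PIPE /home/{{ server_user }}/test.pipe
+ENV NODE_TEST_DIR /home/{{ server_user }}/tmp
+ENV OSTYPE linux-gnu
+ENV OSVARIANT docker
+ENV DESTCPU {{ arch }}
+ENV ARCH {{ arch }}
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install apt-utils -y && \
+apt-get dist-upgrade -y && apt-get install -y \
+ccache \
+g++ \
+gcc \
+git \
+openjdk-17-jre-headless \
+pkg-config \
+curl \
+python3-pip \
+python-is-python3 \
+libfontconfig1 \
+libtool \
+automake
+
+RUN pip3 install tap2junit=={{ tap2junit_version }}
+
+RUN addgroup --gid {{ server_user_gid.stdout_lines[0] }} {{ server_user }}
+
+RUN adduser --gid {{ server_user_gid.stdout_lines[0] }} --uid {{ server_user_uid.stdout_lines[0] }} --disabled-password --gecos {{ server_user }} {{ server_user }}
+
+ENV ICU69DIR=/opt/icu-69.1 \
+ICU71DIR=/opt/icu-71.1
+
+RUN for ICU_ENV in $(env | grep ICU..DIR); do \
+ICU_PREFIX=$(echo $ICU_ENV | cut -d '=' -f 2) && \
+ICU_VERSION=$(echo $ICU_PREFIX | cut -d '-' -f 2) && \
+ICU_MAJOR=$(echo $ICU_VERSION | cut -d '.' -f 1) && \
+ICU_MINOR=$(echo $ICU_VERSION | cut -d '.' -f 2) && \
+mkdir -p /tmp/icu-$ICU_VERSION && \
+cd /tmp/icu-$ICU_VERSION && \
+curl -sL "https://github.com/unicode-org/icu/releases/download/release-$ICU_MAJOR-$ICU_MINOR/icu4c-${ICU_MAJOR}_$ICU_MINOR-src.tgz" | tar zxv --strip=1 && \
+cd source && \
+./runConfigureICU Linux --prefix=$ICU_PREFIX && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/icu-$ICU_VERSION; \
+done
+
+ENV OPENSSL111VER 1.1.1u
+ENV OPENSSL111DIR /opt/openssl-$OPENSSL111VER
+
+RUN mkdir -p /tmp/openssl_$OPENSSL111VER && \
+cd /tmp/openssl_$OPENSSL111VER && \
+curl -sL https://www.openssl.org/source/openssl-$OPENSSL111VER.tar.gz | tar zxv --strip=1 && \
+./config --prefix=$OPENSSL111DIR && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/openssl_$OPENSSL111VER
+
+# OpenSSL FIPS validation occurs post-release, and not for every version.
+# See https://www.openssl.org/docs/fips.html and the version documented in the
+# certificate and security policy.
+ENV OPENSSL30FIPSVER 3.0.8
+ENV OPENSSL30FIPSDIR /opt/openssl-$OPENSSL30FIPSVER-fips
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30FIPSVER && \
+cd /tmp/openssl-$OPENSSL30FIPSVER && \
+curl -sL https://www.openssl.org/source/openssl-$OPENSSL30FIPSVER.tar.gz | tar zxv --strip=1 && \
+./config --prefix=$OPENSSL30FIPSDIR enable-fips && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/openssl-$OPENSSL30FIPSVER
+# Install the FIPS provider. Update OpenSSL config file to enable FIPS.
+RUN LD_LIBRARY_PATH=$OPENSSL30FIPSDIR/lib64 $OPENSSL30FIPSDIR/bin/openssl fipsinstall \
+-module $OPENSSL30FIPSDIR/lib64/ossl-modules/fips.so -provider_name fips \
+-out $OPENSSL30FIPSDIR/ssl/fipsmodule.cnf && \
+sed -i -r '/^providers = provider_sect/a alg_section = evp_properties' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+sed -i -r 's/^# (fips = fips_sect)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+sed -i -r "s|^# (.include fipsmodule.cnf)|.include $OPENSSL30FIPSDIR\/ssl\/fipsmodule.cnf|g" $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+echo "\n"\
+"[evp_properties]\n"\
+"default_properties = \"fips=yes\"\n"\
+>> $OPENSSL30FIPSDIR/ssl/openssl.cnf
+
+ENV OPENSSL30VER 3.0.8+quic
+ENV OPENSSL30DIR /opt/openssl-$OPENSSL30VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30VER && \
+cd /tmp/openssl-$OPENSSL30VER && \
+git clone https://github.com/quictls/openssl.git -b openssl-$OPENSSL30VER --depth 1 && \
+cd openssl && \
+./config --prefix=$OPENSSL30DIR && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/openssl-$OPENSSL30VER
+
+ENV OPENSSL31VER 3.1.1
+ENV OPENSSL31DIR /opt/openssl-$OPENSSL31VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL31VER && \
+cd /tmp/openssl-$OPENSSL31VER && \
+curl -sL https://www.openssl.org/source/openssl-$OPENSSL31VER.tar.gz | tar zxv --strip=1 && \
+./config --prefix=$OPENSSL31DIR && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/openssl-$OPENSSL31VER
+
+ENV ZLIBVER 1.2.13
+ENV ZLIB12DIR /opt/zlib_$ZLIBVER
+
+RUN mkdir -p /tmp/zlib_$ZLIBVER && \
+cd /tmp/zlib_$ZLIBVER && \
+curl -sL https://zlib.net/fossils/zlib-$ZLIBVER.tar.gz | tar zxv --strip=1 && \
+./configure --prefix=$ZLIB12DIR && \
+make -j $JOBS && \
+make install && \
+rm -rf /tmp/zlib_$ZLIBVER
+
+VOLUME /home/{{ server_user }}/ /home/{{ server_user }}/.ccache
+
+USER iojs:iojs
+
+ENV CCACHE_TEMPDIR /home/iojs/.ccache/{{ item.name }}
+
+CMD cd /home/iojs \
+&& curl https://ci.nodejs.org/jnlpJars/agent.jar -O \
+&& java -Xmx{{ server_ram|default('128m') }} \
+-jar /home/{{ server_user }}/agent.jar \
+-jnlpUrl {{ jenkins_url }}/computer/{{ item.name }}/jenkins-agent.jnlp \
+-secret {{ item.secret }}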
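Review bot: Every third-party source archive in this file (the ICU tarballs, OpenSSL 1.1.1u, 3.0.8 and 3.1.1, zlib 1.2.13) is fetched with `curl -sL … | tar zxv --strip=1` and no checksum or signature verification, and the FIPS provider that `openssl fipsinstall` then installs is built from one of those unverified trees, so a substituted or tampered download is compiled straight into the image without any error. Download to a file and verify a pinned SHA-256 before extracting, e.g. `curl -fsSL -o openssl.tar.gz https://www.openssl.org/source/openssl-$OPENSSL30FIPSVER.tar.gz && echo "$OPENSSL30FIPSVER_SHA256  openssl.tar.gz" | sha256sum -c - && tar xzf openssl.tar.gz --strip=1`, with the expected digest declared next to each `*VER` variable (`-f` also makes curl fail on an HTTP error instead of piping the error body to tar); the quictls `git clone -b openssl-$OPENSSL30VER` should likewise be pinned to a commit, since a tag can be moved. Separately, the final `CMD` interpolates `{{ item.secret }}` into the image configuration, where `docker inspect` and `docker history` expose the Jenkins agent secret to anyone who can pull the image; supplying it at `docker run` time (an environment variable or a mounted file the command reads, e.g. `-secret "$JENKINS_SECRET"`) keeps it out of the image. The `agent.jar` fetched on every container start is also unverified beyond the HTTPS transport, so at minimum add `-f` there as well.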