Skip to content

Commit

Permalink
ansible: add Ubuntu 22.04 sharedlibs container
Browse files Browse the repository at this point in the history
Add an Ubuntu 22.04 based sharedlibs container, intended to eventually
replace the Ubuntu 18.04 based one.

Changes compared to the Ubuntu 18.04 container:
- Add FIPS variant for OpenSSL 3.0.
- Add OpenSSL 3.1.
- Dropped older versions of ICU that were used for Node.js 14.
  • Loading branch information
richardlau committed May 31, 2023
1 parent 50f8b32 commit 784d0f1
Showing 1 changed file with 137 additions and 0 deletions.
137 changes: 137 additions & 0 deletions ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,137 @@
FROM ubuntu:22.04

ENV LC_ALL C
ENV USER {{ server_user }}
ENV JOBS {{ server_jobs | default(ansible_processor_vcpus) }}
ENV SHELL /bin/bash
ENV HOME /home/{{ server_user }}
ENV PATH /usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV NODE_COMMON_PIPE /home/{{ server_user }}/test.pipe
ENV NODE_TEST_DIR /home/{{ server_user }}/tmp
ENV OSTYPE linux-gnu
ENV OSVARIANT docker
ENV DESTCPU {{ arch }}
ENV ARCH {{ arch }}
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update && apt-get install apt-utils -y && \
apt-get dist-upgrade -y && apt-get install -y \
ccache \
g++ \
gcc \
git \
openjdk-17-jre-headless \
pkg-config \
curl \
python3-pip \
python-is-python3 \
libfontconfig1 \
libtool \
automake

RUN pip3 install tap2junit=={{ tap2junit_version }}

RUN addgroup --gid {{ server_user_gid.stdout_lines[0] }} {{ server_user }}

RUN adduser --gid {{ server_user_gid.stdout_lines[0] }} --uid {{ server_user_uid.stdout_lines[0] }} --disabled-password --gecos {{ server_user }} {{ server_user }}

ENV ICU69DIR=/opt/icu-69.1 \
ICU71DIR=/opt/icu-71.1

RUN for ICU_ENV in $(env | grep ICU..DIR); do \
ICU_PREFIX=$(echo $ICU_ENV | cut -d '=' -f 2) && \
ICU_VERSION=$(echo $ICU_PREFIX | cut -d '-' -f 2) && \
ICU_MAJOR=$(echo $ICU_VERSION | cut -d '.' -f 1) && \
ICU_MINOR=$(echo $ICU_VERSION | cut -d '.' -f 2) && \
mkdir -p /tmp/icu-$ICU_VERSION && \
cd /tmp/icu-$ICU_VERSION && \
curl -sL "https://github.com/unicode-org/icu/releases/download/release-$ICU_MAJOR-$ICU_MINOR/icu4c-${ICU_MAJOR}_$ICU_MINOR-src.tgz" | tar zxv --strip=1 && \
cd source && \
./runConfigureICU Linux --prefix=$ICU_PREFIX && \
make -j $JOBS && \
make install && \
rm -rf /tmp/icu-$ICU_VERSION; \
done

ENV OPENSSL111VER 1.1.1u
ENV OPENSSL111DIR /opt/openssl-$OPENSSL111VER

RUN mkdir -p /tmp/openssl_$OPENSSL111VER && \
cd /tmp/openssl_$OPENSSL111VER && \
curl -sL https://www.openssl.org/source/openssl-$OPENSSL111VER.tar.gz | tar zxv --strip=1 && \
./config --prefix=$OPENSSL111DIR && \
make -j $JOBS && \
make install && \
rm -rf /tmp/openssl_$OPENSSL111VER

# OpenSSL FIPS validation occurs post-release, and not for every version.
# See https://www.openssl.org/docs/fips.html and the version documented in the
# certificate and security policy.
ENV OPENSSL30FIPSVER 3.0.8
ENV OPENSSL30FIPSDIR /opt/openssl-$OPENSSL30FIPSVER-fips

RUN mkdir -p /tmp/openssl-$OPENSSL30FIPSVER && \
cd /tmp/openssl-$OPENSSL30FIPSVER && \
curl -sL https://www.openssl.org/source/openssl-$OPENSSL30FIPSVER.tar.gz | tar zxv --strip=1 && \
./config --prefix=$OPENSSL30FIPSDIR enable-fips && \
make -j $JOBS && \
make install && \
rm -rf /tmp/openssl-$OPENSSL30FIPSVER
# Install the FIPS provider. Update OpenSSL config file to enable FIPS.
RUN LD_LIBRARY_PATH=$OPENSSL30FIPSDIR/lib64 $OPENSSL30FIPSDIR/bin/openssl fipsinstall \
-module $OPENSSL30FIPSDIR/lib64/ossl-modules/fips.so -provider_name fips \
-out $OPENSSL30FIPSDIR/ssl/fipsmodule.cnf && \
sed -i -r '/^providers = provider_sect/a alg_section = evp_properties' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
sed -i -r 's/^# (fips = fips_sect)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
sed -i -r "s|^# (.include fipsmodule.cnf)|.include $OPENSSL30FIPSDIR\/ssl\/fipsmodule.cnf|g" $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
echo "\n"\
"[evp_properties]\n"\
"default_properties = \"fips=yes\"\n"\
>> $OPENSSL30FIPSDIR/ssl/openssl.cnf

ENV OPENSSL30VER 3.0.8+quic
ENV OPENSSL30DIR /opt/openssl-$OPENSSL30VER

RUN mkdir -p /tmp/openssl-$OPENSSL30VER && \
cd /tmp/openssl-$OPENSSL30VER && \
git clone https://github.com/quictls/openssl.git -b openssl-$OPENSSL30VER --depth 1 && \
cd openssl && \
./config --prefix=$OPENSSL30DIR && \
make -j $JOBS && \
make install && \
rm -rf /tmp/openssl-$OPENSSL30VER

ENV OPENSSL31VER 3.1.1
ENV OPENSSL31DIR /opt/openssl-$OPENSSL31VER

RUN mkdir -p /tmp/openssl-$OPENSSL31VER && \
cd /tmp/openssl-$OPENSSL31VER && \
curl -sL https://www.openssl.org/source/openssl-$OPENSSL31VER.tar.gz | tar zxv --strip=1 && \
./config --prefix=$OPENSSL31DIR && \
make -j $JOBS && \
make install && \
rm -rf /tmp/openssl-$OPENSSL31VER

ENV ZLIBVER 1.2.13
ENV ZLIB12DIR /opt/zlib_$ZLIBVER

RUN mkdir -p /tmp/zlib_$ZLIBVER && \
cd /tmp/zlib_$ZLIBVER && \
curl -sL https://zlib.net/fossils/zlib-$ZLIBVER.tar.gz | tar zxv --strip=1 && \
./configure --prefix=$ZLIB12DIR && \
make -j $JOBS && \
make install && \
rm -rf /tmp/zlib_$ZLIBVER

VOLUME /home/{{ server_user }}/ /home/{{ server_user }}/.ccache

USER iojs:iojs

ENV CCACHE_TEMPDIR /home/iojs/.ccache/{{ item.name }}

CMD cd /home/iojs \
&& curl https://ci.nodejs.org/jnlpJars/agent.jar -O \
&& java -Xmx{{ server_ram|default('128m') }} \
-jar /home/{{ server_user }}/agent.jar \
-jnlpUrl {{ jenkins_url }}/computer/{{ item.name }}/jenkins-agent.jnlp \
-secret {{ item.secret }}

0 comments on commit 784d0f1

Please sign in to comment.