ansible: add Ubuntu 22.04 sharedlibs container #3371

Merged
merged 2 commits into from
Jun 12, 2023


richardlau
Member

Add an Ubuntu 22.04 based sharedlibs container, intended to eventually replace the Ubuntu 18.04 based one.

Changes compared to the Ubuntu 18.04 container:

  • Add FIPS variant for OpenSSL 3.0.
  • Add OpenSSL 3.1.
  • Dropped older versions of ICU that were used for Node.js 14.

@richardlau
Member Author

In draft while I test the new container (being done in https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/). I have a single test container, test-softlayer-ubuntu2204_sharedlibs_container-x64-1, on the Softlayer Docker host.

This started as adding a variant of OpenSSL 3.0 with FIPS enabled, and then I also added OpenSSL 3.1 and figured I'd create a new container based on Ubuntu 22.04 as we'll eventually need to replace the Ubuntu 18.04 containers.

@targos
Member

targos commented Jun 1, 2023

Just a question: since the host is still running on Ubuntu 18.04, how can we know whether Ubuntu 22.04 is able to run with the host's kernel? I tried googling this, but didn't find any answer.

@richardlau
Member Author

I don't have an answer to that either. I guess the same question applies to the Alpine containers running on it.

AFAICT from the two runs of https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/ I've had so far, the existing node-test-commit-linux-containered (the original job) sub-jobs are passing in the Ubuntu 22.04 container.

I could try updating the host OS to Ubuntu 22.04?

@richardlau richardlau force-pushed the openssl-containers branch 2 times, most recently from 8751485 to 8aad3b5 Compare June 1, 2023 12:28
@targos
Member

targos commented Jun 1, 2023

> I could try updating the host OS to Ubuntu 22.04?

Doesn't have to be done now if everything works, but we should do it soon (Ubuntu 18.04 is EoL).

@richardlau richardlau force-pushed the openssl-containers branch from 8aad3b5 to cd27edc Compare June 2, 2023 01:25
Add an Ubuntu 22.04 based sharedlibs container, intended to eventually
replace the Ubuntu 18.04 based one.

Changes compared to the Ubuntu 18.04 container:
- Add FIPS variant for OpenSSL 3.0.
- Add OpenSSL 3.1.
- Dropped older versions of ICU that were used for Node.js 14.

Upgrade the Softlayer Docker host from Ubuntu 18.04 to Ubuntu 22.04.
Rename the host from "test-softlayer-ubuntu1804_docker-x64-1" to
"test-ibm-ubuntu2204_docker-x64-1".
@richardlau richardlau force-pushed the openssl-containers branch from cd27edc to 2c2a5b6 Compare June 2, 2023 11:25
@richardlau
Member Author

richardlau commented Jun 2, 2023

parallel/test-tls-dhe fails on v18.x-staging in the Ubuntu 22.04 container:
https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/7/
with

SSL routines:tls_process_ske_dhe:dh key too small

e.g. https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/7/nodes=ubuntu2204_sharedlibs_shared_x64/console

10:01:39 not ok 2807 parallel/test-tls-dhe
10:01:39   ---
10:01:39   duration_ms: 0.550
10:01:39   severity: fail
10:01:39   exitcode: 1
10:01:39   stack: |-
10:01:39     node:assert:991
10:01:39         throw newErr;
10:01:39         ^
10:01:39     
10:01:39     AssertionError [ERR_ASSERTION]: ifError got unwanted exception: Command failed: /home/iojs/build/workspace/richardlau-node-test-commit-linux-containered/out/Release/openssl-cli s_client -connect 127.0.0.1:45863 -cipher DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
10:01:39     Can't use SSL_get_servername
10:01:39     depth=0 C = US, ST = CA, L = SF, O = Joyent, OU = Node.js, CN = agent2, emailAddress = ry@tinyclouds.org
10:01:39     verify error:num=18:self-signed certificate
10:01:39     verify return:1
10:01:39     depth=0 C = US, ST = CA, L = SF, O = Joyent, OU = Node.js, CN = agent2, emailAddress = ry@tinyclouds.org
10:01:39     verify return:1
10:01:39     40B7E174147F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:../deps/openssl/openssl/ssl/statem/statem_clnt.c:2100:
10:01:39     
10:01:39         at /home/iojs/build/workspace/richardlau-node-test-commit-linux-containered/test/common/index.js:410:12
10:01:39         at /home/iojs/build/workspace/richardlau-node-test-commit-linux-containered/test/common/index.js:447:15
10:01:39         at ChildProcess.exithandler (node:child_process:427:5)
10:01:39         at ChildProcess.exithandler (node:child_process:419:12)
10:01:39         at ChildProcess.emit (node:events:513:28)
10:01:39         at maybeClose (node:internal/child_process:1091:16)
10:01:39         at ChildProcess._handle.onexit (node:internal/child_process:302:5) {
10:01:39       generatedMessage: false,
10:01:39       code: 'ERR_ASSERTION',
10:01:39       actual: Error: Command failed: /home/iojs/build/workspace/richardlau-node-test-commit-linux-containered/out/Release/openssl-cli s_client -connect 127.0.0.1:45863 -cipher DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
10:01:39       Can't use SSL_get_servername
10:01:39       depth=0 C = US, ST = CA, L = SF, O = Joyent, OU = Node.js, CN = agent2, emailAddress = ry@tinyclouds.org
10:01:39       verify error:num=18:self-signed certificate
10:01:39       verify return:1
10:01:39       depth=0 C = US, ST = CA, L = SF, O = Joyent, OU = Node.js, CN = agent2, emailAddress = ry@tinyclouds.org
10:01:39       verify return:1
10:01:39       40B7E174147F0000:error:0A00018A:SSL routines:tls_process_ske_dhe:dh key too small:../deps/openssl/openssl/ssl/statem/statem_clnt.c:2100:
10:01:39       
10:01:39           at ChildProcess.exithandler (node:child_process:419:12)
10:01:39           at ChildProcess.emit (node:events:513:28)
10:01:39           at maybeClose (node:internal/child_process:1091:16)
10:01:39           at ChildProcess._handle.onexit (node:internal/child_process:302:5) {
10:01:39         code: 1,
10:01:39         killed: false,
10:01:39         signal: null,
10:01:39         cmd: '/home/iojs/build/workspace/richardlau-node-test-commit-linux-containered/out/Release/openssl-cli s_client -connect 127.0.0.1:45863 -cipher DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
10:01:39       },
10:01:39       expected: null,
10:01:39       operator: 'ifError'
10:01:39     }
10:01:39     
10:01:39     Node.js v18.16.1-pre
10:01:39   ...

This looks like nodejs/node#48192 so we'd need that merged before switching node-test-commit-linux-containered over to the Ubuntu 22.04 containers. The test is not failing for v16.x-staging -- most likely due to some new feature/test not being backported to it.

@richardlau
Member Author

richardlau commented Jun 2, 2023

Test runs with Ubuntu 22.04 container:

| branch | job | notes |
| --- | --- | --- |
| main | https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/10/ | |
| v20.x-staging | https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/9/ | |
| v18.x-staging | https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/7/ | Requires nodejs/node#48192 to be backported |
| v16.x-staging | https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/11/ | |

New tests:

  • OpenSSL 3.1 -- requires test: adapt tests for OpenSSL 3.1 node#47859 (currently on main but no release staging branch).
  • OpenSSL 3.0 FIPS has 54 failures. Will open an issue to track. Node.js 16 has a lot more failures -- suspect missing backports for FIPS and not worth doing with Node.js 16 in maintenance (i.e. skip for Node.js 16).

@richardlau richardlau marked this pull request as ready for review June 8, 2023 17:03
@richardlau
Member Author

This is ready for review. We can't swap node-test-commit-linux-containered over to the new containers for the existing jobs until nodejs/node#48192 lands on v18.x-staging but that's all independent of these Ansible changes anyway.

The new OpenSSL 3.1 testing requires nodejs/node#47859 (test fixes) on all release lines, or VersionSelector changes to exclude running it on older releases.

OpenSSL 3.0 FIPS testing won't be added until nodejs/node#48379 is resolved.

Member

@mhdawson mhdawson left a comment

LGTM

@richardlau richardlau merged commit 4c23513 into nodejs:main Jun 12, 2023
@richardlau richardlau deleted the openssl-containers branch June 12, 2023 11:57