From 896cbe1ebc10f177d9c0e113f951fcc1a2c08813 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Wed, 31 May 2023 23:44:37 +0100 Subject: [PATCH 1/2] ansible: add Ubuntu 22.04 sharedlibs container Add an Ubuntu 22.04 based sharedlibs container, intended to eventually replace the Ubuntu 18.04 based one. Changes compared to the Ubuntu 18.04 container: - Add FIPS variant for OpenSSL 3.0. - Add OpenSSL 3.1. - Dropped older versions of ICU that were used for Node.js 14. --- .../ubuntu2204_sharedlibs.Dockerfile.j2 | 136 ++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2 diff --git a/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2 b/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2 new file mode 100644 index 000000000..d878a0b78 --- /dev/null +++ b/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2 
@@ -0,0 +1,136 @@
+FROM ubuntu:22.04
+
+ENV LC_ALL C
+ENV USER {{ server_user }}
+ENV JOBS {{ server_jobs | default(ansible_processor_vcpus) }}
+ENV SHELL /bin/bash
+ENV HOME /home/{{ server_user }}
+ENV PATH /usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV NODE_COMMON_PIPE /home/{{ server_user }}/test.pipe
+ENV NODE_TEST_DIR /home/{{ server_user }}/tmp
+ENV OSTYPE linux-gnu
+ENV OSVARIANT docker
+ENV DESTCPU {{ arch }}
+ENV ARCH {{ arch }}
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install apt-utils -y && \
+ apt-get dist-upgrade -y && apt-get install -y \
+ ccache \
+ g++ \
+ gcc \
+ git \
+ openjdk-17-jre-headless \
+ pkg-config \
+ curl \
+ python3-pip \
+ python-is-python3 \
+ libfontconfig1 \
+ libtool \
+ automake
+
+RUN pip3 install tap2junit=={{ tap2junit_version }}
+
+RUN addgroup --gid {{ server_user_gid.stdout_lines[0] }} {{ server_user }}
+
+RUN adduser --gid {{ server_user_gid.stdout_lines[0] }} --uid {{ server_user_uid.stdout_lines[0] }} --disabled-password --gecos {{ server_user }} {{ server_user }}
+
+ENV ICU68DIR=/opt/icu-68.1 \
+ ICU69DIR=/opt/icu-69.1 \
+ ICU71DIR=/opt/icu-71.1
+
+RUN for ICU_ENV in $(env | grep ICU..DIR); do \
+ ICU_PREFIX=$(echo $ICU_ENV | cut -d '=' -f 2) && \
+ ICU_VERSION=$(echo $ICU_PREFIX | cut -d '-' -f 2) && \
+ ICU_MAJOR=$(echo $ICU_VERSION | cut -d '.' -f 1) && \
+ ICU_MINOR=$(echo $ICU_VERSION | cut -d '.' -f 2) && \
+ mkdir -p /tmp/icu-$ICU_VERSION && \
+ cd /tmp/icu-$ICU_VERSION && \
+ curl -sL "https://github.com/unicode-org/icu/releases/download/release-$ICU_MAJOR-$ICU_MINOR/icu4c-${ICU_MAJOR}_$ICU_MINOR-src.tgz" | tar zxv --strip=1 && \
+ cd source && \
+ ./runConfigureICU Linux --prefix=$ICU_PREFIX && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/icu-$ICU_VERSION; \
+ done
+
+ENV OPENSSL111VER 1.1.1u
+ENV OPENSSL111DIR /opt/openssl-$OPENSSL111VER
+
+RUN mkdir -p /tmp/openssl_$OPENSSL111VER && \
+ cd /tmp/openssl_$OPENSSL111VER && \
+ curl -sL https://www.openssl.org/source/openssl-$OPENSSL111VER.tar.gz | tar zxv --strip=1 && \
+ ./config --prefix=$OPENSSL111DIR && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/openssl_$OPENSSL111VER
+
+# OpenSSL FIPS validation occurs post-release, and not for every version.
+# See https://www.openssl.org/docs/fips.html and the version documented in the
+# certificate and security policy.
+ENV OPENSSL30FIPSVER 3.0.8
+ENV OPENSSL30FIPSDIR /opt/openssl-$OPENSSL30FIPSVER-fips
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30FIPSVER && \
+ cd /tmp/openssl-$OPENSSL30FIPSVER && \
+ curl -sL https://www.openssl.org/source/openssl-$OPENSSL30FIPSVER.tar.gz | tar zxv --strip=1 && \
+ ./config --prefix=$OPENSSL30FIPSDIR enable-fips && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/openssl-$OPENSSL30FIPSVER
+# Install the FIPS provider. Update OpenSSL config file to enable FIPS.
+RUN LD_LIBRARY_PATH=$OPENSSL30FIPSDIR/lib64 $OPENSSL30FIPSDIR/bin/openssl fipsinstall \
+ -module $OPENSSL30FIPSDIR/lib64/ossl-modules/fips.so -provider_name fips \
+ -out $OPENSSL30FIPSDIR/ssl/fipsmodule.cnf && \
+ sed -i -r "s|^# (.include fipsmodule.cnf)|.include $OPENSSL30FIPSDIR\/ssl\/fipsmodule.cnf|g" $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+ sed -i -r '/^providers = provider_sect/a alg_section = evp_properties' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+ sed -i -r 's/^# (fips = fips_sect)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+ sed -i -r 's/^# (activate = 1)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+ echo "\n[evp_properties]\ndefault_properties = \"fips=yes\"\n" >> $OPENSSL30FIPSDIR/ssl/openssl.cnf
+
+ENV OPENSSL30VER 3.0.8+quic
+ENV OPENSSL30DIR /opt/openssl-$OPENSSL30VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30VER && \
+ cd /tmp/openssl-$OPENSSL30VER && \
+ git clone https://github.com/quictls/openssl.git -b openssl-$OPENSSL30VER --depth 1 && \
+ cd openssl && \
+ ./config --prefix=$OPENSSL30DIR && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/openssl-$OPENSSL30VER
+
+ENV OPENSSL31VER 3.1.1
+ENV OPENSSL31DIR /opt/openssl-$OPENSSL31VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL31VER && \
+ cd /tmp/openssl-$OPENSSL31VER && \
+ curl -sL https://www.openssl.org/source/openssl-$OPENSSL31VER.tar.gz | tar zxv --strip=1 && \
+ ./config --prefix=$OPENSSL31DIR && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/openssl-$OPENSSL31VER
+
+ENV ZLIBVER 1.2.13
+ENV ZLIB12DIR /opt/zlib_$ZLIBVER
+
+RUN mkdir -p /tmp/zlib_$ZLIBVER && \
+ cd /tmp/zlib_$ZLIBVER && \
+ curl -sL https://zlib.net/fossils/zlib-$ZLIBVER.tar.gz | tar zxv --strip=1 && \
+ ./configure --prefix=$ZLIB12DIR && \
+ make -j $JOBS && \
+ make install && \
+ rm -rf /tmp/zlib_$ZLIBVER
+
+VOLUME /home/{{ server_user }}/ /home/{{ server_user }}/.ccache
+
+USER iojs:iojs
+
+ENV CCACHE_TEMPDIR /home/iojs/.ccache/{{ item.name }}
+
+CMD cd /home/iojs \
+ && curl
https://ci.nodejs.org/jnlpJars/agent.jar -O \ + && java -Xmx{{ server_ram|default('128m') }} \ + -jar /home/{{ server_user }}/agent.jar \ + -jnlpUrl {{ jenkins_url }}/computer/{{ item.name }}/jenkins-agent.jnlp \ + -secret {{ item.secret }} From 2c2a5b6da7055fcc9cb0259dd0c3a0f1ab493300 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Fri, 2 Jun 2023 02:22:57 +0100 Subject: [PATCH 2/2] ansible: upgrade softlayer Docker host Upgrade the Softlayer Docker host from Ubuntu 18.04 to Ubuntu 22.04. Rename the host from "test-softlayer-ubuntu1804_docker-x64-1" to "test-ibm-ubuntu2204_docker-x64-1". --- ansible/inventory.yml | 2 +- .../docker/tasks/partials/repo/ubuntu2204.yml | 18 ++++++++++++++++++ ansible/roles/docker/vars/main.yml | 5 ++++- 3 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/docker/tasks/partials/repo/ubuntu2204.yml diff --git a/ansible/inventory.yml b/ansible/inventory.yml index a378c2935..8a740f5c6 100644 --- a/ansible/inventory.yml +++ b/ansible/inventory.yml @@ -179,6 +179,7 @@ hosts: rhel8-x64-3: {ip: 52.117.26.13, build_test_v8: yes} ubuntu1804-x64-1: {ip: 52.117.26.14, alias: jenkins-workspace-6} ubuntu1804-x64-2: {ip: 50.97.245.9} + ubuntu2204_docker-x64-1: {ip: 52.117.26.9} - equinix_mnx: smartos18-x64-3: {ip: 147.28.162.102} @@ -343,4 +344,3 @@ hosts: debian9-x64-1: {ip: 169.60.150.88} debian10-x64-1: {ip: 169.44.16.126} ubuntu1404-x64-1: {ip: 50.97.245.5} - ubuntu1804_docker-x64-1: {ip: 52.117.26.9} diff --git a/ansible/roles/docker/tasks/partials/repo/ubuntu2204.yml b/ansible/roles/docker/tasks/partials/repo/ubuntu2204.yml new file mode 100644 index 000000000..f66cf40ce --- /dev/null +++ b/ansible/roles/docker/tasks/partials/repo/ubuntu2204.yml 
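Review bot: None of the source archives built in ubuntu2204_sharedlibs.Dockerfile.j2 is integrity-checked: each `curl -sL … | tar zxv` (ICU, OpenSSL 1.1.1u, the 3.0.8 FIPS build, 3.1.1, zlib) unpacks whatever the server returns, and the quictls `git clone -b` follows a ref name rather than a fixed commit. For an image that builds crypto libraries and runs `fipsinstall`, I would download each archive to a file with `curl -fsSLO`, check it against a SHA-256 pinned next to the version `ENV`, and only then extract; the fence shows the pattern for OpenSSL 3.1.1 with a placeholder digest. The same applies to `agent.jar`, which `CMD` fetches on every container start without `-f`, so an HTTP error body would be saved and handed to `java -jar`. Separately, `-secret {{ item.secret }}` is rendered into `CMD`, which stores the Jenkins agent secret in the image configuration where `docker inspect` shows it; supplying it when the container is started would keep it out of the image.

```dockerfile
ENV OPENSSL31VER 3.1.1
# Placeholder value: pin the SHA-256 published for this release tarball.
ENV OPENSSL31SHA256 <sha256-of-openssl-3.1.1.tar.gz>

RUN mkdir -p /tmp/openssl-$OPENSSL31VER && \
    # … unchanged: cd /tmp/openssl-$OPENSSL31VER …
    curl -fsSLO https://www.openssl.org/source/openssl-$OPENSSL31VER.tar.gz && \
    echo "$OPENSSL31SHA256  openssl-$OPENSSL31VER.tar.gz" | sha256sum -c - && \
    tar zxvf openssl-$OPENSSL31VER.tar.gz --strip=1 && \
    # … unchanged: ./config, make, make install, rm -rf …
```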
@@ -0,0 +1,18 @@ +--- + +# +# add Docker repo +# + +- name: "repo : add Ubuntu Docker repo key" + ansible.builtin.apt_key: + state: present + url: https://download.docker.com/linux/ubuntu/gpg + +- name: "repo : add Ubuntu Docker repo" + ansible.builtin.apt_repository: + repo: "deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable" + register: has_updated_package_repo + +- name: "repo : update apt cache" + apt: update_cache=yes diff --git a/ansible/roles/docker/vars/main.yml b/ansible/roles/docker/vars/main.yml index 58c874af0..79756e964 100644 --- a/ansible/roles/docker/vars/main.yml +++ b/ansible/roles/docker/vars/main.yml @@ -9,7 +9,7 @@ ssh_config: /etc/ssh/sshd_config sshd_service_name: 'sshd' ntp_service: { - systemd: ['debian8', 'debian9', 'debian10', 'ubuntu1604', 'ubuntu1804'] + systemd: ['debian8', 'debian9', 'debian10', 'ubuntu1604', 'ubuntu1804', 'ubuntu2204'] } common_packages: [ @@ -18,6 +18,9 @@ common_packages: [ # you can either add os family or os to this list (see smartos) # but the playbook chooses os over family - not both packages: { + ubuntu2204: [ + 'docker.io', + ], ubuntu2004: [ 'docker.io', ],
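Review bot: `ansible.builtin.apt_key` in the first task of ubuntu2204.yml adds the Docker key to apt's global trusted keyring, so apt accepts it for every configured repository, and `apt-key` is deprecated on Ubuntu 22.04. I would store the key in its own file and scope it to this one repository with `signed-by=` in the `deb` line, as in the fence (the keyring path there is an example). Also, `packages` in vars/main.yml installs `docker.io` for ubuntu2204, which appears to be the Ubuntu archive package, so it is worth confirming this upstream repository is needed at all. `has_updated_package_repo` is registered, but the cache update task runs unconditionally in the lines shown.

```yaml
- name: "repo : add Ubuntu Docker repo key"
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc  # example path
    mode: "0644"

- name: "repo : add Ubuntu Docker repo"
  ansible.builtin.apt_repository:
    repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
  # … unchanged: register, "update apt cache" task …
```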