Use Ubuntu 22.04 for RabbitMQ 3.12.x (#644)

Continues to use Ubuntu 20.04 for 3.11, 3.10 and 3.9 Fixes #643 Use Ubuntu 22.04 as the base image Bump OpenSSL to 3.1.x series, use Ubuntu 22.04
2023-06-20 15:29:47 -07:00 · 2023-06-20 15:29:47 -07:00 · 0192a912d6
parent 8b63feadd4
commit 0192a912d6
12 changed files with 91 additions and 41 deletions
--- a/3.10/alpine/Dockerfile
+++ b/3.10/alpine/Dockerfile
@ -24,8 +24,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.10 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.10/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

--- a/3.10/ubuntu/Dockerfile
+++ b/3.10/ubuntu/Dockerfile
@ -6,7 +6,7 @@

 # The official Canonical Ubuntu Focal image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04 as build-base
+FROM ubuntu:22.04 as build-base

 RUN set -eux; \
 	apt-get update; \
@ -25,8 +25,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.10 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.10/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

@ -161,7 +161,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM ubuntu:20.04
+FROM ubuntu:22.04

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/3.11/alpine/Dockerfile
+++ b/3.11/alpine/Dockerfile
@ -24,8 +24,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.11 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.11/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

--- a/3.11/ubuntu/Dockerfile
+++ b/3.11/ubuntu/Dockerfile
@ -6,7 +6,7 @@

 # The official Canonical Ubuntu Focal image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04 as build-base
+FROM ubuntu:22.04 as build-base

 RUN set -eux; \
 	apt-get update; \
@ -25,8 +25,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.11 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.11/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

@ -161,7 +161,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM ubuntu:20.04
+FROM ubuntu:22.04

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/3.12/alpine/Dockerfile
+++ b/3.12/alpine/Dockerfile
@ -24,8 +24,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.12 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.12/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

--- a/3.12/ubuntu/Dockerfile
+++ b/3.12/ubuntu/Dockerfile
@ -6,7 +6,7 @@

 # The official Canonical Ubuntu Focal image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04 as build-base
+FROM ubuntu:22.04 as build-base

 RUN set -eux; \
 	apt-get update; \
@ -25,8 +25,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.12 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.12/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

@ -161,7 +161,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM ubuntu:20.04
+FROM ubuntu:22.04

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/3.9/alpine/Dockerfile
+++ b/3.9/alpine/Dockerfile
@ -24,8 +24,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.9 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.9/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

--- a/3.9/ubuntu/Dockerfile
+++ b/3.9/ubuntu/Dockerfile
@ -6,7 +6,7 @@

 # The official Canonical Ubuntu Focal image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04 as build-base
+FROM ubuntu:22.04 as build-base

 RUN set -eux; \
 	apt-get update; \
@ -25,8 +25,8 @@ ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.9 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.9/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252

-ENV OPENSSL_VERSION 3.0.9
-ENV OPENSSL_SOURCE_SHA256="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"
+ENV OPENSSL_VERSION 3.1.1
+ENV OPENSSL_SOURCE_SHA256="b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
 # https://www.openssl.org/community/otc.html
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"

@ -161,7 +161,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM ubuntu:20.04
+FROM ubuntu:22.04

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@ -1,5 +1,5 @@
 # Alpine Linux is not officially supported by the RabbitMQ team -- use at your own risk!
-FROM alpine:3.18 as build-base
+FROM alpine:{{ .alpine.version }} as build-base

 RUN apk add --no-cache \
 	build-base \
@ -191,7 +191,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM alpine:3.18
+FROM alpine:{{ .alpine.version }}

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/Dockerfile-ubuntu.template
+++ b/Dockerfile-ubuntu.template
@ -1,6 +1,6 @@
 # The official Canonical Ubuntu Focal image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
-FROM ubuntu:20.04 as build-base
+FROM ubuntu:{{ .ubuntu.version }} as build-base

 RUN set -eux; \
 	apt-get update; \
@ -191,7 +191,7 @@ RUN set -eux; \
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'

-FROM ubuntu:20.04
+FROM ubuntu:{{ .ubuntu.version }}

 COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
 COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
--- a/versions.json
+++ b/versions.json
@ -1,49 +1,73 @@
 {
  "3.10": {
+    "alpine": {
+      "version": "3.18"
+    },
    "openssl": {
-      "sha256": "eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90",
-      "version": "3.0.9"
+      "sha256": "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674",
+      "version": "3.1.1"
    },
    "otp": {
      "sha256": "83a36f3d90deef36adb615bbfb46cd327f0b76b7668e1f7f253fd66b4ae24518",
      "version": "25.3.2.2"
    },
+    "ubuntu": {
+      "version": "22.04"
+    },
    "version": "3.10.24"
  },
  "3.10-rc": null,
  "3.11": {
+    "alpine": {
+      "version": "3.18"
+    },
    "openssl": {
-      "sha256": "eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90",
-      "version": "3.0.9"
+      "sha256": "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674",
+      "version": "3.1.1"
    },
    "otp": {
      "sha256": "83a36f3d90deef36adb615bbfb46cd327f0b76b7668e1f7f253fd66b4ae24518",
      "version": "25.3.2.2"
    },
+    "ubuntu": {
+      "version": "22.04"
+    },
    "version": "3.11.18"
  },
  "3.11-rc": null,
  "3.12": {
+    "alpine": {
+      "version": "3.18"
+    },
    "openssl": {
-      "sha256": "eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90",
-      "version": "3.0.9"
+      "sha256": "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674",
+      "version": "3.1.1"
    },
    "otp": {
      "sha256": "83a36f3d90deef36adb615bbfb46cd327f0b76b7668e1f7f253fd66b4ae24518",
      "version": "25.3.2.2"
    },
+    "ubuntu": {
+      "version": "22.04"
+    },
    "version": "3.12.0"
  },
  "3.12-rc": null,
  "3.9": {
+    "alpine": {
+      "version": "3.18"
+    },
    "openssl": {
-      "sha256": "eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90",
-      "version": "3.0.9"
+      "sha256": "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674",
+      "version": "3.1.1"
    },
    "otp": {
      "sha256": "83a36f3d90deef36adb615bbfb46cd327f0b76b7668e1f7f253fd66b4ae24518",
      "version": "25.3.2.2"
    },
+    "ubuntu": {
+      "version": "22.04"
+    },
    "version": "3.9.29"
  },
  "3.9-rc": null
--- a/versions.sh
+++ b/versions.sh
@ -1,6 +1,20 @@
 #!/usr/bin/env bash
 set -Eeuo pipefail

+declare -A alpineVersions=(
+	[3.9]='3.18'
+	[3.10]='3.18'
+	[3.11]='3.18'
+	[3.12]='3.18'
+)
+
+declare -A ubuntuVersions=(
+	[3.9]='22.04'
+	[3.10]='22.04'
+	[3.11]='22.04'
+	[3.12]='22.04'
+)
+
 # https://www.rabbitmq.com/which-erlang.html ("Maximum supported Erlang/OTP")
 declare -A otpMajors=(
 	[3.9]='25'
@ -12,10 +26,10 @@ declare -A otpMajors=(
 # https://www.openssl.org/policies/releasestrat.html
 # https://www.openssl.org/source/
 declare -A opensslMajors=(
-	[3.9]='3.0'
-	[3.10]='3.0'
-	[3.11]='3.0'
-	[3.12]='3.0'
+	[3.9]='3.1'
+	[3.10]='3.1'
+	[3.11]='3.1'
+	[3.12]='3.1'
 )

 cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
@ -130,7 +144,13 @@ for version in "${versions[@]}"; do
 	# OpenSSL 3.0.5's sha256 file starts with a single space 😬
 	opensslSourceSha256="${opensslSourceSha256# }"

-	echo "$version: $fullVersion (otp $otpVersion, openssl $opensslVersion)"
+	alpineVersion="${alpineVersions[$rcVersion]}"
+	export alpineVersion
+
+	ubuntuVersion="${ubuntuVersions[$rcVersion]}"
+	export ubuntuVersion
+
+	echo "$version: $fullVersion (otp $otpVersion, openssl $opensslVersion, alpine, $alpineVersion, ubuntu $ubuntuVersion)"

 	json="$(
 		jq <<<"$json" -c '
@ -144,6 +164,12 @@ for version in "${versions[@]}"; do
 					version: env.otpVersion,
 					sha256: env.otpSourceSha256,
 				},
+				alpine: {
+					version: env.alpineVersion
+				},
+				ubuntu: {
+					version: env.ubuntuVersion
+				},
 			}
 		'
 	)"