Fix builds on `arm32v6` and `arm32v7`

Fix 1: `-march=armv7-a` -> `-march=armv7-a+pf` to fix openssl build on Debian.
Fix 2: move custom openssl and erlang into `/usr/local/erlang` to prevent system packages from accidentally using this openssl. `wget` on `arm32v7` was unable to download the RabbitMQ release over ssl because of the custom openssl (it just happens to work fine on other architectures).
Fix 3: remove `disable-dynamic-ssl-lib` from erlang config. On arm32v6 (Alpine), this embedding of openssl somehow misses the dynamically linked `libatomic`, so it would fail to run. This should save a little space in every image (~10MB).

3.10/alpine/Dockerfile

@@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -46,7 +50,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -71,8 +75,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -124,8 +130,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -135,19 +141,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -173,24 +180,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:3.18
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -201,10 +209,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.10/ubuntu/Dockerfile

@@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -68,12 +72,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -122,8 +128,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -133,19 +139,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -172,30 +179,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:22.04
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.11/alpine/Dockerfile

@@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -46,7 +50,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -71,8 +75,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -124,8 +130,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -135,19 +141,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -173,24 +180,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:3.18
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -201,10 +209,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.11/ubuntu/Dockerfile

@@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -68,12 +72,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -122,8 +128,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -133,19 +139,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -172,30 +179,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:22.04
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.12/alpine/Dockerfile

@@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -46,7 +50,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -71,8 +75,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -124,8 +130,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -135,19 +141,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -173,24 +180,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:3.18
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -201,10 +209,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.12/ubuntu/Dockerfile

@@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -68,12 +72,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -122,8 +128,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -133,19 +139,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -172,30 +179,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:22.04
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.13-rc/alpine/Dockerfile

@@ -35,6 +35,10 @@ ENV OTP_VERSION 26.0.2
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -46,7 +50,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -71,8 +75,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -124,8 +130,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -135,19 +141,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -173,24 +180,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:3.18
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -201,10 +209,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.13-rc/ubuntu/Dockerfile

@@ -36,6 +36,10 @@ ENV OTP_VERSION 26.0.2
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75db
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -68,12 +72,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -122,8 +128,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -133,19 +139,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -172,30 +179,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:22.04
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.9/alpine/Dockerfile

@@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -46,7 +50,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -71,8 +75,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -124,8 +130,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -135,19 +141,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -173,24 +180,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:3.18
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -201,10 +209,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

3.9/ubuntu/Dockerfile

@@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -68,12 +72,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -87,10 +92,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -122,8 +128,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -133,19 +139,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -172,30 +179,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:22.04
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

Dockerfile-alpine.template

@@ -69,6 +69,10 @@ ENV OTP_VERSION {{ .otp.version }}
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -80,7 +84,7 @@ RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -105,8 +109,9 @@ RUN set -eux; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		aarch64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
-		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \
+		armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		ppc64le) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
@@ -121,10 +126,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir=/usr/local/lib \
+		--libdir="$INSTALL_PATH_PREFIX/lib" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -158,8 +164,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	export CFLAGS='-g -O2'; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -169,19 +175,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -207,24 +214,25 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM alpine:{{ .alpine.version }}
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Ensure run-time dependencies are installed
 	runDeps="$( \
@@ -235,10 +243,10 @@ RUN set -eux; \
 	)"; \
 	apk add --no-cache --virtual .otp-run-deps $runDeps; \
 	\
-# Check that OpenSSL still works after purging build dependencies
+# Check that OpenSSL still works after copying from previous builder
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\

Dockerfile-ubuntu.template

@@ -70,6 +70,10 @@ ENV OTP_VERSION {{ .otp.version }}
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}"
 
+# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
+ENV INSTALL_PATH_PREFIX='/usr/local/erlang'
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
+
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
@@ -78,7 +82,7 @@ ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}"
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
-	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
+	OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
@@ -102,12 +106,13 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
-# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
-		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \
+# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
+# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
+		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
@@ -121,10 +126,11 @@ RUN set -eux; \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
-		--libdir="/usr/local/lib/$debMultiarch" \
+		--libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath="/usr/local/lib/$debMultiarch" \
+		-Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \
 		${opensslExtraConfig:-} \
 	; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
@@ -156,8 +162,8 @@ RUN set -eux; \
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
+# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
+	export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
@@ -167,19 +173,20 @@ RUN set -eux; \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
+		--prefix="$INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
 		--disable-hipe \
 		--disable-sctp \
 		--disable-silent-rules \
+		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
-		--enable-builtin-zlib \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
+		--with-ssl="$INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
@@ -206,30 +213,31 @@ RUN set -eux; \
 	make install; \
 	\
 # Remove unnecessary files
-	find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
-	find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' +
+	find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 
 FROM ubuntu:{{ .ubuntu.version }}
 
-COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/
+# INSTALL_PATH_PREFIX is in a different stage, so define it again
-COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/
+ENV INSTALL_PATH_PREFIX /usr/local/erlang
-COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/
+COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"
+ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH"
 
 ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 
 RUN set -eux; \
 # Configure OpenSSL to use system certs
-	ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \
+	ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
-	sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \
+	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-	    -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \
+		-e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
-	sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \
+	sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	openssl version; \
 	openssl version -d; \
 	\