From 54b5bd526b6a0e6f92680e95f028c18f6860d148 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 4 Feb 2019 14:16:30 -0800 Subject: [PATCH 1/2] Fix shared library loading preference on non-x86 architectures (especially those like aarch64 which sort lexicographically ahead of "libc.conf") See https://bugs.debian.org/685706 for the upstream bug report --- 3.7-rc/ubuntu/Dockerfile | 3 +++ 3.7/ubuntu/Dockerfile | 3 +++ 3.8-rc/ubuntu/Dockerfile | 3 +++ Dockerfile-ubuntu.template | 3 +++ 4 files changed, 12 insertions(+)
diff --git a/3.7-rc/ubuntu/Dockerfile b/3.7-rc/ubuntu/Dockerfile
index 5c61709..d9f06d4 100644
--- a/3.7-rc/ubuntu/Dockerfile
+++ b/3.7-rc/ubuntu/Dockerfile
@@ -80,6 +80,9 @@ RUN set -eux; \
 make install_sw install_ssldirs; \
 cd ..; \
 rm -rf "$OPENSSL_PATH"*; \
+# this is included in "/etc/ld.so.conf.d/libc.conf", but on arm64, it gets overshadowed by "/etc/ld.so.conf.d/aarch64-linux-gnu.conf" (vs "/etc/ld.so.conf.d/x86_64-linux-gnu.conf") so the precedence isn't correct -- we install our own file to overcome that and ensure any .so files in /usr/local/lib (especially OpenSSL's libssl.so) are preferred appropriately regardless of the target architecture
+# see https://bugs.debian.org/685706
+ echo '/usr/local/lib' > /etc/ld.so.conf.d/000-openssl-libc.conf; \
 ldconfig; \
 # use Debian's CA certificates
 rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
diff --git a/3.7/ubuntu/Dockerfile b/3.7/ubuntu/Dockerfile
index 5903c2f..5177b8e 100644
--- a/3.7/ubuntu/Dockerfile
+++ b/3.7/ubuntu/Dockerfile
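Review bot: The added `000-openssl-libc.conf` puts `/usr/local/lib` ahead of the distribution library directories for every program that resolves libraries through the ld.so cache, not only for OpenSSL consumers, and the comment above the `echo` does not say so. I would extend that comment with a line such as `# NOTE: this makes /usr/local/lib win over the distro library dirs for every binary in the image, so it must stay writable by root only`. A build-time assertion after `ldconfig` that libssl resolves from /usr/local/lib would also keep the precedence from regressing silently on a new architecture; the `RUN` body continues outside the hunk, so such a check may already exist further down. The same lines are added in the 3.7, 3.8-rc and Dockerfile-ubuntu.template hunks; if the versioned Dockerfiles are generated from the template, the comment belongs in the template.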
@@ -80,6 +80,9 @@ RUN set -eux; \
 make install_sw install_ssldirs; \
 cd ..; \
 rm -rf "$OPENSSL_PATH"*; \
+# this is included in "/etc/ld.so.conf.d/libc.conf", but on arm64, it gets overshadowed by "/etc/ld.so.conf.d/aarch64-linux-gnu.conf" (vs "/etc/ld.so.conf.d/x86_64-linux-gnu.conf") so the precedence isn't correct -- we install our own file to overcome that and ensure any .so files in /usr/local/lib (especially OpenSSL's libssl.so) are preferred appropriately regardless of the target architecture
+# see https://bugs.debian.org/685706
+ echo '/usr/local/lib' > /etc/ld.so.conf.d/000-openssl-libc.conf; \
 ldconfig; \
 # use Debian's CA certificates
 rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
diff --git a/3.8-rc/ubuntu/Dockerfile b/3.8-rc/ubuntu/Dockerfile
index d469091..48f24b4 100644
--- a/3.8-rc/ubuntu/Dockerfile
+++ b/3.8-rc/ubuntu/Dockerfile
@@ -80,6 +80,9 @@ RUN set -eux; \
 make install_sw install_ssldirs; \
 cd ..; \
 rm -rf "$OPENSSL_PATH"*; \
+# this is included in "/etc/ld.so.conf.d/libc.conf", but on arm64, it gets overshadowed by "/etc/ld.so.conf.d/aarch64-linux-gnu.conf" (vs "/etc/ld.so.conf.d/x86_64-linux-gnu.conf") so the precedence isn't correct -- we install our own file to overcome that and ensure any .so files in /usr/local/lib (especially OpenSSL's libssl.so) are preferred appropriately regardless of the target architecture
+# see https://bugs.debian.org/685706
+ echo '/usr/local/lib' > /etc/ld.so.conf.d/000-openssl-libc.conf; \
 ldconfig; \
 # use Debian's CA certificates
 rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template
index 6292ebb..9094b4f 100644
--- a/Dockerfile-ubuntu.template
+++ b/Dockerfile-ubuntu.template
@@ -80,6 +80,9 @@ RUN set -eux; \
 make install_sw install_ssldirs; \
 cd ..; \
 rm -rf "$OPENSSL_PATH"*; \
+# this is included in "/etc/ld.so.conf.d/libc.conf", but on arm64, it gets overshadowed by "/etc/ld.so.conf.d/aarch64-linux-gnu.conf" (vs "/etc/ld.so.conf.d/x86_64-linux-gnu.conf") so the precedence isn't correct -- we install our own file to overcome that and ensure any .so files in /usr/local/lib (especially OpenSSL's libssl.so) are preferred appropriately regardless of the target architecture
+# see https://bugs.debian.org/685706
+ echo '/usr/local/lib' > /etc/ld.so.conf.d/000-openssl-libc.conf; \
 ldconfig; \
 # use Debian's CA certificates
 rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
From c3af691fc3dfcaa608ecbe2d8017a41c7616be64 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 4 Feb 2019 15:18:39 -0800 Subject: [PATCH 2/2] Add "i386" to Travis to help catch multiarch issues (and a fix for OpenSSL's) --- .travis.yml | 16 ++++++++++++++++ 3.7-rc/alpine/Dockerfile | 5 +++++ 3.7-rc/ubuntu/Dockerfile | 5 +++++ 3.7/alpine/Dockerfile | 5 +++++ 3.7/ubuntu/Dockerfile | 5 +++++ 3.8-rc/alpine/Dockerfile | 5 +++++ 3.8-rc/ubuntu/Dockerfile | 5 +++++ Dockerfile-alpine.template | 5 +++++ Dockerfile-ubuntu.template | 5 +++++ update.sh | 1 + 10 files changed, 57 insertions(+)
diff --git a/.travis.yml b/.travis.yml
index d36ce1a..fe7387e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,11 +3,17 @@ services: docker
 env:
 - VERSION=3.8-rc VARIANT=ubuntu
+ - VERSION=3.8-rc VARIANT=ubuntu ARCH=i386
 - VERSION=3.8-rc VARIANT=alpine
+ - VERSION=3.8-rc VARIANT=alpine ARCH=i386
 - VERSION=3.7-rc VARIANT=ubuntu
+ - VERSION=3.7-rc VARIANT=ubuntu ARCH=i386
 - VERSION=3.7-rc VARIANT=alpine
+ - VERSION=3.7-rc VARIANT=alpine ARCH=i386
 - VERSION=3.7 VARIANT=ubuntu
+ - VERSION=3.7 VARIANT=ubuntu ARCH=i386
 - VERSION=3.7 VARIANT=alpine
+ - VERSION=3.7 VARIANT=alpine ARCH=i386
 install:
 - git clone https://github.com/docker-library/official-images.git ~/official-images
@@ -17,6 +23,16 @@ before_script:
 - wget -qO- 'https://github.com/tianon/pgp-happy-eyeballs/raw/master/hack-my-builds.sh' | bash
 - cd "$VERSION/$VARIANT"
 - image="$(awk 'toupper($1) == "FROM" { print $2; exit }' management/Dockerfile)"
+ - |
+ (
+ set -Eeuo pipefail
+ set -x
+ if [ -n "${ARCH:-}" ]; then
+ from="$(awk '$1 == toupper("FROM") { print $2 }' Dockerfile)"
+ docker pull "$ARCH/$from"
+ docker tag "$ARCH/$from" "$from"
+ fi
+ )
 script:
 - |
diff --git a/3.7-rc/alpine/Dockerfile b/3.7-rc/alpine/Dockerfile
index 4419a2b..2e6ff66 100644
--- a/3.7-rc/alpine/Dockerfile
+++ b/3.7-rc/alpine/Dockerfile
@@ -67,6 +67,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/3.7-rc/ubuntu/Dockerfile b/3.7-rc/ubuntu/Dockerfile
index d9f06d4..cedc5e9 100644
--- a/3.7-rc/ubuntu/Dockerfile
+++ b/3.7-rc/ubuntu/Dockerfile
@@ -74,6 +74,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/3.7/alpine/Dockerfile b/3.7/alpine/Dockerfile
index 4e1be7c..0e4cacd 100644
--- a/3.7/alpine/Dockerfile
+++ b/3.7/alpine/Dockerfile
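Review bot: The new `awk` call in the added `before_script` block is written differently from the one on the context line just above it: `$1 == toupper("FROM")` compares the raw first field with the literal `FROM`, so a lowercase `from` is missed, and without `exit` a Dockerfile with more than one `FROM` yields several lines that all land in one `docker pull` argument. Matching the existing line fixes both: `from="$(awk 'toupper($1) == "FROM" { print $2; exit }' Dockerfile)"`. Separately, `docker tag "$ARCH/$from" "$from"` rebinds the canonical base-image name to whatever the mutable `$ARCH/` tag resolves to at build time; a short comment stating that this override is deliberate and limited to CI would help the next reader.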
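Review bot: A failure of `dpkg-architecture` in the added `MACHINE="$(…)"` prefix is not caught by `set -eux`, because a command substitution inside an environment prefix does not decide the command's exit status; `MACHINE` would then be empty and, as far as I know, OpenSSL's `config` falls back to `uname -m`, which is the detection this change is meant to override. This matters most in the alpine hunks, where nothing visible in the hunk shows that `dpkg-architecture` is installed. Resolving the value in its own statement makes the build stop instead: `gnuCpu="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)"; \` followed by `MACHINE="$gnuCpu" \`. `RELEASE="4.x.y-z"` and `BUILD='???'` look like placeholders, and the comment should say what `config` requires of them. The same lines appear in the other seven Dockerfile and template hunks of this patch, and the `RUN` body starts and ends outside each hunk.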
@@ -67,6 +67,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/3.7/ubuntu/Dockerfile b/3.7/ubuntu/Dockerfile
index 5177b8e..7c8e0da 100644
--- a/3.7/ubuntu/Dockerfile
+++ b/3.7/ubuntu/Dockerfile
@@ -74,6 +74,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/3.8-rc/alpine/Dockerfile b/3.8-rc/alpine/Dockerfile
index d600fe7..a90f242 100644
--- a/3.8-rc/alpine/Dockerfile
+++ b/3.8-rc/alpine/Dockerfile
@@ -67,6 +67,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/3.8-rc/ubuntu/Dockerfile b/3.8-rc/ubuntu/Dockerfile
index 48f24b4..65d70b1 100644
--- a/3.8-rc/ubuntu/Dockerfile
+++ b/3.8-rc/ubuntu/Dockerfile
@@ -74,6 +74,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 9e9c4d8..7ec257d 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -67,6 +67,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template
index 9094b4f..119acdf 100644
--- a/Dockerfile-ubuntu.template
+++ b/Dockerfile-ubuntu.template
@@ -74,6 +74,11 @@ RUN set -eux; \
 \
 # Configure OpenSSL for compilation
 cd "$OPENSSL_PATH"; \
+# OpenSSL's "config" script uses a lot of "uname"-based target detection...
+ MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
+ RELEASE="4.x.y-z" \
+ SYSTEM='Linux' \
+ BUILD='???' \
 ./config --openssldir="$OPENSSL_CONFIG_DIR"; \
 # Compile, install OpenSSL, verify that the command-line works & development headers are present
 make -j "$(getconf _NPROCESSORS_ONLN)"; \
diff --git a/update.sh b/update.sh
index 3a49d62..1519d31 100755
--- a/update.sh
+++ b/update.sh
@@ -116,6 +116,7 @@ for version in "${versions[@]}"; do
 Dockerfile-management.template \
 > "$version/$variant/management/Dockerfile"
+ travisEnv='\n - VERSION='"$version"' VARIANT='"$variant ARCH=i386$travisEnv"
 travisEnv='\n - VERSION='"$version"' VARIANT='"$variant$travisEnv"
 done
 done