From 5080f219c3e0cb2babc1cf55e99f3b47dd867afc Mon Sep 17 00:00:00 2001 From: Joseph Ferguson Date: Thu, 24 Aug 2023 15:57:28 -0700 Subject: [PATCH 1/4] Fix builds on `arm32v6` and `arm32v7` Fix 1: `-march=armv7-a` -> `-march=armv7-a+fp` to fix openssl build on Debian. Fix 2: move custom openssl and erlang into `/usr/local/erlang` to prevent system packages from accidentally using this openssl. `wget` on `arm32v7` was unable to download the RabbitMQ release over ssl because of the custom openssl (it just happens to work fine on other architectures). Fix 3: remove `disable-dynamic-ssl-lib` from erlang config. On arm32v6 (Alpine), this embedding of openssl somehow misses the dynamically linked `libatomic`, so it would fail to run. This should save a little space in every image (~10MB). --- 3.10/alpine/Dockerfile | 50 ++++++++++++++++++++++---------------- 3.10/ubuntu/Dockerfile | 48 +++++++++++++++++++++--------------- 3.11/alpine/Dockerfile | 50 ++++++++++++++++++++++---------------- 3.11/ubuntu/Dockerfile | 48 +++++++++++++++++++++--------------- 3.12/alpine/Dockerfile | 50 ++++++++++++++++++++++---------------- 3.12/ubuntu/Dockerfile | 48 +++++++++++++++++++++--------------- 3.13-rc/alpine/Dockerfile | 50 ++++++++++++++++++++++---------------- 3.13-rc/ubuntu/Dockerfile | 48 +++++++++++++++++++++--------------- 3.9/alpine/Dockerfile | 50 ++++++++++++++++++++++---------------- 3.9/ubuntu/Dockerfile | 48 +++++++++++++++++++++--------------- Dockerfile-alpine.template | 50 ++++++++++++++++++++++---------------- Dockerfile-ubuntu.template | 48 +++++++++++++++++++++--------------- 12 files changed, 342 insertions(+), 246 deletions(-) diff --git a/3.10/alpine/Dockerfile b/3.10/alpine/Dockerfile index 7d182a9..50ede42 100644 --- a/3.10/alpine/Dockerfile +++ b/3.10/alpine/Dockerfile 
@@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -46,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -71,8 +75,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ 
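Review bot: The comment added above the `armhf` and `armv7` arms (hunk `@@ -71,8 +75,9 @@`) is a bare link to the GCC ARM options page and does not say why `+fp` is appended. The commit message explains the `armv7-a` change (the OpenSSL build failed without it) but never mentions that Alpine `armhf` also moves from `-march=armv6` to `-march=armv6+fp`. A line next to the flags such as `# "+fp" adds the floating-point extension to -march; without it the OpenSSL build failed on 32-bit ARM` would record the reason where the next maintainer looks. The `case` block starts and ends outside the hunk, and the same arms are edited in the other Dockerfiles of this patch.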
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -124,8 +130,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
@@ -135,19 +141,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
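Review bot: With `--disable-dynamic-ssl-lib` removed, Erlang's crypto application resolves libcrypto when it is loaded, so which OpenSSL it ends up with depends on the `-Wl,-rpath=$INSTALL_PATH_PREFIX/lib` entry set in the previous hunk, and nothing visible in the build confirms the result. The existing check in the following hunk prints only `crypto:supports()` and `ssl:versions()`, which would presumably look much the same if a distribution libcrypto were picked up instead of the custom FIPS-enabled build. I would add `crypto:info_lib()` to that check and compare it with the pinned version, for example `RUN erl -noshell -eval 'ok = crypto:start(), io:format("~p~n", [crypto:info_lib()]), init:stop().' | grep -F "OpenSSL $OPENSSL_VERSION"`, and repeat it in the final stage if no later step already does so. The `./configure` invocation starts and ends outside this hunk; the same flag change is made in the other Dockerfiles of this patch.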
@@ -173,24 +180,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:3.18 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
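Review bot: `COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"` now brings the whole prefix into the runtime image, where the three removed `COPY` lines took only `bin`, `etc/ssl` and `lib`. The builder cleanup in this hunk prunes `examples`, `src` and `include` only under `$INSTALL_PATH_PREFIX/lib/erlang`, so the OpenSSL development headers that an earlier comment says are installed, and anything else the two installs wrote under the prefix, would presumably ship as well. Adding `rm -rf "$INSTALL_PATH_PREFIX/include" "$INSTALL_PATH_PREFIX/share"` to the builder cleanup, after confirming nothing reads them at run time, keeps the final image to what Erlang and the `openssl` CLI need. The final stage also uses the legacy form `ENV INSTALL_PATH_PREFIX /usr/local/erlang` while the builder writes `ENV INSTALL_PATH_PREFIX='/usr/local/erlang'`; using the `key=value` form in both keeps the two definitions visibly identical. Both `RUN` instructions continue outside the hunk, and the same section appears in the other Dockerfiles of this patch.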
@@ -201,10 +209,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile index fbab2a9..2763e94 100644 --- a/3.10/ubuntu/Dockerfile +++ b/3.10/ubuntu/Dockerfile @@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
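Review bot: Both `sed -i.ORIG` calls in the final stage of 3.10/alpine (hunk `@@ -201,10 +209,10 @@`) exit successfully even when their patterns match nothing, so if a future `openssl.cnf` rewords the `.include ... fips` or `# fips =` lines the file is left untouched and the build still passes on `openssl version`. A check straight after the first sed, such as `grep -qF ".include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf" "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \`, would fail the build under `set -eux` instead of shipping an unedited config. The reworded comment `# Check that OpenSSL still works after copying from previous builder` also sits directly above these edits rather than above the `openssl version` calls; a separate line like `# Point openssl.cnf at the relocated fipsmodule.cnf` would describe them. The `RUN` instruction starts and ends outside the hunk, and the same lines are changed in 3.10/ubuntu and the 3.11 files.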
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188 RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -68,12 +72,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -122,8 +128,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -133,19 +139,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -172,30 +179,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:22.04 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.11/alpine/Dockerfile b/3.11/alpine/Dockerfile index b51e3ae..1937294 100644 --- a/3.11/alpine/Dockerfile +++ b/3.11/alpine/Dockerfile @@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -46,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
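Review bot: The `ldconfig;` kept in the final stage of 3.10/ubuntu (hunk `@@ -172,30 +179,31 @@`) probably no longer does anything for the copied libraries, since they now sit under `$INSTALL_PATH_PREFIX/lib/...`, which the new builder comment describes as a path that isn't auto-checked for libs. The `openssl` binary and Erlang then depend only on the rpath baked in at build time, which matches the intent of the change. I would drop the line, or keep it with a comment such as `# no-op for $INSTALL_PATH_PREFIX; libs there are found via rpath only`, so nobody later assumes the loader cache covers them. The same line remains in 3.11/ubuntu.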
@@ -71,8 +75,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ @@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -124,8 +130,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -135,19 +141,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -173,24 +180,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:3.18 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
@@ -201,10 +209,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile index 4f17d07..223754c 100644 --- a/3.11/ubuntu/Dockerfile +++ b/3.11/ubuntu/Dockerfile @@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188 RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -68,12 +72,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -122,8 +128,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -133,19 +139,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -172,30 +179,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:22.04 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile index db6e0cc..2ba94ab 100644 --- a/3.12/alpine/Dockerfile +++ b/3.12/alpine/Dockerfile @@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -46,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -71,8 +75,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ @@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -124,8 +130,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -135,19 +141,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
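Review bot: Dropping `--disable-dynamic-ssl-lib` from the `./configure` call (hunk `@@ -135,19 +141,20 @@`) means the crypto NIF now resolves `libcrypto` when it is loaded, so which OpenSSL ends up in the process depends on the rpath set through `CFLAGS` in the previous hunk rather than on what was linked in at build time. Nothing visible asserts that the loaded library is the one built under `$INSTALL_PATH_PREFIX`; the existing `erl -noshell -eval` check (outside this hunk) prints `crypto:supports()` and would presumably also pass against a distribution libcrypto. I would extend that check to print `crypto:info_lib()` and compare the reported version with `$OPENSSL_VERSION`, and pass the rpath through `LDFLAGS` as well, since `-Wl,` options in `CFLAGS` reach the linker only when the compiler driver performs the link. The same applies to the ubuntu variant and to the 3.13-rc and 3.9 files.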
@@ -173,24 +180,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:3.18 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
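Review bot: `COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX"` brings the whole prefix into the runtime image, where the three removed `COPY` lines took only `bin/`, `etc/ssl/` and `lib/`. The builder verifies that the OpenSSL development headers are present, and the cleanup at the top of this hunk prunes only directories under `$INSTALL_PATH_PREFIX/lib/erlang`, so the headers and anything else the install steps put under the prefix would presumably ship in the final image. I would prune them in the builder before the copy, e.g. `rm -rf "$INSTALL_PATH_PREFIX/include"`, or copy the `bin`, `etc` and `lib` subdirectories individually as before. The ubuntu file and the 3.13-rc and 3.9 files have the same `COPY`.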
@@ -201,10 +209,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index 4aadcb3..8bed730 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
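Review bot: The comment `# Check that OpenSSL still works after copying from previous builder` (hunk `@@ -201,10 +209,10 @@`) sits directly above two `sed` commands that edit configuration rather than check anything; the actual check is the `openssl version` pair after them. These edits decide how the FIPS provider is wired in, so they deserve their own comment, for example `# Point openssl.cnf at the relocated fipsmodule.cnf and declare the fips section; "activate" is commented out in fipsmodule.cnf`, which presumably leaves the provider configured but not turned on by default. It would also be worth noting that `sed -i.ORIG` leaves `openssl.cnf.ORIG` and `fipsmodule.cnf.ORIG` behind in the image. The same block appears in the ubuntu file and in the 3.13-rc and 3.9 files; the `RUN` it belongs to starts and ends outside this hunk.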
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188 RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -68,12 +72,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -122,8 +128,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -133,19 +139,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
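Review bot: In 3.12/ubuntu/Dockerfile, `--with-ssl="$INSTALL_PATH_PREFIX"` (hunk `@@ -133,19 +139,20 @@`) hands Erlang's `./configure` only the prefix, while the OpenSSL `Configure` hunk above installs the libraries into `$INSTALL_PATH_PREFIX/lib/$debMultiarch`. Whether configure searches the multiarch subdirectory on its own is not visible from this diff, and it is worth making the lookup explicit now that `--disable-dynamic-ssl-lib` is gone and the library is resolved dynamically. Naming the directory removes the guesswork: `--with-ssl-lib-subdir="lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)" \`. The 3.13-rc/ubuntu file has the same call.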
@@ -172,30 +179,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:22.04 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.13-rc/alpine/Dockerfile b/3.13-rc/alpine/Dockerfile index def4f26..a72bb89 100644 --- a/3.13-rc/alpine/Dockerfile +++ b/3.13-rc/alpine/Dockerfile @@ -35,6 +35,10 @@ ENV OTP_VERSION 26.0.2 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -46,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
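Review bot: The `ldconfig;` call kept in the final-stage `RUN` of 3.12/ubuntu/Dockerfile (hunk `@@ -172,30 +179,31 @@`) looks stale after this change, because the libraries moved from `/usr/local/lib/$debMultiarch` to a prefix that, per the new comment on `INSTALL_PATH_PREFIX`, is deliberately not auto-checked for libs. If nothing else in the stage needs it, I would drop the line, or replace it with a comment that records how the custom OpenSSL is found, e.g. `# no ldconfig: libssl/libcrypto under $INSTALL_PATH_PREFIX are located via rpath only`. The 3.13-rc/ubuntu final stage has the same line. The `RUN` continues past the end of the hunk.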
@@ -71,8 +75,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ @@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -124,8 +130,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -135,19 +141,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -173,24 +180,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:3.18 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
@@ -201,10 +209,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile index fd21dbf..fcadd62 100644 --- a/3.13-rc/ubuntu/Dockerfile +++ b/3.13-rc/ubuntu/Dockerfile @@ -36,6 +36,10 @@ ENV OTP_VERSION 26.0.2 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75db RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -68,12 +72,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -122,8 +128,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -133,19 +139,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -172,30 +179,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:22.04 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.9/alpine/Dockerfile b/3.9/alpine/Dockerfile index 6797f2d..4ebb74c 100644 --- a/3.9/alpine/Dockerfile +++ b/3.9/alpine/Dockerfile @@ -35,6 +35,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -46,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -71,8 +75,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ @@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -124,8 +130,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -135,19 +141,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -173,24 +180,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:3.18 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
@@ -201,10 +209,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile index 86067c9..c2dcaed 100644 --- a/3.9/ubuntu/Dockerfile +++ b/3.9/ubuntu/Dockerfile @@ -36,6 +36,10 @@ ENV OTP_VERSION 25.3.2.5 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
@@ -44,7 +48,7 @@ ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188 RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -68,12 +72,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
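Review bot: The `armhf)` arm of the `case` gains `+fp` with two bare links but no statement of why the suffix is needed. A one-line comment such as `# "+fp": name the FPU in -march so the OpenSSL build succeeds on 32-bit ARM` would save the next maintainer from re-deriving it from the GCC manual; the exact reason is inferred here and should be confirmed by the author. The same applies to the `armhf`/`armv7` arms in the Alpine template and the `armhf` arm in the Ubuntu template. The `case` statement starts and ends outside the hunk.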
@@ -87,10 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -122,8 +128,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -133,19 +139,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
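Review bot: With `--disable-dynamic-ssl-lib` removed from `./configure`, Erlang's crypto library resolves libcrypto when it is loaded, and nothing visible in this series asserts that the copy under `$INSTALL_PATH_PREFIX` is the one it picks up. The existing `crypto:start()` / `crypto:supports()` check passes with any loadable libcrypto, and the later `command -v openssl` test only covers the CLI found on `PATH`. Consider also printing `crypto:info_lib()` in that `erl -eval` check and comparing the reported version with `$OPENSSL_VERSION`, ideally in the final image too, where a distribution libssl may be installed. The same change appears in the configure hunks of both templates; the `./configure` call continues outside the hunk.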
@@ -172,30 +179,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:22.04 -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 25a852b..d466ab5 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -69,6 +69,10 @@ ENV OTP_VERSION {{ .otp.version }} # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP @@ -80,7 +84,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -105,8 +109,9 @@ RUN set -eux; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) aarch64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6' ;; \ - armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv6+fp' ;; \ + armv7) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ ppc64le) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ s390x) opensslMachine='linux64-s390x' ;; \ @@ -121,10 +126,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir=/usr/local/lib \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath=/usr/local/lib \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -158,8 +164,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -169,19 +175,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -207,24 +214,25 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM alpine:{{ .alpine.version }} -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ 
@@ -235,10 +243,10 @@ RUN set -eux; \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ -# Check that OpenSSL still works after purging build dependencies - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ +# Check that OpenSSL still works after copying from previous builder + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index 0d72175..a748bc8 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -70,6 +70,10 @@ ENV OTP_VERSION {{ .otp.version }} # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}" +# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages +ENV INSTALL_PATH_PREFIX='/usr/local/erlang' +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" + # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP 
@@ -78,7 +82,7 @@ ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \ + OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -102,12 +106,13 @@ RUN set -eux; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) amd64) opensslMachine='linux-x86_64' ;; \ arm64) opensslMachine='linux-aarch64' ;; \ # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a' ;; \ +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ i386) opensslMachine='linux-x86' ;; \ ppc64el) opensslMachine='linux-ppc64le' ;; \ riscv64) opensslMachine='linux64-riscv64' ;; \ 
@@ -121,10 +126,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ + --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="/usr/local/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="/usr/local/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -156,8 +162,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib/$debMultiarch is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -167,19 +173,20 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ + --prefix="$INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ - --disable-dynamic-ssl-lib \ --disable-hipe \ --disable-sctp \ --disable-silent-rules \ + --enable-builtin-zlib \ --enable-clock-gettime \ --enable-hybrid-heap \ --enable-kernel-poll \ - --enable-builtin-zlib \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ + --with-ssl="$INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -206,30 +213,31 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find /usr/local/lib/erlang -type d -name examples -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name src -exec rm -rf '{}' +; \ - find /usr/local/lib/erlang -type d -name include -exec rm -rf '{}' + + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' FROM ubuntu:{{ .ubuntu.version }} -COPY --from=erlang-builder /usr/local/bin/ /usr/local/bin/ -COPY --from=erlang-builder /usr/local/etc/ssl/ /usr/local/etc/ssl/ -COPY --from=erlang-builder /usr/local/lib/ /usr/local/lib/ +# INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV INSTALL_PATH_PREFIX /usr/local/erlang +COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" +ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private /usr/local/etc/ssl; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e '/\.include.*fips/s/.*/.include \/usr\/local\/etc\/ssl\/fipsmodule.cnf/' \ - -e '/# fips =/s/.*/fips = fips_sect/' /usr/local/etc/ssl/openssl.cnf; \ - sed -i.ORIG -e '/^activate/s/^/#/' /usr/local/etc/ssl/fipsmodule.cnf; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ openssl version; \ openssl version -d; \ \ From 8e4a8b15d8c75e8c3ac225a605ccda6a09c52704 Mon Sep 17 00:00:00 2001 From: Joseph Ferguson Date: Fri, 25 Aug 2023 14:50:54 -0700 Subject: [PATCH 2/4] Remove unnecessary `DEB_HOST_MULTIARCH`; test that custom openssl is being used --- 3.10/alpine/Dockerfile | 1 + 3.10/ubuntu/Dockerfile | 12 ++++++------ 3.11/alpine/Dockerfile | 1 + 3.11/ubuntu/Dockerfile | 12 ++++++------ 3.12/alpine/Dockerfile | 1 + 3.12/ubuntu/Dockerfile | 12 ++++++------ 3.13-rc/alpine/Dockerfile | 1 + 3.13-rc/ubuntu/Dockerfile | 12 ++++++------ 3.9/alpine/Dockerfile | 1 + 3.9/ubuntu/Dockerfile | 12 ++++++------ Dockerfile-alpine.template | 1 + Dockerfile-ubuntu.template | 12 ++++++------ 12 files changed, 42 insertions(+), 36 deletions(-) diff --git a/3.10/alpine/Dockerfile b/3.10/alpine/Dockerfile index 50ede42..0f896d9 100644 --- a/3.10/alpine/Dockerfile +++ b/3.10/alpine/Dockerfile @@ -213,6 +213,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile index 2763e94..ea45820 100644 --- a/3.10/ubuntu/Dockerfile +++ b/3.10/ubuntu/Dockerfile 
@@ -67,7 +67,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ @@ -94,9 +93,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
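Review bot: After `debMultiarch=` is dropped, the comment `# without specifying "--libdir", Erlang will fail during "crypto:supports()" …` no longer sits next to anything that sets a libdir; it now reads as if it described the `dpkgArch` line below it. Move it down to the `--libdir="$INSTALL_PATH_PREFIX/lib" \` argument of `./Configure` in the following hunk, so the reason stays attached to the flag. The other Ubuntu Dockerfiles changed by this commit have the same leftover.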
@@ -128,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -204,6 +203,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.11/alpine/Dockerfile b/3.11/alpine/Dockerfile index 1937294..b5c0dbb 100644 --- a/3.11/alpine/Dockerfile +++ b/3.11/alpine/Dockerfile 
@@ -213,6 +213,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile index 223754c..d9d004a 100644 --- a/3.11/ubuntu/Dockerfile +++ b/3.11/ubuntu/Dockerfile @@ -67,7 +67,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ 
@@ -94,9 +93,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -128,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -204,6 +203,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile index 2ba94ab..50ff9c6 100644 --- a/3.12/alpine/Dockerfile +++ b/3.12/alpine/Dockerfile 
@@ -213,6 +213,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index 8bed730..bcac171 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -67,7 +67,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ 
@@ -94,9 +93,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -128,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -204,6 +203,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.13-rc/alpine/Dockerfile b/3.13-rc/alpine/Dockerfile index a72bb89..b307508 100644 --- a/3.13-rc/alpine/Dockerfile +++ b/3.13-rc/alpine/Dockerfile 
@@ -213,6 +213,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile index fcadd62..4169691 100644 --- a/3.13-rc/ubuntu/Dockerfile +++ b/3.13-rc/ubuntu/Dockerfile @@ -67,7 +67,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ 
@@ -94,9 +93,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -128,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -204,6 +203,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.9/alpine/Dockerfile b/3.9/alpine/Dockerfile index 4ebb74c..44e090b 100644 --- a/3.9/alpine/Dockerfile +++ b/3.9/alpine/Dockerfile 
@@ -213,6 +213,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile index c2dcaed..0a58565 100644 --- a/3.9/ubuntu/Dockerfile +++ b/3.9/ubuntu/Dockerfile @@ -67,7 +67,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ 
@@ -94,9 +93,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -128,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -204,6 +203,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index d466ab5..727c750 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template 
@@ -247,6 +247,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index a748bc8..8d523b8 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -101,7 +101,6 @@ RUN set -eux; \ # Configure OpenSSL for compilation cd "$OPENSSL_PATH"; \ # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) - debMultiarch="$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ # OpenSSL's "config" script uses a lot of "uname"-based target detection... dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ # https://deb.debian.org/debian/dists/unstable/main/ 
@@ -128,9 +127,9 @@ RUN set -eux; \ enable-fips \ --prefix="$INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib/$debMultiarch" \ + --libdir="$INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present 
@@ -162,8 +161,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib/$debMultiarch" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib/$(dpkg-architecture --query DEB_HOST_MULTIARCH)"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -238,6 +237,7 @@ RUN set -eux; \ sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ From fecac447f881a1b1bd503d7833cb07fd263c01d0 Mon Sep 17 00:00:00 2001 
From: Luke Bakken Date: Tue, 29 Aug 2023 11:15:58 -0700 Subject: [PATCH 3/4] Install Erlang and OpenSSL to /opt Erlang will be installed to `/opt/erlang` and OpenSSL to `/opt/openssl` --- 3.10/ubuntu/Dockerfile | 52 ++++++++++++++++++++------------------ 3.11/ubuntu/Dockerfile | 52 ++++++++++++++++++++------------------ 3.12/ubuntu/Dockerfile | 52 ++++++++++++++++++++------------------ 3.13-rc/ubuntu/Dockerfile | 52 ++++++++++++++++++++------------------ 3.9/ubuntu/Dockerfile | 52 ++++++++++++++++++++------------------ Dockerfile-ubuntu.template | 52 ++++++++++++++++++++------------------ 6 files changed, 168 insertions(+), 144 deletions(-) diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile index ea45820..0d418b6 100644 --- a/3.10/ubuntu/Dockerfile +++ b/3.10/ubuntu/Dockerfile @@ -37,8 +37,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -48,7 +48,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
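Review bot: The new `ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang` and `ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl` lines use the legacy space-separated form, while the two lines they replace used `key=value`. Docker documents the space form as legacy and BuildKit's LegacyKeyValueFormat build check flags it, so `ENV ERLANG_INSTALL_PATH_PREFIX=/opt/erlang` and `ENV OPENSSL_INSTALL_PATH_PREFIX=/opt/openssl` would be the safer spelling. Later hunks in this file go the same way, turning `ENV PATH=$RABBITMQ_HOME/sbin:$PATH` and `ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq` into the space form without any functional reason. The same applies to the 3.11, 3.12 and 3.13-rc ubuntu Dockerfiles in this patch.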
@@ -91,11 +91,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -127,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
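Review bot: The comment above the `-Wl,-rpath` argument of the OpenSSL `./Configure` call still names `"$INSTALL_PATH_PREFIX/lib"`, a variable this commit removes. The matching comment in the Erlang CFLAGS hunk just below was updated, but this one was left as context, so it now describes a path that no longer exists. It should read `# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first`, with the rest of the sentence unchanged. The same stale comment remains in the corresponding hunks of the 3.11, 3.12 and 3.13-rc ubuntu Dockerfiles.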
@@ -138,7 +138,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -151,7 +151,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -178,32 +178,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:22.04 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
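Review bot: The added linkage check `RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk …` passes vacuously when nothing matches. If `find` locates no `crypto.so` or `ldd` prints no `libcrypto.so` line, awk sees no matching record and exits 0, and because the RUN uses the default shell without `pipefail`, a failing `find` or `ldd` goes unnoticed as well. `index()` also accepts the prefix anywhere in the resolved path rather than only at its start. Requiring at least one match and a leading prefix closes both gaps, e.g. `awk '/libcrypto\.so/ { n++; if (index($3, ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"]) != 1) bad = 1 } END { exit (bad || !n) }'`, and quoting `"$ERLANG_INSTALL_PATH_PREFIX"` in the `find` call would match the rest of the file. The same RUN is added to the 3.11 and 3.12 ubuntu Dockerfiles further down.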
@@ -225,7 +229,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile index d9d004a..2e645c2 100644 --- a/3.11/ubuntu/Dockerfile +++ b/3.11/ubuntu/Dockerfile @@ -37,8 +37,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -48,7 +48,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -91,11 +91,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -127,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
@@ -138,7 +138,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -151,7 +151,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -178,32 +178,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:22.04 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
@@ -225,7 +229,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index bcac171..e7251b1 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -37,8 +37,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -48,7 +48,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -91,11 +91,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -127,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
@@ -138,7 +138,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -151,7 +151,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -178,32 +178,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:22.04 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
@@ -225,7 +229,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile index 4169691..b800acc 100644 --- a/3.13-rc/ubuntu/Dockerfile +++ b/3.13-rc/ubuntu/Dockerfile @@ -37,8 +37,8 @@ ENV OTP_VERSION 26.0.2 ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -48,7 +48,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -91,11 +91,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -127,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
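Review bot: The `# add -rpath …` comment above `-Wl,-rpath=` in the OpenSSL `./Configure` hunk still names `"$INSTALL_PATH_PREFIX/lib"`, a variable this change removes. The Erlang CFLAGS hunk right after it does update its copy of the comment, so the two now disagree about which directory the rpath protects. Change the text to `"$OPENSSL_INSTALL_PATH_PREFIX/lib"` here as well. The same stale comment is left in the 3.9/ubuntu, Dockerfile-ubuntu.template and alpine Configure hunks, and in the alpine CFLAGS hunks. The enclosing `RUN` starts and ends outside this hunk.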
@@ -138,7 +138,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -151,7 +151,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -178,32 +178,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:22.04 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
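Review bot: The added `crypto.so` linkage check can pass without checking anything, because `RUN find … -exec ldd {} \; | awk …` exits with awk's status and awk fails only on a `libcrypto.so` line that resolves outside `$OPENSSL_INSTALL_PATH_PREFIX`. If `find` matches no file, `ldd` errors out, or the output has no `libcrypto.so` line, awk returns 0 (no `SHELL` with pipefail is visible in these hunks). A build whose `crypto.so` is not linked to the bundled `enable-fips` OpenSSL would then still pass this gate. Require at least one match, e.g. `awk '/libcrypto\.so/ { seen = 1; if (!index($3, ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 } END { if (!seen) exit 1 }'`, and quote `"$ERLANG_INSTALL_PATH_PREFIX"` in the `find`. The same line is added in the 3.9/ubuntu, Dockerfile-ubuntu.template and alpine hunks further down.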
@@ -225,7 +229,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile index 0a58565..64b3f0f 100644 --- a/3.9/ubuntu/Dockerfile +++ b/3.9/ubuntu/Dockerfile @@ -37,8 +37,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -48,7 +48,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -91,11 +91,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -127,8 +127,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
@@ -138,7 +138,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -151,7 +151,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -178,32 +178,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:22.04 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
@@ -225,7 +229,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index 8d523b8..4cb48ed 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -71,8 +71,8 @@ ENV OTP_VERSION {{ .otp.version }} ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -82,7 +82,7 @@ ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" RUN set -eux; \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -125,11 +125,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -161,8 +161,8 @@ RUN set -eux; \ cd "$OTP_PATH"; \ export ERL_TOP="$OTP_PATH"; \ CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ 
@@ -172,7 +172,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -185,7 +185,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -212,32 +212,36 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM ubuntu:{{ .ubuntu.version }} -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Check that OpenSSL still works after copying from previous builder ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ 
@@ -259,7 +263,7 @@ ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" ENV RABBITMQ_HOME=/opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ From daf0c85adf02108dda23c62d5e18b739f58f2c89 Mon Sep 17 00:00:00 2001 From: Luke Bakken Date: Tue, 29 Aug 2023 13:33:26 -0700 Subject: [PATCH 4/4] Update alpine dockerfile to install Erlang and OpenSSL to /opt --- 3.10/alpine/Dockerfile | 59 +++++++++++++++++++++----------------- 3.10/ubuntu/Dockerfile | 8 +++--- 3.11/alpine/Dockerfile | 59 +++++++++++++++++++++----------------- 3.11/ubuntu/Dockerfile | 8 +++--- 3.12/alpine/Dockerfile | 59 +++++++++++++++++++++----------------- 3.12/ubuntu/Dockerfile | 8 +++--- 3.13-rc/alpine/Dockerfile | 59 +++++++++++++++++++++----------------- 3.13-rc/ubuntu/Dockerfile | 8 +++--- 3.9/alpine/Dockerfile | 59 +++++++++++++++++++++----------------- 3.9/ubuntu/Dockerfile | 8 +++--- Dockerfile-alpine.template | 59 +++++++++++++++++++++----------------- Dockerfile-ubuntu.template | 8 +++--- 12 files changed, 216 insertions(+), 186 deletions(-) diff --git a/3.10/alpine/Dockerfile b/3.10/alpine/Dockerfile index 0f896d9..80545e0 100644 --- a/3.10/alpine/Dockerfile +++ b/3.10/alpine/Dockerfile @@ -36,8 +36,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html 
@@ -50,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ @@ -92,11 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder 
@@ -131,7 +131,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -141,7 +141,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ @@ -154,7 +154,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -180,40 +180,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:3.18 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -241,11 +246,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.10.25 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.10/ubuntu/Dockerfile b/3.10/ubuntu/Dockerfile index 0d418b6..ccd1597 100644 --- a/3.10/ubuntu/Dockerfile +++ b/3.10/ubuntu/Dockerfile @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -189,7 +189,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:22.04 -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
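Review bot: In the run-time dependency scan of the 3.10/alpine final stage, the awk filter still tests `/usr/local/lib/`, although this change moves the bundled libraries under `$OPENSSL_INSTALL_PATH_PREFIX`. The new `grep -v '^$\|lib\(crypto\|ssl\)'` therefore does the exclusion by name instead. A name match drops any needed library whose soname merely contains `libcrypto` or `libssl`, and it keeps doing so even if the bundled copy is missing from the image. Testing for the file where it is now installed keeps the original intent: `| awk 'system("test -e " ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"] "/lib/" $1) == 0 { next } { print "so:" $1 }'`, with `grep -v '^$'` kept only for the blank lines. The 3.11/alpine hunk repeats the same pipeline, and the enclosing `RUN` continues past this hunk.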
@@ -225,8 +225,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.10.25 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH diff --git a/3.11/alpine/Dockerfile b/3.11/alpine/Dockerfile index b5c0dbb..d871f5a 100644 --- a/3.11/alpine/Dockerfile +++ b/3.11/alpine/Dockerfile @@ -36,8 +36,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -50,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -92,11 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -131,7 +131,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -141,7 +141,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ 
@@ -154,7 +154,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -180,40 +180,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:3.18 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -241,11 +246,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.11.21 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.11/ubuntu/Dockerfile b/3.11/ubuntu/Dockerfile index 2e645c2..66cf9c4 100644 --- a/3.11/ubuntu/Dockerfile +++ b/3.11/ubuntu/Dockerfile @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -189,7 +189,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:22.04 -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
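Review bot: The added `find … -exec ldd {} \; | awk …` check in the `@@ -180,40 +180,45 @@` hunk passes when nothing was checked. If `find` matches no `crypto.so`, or `ldd` prints no `libcrypto.so` line, awk never reaches `exit 1`; and because only awk's status counts in the pipeline, a failing `find` or `ldd` is masked as well. This step is what asserts that Erlang's crypto library resolves to the OpenSSL under `$OPENSSL_INSTALL_PATH_PREFIX` rather than a distro libcrypto, so it should fail on an empty result: `awk '/libcrypto\.so/ { seen = 1; if (index($3, ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"]) != 1) bad = 1 } END { exit (bad || !seen) }'`. Comparing `index(...)` with 1 also requires the prefix at the start of the resolved path instead of anywhere in it. The same line is added in the 3.12, 3.13-rc and 3.9 alpine Dockerfiles and in Dockerfile-alpine.template, which looks like the source the versioned files are generated from, so the change belongs there.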
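Review bot: The `@@ -241,11 +246,11 @@` hunk rewrites `ENV` lines from `key=value` to the legacy space-separated form (`ENV RABBITMQ_HOME /opt/rabbitmq`, `ENV PATH $RABBITMQ_HOME/sbin:$PATH`), which is the deprecated syntax that BuildKit's build checks report as LegacyKeyValueFormat. The rewrite is unrelated to the install-path move as far as the hunk shows, and for `RABBITMQ_PGP_KEY_ID` it also drops the quoting around the key fingerprint. Keeping `ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"`, `ENV RABBITMQ_HOME=/opt/rabbitmq` and `ENV PATH=$RABBITMQ_HOME/sbin:$PATH` avoids the churn. The same conversion appears in the final-stage `ENV` lines of the `@@ -180,40 +180,45 @@` hunk and in the matching hunks of the other Dockerfiles and the template.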
@@ -225,8 +225,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.11.21 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH diff --git a/3.12/alpine/Dockerfile b/3.12/alpine/Dockerfile index 50ff9c6..58b46d5 100644 --- a/3.12/alpine/Dockerfile +++ b/3.12/alpine/Dockerfile @@ -36,8 +36,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -50,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -92,11 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -131,7 +131,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -141,7 +141,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ 
@@ -154,7 +154,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -180,40 +180,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:3.18 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -241,11 +246,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.12.2 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.12/ubuntu/Dockerfile b/3.12/ubuntu/Dockerfile index e7251b1..b00b77c 100644 --- a/3.12/ubuntu/Dockerfile +++ b/3.12/ubuntu/Dockerfile @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -189,7 +189,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:22.04 -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
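Review bot: In the `runDeps` pipeline of the `@@ -180,40 +180,45 @@` hunk, the awk stage still tests `/usr/local/lib/`, although `scanelf` now scans `$ERLANG_INSTALL_PATH_PREFIX` and `$OPENSSL_INSTALL_PATH_PREFIX` and the custom libraries appear to live under `$OPENSSL_INSTALL_PATH_PREFIX/lib`. The self-provided libraries are instead excluded by the new name-based `grep -v`, whose unanchored `lib\(crypto\|ssl\)` would also drop any other soname containing that text, leaving that dependency uninstalled. Pointing the existence test at the real location keeps a single mechanism: `| awk 'system("test -e " ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"] "/lib/" $1) == 0 { next } { print "so:" $1 }' \`. With that in place the `grep -v` can likely be reduced to `'^$'` or removed. The identical pipeline is in the 3.11, 3.13-rc and 3.9 alpine Dockerfiles and in Dockerfile-alpine.template.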
@@ -225,8 +225,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.12.2 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH diff --git a/3.13-rc/alpine/Dockerfile b/3.13-rc/alpine/Dockerfile index b307508..be16a05 100644 --- a/3.13-rc/alpine/Dockerfile +++ b/3.13-rc/alpine/Dockerfile @@ -36,8 +36,8 @@ ENV OTP_VERSION 26.0.2 ENV OTP_SOURCE_SHA256="47853ea9230643a0a31004433f07a71c1b92d6e0094534f629e3b75dbc62f193" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -50,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -92,11 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -131,7 +131,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -141,7 +141,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ 
@@ -154,7 +154,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -180,40 +180,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:3.18 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -241,11 +246,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.13.0-beta.4 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.13-rc/ubuntu/Dockerfile b/3.13-rc/ubuntu/Dockerfile index b800acc..f45bb13 100644 --- a/3.13-rc/ubuntu/Dockerfile +++ b/3.13-rc/ubuntu/Dockerfile @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -189,7 +189,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:22.04 -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
@@ -225,8 +225,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.13.0-beta.4 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH diff --git a/3.9/alpine/Dockerfile b/3.9/alpine/Dockerfile index 44e090b..53b4536 100644 --- a/3.9/alpine/Dockerfile +++ b/3.9/alpine/Dockerfile @@ -36,8 +36,8 @@ ENV OTP_VERSION 25.3.2.5 ENV OTP_SOURCE_SHA256="1f899b4b1ef8569c08713b76bc54607a09503a1d188e6d61512036188cc356db" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -50,7 +50,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -92,11 +92,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -131,7 +131,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -141,7 +141,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ 
@@ -154,7 +154,7 @@ RUN set -eux; \ --enable-smp-support \ --enable-threads \ --with-microstate-accounting=extra \ - --with-ssl="$INSTALL_PATH_PREFIX" \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ --without-common_test \ --without-debugger \ --without-dialyzer \ 
@@ -180,40 +180,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:3.18 -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -241,11 +246,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.9.29 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/3.9/ubuntu/Dockerfile b/3.9/ubuntu/Dockerfile index 64b3f0f..0fcfddc 100644 --- a/3.9/ubuntu/Dockerfile +++ b/3.9/ubuntu/Dockerfile @@ -107,7 +107,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -189,7 +189,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:22.04 -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
@@ -225,8 +225,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION 3.9.29 # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 727c750..aed10a6 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -70,8 +70,8 @@ ENV OTP_VERSION {{ .otp.version }} ENV OTP_SOURCE_SHA256="{{ .otp.sha256 }}" # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages -ENV INSTALL_PATH_PREFIX='/usr/local/erlang' -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl # Install dependencies required to build Erlang/OTP from source # https://erlang.org/doc/installation_guide/INSTALL.html @@ -84,7 +84,7 @@ RUN set -eux; \ \ OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$INSTALL_PATH_PREFIX/etc/ssl"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Required by the crypto & ssl Erlang/OTP applications wget --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ 
@@ -126,11 +126,11 @@ RUN set -eux; \ ./Configure \ "$opensslMachine" \ enable-fips \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$INSTALL_PATH_PREFIX/lib" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$INSTALL_PATH_PREFIX/lib" \ + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ ${opensslExtraConfig:-} \ ; \ # Compile, install OpenSSL, verify that the command-line works & development headers are present @@ -141,7 +141,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -165,7 +165,7 @@ RUN set -eux; \ export ERL_TOP="$OTP_PATH"; \ export CFLAGS='-g -O2'; \ # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$INSTALL_PATH_PREFIX/lib"; \ + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ @@ -175,7 +175,7 @@ RUN set -eux; \ amd64 | arm64) jitFlag='--enable-jit' ;; \ esac; \ ./configure \ - --prefix="$INSTALL_PATH_PREFIX" \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ --host="$hostArch" \ --build="$buildArch" \ --disable-hipe \ 
@@ -188,7 +188,7 @@ RUN set -eux; \
 --enable-smp-support \
 --enable-threads \
 --with-microstate-accounting=extra \
- --with-ssl="$INSTALL_PATH_PREFIX" \
+ --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \
 --without-common_test \
 --without-debugger \
 --without-dialyzer \
@@ -214,40 +214,45 @@ RUN set -eux; \ make install; \ \ # Remove unnecessary files - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' 
FROM alpine:{{ .alpine.version }} -# INSTALL_PATH_PREFIX is in a different stage, so define it again -ENV INSTALL_PATH_PREFIX /usr/local/erlang -COPY --from=erlang-builder "$INSTALL_PATH_PREFIX" "$INSTALL_PATH_PREFIX" -ENV PATH="$INSTALL_PATH_PREFIX/bin:$PATH" +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH -ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq +ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq RUN set -eux; \ # Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$INSTALL_PATH_PREFIX/etc/ssl"; \ + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ \ # Ensure run-time dependencies are installed runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + scanelf --needed --nobanner --format '%n#p' --recursive $ERLANG_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX \ | tr ',' '\n' \ | sort -u \ + | grep -v '^$\|lib\(crypto\|ssl\)' \ | awk 'system("test -e /usr/local/lib/" $1) == 0 { next } { print "so:" $1 }' \ )"; \ apk add --no-cache --virtual .otp-run-deps $runDeps; \ \ # Check that OpenSSL still works after copying from previous builder - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$INSTALL_PATH_PREFIX/bin/openssl" ]; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" 
\ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ openssl version; \ openssl version -d; \ \ @@ -275,11 +280,11 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION {{ .version }} # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH -ENV PATH=$RABBITMQ_HOME/sbin:$PATH +ENV PATH $RABBITMQ_HOME/sbin:$PATH # Install RabbitMQ RUN set -eux; \ diff --git a/Dockerfile-ubuntu.template b/Dockerfile-ubuntu.template index 4cb48ed..3dd4faf 100644 --- a/Dockerfile-ubuntu.template +++ b/Dockerfile-ubuntu.template @@ -141,7 +141,7 @@ RUN set -eux; \ ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" # smoke test -RUN openssl version +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version FROM openssl-builder as erlang-builder @@ -223,7 +223,7 @@ RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [cry FROM ubuntu:{{ .ubuntu.version }} -# ERLANG_INSTALL_PATH_PREFIX is in a different stage, so define it again +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX 
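Review bot: The new linkage check `find … -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { … exit 1 }'` passes vacuously. If `find` matches no `crypto.so`, or `ldd` prints no `libcrypto.so` line, awk has nothing to reject and exits 0, and without `pipefail` a failing `find` or `ldd` is masked as well. This step is the guard that Erlang's crypto is bound to the OpenSSL under `$OPENSSL_INSTALL_PATH_PREFIX` and not a system libcrypto, so it should fail closed, e.g. `awk '/libcrypto\.so/ { seen=1; if (index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"]) != 1) bad=1 } END { exit (bad || !seen) }'`; the `!= 1` also turns the substring match into a prefix match. In the final stage the runDeps awk filter still tests `/usr/local/lib/`, which as far as this hunk shows no longer holds these libraries, so that clause looks dead and the added `grep -v` carries the whole exclusion.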
@@ -259,8 +259,8 @@ RUN set -eux; \ # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ENV RABBITMQ_VERSION {{ .version }} # https://www.rabbitmq.com/signatures.html#importing-gpg -ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA" -ENV RABBITMQ_HOME=/opt/rabbitmq +ENV RABBITMQ_PGP_KEY_ID 0x0A9AF2115F4687BD29803A206B73A36E6026DFCA +ENV RABBITMQ_HOME /opt/rabbitmq # Add RabbitMQ to PATH ENV PATH $RABBITMQ_HOME/sbin:$PATH