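# Build stage: compiles libbpf with devtoolset-11 and installs it under /opt/libbpf.
# NOTE(review): centos:7 is a floating tag; pinning it by digest
# (centos:7@sha256:<DIGEST_PLACEHOLDER>) would make the base reproducible.
FROM centos:7 AS libbpf

# Install required dependencies.
# The package list must end with `&&`: with a bare line continuation the words
# `yum clean all` are handed to `yum install` as package names and the cache
# cleanup never runs as a command.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        # required by libbpf
        centos-release-scl \
        # required by libbpf
        devtoolset-11-gcc* \
        # required by libbpf
        devtoolset-11-make \
        # required by libbpf
        elfutils-libelf-devel-static \
        git \
        # required by libbpf
        scl-utils && \
    yum clean all

# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY (set on the install step) disables libbpf.so as we don't need it.
#
# LIBBPF_VERSION has no default, so the step stops early with a clear message
# when the build arg is missing instead of requesting a "v.tar.gz" URL.
# `set -o pipefail` and `curl -f` make a failed or error-page download fail the
# step at the download rather than somewhere inside tar.
# NOTE(review): the source archive is selected by tag and unpacked without an
# integrity check. Pinning its SHA-256 and running `sha256sum --check` before
# extraction (as the Go 1.12.7 download in the boringssl stage does) would
# detect a moved tag or an altered archive.
ARG LIBBPF_VERSION
RUN set -o pipefail && \
    : "${LIBBPF_VERSION:?LIBBPF_VERSION build arg is required}" && \
    mkdir -p /opt && cd /opt && \
    curl -fL https://github.com/gravitational/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
    scl enable devtoolset-11 "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"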
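# Build stage: builds BoringSSL in FIPS mode under /opt/boringssl.
FROM centos:7 AS boringssl

# The below tools are required in order to build and compile the module:
# Clang compiler version 7.0.1
# Go programming language version 1.12.7
# Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
#
# NOTE(review): the tool versions below look deliberately fixed to match that
# document; confirm against it before changing any of them.

# Install required dependencies.
# `yum clean all` is added for consistency with the other yum steps in this file.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        cmake3 \
        llvm-toolset-7.0-clang-7.0.1 \
        git && \
    yum clean all

# Go toolchain for the BoringSSL build. The archive is checked against a pinned
# SHA-256 before it is unpacked; `-f` makes an HTTP error fail at the download
# instead of saving an error page for the checksum step to reject.
# NOTE(review): the chmod calls mirror the final stage; nothing visible in this
# stage runs as a non-root user, so they may be unnecessary here.
RUN mkdir -p /opt && cd /opt && \
    curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
    echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
    tar xf go1.12.7.linux-amd64.tar.gz && \
    rm -f go1.12.7.linux-amd64.tar.gz && \
    chmod a+w /opt/go && \
    chmod a+w /var/lib && \
    chmod a-w /
ENV GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin"

# Ninja is built from source and moved to /usr/bin. No WORKDIR is set in this
# stage, so the clone lands in the default working directory.
# NOTE(review): v1.9.0 is a tag, which upstream can move. Checking out the
# commit it is expected to resolve to (<NINJA_V1_9_0_COMMIT_PLACEHOLDER>) would
# pin the build tool the same way BoringSSL is pinned below.
RUN git clone https://github.com/ninja-build/ninja.git && \
    cd ninja && \
    git checkout v1.9.0 && \
    ./configure.py --bootstrap && \
    mv ninja /usr/bin

# BoringSSL is pinned to a full commit id (the one named in the header above),
# so the checkout fixes the exact source tree. -DFIPS=1 selects the FIPS build;
# clang comes from the llvm-toolset-7.0 software collection.
RUN mkdir -p /opt && cd /opt && \
    git clone https://github.com/google/boringssl.git && \
    cd boringssl && \
    git checkout ae223d6138807a13006342edfeef32e813246b39 && \
    mkdir build && \
    cd build && \
    scl enable llvm-toolset-7.0 "cd /opt/boringssl/build && cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && ninja"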
# Final stage: the image that builds run in.
# NOTE(review): centos:7 is a floating tag (a digest pin would make it
# reproducible), and CentOS 7 reached end of life in June 2024, so the
# `yum update` steps in this file no longer pick up upstream security fixes.
FROM centos:7

# UTF-8 locale for every process in the container.
ENV LANGUAGE=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    LC_CTYPE=en_US.UTF-8

# Unprivileged build account. UID and GID are build args without defaults.
# `-o` lets groupadd accept a GID that is already present in the image.
# /var/lib/teleport is created with mode 0700 and handed to ci.
ARG UID
ARG GID
RUN groupadd ci --gid="$GID" -o && \
    useradd ci --uid="$UID" --gid="$GID" --create-home --shell=/bin/sh && \
    mkdir -p -m0700 /var/lib/teleport && \
    chown -R ci /var/lib/teleport
# OS packages for the final image, installed and cleaned up in a single layer.
# `yum update -y` takes whatever the repositories serve at build time and
# `devtoolset-11-*` matches every package of that collection, so the package
# set is not fixed from one build to the next.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        # required by libbpf
        centos-release-scl \
        # required by libbpf
        devtoolset-11-* \
        # required by libbpf
        elfutils-libelf-devel-static \
        git \
        # required to create bindings for Rust's boring-rs crate
        llvm-toolset-7.0-clang-7.0.1 \
        net-tools \
        # required by Teleport PAM support
        pam-devel \
        perl-IPC-Cmd \
        tree \
        # used by our Makefile
        which \
        zip \
        # required by libbpf
        zlib-static && \
    yum clean all
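# Install etcd.
# The archive is unpacked in a scratch directory that is removed in the same
# layer, so only the etcd* binaries copied to /bin stay in the image.
# `set -o pipefail` and `curl -f` make a failed download fail this step.
# NOTE(review): the release archive is not verified. Pinning its SHA-256 and
# running `sha256sum --check` before extraction (as the Go 1.12.7 download in
# the boringssl stage does) would detect a replaced or corrupted archive.
RUN set -o pipefail && \
    mkdir -p /tmp/etcd && \
    curl -fL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz -C /tmp/etcd && \
    cp /tmp/etcd/etcd-v3.3.9-linux-amd64/etcd* /bin/ && \
    rm -rf /tmp/etcd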
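# Install Go.
# GOLANG_VERSION has no default and is used verbatim as the archive name
# prefix, so the step stops early with a clear message when it is missing.
# `set -o pipefail` and `curl -f` make a failed download fail this step.
# NOTE(review): the toolchain archive is unpacked without an integrity check;
# a pinned SHA-256 per GOLANG_VERSION, verified with `sha256sum --check`
# (as the Go 1.12.7 download in the boringssl stage does), would close that gap.
# NOTE(review): /go and /var/lib become writable by every user, and /go/bin is
# on PATH below; confirm this is needed beyond the ci account.
ARG GOLANG_VERSION
RUN set -o pipefail && \
    : "${GOLANG_VERSION:?GOLANG_VERSION build arg is required}" && \
    mkdir -p /opt && cd /opt && \
    curl -f https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
    mkdir -p /go/src/github.com/gravitational/teleport && \
    chmod a+w /go && \
    chmod a+w /var/lib && \
    chmod a-w /

# GOEXPERIMENT=boringcrypto selects Go's BoringCrypto-backed crypto.
# PATH ends with a build directory inside the source tree that is declared as
# a VOLUME at the end of this file, so executables from the mounted workspace
# are resolvable by name; being last, it only serves names not found earlier.
ENV GOEXPERIMENT=boringcrypto \
    GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"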
# Install PAM module and policies for testing.
# The pam/ directory comes from the build context and its Makefile's install
# target runs as root, before the switch to the ci user further down.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

# Remove write permission on / for all classes.
RUN chmod a-w /
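# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
# `set -o pipefail` and `curl -f` make a failed download fail this step.
# NOTE(review): this archive is unpacked as root directly over /, so any path
# it contains can replace a system file, and its name carries no version, so
# its content can differ between builds. Pinning a SHA-256 and verifying it
# with `sha256sum --check` before extraction, and unpacking under a dedicated
# prefix, would bound what it can touch.
RUN set -o pipefail && \
    cd / && \
    curl -fL https://s3.amazonaws.com/clientbuilds.gravitational.io/go/centos7-assets.tar.gz | tar -xz

# Copy libbpf into the final image.
COPY --from=libbpf /opt/libbpf/usr /usr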
# Rust toolchain. RUST_VERSION is a build arg that is also exported into the
# runtime environment; cargo's bin directory is placed first on PATH.
ARG RUST_VERSION
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=$RUST_VERSION

# Create the toolchain directories as root and open them for writing so the
# installation below can run unprivileged.
# NOTE(review): both trees end up writable by every user while
# /usr/local/cargo/bin leads PATH; ownership by ci would be narrower if no
# other account needs to write here - confirm.
RUN mkdir -p "$RUSTUP_HOME" && \
    chmod a+w "$RUSTUP_HOME" && \
    mkdir -p "$CARGO_HOME/registry" && \
    chmod -R a+w "$CARGO_HOME"

# Install Rust using the ci user, as that is the user that
# will run builds using the Rust toolchains we install here.
USER ci
# curl is restricted to HTTPS and TLS 1.2 or newer and fails on HTTP errors.
# The toolchain is selected by RUST_VERSION; the installer script itself is
# piped to sh without a checksum. The three --version calls fail the step if
# the installation did not leave working binaries on PATH.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
    rustup --version && \
    cargo --version && \
    rustc --version && \
    rustup component add rustfmt clippy && \
    rustup target add aarch64-unknown-linux-gnu
# Copy BoringSSL into the final image
# The whole /opt/boringssl tree from the build stage is copied. COPY has no
# --chown here, so the files are owned by root even though USER ci is active.
COPY --from=boringssl /opt/boringssl /opt/boringssl

# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl \
    BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include

# Mount point for the source tree being built.
VOLUME ["/go/src/github.com/gravitational/teleport"]

# EXPOSE only documents ports; it does not publish them.
# NOTE(review): 2379 and 2380 are presumably for the etcd installed above.
EXPOSE 6600 2379 2380