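# Buildbox image: CentOS 7 with the Go (boringcrypto), Rust and Node toolchains,
# a FIPS build of BoringSSL, a static libbpf and a prebuilt clang, used to build
# Teleport as the unprivileged `ci` user.
#
# Supply-chain notes for reviewers:
#   * Every stage starts from the mutable tag `centos:7` and runs `yum update -y`,
#     so two builds of this file can produce different images. Pin the base by
#     digest (centos:7@sha256:<DIGEST-PLACEHOLDER>) if reproducibility matters.
#     CentOS 7 is end-of-life upstream, so this base no longer receives security fixes.
#   * Only the Go 1.12.7 tarball in the boringssl stage is checked against a
#     pinned SHA-256. The libbpf, etcd, Go (final stage) and Node downloads and
#     the rustup installer rely on TLS alone.
#   * Each stage sets `pipefail` so a failed download in a `curl | tar` or
#     `curl | sh` pipeline fails the build instead of being masked by the
#     right-hand command's exit status.

# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport13-${BUILDARCH} AS teleport-buildbox-centos7-assets

FROM centos:7 AS libbpf

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        centos-release-scl \
        devtoolset-11-gcc* \
        devtoolset-11-make \
        elfutils-libelf-devel-static \
        scl-utils && \
    yum clean all

# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
# NOTE(review): the tarball is streamed straight into tar with no digest check.
# Download it to a file and run `sha256sum --check` against a pinned value, as
# the Go 1.12.7 step in the boringssl stage does.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && cd /opt && \
    curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
    scl enable devtoolset-11 "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"

FROM centos:7 AS boringssl

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# The below tools are required in order to build and compile the module:
#   Clang compiler version 7.0.1
#   Go programming language version 1.12.7
#   Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf

# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        cmake3 \
        llvm-toolset-7.0-clang-7.0.1 \
        git

# Go 1.12.7 is verified against a pinned SHA-256 before it is unpacked.
RUN mkdir -p /opt && cd /opt && \
    curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
    echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
    tar xf go1.12.7.linux-amd64.tar.gz && \
    rm -f go1.12.7.linux-amd64.tar.gz && \
    chmod a+w /opt/go && \
    chmod a+w /var/lib && \
    chmod a-w /

ENV GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin"

# NOTE(review): ninja is pinned by tag (v1.9.0), and a git tag can be moved
# upstream. Checking out the full commit id instead, as the BoringSSL step
# below does, would make this input immutable.
RUN git clone https://github.com/ninja-build/ninja.git && \
    cd ninja && \
    git checkout v1.9.0 && \
    ./configure.py --bootstrap && \
    mv ninja /usr/bin

# BoringSSL is pinned to the full commit id named in the FIPS note above.
RUN mkdir -p /opt && cd /opt && \
    git clone https://github.com/google/boringssl.git && \
    cd boringssl && \
    git checkout ae223d6138807a13006342edfeef32e813246b39 && \
    mkdir build && \
    cd build && \
    scl enable llvm-toolset-7.0 "cd /opt/boringssl/build && cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && ninja"

FROM centos:7

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

ENV LANGUAGE=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    LC_CTYPE=en_US.UTF-8

# UID and GID have no defaults here, so the build must pass them. The `ci`
# account mirrors the invoking user's ids (-o permits a non-unique GID).
ARG UID
ARG GID
RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
     mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)

RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
    # required by libbpf
    centos-release-scl \
    # required by libbpf
    devtoolset-11-* \
    # required by libbpf
    elfutils-libelf-devel-static \
    git \
    net-tools \
    # required to create bindings for Rust's boring-rs crate
    llvm-toolset-7.0-clang-7.0.1 \
    # required by Teleport PAM support
    pam-devel \
    perl-IPC-Cmd \
    tree \
    # used by our Makefile
    which \
    zip \
    # required by libbpf
    zlib-static && \
    yum clean all

# Install etcd.
# NOTE(review): no digest check on this release tarball; pin a SHA-256 and verify before extracting.
RUN (curl -fsSL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
     cp etcd-v3.3.9-linux-amd64/etcd* /bin/)

# Install Go.
# NOTE(review): unlike the Go 1.12.7 download in the boringssl stage, this
# toolchain tarball is not verified. A per-version checksum build arg checked
# with `sha256sum --check` would close that gap.
# /go and /var/lib are made world-writable so the build user can write there;
# / itself is made read-only for non-owners.
ARG GOLANG_VERSION
RUN mkdir -p /opt && cd /opt && curl -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
    mkdir -p /go/src/github.com/gravitational/teleport && \
    chmod a+w /go && \
    chmod a+w /var/lib && \
    chmod a-w /
ENV GOEXPERIMENT=boringcrypto \
    GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"

# Install node.
RUN yum install -y python3 && \
    yum clean all
ARG NODE_VERSION
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
# The download is fixed to the x64 build, matching the amd64 Go and etcd
# archives above. The previous NODE_ARCH computation was dead code: its result
# was never used in the URL, and BUILDARCH is not declared in this stage before
# this step, so it would have expanded to an empty string.
# NOTE(review): the archive is not checked against a pinned digest.
# The temporary archive is removed in the same layer so it does not stay in the image.
RUN export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" && \
    mkdir -p "${NODE_PATH}" && \
    curl -o /tmp/nodejs.tar.xz -fsSL "${NODE_URL}" && \
    tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1 && \
    rm -f /tmp/nodejs.tar.xz
RUN node --version
RUN corepack enable yarn

# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

RUN chmod a-w /

ARG RUST_VERSION
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=$RUST_VERSION

# NOTE(review): RUSTUP_HOME is world-writable and CARGO_HOME recursively so,
# and /usr/local/cargo/bin is first on PATH. Any user in the container can
# therefore replace the toolchain binaries. That is acceptable only while the
# container runs a single trusted build user; otherwise chown these trees to `ci`.
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
    mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME

# Install Rust using the ci user, as that is the user that
# will run builds using the Rust toolchains we install here.
# The toolchain version is pinned through RUST_VERSION, but the installer
# script itself is fetched unpinned over HTTPS and piped to sh.
USER ci
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
    rustup --version && \
    cargo --version && \
    rustc --version && \
    rustup component add rustfmt clippy && \
    rustup target add aarch64-unknown-linux-gnu

# Copy BoringSSL into the final image
COPY --from=boringssl /opt/boringssl /opt/boringssl

# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl
ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include

ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}

# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm

VOLUME ["/go/src/github.com/gravitational/teleport"]
EXPOSE 6600 2379 2380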