# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
# BUILDARCH picks the per-architecture assets image; an ARG has to be declared
# before FROM to be usable in it. The image is referenced by a mutable tag
# (teleport14-<arch>), not by digest, so a re-push of that tag silently changes
# the /opt/llvm tree the final stage copies out of it.
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDARCH} AS teleport-buildbox-centos7-assets
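FROM centos:7 AS libbpf
# Throwaway stage: only /opt/libbpf/usr (static library + headers) is copied
# into the final image, so the toolchain installed here never ships.
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
centos-release-scl \
devtoolset-11-gcc* \
devtoolset-11-make \
elfutils-libelf-devel-static \
scl-utils && \
yum clean all
# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY=y is passed to both the build and the install step so the
# unused libbpf.so is never compiled (passing it only to `make install` still
# built the shared library first); the installed tree is unchanged.
# NOTE(review): unlike the Go tarball in the boringssl stage, this archive is
# not checksum-verified. The version is a build ARG, so a pinned hash would
# have to be supplied by the same Makefile that supplies LIBBPF_VERSION.
# curl is restricted to HTTPS (no downgrade via redirect), matching the rustup
# download in the final stage; -f still turns an HTTP error into a failed layer.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && cd /opt && \
curl --proto '=https' --tlsv1.2 -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
cd /opt/libbpf-${LIBBPF_VERSION}/src && \
scl enable devtoolset-11 "BUILD_STATIC_ONLY=y make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"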
FROM centos:7 AS boringssl
# The below tools are required in order to build and compile the module:
# Clang compiler version 7.0.1
# Go programming language version 1.12.7
# Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
#
# The three tool versions above are the ones the security policy names, so
# each is pinned individually below (clang from the SCL package of that exact
# version, Go and Ninja fetched at that exact release) instead of being taken
# from whatever yum resolves at build time. Do not bump them without re-reading
# the security policy. Only /opt/boringssl leaves this stage, so no
# `yum clean all` is needed here.
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
cmake3 \
llvm-toolset-7.0-clang-7.0.1 \
git
# Go 1.12.7 for the FIPS build: the tarball is pinned by URL and checked against
# a hard-coded sha256 before extraction, so a tampered or silently re-published
# archive fails the layer. This is the only download in the file that is
# integrity-checked; the archive is amd64-only and ignores BUILDARCH.
# GOROOT and /var/lib are made world-writable and / read-only; the loose GOROOT
# permissions stay in this throwaway stage and never reach the final image.
RUN mkdir -p /opt && cd /opt && \
curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
tar xf go1.12.7.linux-amd64.tar.gz && \
rm -f go1.12.7.linux-amd64.tar.gz && \
chmod a+w /opt/go && \
chmod a+w /var/lib && \
chmod a-w /
# /opt/llvm is not populated in this stage; it is on PATH only so the clang from
# the SCL toolset is found the same way as in the final image.
ENV GOPATH="/go" \
GOROOT="/opt/go" \
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin"
# Ninja 1.9.0 built from source at its release tag (no WORKDIR is set, so the
# clone lands in /). NOTE(review): this checkout is by tag, whereas BoringSSL
# below is checked out by full commit hash. A tag can be moved upstream, so of
# the three pinned tools this is the one whose source is not content-addressed;
# pinning the commit that v1.9.0 points at would close that gap.
RUN git clone https://github.com/ninja-build/ninja.git && \
cd ninja && \
git checkout v1.9.0 && \
./configure.py --bootstrap && \
mv ninja /usr/bin
# Build BoringSSL at the validated commit with -DFIPS=1, Release, Ninja and the
# SCL clang. The commit is a full SHA-1, so the checkout is content-addressed.
# The `cd /opt/boringssl/build` inside the quoted command is repeated on purpose:
# `scl enable` runs its command string in a fresh shell, so the preceding `cd`
# does not carry over. The result is a build tree, not an installed prefix;
# that tree is what the final stage copies to /opt/boringssl.
RUN mkdir -p /opt && cd /opt && \
git clone https://github.com/google/boringssl.git && \
cd boringssl && \
git checkout ae223d6138807a13006342edfeef32e813246b39 && \
mkdir build && \
cd build && \
scl enable llvm-toolset-7.0 "cd /opt/boringssl/build && cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && ninja"
FROM centos:7
# Final (buildbox) stage. Builds and tests run as the unprivileged `ci` user
# whose UID/GID are passed in at build time — presumably to match the host
# user that owns the mounted source tree; verify against the Makefile.
ENV LANGUAGE=en_US.UTF-8 \
LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
LC_CTYPE=en_US.UTF-8
ARG UID
ARG GID
# -o lets the group reuse a GID already present in the base image; the user has
# no such override, so a UID that collides with an existing account fails the
# build. /var/lib/teleport is created 0700 and owned by ci (group stays root).
RUN groupadd -o --gid="$GID" ci && \
useradd --uid="$UID" --gid="$GID" --create-home --shell=/bin/sh ci && \
install -d -m 0700 -o ci /var/lib/teleport
# Build and test dependencies for the final image. The full toolchain stays in
# the image because this is a buildbox: the Teleport source tree is mounted
# into it (see the VOLUME at the end of the file) and compiled here. The `#`
# lines between the continuation lines are removed by the Dockerfile parser
# and never reach yum.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
# required by libbpf
centos-release-scl \
# required by libbpf — the whole toolset via glob, a superset of the
# gcc*/make subset that the libbpf build stage itself installs
devtoolset-11-* \
# required by libbpf
elfutils-libelf-devel-static \
git \
net-tools \
# required to create bindings for Rust's boring-rs crate; same pinned clang
# release the boringssl stage uses
llvm-toolset-7.0-clang-7.0.1 \
# required by Teleport PAM support
pam-devel \
perl-IPC-Cmd \
tree \
# used by our Makefile
which \
zip \
# required by libbpf
zlib-static && \
yum clean all
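# Install Go.
# NOTE(review): this download is not checksum-verified, unlike the Go 1.12.7
# tarball in the boringssl stage. GOLANG_VERSION is a build ARG, so a pinned
# hash would have to be supplied alongside it by the Makefile. curl is
# restricted to HTTPS (no downgrade through a redirect), matching the rustup
# download below; -f still fails the layer on an HTTP error.
# NOTE(review): /var/lib is left world-writable in the final image although
# /var/lib/teleport is already owned by ci — check whether the broader grant
# is still needed. / is made read-only afterwards.
ARG GOLANG_VERSION
RUN mkdir -p /opt && cd /opt && curl --proto '=https' --tlsv1.2 -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
mkdir -p /go/src/github.com/gravitational/teleport && \
chmod a+w /go && \
chmod a+w /var/lib && \
chmod a-w /
# GOEXPERIMENT=boringcrypto is the Go toolchain switch for its BoringCrypto-
# backed crypto packages, i.e. the FIPS-relevant build mode of this image.
# The build/ directory of the mounted checkout is appended to PATH, so binaries
# produced by the build are runnable by name; it comes last, so it cannot
# shadow system or toolchain binaries.
ENV GOEXPERIMENT=boringcrypto \
GOPATH="/go" \
GOROOT="/opt/go" \
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"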
# Install PAM module and policies for testing.
# pam/ comes from the build context; its own Makefile decides where the module
# and policy files are installed. This still runs as root (the USER switch to
# ci comes later), and / is set read-only again after the install.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install
RUN chmod a-w /
ARG RUST_VERSION
# The Rust toolchain lives under /usr/local/{rustup,cargo}. Both trees are made
# world-writable so the non-root `ci` user can install into them; this also
# means any build step running as ci can modify the toolchain itself.
# RUST_VERSION is exported into the runtime environment as well as used here.
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH \
RUST_VERSION=$RUST_VERSION
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
# Install Rust using the ci user, as that is the user that
# will run builds using the Rust toolchains we install here.
# This is the last USER switch in the Dockerfile, so everything after it, and
# the container by default, runs as ci rather than root.
USER ci
# The installer is fetched over HTTPS only (--proto '=https' rejects a
# downgrade through redirects) and piped to sh; the script itself is not
# pinned or checksummed, only the toolchain it installs (RUST_VERSION) is.
# NOTE(review): to pin the installer too, fetch a specific rustup-init release
# and verify its checksum the way the boringssl stage does for the Go tarball.
# The version prints fail the layer early if the install did not take.
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
rustup --version && \
cargo --version && \
rustc --version && \
rustup component add rustfmt clippy && \
rustup target add aarch64-unknown-linux-gnu
ARG WASM_PACK_VERSION
# Install wasm-pack for targeting WebAssembly from Rust.
# NOTE(review): the crate version is pinned but its dependency graph is
# resolved fresh at build time. Adding --locked would build from the crate's
# shipped Cargo.lock instead — confirm that lockfile builds with RUST_VERSION
# before adopting it.
RUN cargo install wasm-pack --version ${WASM_PACK_VERSION}
# Copy BoringSSL into the final image
# This is the build tree from the boringssl stage (built with -DFIPS=1 at the
# validated commit), not an installed prefix; the boring-rs crate is pointed at
# it directly below. Nothing else from that stage (its Go 1.12.7, clang 7 or
# ninja) is carried over. COPY ignores the USER switch above, so these files
# are root-owned; ci only needs to read them.
COPY --from=boringssl /opt/boringssl /opt/boringssl
# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl
ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
# Static libbpf plus headers from the libbpf stage, placed under a prefix that
# carries the version — presumably so the Makefile can select it by
# LIBBPF_VERSION; verify against the build.
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}
# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
# Which assets image this is was decided by the FROM alias at the top of the
# file (a mutable tag, not a digest). BUILDARCH is redeclared here but is not
# referenced again in this stage.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
# Mount point for the source checkout; its build/ directory is already on PATH
# (see the Go ENV above). Declared after all writes, so nothing is discarded.
VOLUME ["/go/src/github.com/gravitational/teleport"]
# EXPOSE is documentation only; it publishes nothing by itself.
EXPOSE 6600 2379 2380