96a13802d5
Signed-off-by: Jakub Nyckowski <jakub.nyckowski@goteleport.com> Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
# #############################################################################
# This Dockerfile aims to be the single source of truth for linux buildboxes on
# all supported architectures.
## #############################################################################

# Build-wide arguments. Both are interpolated into FROM lines below, so they
# must be declared before the first FROM (and are only visible in FROM lines).
ARG BUILDBOX_VERSION
ARG BUILDBOX_PREFIX

# NOTE(review): no later stage builds FROM or COPYs --from `base` (every stage
# derives from gcc, deps-64, clang7-boringcrypto or a $BUILDBOX_PREFIX image),
# so this stage appears unused; centos:7 is also past upstream end-of-life.
FROM centos:7 AS base

# Automatically supplied by the Docker buildkit
# (the predefined platform ARGs are usable in FROM lines without this
# declaration; declaring it here only exposes it inside the `base` stage)
ARG TARGETARCH

# Aliases
# Versioned toolchain images; referenced below via FROM (boringssl stage) and
# COPY --from (deps-64 stage).
FROM $BUILDBOX_PREFIX/buildbox-multiarch-clang7:$BUILDBOX_VERSION-$TARGETARCH AS clang7-boringcrypto
FROM $BUILDBOX_PREFIX/buildbox-multiarch-clang10:$BUILDBOX_VERSION-$TARGETARCH AS clang10

# Root target with ci user
# Most later stages derive from this one. UID and GID have no defaults, so the
# build is expected to receive both via --build-arg (groupadd should reject an
# empty --gid).
FROM $BUILDBOX_PREFIX/buildbox-multiarch-base:$BUILDBOX_VERSION-$TARGETARCH AS gcc

ARG UID
ARG GID

# -o lets the GID collide with an existing group (e.g. when mirroring the host
# user's group); useradd is given no such flag, so a colliding UID still fails.
RUN groupadd ci --gid=$GID -o && \
    useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh

# Teleport data directory, private to the ci user (0700).
RUN install --directory --mode=0700 --owner=ci --group=ci /var/lib/teleport

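## LIBPCSCLITE ################################################################
#
FROM gcc AS libpcsclite
# Branch or tag of gravitational/PCSC to build. NOTE(review): unlike the
# libfido2 stage, the checked-out commit is not compared against a known hash,
# so a moved tag changes this build silently.
ARG LIBPCSCLITE_VERSION

# Configure fails to determine correct std on ARM
ENV CFLAGS="-std=gnu99"

# Install libpcsclite - compile with a newer GCC. The one installed by default is not able to compile it.
# The build steps run in a subshell so the trailing rm runs from the clone's
# parent directory and actually removes the source tree from the layer
# (an rm issued from inside PCSC would be a no-op).
RUN git clone --depth=1 https://github.com/gravitational/PCSC.git -b ${LIBPCSCLITE_VERSION} && \
    ( cd PCSC && \
      ./bootstrap && \
      ./configure --enable-static --with-pic --disable-libsystemd && \
      make install ) && \
    rm -rf PCSC
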
## LIBFIDO2 ###################################################################
#

# Build libfido2 separately for isolation, speed and flexibility.
# Each dependency below is cloned at a tag and then compared against a pinned
# commit hash, so a moved or replaced tag fails the build instead of changing it.
FROM gcc AS libfido2

# Install libudev-zero.
# libudev-zero replaces systemd's libudev.
RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.1 && \
    cd libudev-zero && \
    [ "$(git rev-parse HEAD)" = '4154cf252c17297f98a8ca33693ead003b4509da' ] && \
    make install-static LIBDIR='$(PREFIX)/lib64'

# Install openssl.
# Pulled from source because repository versions are too old.
# install_sw installs only binaries, skips docs.
# NOTE(review): the OpenSSL 1.1.1 series is past upstream end-of-life. The
# deps-64 stage copies libcrypto.so.1.1 / libssl.so.1.1 by exact name, so a
# version bump has to be mirrored there.
RUN git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_1_1t && \
    cd openssl && \
    [ "$(git rev-parse HEAD)" = '830bf8e1e4749ad65c51b6a1d0d769ae689404ba' ] && \
    ./config --release --libdir=/usr/local/lib64 && \
    make && \
    make install_sw

# Install libcbor.
RUN git clone --depth=1 https://github.com/PJK/libcbor.git -b v0.10.2 && \
    cd libcbor && \
    [ "$(git rev-parse HEAD)" = 'efa6c0886bae46bdaef9b679f61f4b9d8bc296ae' ] && \
    cmake3 \
        -DCMAKE_CXX_FLAGS=-lpthread \
        -DCMAKE_BUILD_TYPE=Release \
        -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
        -DWITH_EXAMPLES=OFF . && \
    make && \
    make install

# Install libfido2.
# Depends on libcbor, openssl, zlib-devel and libudev.
# Linked so `make build/tsh` finds the library where it expects it.
# The deps-64 stage copies libfido2.so.1.12.0 by exact name; keep in sync.
RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.12.0 && \
    cd libfido2 && \
    [ "$(git rev-parse HEAD)" = '659a02679f99fd34a44e06e35dce90794f6ecc86' ] && \
    LDFLAGS="-lpthread" cmake3 \
        -DBUILD_EXAMPLES=OFF \
        -DBUILD_MANPAGES=OFF \
        -DBUILD_TOOLS=OFF \
        -DCMAKE_BUILD_TYPE=Release . && \
    make && \
    make install && \
    make clean

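## LIBBPF ########################################################################
#
FROM gcc AS libbpf

# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
# NOTE(review): the release tarball is not checksum-verified, unlike the
# hash-checked clones in the libfido2 stage; consider pinning a sha256 for the
# chosen LIBBPF_VERSION.
ARG LIBBPF_VERSION
# -f makes curl fail on an HTTP error instead of piping the error body into
# tar; --proto/--tlsv1.2 match the rustup download in deps-64.
RUN mkdir -p /opt && cd /opt && \
    curl -fsSL --proto '=https' --tlsv1.2 https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
    make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install
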
## Integral image for 64-bit targets #############################################
#
FROM gcc AS deps-64

# Make clang10 available
COPY --from=clang10 /opt/llvm /opt/llvm
ENV PATH="/opt/llvm/bin:$PATH"

ARG RUST_VERSION

## Install Rust ###############################################################
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=$RUST_VERSION

# World-writable so the toolchain can be installed below as the ci user.
# NOTE(review): this also lets any UID in the container modify the compiler;
# owning the directories by ci (as /var/lib/teleport is in the gcc stage) would
# be tighter if no other UID needs write access.
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
    mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME

# Installed as ci so the toolchain files are not root-owned. The version checks
# after the install are the failure signal: without pipefail a failed download
# leaves `sh` exiting 0, but rustup would then be missing from PATH.
# RUST_ARCH is not declared in this file; presumably it is set in the base
# image's environment — confirm.
USER ci
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain ${RUST_VERSION} --default-host ${RUST_ARCH} && \
    rustup --version && \
    cargo --version && \
    rustc --version && \
    rustup target add ${RUST_ARCH}

USER root

# Copy dependencies
# Library names are pinned to the versions built in the libfido2 stage.
COPY --from=libfido2 /usr/local/include/ /usr/local/include/
COPY --from=libfido2 /usr/local/lib64/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libfido2 \
    /usr/local/lib64/libcbor.a \
    /usr/local/lib64/libcrypto.a \
    /usr/local/lib64/libcrypto.so.1.1 \
    /usr/local/lib64/libfido2.a \
    /usr/local/lib64/libfido2.so.1.12.0 \
    /usr/local/lib64/libssl.a \
    /usr/local/lib64/libssl.so.1.1 \
    /usr/local/lib64/libudev.a \
    /usr/local/lib64/
# Re-create usual lib64 links.
RUN cd /usr/local/lib64 && \
    ln -s libcrypto.so.1.1 libcrypto.so && \
    ln -s libfido2.so.1.12.0 libfido2.so.1 && \
    ln -s libfido2.so.1 libfido2.so && \
    ln -s libssl.so.1.1 libssl.so && \
# Update ld.
    echo /usr/local/lib64 > /etc/ld.so.conf.d/libfido2.conf && \
    ldconfig

# Repository-provided .pc files for the CentOS 7 base.
COPY pkgconfig/centos7/ /
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"

# libpcsclite was installed under lib/ in its stage; its .pc file goes to the
# lib64 pkgconfig directory named in PKG_CONFIG_PATH above.
COPY --from=libpcsclite /usr/local/include/ /usr/local/include/
COPY --from=libpcsclite /usr/local/lib/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libpcsclite \
    /usr/local/lib/libpcsclite.a \
    /usr/local/lib/

# Redeclared: stage-scoped ARGs do not carry over from the libbpf stage.
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}

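## BORINGSSL ########################################################################
#
FROM clang7-boringcrypto AS boringssl
# The below tools are required in order to build and compile the module:
# Clang compiler version 7.0.1
# Go programming language version 1.12.7
# Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf

# Go toolchain at the version the security policy names. GOLANG_ARCH is not
# declared in this file; presumably it is set in the clang7 image's
# environment — confirm. -f fails the step on an HTTP error instead of leaving
# an error page for tar to fail on. NOTE(review): go.dev publishes a sha256 for
# each release archive; the FIPS build would benefit from verifying it here.
RUN mkdir -p /opt && cd /opt && \
    curl -sSfLO https://go.dev/dl/go1.12.7.linux-$GOLANG_ARCH.tar.gz && \
    tar xf go1.12.7.linux-$GOLANG_ARCH.tar.gz && \
    rm -f go1.12.7.linux-$GOLANG_ARCH.tar.gz && \
    chmod a+w /opt/go && \
    chmod a+w /var/lib && \
    chmod a-w /
ENV GOEXPERIMENT=boringcrypto \
    GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="$PATH:/opt/go/bin:/go/bin"

# Ninja at the tag the security policy names; a shallow clone of the tag gives
# the same tree as a full clone plus checkout. NOTE(review): the tag is not
# compared against a commit hash the way the libfido2 stage does; pin one if
# the policy's exact build tooling must stay reproducible.
RUN git clone --depth=1 -b v1.9.0 https://github.com/ninja-build/ninja.git && \
    cd ninja && \
    ./configure.py --bootstrap && \
    mv ninja /usr/bin

# Checking out the validated commit by hash pins the module source exactly.
RUN mkdir -p /opt && cd /opt && \
    git clone https://github.com/google/boringssl.git && \
    cd boringssl && \
    git checkout ae223d6138807a13006342edfeef32e813246b39 && \
    mkdir build && \
    cd build && \
    cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && \
    ninja
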
## Intermediate targets ########################################################
#
# 32-bit ARM: the gcc stage with the Go cross-compile target set.
FROM gcc AS deps-arm

ENV GOARCH=arm
ENV GOARM=7

# 32-bit x86: nothing beyond the gcc stage.
FROM gcc AS deps-386

# 64-bit ARM: deps-64 as-is. NOTE(review): unlike deps-amd64 below, this stage
# receives neither BoringSSL nor node — confirm that is intentional.
FROM deps-64 AS deps-arm64
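# 64-bit x86: deps-64 plus BoringSSL and node. Everything from here to the next
# section header belongs to this stage only.
FROM deps-64 AS deps-amd64

# Copy BoringSSL into the final image
COPY --from=boringssl /opt/boringssl /opt/boringssl

# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl
ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
ENV GOEXPERIMENT=boringcrypto

# Install node.
# Node is required to build teleterm. It does not work on 32-bit archs, and is not required for them.
# Clean the yum cache in the same layer so the package metadata is not baked
# into the image.
RUN yum install -y python3 && yum clean all
ARG NODE_ARCH=x64
ARG NODE_VERSION
# NOTE(review): NODE_URL is only needed at build time (an ARG would keep it out
# of the runtime environment), and NODE_PATH is also the variable node itself
# reads as its module search path; both are kept unchanged for compatibility.
ENV NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz"
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
# Extract into NODE_PATH and drop the tarball in the same layer so it is not
# baked into the image. NOTE(review): nodejs.org publishes SHASUMS256.txt per
# release; the download is not checksum-verified here.
RUN mkdir -p ${NODE_PATH} && \
    curl -o /tmp/nodejs.tar.xz -Lf ${NODE_URL} && \
    tar -xJf /tmp/nodejs.tar.xz -C ${NODE_PATH} --strip-components=1 && \
    rm -f /tmp/nodejs.tar.xz

# Smoke check, then make yarn available through corepack.
RUN node --version
RUN corepack enable yarn
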
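## Final target image with go #################################################
#
FROM deps-$TARGETARCH

# NOTE: We expect the GOLANG_VERSION to contain the leading `go` in the version
# string (e.g. go1.19), as produced by `go version`
ARG GOLANG_VERSION

## Install Go #################################################################
# GOLANG_ARCH is not declared in this file; presumably it is set in the base
# image's environment — confirm. -fsSL makes curl fail on an HTTP error instead
# of piping an error page into tar; `go version` at the end confirms the
# toolchain is usable. NOTE(review): the archive is not checksum-verified
# (go.dev publishes a sha256 for each release archive).
# NOTE(review): chmod a+w /var/lib makes the whole directory world-writable;
# /var/lib/teleport is already ci-owned (gcc stage), so check whether the
# broader grant is still required.
RUN mkdir -p /opt && \
    mkdir -p /go && \
    curl -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-$GOLANG_ARCH.tar.gz | tar xz -C /opt && \
    chmod a+w /go && \
    chmod a+w /var/lib && \
    /opt/go/bin/go version
ENV GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="$PATH:/opt/go/bin:/go/bin"

# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

# Root directory is read-only for non-root users from here on.
RUN chmod a-w /

# Build commands run as the unprivileged ci user.
USER ci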