mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
81f319d3e3
* build.assets Dockerfiles: Remove unnecessary ENV NODE_URL

  NODE_URL is being redefined within the RUN instruction anyway. We suspect it might be causing problems, because the logs from build failures sometimes suggest that the NODE_URL export was either ignored, or that the ${NODE_URL} passed to curl reads ENV NODE_URL and not the env var set within the shell.

* Pass -fsSL flags to curl
# Give the prebuilt assets image a stage name so that a later stage can
# COPY --from it. Ref: https://github.com/docker/for-mac/issues/2155
# BUILDARCH is declared ahead of the first FROM, so it is only usable in FROM
# lines until a stage declares it again.
# NOTE(review): the image is referenced by a mutable tag; pinning it by digest
# would make the /opt/llvm toolchain copied out of it reproducible.
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport13-${BUILDARCH} AS teleport-buildbox-centos7-assets
FROM centos:7 AS libbpf

# Toolchain for the libbpf build: the SCL repositories provide devtoolset-11
# (GCC and make), and the static libelf development package is installed with it.
# NOTE(review): centos:7 is an unpinned tag of a distribution that reached end
# of life on 2024-06-30, and `yum update` makes this layer depend on whatever
# the configured repositories serve at build time.
RUN yum -y groupinstall 'Development Tools' && \
    yum -y install epel-release && \
    yum -y update && \
    yum -y install centos-release-scl-rh && \
    yum -y install \
        centos-release-scl \
        devtoolset-11-gcc* \
        devtoolset-11-make \
        elfutils-libelf-devel-static \
        scl-utils && \
    yum clean all
# Build libbpf from the upstream release tarball under devtoolset-11; the GCC
# that CentOS 7 installs by default cannot compile it.
# BUILD_STATIC_ONLY=y is set on the install step because libbpf.so is not needed.
# The result is staged under /opt/libbpf (DESTDIR).
# NOTE(review): the tarball is streamed into tar with no digest check, unlike
# the go1.12.7 download in the boringssl stage, which is verified with
# sha256sum. Consider pinning a SHA-256 per supported LIBBPF_VERSION.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && \
    cd /opt && \
    curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar -xz && \
    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
    scl enable devtoolset-11 "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"
FROM centos:7 AS boringssl

# This stage builds the FIPS 140-2 validated release of BoringSSL, commit
# ae223d6138807a13006342edfeef32e813246b39. Tools required to build and compile
# the module:
#   - Clang compiler version 7.0.1
#   - Go programming language version 1.12.7
#   - Ninja build system version 1.9.0
# For more information see section 12, "Guidance and Secure Operation", of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf

# Build dependencies. Clang 7.0.1 comes from the llvm-toolset-7.0 software
# collection; Go and Ninja are installed by the steps that follow.
RUN yum -y groupinstall 'Development Tools' && \
    yum -y install epel-release && \
    yum -y update && \
    yum -y install centos-release-scl-rh && \
    yum -y install \
        cmake3 \
        git \
        llvm-toolset-7.0-clang-7.0.1
# Install Go 1.12.7 under /opt/go. The tarball is checked against a pinned
# SHA-256 before it is unpacked, and the build stops if the digest differs.
# The chmod calls make /opt/go and /var/lib writable by every user and remove
# write permission from /. Only /opt/boringssl is copied out of this stage,
# so these permissions stay in the build stage.
RUN mkdir -p /opt && \
    cd /opt && \
    curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
    echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum -c && \
    tar -xf go1.12.7.linux-amd64.tar.gz && \
    rm -f go1.12.7.linux-amd64.tar.gz && \
    chmod a+w /opt/go /var/lib && \
    chmod a-w /
# Go environment for the BoringSSL build. /opt/llvm/bin is searched before the
# inherited PATH, and the Go binary directories are searched after it.
ENV GOPATH="/go"
ENV GOROOT="/opt/go"
ENV PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin"
# Bootstrap Ninja 1.9.0 from source and move the resulting binary into /usr/bin.
# NOTE(review): v1.9.0 is a tag, and a tag can be moved upstream. Checking out
# the commit id behind it, as the BoringSSL step does, would pin the sources
# that end up in the FIPS build toolchain.
RUN git clone https://github.com/ninja-build/ninja.git && \
    cd ninja && \
    git checkout v1.9.0 && \
    ./configure.py --bootstrap && \
    mv ninja /usr/bin
# Clone BoringSSL, check out the exact commit named in the stage header, and
# build it in FIPS mode (-DFIPS=1) with clang from the llvm-toolset-7.0
# collection, using Ninja as the generator. The command run under
# `scl enable` changes into /opt/boringssl/build itself.
RUN mkdir -p /opt && \
    cd /opt && \
    git clone https://github.com/google/boringssl.git && \
    cd boringssl && \
    git checkout ae223d6138807a13006342edfeef32e813246b39 && \
    mkdir build && \
    scl enable llvm-toolset-7.0 "cd /opt/boringssl/build && cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && ninja"
# Final buildbox stage.
# NOTE(review): as in the earlier stages, centos:7 is referenced by tag only;
# a digest pin would fix the base layers this image is built on.
FROM centos:7

# Use the en_US.UTF-8 locale throughout.
ENV LANG=en_US.UTF-8 \
    LANGUAGE=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    LC_CTYPE=en_US.UTF-8
# Create the ci group and user with the GID/UID passed as build arguments.
# groupadd -o accepts a GID that is already in use. /var/lib/teleport is
# created with mode 0700 and handed to ci, so only that user can read it.
ARG UID
ARG GID
RUN groupadd ci --gid=$GID -o && \
    useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
    mkdir -p -m0700 /var/lib/teleport && \
    chown -R ci /var/lib/teleport
# OS packages for the buildbox. The comments inside the list say which
# consumer needs each package, where the original file records one.
# NOTE(review): `yum update` and the devtoolset-11-* glob both resolve at
# build time, so two builds of this file can install different package sets.
RUN yum -y groupinstall 'Development Tools' && \
    yum -y install epel-release && \
    yum -y update && \
    yum -y install centos-release-scl-rh && \
    yum -y install \
        # required by libbpf
        centos-release-scl \
        # required by libbpf
        devtoolset-11-* \
        # required by libbpf
        elfutils-libelf-devel-static \
        git \
        net-tools \
        # required to create bindings for Rust's boring-rs crate
        llvm-toolset-7.0-clang-7.0.1 \
        # required by Teleport PAM support
        pam-devel \
        perl-IPC-Cmd \
        tree \
        # used by our Makefile
        which \
        zip \
        # required by libbpf
        zlib-static && \
    yum clean all
# Install etcd: unpack the v3.3.9 release archive in the current directory and
# copy its etcd* binaries into /bin.
# NOTE(review): the archive is streamed into tar with no digest check, and the
# extracted etcd-v3.3.9-linux-amd64 directory stays in the image. Consider
# verifying a pinned SHA-256, as is done for go1.12.7 in the boringssl stage,
# and removing the directory in this same layer.
RUN curl -fsSL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
    cp etcd-v3.3.9-linux-amd64/etcd* /bin/
# Install the Go toolchain selected by GOLANG_VERSION under /opt/go and create
# the Teleport source directory under /go.
# NOTE(review): the URL adds no "go" prefix, so GOLANG_VERSION presumably
# carries it (confirm against the caller). The tarball is not checked against
# a digest, while the go1.12.7 download in the boringssl stage is; a pinned
# SHA-256 passed alongside the version would close that gap.
# NOTE(review): /go and /var/lib end up writable by every user in the
# container, which is broader than the ci user created earlier in this stage
# needs if builds always run as ci.
ARG GOLANG_VERSION
RUN mkdir -p /opt && \
    cd /opt && \
    curl -fsSL https://storage.googleapis.com/golang/${GOLANG_VERSION}.linux-amd64.tar.gz | tar -xz && \
    mkdir -p /go/src/github.com/gravitational/teleport && \
    chmod a+w /go /var/lib && \
    chmod a-w /

# GOEXPERIMENT=boringcrypto selects Go's BoringCrypto-backed crypto packages.
ENV GOEXPERIMENT=boringcrypto
ENV GOPATH="/go"
ENV GOROOT="/opt/go"
ENV PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
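# Install node.
RUN yum install -y python3
ARG NODE_VERSION
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
# Download the official Node.js binary tarball and unpack it into NODE_PATH.
# NODE_URL is set inside this RUN instruction and is not an ENV.
# The architecture is fixed to x64, matching the amd64 etcd and Go downloads in
# this stage. BUILDARCH is not declared in this stage at this point, so it
# cannot be used to select an architecture here.
# The tarball is deleted in the same layer so that it does not stay in /tmp.
# NOTE(review): the tarball is not checked against a digest. Each Node.js
# release directory publishes a SHASUMS256.txt that a pinned SHA-256 for the
# chosen NODE_VERSION could be taken from.
RUN export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" && \
    mkdir -p "${NODE_PATH}" && \
    curl -o /tmp/nodejs.tar.xz -fsSL "${NODE_URL}" && \
    tar -xJf /tmp/nodejs.tar.xz -C "${NODE_PATH}" --strip-components=1 && \
    rm -f /tmp/nodejs.tar.xz
# Fail the build early if the node binary is not usable from PATH.
RUN node --version
RUN corepack enable yarn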
# Copy the PAM module and policies used for testing into the image and install
# them with the Makefile shipped in pam/.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

# Remove write permission on / for all users.
RUN chmod a-w /
# Rust toolchain locations. RUST_VERSION is taken from the build argument and
# also exported into the runtime environment.
ARG RUST_VERSION
ENV RUSTUP_HOME=/usr/local/rustup
ENV CARGO_HOME=/usr/local/cargo
ENV PATH=/usr/local/cargo/bin:$PATH
ENV RUST_VERSION=$RUST_VERSION

# Create the rustup and cargo directories while still root and open them for
# writing, so that the non-root install below can populate them.
# NOTE(review): CARGO_HOME is recursively world-writable and its bin directory
# comes first on PATH, so any user in the container can replace the cargo and
# rustc entry points. If builds always run as ci, chown to ci would be narrower.
RUN mkdir -p $RUSTUP_HOME && \
    chmod a+w $RUSTUP_HOME && \
    mkdir -p $CARGO_HOME/registry && \
    chmod -R a+w $CARGO_HOME
# Rust is installed as the ci user, because ci is the user that will run builds
# with the toolchains installed here. USER ci also stays in effect for the
# rest of the file, so the image runs as ci by default.
# NOTE(review): the rustup installer script is piped to sh with no pinned
# digest; --proto '=https' --tlsv1.2 constrains the transport only. The
# toolchain itself is selected by RUST_VERSION.
USER ci
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
    # Print each tool's version; the build fails here if one is missing.
    rustup --version && \
    cargo --version && \
    rustc --version && \
    # Extra components and the arm64 target.
    rustup component add rustfmt clippy && \
    rustup target add aarch64-unknown-linux-gnu
# Bring the BoringSSL tree built in the boringssl stage into the final image.
# No --chown is given, so the files are owned by root even though USER ci is
# in effect, and ci cannot modify them.
COPY --from=boringssl /opt/boringssl /opt/boringssl

# Point the boring-rs crate at the pre-built binaries and headers:
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl \
    BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
# LIBBPF_VERSION is declared again because build arguments do not carry over
# from the libbpf stage. The static libbpf install goes to a versioned prefix.
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}

# Pre-built CentOS 7 assets with the clang needed to build BPF tools, taken
# from the assets image aliased at the top of the file. /opt/llvm/bin is
# already on PATH.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
# The Teleport source tree is expected to be mounted at this path.
VOLUME ["/go/src/github.com/gravitational/teleport"]

# Documentation only; EXPOSE publishes nothing. 2379 and 2380 are etcd's
# default client and peer ports.
EXPOSE 6600 2379 2380