mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
a72d1c7285
Adds the GCB build yaml for controlling the build, and updates the test script to work in both the GCB environment and on a local dev machine. Also changes the centos buildbox to leave the default user as root. When GCB mounts the workspace into the container, the source code is owned by root, and there is no way to change this. This means that the build will fail when the non-root user specified in the build image attempt to write files into the workspace. Setting the root user fixes this. See-Also: #15186
210 lines
6.7 KiB
Plaintext
210 lines
6.7 KiB
Plaintext
ARG RUST_VERSION
|
|
|
|
## LIBFIDO2 ###################################################################
|
|
|
|
# Build libfido2 separately for isolation, speed and flexibility.
|
|
FROM centos:7 AS libfido2
|
|
|
|
RUN yum groupinstall -y 'Development Tools' && \
|
|
yum install -y epel-release && \
|
|
yum update -y && \
|
|
yum install -y \
|
|
cmake3 \
|
|
git \
|
|
libudev-devel \
|
|
zlib-devel && \
|
|
yum clean all
|
|
|
|
# Install libudev-zero.
|
|
# libudev-zero replaces systemd's libudev
|
|
RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.1 && \
|
|
cd libudev-zero && \
|
|
[ "$(git rev-parse HEAD)" = "4154cf252c17297f98a8ca33693ead003b4509da" ] && \
|
|
make install-static LIBDIR='$(PREFIX)/lib64'
|
|
|
|
# Instal openssl.
|
|
# Pulled from source because repository versions are too old.
|
|
# install_sw install only binaries, skips docs.
|
|
RUN git clone --depth=1 git://git.openssl.org/openssl.git -b OpenSSL_1_1_1o && \
|
|
cd openssl && \
|
|
[ "$(git rev-parse HEAD)" = "ca2e0784d2c38edcefd5d68028f4d954bd8faddb" ] && \
|
|
./config --release && \
|
|
make && \
|
|
make install_sw
|
|
|
|
# Install libcbor.
|
|
RUN git clone --depth=1 https://github.com/PJK/libcbor.git -b v0.9.0 && \
|
|
cd libcbor && \
|
|
[ "$(git rev-parse HEAD)" = "58b3319b8c3ec15171cb00f01a3a1e9d400899e1" ] && \
|
|
cmake3 \
|
|
-DCBOR_CUSTOM_ALLOC=ON \
|
|
-DCMAKE_BUILD_TYPE=Release \
|
|
-DCMAKE_POSITION_INDEPENDENT_CODE=ON \
|
|
-DWITH_EXAMPLES=OFF . && \
|
|
make && \
|
|
make install
|
|
|
|
# Install libfido2.
|
|
# Depends on libcbor, openssl, zlib-devel and libudev.
|
|
# Linked so `make build/tsh` finds the library where it expects it.
|
|
RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.11.0 && \
|
|
cd libfido2 && \
|
|
[ "$(git rev-parse HEAD)" = "e61379ff0a27277fbe0aca29ccc34ff93c57b359" ] && \
|
|
cmake3 \
|
|
-DBUILD_EXAMPLES=OFF \
|
|
-DBUILD_MANPAGES=OFF \
|
|
-DBUILD_TOOLS=OFF \
|
|
-DCMAKE_BUILD_TYPE=Release . && \
|
|
make && \
|
|
make install && \
|
|
# Update ld.
|
|
echo /usr/local/lib64 > /etc/ld.so.conf.d/libfido2.conf && \
|
|
ldconfig
|
|
|
|
## LIBBPF #####################################################################
|
|
|
|
FROM centos:7 AS libbpf
|
|
|
|
# Install required dependencies.
|
|
RUN yum groupinstall -y 'Development Tools' && \
|
|
yum install -y epel-release && \
|
|
yum update -y && \
|
|
yum -y install centos-release-scl-rh && \
|
|
yum install -y \
|
|
# required by libbpf
|
|
centos-release-scl \
|
|
# required by libbpf
|
|
devtoolset-11-gcc* \
|
|
# required by libbpf
|
|
devtoolset-11-make \
|
|
# required by libbpf
|
|
elfutils-libelf-devel-static \
|
|
git \
|
|
# required by libbpf
|
|
scl-utils \
|
|
yum clean all
|
|
|
|
# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
|
|
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
|
|
ARG LIBBPF_VERSION
|
|
RUN mkdir -p /opt && cd /opt && \
|
|
curl -L https://github.com/gravitational/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
|
|
cd /opt/libbpf-${LIBBPF_VERSION}/src && \
|
|
scl enable devtoolset-11 "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"
|
|
|
|
## BUILDBOX ###################################################################
|
|
|
|
FROM centos:7 AS buildbox
|
|
|
|
ENV LANGUAGE=en_US.UTF-8 \
|
|
LANG=en_US.UTF-8 \
|
|
LC_ALL=en_US.UTF-8 \
|
|
LC_CTYPE=en_US.UTF-8
|
|
|
|
ARG GOLANG_VERSION
|
|
ARG RUST_VERSION
|
|
|
|
ARG UID
|
|
ARG GID
|
|
RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
|
|
mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
|
|
|
|
RUN yum groupinstall -y 'Development Tools' && \
|
|
yum install -y epel-release && \
|
|
yum update -y && \
|
|
yum -y install centos-release-scl-rh && \
|
|
yum install -y \
|
|
#required by libbpf
|
|
centos-release-scl \
|
|
# required by libbpf
|
|
devtoolset-11-* \
|
|
# required by libbpf
|
|
elfutils-libelf-devel-static \
|
|
git \
|
|
net-tools \
|
|
# required by Teleport PAM support
|
|
pam-devel \
|
|
perl-IPC-Cmd \
|
|
tree \
|
|
# used by our Makefile
|
|
which \
|
|
zip \
|
|
# required by libbpf
|
|
zlib-static && \
|
|
yum clean all
|
|
|
|
# Install etcd.
|
|
RUN (curl -L https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
|
|
cp etcd-v3.3.9-linux-amd64/etcd* /bin/ && \
|
|
rm -rf etcd-v3.3.9-linux-${BUILDARCH})
|
|
|
|
# Install Go.
|
|
RUN mkdir -p /opt && cd /opt && curl https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
|
|
mkdir -p /go/src/github.com/gravitational/teleport && \
|
|
chmod a+w /go && \
|
|
chmod a+w /var/lib && \
|
|
/opt/go/bin/go version
|
|
ENV GOPATH="/go" \
|
|
GOROOT="/opt/go" \
|
|
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
|
|
|
|
ARG BUILDARCH
|
|
|
|
# Install PAM module and policies for testing.
|
|
COPY pam/ /opt/pam_teleport/
|
|
RUN make -C /opt/pam_teleport install
|
|
|
|
# Install Rust.
|
|
ENV RUSTUP_HOME=/usr/local/rustup \
|
|
CARGO_HOME=/usr/local/cargo \
|
|
PATH=/usr/local/cargo/bin:$PATH \
|
|
RUST_VERSION=$RUST_VERSION
|
|
|
|
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
|
|
mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
|
|
|
|
RUN chmod a-w /
|
|
|
|
USER ci
|
|
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
|
|
rustup --version && \
|
|
cargo --version && \
|
|
rustc --version && \
|
|
rustup component add --toolchain $RUST_VERSION-x86_64-unknown-linux-gnu rustfmt clippy
|
|
|
|
# Do a quick switch back to root and copy/setup libfido2 binaries.
|
|
# Do this last to take better advantage of the multi-stage build.
|
|
USER root
|
|
COPY --from=libfido2 /usr/local/include/ /usr/local/include/
|
|
COPY --from=libfido2 /usr/local/lib64/pkgconfig/ /usr/local/lib64/pkgconfig/
|
|
COPY --from=libfido2 \
|
|
/usr/local/lib64/libcbor.a \
|
|
/usr/local/lib64/libcrypto.a \
|
|
/usr/local/lib64/libcrypto.so.1.1 \
|
|
/usr/local/lib64/libfido2.a \
|
|
/usr/local/lib64/libfido2.so.1.11.0 \
|
|
/usr/local/lib64/libssl.a \
|
|
/usr/local/lib64/libssl.so.1.1 \
|
|
/usr/local/lib64/libudev.a \
|
|
/usr/local/lib64/
|
|
RUN cd /usr/local/lib64 && \
|
|
# Re-create usual lib64 links.
|
|
ln -s libcrypto.so.1.1 libcrypto.so && \
|
|
ln -s libfido2.so.1.11.0 libfido2.so.1 && \
|
|
ln -s libfido2.so.1 libfido2.so && \
|
|
ln -s libssl.so.1.1 libssl.so && \
|
|
# Update ld.
|
|
echo /usr/local/lib64 > /etc/ld.so.conf.d/libfido2.conf && \
|
|
ldconfig
|
|
COPY pkgconfig/centos7/ /
|
|
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"
|
|
|
|
# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
|
|
RUN cd / && curl -L https://s3.amazonaws.com/clientbuilds.gravitational.io/go/centos7-assets.tar.gz | tar -xz
|
|
|
|
# Copy libbpf into the final image.
|
|
COPY --from=libbpf /opt/libbpf/usr /usr
|
|
|
|
VOLUME ["/go/src/github.com/gravitational/teleport"]
|
|
EXPOSE 6600 2379 2380
|