forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile-centos7
304 lines (259 loc) · 10 KB
/
Dockerfile-centos7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
ARG RUST_VERSION
## GIT2 ###################################################################
# git2 packages are not available on ARM64, so we need to build it from source.
FROM centos:7 AS git2
ARG DEVTOOLSET
RUN yum groupinstall -y 'Development Tools' && \
yum install -y \
ca-certificates \
curl-devel \
expat-devel \
gettext-devel \
openssl-devel \
zlib-devel \
perl-CPAN \
perl-devel wget && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
centos-release-scl \
${DEVTOOLSET}-gcc* \
${DEVTOOLSET}-make && \
yum clean all
RUN wget https://github.com/git/git/archive/refs/tags/v2.39.1.tar.gz && \
tar xf v2.39.1.tar.gz && \
cd git-2.39.1/ && \
scl enable ${DEVTOOLSET} "make configure && \
./configure --prefix=/usr/local && \
make -j6 all && \
DESTDIR=/opt/git make install"
# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDARCH} AS teleport-buildbox-centos7-assets
## LIBFIDO2 ###################################################################
# Build libfido2 separately for isolation, speed and flexibility.
FROM centos:7 AS libfido2
ARG DEVTOOLSET
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum install -y centos-release-scl-rh && \
yum update -y && \
yum install -y \
cmake3 \
${DEVTOOLSET}-gcc* \
git \
libudev-devel \
perl-IPC-Cmd \
zlib-devel && \
yum clean all
# Install libudev-zero.
# libudev-zero replaces systemd's libudev.
RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.3 && \
cd libudev-zero && \
[ "$(git rev-parse HEAD)" = 'ee32ac5f6494047b9ece26e7a5920650cdf46655' ] && \
make install-static LIBDIR='$(PREFIX)/lib64'
# Install libcbor.
RUN git clone --depth=1 https://github.com/PJK/libcbor.git -b v0.10.2 && \
cd libcbor && \
[ "$(git rev-parse HEAD)" = 'efa6c0886bae46bdaef9b679f61f4b9d8bc296ae' ] && \
cmake3 \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_POSITION_INDEPENDENT_CODE=ON \
-DWITH_EXAMPLES=OFF . && \
make && \
make install
# Install openssl.
# install_sw install only binaries, skips docs.
RUN git clone --depth=1 https://github.com/openssl/openssl.git -b openssl-3.0.10 && \
cd openssl && \
[ "$(git rev-parse HEAD)" = '245cb0291e0db99d9ccf3692fa76f440b2b054c2' ] && \
./config --release --libdir=/usr/local/lib64 && \
make -j"$(nproc)" && \
make install_sw
# Necessary for libfido2 to find the correct libcrypto.
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"
# Install libfido2.
# Depends on libcbor, libcrypto (OpenSSL 3.x), libudev and zlib-devel.
# Linked so `make build/tsh` finds the library where it expects it.
RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.13.0 && \
cd libfido2 && \
[ "$(git rev-parse HEAD)" = '486a8f8667e42f55cee2bba301b41433cacec830' ] && \
scl enable ${DEVTOOLSET} "\
CFLAGS=-pthread cmake3 \
-DBUILD_EXAMPLES=OFF \
-DBUILD_MANPAGES=OFF \
-DBUILD_TOOLS=OFF \
-DCMAKE_BUILD_TYPE=Release . && \
grep 'CRYPTO_VERSION:INTERNAL=3\.0\.' CMakeCache.txt && \
make" && \
make install && \
make clean
## LIBBPF #####################################################################
FROM centos:7 AS libbpf
ARG DEVTOOLSET
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
centos-release-scl \
${DEVTOOLSET}-gcc* \
${DEVTOOLSET}-make \
elfutils-libelf-devel-static \
scl-utils && \
yum clean all
# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && cd /opt && \
curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
cd /opt/libbpf-${LIBBPF_VERSION}/src && \
scl enable ${DEVTOOLSET} "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"
## LIBPCSCLITE #####################################################################
FROM centos:7 AS libpcsclite
ARG DEVTOOLSET
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
autoconf-archive \
libudev-devel \
scl-utils \
centos-release-scl \
${DEVTOOLSET}-gcc* && \
yum clean all
# Install libpcsclite - compile with a newer GCC. The one installed by default is not able to compile it.
ARG LIBPCSCLITE_VERSION
RUN git clone --depth=1 https://github.com/gravitational/PCSC.git -b ${LIBPCSCLITE_VERSION} && \
cd PCSC && \
./bootstrap && \
./configure --enable-static --with-pic --disable-libsystemd && \
scl enable ${DEVTOOLSET} "make" && \
make install
## BUILDBOX ###################################################################
FROM centos:7 AS buildbox
ENV LANGUAGE=en_US.UTF-8 \
LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
LC_CTYPE=en_US.UTF-8
ARG GOLANG_VERSION
ARG RUST_VERSION
ARG DEVTOOLSET
ARG UID
ARG GID
RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
#required by libbpf
centos-release-scl \
# required by libbpf
${DEVTOOLSET}-* \
# required by libbpf
elfutils-libelf-devel-static \
net-tools \
# required by Teleport PAM support
pam-devel \
perl-IPC-Cmd \
tree \
# used by our Makefile
which \
zip \
# required by libbpf
zlib-static && \
yum clean all && \
localedef -c -i en_US -f UTF-8 en_US.UTF-8
# Override the old git installed by yum. We need git 2+ on GitHub Actions.
COPY --from=git2 /opt/git /usr/local
ARG BUILDARCH
# Install etcd.
RUN (curl -fsSL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-${BUILDARCH}.tar.gz | tar -xz && \
cp etcd-v3.3.9-linux-${BUILDARCH}/etcd* /bin/ && \
rm -rf etcd-v3.3.9-linux-${BUILDARCH})
# Install Go.
RUN mkdir -p /opt && cd /opt && curl -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-${BUILDARCH}.tar.gz | tar xz && \
mkdir -p /go/src/github.com/gravitational/teleport && \
chmod a+w /go && \
chmod a+w /var/lib && \
/opt/go/bin/go version
ENV GOPATH="/go" \
GOROOT="/opt/go" \
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
# Install node.
RUN yum install -y python3
ARG NODE_VERSION
ENV NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${BUILDARCH}.tar.xz"
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
mkdir -p ${NODE_PATH} && \
curl -o /tmp/nodejs.tar.xz -fsSL ${NODE_URL} && \
tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
RUN node --version
RUN corepack enable yarn
# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install
# Install Rust.
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH \
RUST_VERSION=$RUST_VERSION
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
RUN chmod a-w /
USER ci
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
rustup --version && \
cargo --version && \
rustc --version
# Install wasm-pack for targeting WebAssembly from Rust.
RUN cargo install wasm-pack
# Do a quick switch back to root and copy/setup libfido2 and libpcsclite binaries.
# Do this last to take better advantage of the multi-stage build.
USER root
COPY --from=libfido2 /usr/local/include/ /usr/local/include/
COPY --from=libfido2 /usr/local/lib64/engines-3/ /usr/local/lib64/engines-3/
COPY --from=libfido2 /usr/local/lib64/ossl-modules/ /usr/local/lib64/ossl-modules/
COPY --from=libfido2 /usr/local/lib64/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libfido2 \
/usr/local/lib64/libcbor.a \
/usr/local/lib64/libcrypto.a \
/usr/local/lib64/libcrypto.so.3 \
/usr/local/lib64/libfido2.a \
/usr/local/lib64/libfido2.so.1.13.0 \
/usr/local/lib64/libssl.a \
/usr/local/lib64/libssl.so.3 \
/usr/local/lib64/libudev.a \
/usr/local/lib64/
# Re-create usual lib64 links.
RUN cd /usr/local/lib64 && \
ln -s libcrypto.so.3 libcrypto.so && \
ln -s libfido2.so.1.13.0 libfido2.so.1 && \
ln -s libfido2.so.1 libfido2.so && \
ln -s libssl.so.3 libssl.so && \
# Update ld.
echo /usr/local/lib64 > /etc/ld.so.conf.d/libfido2.conf && \
ldconfig
# Configure pkg-config.
COPY pkgconfig/centos7/ /
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"
COPY --from=libpcsclite /usr/local/include/ /usr/local/include/
COPY --from=libpcsclite /usr/local/lib/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libpcsclite \
/usr/local/lib/libpcsclite.a \
/usr/local/lib/
# Copy libbpf into the final image.
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}
# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
VOLUME ["/go/src/github.com/gravitational/teleport"]
EXPOSE 6600 2379 2380