forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile-centos7-fips
189 lines (159 loc) · 6.5 KB
/
Dockerfile-centos7-fips
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDARCH} AS teleport-buildbox-centos7-assets
FROM centos:7 AS libbpf
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
centos-release-scl \
devtoolset-11-gcc* \
devtoolset-11-make \
elfutils-libelf-devel-static \
scl-utils && \
yum clean all
# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && cd /opt && \
curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
cd /opt/libbpf-${LIBBPF_VERSION}/src && \
scl enable devtoolset-11 "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"
FROM centos:7 AS boringssl
# The below tools are required in order to build and compile the module:
# Clang compiler version 7.0.1
# Go programming language version 1.12.7
# Ninja build system version 1.9.0
#
# We also need the FIPS 140-2 validated release of BoringSSL: ae223d6138807a13006342edfeef32e813246b39
# For more information please refer to the section 12. Guidance and Secure Operation of:
# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3678.pdf
# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
cmake3 \
llvm-toolset-7.0-clang-7.0.1 \
git
RUN mkdir -p /opt && cd /opt && \
curl -fsSLO https://go.dev/dl/go1.12.7.linux-amd64.tar.gz && \
echo "66d83bfb5a9ede000e33c6579a91a29e6b101829ad41fffb5c5bb6c900e109d9" "go1.12.7.linux-amd64.tar.gz" | sha256sum --check && \
tar xf go1.12.7.linux-amd64.tar.gz && \
rm -f go1.12.7.linux-amd64.tar.gz && \
chmod a+w /opt/go && \
chmod a+w /var/lib && \
chmod a-w /
ENV GOPATH="/go" \
GOROOT="/opt/go" \
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin"
RUN git clone https://github.com/ninja-build/ninja.git && \
cd ninja && \
git checkout v1.9.0 && \
./configure.py --bootstrap && \
mv ninja /usr/bin
RUN mkdir -p /opt && cd /opt && \
git clone https://github.com/google/boringssl.git && \
cd boringssl && \
git checkout ae223d6138807a13006342edfeef32e813246b39 && \
mkdir build && \
cd build && \
scl enable llvm-toolset-7.0 "cd /opt/boringssl/build && cmake3 -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -GNinja .. && ninja"
FROM centos:7
ENV LANGUAGE=en_US.UTF-8 \
LANG=en_US.UTF-8 \
LC_ALL=en_US.UTF-8 \
LC_CTYPE=en_US.UTF-8
ARG UID
ARG GID
RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)
RUN yum groupinstall -y 'Development Tools' && \
yum install -y epel-release && \
yum update -y && \
yum -y install centos-release-scl-rh && \
yum install -y \
#required by libbpf
centos-release-scl \
# required by libbpf
devtoolset-11-* \
# required by libbpf
elfutils-libelf-devel-static \
git \
net-tools \
# required to create bindings for Rust's boring-rs crate
llvm-toolset-7.0-clang-7.0.1 \
# required by Teleport PAM support
pam-devel \
perl-IPC-Cmd \
tree \
# used by our Makefile
which \
zip \
# required by libbpf
zlib-static && \
yum clean all
# Install etcd.
RUN (curl -fsSL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz | tar -xz && \
cp etcd-v3.3.9-linux-amd64/etcd* /bin/)
# Install Go.
ARG GOLANG_VERSION
RUN mkdir -p /opt && cd /opt && curl -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-amd64.tar.gz | tar xz && \
mkdir -p /go/src/github.com/gravitational/teleport && \
chmod a+w /go && \
chmod a+w /var/lib && \
chmod a-w /
ENV GOEXPERIMENT=boringcrypto \
GOPATH="/go" \
GOROOT="/opt/go" \
PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"
# Install node.
RUN yum install -y python3
ARG NODE_VERSION
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" && \
mkdir -p ${NODE_PATH} && \
curl -o /tmp/nodejs.tar.xz -fsSL ${NODE_URL} && \
tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
RUN node --version
RUN corepack enable yarn
# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install
RUN chmod a-w /
ARG RUST_VERSION
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH \
RUST_VERSION=$RUST_VERSION
RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME
# Install Rust using the ci user, as that is the user that
# will run builds using the Rust toolchains we install here.
USER ci
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
rustup --version && \
cargo --version && \
rustc --version && \
rustup component add rustfmt clippy && \
rustup target add aarch64-unknown-linux-gnu
# Install wasm-pack for targeting WebAssembly from Rust.
RUN cargo install wasm-pack
# Copy BoringSSL into the final image
COPY --from=boringssl /opt/boringssl /opt/boringssl
# set boring-rs crate env variables to point to pre-built binaries
# https://github.com/cloudflare/boring#support-for-pre-built-binaries
ENV BORING_BSSL_PATH=/opt/boringssl
ENV BORING_BSSL_INCLUDE_PATH=/opt/boringssl/include
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}
# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm
VOLUME ["/go/src/github.com/gravitational/teleport"]
EXPOSE 6600 2379 2380