Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Explicitly upgrade openssl in docker file and enforce new version of cryptography #9697

Merged
merged 6 commits into from
Mar 26, 2021
Merged

Explicitly upgrade openssl in docker file and enforce new version of cryptography #9697

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
574d121
Reformat
erikjohnston Mar 26, 2021
f6e41c6
Explicitly upgrade libssl/openssl
erikjohnston Mar 26, 2021
f4ab3e6
Explicitly require a cryptography version with a patched openssl
erikjohnston Mar 26, 2021
51e4bac
Newsfile
erikjohnston Mar 26, 2021
fa687b4
Only pin cryptograhpy for 3.6+
erikjohnston Mar 26, 2021
09d39a4
libssl doesn't exist, so drop it rather than explicitly depend on 1.1
erikjohnston Mar 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/9697.docker
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Ensure that the docker container has up to date versions of openssl.
1 change: 1 addition & 0 deletions changelog.d/9697.misc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Enforce that `cryptography` dependency is up to date to ensure it has the most recent openssl patches.
43 changes: 23 additions & 20 deletions docker/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,17 +20,18 @@ FROM docker.io/python:${PYTHON_VERSION}-slim as builder

# install the OS build deps
RUN apt-get update && apt-get install -y \
build-essential \
libffi-dev \
libjpeg-dev \
libpq-dev \
libssl-dev \
libwebp-dev \
libxml++2.6-dev \
libxslt1-dev \
rustc \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/*
build-essential \
libffi-dev \
libjpeg-dev \
libpq-dev \
libssl-dev \
libwebp-dev \
libxml++2.6-dev \
libxslt1-dev \
openssl \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is openssl actually a build dep? I'm not sure we want to start throwing random things in here just in case they get used.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do we figure this out?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that we don't know if anything depends on openssl, even if we don't think so, I'm inclined to install it anyway for paranoia reasons since its a security thing

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like openssl is already installed in the base image

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep! Already installed, but not necessarily updated since the base images only get updated ~monthly at best. So good for us to do it here.

rustc \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/*

# Build dependencies that are not available as wheels, to speed up rebuilds
RUN pip install --prefix="/install" --no-warn-script-location \
Expand Down Expand Up @@ -63,14 +64,16 @@ RUN pip install --prefix="/install" --no-warn-script-location \
FROM docker.io/python:${PYTHON_VERSION}-slim

RUN apt-get update && apt-get install -y \
curl \
gosu \
libjpeg62-turbo \
libpq5 \
libwebp6 \
xmlsec1 \
libjemalloc2 \
&& rm -rf /var/lib/apt/lists/*
curl \
gosu \
libjpeg62-turbo \
libpq5 \
libwebp6 \
xmlsec1 \
libjemalloc2 \
libssl-dev \
openssl \
&& rm -rf /var/lib/apt/lists/*

COPY --from=builder /install /usr/local
COPY ./docker/start.py /start.py
Expand All @@ -83,4 +86,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
ENTRYPOINT ["/start.py"]

HEALTHCHECK --interval=1m --timeout=5s \
CMD curl -fSs http://localhost:8008/health || exit 1
CMD curl -fSs http://localhost:8008/health || exit 1
3 changes: 3 additions & 0 deletions synapse/python_dependencies.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,9 @@
"Jinja2>=2.9",
"bleach>=1.4.3",
"typing-extensions>=3.7.4",
# We enforce that we have a `cryptography` version that bundles an `openssl`
# with the latest security patches.
"cryptography>=3.4.7;python_version>='3.6'",
]

CONDITIONAL_REQUIREMENTS = {
Expand Down