Skip to content

Commit

Permalink
Comprehensive updates and improvements to Docker files
Browse files Browse the repository at this point in the history 
- Upgraded base OS versions and dependencies to their latest stable releases.
- Improved build processes:
  - Enabled dynamic parallelism using `-j$(nproc)`.
  - Applied `apk add --no-cache` and `apt-get install --no-install-recommends` for efficient installations.
  - Ensured cleanup after installations to reduce image size.
  - Replaced `apt` with `apt-get` for consistency.

- Enhanced maintainability:
  - Introduced `WORKDIR` for better path management.
  - Quoted variables to avoid word splitting and potential errors.
  - Updated `ENV` instructions to use `key=value` format, resolving deprecation warnings.

- Removed obsolete and redundant components:
  - The `version` attribute from Docker Compose files, resolving warnings.
  - Unnecessary `DEBIAN_FRONTEND=noninteractive` from Alpine images.
  - Redundant upgrade steps during package installations.

- OpenSSH:
  - Fixed `/etc/profile.d/README` errors caused by invalid commands and syntax issues.
  - Customized the OpenSSH setup with a clean and informative welcome message.

Exclusions: These changes exclude the OpenSSL 3 Dockerfile and nginx/fulltest/dockerfile.
Signed-off-by: Khalid <187553667+itsHayyaf@users.noreply.github.com>
  • Loading branch information
@Hawazyn
Hawazyn committed Dec 25, 2024
1 parent 22ba916 commit e16e4cc
Show file tree
Hide file tree
Showing 15 changed files with 819 additions and 979 deletions.
167 changes: 73 additions & 94 deletions curl/Dockerfile
View file
Original file line number Diff line number Diff line change
@@ -1,167 +1,146 @@
# Multi-stage build: First the full builder image:

# define the alpine image version to use
ARG ALPINE_VERSION=3.20

# define the openssl tag to be used
ARG OPENSSL_TAG=openssl-3.3.2

# define the liboqs tag to be used
# Define build arguments for version tags, installation paths, and configurations.
ARG ALPINE_VERSION=3.21.0
ARG OPENSSL_TAG=openssl-3.4.0
ARG LIBOQS_TAG=0.11.0

# define the oqsprovider tag to be used
ARG OQSPROVIDER_TAG=0.7.0

# define the Curl version to be baked in
ARG CURL_VERSION=8.10.0

# Default location where all binaries wind up:
ARG CURL_VERSION=8.11.1
ARG INSTALLDIR=/opt/oqssa

# liboqs build type variant; maximum portability of image:
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"

# Default root CA signature algorithm; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms
# Specify supported signature and key encapsulation mechanisms (KEM) algorithms.
ARG SIG_ALG="dilithium3"

# Default KEM algorithms; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms
ARG DEFAULT_GROUPS="x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024"

# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
ARG MAKE_DEFINES="-j 4"


# Stage 1: Build - Compile and assemble all necessary components and dependencies.
FROM alpine:${ALPINE_VERSION} AS intermediate
# Take in all global args
ARG OPENSSL_TAG
ARG LIBOQS_TAG
ARG OQSPROVIDER_TAG
ARG CURL_VERSION
ARG INSTALLDIR
ARG LIBOQS_BUILD_DEFINES
ARG SIG_ALG
ARG DEFAULT_GROUPS
ARG MAKE_DEFINES

LABEL version="5"

ENV DEBIAN_FRONTEND noninteractive

RUN apk update && apk upgrade

# Get all software packages required for builing all components:
RUN apk add build-base linux-headers \
libtool automake autoconf cmake ninja \
make \
openssl openssl-dev \
# Install required build tools and system dependencies.
RUN apk update && apk --no-cache add build-base linux-headers \
libtool automake autoconf cmake \
ninja make openssl openssl-dev \
git wget

# get all sources
# Download and prepare source files needed for the build process.
WORKDIR /opt
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxvf curl-${CURL_VERSION}.tar.gz;

# build liboqs
WORKDIR /opt/liboqs
RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install
# Build and install liboqs
WORKDIR /opt/liboqs/build
RUN cmake -G"Ninja" .. \
-DOQS_DIST_BUILD=ON \
-DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" && \
ninja install

# build OpenSSL3
# Build and install OpenSSL, then configure symbolic links.
WORKDIR /opt/openssl
RUN if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi && \
LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
make ${MAKE_DEFINES} && make install_sw install_ssldirs;
RUN if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \
if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi && \
LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \
make -j"$(nproc)" && make install_sw install_ssldirs;

# set path to use 'new' openssl. Dyn libs have been properly linked in to match
# Set PATH for custom OpenSSL binary.
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# build & install provider (and activate by default)
# Build, install, and configure the oqs-provider for OpenSSL integration.
WORKDIR /opt/oqs-provider
RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && \
cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
RUN ln -s ../openssl . && \
cmake -DOPENSSL_ROOT_DIR="${INSTALLDIR}" \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_PREFIX_PATH="${INSTALLDIR}" \
-S . -B _build && \
cmake --build _build && \
cp _build/lib/oqsprovider.so "${INSTALLDIR}/lib64/ossl-modules" && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${INSTALLDIR}/ssl/openssl.cnf

# generate certificates for openssl s_server, which is what we will test curl against
# Generate certificates for testing.
ENV OPENSSL=${INSTALLDIR}/bin/openssl
ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf

# Generate CA key and certificate
WORKDIR ${INSTALLDIR}/bin
# generate CA key and cert
RUN set -x; \
${OPENSSL} req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF}
"${OPENSSL}" req -x509 -new \
-newkey "${SIG_ALG}" -keyout CA.key \
-out CA.crt -nodes \
-subj "/CN=oqstest CA" -days 365 \
-config "${OPENSSL_CNF}"

# build curl - injecting OQS CA generated above into root store
WORKDIR /opt/curl-${CURL_VERSION}

# Download and integrate LetsEncrypt Root CA to CA bundle
RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem

# For curl debugging enable it by adding the line below to the configure command:
# --enable-debug \

RUN env LDFLAGS=-Wl,-R${INSTALLDIR}/lib64 \
./configure --prefix=${INSTALLDIR} \
--with-ca-bundle=${INSTALLDIR}/oqs-bundle.pem \
--with-ssl=${INSTALLDIR} \
RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && \
cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem

# Add --enable-debug to the configure command to enable curl debugging.
RUN env LDFLAGS="-Wl,-R${INSTALLDIR}/lib64" \
./configure --prefix="${INSTALLDIR}" \
--with-ca-bundle="${INSTALLDIR}/oqs-bundle.pem" \
--with-ssl="${INSTALLDIR}" \
--without-libpsl && \
make ${MAKE_DEFINES} && make install && mv oqs-bundle.pem ${INSTALLDIR};
make -j"$(nproc)" && make install \
&& mv oqs-bundle.pem "${INSTALLDIR}";

# Download current test.openquantumsafe.org test CA cert
WORKDIR ${INSTALLDIR}
RUN wget https://test.openquantumsafe.org/CA.crt && mv CA.crt oqs-testca.pem

WORKDIR /
RUN wget https://test.openquantumsafe.org/CA.crt && \
mv CA.crt oqs-testca.pem

COPY serverstart.sh ${INSTALLDIR}/bin

CMD ["serverstart.sh"]

## second stage: Only create minimal image without build tooling and intermediate build results generated above:
# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations.
FROM alpine:${ALPINE_VERSION} AS dev
# Take in all global args
ARG INSTALLDIR
ARG SIG_ALG

# Only retain the ${INSTALLDIR} contents in the final image
# Copy runtime files and configure environment for OpenSSL and Curl
COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}

# set path to use 'new' openssl & curl. Dyn libs have been properly linked in to match
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# generate certificates for openssl s_server, which is what we will test curl against
ENV OPENSSL=${INSTALLDIR}/bin/openssl
ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf

# Generate server certificates
WORKDIR ${INSTALLDIR}/bin

# generate server CSR using pre-set CA.key and cert
# and generate server cert
RUN set -x && mkdir /opt/test; \
${OPENSSL} req -new -newkey ${SIG_ALG} -keyout /opt/test/server.key -out /opt/test/server.csr -nodes -subj "/CN=localhost" -config ${OPENSSL_CNF}; \
${OPENSSL} x509 -req -in /opt/test/server.csr -out /opt/test/server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365;

COPY serverstart.sh ${INSTALLDIR}/bin
COPY perftest.sh ${INSTALLDIR}/bin

WORKDIR ${INSTALLDIR}

RUN set -x && \
mkdir /opt/test && \
${OPENSSL} req -new -newkey ${SIG_ALG} \
-keyout /opt/test/server.key -out /opt/test/server.csr \
-nodes -subj "/CN=localhost" -config ${OPENSSL_CNF} && \
${OPENSSL} x509 -req \
-in /opt/test/server.csr -out /opt/test/server.crt \
-CA CA.crt -CAkey CA.key -CAcreateserial -days 365

# Optimize image size further
FROM dev
ARG INSTALLDIR

WORKDIR /
COPY serverstart.sh ${INSTALLDIR}/bin
COPY perftest.sh ${INSTALLDIR}/bin

# Improve size some more: liboqs.a not needed during operation
# Remove unused libraries to optimize image.
RUN rm ${INSTALLDIR}/lib64/liboqs*

# Enable a normal user to create new server keys off set CA
RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs /opt/test && chmod go+r ${INSTALLDIR}/bin/CA.key && chmod go+w ${INSTALLDIR}/bin/CA.srl
# Create user for runtime operations
RUN addgroup -g 1000 -S oqs && \
adduser --uid 1000 -S oqs -G oqs && \
chown -R oqs:oqs /opt/test && \
chmod go+r ${INSTALLDIR}/bin/CA.key && \
chmod go+w ${INSTALLDIR}/bin/CA.srl

USER oqs
CMD ["serverstart.sh"]
STOPSIGNAL SIGTERM
STOPSIGNAL SIGTERM
76 changes: 62 additions & 14 deletions curl/Dockerfile-QUIC
View file
Original file line number Diff line number Diff line change
@@ -1,25 +1,73 @@
ARG CURL_VERSION=8.11.1
ARG QUICHE_VERSION=0.22.0

# Stage 1: Build - Compile and assemble all necessary components and dependencies.
FROM ubuntu:latest AS build
ARG CURL_VERSION
ARG QUICHE_VERSION

ARG CURL_VERSION=8.10.1
ARG QUICHE_VERSION=0.22.0
# Install required build tools and system dependencies.
RUN apt-get update && apt-get install -y --no-install-recommends \
cmake gcc ninja-build libunwind-dev \
pkg-config build-essential \
cargo git wget ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Download and prepare source files needed for the build process.
WORKDIR /root
RUN git clone --branch master --depth 1 https://github.com/open-quantum-safe/boringssl.git bssl \
&& git clone --recursive --depth 1 https://github.com/open-quantum-safe/liboqs.git \
&& git clone --recursive --depth 1 --branch ${QUICHE_VERSION} https://github.com/cloudflare/quiche.git \
&& mkdir -p /root/curl \
&& wget -qO- "https://curl.se/download/curl-${CURL_VERSION}.tar.gz" | tar -xzf - -C /root/curl --strip-components=1

RUN apt update && apt install cmake gcc ninja-build libunwind-dev pkg-config build-essential cargo git wget -y && cd /root && \
# Clone BoringSSL&liboqs
git clone --branch master https://github.com/open-quantum-safe/boringssl.git bssl && git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \
# Build liboqs
cd liboqs && mkdir build && cd build && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=../../bssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \
# Build BoringSSL
cd /root/bssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && ninja install && cp -rp ../install/include /usr/local/include/bssl && cp -rp ../install/lib /usr/local/lib/bssl && \
# Build quiche
cd /root && git clone --recursive -b ${QUICHE_VERSION} https://github.com/cloudflare/quiche && cd quiche/quiche/deps && rm -R boringssl && ln -s /root/bssl boringssl && cd /root/quiche && cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 && \
# Build curl
cd /root && wget https://curl.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxf curl-${CURL_VERSION}.tar.gz && rm -R curl-${CURL_VERSION}.tar.gz && mv curl-${CURL_VERSION} curl && cd curl && LIBS=-lpthread ./configure LDFLAGS="-Wl,-rpath,/usr/local/lib/bssl" --with-openssl=/root/bssl/install --with-quiche=/root/quiche/target/release --without-libpsl --prefix="/usr/local/curl" && make && make install
# Build and install liboqs
WORKDIR /root/liboqs/build
RUN cmake -G"Ninja" \
"-DCMAKE_INSTALL_PREFIX=../../bssl/oqs" \
"-DOQS_USE_OPENSSL=OFF" .. \
&& ninja -j"$(nproc)" && ninja install

# Build and install BoringSSL
WORKDIR /root/bssl/build
RUN cmake -GNinja \
"-DCMAKE_BUILD_TYPE=Release" \
"-DBUILD_SHARED_LIBS=1" .. \
&& ninja -j"$(nproc)" && ninja install \
&& cp -rp "../install/include" "/usr/local/include/bssl" \
&& cp -rp "../install/lib" "/usr/local/lib/bssl"

# Build quiche with custom BoringSSL integration, enabling HTTP/3 and QUIC support
WORKDIR /root/quiche/quiche/deps
RUN rm -R boringssl \
&& ln -s /root/bssl boringssl

WORKDIR /root/quiche
RUN cargo build --package quiche --release --features ffi,pkg-config-meta,qlog \
&& cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0

# Build and install cURL
WORKDIR /root/curl
RUN LIBS=-lpthread ./configure \
LDFLAGS=-Wl,-rpath,/usr/local/lib/bssl \
--with-openssl=/root/bssl/install \
--with-quiche=/root/quiche/target/release \
--without-libpsl \
--prefix=/usr/local/curl \
&& make -j"$(nproc)" && make install

# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations.
FROM ubuntu:latest

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Copy necessary files from the build stage
COPY --from=build /usr/local/include/bssl /usr/local/include/bssl
COPY --from=build /usr/local/lib/bssl /usr/local/lib/bssl
COPY --from=build /usr/local/curl /usr/local/curl

RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl
# Create a symbolic link for cURL
RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl
Loading

0 comments on commit e16e4cc

Please sign in to comment.