From e16e4ccc1187d86df28ab825d8aff8278d298b13 Mon Sep 17 00:00:00 2001 From: Khalid <187553667+itsHayyaf@users.noreply.github.com> Date: Wed, 25 Dec 2024 13:44:59 +0300 Subject: [PATCH] Comprehensive updates and improvements to Docker files - Upgraded base OS versions and dependencies to their latest stable releases. - Improved build processes: - Enabled dynamic parallelism using `-j$(nproc)`. - Applied `apk add --no-cache` and `apt-get install --no-install-recommends` for efficient installations. - Ensured cleanup after installations to reduce image size. - Replaced `apt` with `apt-get` for consistency. - Enhanced maintainability: - Introduced `WORKDIR` for better path management. - Quoted variables to avoid word splitting and potential errors. - Updated `ENV` instructions to use `key=value` format, resolving deprecation warnings. - Removed obsolete and redundant components: - The `version` attribute from Docker Compose files, resolving warnings. - Unnecessary `DEBIAN_FRONTEND=noninteractive` from Alpine images. - Redundant upgrade steps during package installations. - OpenSSH: - Fixed `/etc/profile.d/README` errors caused by invalid commands and syntax issues. - Customized the OpenSSH setup with a clean and informative welcome message. Exclusions: These changes exclude the OpenSSL 3 Dockerfile and nginx/fulltest/dockerfile. 
Signed-off-by: Khalid <187553667+itsHayyaf@users.noreply.github.com> --- curl/Dockerfile | 167 +++++++++++++++------------------ curl/Dockerfile-QUIC | 76 ++++++++++++--- h2load/Dockerfile | 82 ++++++++--------- haproxy/Dockerfile | 135 +++++++++++---------------- httpd/Dockerfile | 169 ++++++++++++++-------------------- locust/Dockerfile | 82 +++++++---------- locust/docker-compose.yaml | 2 - mosquitto/Dockerfile | 169 ++++++++++++++-------------------- nginx/Dockerfile | 184 ++++++++++++++++--------------------- nginx/Dockerfile-QUIC | 183 +++++++++++++++++++++--------------- ngtcp2/Dockerfile-client | 120 +++++++++++------------- ngtcp2/Dockerfile-server | 94 +++++++++---------- openssh/Dockerfile | 158 ++++++++++++++----------------- openvpn/Dockerfile | 126 ++++++++++--------------- wireshark/Dockerfile | 51 +++++----- 15 files changed, 819 insertions(+), 979 deletions(-) diff --git a/curl/Dockerfile b/curl/Dockerfile index 9bf11954..6a370e6f 100644 --- a/curl/Dockerfile +++ b/curl/Dockerfile 
@@ -1,167 +1,146 @@ -# Multi-stage build: First the full builder image: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations. +ARG ALPINE_VERSION=3.21.0 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the Curl version to be baked in -ARG CURL_VERSION=8.10.0 - -# Default location where all binaries wind up: +ARG CURL_VERSION=8.11.1 ARG INSTALLDIR=/opt/oqssa -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" - -# Default root CA signature algorithm; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms. ARG SIG_ALG="dilithium3" - -# Default KEM algorithms; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms ARG DEFAULT_GROUPS="x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024" -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -ARG MAKE_DEFINES="-j 4" - +# Stage 1: Build - Compile and assemble all necessary components and dependencies. 
FROM alpine:${ALPINE_VERSION} AS intermediate -# Take in all global args ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG CURL_VERSION ARG INSTALLDIR -ARG LIBOQS_BUILD_DEFINES ARG SIG_ALG ARG DEFAULT_GROUPS -ARG MAKE_DEFINES LABEL version="5" -ENV DEBIAN_FRONTEND noninteractive - -RUN apk update && apk upgrade - -# Get all software packages required for builing all components: -RUN apk add build-base linux-headers \ - libtool automake autoconf cmake ninja \ - make \ - openssl openssl-dev \ +# Install required build tools and system dependencies. +RUN apk update && apk --no-cache add build-base linux-headers \ + libtool automake autoconf cmake \ + ninja make openssl openssl-dev \ git wget -# get all sources +# Download and prepare source files needed for the build process. WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxvf curl-${CURL_VERSION}.tar.gz; -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. \ + -DOQS_DIST_BUILD=ON \ + -DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" && \ + ninja install -# build OpenSSL3 +# Build and install OpenSSL, then configure symbolic links. 
WORKDIR /opt/openssl -RUN if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ - if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi && \ - LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs; +RUN if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ + if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi && \ + LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \ + make -j"$(nproc)" && make install_sw install_ssldirs; -# set path to use 'new' openssl. Dyn libs have been properly linked in to match +# Set PATH for custom OpenSSL binary. ENV PATH="${INSTALLDIR}/bin:${PATH}" -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration. WORKDIR /opt/oqs-provider -RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && \ - cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ +RUN ln -s ../openssl . && \ + cmake -DOPENSSL_ROOT_DIR="${INSTALLDIR}" \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_PREFIX_PATH="${INSTALLDIR}" \ + -S . 
-B _build && \ + cmake --build _build && \ + cp _build/lib/oqsprovider.so "${INSTALLDIR}/lib64/ossl-modules" && \ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR}/ssl/openssl.cnf && \ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" ${INSTALLDIR}/ssl/openssl.cnf && \ sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${INSTALLDIR}/ssl/openssl.cnf -# generate certificates for openssl s_server, which is what we will test curl against +# Generate certificates for testing. 
ENV OPENSSL=${INSTALLDIR}/bin/openssl ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf +# Generate CA key and certificate WORKDIR ${INSTALLDIR}/bin -# generate CA key and cert RUN set -x; \ - ${OPENSSL} req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF} + "${OPENSSL}" req -x509 -new \ + -newkey "${SIG_ALG}" -keyout CA.key \ + -out CA.crt -nodes \ + -subj "/CN=oqstest CA" -days 365 \ + -config "${OPENSSL_CNF}" # build curl - injecting OQS CA generated above into root store WORKDIR /opt/curl-${CURL_VERSION} # Download and integrate LetsEncrypt Root CA to CA bundle -RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem - -# For curl debugging enable it by adding the line below to the configure command: -# --enable-debug \ - -RUN env LDFLAGS=-Wl,-R${INSTALLDIR}/lib64 \ - ./configure --prefix=${INSTALLDIR} \ - --with-ca-bundle=${INSTALLDIR}/oqs-bundle.pem \ - --with-ssl=${INSTALLDIR} \ +RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && \ + cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem + +# Add --enable-debug to the configure command to enable curl debugging. 
+RUN env LDFLAGS="-Wl,-R${INSTALLDIR}/lib64" \ + ./configure --prefix="${INSTALLDIR}" \ + --with-ca-bundle="${INSTALLDIR}/oqs-bundle.pem" \ + --with-ssl="${INSTALLDIR}" \ --without-libpsl && \ - make ${MAKE_DEFINES} && make install && mv oqs-bundle.pem ${INSTALLDIR}; + make -j"$(nproc)" && make install \ + && mv oqs-bundle.pem "${INSTALLDIR}"; # Download current test.openquantumsafe.org test CA cert WORKDIR ${INSTALLDIR} -RUN wget https://test.openquantumsafe.org/CA.crt && mv CA.crt oqs-testca.pem - -WORKDIR / +RUN wget https://test.openquantumsafe.org/CA.crt && \ + mv CA.crt oqs-testca.pem -COPY serverstart.sh ${INSTALLDIR}/bin - -CMD ["serverstart.sh"] - -## second stage: Only create minimal image without build tooling and intermediate build results generated above: +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. FROM alpine:${ALPINE_VERSION} AS dev -# Take in all global args ARG INSTALLDIR ARG SIG_ALG -# Only retain the ${INSTALLDIR} contents in the final image +# Copy runtime files and configure environment for OpenSSL and Curl COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR} - -# set path to use 'new' openssl & curl. 
Dyn libs have been properly linked in to match ENV PATH="${INSTALLDIR}/bin:${PATH}" - -# generate certificates for openssl s_server, which is what we will test curl against ENV OPENSSL=${INSTALLDIR}/bin/openssl ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf +# Generate server certificates WORKDIR ${INSTALLDIR}/bin - -# generate server CSR using pre-set CA.key and cert -# and generate server cert -RUN set -x && mkdir /opt/test; \ - ${OPENSSL} req -new -newkey ${SIG_ALG} -keyout /opt/test/server.key -out /opt/test/server.csr -nodes -subj "/CN=localhost" -config ${OPENSSL_CNF}; \ - ${OPENSSL} x509 -req -in /opt/test/server.csr -out /opt/test/server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365; - -COPY serverstart.sh ${INSTALLDIR}/bin -COPY perftest.sh ${INSTALLDIR}/bin - -WORKDIR ${INSTALLDIR} - +RUN set -x && \ + mkdir /opt/test && \ + ${OPENSSL} req -new -newkey ${SIG_ALG} \ + -keyout /opt/test/server.key -out /opt/test/server.csr \ + -nodes -subj "/CN=localhost" -config ${OPENSSL_CNF} && \ + ${OPENSSL} x509 -req \ + -in /opt/test/server.csr -out /opt/test/server.crt \ + -CA CA.crt -CAkey CA.key -CAcreateserial -days 365 + +# Optimize image size further FROM dev ARG INSTALLDIR -WORKDIR / +COPY serverstart.sh ${INSTALLDIR}/bin +COPY perftest.sh ${INSTALLDIR}/bin -# Improve size some more: liboqs.a not needed during operation +# Remove unused libraries to optimize image. RUN rm ${INSTALLDIR}/lib64/liboqs* -# Enable a normal user to create new server keys off set CA -RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs /opt/test && chmod go+r ${INSTALLDIR}/bin/CA.key && chmod go+w ${INSTALLDIR}/bin/CA.srl +# Create user for runtime operations +RUN addgroup -g 1000 -S oqs && \ + adduser --uid 1000 -S oqs -G oqs && \ + chown -R oqs:oqs /opt/test && \ + chmod go+r ${INSTALLDIR}/bin/CA.key && \ + chmod go+w ${INSTALLDIR}/bin/CA.srl USER oqs CMD ["serverstart.sh"] -STOPSIGNAL SIGTERM +STOPSIGNAL SIGTERM \ No newline at end of file 
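Review bot: The trust bundle is assembled from an unverified download: `wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem` has the local CA.crt appended to it and is then baked into curl via `--with-ca-bundle` with no integrity check, and the same is true of `wget https://test.openquantumsafe.org/CA.crt` and the curl tarball itself. Pinning the expected digest before the `cat ... >> oqs-bundle.pem`, e.g. `echo "<SHA256_OF_ISRGROOTX1_PLACEHOLDER>  oqs-bundle.pem" | sha256sum -c -`, makes the image's trust anchors reproducible rather than dependent on what the network delivers on build day. In the same stage `RUN apk update && apk --no-cache add ...` is self-contradictory—`apk add --no-cache` fetches the index on its own and the preceding `apk update` typically leaves index files under /var/cache/apk in the layer—so the `update` can be dropped; the same pattern appears in the h2load, haproxy and httpd hunks. Lastly, the retained `chmod go+r ${INSTALLDIR}/bin/CA.key` leaves the CA private key world-readable in the final image; giving it to the runtime user instead (`chown oqs:oqs ${INSTALLDIR}/bin/CA.key ${INSTALLDIR}/bin/CA.srl && chmod 600 ${INSTALLDIR}/bin/CA.key`) serves the same purpose with least privilege, test CA or not.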
diff --git a/curl/Dockerfile-QUIC b/curl/Dockerfile-QUIC
index 408a50fb..dd3e8f5f 100644
--- a/curl/Dockerfile-QUIC
+++ b/curl/Dockerfile-QUIC
@@ -1,25 +1,73 @@ +ARG CURL_VERSION=8.11.1 +ARG QUICHE_VERSION=0.22.0 + +# Stage 1: Build - Compile and assemble all necessary components and dependencies. FROM ubuntu:latest AS build +ARG CURL_VERSION +ARG QUICHE_VERSION -ARG CURL_VERSION=8.10.1 -ARG QUICHE_VERSION=0.22.0 +# Install required build tools and system dependencies. +RUN apt-get update && apt-get install -y --no-install-recommends \ + cmake gcc ninja-build libunwind-dev \ + pkg-config build-essential \ + cargo git wget ca-certificates \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Download and prepare source files needed for the build process. +WORKDIR /root +RUN git clone --branch master --depth 1 https://github.com/open-quantum-safe/boringssl.git bssl \ + && git clone --recursive --depth 1 https://github.com/open-quantum-safe/liboqs.git \ + && git clone --recursive --depth 1 --branch ${QUICHE_VERSION} https://github.com/cloudflare/quiche.git \ + && mkdir -p /root/curl \ + && wget -qO- "https://curl.se/download/curl-${CURL_VERSION}.tar.gz" | tar -xzf - -C /root/curl --strip-components=1 -RUN apt update && apt install cmake gcc ninja-build libunwind-dev pkg-config build-essential cargo git wget -y && cd /root && \ -# Clone BoringSSL&liboqs - git clone --branch master https://github.com/open-quantum-safe/boringssl.git bssl && git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \ -# Build liboqs - cd liboqs && mkdir build && cd build && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=../../bssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \ -# Build BoringSSL - cd /root/bssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. 
&& ninja && ninja install && cp -rp ../install/include /usr/local/include/bssl && cp -rp ../install/lib /usr/local/lib/bssl && \ -# Build quiche - cd /root && git clone --recursive -b ${QUICHE_VERSION} https://github.com/cloudflare/quiche && cd quiche/quiche/deps && rm -R boringssl && ln -s /root/bssl boringssl && cd /root/quiche && cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 && \ -# Build curl - cd /root && wget https://curl.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxf curl-${CURL_VERSION}.tar.gz && rm -R curl-${CURL_VERSION}.tar.gz && mv curl-${CURL_VERSION} curl && cd curl && LIBS=-lpthread ./configure LDFLAGS="-Wl,-rpath,/usr/local/lib/bssl" --with-openssl=/root/bssl/install --with-quiche=/root/quiche/target/release --without-libpsl --prefix="/usr/local/curl" && make && make install +# Build and install liboqs +WORKDIR /root/liboqs/build +RUN cmake -G"Ninja" \ + "-DCMAKE_INSTALL_PREFIX=../../bssl/oqs" \ + "-DOQS_USE_OPENSSL=OFF" .. \ + && ninja -j"$(nproc)" && ninja install +# Build and install BoringSSL +WORKDIR /root/bssl/build +RUN cmake -GNinja \ + "-DCMAKE_BUILD_TYPE=Release" \ + "-DBUILD_SHARED_LIBS=1" .. 
\ + && ninja -j"$(nproc)" && ninja install \ + && cp -rp "../install/include" "/usr/local/include/bssl" \ + && cp -rp "../install/lib" "/usr/local/lib/bssl" +# Build quiche with custom BoringSSL integration, enabling HTTP/3 and QUIC support +WORKDIR /root/quiche/quiche/deps +RUN rm -R boringssl \ + && ln -s /root/bssl boringssl + +WORKDIR /root/quiche +RUN cargo build --package quiche --release --features ffi,pkg-config-meta,qlog \ + && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 + +# Build and install cURL +WORKDIR /root/curl +RUN LIBS=-lpthread ./configure \ + LDFLAGS=-Wl,-rpath,/usr/local/lib/bssl \ + --with-openssl=/root/bssl/install \ + --with-quiche=/root/quiche/target/release \ + --without-libpsl \ + --prefix=/usr/local/curl \ + && make -j"$(nproc)" && make install + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. FROM ubuntu:latest +RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Copy necessary files from the build stage COPY --from=build /usr/local/include/bssl /usr/local/include/bssl COPY --from=build /usr/local/lib/bssl /usr/local/lib/bssl COPY --from=build /usr/local/curl /usr/local/curl -RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl +# Create a symbolic link for cURL +RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl \ No newline at end of file diff --git a/h2load/Dockerfile b/h2load/Dockerfile index 34bc4c39..5cc7f6aa 100644 --- a/h2load/Dockerfile +++ b/h2load/Dockerfile 
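Review bot: Both stages still use `FROM ubuntu:latest`, and the new clone lines fetch floating refs—`git clone --branch master --depth 1 ... boringssl.git bssl` and liboqs with no `--branch` at all—so the commit pins `CURL_VERSION` and `QUICHE_VERSION` as ARGs while the TLS stack underneath them is whatever upstream's default branch is on build day; pinning the base to a dated tag (ideally with a digest) and adding a tag/commit ARG to those two clones would make the image reproducible. The `wget -qO- ... | tar -xzf - -C /root/curl --strip-components=1` pipeline runs under the default `/bin/sh -c`, so a failed download is only surfaced indirectly through tar's exit status; `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that RUN makes the wget failure itself fatal, and a checksum on the tarball would be the natural next step. The runtime stage has no `USER` directive, so `curl` runs as root by default; since the final image only needs read access to `/usr/local/curl` and `/usr/local/lib/bssl`, a `useradd --system` plus `USER` before the closing `ln -s` line is cheap.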
@@ -1,54 +1,46 @@ # Multi-stage build: First the full builder image: -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -FROM alpine:${ALPINE_VERSION} AS intermediate - -ENV DEBIAN_FRONTEND=noninteractive - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations. +ARG ALPINE_VERSION=3.21.0 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the nghttp2 tag to be used ARG NGHTTP2_TAG=v1.64.0 - ARG INSTALLDIR=/opt/oqssa -# Update image and apt software -RUN apk update && apk upgrade - -# All build prerequisites for the various software packages: -RUN apk add bash git g++ make cmake ninja autoconf automake libtool \ +# Stage 1: Build - Compile and assemble all necessary components and dependencies. +FROM alpine:${ALPINE_VERSION} AS intermediate +ARG INSTALLDIR +ARG OPENSSL_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG NGHTTP2_TAG + +# Install required build tools and system dependencies. +RUN apk update && apk --no-cache add bash git g++ make cmake ninja autoconf automake libtool \ libev-dev libevent-dev openssl-dev openssl zlib c-ares-dev pkgconfig \ linux-headers zlib-dev jansson-dev +# Download and prepare source files needed for the build process. WORKDIR /opt - -# get all sources RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ git clone --depth 1 --branch ${NGHTTP2_TAG} https://github.com/nghttp2/nghttp2.git -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. 
&& ninja && ninja install +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. \ + && ninja && ninja install -# build openssl 3 +# Build and install OpenSSL WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ - if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ - if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \ + make -j"$(nproc)" && make install_sw install_ssldirs && \ + if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ + if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration. WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 
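Review bot: Quoting is applied unevenly in this hunk: the OpenSSL line quotes `--prefix="${INSTALLDIR}"` and the `[ -d ... ]` tests, but the liboqs `cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} ..` and the oqs-provider `cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} ... -DCMAKE_PREFIX_PATH=${INSTALLDIR}` lines stay bare, although the commit message says variables were quoted to avoid word splitting. Harmless for the default `/opt/oqssa`, but a build arg containing whitespace would break only the unquoted lines; `-DCMAKE_INSTALL_PREFIX="${INSTALLDIR}"` keeps the file consistent. Unlike the curl, haproxy and httpd variants, this liboqs build also omits `-DOQS_DIST_BUILD=ON`, which deserves a comment if the difference is intentional. The oqs-provider RUN that ends this hunk continues past it.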
@@ -59,24 +51,22 @@ RUN ln -s ../openssl . && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf - -# build nghttp2 +# Build and install nghttp2 WORKDIR /opt/nghttp2 -RUN LD_LIBRARY_PATH=${INSTALLDIR}/lib64 autoreconf -i && automake && autoconf && ./configure \ - PKG_CONFIG_PATH="/opt/oqssa/lib64/pkgconfig" && make -j$(nproc) install +RUN LD_LIBRARY_PATH="${INSTALLDIR}/lib64" autoreconf -i && automake && autoconf && ./configure \ + PKG_CONFIG_PATH="/opt/oqssa/lib64/pkgconfig" && make -j"$(nproc)" install # Copy all required shared object dependencies to a single directory -RUN mkdir /opt/lib && cd /opt/lib && \ - cp /usr/local/lib/libnghttp2.so.* . && \ - cp /usr/lib/libev.so.* . && \ - cp /opt/oqssa/lib64/libssl.so.* . && \ - cp /opt/oqssa/lib64/libcrypto.so.* . && \ - cp /usr/lib/libstdc++.so.* . && \ - cp /usr/lib/libgcc_s.so.* . - -## second stage: Only create minimal image without build tooling and intermediate build results generated above: +WORKDIR /opt/lib +RUN cp /usr/local/lib/libnghttp2.so.* . && \ + cp /usr/lib/libev.so.* . && \ + cp /opt/oqssa/lib64/libssl.so.* . && \ + cp /opt/oqssa/lib64/libcrypto.so.* . && \ + cp /usr/lib/libstdc++.so.* . && \ + cp /usr/lib/libgcc_s.so.* . + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. FROM alpine:${ALPINE_VERSION} AS dev -ENV DEBIAN_FRONTEND=noninteractive # copy executable COPY --from=intermediate /usr/local/bin/h2load /usr/local/bin diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile index eaa21aab..f253cc35 100644 --- a/haproxy/Dockerfile +++ b/haproxy/Dockerfile 
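Review bot: `INSTALLDIR` is now a stage-level build arg in this file, but the nghttp2 line still hard-codes `PKG_CONFIG_PATH="/opt/oqssa/lib64/pkgconfig"` right next to `LD_LIBRARY_PATH="${INSTALLDIR}/lib64"`, and the two sed edits on `/opt/oqssa/ssl/openssl.cnf` and the library copies (`cp /opt/oqssa/lib64/libssl.so.* .`) do the same, so overriding `INSTALLDIR` at build time would silently build against a path that does not exist. Replacing those literals with `"${INSTALLDIR}/..."` makes the override actually work. The `autoreconf -i && automake && autoconf` sequence is redundant—`autoreconf -i` already drives automake and autoconf—though that part is pre-existing. The runtime stage beginning at `FROM alpine:${ALPINE_VERSION} AS dev` continues past this hunk, so whether it ends with a `USER` cannot be checked here.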
@@ -1,34 +1,20 @@ -# Multi-stage build: First the full builder image: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations. +ARG ALPINE_VERSION=3.21.0 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the version of haproxy here ARG HAPROXY_RELEASE=3.0 ARG HAPROXY_MICRO=5 ARG HAPROXY_VERSION=${HAPROXY_RELEASE}.${HAPROXY_MICRO} - -# Default location where all binaries wind up: ARG INSTALLDIR=/opt/oqssa ARG HAPROXYDIR=/opt/haproxy -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" - -# Default KEM algorithms to be utilized +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms. ARG KEM_ALGLIST="kyber768:p384_kyber768" +ARG SIG_ALG=dilithium3 +# Stage 1: Build - Compile and assemble all necessary components and dependencies. FROM alpine:${ALPINE_VERSION} AS intermediate -# Take in all global args ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG 
@@ -36,41 +22,43 @@ ARG INSTALLDIR ARG HAPROXYDIR ARG LIBOQS_BUILD_DEFINES ARG KEM_ALGLIST +ARG SIG_ALG ARG HAPROXY_VERSION ARG HAPROXY_RELEASE -LABEL version "2" +LABEL version="2" -ENV DEBIAN_FRONTEND noninteractive +# Install required build tools and system dependencies. +RUN apk update && apk --no-cache add openssl make \ + build-base linux-headers openssl-dev \ + autoconf automake git libtool \ + unzip wget cmake ninja -# Get all software packages required for builing all components: -RUN apk update && apk upgrade && apk add openssl make build-base linux-headers openssl-dev autoconf automake git libtool unzip wget cmake ninja - -# get all sources +# Download and prepare source files needed for the build process. WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - wget http://www.haproxy.org/download/${HAPROXY_RELEASE}/src/haproxy-${HAPROXY_VERSION}.tar.gz && tar xzvf haproxy-${HAPROXY_VERSION}.tar.gz && mv haproxy-${HAPROXY_VERSION} $HAPROXYDIR + wget http://www.haproxy.org/download/${HAPROXY_RELEASE}/src/haproxy-${HAPROXY_VERSION}.tar.gz && \ + tar xzvf haproxy-${HAPROXY_VERSION}.tar.gz && \ + mv haproxy-${HAPROXY_VERSION} $HAPROXYDIR -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && \ - cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. 
-DOQS_DIST_BUILD=ON -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ ninja install -# build OpenSSL3 +# build and install OpenSSL WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make -j $(nproc) && \ - make install_sw install_ssldirs && \ - if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ - if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \ + make -j "$(nproc)" && make install_sw install_ssldirs && \ + if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ + if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi # set path to use 'new' openssl. Dyn libs have been properly linked in to match ENV PATH="${INSTALLDIR}/bin:${PATH}" -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration. WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 
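Review bot: The haproxy source is still fetched with `wget http://www.haproxy.org/download/${HAPROXY_RELEASE}/src/haproxy-${HAPROXY_VERSION}.tar.gz` over plain HTTP and unpacked with no integrity check, so the archive that gets compiled into the image is whatever the network path delivers; switching to `https://` and verifying a pinned digest before the `tar xzvf`, e.g. `echo "<SHA256_PLACEHOLDER>  haproxy-${HAPROXY_VERSION}.tar.gz" | sha256sum -c -`, closes that gap. The stage still declares `ARG LIBOQS_BUILD_DEFINES` (context line just above `ARG KEM_ALGLIST`), but the global default was removed in the first hunk and the liboqs cmake line now hard-codes `-DOQS_DIST_BUILD=ON`, so the ARG is dead and should be removed with it. `mv haproxy-${HAPROXY_VERSION} $HAPROXYDIR` is the one unquoted variable left in that RUN.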
@@ -79,31 +67,22 @@ RUN ln -s ../openssl . && \ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf - -ENV OPENSSL3_DIR=${INSTALLDIR} - -# build haproxy +# Build and install haproxy WORKDIR ${HAPROXYDIR} - -RUN make -j $(nproc) \ - LDFLAGS="-Wl,-rpath,$INSTALLDIR/lib64" \ - SSL_INC=$INSTALLDIR/include \ - SSL_LIB=$INSTALLDIR/lib64 \ - TARGET=linux-musl \ +RUN make -j "$(nproc)" \ + LDFLAGS="-Wl,-rpath,${INSTALLDIR}/lib64" \ + SSL_INC="${INSTALLDIR}/include" \ + SSL_LIB="${INSTALLDIR}/lib64" \ + TARGET="linux-musl" \ USE_OPENSSL=1 && \ - make PREFIX=$INSTALLDIR install + make PREFIX="${INSTALLDIR}" install -# prepare to run haproxy +# Prepare to run haproxy ENV OPENSSL=${INSTALLDIR}/bin/openssl ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf -# Set a default QSC signature algorithm from the list at https://github.com/open-quantum-safe/oqs-provider#algorithms -ARG SIG_ALG=dilithium3 - +# Generate CA key and certificate, server CSR, and server certificate WORKDIR ${HAPROXYDIR} - # generate CA key and cert - # generate server CSR - # generate server cert RUN set -x && \ mkdir pki && \ mkdir cacert && \ 
@@ -111,47 +90,43 @@ RUN set -x && \ ${OPENSSL} req -new -newkey ${SIG_ALG} -keyout pki/server.key -out pki/server.csr -nodes -subj "/CN=oqs-haproxy" -config ${OPENSSL_CNF} && \ ${OPENSSL} x509 -req -in pki/server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey cacert/CA.key -CAcreateserial -days 365 -## second stage: Only create minimal image without build tooling and intermediate build results generated above: +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations. FROM alpine:${ALPINE_VERSION} -# Take in all global args ARG INSTALLDIR ARG HAPROXYDIR ARG KEM_ALGLIST -# lighttpd as built-in backend -RUN apk add lighttpd -# +# Install essential runtime tools and libraries. +RUN apk update && apk --no-cache add lighttpd + # Only retain the ${*_PATH} contents in the final image COPY --from=intermediate ${HAPROXYDIR} ${HAPROXYDIR} COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR} -# copy the haproxy configuration file and set the supported Key exchange mechanisms +# Copy the haproxy configuration file and set the supported Key exchange mechanisms COPY conf ${HAPROXYDIR}/conf/ RUN sed -i "s|@@CURVES@@|$KEM_ALGLIST|g" ${HAPROXYDIR}/conf/haproxy.cfg WORKDIR ${HAPROXYDIR} +COPY lighttpd.conf /etc/lighttpd/lighttpd.conf +COPY lighttpd2.conf /etc/lighttpd/lighttpd2.conf +COPY start.sh ${HAPROXYDIR}/start.sh -ADD lighttpd.conf /etc/lighttpd/lighttpd.conf -ADD lighttpd2.conf /etc/lighttpd/lighttpd2.conf -ADD start.sh ${HAPROXYDIR}/start.sh +# Set up non-root user and configure permissions +RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && \ + mkdir -p ${HAPROXYDIR} /opt/lighttpd/log /opt/lighttpd/log2 && \ + chown -R oqs:oqs ${HAPROXYDIR} /opt/lighttpd/log /opt/lighttpd/log2 -# set up normal user -RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${HAPROXYDIR} - -# set up file permissions for lighttpd -RUN mkdir -p /opt/lighttpd/log && mkdir -p /opt/lighttpd/log2 && chown -R oqs.oqs 
/opt - -# set up demo backend using lighttpd: -RUN echo "Hello World from lighthttpd backend #1. If you see this, all is fine: lighttpd data served via haproxy protected by OQSSL..." > /var/www/localhost/htdocs/index.html -RUN mkdir -p /var/www/localhost2/htdocs && echo "Hello World from lighthttpd backend #2. If you see this, all is fine: lighttpd data served via haproxy protected by OQSSL..." > /var/www/localhost2/htdocs/index.html +# Configure demo backends using lighttpd +RUN mkdir -p /var/www/localhost/htdocs /var/www/localhost2/htdocs && \ + echo "Hello World from lighthttpd backend #1. If you see this, all is fine: lighttpd data served via haproxy protected by OQSSL..." > /var/www/localhost/htdocs/index.html && \ + echo "Hello World from lighthttpd backend #2. If you see this, all is fine: lighttpd data served via haproxy protected by OQSSL..." > /var/www/localhost2/htdocs/index.html +# Switch to non-root user and set up environment USER oqs +ENV PATH=${HAPROXYDIR}/sbin:$PATH -# Ensure haproxy just runs -ENV PATH ${HAPROXYDIR}/sbin:$PATH - +# Expose ports and set entrypoint EXPOSE 4433 - STOPSIGNAL SIGTERM - -CMD ["/opt/haproxy/start.sh"] +CMD ["/opt/haproxy/start.sh"] \ No newline at end of file diff --git a/httpd/Dockerfile b/httpd/Dockerfile index ef099b9e..f4a08c99 100644 --- a/httpd/Dockerfile +++ b/httpd/Dockerfile 
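Review bot: The permissions step narrows `chown -R oqs:oqs` from the old `/opt` to `${HAPROXYDIR} /opt/lighttpd/log /opt/lighttpd/log2`, which is good least-privilege hygiene, but `${INSTALLDIR}` (copied in two lines earlier) is now root-owned under `USER oqs`; nothing visible in this diff writes there, yet `start.sh` is not shown, so that should be confirmed before merging. The `mkdir -p ${HAPROXYDIR}` in the same RUN is redundant, since `COPY --from=intermediate ${HAPROXYDIR} ${HAPROXYDIR}` and `COPY conf ${HAPROXYDIR}/conf/` have already created it. As `EXPOSE 4433` is documentation only, a `HEALTHCHECK` against that port would let orchestrators notice a wedged `start.sh`; that applies to the other long-running service images in this patch too.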
@@ -1,55 +1,24 @@ -# Multi-stage build: First the full builder image: - -# First: global build arguments: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG ALPINE_VERSION=3.21.0 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" - -# installation paths -ARG OPENSSL_PATH=/opt/openssl -ARG HTTPD_PATH=/opt/httpd - -# defines the QSC signature algorithm used for the certificates: -ARG SIG_ALG="dilithium3" - -# defines default KEM groups to be announced -ARG DEFAULT_GROUPS="kyber768:p384_kyber768" - -# define the httpd version to include ARG HTTPD_VERSION=2.4.62 - -# define the APR version to include ARG APR_VERSION=1.7.5 - -# define the APR util version to include ARG APRU_VERSION=1.6.3 - -# define the mirror from which to fetch the APR and APR-util source code +ARG OPENSSL_PATH=/opt/openssl +ARG HTTPD_PATH=/opt/httpd ARG APR_MIRROR="https://dlcdn.apache.org" -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -# A CI system with less than 4 cores should be avoided -ARG MAKE_DEFINES="-j 4" - +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms +ARG SIG_ALG="dilithium3" +ARG DEFAULT_GROUPS="kyber768:p384_kyber768" +# Stage 1: Build - Compile and assemble all necessary components and dependencies FROM alpine:${ALPINE_VERSION} AS intermediate -# Take in global args ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG -ARG LIBOQS_BUILD_DEFINES ARG OPENSSL_PATH ARG HTTPD_PATH ARG SIG_ALG 
@@ -57,17 +26,14 @@ ARG HTTPD_VERSION ARG APR_VERSION ARG APRU_VERSION ARG APR_MIRROR -ARG MAKE_DEFINES ARG DEFAULT_GROUPS -# Get all software packages required for builing all components: -RUN apk add build-base linux-headers \ +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add build-base linux-headers \ libtool automake autoconf cmake ninja \ - make \ - git wget pcre-dev \ - expat-dev + make git wget pcre-dev expat-dev -# get sources +# Download and prepare source files needed for the build process WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl ossl-src && \ 
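Review bot: `RUN apk update && apk --no-cache add …` is self-defeating: `apk update` writes the package index into `/var/cache/apk` in this layer, which is exactly what `--no-cache` was meant to avoid, and `--no-cache` already fetches a fresh index on its own. Use `RUN apk add --no-cache build-base linux-headers \` and drop the `apk update`. The same pattern appears in the runtime stage of this file, in locust/Dockerfile and in both stages of nginx/Dockerfile. The packages are also unpinned (hadolint DL3018), so two builds of the same Dockerfile can pull different toolchains.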
@@ -76,48 +42,54 @@ RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-s wget ${APR_MIRROR}/apr/apr-util-${APRU_VERSION}.tar.gz && tar xzvf apr-util-${APRU_VERSION}.tar.gz && \ wget --trust-server-names "https://archive.apache.org/dist/httpd/httpd-${HTTPD_VERSION}.tar.gz" && tar -zxvf httpd-${HTTPD_VERSION}.tar.gz; -# build OpenSSL3 +# Build and install OpenSSL WORKDIR /opt/ossl-src -RUN LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_PATH}/lib64" ./config no-shared --prefix=${OPENSSL_PATH} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ - if [ -d ${OPENSSL_PATH}/lib64 ]; then ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; fi && \ - if [ -d ${OPENSSL_PATH}/lib ]; then ln -s ${OPENSSL_PATH}/lib ${OPENSSL_PATH}/lib64; fi - -# build liboqs (shared lib only for oqsprovider) -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=${OPENSSL_PATH} && ninja && ninja install - -# build oqs-provider +RUN LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_PATH}/lib64" ./config no-shared --prefix="${OPENSSL_PATH}" && \ + make -j"$(nproc)" && make install_sw install_ssldirs && \ + if [ -d "${OPENSSL_PATH}/lib64" ]; then ln -s "${OPENSSL_PATH}/lib64" "${OPENSSL_PATH}/lib"; fi && \ + if [ -d "${OPENSSL_PATH}/lib" ]; then ln -s "${OPENSSL_PATH}/lib" "${OPENSSL_PATH}/lib64"; fi + +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. \ + -DOQS_DIST_BUILD=ON -DBUILD_SHARED_LIBS=ON \ + -DCMAKE_INSTALL_PREFIX=${OPENSSL_PATH} && \ + ninja && ninja install + +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider -RUN rm -rf build && cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_PREFIX_PATH=${OPENSSL_PATH} -S . 
-B build && cmake --build build && export MODULESDIR=$(find ${OPENSSL_PATH} -name ossl-modules) && cp build/lib/oqsprovider.so $MODULESDIR/oqsprovider.so - -# create openssl.cnf activating oqsprovider & setting default groups -RUN sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ +RUN cmake -DOPENSSL_ROOT_DIR="${OPENSSL_PATH}" -DCMAKE_PREFIX_PATH="${OPENSSL_PATH}" -S . -B build && \ + cmake --build build && \ + MODULESDIR="$(find "${OPENSSL_PATH}" -name ossl-modules)" && \ + cp build/lib/oqsprovider.so "${MODULESDIR}/oqsprovider.so" && \ + sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \ sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OPENSSL_PATH}/ssl/openssl.cnf -# build httpd +# Build and install httpd WORKDIR /opt -RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" apr-${APR_VERSION}/configure && \ - cd apr-${APR_VERSION} && ./configure && make ${MAKE_DEFINES} && make install && cd .. 
&& \ - cd apr-util-${APRU_VERSION} && ./configure x86_64-pc-linux-gnu --with-crypto --with-openssl=${OPENSSL_PATH} --with-apr=/usr/local/apr && make ${MAKE_DEFINES} && make install +RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" "apr-${APR_VERSION}/configure" && \ + ./apr-${APR_VERSION}/configure && make -j"$(nproc)" && make install + +WORKDIR /opt/apr-util-${APRU_VERSION} +RUN ./configure x86_64-pc-linux-gnu --with-crypto --with-openssl="${OPENSSL_PATH}" --with-apr="/usr/local/apr" && \ + make -j"$(nproc)" && make install WORKDIR /opt/httpd-${HTTPD_VERSION} -RUN ./configure --prefix=${HTTPD_PATH} \ +RUN ./configure --prefix="${HTTPD_PATH}" \ --enable-debugger-mode \ - --enable-ssl --with-ssl=${OPENSSL_PATH} \ + --enable-ssl --with-ssl="${OPENSSL_PATH}" \ --enable-ssl-staticlib-deps \ --enable-mods-static=ssl && \ - make ${MAKE_DEFINES} && make install; + make -j"$(nproc)" && make install; # prepare to run httpd ARG OPENSSL_CNF=${OPENSSL_PATH}/ssl/openssl.cnf WORKDIR ${HTTPD_PATH} - # generate CA key and cert - # generate server CSR - # generate server cert + +# Generate CA key and certificate, create server CSR, and issue server certificate RUN set -x && \ mkdir pki && \ mkdir cacert && \ 
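Review bot: `./apr-${APR_VERSION}/configure && make -j"$(nproc)" && make install` now runs from `/opt` instead of inside the APR source tree as the removed lines did, so the generated Makefile and objects land in `/opt`; unless APR's configure is known to support out-of-tree builds, `WORKDIR /opt/apr-${APR_VERSION}` followed by `./configure` keeps the original behaviour and matches the `WORKDIR /opt/apr-util-${APRU_VERSION}` step that follows. In the oqs-provider step, `MODULESDIR="$(find "${OPENSSL_PATH}" -name ossl-modules)"` is never checked: if `find` returns nothing, `cp` writes `oqsprovider.so` into `/` and the build continues, so add `test -n "${MODULESDIR}" && \` before the `cp`. The APR, APR-util and httpd tarballs fetched at the top of the hunk are still installed without being verified against the checksums or signatures Apache publishes next to them.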
@@ -125,48 +97,45 @@ RUN set -x && \ ${OPENSSL_PATH}/bin/openssl req -new -newkey ${SIG_ALG} -keyout pki/server.key -out pki/server.csr -nodes -subj "/CN=oqs-httpd" -config ${OPENSSL_CNF} && \ ${OPENSSL_PATH}/bin/openssl x509 -req -in pki/server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey cacert/CA.key -CAcreateserial -days 365 -# Some size optimization: -RUN rm -rf ${HTTPD_PATH}/bin/ab - -# second stage: Only create minimal image without build tooling and intermediate build results generated above: +# Stage 2: Runtime - Lightweight image with essential binaries and configurations FROM alpine:${ALPINE_VERSION} - -LABEL version="3" - -# Take in global args ARG HTTPD_PATH ARG OPENSSL_PATH -# -RUN apk add pcre-dev expat-dev -# -# Only retain the ${*_PATH} contents in the final image -COPY --from=intermediate ${HTTPD_PATH} ${HTTPD_PATH} -# copy over manually build libapr{util} -COPY --from=intermediate /usr/local/apr/lib /usr/local/apr/lib -# Need to copy over OpenSSL3 libs and conf for oqsprovider use +# Install runtime tools and dependencies +RUN apk update && apk --no-cache add pcre-dev expat-dev + +# Copy necessary components from the build stage +COPY --from=intermediate ${HTTPD_PATH} ${HTTPD_PATH} +COPY --from=intermediate /usr/local/apr/lib /usr/local/apr/lib COPY --from=intermediate ${OPENSSL_PATH}/ssl ${OPENSSL_PATH}/ssl COPY --from=intermediate ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib64 -RUN ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; +# Create symbolic links for OpenSSL library paths +RUN ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib +# Copy HTTPD configuration files COPY httpd-conf/httpd-ssl.conf ${HTTPD_PATH}/httpd-conf/httpd-ssl.conf COPY httpd-conf/httpd.conf ${HTTPD_PATH}/httpd-conf/httpd.conf -WORKDIR ${HTTPD_PATH} -# forward request and error logs to docker log collector +# Configure log forwarding +WORKDIR ${HTTPD_PATH} RUN ln -sf /dev/stdout ${HTTPD_PATH}/logs/access_log && \ - ln -sf /dev/stderr ${HTTPD_PATH}/logs/error_log; -# -RUN 
addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${HTTPD_PATH} + ln -sf /dev/stderr ${HTTPD_PATH}/logs/error_log + +# Set up non-root user for improved security, adjust ownership +RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && \ + chown -R oqs:oqs ${HTTPD_PATH} + +# Switch to the non-root user USER oqs -# Ensure httpd just runs -ENV PATH ${HTTPD_PATH}/bin:$PATH +# Set PATH to include HTTPD binaries for runtime execution +ENV PATH="${HTTPD_PATH}/bin:$PATH" +# Expose port for secure communication EXPOSE 4433 -# -STOPSIGNAL SIGTERM - -CMD ["httpd", "-f", "httpd-conf/httpd.conf", "-D", "FOREGROUND"] +# Specify stop signal and startup command for HTTPD +STOPSIGNAL SIGTERM +CMD ["httpd", "-f", "httpd-conf/httpd.conf", "-D", "FOREGROUND"] \ No newline at end of file diff --git a/locust/Dockerfile b/locust/Dockerfile index c35abc68..10383994 100644 --- a/locust/Dockerfile +++ b/locust/Dockerfile 
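Review bot: The removed `RUN rm -rf ${HTTPD_PATH}/bin/ab` is not restored anywhere, so the runtime image now ships ApacheBench next to the server; the commit message does not mention this and the runtime stage has no use for a load generator, so `rm -rf ${HTTPD_PATH}/bin/ab` should return to the build stage before `COPY --from=intermediate ${HTTPD_PATH} ${HTTPD_PATH}`. That same `COPY` carries `cacert/CA.key` into the runtime image, where `chown -R oqs:oqs ${HTTPD_PATH}` hands it to the service user; if the CA key is only needed to issue the server certificate at build time, exclude `cacert/` from the copy or delete the key in the build stage. The `\ No newline at end of file` on the final `CMD` is worth fixing in the same pass.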
@@ -1,84 +1,61 @@ -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG ALPINE_VERSION=3.21.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the openssl version to be baked in -ARG OPENSSL_BRANCH=openssl-3.3.2 - -# Default location where all binaries wind up: +ARG OPENSSL_BRANCH=openssl-3.4.0 +ARG PYTHON_VERSION=3.13.1 ARG INSTALLDIR=/opt/oqssa -# Default Python version to be used -ARG PYTHON_VERSION=3.12.6 - -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" - -# Default root CA signature algorithm; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms ARG SIG_ALG="dilithium3" - -# Default KEM algorithms; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms ARG DEFAULT_GROUPS="x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024" -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -ARG MAKE_DEFINES="-j 16" - -# Define the Alpine version to be used -ARG ALPINE_VERSION=3.20.3 - FROM alpine:${ALPINE_VERSION} -# Take in all global args ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG INSTALLDIR -ARG LIBOQS_BUILD_DEFINES ARG SIG_ALG ARG DEFAULT_GROUPS -ARG MAKE_DEFINES ARG PYTHON_VERSION ARG OPENSSL_BRANCH LABEL version="1" -ENV DEBIAN_FRONTEND noninteractive ENV LD_LIBRARY_PATH=${INSTALLDIR}/lib -RUN apk update && apk upgrade -# Get all software packages required for builing all components: -RUN apk add build-base linux-headers \ - libtool automake autoconf cmake ninja \ - make \ - git wget vim nano zlib-dev py3-pip tcpdump python3-dev +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add \ + build-base 
linux-headers \ + libtool automake autoconf cmake ninja \ + make git wget vim nano zlib-dev \ + py3-pip tcpdump python3-dev -# get all sources +# Download and prepare source files needed for the build process WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_BRANCH} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git -# build OpenSSL3 +# Build and install OpenSSL WORKDIR /opt/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared enable-zlib no-comp --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs install_dev && \ + make -j"$(nproc)" && make install_sw install_ssldirs install_dev && \ if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && \ - cd build && \ - cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. -DOQS_DIST_BUILD=ON \ + -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ ninja install -# set path to use 'new' openssl. Dyn libs have been properly linked in to match +# Update PATH and library path to use the newly built OpenSSL ENV PATH="${INSTALLDIR}/bin:${PATH}" ENV LD_LIBRARY_PATH=${INSTALLDIR}/lib -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 
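Review bot: `ENV LD_LIBRARY_PATH=${INSTALLDIR}/lib` at the top of the stage is repeated with the same value right after the liboqs build, so the first occurrence can be dropped. The ARG block also loses the comments that said `SIG_ALG` and `DEFAULT_GROUPS` may be any name listed by oqs-provider; keep a one-liner such as `# Any signature/KEM algorithm supported by oqs-provider may be used here` above `ARG SIG_ALG`. `RUN apk update && apk --no-cache add` has the cache issue noted on httpd/Dockerfile.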
@@ -90,26 +67,29 @@ RUN ln -s ../openssl . && \ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" /opt/oqssa/ssl/openssl.cnf -# generate certificates for openssl s_server +# Set OpenSSL executable and configuration paths ENV OPENSSL=${INSTALLDIR}/bin/openssl ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf +# Generate CA key and certificate WORKDIR ${INSTALLDIR}/bin -# generate CA key and cert RUN set -x; \ ${OPENSSL} req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF} -# Download current test.openquantumsafe.org test CA cert +# Download and save test CA certificate from Open Quantum Safe server WORKDIR ${INSTALLDIR} RUN wget --no-check-certificate https://test.openquantumsafe.org/CA.crt && \ mv CA.crt oqs-testca.pem -# Install Locust -RUN mkdir /home/locust && cd /home/locust +# Set Python build environment flags ENV CFLAGS="-I/opt/python-${PYTHON_VERSION}-custom/include/${PYTHON_VERSION}" ENV LDFLAGS="-L/opt/python-${PYTHON_VERSION}-custom/lib" + +# Install Locust dependencies +WORKDIR /home/locust COPY requirements.txt /home/locust -RUN pip3 install --break-system-packages --upgrade pip -RUN pip3 install --break-system-packages -r /home/locust/requirements.txt -ADD / /mnt/locust +RUN pip3 install --no-cache-dir --break-system-packages --upgrade pip && \ + pip3 install --no-cache-dir --break-system-packages -r /home/locust/requirements.txt +# Copy Locust test scripts +COPY / /mnt/locust \ No newline at end of file diff --git a/locust/docker-compose.yaml b/locust/docker-compose.yaml index 02e47e65..748a0db1 100644 --- a/locust/docker-compose.yaml +++ b/locust/docker-compose.yaml 
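Review bot: `ENV CFLAGS="-I/opt/python-${PYTHON_VERSION}-custom/include/${PYTHON_VERSION}"` and the matching `LDFLAGS` now point at `/opt/python-3.13.1-custom`, a tree nothing in this Dockerfile creates — the interpreter comes from the `python3-dev`/`py3-pip` apk packages installed earlier — so these flags look dead and, being `ENV`, also leak into the runtime environment; verify and either drop them or scope them to the `pip3 install` step. `COPY / /mnt/locust` copies the entire build context, so a `.dockerignore` is needed to keep `.git`, local keys and similar out of the image. `pip3 install --no-cache-dir --break-system-packages --upgrade pip` is unpinned while the rest of the file pins versions. The unchanged `wget --no-check-certificate https://test.openquantumsafe.org/CA.crt` fetches a trust anchor without TLS verification, presumably because wget cannot validate that server's certificate; pinning the downloaded file's digest would at least make a substitution detectable.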
@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   master:
     image: oqs-locust:0.0.1
diff --git a/mosquitto/Dockerfile b/mosquitto/Dockerfile
index 67e8e01d..ab0bf064 100644
--- a/mosquitto/Dockerfile
+++ b/mosquitto/Dockerfile
@@ -1,161 +1,130 @@ -# Original Dockerfile made by Chia-Chin Chung <60947091s@gapps.ntnu.edu.tw> -# Multi-stage build: First the full builder image: - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG UBUNTU_VERSION=24.04 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# Default location where all binaries wind up: +ARG MOSQUITTO_TAG=v2.0.20 ARG INSTALLDIR=/opt/oqssa +ARG BROKER_IP=localhost +ARG PUBLISHER_IP=localhost +ARG SUBSCRIBER_IP=localhost -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" +# Default example shell script to execute +ARG EXAMPLE=broker-start.sh -# Default KEM algorithms to be utilized +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms ARG KEM_ALGLIST="kyber768:p384_kyber768" - -# Default Signature algorithm to be used ARG SIG_ALG="dilithium3" -ARG MOSQUITTO_TAG=v2.0.20 - -# define IP addresses or Domain Name -ARG BROKER_IP=localhost -ARG PUB_IP=localhost -ARG SUB_IP=localhost - -# choose the shell script(simple example) -ARG EXAMPLE=broker-start.sh - -# First stage: the full build image: -FROM ubuntu:22.04 AS builder +# Stage 1: Build - Compile and assemble all necessary components and dependencies +FROM ubuntu:${UBUNTU_VERSION} AS builder -# Set timezone -ARG TZ=Europe/London ENV DEBIAN_FRONTEND=noninteractive ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG +ARG MOSQUITTO_TAG ARG INSTALLDIR -ARG HAPROXYDIR -ARG LIBOQS_BUILD_DEFINES ARG KEM_ALGLIST -ARG MOSQUITTO_TAG -# Update image and install all prerequisites -RUN apt update && apt install -y build-essential \ - cmake \ - gcc \ - libtool \ - libssl-dev \ - make \ - ninja-build \ - git \ - doxygen \ - libcjson1 \ - libcjson-dev \ - uthash-dev \ - libcunit1-dev \ - libsqlite3-dev \ - 
xsltproc \ - docbook-xsl && \ - apt clean - -# get all sources +# Install required build tools and system dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + build-essential cmake gcc libtool ca-certificates \ + libssl-dev make ninja-build git \ + doxygen libcjson1 libcjson-dev uthash-dev \ + libcunit1-dev libsqlite3-dev xsltproc docbook-xsl \ + && apt-get clean && rm -rf /var/lib/apt/lists/* + +# Download and prepare source files needed for the build process WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ git clone --depth 1 --branch ${MOSQUITTO_TAG} https://github.com/eclipse/mosquitto.git -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && \ - cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. -DOQS_DIST_BUILD=ON \ + -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && \ ninja install -# build OpenSSL3 +# Build and install OpenSSL WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make -j $(nproc) && \ - make install_sw install_ssldirs && \ - if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ - if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" \ + ./config shared --prefix="${INSTALLDIR}" && \ + make -j"$(nproc)" && make install_sw install_ssldirs && \ + if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ + if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi -# set path to use 'new' openssl. 
Dyn libs have been properly linked in to match +# Set PATH to include the new OpenSSL binaries ENV PATH="${INSTALLDIR}/bin:${PATH}" -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ - cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ - cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ + cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ + cmake --build _build && \ + cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf # Build and install Mosquitto WORKDIR /opt/mosquitto -RUN make -j$(nproc) && \ - make install +RUN make -j"$(nproc)" && make install + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations +FROM ubuntu:${UBUNTU_VERSION} -# Second stage: Only create minimal image: -FROM ubuntu:22.04 -RUN apt update && apt install -y libcjson1 +# Install essential runtime tools and libraries +RUN apt-get update && apt-get install -y --no-install-recommends \ + ca-certificates libcjson1 \ + && apt-get clean && rm -rf /var/lib/apt/lists/* +# Set variables for installation, cryptography, networking, and runtime behavior. 
+ARG INSTALLDIR ARG SIG_ALG -ENV SIG_ALG=${SIG_ALG} ARG BROKER_IP -ENV BROKER_IP=${BROKER_IP} -ARG PUB_IP -ENV PUB_IP=${PUB_IP} -ARG SUB_IP -ENV SUB_IP=${SUB_IP} +ARG PUBLISHER_IP +ARG SUBSCRIBER_IP ARG EXAMPLE +ARG KEM_ALGLIST + +ENV SIG_ALG=${SIG_ALG} +ENV BROKER_IP=${BROKER_IP} +ENV PUBLISHER_IP=${PUBLISHER_IP} +ENV SUBSCRIBER_IP=${SUBSCRIBER_IP} ENV EXAMPLE=${EXAMPLE} -ARG KEM_ALGLIST -# Set the TLS_DEFAULT_GROUPS environment variable to permit selection of QSC KEMs, by default the ones associated with the openssl configuration are chosen +# Define QSC KEM groups for OpenSSL, prioritizing those specified in the configuration or defaults ENV TLS_DEFAULT_GROUPS=${KEM_ALGLIST} -ARG INSTALLDIR - -# Copy files from the local storage to a destination in the Docker image -WORKDIR / -RUN mkdir test -ADD . /test -RUN chmod 777 /test/* && sed -i 's/\r//' /test/* +# Copy testing shell scripts to the container +WORKDIR /test +COPY . . +RUN chmod 777 /test/* -# openssl +# Copy required files from the builder stage COPY --from=builder ${INSTALLDIR} ${INSTALLDIR} -# Mosquitto COPY --from=builder /usr/local/lib /usr/local/lib COPY --from=builder /usr/local/bin /usr/local/bin COPY --from=builder /usr/local/sbin /usr/local/sbin -# Dynamically link to mosquitto +# Link Mosquitto library and update cache RUN ln -s /usr/local/lib/libmosquitto.so.1 /usr/lib/libmosquitto.so.1 && ldconfig -# Dynamically link to Newly built OpenSSL +# Set environment variables for OpenSSL library path and executable search path ENV LD_LIBRARY_PATH=$INSTALLDIR/lib64 - -# Set path ENV PATH="/usr/local/bin:/usr/local/sbin:${INSTALLDIR}/bin:$PATH" -# Generate the CA key and the cert +# Generate CA key and certificate for MQTT RUN openssl req -x509 -new -newkey $SIG_ALG -keyout /test/CA.key -out /test/CA.crt -nodes -subj "/O=test-ca" -days 3650 -# MQTTS port +# Expose MQTT TLS port and set runtime configurations EXPOSE 8883 - -# Run shell script WORKDIR /test -CMD /bin/bash $EXAMPLE - -STOPSIGNAL SIGTERM 
+CMD ["/bin/bash", "-c", "$EXAMPLE"] +STOPSIGNAL SIGTERM \ No newline at end of file diff --git a/nginx/Dockerfile b/nginx/Dockerfile index e44233ab..0bdb80f5 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile 
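Review bot: `CMD ["/bin/bash", "-c", "$EXAMPLE"]` no longer runs the script file: with `EXAMPLE=broker-start.sh` bash resolves `broker-start.sh` through `PATH`, which does not contain `/test`, so the container exits with "command not found" where the old `CMD /bin/bash $EXAMPLE` executed the script from the working directory. `CMD ["/bin/bash", "-c", "exec /bin/bash /test/$EXAMPLE"]` keeps exec form and the original behaviour. Renaming the `PUB_IP`/`SUB_IP` environment variables to `PUBLISHER_IP`/`SUBSCRIBER_IP` breaks any script under `/test` that reads the old names, and no script is touched by this commit. `RUN chmod 777 /test/*` also drops the `sed -i 's/\r//' /test/*` the original did, so scripts checked out with CRLF endings will fail, and 777 is wider than needed — `chmod 755 /test/*` suffices.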
@@ -1,83 +1,59 @@ -# Multi-stage build: First the full builder image: - -# First: global build arguments: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG ALPINE_VERSION=3.21.0 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" - -# base install path +ARG NGINX_VERSION=1.27.2 ARG BASEDIR="/opt" - -# installation paths ARG INSTALLDIR=${BASEDIR}/nginx -# defines the QSC signature algorithm used for the certificates: +# Specify supported signature and key encapsulation mechanisms (KEM) algorithms ARG SIG_ALG="dilithium3" - -# defines the list of default groups to be activated in nginx-openssl config: ARG DEFAULT_GROUPS=x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024 -# define the nginx version to include -ARG NGINX_VERSION=1.27.2 - -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -ARG MAKE_DEFINES="-j 18" - - +# Stage 1: Build - Compile and assemble all necessary components and dependencies FROM alpine:${ALPINE_VERSION} AS intermediate -# Take in global args ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG +ARG NGINX_VERSION ARG BASEDIR -ARG LIBOQS_BUILD_DEFINES ARG INSTALLDIR ARG SIG_ALG -ARG NGINX_VERSION -ARG MAKE_DEFINES ARG DEFAULT_GROUPS ARG OSSLDIR=${BASEDIR}/openssl/.openssl +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add \ + build-base linux-headers libtool \ + automake autoconf make cmake ninja \ + openssl openssl-dev git wget pcre-dev -# Get all software packages required for builing all components: -RUN apk add 
build-base linux-headers \ - libtool automake autoconf cmake ninja \ - make \ - openssl openssl-dev \ - git wget pcre-dev - -# get OQS sources +# Download and prepare source files needed for the build process WORKDIR /opt -RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ - git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ - git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ - wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz; - -# build liboqs (static only) -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. && ninja && ninja install - -# build nginx (also building openssl) +RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs \ + && git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git \ + && git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git \ + && wget -q nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \ + && tar -zxf nginx-${NGINX_VERSION}.tar.gz \ + && rm nginx-${NGINX_VERSION}.tar.gz + +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" \ + -DOQS_DIST_BUILD=ON \ + -DBUILD_SHARED_LIBS=OFF \ + -DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" .. 
\ + && ninja -j"$(nproc)" && ninja install + +# Build and install Nginx with custom OpenSSL and SSL support WORKDIR /opt/nginx-${NGINX_VERSION} RUN ./configure --prefix=${INSTALLDIR} \ - --with-debug \ - --with-http_ssl_module --with-openssl=/opt/openssl \ - --without-http_gzip_module && \ - make ${MAKE_DEFINES} && make install; + --with-debug --with-http_ssl_module \ + --with-openssl=/opt/openssl --without-http_gzip_module && \ + make -j"$(nproc)" && make install -# create openssl.cnf activating oqsprovider & setting default groups +# Configure OpenSSL to support the oqs-provider RUN mkdir -p ${OSSLDIR=}/ssl && \ cp /opt/openssl/apps/openssl.cnf ${OSSLDIR}/ssl/ && \ sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OSSLDIR}/ssl/openssl.cnf && \ 
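Review bot: `wget -q nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` has no scheme, so wget fetches the nginx source over plain HTTP, and nothing checks the tarball before it is configured, built and installed; use `https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` and verify it against the published signature or a pinned digest, e.g. `echo "<sha256-placeholder>  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -`. The unchanged `mkdir -p ${OSSLDIR=}/ssl` is a typo for `${OSSLDIR}/ssl` (the `=` form assigns a default when unset) that only works because `OSSLDIR` is always set. `RUN apk update && apk --no-cache add` has the cache issue noted on httpd/Dockerfile.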
@@ -85,75 +61,69 @@ RUN mkdir -p ${OSSLDIR=}/ssl && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OSSLDIR}/ssl/openssl.cnf && \ sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OSSLDIR}/ssl/openssl.cnf -# build oqsprovider +# Build and install OQS provider WORKDIR /opt/oqs-provider - -RUN ln -s /opt/nginx/include/oqs ${OSSLDIR}/include && \ +RUN ln -s "/opt/nginx/include/oqs" "${OSSLDIR}/include" && \ rm -rf build && \ - cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OSSLDIR} -DCMAKE_PREFIX_PATH=$INSTALLDIR -S . -B build && \ + cmake -DCMAKE_BUILD_TYPE=Debug \ + -DOPENSSL_ROOT_DIR="${OSSLDIR}" \ + -DCMAKE_PREFIX_PATH="${INSTALLDIR}" \ + -S . -B build && \ cmake --build build && \ - export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules) && \ - cp build/lib/oqsprovider.so $MODULESDIR && \ - mkdir -p ${OSSLDIR}/lib64 && \ - ln -s ${OSSLDIR}/lib/ossl-modules ${OSSLDIR}/lib64 && \ - rm -rf ${INSTALLDIR}/lib64 - + MODULESDIR=$(find "${OSSLDIR}" -name ossl-modules) && \ + export MODULESDIR && \ + cp build/lib/oqsprovider.so "${MODULESDIR}" && \ + mkdir -p "${OSSLDIR}/lib64" && \ + ln -s "${OSSLDIR}/lib/ossl-modules" "${OSSLDIR}/lib64" && \ + rm -rf "${INSTALLDIR:?}/lib64" + +# Minimize image size, generate CA/server certificates, then cleanup WORKDIR ${INSTALLDIR} +ENV PATH="${INSTALLDIR}/sbin:${OSSLDIR}/bin:${PATH}" -# Test/Utilize oqsprovider: - # generate CA key and cert - # generate server CSR - # generate server cert - -ENV PATH ${INSTALLDIR}/sbin:${OSSLDIR}/bin:$PATH -# begin optimizing sizes: -RUN strip ${OSSLDIR}/lib/*.a ${OSSLDIR}/lib64/ossl-modules/oqsprovider.so ${INSTALLDIR}/sbin/* ${INSTALLDIR}/sbin/* -RUN set -x && \ - mkdir cacert && \ - mkdir pki && \ - openssl req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out cacert/CA.crt -nodes -subj "/CN=oqstest CA" -days 
365 -config ${OSSLDIR}/ssl/openssl.cnf && \ - openssl req -new -newkey ${SIG_ALG} -keyout pki/server.key -out server.csr -nodes -subj "/CN=oqs-nginx" -config ${OSSLDIR}/ssl/openssl.cnf && \ - openssl x509 -req -in server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey CA.key -CAcreateserial -days 365 - -# further optimize sizes: -RUN rm ${OSSLDIR}/bin/* - -# second stage: Only create minimal image without build tooling and intermediate build results generated above: +RUN set -ex && \ + strip "${OSSLDIR}/lib/"*.a "${OSSLDIR}/lib64/ossl-modules/oqsprovider.so" "${INSTALLDIR}/sbin/"* "${INSTALLDIR}/sbin/"* && \ + mkdir -p cacert pki && \ + openssl req -x509 -new -newkey "${SIG_ALG}" -keyout CA.key -out cacert/CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config "${OSSLDIR}/ssl/openssl.cnf" && \ + openssl req -new -newkey "${SIG_ALG}" -keyout pki/server.key -out server.csr -nodes -subj "/CN=oqs-nginx" -config "${OSSLDIR}/ssl/openssl.cnf" && \ + openssl x509 -req -in server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey CA.key -CAcreateserial -days 365 && \ + rm -f "${OSSLDIR}/bin/"* + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations FROM alpine:${ALPINE_VERSION} -# Take in global args -ARG LIBOQS_BUILD_DEFINES ARG INSTALLDIR ARG SIG_ALG ARG BASEDIR ARG OSSLDIR=${BASEDIR}/openssl/.openssl -LABEL version="3" - -RUN apk add pcre-dev +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add pcre-dev -# Only retain the ${*_PATH} contents in the final image +# Copy compiled artifacts and configuration from the intermediate stage COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR} COPY --from=intermediate ${OSSLDIR} ${OSSLDIR} COPY nginx-conf/ ${INSTALLDIR}/nginx-conf -WORKDIR ${INSTALLDIR} - -# forward request and error logs to docker log collector -RUN ln -sf /dev/stdout ${INSTALLDIR}/logs/access.log && \ - ln -sf /dev/stderr ${INSTALLDIR}/logs/error.log; +# Link logs to Docker collector 
+RUN set -ex && \ + ln -sf /dev/stdout "${INSTALLDIR}/logs/access.log" && \ + ln -sf /dev/stderr "${INSTALLDIR}/logs/error.log" -# This expose command needs to be in line with what's spec'd in nginx.conf: +# This expose command needs to be in line with what's specified in nginx.conf: EXPOSE 4433 -# Ensure nginx just runs -ENV PATH ${INSTALLDIR}/sbin:$PATH +# From Nginx 1.25.2: "nginx does not try to load OpenSSL configuration if the +# --with-openssl option was used to build OpenSSL and the OPENSSL_CONF +# environment variable is not set." Hence we must explicitly set OPENSSL_CONF. +ENV PATH="${INSTALLDIR}/sbin:${PATH}" \ + OPENSSL_CONF="${OSSLDIR}/ssl/openssl.cnf" -STOPSIGNAL SIGTERM +# Create non-root user and update permissions +RUN addgroup -g 1000 -S oqs \ + && adduser --uid 1000 -S oqs -G oqs \ + && chown -R oqs:oqs "${INSTALLDIR}" -# Enable a normal user to create new server keys off set CA -RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${INSTALLDIR} +# Run as non-root user USER oqs -# From nginx 1.25.2: "nginx does not try to load OpenSSL configuration if the --with-openssl option was used to built OpenSSL and the OPENSSL_CONF environment variable is not set". -# We therefore have to set the OPENSSL_CONF environment variable. -ENV OPENSSL_CONF ${OSSLDIR}/ssl/openssl.cnf -CMD ["nginx", "-c", "nginx-conf/nginx.conf", "-g", "daemon off;"] +STOPSIGNAL SIGTERM +CMD ["nginx", "-c", "nginx-conf/nginx.conf", "-g", "daemon off;"] \ No newline at end of file diff --git a/nginx/Dockerfile-QUIC b/nginx/Dockerfile-QUIC index 55ad8d7e..c42a58a2 100644 --- a/nginx/Dockerfile-QUIC +++ b/nginx/Dockerfile-QUIC 
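Review bot: In the `strip` line, `"${INSTALLDIR}/sbin/"*` is passed twice; the duplicate was carried over from the old line and should be dropped. `set -ex` echoes every command, including the full `openssl req` invocations, into the build log; the `&&` chain already stops on failure, so `set -e` is enough unless the trace is wanted. `CA.key` and `server.csr` are written in `${INSTALLDIR}` and reach the runtime image through `COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}`, where `chown -R oqs:oqs "${INSTALLDIR}"` gives the nginx user the CA private key; the removed comment explained this was deliberate ("enable a normal user to create new server keys off set CA"), and that rationale should go back above the `chown` so the key is not treated as an accidental leak later.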
@@ -1,83 +1,118 @@ +# Define nginx version +ARG NGINX_VERSION=1.26.2 + +# Stage 1: Build - Compile and assemble all necessary components and dependencies FROM ubuntu:latest AS build +ARG NGINX_VERSION -ARG NGINX_VERSION=1.26.2 +# Install required build tools and system dependencies +RUN apt-get update && apt-get install --no-install-recommends -y \ + g++ make cmake git build-essential \ + libpcre3 libpcre3-dev zlib1g-dev \ + wget ninja-build libunwind-dev \ + pkg-config python3 ca-certificates && \ + rm -rf /var/lib/apt/lists/* + +# Download and prepare source files needed for the build process +WORKDIR /home/build +RUN git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \ + git clone --branch master --single-branch --depth 1 https://github.com/open-quantum-safe/boringssl.git && \ + wget -qO- "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" | tar -xzf - + + +# Build and install liboqs +WORKDIR /home/build/liboqs/build +RUN cmake -GNinja \ + -DCMAKE_INSTALL_PREFIX=/home/build/boringssl/oqs \ + -DCMAKE_BUILD_TYPE=Release \ + -DOQS_DIST_BUILD=ON \ + -DOQS_USE_OPENSSL=OFF .. && \ + ninja && ninja install + +# Build and install boringssl +WORKDIR /home/build/boringssl +RUN mkdir build && cd build && \ + cmake -GNinja \ + -DCMAKE_BUILD_TYPE=Release \ + -DBUILD_SHARED_LIBS=1 .. 
&& \ + ninja && \ + # Copy BoringSSL libraries into the system path after build + cp -p ssl/libssl.so /usr/local/lib && \ + cp -p crypto/libcrypto.so /usr/local/lib -RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \ - apt install -y g++ make git libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \ -# liboqs deps - liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3" && apt install -y $liboqs_pkgs && \ -# Download liboqs - git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \ -# Download open-quantum-safe/boringssl - git clone --branch master --single-branch --depth 1 https://github.com/open-quantum-safe/boringssl.git && \ -# Build liboqs -# https://github.com/open-quantum-safe/liboqs/blob/main/CONFIGURE.md#options-for-configuring-liboqs-builds - cd liboqs && mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=../../boringssl/oqs -DCMAKE_BUILD_TYPE=Release -DOQS_DIST_BUILD=ON -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \ -# build boringssl - cd ../../boringssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && \ -# prepare dir - cp -p ssl/libssl.so /usr/local/lib && cp -p crypto/libcrypto.so /usr/local/lib && cd ../.. 
&& \ -# Download nginx - wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && mv nginx-${NGINX_VERSION} nginx && \ -# build nginx - cd nginx && \ - ./configure \ - --prefix=/etc/nginx \ - --sbin-path=/usr/sbin/nginx \ - --modules-path=/usr/lib/nginx/modules \ - --conf-path=/etc/nginx/nginx.conf \ - --error-log-path=/var/log/nginx/error.log \ - --http-log-path=/var/log/nginx/access.log \ - --pid-path=/var/run/nginx.pid \ - --lock-path=/var/run/nginx.lock \ - --http-client-body-temp-path=/var/cache/nginx/client_temp \ - --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ - --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ - --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ - --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ - --user=nginx --group=nginx \ - --with-http_v3_module \ - --with-http_v2_module \ - --with-http_ssl_module \ - --with-http_realip_module \ - --with-http_gzip_static_module \ - --with-http_gunzip_module \ - --with-http_slice_module \ - --with-stream \ - --with-stream_ssl_module \ - --with-stream_ssl_preread_module \ - --with-stream_realip_module \ - --with-compat \ - --with-threads \ - --with-http_mp4_module \ - --with-file-aio \ - --with-http_secure_link_module \ - --with-http_stub_status_module \ - --with-http_auth_request_module \ - --with-http_dav_module \ - --with-http_flv_module \ - --with-cc=c++ \ - --with-cc-opt="-I../boringssl/include -x c -Ofast" \ - --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,/usr/local/lib" && \ - make +# Build and install Nginx +WORKDIR /home/build/nginx-${NGINX_VERSION} +RUN ./configure \ + --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx \ + --modules-path=/usr/lib/nginx/modules \ + --conf-path=/etc/nginx/nginx.conf \ + --error-log-path=/var/log/nginx/error.log \ + --http-log-path=/var/log/nginx/access.log \ + --pid-path=/var/run/nginx.pid \ + --lock-path=/var/run/nginx.lock \ + 
--http-client-body-temp-path=/var/cache/nginx/client_temp \ + --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ + --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ + --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ + --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ + --user=nginx \ + --group=nginx \ + --with-http_v3_module \ + --with-http_v2_module \ + --with-http_ssl_module \ + --with-http_realip_module \ + --with-http_gzip_static_module \ + --with-http_gunzip_module \ + --with-http_slice_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_ssl_preread_module \ + --with-stream_realip_module \ + --with-compat \ + --with-threads \ + --with-http_mp4_module \ + --with-file-aio \ + --with-http_secure_link_module \ + --with-http_stub_status_module \ + --with-http_auth_request_module \ + --with-http_dav_module \ + --with-http_flv_module \ + --with-cc=c++ \ + --with-cc-opt="-I../boringssl/include -x c -Ofast" \ + --with-ld-opt="-L../boringssl/build/ssl -L../boringssl/build/crypto -Wl,-rpath,/usr/local/lib" && \ + make + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations FROM ubuntu:latest -COPY --from=build /home/build/nginx/objs/nginx /usr/sbin/nginx -COPY --from=build /home/build/nginx/conf /etc/nginx +ARG NGINX_VERSION + +# Copy compiled artifacts from the intermediate stage +COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx +COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx COPY --from=build /usr/local/lib /usr/local/lib -RUN set -x \ - && apt update && apt upgrade -y && apt install --no-install-recommends --no-install-suggests -y adduser libpcre3 && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \ - && groupadd --system --gid 101 nginx \ - && useradd --system --gid nginx --no-create-home --home /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ - && mkdir -p '/var/run' && mkdir -p '/var/cache/nginx' && 
mkdir -p '/var/log/nginx' \ - && touch /var/log/nginx/access.log /var/log/nginx/error.log \ - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log -EXPOSE 80 -EXPOSE 443 -EXPOSE 443/udp +# Install essential runtime tools and libraries +RUN apt-get update && apt-get install --no-install-recommends -y \ + adduser libpcre3 && \ + rm -rf /var/lib/apt/lists/* -STOPSIGNAL SIGQUIT +# Create a dedicated 'nginx' user and group +RUN groupadd --system --gid 101 nginx && \ + useradd --system --gid nginx --no-create-home --home /nonexistent \ + --comment "nginx user" --shell /bin/false --uid 101 nginx -CMD ["nginx", "-g", "daemon off;"] +# Link logs to Docker collector +RUN mkdir -p /var/run /var/cache/nginx /var/log/nginx && \ + touch /var/log/nginx/access.log /var/log/nginx/error.log && \ + ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + +# Expose the following ports: +# 80 : HTTP (tcp) +# 443 : HTTPS (tcp) +# 443/udp : QUIC/HTTP/3 (udp) +EXPOSE 80 443 443/udp + +STOPSIGNAL SIGQUIT +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/ngtcp2/Dockerfile-client b/ngtcp2/Dockerfile-client index 44fd6dc8..a03bdc85 100644 --- a/ngtcp2/Dockerfile-client +++ b/ngtcp2/Dockerfile-client 
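Review bot: Both stages of this file still start from `FROM ubuntu:latest`, so the build is not reproducible and a future Ubuntu release can silently change the compiler, `libpcre3` or `adduser` underneath it, while the same commit introduces `ARG UBUNTU_VERSION=24.04` in openvpn/Dockerfile; using that pattern here, `ARG UBUNTU_VERSION=24.04` above the first FROM and `FROM ubuntu:${UBUNTU_VERSION} AS build` / `FROM ubuntu:${UBUNTU_VERSION}`, keeps the two files consistent. The new download line `wget -qO- "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" | tar -xzf -` runs under the default `/bin/sh -c`, where the pipeline's status is tar's alone, and the archive is never checked against a known digest; add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it, or replace it with `ADD --checksum=sha256:<PLACEHOLDER: pinned nginx tarball digest> https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz /home/build/` so a truncated or substituted tarball fails the build. The liboqs and BoringSSL clones track `main`/`master` rather than a tag, which is pre-existing but undermines reproducibility for the same reason and deserves a comment if it is deliberate.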
@@ -1,59 +1,47 @@ -# Multi-stage build: First the full builder image: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -FROM alpine:${ALPINE_VERSION} AS intermediate - -ENV DEBIAN_FRONTEND=noninteractive - -# define the quictls openssl tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG ALPINE_VERSION=3.21.0 ARG OPENSSLQUIC_TAG=openssl-3.1.7-quic1 - -# define the liboqs tag to be used ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the nghttp3 tag to be used ARG NGHTTP3_TAG=v1.6.0 - -# define the ngtcp2 tag to be used ARG NGTCP2_TAG=v1.5.0 - ARG INSTALLDIR=/opt/oqssa -# Update image and apt software -RUN apk update && apk upgrade - -# All build prerequisites for the various software packages: -RUN apk add bash git pkgconfig autoconf automake libtool g++ make cmake ninja \ - libev-dev libevent-dev openssl-dev openssl linux-headers - +# Stage 1: Build - Compile and assemble all necessary components and dependencies +FROM alpine:${ALPINE_VERSION} AS intermediate +ARG OPENSSLQUIC_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG NGHTTP3_TAG +ARG NGTCP2_TAG +ARG INSTALLDIR + +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add \ + bash git pkgconfig autoconf automake \ + libtool g++ make cmake ninja libev-dev \ + libevent-dev openssl-dev openssl linux-headers + +# Download and prepare source files needed for the build process WORKDIR /opt - -# get all sources RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSLQUIC_TAG} https://github.com/quictls/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \ git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2 -# 
build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. && ninja && ninja install - +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. && ninja && ninja install -# build openssl 3 +# Build and install OpenSSL with QUIC support WORKDIR /opt/openssl -RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ - if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ - if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi - +RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \ + make -j"$(nproc)" && make install_sw install_ssldirs && \ + if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \ + if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 
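Review bot: `RUN apk update && apk --no-cache add …` combines two options that work against each other: `apk update` writes the package index into `/var/cache/apk` in this layer, which is exactly what `--no-cache` was meant to avoid, and `--no-cache` already fetches a fresh index by itself, so the `update` is redundant and leaves the cache in the image. Drop it and keep `RUN apk --no-cache add \` alone; the same pattern appears in ngtcp2/Dockerfile-server (both stages), openssh/Dockerfile (three RUN lines) and nginx/Dockerfile (`apk --no-cache add pcre-dev`). Also `-DCMAKE_INSTALL_PREFIX=${INSTALLDIR}` in the liboqs RUN is left unquoted while the OpenSSL RUN directly below quotes every `"${INSTALLDIR}"` expansion; harmless for the default `/opt/oqssa`, but inconsistent with the commit's stated quoting goal.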
@@ -63,37 +51,39 @@ RUN ln -s ../openssl . && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf -# build nghttp3 +# Build and install nghttp3 (HTTP/3 library) WORKDIR /opt/nghttp3 -RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install +RUN git submodule update --init && \ + autoreconf -i && \ + ./configure --prefix="$PWD/build" --enable-lib-only && \ + make -j"$(nproc)" check && make install -# build ngtcp2 +# Build and install ngtcp2 (QUIC protocol library) WORKDIR /opt/ngtcp2 -RUN autoreconf -i && ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:/opt/oqssa/lib64/pkgconfig CXX=g++ CXXFLAGS="-std=c++20" && make -j$(nproc) && make install - -# Copy all required shared object dependencies to a single directory -RUN mkdir /opt/lib && cd /opt/lib && \ - cp /opt/ngtcp2/lib/.libs/libngtcp2.so.* . && \ - cp /usr/lib/libev.so.* . && \ - cp /opt/nghttp3/build/lib/libnghttp3.so.* . && \ - cp /opt/ngtcp2/crypto/quictls/.libs/libngtcp2_crypto_quictls.so.* . && \ - cp /opt/oqssa/lib64/libssl.so.* . && \ - cp /opt/oqssa/lib64/libcrypto.so.* . && \ - cp /usr/lib/libstdc++.so.* . && \ - cp /usr/lib/libgcc_s.so.* . 
- -## second stage: Only create minimal image without build tooling and intermediate build results generated above: -FROM alpine:${ALPINE_VERSION} AS dev -ENV DEBIAN_FRONTEND=noninteractive - -RUN apk update && apk upgrade - -# copy executable +RUN autoreconf -i && \ + ./configure PKG_CONFIG_PATH="$PWD/../nghttp3/build/lib/pkgconfig:/opt/oqssa/lib64/pkgconfig" \ + CXX="g++" CXXFLAGS="-std=c++20" && \ + make -j"$(nproc)" && make install + +# Copy required libraries to a single directory +WORKDIR /opt/lib +RUN cp /opt/ngtcp2/lib/.libs/libngtcp2.so.* . && \ + cp /usr/lib/libev.so.* . && \ + cp /opt/nghttp3/build/lib/libnghttp3.so.* . && \ + cp /opt/ngtcp2/crypto/quictls/.libs/libngtcp2_crypto_quictls.so.* . && \ + cp /opt/oqssa/lib64/libssl.so.* . && \ + cp /opt/oqssa/lib64/libcrypto.so.* . && \ + cp /usr/lib/libstdc++.so.* . && \ + cp /usr/lib/libgcc_s.so.* . + +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations +FROM alpine:${ALPINE_VERSION} AS runtime + +# Copy the client executable, libraries, and configuration files COPY --from=intermediate /opt/ngtcp2/examples/qtlsclient /usr/local/bin - -# copy shared object dependencies and configuration file COPY --from=intermediate /opt/lib /usr/local/lib COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf -RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; +# Create compatibility symlink for libraries +RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib \ No newline at end of file diff --git a/ngtcp2/Dockerfile-server b/ngtcp2/Dockerfile-server index 52934ae3..50af43ad 100644 --- a/ngtcp2/Dockerfile-server +++ b/ngtcp2/Dockerfile-server 
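Review bot: The `runtime` stage ends as root: nothing after the `COPY --from=intermediate` lines and the `ln -s` needs privileges, yet there is no `USER`, so `qtlsclient` and any shell started in the container run as uid 0. Add `RUN adduser -S -D -H -s /sbin/nologin oqs` after the symlink and `USER oqs` as the last instruction; the same gap exists in the `dev` stage of ngtcp2/Dockerfile-server, where serverstart.sh (outside this diff) should first be checked for root-only paths or a privileged port. Copying `libstdc++.so.*`, `libgcc_s.so.*` and `libev.so.*` out of the build image into `/usr/local/lib` only works because both stages share `ALPINE_VERSION`; `apk --no-cache add libstdc++ libev` in the runtime stage states that dependency explicitly and stops the copy list from drifting when the build tooling changes.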
@@ -1,59 +1,49 @@ -# Multi-stage build: First the full builder image: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -FROM alpine:${ALPINE_VERSION} AS intermediate - -ENV DEBIAN_FRONTEND=noninteractive - -# define the quictls openssl tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG ALPINE_VERSION=3.21.0 ARG OPENSSLQUIC_TAG=openssl-3.1.7-quic1 - -# define the liboqs tag to be used ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - -# define the nghttp3 tag to be used ARG NGHTTP3_TAG=v1.6.0 - -# define the ngtcp2 tag to be used ARG NGTCP2_TAG=v1.5.0 - ARG INSTALLDIR=/opt/oqssa -# Update image and apt software -RUN apk update && apk upgrade - -# All build prerequisites for the various software packages: -RUN apk add bash git pkgconfig autoconf automake libtool g++ make cmake ninja \ - libev-dev libevent-dev openssl-dev openssl linux-headers - +# Stage 1: Build - Compile and assemble all necessary components and dependencies +FROM alpine:${ALPINE_VERSION} AS intermediate +ARG OPENSSLQUIC_TAG +ARG LIBOQS_TAG +ARG OQSPROVIDER_TAG +ARG NGHTTP3_TAG +ARG NGTCP2_TAG +ARG INSTALLDIR + +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add bash git \ + pkgconfig autoconf automake libtool g++ \ + make cmake ninja libev-dev libevent-dev \ + openssl-dev openssl linux-headers + +# Download and prepare source files needed for the build process WORKDIR /opt - -# get all sources RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSLQUIC_TAG} https://github.com/quictls/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \ git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2 -# 
build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. && ninja && ninja install +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. \ + && ninja && ninja install -# build openssl 3 +# Build and instal OpenSSL WORKDIR /opt/openssl RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \ make ${MAKE_DEFINES} && make install_sw install_ssldirs && \ if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \ if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi - -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \ 
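Review bot: The OpenSSL build still runs `make ${MAKE_DEFINES}` even though `MAKE_DEFINES` is not declared as an ARG in this file's header (visible at the top of the hunk), so it expands to nothing and the build runs single-threaded; the identical line in ngtcp2/Dockerfile-client was changed by this commit to `make -j"$(nproc)" && make install_sw install_ssldirs && \` and this file should match. The comment `# Build and instal OpenSSL` has a typo (`install`) and, unlike the client file's `# Build and install OpenSSL with QUIC support`, does not say why a quictls tag is being built. The `ln -s` lines that follow keep the old unquoted `${INSTALLDIR}` expansions that the client file now quotes; the two Dockerfiles are otherwise line-for-line copies, so divergence here will only make the next sync harder.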
@@ -63,16 +53,21 @@ RUN ln -s ../openssl . && \ sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \ sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf -# build nghttp3 +# Build and install nghttp3 WORKDIR /opt/nghttp3 -RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install +RUN git submodule update --init && autoreconf -i && \ + ./configure --prefix=$PWD/build --enable-lib-only && \ + make -j$(nproc) check && make install -# build ngtcp2 +# Build and install ngtcp2 WORKDIR /opt/ngtcp2 -RUN autoreconf -i && ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:/opt/oqssa/lib64/pkgconfig CXX=g++ CXXFLAGS="-std=c++20" && make -j$(nproc) && make install +RUN autoreconf -i && \ + ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:/opt/oqssa/lib64/pkgconfig \ + CXX=g++ CXXFLAGS="-std=c++20" && \ + make -j$(nproc) && make install +# Generate server key and self-signed certificate files WORKDIR / -# Generate server key and self-signed certificate files RUN echo "Generating server key and certificate" && mkdir certs && cd certs && openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt -subj "/CN=localhost" # Copy all required shared object dependencies to a single directory 
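Review bot: The reflowed nghttp3 and ngtcp2 RUNs keep `--prefix=$PWD/build`, `PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:…` and `-j$(nproc)` unquoted, whereas the same lines in ngtcp2/Dockerfile-client were quoted in this commit (`--prefix="$PWD/build"`, `make -j"$(nproc)" check`); harmless under `/opt`, but the files should not diverge on a change whose stated purpose is consistent quoting. The certificate step below, `mkdir certs && cd certs && openssl req …`, is untouched context but still uses the `cd` pattern the commit replaces with `WORKDIR` elsewhere; `WORKDIR /certs` followed by the `openssl req …` command alone would match the rest of the file. The generated certificate is classical RSA-4096 while the `openssl.cnf` edits above only set the KEM `Groups`; a one-line comment such as `# Classical RSA certificate: PQ coverage here comes from the KEM groups configured in openssl.cnf` would stop a reader from expecting a PQ signature algorithm at this point.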
@@ -86,24 +81,25 @@ RUN mkdir /opt/lib && cd /opt/lib && \ cp /usr/lib/libstdc++.so.* . && \ cp /usr/lib/libgcc_s.so.* . -## second stage: Only create minimal image without build tooling and intermediate build results generated above: +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations FROM alpine:${ALPINE_VERSION} AS dev -ENV DEBIAN_FRONTEND=noninteractive -RUN apk update && apk upgrade && apk add mailcap && echo "This is my index page">index.html -COPY ./serverstart.sh . +# Install essential runtime tools and libraries +RUN apk update && apk --no-cache add mailcap -# copy executable -COPY --from=intermediate /opt/ngtcp2/examples/qtlsserver /usr/local/bin +# Create a simple index page +RUN echo "This is my index page">index.html -# Copy server key and self-signed certificate files +# Copy required executables, certificates, libraries, and configuration files from the build stage +COPY --from=intermediate /opt/ngtcp2/examples/qtlsserver /usr/local/bin COPY --from=intermediate /certs /certs - -# copy shared object dependencies and configuration file COPY --from=intermediate /opt/lib /usr/local/lib COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf +# Create a symbolic link for the library path RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib; -CMD ["./serverstart.sh"] +# Copy and run the startup script +COPY ./serverstart.sh . +CMD ["./serverstart.sh"] \ No newline at end of file diff --git a/openssh/Dockerfile b/openssh/Dockerfile index bae7dcbb..dc60aa3e 100644 --- a/openssh/Dockerfile +++ b/openssh/Dockerfile 
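Review bot: The `dev` stage never sets `WORKDIR`, so `RUN echo "This is my index page">index.html`, `COPY ./serverstart.sh .` and `CMD ["./serverstart.sh"]` all depend on the implicit `/` working directory, and splitting the old single RUN into separate instructions makes that dependency easier to miss. Declaring it once, `WORKDIR /srv` ahead of the `RUN echo`, documents where the index page and script live and keeps the relative CMD working; serverstart.sh is outside this diff, so confirm it does not hard-code `/index.html` before moving them. `RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib;` keeps the stray trailing `;` that the client file dropped in the same commit.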
@@ -1,158 +1,136 @@ -# Multi-stage build: First the full builder image: - -# define the alpine image version to use -ARG ALPINE_VERSION=3.20 - -# Default location where all binaries wind up: -ARG DEFAULT_INSTALL_DIR=/opt/oqs-ssh -ARG INSTALL_DIR=${DEFAULT_INSTALL_DIR} - -# liboqs version -# ATTENTION: Changing this could mean that further adaptions in sshd_config and ssh_config are required +# Define build arguments for version tags, installation paths, and configurations +# Note: Changing LIBOQS_TAG may require updates in sshd_config and ssh_config +ARG ALPINE_VERSION=3.21.0 ARG LIBOQS_TAG="0.11.0" - -# liboqs build defines (https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs) -ARG LIBOQS_BUILD_DEFINES= - -# Open quantum safe OpenSSH release ARG OQS_OPENSSH_RELEASE="OQS-v9" +ARG DEFAULT_INSTALL_DIR=/opt/oqs-ssh +ARG INSTALL_DIR=${DEFAULT_INSTALL_DIR} -# openssh build defines (https://github.com/open-quantum-safe/openssh#step-2-build-the-fork) -ARG OPENSSH_BUILD_OPTIONS= - -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -ARG MAKE_DEFINES="-j2" -ARG MAKE_INSTALL="install-nokeys" - -# Define the username of the normal user +# Define user credentials ARG OQS_USER="oqs" ARG OQS_PASSWORD="Pa55W0rd" +# Stage 1: Build - Compile and assemble all necessary components and dependencies FROM alpine:${ALPINE_VERSION} AS intermediate -# Take in all global args ARG INSTALL_DIR ARG LIBOQS_TAG -ARG LIBOQS_BUILD_DEFINES ARG OQS_OPENSSH_RELEASE -ARG OPENSSH_BUILD_OPTIONS -ARG MAKE_DEFINES -ARG MAKE_INSTALL ARG OQS_USER LABEL version="3" -ENV DEBIAN_FRONTEND noninteractive +# Install required build tools and system dependencies +RUN apk update && apk --no-cache add gcc musl-dev \ + linux-headers libtool automake autoconf cmake \ + make openssl openssl-dev git docker zlib-dev -RUN apk update && apk upgrade - -# Get all software packages required for builing all components: -# Note: build-base cannot 
be used due to the fortify-headers package throwing an error -RUN apk add gcc musl-dev linux-headers \ - libtool automake autoconf cmake \ - make \ - openssl openssl-dev \ - git docker \ - zlib-dev - -# get all sources +# Download and prepare source files needed for the build process WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OQS_OPENSSH_RELEASE} https://github.com/open-quantum-safe/openssh ossh-src; -# build liboqs static (does not work with shared lib!) +# Build and install liboqs +# Note: Shared libraries are not supported; static libraries must be used WORKDIR /opt/liboqs -# RUN mkdir build && cd build && cmake .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && make ${MAKE_DEFINES} && make install -RUN mkdir build-static && \ - cd build-static && \ - cmake .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_BUILD_TYPE=${LIBOQS_BUILD_TYPE} -DBUILD_SHARED_LIBS=OFF -DCMAKE_INSTALL_PREFIX=/opt/ossh-src/oqs && \ - make ${MAKE_DEFINES} && \ - make install - -# builds and installs OQS-OpenSSH +RUN cmake . 
\ + -DBUILD_SHARED_LIBS=OFF \ + -DCMAKE_INSTALL_PREFIX="/opt/ossh-src/oqs" && \ + make -j"$(nproc)" && make install + +# Build and install OQS-OpenSSH WORKDIR /opt/ossh-src -RUN autoreconf && ./configure \ - --with-libs=-lm \ - --prefix=${INSTALL_DIR} \ - --sysconfdir=${INSTALL_DIR} \ - --with-liboqs-dir=/opt/ossh-src/oqs \ - --with-mantype=man \ - ${OPENSSH_BUILD_OPTIONS} -RUN make ${MAKE_DEFINES} && \ - make ${MAKE_INSTALL} +RUN autoreconf && \ + ./configure \ + --with-libs=-lm \ + --prefix=${INSTALL_DIR} \ + --sysconfdir=${INSTALL_DIR} \ + --with-liboqs-dir=/opt/ossh-src/oqs \ + --with-mantype=man && \ + make -j"$(nproc)" && make install-nokeys CMD ["sh"] STOPSIGNAL SIGTERM -## second stage: Only create minimal image without build tooling and intermediate build results generated above: - +# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations FROM alpine:${ALPINE_VERSION} AS dev -# Take in all global args ARG DEFAULT_INSTALL_DIR ARG INSTALL_DIR ARG OQS_USER ARG OQS_PASSWORD -RUN apk update \ - && apk upgrade \ - && apk add bash nano +# Install essential runtime tools and libraries +RUN apk update && apk --no-cache add bash nano openrc -# Only retain the ${INSTALL_DIR} contents in the final image +# Copy installation artifacts from the build stage COPY --from=intermediate ${INSTALL_DIR} ${INSTALL_DIR} -# Create a normal user to be able to log into the system via ssh -RUN addgroup --gid 1000 --system ${OQS_USER} && \ - adduser --uid 1000 --system ${OQS_USER} --ingroup ${OQS_USER} --shell /bin/sh && \ - echo -e -e "${OQS_PASSWORD}\n${OQS_PASSWORD}\n" | passwd ${OQS_USER} - -# Set up login shell: Add ssh-binaries to path for ssh login shell, fix /etc/profile not executing /etc/profile.d/* -RUN sed -i "s|PATH=|PATH=${INSTALL_DIR}/bin:|;s|/etc/profile.d/\*\.sh|/etc/profile.d/\*|" /etc/profile - -# Setup .ssh folder for $OQS_USER to hold the identity keys later +# Create a system user for SSH +SHELL ["/bin/ash", "-eo", "pipefail", 
"-c"] +RUN addgroup --gid 1000 --system "${OQS_USER}" && \ + adduser --uid 1000 --system "${OQS_USER}" --ingroup "${OQS_USER}" --shell /bin/sh && \ + printf "%s\n%s\n" "${OQS_PASSWORD}" "${OQS_PASSWORD}" | passwd "${OQS_USER}" + +# Modify /etc/profile to execute only valid, executable scripts and prepend INSTALL_DIR to PATH +RUN sed -i "s|PATH=|PATH=${INSTALL_DIR}/bin:|g" /etc/profile && \ + sed -i '/\/etc\/profile\.d\//s|$|; for file in /etc/profile.d/*; do [ -f "$file" ] && [ -x "$file" ] && . "$file"; done|' /etc/profile && \ + find /etc/profile.d/ -type f ! -name '*.sh' -delete + +# Craft a custom welcome message in /etc/motd +RUN printf "Welcome to OQS-OpenSSH!\n\n\ +The Open Quantum Safe (OQS) project is an open-source initiative dedicated to the development and prototyping of quantum-resistant cryptographic algorithms.\n\n\ +The Alpine Wiki contains a large amount of how-to guides and general\n\ +information about administrating Alpine systems.\n\ +See .\n\n\ +Disclaimer:\n\ +This software is for research and testing purposes only and is NOT intended for production use. Use it at your own risk.\n" > /etc/motd + +# Set up .ssh directory for identity keys WORKDIR /home/${OQS_USER}/.ssh RUN chown ${OQS_USER}:${OQS_USER} . 
-# Pass some potentionally useful variables to environment ENV OQS_INSTALL_DIR=${INSTALL_DIR} ENV OQS_USER=$OQS_USER -# Enable ssh deamon to start at boot (although `rc-service oqs-sshd start` still needs to be called) +# Enable SSH daemon to start at boot +# Note: `rc-service oqs-sshd start` must still be called manually to start the service COPY oqs-sshd /etc/init.d/ RUN sed -ri "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" /etc/init.d/oqs-sshd -RUN apk add openrc openssl \ +RUN apk update && apk --no-cache add openrc openssl \ && mkdir -p /run/openrc \ && touch /run/openrc/softlevel \ && rc-update add oqs-sshd \ && rc-status -# Fix error "/lib/rc/sh/openrc-run.sh: line 100: can't create /sys/fs/cgroup/*/*: Read-only file system" -RUN sed -ri '269 s/cgroup_add_service/#cgroup_add_service/' /lib/rc/sh/openrc-run.sh +# Fix OpenRC cgroup error caused by attempts to modify a read-only file system +RUN sed -ri '269 s/cgroup_add_service/#cgroup_add_service/' /usr/libexec/rc/sh/openrc-run.sh -# Copy scripts +# Copy and configure SSH server settings COPY sshd_config ${INSTALL_DIR} RUN sed -ri "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" ${INSTALL_DIR}/sshd_config + +# Copy and configure SSH client settings COPY ssh_config ${INSTALL_DIR} RUN sed -ri "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" ${INSTALL_DIR}/ssh_config + +# Copy utility scripts for server operations COPY serverstart.sh ${INSTALL_DIR}/test/ -# RUN sed -in "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" ${INSTALL_DIR}/serverstart.sh COPY connect-test.sh ${INSTALL_DIR}/test/ -# RUN sed -in "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" ${INSTALL_DIR}/connect-test.sh COPY key-gen.sh ${INSTALL_DIR}/scripts/ -# RUN sed -in "s:${DEFAULT_INSTALL_DIR}:${INSTALL_DIR}:g" ${INSTALL_DIR}/key-gen.sh -# set path to use 'new' openssh +# Update PATH for OpenSSH and utility scripts ENV PATH="${INSTALL_DIR}/bin:${PATH}" ENV PATH="${INSTALL_DIR}/test:${PATH}" ENV PATH="${INSTALL_DIR}/scripts:${PATH}" STOPSIGNAL SIGTERM -# Expose port 
2222 as this is the chosen ssh port for oqs-ssh +# Expose the SSH port for oqs-ssh EXPOSE 2222 +# Prepare entrypoint and default shell WORKDIR /home/${OQS_USER}/ - -# Generate the host and identity keys (see key-gen.sh) and start a shell COPY entrypoint.sh . RUN chmod a+x ./entrypoint.sh + ENTRYPOINT [ "./entrypoint.sh" ] -CMD [ "/bin/sh" ] +CMD [ "/bin/sh" ] \ No newline at end of file diff --git a/openvpn/Dockerfile b/openvpn/Dockerfile index 03cd890e..8c633e1c 100644 --- a/openvpn/Dockerfile +++ b/openvpn/Dockerfile 
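Review bot: The second `sed` in the `/etc/profile` RUN appends `; for file in /etc/profile.d/*; do … done` to every line containing `/etc/profile.d/`; if, as in stock Alpine, that line is the loop header `for script in /etc/profile.d/*.sh ; do`, the appended text lands directly after `do`, which ash rejects as a syntax error on every login shell — check by starting a login shell (`sh -l`) in the built image. Because the commit no longer widens that glob from `*.sh` to `*` (the old sed's target), the stock loop never sources `README` in the first place, so both the second sed and the `find /etc/profile.d/ -type f ! -name '*.sh' -delete` can go, leaving `RUN sed -i "s|PATH=|PATH=${INSTALL_DIR}/bin:|g" /etc/profile`. Separately, `openrc` is now installed twice (`bash nano openrc` and later `openrc openssl`), and the line-numbered `sed -ri '269 s/cgroup_add_service/#cgroup_add_service/'` against the relocated `/usr/libexec/rc/sh/openrc-run.sh` is a silent no-op if the Alpine 3.21 bump moved that call; guard it with `grep -q cgroup_add_service /usr/libexec/rc/sh/openrc-run.sh &&` or match on the pattern instead of the line number. `ARG OQS_PASSWORD="Pa55W0rd"` is pre-existing, but it is passed into the stage and so remains readable in the image history; a comment stating that this is a throwaway demo credential would make that intent explicit.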
@@ -1,80 +1,62 @@ -# Multi-stage build: First the full builder image: - -# define the openssl tag to be used -ARG OPENSSL_TAG=openssl-3.3.2 - -# define the liboqs tag to be used +# Define build arguments for version tags, installation paths, and configurations +ARG UBUNTU_VERSION=24.04 +ARG OPENSSL_TAG=openssl-3.4.0 ARG LIBOQS_TAG=0.11.0 - -# define the oqsprovider tag to be used ARG OQSPROVIDER_TAG=0.7.0 - ARG OPENVPN_TAG=v2.6.12 - -# Default location where all binaries wind up: ARG INSTALLDIR=/opt/oqssa - -# Location where all default OpenVPN config files wind up: ARG OPENVPNDIR=/home/openvpn -# liboqs build type variant; maximum portability of image: -ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON" +# Specify supported key encapsulation mechanisms (KEM) algorithms +ARG KEM_ALGLIST="mlkem768:p384_mlkem768" -# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing -ARG MAKE_DEFINES="-j 4" +# Stage 1: Build - Compile and assemble all necessary components and dependencies +FROM ubuntu:${UBUNTU_VERSION} AS intermediate -# Default KEM algorithms to be utilized -ARG KEM_ALGLIST="mlkem768:p384_mlkem768" +LABEL version="3" -FROM debian:bullseye AS intermediate -# Take in all global args ARG OPENSSL_TAG ARG LIBOQS_TAG ARG OQSPROVIDER_TAG ARG OPENVPN_TAG ARG INSTALLDIR -ARG LIBOQS_BUILD_DEFINES -ARG MAKE_DEFINES ARG KEM_ALGLIST ARG OPENVPNDIR -LABEL version="3" - ENV DEBIAN_FRONTEND=noninteractive +ENV OPENSSL3_DIR=${INSTALLDIR} -RUN apt update && apt -y upgrade - -# Get all software packages required for builing all components: -RUN apt install -y \ - libtool automake autoconf cmake ninja-build \ - make \ - openssl libssl-dev pkg-config libcap-ng-dev \ - git docker wget vim net-tools \ - liblzo2-dev libpam0g-dev python3-docutils \ - libnl-3-dev libnl-genl-3-dev +# Install required build tools and system dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + libtool automake autoconf 
cmake ninja-build ca-certificates \ + make openssl libssl-dev pkg-config libcap-ng-dev \ + git net-tools liblzo2-dev \ + libpam0g-dev python3-docutils \ + libnl-3-dev libnl-genl-3-dev \ + && apt-get clean && rm -rf /var/lib/apt/lists/* -# get all sources +# Download and prepare source files needed for the build process WORKDIR /opt RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \ git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \ git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \ git clone --depth 1 --branch ${OPENVPN_TAG} https://github.com/OpenVPN/openvpn.git -# build liboqs -WORKDIR /opt/liboqs -RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install +# Build and install liboqs +WORKDIR /opt/liboqs/build +RUN cmake -G"Ninja" .. \ + -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install -# build OpenSSL3 +# Build and install OpenSSL WORKDIR /opt/openssl RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \ LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/$openssl_libdir" ./config shared --prefix=${INSTALLDIR} && \ - make ${MAKE_DEFINES} && \ - make install_sw install_ssldirs; + make -j"$(nproc)" && make install_sw install_ssldirs; -# set path to use 'new' openssl. Dyn libs have been properly linked in to match +# Set PATH to include the new OpenSSL binaries ENV PATH="${INSTALLDIR}/bin:${PATH}" -# build & install provider (and activate by default) +# Build, install, and configure the oqs-provider for OpenSSL integration WORKDIR /opt/oqs-provider RUN ln -s ../openssl . && \ openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \ 
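Review bot: The liboqs configure line `cmake -G"Ninja" .. -DCMAKE_INSTALL_PREFIX=${INSTALLDIR}` drops the `-DOQS_DIST_BUILD=ON` that `LIBOQS_BUILD_DEFINES` used to carry, together with its "maximum portability of image" rationale, while nginx/Dockerfile-QUIC in this same commit keeps the flag; if the liboqs default for tag 0.11.0 is not a distributable build, the library is tuned to the build host's CPU and the pushed image stops being portable. Restoring it explicitly, `-DOQS_DIST_BUILD=ON -DCMAKE_INSTALL_PREFIX=${INSTALLDIR}`, preserves the intent regardless of the upstream default. The base move from `debian:bullseye` to `ubuntu:${UBUNTU_VERSION}` is a larger change than the commit message's "upgraded base OS versions" suggests and would be worth a comment on the FROM line; the `openssl_libdir` detection copy-pasted into the OpenSSL, oqs-provider and OpenVPN RUNs is pre-existing but could be computed once into an `ARG`.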
@@ -84,46 +66,36 @@ RUN ln -s ../openssl . && \
 sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
 sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" /opt/oqssa/ssl/openssl.cnf
-
-# build openvpn based on OpenSSL3
-
-ENV OPENSSL3_DIR=${INSTALLDIR}
-
+# Build and install OpenVPN with the new OpenSSL
 WORKDIR /opt/openvpn
-
 RUN openssl_libdir='lib64' && if [ "$(uname -m)" = "aarch64" ]; then openssl_libdir='lib'; fi && \
- libtoolize --force && \
- aclocal && \
- autoheader && \
- automake --force-missing --add-missing && \
- autoconf && \
+ libtoolize --force && aclocal && autoheader && \
+ automake --force-missing --add-missing && autoconf && \
 CFLAGS="-I$OPENSSL3_DIR/include -Wl,-rpath=$OPENSSL3_DIR/$openssl_libdir -L$OPENSSL3_DIR/$openssl_libdir" ./configure --prefix=${INSTALLDIR} --disable-lz4 && \
- make ${MAKE_DEFINES} && \
- make check && \
- make install
+ make -j"$(nproc)" && make check && make install
+
+# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations
+FROM ubuntu:${UBUNTU_VERSION}
-## second stage: Only create minimal image without build tooling and intermediate build results generated above:
-FROM debian:bullseye-slim
-# Take in all global args
 ARG INSTALLDIR
 ARG OPENVPNDIR
-# install basics to run executable and enable network control
-RUN apt update && apt upgrade -y && \
- apt install -y liblzo2-2 \
- libnl-3-200 \
- libnl-genl-3-200 \
- procps \
- net-tools \
- iputils-ping && \
- mkdir -p ${OPENVPNDIR}
-
-# Only retain the ${INSTALLDIR} contents in the final image
+# Install essential runtime tools and libraries
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ liblzo2-2 libnl-3-200 libnl-genl-3-200 \
+ procps net-tools iputils-ping ca-certificates \
+ && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create necessary directories
+RUN mkdir -p ${OPENVPNDIR}
+
+# Copy only the required contents from the intermediate stage
 COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}
-# set path to use openssl built. Dyn libs have been properly linked in to match
+# Set PATH to include OpenSSL and OpenVPN binaries
 ENV PATH="${INSTALLDIR}/bin:${INSTALLDIR}/sbin:${PATH}"
+# Copy configuration files and scripts
 COPY serverstart.sh ${INSTALLDIR}/bin
 COPY clientstart.sh ${INSTALLDIR}/bin
 COPY openvpn-openssl.cnf ${OPENVPNDIR}
@@ -131,11 +103,7 @@ COPY server.config ${OPENVPNDIR}
 COPY client.config ${OPENVPNDIR}
 COPY createcerts_and_config.sh ${INSTALLDIR}/bin
+# Set working directory for the OpenVPN service
 WORKDIR ${OPENVPNDIR}
-
-# Activate to limit access to normal user rights
-#RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs
-#USER oqs
-
 CMD ["serverstart.sh"]
-STOPSIGNAL SIGTERM
+STOPSIGNAL SIGTERM
\ No newline at end of file
diff --git a/wireshark/Dockerfile b/wireshark/Dockerfile
index 5a1815e5..fdab16ef 100755
--- a/wireshark/Dockerfile
+++ b/wireshark/Dockerfile
@@ -2,17 +2,15 @@
 # By integrating OQS, the resulting Wireshark build is capable of
 # analyzing and handling post-quantum cryptographic protocols.
-# Define the base versions and tags for dependencies
+# Define build arguments for version tags, installation paths, and configurations
 ARG UBUNTU_VERSION=24.04
 ARG WIRESHARK_VERSION=4.4.1
 ARG OPENSSL_TAG=3.4.0
 ARG LIBOQS_TAG=0.11.0
 ARG OQSPROVIDER_TAG=0.7.0
-
-# Define Installation directory
 ARG INSTALLDIR=/opt/oqs
-# Stage 1: Building stage
+# Stage 1: Build - Compile and assemble all necessary components and dependencies
 FROM ubuntu:${UBUNTU_VERSION} AS build
 LABEL version="2"
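Review bot: The runtime stage's new `apt-get install` list still carries `procps`, `net-tools` and `iputils-ping`, which are diagnostic tools rather than OpenVPN runtime libraries, and on Ubuntu the ping binary typically ships with a file capability (cap_net_raw), so it adds a privileged executable to the final image. If `serverstart.sh`, `clientstart.sh` and `createcerts_and_config.sh` do not invoke `ps`, `ifconfig`/`route` or `ping`, drop the three packages; if one of them does, a comment naming the consumer, e.g. `# net-tools/iputils-ping: used by serverstart.sh for interface checks -- TODO confirm`, keeps the next cleanup from removing them blindly. The standalone `RUN mkdir -p ${OPENVPNDIR}` layer is also redundant: the `COPY openvpn-openssl.cnf ${OPENVPNDIR}` below and the `WORKDIR ${OPENVPNDIR}` in hunk `@@ -131,11 +103,7 @@` both create the directory.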
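Review bot: Removing the commented-out `#RUN addgroup ... adduser ... oqs` / `#USER oqs` stanza above `CMD` deletes the only indication that the final image runs as root, and nothing in the new version records that decision. Since OpenVPN needs CAP_NET_ADMIN to create and configure the tun device, a plain `USER` switch would not be enough here, so document the constraint instead, e.g. `# Runs as root: OpenVPN needs CAP_NET_ADMIN for the tun device; run with --cap-drop=ALL --cap-add=NET_ADMIN` placed above `CMD ["serverstart.sh"]`. The rewritten `+STOPSIGNAL SIGTERM` also lost the trailing newline (`\ No newline at end of file`); restoring it keeps the next diff clean.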
@@ -24,21 +22,20 @@ ARG LIBOQS_TAG
 ARG OQSPROVIDER_TAG
 ARG INSTALLDIR
-# Install essential build dependencies
+# Install required build tools and system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
 build-essential libtool automake autoconf cmake ninja-build \
 git wget ca-certificates \
 python3 python3-pip python3-venv && \
 apt-get clean && rm -rf /var/lib/apt/lists/*
-WORKDIR /opt
 # Set up isolated directories
-# src for source files, build for compiling, and install for final binaries
+WORKDIR /opt
 RUN mkdir -p src/liboqs src/openssl src/oqs-provider src/wireshark \
 build/liboqs build/openssl build/oqs-provider build/wireshark \
 ${INSTALLDIR}/lib ${INSTALLDIR}/bin ${INSTALLDIR}/ssl
-# Download sources
+# Download and prepare source files needed for the build process
 WORKDIR /opt/src
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs.git liboqs && \
 git clone --depth 1 --branch openssl-${OPENSSL_TAG} https://github.com/openssl/openssl.git openssl && \
@@ -50,36 +47,34 @@ RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-s
 # Build and install liboqs
 WORKDIR /opt/build/liboqs
 RUN cmake -G Ninja /opt/src/liboqs \
- -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/liboqs \
+ -D CMAKE_INSTALL_PREFIX="${INSTALLDIR}/liboqs" \
 -D BUILD_SHARED_LIBS=ON \
 -D OQS_USE_OPENSSL=OFF \
 -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/liboqs/lib" && \
- ninja -j$(nproc) && ninja install
+ ninja -j"$(nproc)" && ninja install
-# Build OpenSSL integrated with liboqs
+# Build and install OpenSSL
 WORKDIR /opt/build/openssl
 RUN LDFLAGS="-Wl,-rpath,${INSTALLDIR}/liboqs/lib" \
 /opt/src/openssl/config \
- --prefix=${INSTALLDIR}/openssl \
- --openssldir=${INSTALLDIR}/ssl \
+ --prefix="${INSTALLDIR}/openssl" \
+ --openssldir="${INSTALLDIR}/ssl" \
 shared && \
- make -j$(nproc) && \
+ make -j"$(nproc)" && \
 make install_sw install_ssldirs
-# Build OQS provider for OpenSSL integration
+# Build, install, and configure the oqs-provider for OpenSSL integration
 WORKDIR /opt/build/oqs-provider
 RUN cmake -G Ninja \
- -D OPENSSL_ROOT_DIR=${INSTALLDIR}/openssl \
+ -D OPENSSL_ROOT_DIR="${INSTALLDIR}/openssl" \
 -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
- -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/oqs-provider \
+ -D CMAKE_INSTALL_PREFIX="${INSTALLDIR}/oqs-provider" \
 -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" \
 /opt/src/oqs-provider && \
- ninja -j$(nproc) && \
- mkdir -p ${INSTALLDIR}/openssl/lib/ossl-modules && \
- cp /opt/build/oqs-provider/lib/oqsprovider.so ${INSTALLDIR}/openssl/lib/ossl-modules
-
-# Set up OpenSSL to load the OQS provider
-RUN CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
+ ninja -j"$(nproc)" && \
+ mkdir -p "${INSTALLDIR}/openssl/lib/ossl-modules" && \
+ cp /opt/build/oqs-provider/lib/oqsprovider.so "${INSTALLDIR}/openssl/lib/ossl-modules" && \
+ CONFIG_FILE="${INSTALLDIR}/ssl/openssl.cnf" && \
 sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "$CONFIG_FILE" && \
 sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "$CONFIG_FILE"
@@ -116,25 +111,25 @@ RUN cmake -G Ninja /opt/src/wireshark \
 -D QT5=OFF \
 -D QT6=ON \
 -D CMAKE_BUILD_TYPE=Release \
- -D CMAKE_INSTALL_PREFIX=${INSTALLDIR}/wireshark \
+ -D CMAKE_INSTALL_PREFIX="${INSTALLDIR}/wireshark" \
 -D CMAKE_PREFIX_PATH="${INSTALLDIR}/openssl;${INSTALLDIR}/liboqs" \
 -D CMAKE_INSTALL_RPATH="${INSTALLDIR}/openssl/lib:${INSTALLDIR}/liboqs/lib" && \
- ninja -j$(nproc) && ninja install
+ ninja -j"$(nproc)" && ninja install
 # Test integration of OQS provider with OpenSSL
 WORKDIR /opt/src/oqs-provider
 ENV OPENSSL_CONF=${INSTALLDIR}/ssl/openssl.cnf
 ENV OPENSSL_MODULES=${INSTALLDIR}/openssl/lib/ossl-modules
 RUN mkdir -p _build
-RUN ./scripts/runtests.sh -j$(nproc)
+RUN ./scripts/runtests.sh -j"$(nproc)"
-# Stage 2: Minimal runtime image
+# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations
 FROM ubuntu:${UBUNTU_VERSION} AS runtime
 ENV DEBIAN_FRONTEND=noninteractive
 ARG INSTALLDIR
-# Install necessary runtime dependencies
+# Install essential runtime tools and libraries
 RUN apt-get update && apt-get install -y --no-install-recommends \
 libc-ares2 pcaputils libssh-4 libgcrypt20 \
 libglib2.0-0 libpcap0.8 libspeexdsp1 zlib1g \
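Review bot: The two `sed -i` edits that register and activate the provider, now folded into the tail of the oqs-provider `RUN` step, cannot fail the build: sed exits 0 when its pattern finds nothing, so an `openssl.cnf` whose layout differs from the expected `default = default_sect` / `[default_sect]` lines yields an image whose OpenSSL silently loads no oqsprovider, and only the later `runtests.sh` step might notice. Add a check after the edits so the failure surfaces at the step that caused it, e.g. `grep -q 'oqsprovider = oqsprovider_sect' "$CONFIG_FILE" && grep -q '^\[oqsprovider_sect\]' "$CONFIG_FILE"` appended with `&& \`. The OpenVPN Dockerfile hunk `@@ -84,46 +66,36 @@` uses the same unchecked sed pattern and additionally hard-codes the target as `/opt/oqssa/ssl/openssl.cnf` rather than deriving it from `${INSTALLDIR}`, so an override of that ARG would leave the wrong file edited.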