OpenSSL 3 #397

Closed
collimarco opened this issue Dec 18, 2022 · 12 comments

@collimarco
When will you start using OpenSSL 3 (instead of 1.1)?

This is a major breaking change, but it is inevitable sooner or later.

Are there any plans to use OpenSSL 3 for the Ruby 3.2 images?

@yosifkit
Member

yosifkit commented Dec 19, 2022

In Alpine 3.17, OpenSSL is 3 by default, so those images are already using it (and the reason for 2.7 and 3.0 not having Alpine 3.17 images). See #392.

As far as the Debian based images, that will happen in the Debian Bookworm based images, but Bookworm is not a stable release yet, so we don't base any images on it.

@md5

md5 commented Feb 20, 2023

Hey @yosifkit sorry if this is better answered elsewhere, but what's the timeline for starting to produce bookworm images across the Official Images portfolio?

Per the bookworm Freeze Timeline and Policy page, bookworm is planned to enter "hard freeze" in less than a month. Will there be some lead time before bookworm is actually released when we can start testing the image updates, such as after the hard freeze or the full freeze?

@tianon
Member

tianon commented Feb 22, 2023

Ideally, we prefer to wait until actual release (and will definitely do so for generic aliases like latest, etc), but if there are sufficiently compelling reasons we have added new variants earlier -- each level of freeze usually requires an inversely proportional level of compelling reasoning. 😅

@lzettel

lzettel commented Jun 21, 2023

This broke our application. We used the image ruby:3.2.2 and suddenly it changed from bullseye to bookworm. Do we have to reckon with operating system version changes in the future?

@yosifkit
Member

Any image tag that doesn't pick an OS release, like ruby:3.2.2, is subject to an OS release update when the next stable release of the distribution comes out. A tag with a Debian release name (or Alpine version) will stay on that release, like ruby:3.2.2-bullseye (or ruby:3.2.2-alpine3.17). We support and build images for the two latest stable releases of each distribution, so Debian Bookworm and Bullseye and Alpine 3.18 and 3.17.
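
Added example, not part of the thread and not the project's own code: a small Ruby check that reads a Dockerfile and reports every `FROM` line whose tag names no distribution release, following the tag rule described in the comment above. The suffix patterns, function names and sample Dockerfile are assumptions constructed for illustration.

```ruby
# Added example (not from the thread). Suffix patterns are assumptions based on the
# tags named in the comment above; function names and the sample are hypothetical.
DEBIAN_RELEASES = %w[bullseye bookworm].freeze
ALPINE_PINNED   = /\Aalpine\d+\.\d+\z/ # "alpine3.17" is pinned, bare "alpine" is not
# Expand $VAR, ${VAR} and ${VAR:-default}; unknown variables become "".
def expand(text, args)
  text.gsub(/\$\{(\w+)(?::-([^}]*))?\}|\$(\w+)/) do
    m = Regexp.last_match
    args[m[1] || m[3]] || m[2] || ""
  end
end

def distro_pinned?(tag)
  tag.split("-").any? { |part| DEBIAN_RELEASES.include?(part) || part.match?(ALPINE_PINNED) }
end

# Returns one finding per FROM line whose tag does not name a distribution release.
def audit_dockerfile(source, build_args = {})
  args, stages, findings = {}, [], []
  source.each_line.with_index(1) do |line, number|
    case line.strip
    when /\AARG\s+(\w+)(?:=(.*))?\z/i
      name, default = $1, $2
      value = build_args[name] || default&.delete(%q("'))
      args[name] = value if value
    when /\AFROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?/i
      raw, stage = $1, $2
      ref = expand(raw, args)
      known_stage = stages.include?(ref)   # "FROM development" reuses an earlier stage
      stages << stage if stage
      next if known_stage || ref == "scratch" || ref.include?("@") # digest refs are fixed
      tag = ref[%r{:([^:/]+)\z}, 1] || "latest"
      findings << { line: number, image: ref, tag: tag } unless distro_pinned?(tag)
    end
  end
  findings
end

# Constructed sample input, modelled on the tags discussed in the thread.
SAMPLE = <<~DOCKERFILE
  ARG DISTRO_NAME=bookworm
  FROM ruby:3.2.2 AS floating
  FROM ruby:3.2.2-bullseye AS pinned
  FROM ruby:3.2.2-slim-$DISTRO_NAME AS development
  FROM ruby:3.2.2-alpine AS alpine_floating
  FROM ruby:3.2.2-alpine3.17 AS alpine_pinned
  FROM development AS final
DOCKERFILE
audit_dockerfile(SAMPLE).each { |f| puts "line #{f[:line]}: #{f[:image]} names no distribution release" }
```

Build arguments supplied outside the Dockerfile (for example from docker-compose.yml) can be passed as the second argument, e.g. `audit_dockerfile(text, "RUBY_VERSION" => "3.2.2")`.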

@wuarmin

wuarmin commented Oct 30, 2023

I want to use ruby:3.2.2-slim-bookworm, but get
OpenSSL is not available. Install OpenSSL and rebuild Ruby or use non-HTTPS sources (Gem::Exception). How to fix this issue? Do I have to stay on bullseye, or which image do you recommend?

Thanks

@LaurentGoderre
Member

@wuarmin I just tried and it worked for me. What were you running?

@wuarmin

wuarmin commented Oct 31, 2023

Hey @LaurentGoderre,
thank you for the response. Here's my Dockerfile:

# syntax=docker/dockerfile:1

ARG RUBY_VERSION
ARG DISTRO_NAME=bookworm
# RUBY_VERSION has to be defined in docker-compose.yml
FROM ruby:$RUBY_VERSION-slim-$DISTRO_NAME AS development

ARG PG_MAJOR
ARG DISTRO_NAME
ARG USER_ID
ARG GROUP_ID

ENV TZ="Europe/Vienna"

# Common dependencies
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
  --mount=type=cache,target=/var/lib/apt,sharing=locked \
  --mount=type=tmpfs,target=/var/log \
  rm -f /etc/apt/apt.conf.d/docker-clean; \
  echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
  apt-get update -qq \
  && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
    build-essential \
    gnupg2 \
    curl \
    less \
    git

RUN addgroup --gid $GROUP_ID user
RUN adduser --disabled-password --gecos '' --uid $USER_ID --gid $GROUP_ID user

# Configure bundler
ENV LANG=C.UTF-8 \
  BUNDLE_JOBS=4 \
  BUNDLE_RETRY=3

# Uncomment this line if you store Bundler settings in the project's root
ENV BUNDLE_APP_CONFIG=.bundle

# Uncomment this line if you want to run binstubs without prefixing with `bin/` or `bundle exec`
# ENV PATH /app/bin:$PATH

# Create a directory for the app code
RUN mkdir -p /home/user/app
RUN chown -R user:user /home/user/app
USER user

# Upgrade RubyGems and install required Bundler version
RUN gem update && \
    gem install bundler

WORKDIR /home/user/app

and docker-compose.yml:

version: '2.4'

x-app: &app
  build:
    context: .dockerdev
    dockerfile: Dockerfile
    args:
      RUBY_VERSION: '3.2.2'
      USER_ID: '1000'
      GROUP_ID: '1000'
  environment: &env
    HANAMI_ENV: ${HANAMI_ENV:-development}
  image: my_server:latest
  tmpfs:
    - /tmp

x-backend: &backend
  <<: *app
  stdin_open: true
  tty: true
  volumes:
    - .:/home/user/app
    - bundle:/usr/local/bundle
    - .dockerdev/.bashrc:/root/.bashrc:ro
  environment: &backend-env
    <<: *env
    WEB_CONCURRENCY: 1
    HISTFILE: /home/user/app/log/.bash_history
    EDITOR: vi

services:
  runner:
    <<: *backend
    environment:
      <<: *backend-env
    command: /bin/bash
    ports:
      - '2300:2300'
    extra_hosts:
      - "host.docker.internal:host-gateway"
volumes:
  bundle:

After the runner is built

docker-compose build --no-cache runner

the following command inside the container:

gem install hanami

fails with:

user@2b65f626fd19:~/app$ gem install hanami
+ERROR:  While executing gem ... (Gem::Exception)
    OpenSSL is not available. Install OpenSSL and rebuild Ruby or use non-HTTPS sources (Gem::Exception)
        /usr/local/lib/ruby/3.2.0/rubygems/request.rb:47:in `configure_connection_for_https'
        /usr/local/lib/ruby/3.2.0/rubygems/request/https_pool.rb:6:in `setup_connection'
        /usr/local/lib/ruby/3.2.0/rubygems/request/http_pool.rb:39:in `make_connection'
        /usr/local/lib/ruby/3.2.0/rubygems/request/http_pool.rb:20:in `checkout'
        /usr/local/lib/ruby/3.2.0/rubygems/request.rb:129:in `connection_for'
        /usr/local/lib/ruby/3.2.0/rubygems/request.rb:188:in `perform_request'
        /usr/local/lib/ruby/3.2.0/rubygems/request.rb:154:in `fetch'
        /usr/local/lib/ruby/3.2.0/rubygems/remote_fetcher.rb:309:in `request'
        /usr/local/lib/ruby/3.2.0/rubygems/remote_fetcher.rb:209:in `fetch_http'
        /usr/local/lib/ruby/3.2.0/rubygems/remote_fetcher.rb:248:in `fetch_path'
        /usr/local/lib/ruby/3.2.0/rubygems/source.rb:88:in `dependency_resolver_set'
        /usr/local/lib/ruby/3.2.0/rubygems/resolver/best_set.rb:23:in `block in pick_sets'
        /usr/local/lib/ruby/3.2.0/rubygems/source_list.rb:94:in `each'
        /usr/local/lib/ruby/3.2.0/rubygems/source_list.rb:94:in `each_source'
        /usr/local/lib/ruby/3.2.0/rubygems/resolver/best_set.rb:22:in `pick_sets'
        /usr/local/lib/ruby/3.2.0/rubygems/resolver/best_set.rb:28:in `find_all'
        /usr/local/lib/ruby/3.2.0/rubygems/resolver/installer_set.rb:170:in `find_all'
        /usr/local/lib/ruby/3.2.0/rubygems/resolver/installer_set.rb:61:in `add_always_install'
        /usr/local/lib/ruby/3.2.0/rubygems/dependency_installer.rb:322:in `resolve_dependencies'
        /usr/local/lib/ruby/3.2.0/rubygems/commands/install_command.rb:205:in `install_gem'
        /usr/local/lib/ruby/3.2.0/rubygems/commands/install_command.rb:230:in `block in install_gems'
        /usr/local/lib/ruby/3.2.0/rubygems/commands/install_command.rb:223:in `each'
        /usr/local/lib/ruby/3.2.0/rubygems/commands/install_command.rb:223:in `install_gems'
        /usr/local/lib/ruby/3.2.0/rubygems/commands/install_command.rb:169:in `execute'
        /usr/local/lib/ruby/3.2.0/rubygems/command.rb:327:in `invoke_with_build_args'
        /usr/local/lib/ruby/3.2.0/rubygems/command_manager.rb:252:in `invoke_command'
        /usr/local/lib/ruby/3.2.0/rubygems/command_manager.rb:192:in `process_args'
        /usr/local/lib/ruby/3.2.0/rubygems/command_manager.rb:150:in `run'
        /usr/local/lib/ruby/3.2.0/rubygems/gem_runner.rb:51:in `run'
        /usr/local/bin/gem:10:in `<main>'

@wuarmin

wuarmin commented Nov 13, 2023

@LaurentGoderre Do you have an idea?

@LaurentGoderre
Member

Strange, I used your code and it worked for me.

@LaurentGoderre
Member

LaurentGoderre commented Nov 13, 2023

Oh, I did have to comment out the bashrc mount into the container and I wonder if something in there could be throwing it off

@tianon
Member

tianon commented Dec 19, 2023

Just to resummarize our position here, we're maintaining builds of upstream-supported versions of Ruby against up to two distributions for upstream-supported combinations, which means that Ruby 3.0 will unfortunately not be getting any further distribution updates beyond Alpine 3.16 and Debian Bullseye (because of OpenSSL 3). However, it is EOL in ~3 months (Mar 2024), so I'd suggest any users get off Ruby 3.0 ASAP.

@tianon tianon closed this as completed Dec 19, 2023