Skip to content

Commit

Permalink
Comprehensive updates and improvements to Docker files
Browse files Browse the repository at this point in the history
Resolved warnings, optimized structure, and upgraded or updated base OS versions and dependencies across Docker files to align with modern best practices.

Key changes:
- Upgraded or updated base OS versions and all dependencies to their latest stable releases.

- Improved build processes:
  - Used `-j$(nproc)` for dynamic parallelism.
  - Applied `apk add --no-cache` and `apt-get install --no-install-recommends`.
  - Ensured cleanup after installations.
  - Replaced `apt` with `apt-get` for consistency.

- Enhanced maintainability:
  - Introduced `WORKDIR` for efficient path management.
  - Quoted variables to prevent word splitting and related errors.
  - Standardized `LABEL` syntax with the `=` sign for clarity.

- Removed:
  - The obsolete `version` attribute from Docker Compose files to resolve the warning:
    *"The attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion."*
  - Redundant `DEBIAN_FRONTEND=noninteractive` from Alpine images.
  - Unnecessary upgrade steps in package installation.

**Exclusions:**
These changes do not apply to the OpenSSL 3 Docker file and nginx/fulltest/dockerfile.

Docker files are now optimized, more efficient, and easier to maintain.

Signed-off-by: Khalid <187553667+itsHayyaf@users.noreply.github.com>
  • Loading branch information
Hawazyn committed Dec 24, 2024
1 parent 22ba916 commit e3d9ed1
Show file tree
Hide file tree
Showing 15 changed files with 798 additions and 969 deletions.
167 changes: 73 additions & 94 deletions curl/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,167 +1,146 @@
# Multi-stage build: First the full builder image:

# define the alpine image version to use
ARG ALPINE_VERSION=3.20

# define the openssl tag to be used
ARG OPENSSL_TAG=openssl-3.3.2

# define the liboqs tag to be used
# Define build arguments for version tags, installation paths, and configurations.
ARG ALPINE_VERSION=3.21.0
ARG OPENSSL_TAG=openssl-3.4.0
ARG LIBOQS_TAG=0.11.0

# define the oqsprovider tag to be used
ARG OQSPROVIDER_TAG=0.7.0

# define the Curl version to be baked in
ARG CURL_VERSION=8.10.0

# Default location where all binaries wind up:
ARG CURL_VERSION=8.11.1
ARG INSTALLDIR=/opt/oqssa

# liboqs build type variant; maximum portability of image:
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"

# Default root CA signature algorithm; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms
# Specify supported signature and key encapsulation mechanisms (KEM) algorithms.
ARG SIG_ALG="dilithium3"

# Default KEM algorithms; can be set to any listed at https://github.com/open-quantum-safe/oqs-provider#algorithms
ARG DEFAULT_GROUPS="x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024"

# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
ARG MAKE_DEFINES="-j 4"


# Stage 1: Build - Compile and assemble all necessary components and dependencies.
FROM alpine:${ALPINE_VERSION} AS intermediate
# Take in all global args
ARG OPENSSL_TAG
ARG LIBOQS_TAG
ARG OQSPROVIDER_TAG
ARG CURL_VERSION
ARG INSTALLDIR
ARG LIBOQS_BUILD_DEFINES
ARG SIG_ALG
ARG DEFAULT_GROUPS
ARG MAKE_DEFINES

LABEL version="5"

ENV DEBIAN_FRONTEND noninteractive

RUN apk update && apk upgrade

# Get all software packages required for builing all components:
RUN apk add build-base linux-headers \
libtool automake autoconf cmake ninja \
make \
openssl openssl-dev \
# Install required build tools and system dependencies.
RUN apk --no-cache add build-base linux-headers \
libtool automake autoconf cmake \
ninja make openssl openssl-dev \
git wget

# get all sources
# Download and prepare source files needed for the build process.
WORKDIR /opt
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
wget https://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxvf curl-${CURL_VERSION}.tar.gz;

# build liboqs
WORKDIR /opt/liboqs
RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} && ninja install
# Build and install liboqs
WORKDIR /opt/liboqs/build
RUN cmake -G"Ninja" .. \
-DOQS_DIST_BUILD=ON \
-DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" && \
ninja install

# build OpenSSL3
# Build and install OpenSSL, then configure symbolic links.
WORKDIR /opt/openssl
RUN if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi && \
LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
make ${MAKE_DEFINES} && make install_sw install_ssldirs;
RUN if [ -d "${INSTALLDIR}/lib64" ]; then ln -s "${INSTALLDIR}/lib64" "${INSTALLDIR}/lib"; fi && \
if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi && \
LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix="${INSTALLDIR}" && \
make -j"$(nproc)" && make install_sw install_ssldirs;

# set path to use 'new' openssl. Dyn libs have been properly linked in to match
# Set PATH for custom OpenSSL binary.
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# build & install provider (and activate by default)
# Build, install, and configure the oqs-provider for OpenSSL integration.
WORKDIR /opt/oqs-provider
RUN ln -s ../openssl . && cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && cmake --build _build && \
cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
RUN ln -s ../openssl . && \
cmake -DOPENSSL_ROOT_DIR="${INSTALLDIR}" \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_PREFIX_PATH="${INSTALLDIR}" \
-S . -B _build && \
cmake --build _build && \
cp _build/lib/oqsprovider.so "${INSTALLDIR}/lib64/ossl-modules" && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM groups if not set via environment variable\nKDEFAULT_GROUPS = $DEFAULT_GROUPS\n\n# Use this in order to automatically load providers/g" ${INSTALLDIR}/ssl/openssl.cnf && \
sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${INSTALLDIR}/ssl/openssl.cnf

# generate certificates for openssl s_server, which is what we will test curl against
# Generate certificates for testing.
ENV OPENSSL=${INSTALLDIR}/bin/openssl
ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf

# Generate CA key and certificate
WORKDIR ${INSTALLDIR}/bin
# generate CA key and cert
RUN set -x; \
${OPENSSL} req -x509 -new -newkey ${SIG_ALG} -keyout CA.key -out CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF}
"${OPENSSL}" req -x509 -new \
-newkey "${SIG_ALG}" -keyout CA.key \
-out CA.crt -nodes \
-subj "/CN=oqstest CA" -days 365 \
-config "${OPENSSL_CNF}"

# build curl - injecting OQS CA generated above into root store
WORKDIR /opt/curl-${CURL_VERSION}

# Download and integrate LetsEncrypt Root CA to CA bundle
RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem

# For curl debugging enable it by adding the line below to the configure command:
# --enable-debug \

RUN env LDFLAGS=-Wl,-R${INSTALLDIR}/lib64 \
./configure --prefix=${INSTALLDIR} \
--with-ca-bundle=${INSTALLDIR}/oqs-bundle.pem \
--with-ssl=${INSTALLDIR} \
RUN wget https://letsencrypt.org/certs/isrgrootx1.pem -O oqs-bundle.pem && \
cat ${INSTALLDIR}/bin/CA.crt >> oqs-bundle.pem

# Add --enable-debug to the configure command to enable curl debugging.
RUN env LDFLAGS="-Wl,-R${INSTALLDIR}/lib64" \
./configure --prefix="${INSTALLDIR}" \
--with-ca-bundle="${INSTALLDIR}/oqs-bundle.pem" \
--with-ssl="${INSTALLDIR}" \
--without-libpsl && \
make ${MAKE_DEFINES} && make install && mv oqs-bundle.pem ${INSTALLDIR};
make -j"$(nproc)" && make install \
&& mv oqs-bundle.pem "${INSTALLDIR}";

# Download current test.openquantumsafe.org test CA cert
WORKDIR ${INSTALLDIR}
RUN wget https://test.openquantumsafe.org/CA.crt && mv CA.crt oqs-testca.pem

WORKDIR /
RUN wget https://test.openquantumsafe.org/CA.crt && \
mv CA.crt oqs-testca.pem

COPY serverstart.sh ${INSTALLDIR}/bin

CMD ["serverstart.sh"]

## second stage: Only create minimal image without build tooling and intermediate build results generated above:
# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations.
FROM alpine:${ALPINE_VERSION} AS dev
# Take in all global args
ARG INSTALLDIR
ARG SIG_ALG

# Only retain the ${INSTALLDIR} contents in the final image
# Copy runtime files and configure environment for OpenSSL and Curl
COPY --from=intermediate ${INSTALLDIR} ${INSTALLDIR}

# set path to use 'new' openssl & curl. Dyn libs have been properly linked in to match
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# generate certificates for openssl s_server, which is what we will test curl against
ENV OPENSSL=${INSTALLDIR}/bin/openssl
ENV OPENSSL_CNF=${INSTALLDIR}/ssl/openssl.cnf

# Generate server certificates
WORKDIR ${INSTALLDIR}/bin

# generate server CSR using pre-set CA.key and cert
# and generate server cert
RUN set -x && mkdir /opt/test; \
${OPENSSL} req -new -newkey ${SIG_ALG} -keyout /opt/test/server.key -out /opt/test/server.csr -nodes -subj "/CN=localhost" -config ${OPENSSL_CNF}; \
${OPENSSL} x509 -req -in /opt/test/server.csr -out /opt/test/server.crt -CA CA.crt -CAkey CA.key -CAcreateserial -days 365;

COPY serverstart.sh ${INSTALLDIR}/bin
COPY perftest.sh ${INSTALLDIR}/bin

WORKDIR ${INSTALLDIR}

RUN set -x && \
mkdir /opt/test && \
${OPENSSL} req -new -newkey ${SIG_ALG} \
-keyout /opt/test/server.key -out /opt/test/server.csr \
-nodes -subj "/CN=localhost" -config ${OPENSSL_CNF} && \
${OPENSSL} x509 -req \
-in /opt/test/server.csr -out /opt/test/server.crt \
-CA CA.crt -CAkey CA.key -CAcreateserial -days 365

# Optimize image size further
FROM dev
ARG INSTALLDIR

WORKDIR /
COPY serverstart.sh ${INSTALLDIR}/bin
COPY perftest.sh ${INSTALLDIR}/bin

# Improve size some more: liboqs.a not needed during operation
# Remove unused libraries to optimize image.
RUN rm ${INSTALLDIR}/lib64/liboqs*

# Enable a normal user to create new server keys off set CA
RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs /opt/test && chmod go+r ${INSTALLDIR}/bin/CA.key && chmod go+w ${INSTALLDIR}/bin/CA.srl
# Create user for runtime operations
RUN addgroup -g 1000 -S oqs && \
adduser --uid 1000 -S oqs -G oqs && \
chown -R oqs:oqs /opt/test && \
chmod go+r ${INSTALLDIR}/bin/CA.key && \
chmod go+w ${INSTALLDIR}/bin/CA.srl

USER oqs
CMD ["serverstart.sh"]
STOPSIGNAL SIGTERM
STOPSIGNAL SIGTERM
76 changes: 62 additions & 14 deletions curl/Dockerfile-QUIC
Original file line number Diff line number Diff line change
@@ -1,25 +1,73 @@
ARG CURL_VERSION=8.11.1
ARG QUICHE_VERSION=0.22.0

# Stage 1: Build - Compile and assemble all necessary components and dependencies.
FROM ubuntu:latest AS build
ARG CURL_VERSION
ARG QUICHE_VERSION

ARG CURL_VERSION=8.10.1
ARG QUICHE_VERSION=0.22.0
# Install required build tools and system dependencies.
RUN apt-get update && apt-get install -y --no-install-recommends \
cmake gcc ninja-build libunwind-dev \
pkg-config build-essential \
cargo git wget ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Download and prepare source files needed for the build process.
WORKDIR /root
RUN git clone --branch master --depth 1 https://github.com/open-quantum-safe/boringssl.git bssl \
&& git clone --recursive --depth 1 https://github.com/open-quantum-safe/liboqs.git \
&& git clone --recursive --depth 1 --branch ${QUICHE_VERSION} https://github.com/cloudflare/quiche.git \
&& mkdir -p /root/curl \
&& wget -qO- "https://curl.se/download/curl-${CURL_VERSION}.tar.gz" | tar -xzf - -C /root/curl --strip-components=1

RUN apt update && apt install cmake gcc ninja-build libunwind-dev pkg-config build-essential cargo git wget -y && cd /root && \
# Clone BoringSSL&liboqs
git clone --branch master https://github.com/open-quantum-safe/boringssl.git bssl && git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \
# Build liboqs
cd liboqs && mkdir build && cd build && cmake -G"Ninja" -DCMAKE_INSTALL_PREFIX=../../bssl/oqs -DOQS_USE_OPENSSL=OFF .. && ninja && ninja install && \
# Build BoringSSL
cd /root/bssl && mkdir build && cd build && cmake -GNinja -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1 .. && ninja && ninja install && cp -rp ../install/include /usr/local/include/bssl && cp -rp ../install/lib /usr/local/lib/bssl && \
# Build quiche
cd /root && git clone --recursive -b ${QUICHE_VERSION} https://github.com/cloudflare/quiche && cd quiche/quiche/deps && rm -R boringssl && ln -s /root/bssl boringssl && cd /root/quiche && cargo build --package quiche --release --features ffi,pkg-config-meta,qlog && cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0 && \
# Build curl
cd /root && wget https://curl.se/download/curl-${CURL_VERSION}.tar.gz && tar -zxf curl-${CURL_VERSION}.tar.gz && rm -R curl-${CURL_VERSION}.tar.gz && mv curl-${CURL_VERSION} curl && cd curl && LIBS=-lpthread ./configure LDFLAGS="-Wl,-rpath,/usr/local/lib/bssl" --with-openssl=/root/bssl/install --with-quiche=/root/quiche/target/release --without-libpsl --prefix="/usr/local/curl" && make && make install
# Build and install liboqs
WORKDIR /root/liboqs/build
RUN cmake -G"Ninja" \
"-DCMAKE_INSTALL_PREFIX=../../bssl/oqs" \
"-DOQS_USE_OPENSSL=OFF" .. \
&& ninja -j"$(nproc)" && ninja install

# Build and install BoringSSL
WORKDIR /root/bssl/build
RUN cmake -GNinja \
"-DCMAKE_BUILD_TYPE=Release" \
"-DBUILD_SHARED_LIBS=1" .. \
&& ninja -j"$(nproc)" && ninja install \
&& cp -rp "../install/include" "/usr/local/include/bssl" \
&& cp -rp "../install/lib" "/usr/local/lib/bssl"

# Build quiche with custom BoringSSL integration, enabling HTTP/3 and QUIC support
WORKDIR /root/quiche/quiche/deps
RUN rm -R boringssl \
&& ln -s /root/bssl boringssl

WORKDIR /root/quiche
RUN cargo build --package quiche --release --features ffi,pkg-config-meta,qlog \
&& cp -p target/release/libquiche.so /usr/local/lib/bssl/libquiche.so.0

# Build and install cURL
WORKDIR /root/curl
RUN LIBS=-lpthread ./configure \
LDFLAGS=-Wl,-rpath,/usr/local/lib/bssl \
--with-openssl=/root/bssl/install \
--with-quiche=/root/quiche/target/release \
--without-libpsl \
--prefix=/usr/local/curl \
&& make -j"$(nproc)" && make install

# Stage 2: Runtime - Create a lightweight image with essential binaries and configurations.
FROM ubuntu:latest

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Copy necessary files from the build stage
COPY --from=build /usr/local/include/bssl /usr/local/include/bssl
COPY --from=build /usr/local/lib/bssl /usr/local/lib/bssl
COPY --from=build /usr/local/curl /usr/local/curl

RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl
# Create a symbolic link for cURL
RUN ln -s /usr/local/curl/bin/curl /usr/local/bin/curl
Loading

0 comments on commit e3d9ed1

Please sign in to comment.