ansible: add Ubuntu 22.04 sharedlibs container

richardlau · richardlau · commit 6e6125356e73 · 2023-06-12T11:57:33.000Z
Add an Ubuntu 22.04 based sharedlibs container, intended to eventually
replace the Ubuntu 18.04 based one.

Changes compared to the Ubuntu 18.04 container:
- Add FIPS variant for OpenSSL 3.0.
- Add OpenSSL 3.1.
- Dropped older versions of ICU that were used for Node.js 14.
diff --git a/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2 b/ansible/roles/docker/templates/ubuntu2204_sharedlibs.Dockerfile.j2
@@ -0,0 +1,136 @@
+FROM ubuntu:22.04
+
+ENV LC_ALL C
+ENV USER {{ server_user }}
+ENV JOBS {{ server_jobs | default(ansible_processor_vcpus) }}
+ENV SHELL /bin/bash
+ENV HOME /home/{{ server_user }}
+ENV PATH /usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV NODE_COMMON_PIPE /home/{{ server_user }}/test.pipe
+ENV NODE_TEST_DIR /home/{{ server_user }}/tmp
+ENV OSTYPE linux-gnu
+ENV OSVARIANT docker
+ENV DESTCPU {{ arch }}
+ENV ARCH {{ arch }}
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get install apt-utils -y && \
+    apt-get dist-upgrade -y && apt-get install -y \
+      ccache \
+      g++ \
+      gcc \
+      git \
+      openjdk-17-jre-headless \
+      pkg-config \
+      curl \
+      python3-pip \
+      python-is-python3 \
+      libfontconfig1 \
+      libtool \
+      automake
+
+RUN pip3 install tap2junit=={{ tap2junit_version }}
+
+RUN addgroup --gid {{ server_user_gid.stdout_lines[0] }} {{ server_user }}
+
+RUN adduser --gid {{ server_user_gid.stdout_lines[0] }} --uid {{ server_user_uid.stdout_lines[0] }} --disabled-password --gecos {{ server_user }} {{ server_user }}
+
+ENV ICU68DIR=/opt/icu-68.1 \
+    ICU69DIR=/opt/icu-69.1 \
+    ICU71DIR=/opt/icu-71.1
+
+RUN for ICU_ENV in $(env | grep ICU..DIR); do \
+    ICU_PREFIX=$(echo $ICU_ENV | cut -d '=' -f 2) && \
+    ICU_VERSION=$(echo $ICU_PREFIX | cut -d '-' -f 2) && \
+    ICU_MAJOR=$(echo $ICU_VERSION | cut -d '.' -f 1) && \
+    ICU_MINOR=$(echo $ICU_VERSION | cut -d '.' -f 2) && \
+    mkdir -p /tmp/icu-$ICU_VERSION && \
+    cd /tmp/icu-$ICU_VERSION && \
+    curl -sL "https://github.com/unicode-org/icu/releases/download/release-$ICU_MAJOR-$ICU_MINOR/icu4c-${ICU_MAJOR}_$ICU_MINOR-src.tgz" | tar zxv --strip=1 && \
+    cd source && \
+    ./runConfigureICU Linux --prefix=$ICU_PREFIX && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/icu-$ICU_VERSION; \
+    done
+
+ENV OPENSSL111VER 1.1.1u
+ENV OPENSSL111DIR /opt/openssl-$OPENSSL111VER
+
+RUN mkdir -p /tmp/openssl_$OPENSSL111VER && \
+    cd /tmp/openssl_$OPENSSL111VER && \
+    curl -sL https://www.openssl.org/source/openssl-$OPENSSL111VER.tar.gz | tar zxv --strip=1 && \
+    ./config --prefix=$OPENSSL111DIR && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/openssl_$OPENSSL111VER
+
+# OpenSSL FIPS validation occurs post-release, and not for every version.
+# See https://www.openssl.org/docs/fips.html and the version documented in the
+# certificate and security policy.
+ENV OPENSSL30FIPSVER 3.0.8
+ENV OPENSSL30FIPSDIR /opt/openssl-$OPENSSL30FIPSVER-fips
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30FIPSVER && \
+    cd /tmp/openssl-$OPENSSL30FIPSVER && \
+    curl -sL https://www.openssl.org/source/openssl-$OPENSSL30FIPSVER.tar.gz | tar zxv --strip=1 && \
+    ./config --prefix=$OPENSSL30FIPSDIR enable-fips && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/openssl-$OPENSSL30FIPSVER
+# Install the FIPS provider. Update OpenSSL config file to enable FIPS.
+RUN LD_LIBRARY_PATH=$OPENSSL30FIPSDIR/lib64 $OPENSSL30FIPSDIR/bin/openssl fipsinstall \
+      -module $OPENSSL30FIPSDIR/lib64/ossl-modules/fips.so -provider_name fips \
+      -out $OPENSSL30FIPSDIR/ssl/fipsmodule.cnf && \
+      sed -i -r "s|^# (.include fipsmodule.cnf)|.include $OPENSSL30FIPSDIR\/ssl\/fipsmodule.cnf|g" $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+      sed -i -r '/^providers = provider_sect/a alg_section = evp_properties' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+      sed -i -r 's/^# (fips = fips_sect)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+      sed -i -r 's/^# (activate = 1)/\1/g' $OPENSSL30FIPSDIR/ssl/openssl.cnf && \
+      echo "\n[evp_properties]\ndefault_properties = \"fips=yes\"\n" >> $OPENSSL30FIPSDIR/ssl/openssl.cnf
+
+ENV OPENSSL30VER 3.0.8+quic
+ENV OPENSSL30DIR /opt/openssl-$OPENSSL30VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL30VER && \
+    cd /tmp/openssl-$OPENSSL30VER && \
+    git clone https://github.com/quictls/openssl.git -b openssl-$OPENSSL30VER --depth 1 && \
+    cd openssl && \
+    ./config --prefix=$OPENSSL30DIR && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/openssl-$OPENSSL30VER
+
+ENV OPENSSL31VER 3.1.1
+ENV OPENSSL31DIR /opt/openssl-$OPENSSL31VER
+
+RUN mkdir -p /tmp/openssl-$OPENSSL31VER && \
+    cd /tmp/openssl-$OPENSSL31VER && \
+    curl -sL https://www.openssl.org/source/openssl-$OPENSSL31VER.tar.gz | tar zxv --strip=1 && \
+    ./config --prefix=$OPENSSL31DIR && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/openssl-$OPENSSL31VER
+
+ENV ZLIBVER 1.2.13
+ENV ZLIB12DIR /opt/zlib_$ZLIBVER
+
+RUN mkdir -p /tmp/zlib_$ZLIBVER && \
+    cd /tmp/zlib_$ZLIBVER && \
+    curl -sL https://zlib.net/fossils/zlib-$ZLIBVER.tar.gz | tar zxv --strip=1 && \
+    ./configure --prefix=$ZLIB12DIR && \
+    make -j $JOBS && \
+    make install && \
+    rm -rf /tmp/zlib_$ZLIBVER
+
+VOLUME /home/{{ server_user }}/ /home/{{ server_user }}/.ccache
+
+USER iojs:iojs
+
+ENV CCACHE_TEMPDIR /home/iojs/.ccache/{{ item.name }}
+
+CMD cd /home/iojs \
+  && curl https://ci.nodejs.org/jnlpJars/agent.jar -O \
+  && java -Xmx{{ server_ram|default('128m') }} \
+          -jar /home/{{ server_user }}/agent.jar \
+          -jnlpUrl {{ jenkins_url }}/computer/{{ item.name }}/jenkins-agent.jnlp \
+          -secret {{ item.secret }}
