Build OpenSSL 1.1.1 by default (fixes #91)
OpenSSL 1.0.2 has reached its end-of-life and it will no longer recieve security fixes. So we're changing our tagging scheme.
This commit is contained in:
Eric Kidd
parent
0325cfcac0
commit
1f2f0260c1
16
Dockerfile
16
Dockerfile
|
|
@ -6,7 +6,7 @@ ARG TOOLCHAIN=stable
|
|||
|
||||
# The OpenSSL version to use. We parameterize this because many Rust
|
||||
# projects will fail to build with 1.1.
|
||||
ARG OPENSSL_VERSION=1.0.2r
|
||||
ARG OPENSSL_VERSION=1.1.1f
|
||||
|
||||
# Make sure we have basic dev tools for building C libraries. Our goal
|
||||
# here is to support the musl-libc builds and Cargo builds needed for a
|
||||
|
|
@ -39,12 +39,12 @@ RUN apt-get update && \
|
|||
apt-get clean && rm -rf /var/lib/apt/lists/* && \
|
||||
useradd rust --user-group --create-home --shell /bin/bash --groups sudo && \
|
||||
MDBOOK_VERSION=0.3.6 && \
|
||||
curl -LO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
|
||||
curl -fLO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
|
||||
tar xf mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
|
||||
mv mdbook /usr/local/bin/ && \
|
||||
rm -f mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
|
||||
DENY_VERSION=0.6.6 && \
|
||||
curl -LO https://github.com/EmbarkStudios/cargo-deny/releases/download/$DENY_VERSION/cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
|
||||
curl -fLO https://github.com/EmbarkStudios/cargo-deny/releases/download/$DENY_VERSION/cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
|
||||
tar xf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
|
||||
mv cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl/cargo-deny /usr/local/bin/ && \
|
||||
rm -rf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz
|
||||
|
|
@ -94,8 +94,10 @@ RUN echo "Building OpenSSL" && \
|
|||
sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/local/musl/include/asm && \
|
||||
sudo ln -s /usr/include/asm-generic /usr/local/musl/include/asm-generic && \
|
||||
cd /tmp && \
|
||||
curl -LO "https://github.com/openssl/openssl/archive/OpenSSL_$OPENSSL_VERSION.tar.gz" && \
|
||||
tar xvzf "OpenSSL_$OPENSSL_VERSION.tar.gz" && cd "openssl-OpenSSL_$OPENSSL_VERSION" && \
|
||||
short_version="$(echo "$OPENSSL_VERSION" | sed s'/[a-z]$//' )" && \
|
||||
curl -fLO "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" || \
|
||||
curl -fLO "https://www.openssl.org/source/old/$short_version/openssl-$OPENSSL_VERSION.tar.gz" && \
|
||||
tar xvzf "openssl-$OPENSSL_VERSION.tar.gz" && cd "openssl-$OPENSSL_VERSION" && \
|
||||
env CC=musl-gcc ./Configure no-shared no-zlib -fPIC --prefix=/usr/local/musl -DOPENSSL_NO_SECURE_MEMORY linux-x86_64 && \
|
||||
env C_INCLUDE_PATH=/usr/local/musl/include/ make depend && \
|
||||
env C_INCLUDE_PATH=/usr/local/musl/include/ make && \
|
||||
|
|
@ -106,7 +108,7 @@ RUN echo "Building OpenSSL" && \
|
|||
RUN echo "Building zlib" && \
|
||||
cd /tmp && \
|
||||
ZLIB_VERSION=1.2.11 && \
|
||||
curl -LO "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" && \
|
||||
curl -fLO "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" && \
|
||||
tar xzf "zlib-$ZLIB_VERSION.tar.gz" && cd "zlib-$ZLIB_VERSION" && \
|
||||
CC=musl-gcc ./configure --static --prefix=/usr/local/musl && \
|
||||
make && sudo make install && \
|
||||
|
|
@ -115,7 +117,7 @@ RUN echo "Building zlib" && \
|
|||
RUN echo "Building libpq" && \
|
||||
cd /tmp && \
|
||||
POSTGRESQL_VERSION=11.2 && \
|
||||
curl -LO "https://ftp.postgresql.org/pub/source/v$POSTGRESQL_VERSION/postgresql-$POSTGRESQL_VERSION.tar.gz" && \
|
||||
curl -fLO "https://ftp.postgresql.org/pub/source/v$POSTGRESQL_VERSION/postgresql-$POSTGRESQL_VERSION.tar.gz" && \
|
||||
tar xzf "postgresql-$POSTGRESQL_VERSION.tar.gz" && cd "postgresql-$POSTGRESQL_VERSION" && \
|
||||
CC=musl-gcc CPPFLAGS=-I/usr/local/musl/include LDFLAGS=-L/usr/local/musl/lib ./configure --with-openssl --without-readline --prefix=/usr/local/musl && \
|
||||
cd src/interfaces/libpq && make all-static-lib && sudo make install-lib-static && \
|
||||
|
|
|
|||
17
README.md
17
README.md
|
|
@ -2,8 +2,15 @@
|
|||
|
||||
[](https://hub.docker.com/r/ekidd/rust-musl-builder/)
|
||||
|
||||
**NOTE:** The underlying build image is now running Ubuntu 18.04 and newer
|
||||
versions of several libraries. Please report any problems!
|
||||
**OPENSSL SECURITY NOTE:** Previously, `stable` included OpenSSL 1.0.2, and `stable-openssl11` included OpenSSL 1.1.1. However, OpenSSL 1.0.2 is **no longer receiving security fixes,** so the new tagging system will be:
|
||||
|
||||
- `stable`: OpenSSL 1.1.1 and the latest stable Rust.
|
||||
- **DEPRECATED** `stable-openssl11`: OpenSSL 1.1 and Rust 1.42.0. This will no longer be updated. Use `stable` instead.
|
||||
- **DEPRECATED** `1.42.0-openssl10` and `nightly-2020-03-12-openssl10`: OpenSSL 1.0.2. These will not be updated to newer Rust. You will still be able to build newer OpenSSL 1.0.2 images manually.
|
||||
|
||||
I hate to break compatibility with projects that require OpenSSL 1.0.2, but since it will receive no future security updates, I no longer feel comfortable supplying pre-built images.
|
||||
|
||||
## What is this?
|
||||
|
||||
Do you want to compile a completely static Rust binary with no external dependencies? If so, try:
|
||||
|
||||
|
|
@ -24,7 +31,7 @@ With a bit of luck, you should be able to just copy your application binary from
|
|||
|
||||
In general, we provide the following tagged Docker images:
|
||||
|
||||
- `latest`, `stable`: Current stable Rust, with OpenSSL 1.0 (for now). We
|
||||
- `latest`, `stable`: Current stable Rust, now with OpenSSL 1.1. We
|
||||
try to update this fairly rapidly after every new stable release, and
|
||||
after most point releases.
|
||||
- `X.Y.Z`: Specific versions of stable Rust.
|
||||
|
|
@ -35,10 +42,6 @@ In general, we provide the following tagged Docker images:
|
|||
[rustup components history][comp]. If you need a specific date for
|
||||
compatibility with `tokio` or another popular library using unstable
|
||||
Rust, please file an issue.
|
||||
- `stable-openssl11`: Current stable Rust, with OpenSSL 1.1.
|
||||
- `X.Y.Z-openssl11`: Specific versions of stable Rust, with OpenSSL 1.1.
|
||||
- `nightly-YYYY-MM-DD-openssl11`: Specific nightly releases, with OpenSSL
|
||||
1.1.
|
||||
|
||||
At a minimum, each of these images should be able to
|
||||
compile [examples/using-diesel](./examples/using-diesel).
|
||||
|
|
|
|||
13
hooks/build
13
hooks/build
|
|
@ -7,16 +7,19 @@
|
|||
# Abort if anything goes wrong.
|
||||
set -euo pipefail
|
||||
|
||||
# Default to using OpenSSL 1.0 for a while longer, because 1.1 is
|
||||
# incompatible with the crates postgres 0.15 and openssl 0.9, which
|
||||
# are still widely used.
|
||||
OPENSSL_VERSION=1.0.2r
|
||||
# Default to using OpenSSL 1.1 now, because 1.0 has stopped receiving security
|
||||
# updates. 1.1 is incompatible with the crates postgres 0.15 and openssl 0.9,
|
||||
# so we do offer the option of falling back to 1.0.
|
||||
OPENSSL_VERSION=1.1.1f
|
||||
|
||||
# Pick an appropriate Docker tag
|
||||
case "$DOCKER_TAG" in
|
||||
*-openssl11)
|
||||
DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl11/}"
|
||||
OPENSSL_VERSION=1.1.1b
|
||||
;;
|
||||
*-openssl10)
|
||||
DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl10/}"
|
||||
OPENSSL_VERSION=1.0.2u
|
||||
;;
|
||||
*)
|
||||
DOCKER_TAG_WITHOUT_OPENSSL="$DOCKER_TAG"
|
||||
|
|
|
|||
Loading…
Reference in New Issue