Build OpenSSL 1.1.1 by default (fixes #91)

OpenSSL 1.0.2 has reached its end-of-life and it will no longer receive
security fixes. So we're changing our tagging scheme.
Eric Kidd 2020-04-10 09:23:08 -04:00
parent 0325cfcac0
commit 1f2f0260c1
3 changed files with 27 additions and 19 deletions

View file

@ -6,7 +6,7 @@ ARG TOOLCHAIN=stable
# The OpenSSL version to use. We parameterize this because many Rust # The OpenSSL version to use. We parameterize this because many Rust
# projects will fail to build with 1.1. # projects will fail to build with 1.1.
ARG OPENSSL_VERSION=1.0.2r ARG OPENSSL_VERSION=1.1.1f
# Make sure we have basic dev tools for building C libraries. Our goal # Make sure we have basic dev tools for building C libraries. Our goal
# here is to support the musl-libc builds and Cargo builds needed for a # here is to support the musl-libc builds and Cargo builds needed for a
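Review bot: the comment kept on the two lines above the ARG is now stale. With OPENSSL_VERSION defaulting to 1.1.1f, "We parameterize this because many Rust projects will fail to build with 1.1" no longer explains why the argument exists. Suggest rewording it to say the argument is kept so that legacy OpenSSL 1.0.2 images can still be built by overriding it (e.g. `--build-arg OPENSSL_VERSION=1.0.2u`), and that 1.0.2 is end-of-life and receives no security fixes.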
@ -39,12 +39,12 @@ RUN apt-get update && \
apt-get clean && rm -rf /var/lib/apt/lists/* && \ apt-get clean && rm -rf /var/lib/apt/lists/* && \
useradd rust --user-group --create-home --shell /bin/bash --groups sudo && \ useradd rust --user-group --create-home --shell /bin/bash --groups sudo && \
MDBOOK_VERSION=0.3.6 && \ MDBOOK_VERSION=0.3.6 && \
curl -LO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \ curl -fLO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
tar xf mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \ tar xf mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
mv mdbook /usr/local/bin/ && \ mv mdbook /usr/local/bin/ && \
rm -f mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \ rm -f mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
DENY_VERSION=0.6.6 && \ DENY_VERSION=0.6.6 && \
curl -LO https://github.com/EmbarkStudios/cargo-deny/releases/download/$DENY_VERSION/cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \ curl -fLO https://github.com/EmbarkStudios/cargo-deny/releases/download/$DENY_VERSION/cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
tar xf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \ tar xf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
mv cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl/cargo-deny /usr/local/bin/ && \ mv cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl/cargo-deny /usr/local/bin/ && \
rm -rf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz rm -rf cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl cargo-deny-$DENY_VERSION-x86_64-unknown-linux-musl.tar.gz
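Review bot: switching `curl -LO` to `curl -fLO` is the right fix, since without `-f` an HTTP error page is saved as the tarball and the failure only surfaces later as a confusing `tar` error; but the mdbook and cargo-deny archives are still unpacked and moved into /usr/local/bin with no integrity check. Both versions are already pinned (`MDBOOK_VERSION=0.3.6`, `DENY_VERSION=0.6.6`), so consider pinning the expected SHA-256 of each archive next to its version and verifying it with `sha256sum -c` before `tar xf`, so a substituted release asset cannot end up in the image.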
@ -94,8 +94,10 @@ RUN echo "Building OpenSSL" && \
sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/local/musl/include/asm && \ sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/local/musl/include/asm && \
sudo ln -s /usr/include/asm-generic /usr/local/musl/include/asm-generic && \ sudo ln -s /usr/include/asm-generic /usr/local/musl/include/asm-generic && \
cd /tmp && \ cd /tmp && \
curl -LO "https://github.com/openssl/openssl/archive/OpenSSL_$OPENSSL_VERSION.tar.gz" && \ short_version="$(echo "$OPENSSL_VERSION" | sed s'/[a-z]$//' )" && \
tar xvzf "OpenSSL_$OPENSSL_VERSION.tar.gz" && cd "openssl-OpenSSL_$OPENSSL_VERSION" && \ curl -fLO "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" || \
curl -fLO "https://www.openssl.org/source/old/$short_version/openssl-$OPENSSL_VERSION.tar.gz" && \
tar xvzf "openssl-$OPENSSL_VERSION.tar.gz" && cd "openssl-$OPENSSL_VERSION" && \
env CC=musl-gcc ./Configure no-shared no-zlib -fPIC --prefix=/usr/local/musl -DOPENSSL_NO_SECURE_MEMORY linux-x86_64 && \ env CC=musl-gcc ./Configure no-shared no-zlib -fPIC --prefix=/usr/local/musl -DOPENSSL_NO_SECURE_MEMORY linux-x86_64 && \
env C_INCLUDE_PATH=/usr/local/musl/include/ make depend && \ env C_INCLUDE_PATH=/usr/local/musl/include/ make depend && \
env C_INCLUDE_PATH=/usr/local/musl/include/ make && \ env C_INCLUDE_PATH=/usr/local/musl/include/ make && \
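Review bot: the new fallback `curl -fLO "https://www.openssl.org/source/..." || curl -fLO ".../source/old/$short_version/..."` is not grouped, and in shell `&&` and `||` have equal precedence and associate left to right, so the `||` branch also runs when anything earlier in the chain fails (the `sudo ln -s` calls, `cd /tmp`, or the `short_version` computation) and masks that failure if the fallback download succeeds. Suggest grouping the two downloads in one command: `{ curl -fLO "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" || curl -fLO "https://www.openssl.org/source/old/$short_version/openssl-$OPENSSL_VERSION.tar.gz"; } && \`. Separately, the OpenSSL tarball that gets statically linked into every binary built with this image is unpacked without a checksum or signature check; openssl.org publishes `.sha256` and `.asc` files beside each tarball, so a pinned hash verified with `sha256sum -c` before `tar xvzf` would be cheap here. Minor: `sed s'/[a-z]$//'` works but reads like a misplaced quote; `sed 's/[a-z]$//'` is clearer.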
@ -106,7 +108,7 @@ RUN echo "Building OpenSSL" && \
RUN echo "Building zlib" && \ RUN echo "Building zlib" && \
cd /tmp && \ cd /tmp && \
ZLIB_VERSION=1.2.11 && \ ZLIB_VERSION=1.2.11 && \
curl -LO "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" && \ curl -fLO "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" && \
tar xzf "zlib-$ZLIB_VERSION.tar.gz" && cd "zlib-$ZLIB_VERSION" && \ tar xzf "zlib-$ZLIB_VERSION.tar.gz" && cd "zlib-$ZLIB_VERSION" && \
CC=musl-gcc ./configure --static --prefix=/usr/local/musl && \ CC=musl-gcc ./configure --static --prefix=/usr/local/musl && \
make && sudo make install && \ make && sudo make install && \
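Review bot: the zlib tarball is still fetched over plain `http://zlib.net/...`, so `-f` now catches HTTP errors but nothing protects the download from on-path tampering, and there is no checksum check either. Suggest switching the URL to `https://zlib.net/zlib-$ZLIB_VERSION.tar.gz` and verifying a pinned SHA-256 before `tar xzf`, as for the other tarballs in this Dockerfile.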
@ -115,7 +117,7 @@ RUN echo "Building zlib" && \
RUN echo "Building libpq" && \ RUN echo "Building libpq" && \
cd /tmp && \ cd /tmp && \
POSTGRESQL_VERSION=11.2 && \ POSTGRESQL_VERSION=11.2 && \
curl -LO "https://ftp.postgresql.org/pub/source/v$POSTGRESQL_VERSION/postgresql-$POSTGRESQL_VERSION.tar.gz" && \ curl -fLO "https://ftp.postgresql.org/pub/source/v$POSTGRESQL_VERSION/postgresql-$POSTGRESQL_VERSION.tar.gz" && \
tar xzf "postgresql-$POSTGRESQL_VERSION.tar.gz" && cd "postgresql-$POSTGRESQL_VERSION" && \ tar xzf "postgresql-$POSTGRESQL_VERSION.tar.gz" && cd "postgresql-$POSTGRESQL_VERSION" && \
CC=musl-gcc CPPFLAGS=-I/usr/local/musl/include LDFLAGS=-L/usr/local/musl/lib ./configure --with-openssl --without-readline --prefix=/usr/local/musl && \ CC=musl-gcc CPPFLAGS=-I/usr/local/musl/include LDFLAGS=-L/usr/local/musl/lib ./configure --with-openssl --without-readline --prefix=/usr/local/musl && \
cd src/interfaces/libpq && make all-static-lib && sudo make install-lib-static && \ cd src/interfaces/libpq && make all-static-lib && sudo make install-lib-static && \

View file

@ -2,8 +2,15 @@
[![Docker Image](https://img.shields.io/docker/pulls/ekidd/rust-musl-builder.svg?maxAge=2592000)](https://hub.docker.com/r/ekidd/rust-musl-builder/) [![Docker Image](https://img.shields.io/docker/pulls/ekidd/rust-musl-builder.svg?maxAge=2592000)](https://hub.docker.com/r/ekidd/rust-musl-builder/)
**NOTE:** The underlying build image is now running Ubuntu 18.04 and newer **OPENSSL SECURITY NOTE:** Previously, `stable` included OpenSSL 1.0.2, and `stable-openssl11` included OpenSSL 1.1.1. However, OpenSSL 1.0.2 is **no longer receiving security fixes,** so the new tagging system will be:
versions of several libraries. Please report any problems!
- `stable`: OpenSSL 1.1.1 and the latest stable Rust.
- **DEPRECATED** `stable-openssl11`: OpenSSL 1.1 and Rust 1.42.0. This will no longer be updated. Use `stable` instead.
- **DEPRECATED** `1.42.0-openssl10` and `nightly-2020-03-12-openssl10`: OpenSSL 1.0.2. These will not be updated to newer Rust. You will still be able to build newer OpenSSL 1.0.2 images manually.
I hate to break compatibility with projects that require OpenSSL 1.0.2, but since it will receive no future security updates, I no longer feel comfortable supplying pre-built images.
## What is this?
Do you want to compile a completely static Rust binary with no external dependencies? If so, try: Do you want to compile a completely static Rust binary with no external dependencies? If so, try:
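Review bot: the note on the deprecated `-openssl10` tags says users "will still be able to build newer OpenSSL 1.0.2 images manually" but does not say how. Since this same commit adds an `*-openssl10` tag case to the build script and the Dockerfile exposes an `OPENSSL_VERSION` build argument, a one-line pointer (e.g. `docker build --build-arg OPENSSL_VERSION=1.0.2u .`) would make the sentence actionable. Also, "newer OpenSSL 1.0.2 images" reads oddly now that 1.0.2 is end-of-life and no further 1.0.2 releases are expected; "OpenSSL 1.0.2 images" is more accurate.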
@ -24,7 +31,7 @@ With a bit of luck, you should be able to just copy your application binary from
In general, we provide the following tagged Docker images: In general, we provide the following tagged Docker images:
- `latest`, `stable`: Current stable Rust, with OpenSSL 1.0 (for now). We - `latest`, `stable`: Current stable Rust, now with OpenSSL 1.1. We
try to update this fairly rapidly after every new stable release, and try to update this fairly rapidly after every new stable release, and
after most point releases. after most point releases.
- `X.Y.Z`: Specific versions of stable Rust. - `X.Y.Z`: Specific versions of stable Rust.
@ -35,10 +42,6 @@ In general, we provide the following tagged Docker images:
[rustup components history][comp]. If you need a specific date for [rustup components history][comp]. If you need a specific date for
compatibility with `tokio` or another popular library using unstable compatibility with `tokio` or another popular library using unstable
Rust, please file an issue. Rust, please file an issue.
- `stable-openssl11`: Current stable Rust, with OpenSSL 1.1.
- `X.Y.Z-openssl11`: Specific versions of stable Rust, with OpenSSL 1.1.
- `nightly-YYYY-MM-DD-openssl11`: Specific nightly releases, with OpenSSL
1.1.
At a minimum, each of these images should be able to At a minimum, each of these images should be able to
compile [examples/using-diesel](./examples/using-diesel). compile [examples/using-diesel](./examples/using-diesel).
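Review bot: this hunk drops the `-openssl11` tag descriptions from the tag list, but the `-openssl10` tags that the security note above now marks DEPRECATED (`1.42.0-openssl10`, `nightly-2020-03-12-openssl10`) are not described in the list either, so a reader of the tag list alone will not learn what the suffix means. Suggest one list item noting that `X.Y.Z-openssl10` and `nightly-YYYY-MM-DD-openssl10` are frozen OpenSSL 1.0.2 images that will not be updated, in the same style as the removed `-openssl11` entries.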

View file

@ -7,16 +7,19 @@
# Abort if anything goes wrong. # Abort if anything goes wrong.
set -euo pipefail set -euo pipefail
# Default to using OpenSSL 1.0 for a while longer, because 1.1 is # Default to using OpenSSL 1.1 now, because 1.0 has stopped receiving security
# incompatible with the crates postgres 0.15 and openssl 0.9, which # updates. 1.1 is incompatible with the crates postgres 0.15 and openssl 0.9,
# are still widely used. # so we do offer the option of falling back to 1.0.
OPENSSL_VERSION=1.0.2r OPENSSL_VERSION=1.1.1f
# Pick an appropriate Docker tag # Pick an appropriate Docker tag
case "$DOCKER_TAG" in case "$DOCKER_TAG" in
*-openssl11) *-openssl11)
DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl11/}" DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl11/}"
OPENSSL_VERSION=1.1.1b ;;
*-openssl10)
DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl10/}"
OPENSSL_VERSION=1.0.2u
;; ;;
*) *)
DOCKER_TAG_WITHOUT_OPENSSL="$DOCKER_TAG" DOCKER_TAG_WITHOUT_OPENSSL="$DOCKER_TAG"
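Review bot: the new `*-openssl10)` branch hard-codes `OPENSSL_VERSION=1.0.2u` without a comment, while the default at the top of the file carries a rationale. Given the commit message's point that 1.0.2 receives no further security fixes, a comment on that line saying the pin is intentionally frozen (and an `echo` warning when such a tag is built) would stop a future maintainer from expecting it to be bumped. The `*-openssl11)` branch now falls through to the default 1.1.1f, which is correct, but a short comment there would help too, since the case label suggests it sets something OpenSSL-specific.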