Allow building with OpenSSL 1.0 or 1.1

It turns out that some popular libaries still have problems with OpenSSL
1.1, particularly `postgres` 0.15. So we'll build two sets of images
now.

We also explain the new image tagging scheme, and fix a bug wher the
test script didn't test the newly built image.
This commit is contained in:
Eric Kidd 2019-04-27 08:51:12 -04:00
parent 388941cd8a
commit e50cbda169
5 changed files with 66 additions and 9 deletions

View file

@ -4,6 +4,10 @@ FROM ubuntu:18.04
# The Rust toolchain to use when building our image. Set by `hooks/build`. # The Rust toolchain to use when building our image. Set by `hooks/build`.
ARG TOOLCHAIN=stable ARG TOOLCHAIN=stable
# The OpenSSL version to use. We parameterize this because many Rust
# projects will fail to build with 1.1.
ARG OPENSSL_VERSION=1.0.2r
# Make sure we have basic dev tools for building C libraries. Our goal # Make sure we have basic dev tools for building C libraries. Our goal
# here is to support the musl-libc builds and Cargo builds needed for a # here is to support the musl-libc builds and Cargo builds needed for a
# large selection of the most popular crates. # large selection of the most popular crates.
@ -73,7 +77,6 @@ RUN git config --global credential.https://github.com.helper ghtoken
# needed by the popular Rust `hyper` crate. # needed by the popular Rust `hyper` crate.
RUN echo "Building OpenSSL" && \ RUN echo "Building OpenSSL" && \
cd /tmp && \ cd /tmp && \
OPENSSL_VERSION=1.1.1b && \
curl -LO "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" && \ curl -LO "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" && \
tar xvzf "openssl-$OPENSSL_VERSION.tar.gz" && cd "openssl-$OPENSSL_VERSION" && \ tar xvzf "openssl-$OPENSSL_VERSION.tar.gz" && cd "openssl-$OPENSSL_VERSION" && \
env CC=musl-gcc ./Configure no-shared no-zlib no-async no-engine -fPIC --prefix=/usr/local/musl -DOPENSSL_NO_SECURE_MEMORY linux-x86_64 && \ env CC=musl-gcc ./Configure no-shared no-zlib no-async no-engine -fPIC --prefix=/usr/local/musl -DOPENSSL_NO_SECURE_MEMORY linux-x86_64 && \

View file

@ -23,6 +23,29 @@ Binaries will be written to `target/$TARGET_ARCHITECTURE/release`. By default it
With a bit of luck, you should be able to just copy your application binary from `target/x86_64-unknown-linux-musl/release`, and install it directly on any reasonably modern x86_64 Linux machine. In particular, you should be able make static release binaries using TravisCI and GitHub, or you can copy your Rust application into an [Alpine Linux container][]. See below for details! With a bit of luck, you should be able to just copy your application binary from `target/x86_64-unknown-linux-musl/release`, and install it directly on any reasonably modern x86_64 Linux machine. In particular, you should be able make static release binaries using TravisCI and GitHub, or you can copy your Rust application into an [Alpine Linux container][]. See below for details!
## Available tags
In general, we provide the following tagged Docker images:
- `latest`, `stable`: Current stable Rust, with OpenSSL 1.0 (for now). We
try to update this fairly rapidly after every new stable release, and
after most point releases.
- `beta`: This usually gets updated every six weeks alongside the stable
release. It will usually not be updated for beta bugfix releases.
- `nightly-YYYY-MM-DD`: Specific nightly releases. These should almost
always support `clippy`, `rls` and `rustfmt`, as verified using
[rustup components history][comp]. If you need a specific date for
compatibility with `tokio` or another popular library using unstable
Rust, please file an issue.
- `stable-openssl11`: Current stable Rust, with OpenSSL 1.1.
- `nightly-YYYY-MM-DD-openssl11`: Specific nightly releases with OpenSSL
1.1.
At a minimum, each of these images should be able to
compile [examples/using-diesel](./examples/using-diesel).
[comp]: https://rust-lang.github.io/rustup-components-history/index.html
## Caching builds ## Caching builds
You may be able to speed up build performance by adding the following `-v` commands to the `rust-musl-builder` alias: You may be able to speed up build performance by adding the following `-v` commands to the `rust-musl-builder` alias:

View file

@ -3,8 +3,12 @@
# An example Dockerfile showing how to build a Rust executable using this # An example Dockerfile showing how to build a Rust executable using this
# image, and deploy it with a tiny Alpine Linux container. # image, and deploy it with a tiny Alpine Linux container.
# You can override this `--build-arg BASE_IMAGE=...` to use different
# version of Rust or OpenSSL.
ARG BASE_IMAGE=ekidd/rust-musl-builder:latest
# Our first FROM statement declares the build environment. # Our first FROM statement declares the build environment.
FROM ekidd/rust-musl-builder AS builder FROM ${BASE_IMAGE} AS builder
# Add our source code. # Add our source code.
ADD . ./ ADD . ./

View file

@ -1,23 +1,47 @@
#!/bin/bash #!/bin/bash
#
# This script is responsible for calling `docker build` on behalf of GitHub. But
# what it _really_ does is translate `DOCKER_TAG` into the builds args `TARGET`
# and `OPENSSL_VERSION`.
# Abort if anything goes wrong. # Abort if anything goes wrong.
set -euo pipefail set -euo pipefail
# Decide what Rust toolchain to use. # Default to using OpenSSL 1.0 for a while longer, because 1.1 is
# incompatible with the crates postgres 0.15 and openssl 0.9, which
# are still widely used.
OPENSSL_VERSION=1.0.2r
# Pick an appropriate Docker tag
case "$DOCKER_TAG" in case "$DOCKER_TAG" in
*-openssl11)
DOCKER_TAG_WITHOUT_OPENSSL="${DOCKER_TAG/-openssl11/}"
OPENSSL_VERSION=1.1.1b
;;
*)
DOCKER_TAG_WITHOUT_OPENSSL="$DOCKER_TAG"
;;
esac
# Decide what Rust toolchain to use.
case "$DOCKER_TAG_WITHOUT_OPENSSL" in
# Always map the Docker tags `latest` and `experimental` to stable Rust. # Always map the Docker tags `latest` and `experimental` to stable Rust.
latest|experimental) latest)
TOOLCHAIN=stable TOOLCHAIN=stable
;; ;;
# Strip `experimental-` from other `experimental-*` tags. # Strip `experimental-` from other `experimental-*` tags.
experimental-*) experimental-*)
TOOLCHAIN="${DOCKER_TAG/experimental-/}" TOOLCHAIN="${DOCKER_TAG_WITHOUT_OPENSSL/experimental-/}"
;; ;;
# Pass all our tags # Pass all other tags through.
*) *)
TOOLCHAIN="$DOCKER_TAG" TOOLCHAIN="$DOCKER_TAG_WITHOUT_OPENSSL"
;; ;;
esac esac
# Run the build. # Run the build.
docker build --build-arg TOOLCHAIN="$TOOLCHAIN" -t "$IMAGE_NAME" . docker build \
--build-arg TOOLCHAIN="$TOOLCHAIN" \
--build-arg OPENSSL_VERSION="$OPENSSL_VERSION" \
-t "$IMAGE_NAME" \
.

View file

@ -5,5 +5,8 @@ set -euo pipefail
# Make sure we can build some of our more important test images. # Make sure we can build some of our more important test images.
for EXAMPLE in using-diesel; do for EXAMPLE in using-diesel; do
docker build -t rust-musl-builder-"$EXAMPLE" examples/"$EXAMPLE" docker build \
--build-arg BASE_IMAGE="$IMAGE_NAME" \
-t rust-musl-builder-"$EXAMPLE" \
examples/"$EXAMPLE"
done done