bpf: Add build support to FIPS Dockerfile (gravitational#7407)

* bpf: Add build support to FIPS Dockerfile * Expose libbpf version as a variable * Unlock keychain for signing Mac Teleport pkg
ardeche07 · Jun 29, 2021 · 3a6a4d6 · 3a6a4d6
1 parent 9b7002c
commit 3a6a4d6
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 6 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -2647,13 +2647,26 @@ steps:
     environment:
       OS: darwin
       ARCH: amd64
+      APPLE_USERNAME:
+        from_secret: APPLE_USERNAME
+      APPLE_PASSWORD:
+        from_secret: APPLE_PASSWORD
+      BUILDBOX_PASSWORD:
+        from_secret: BUILDBOX_PASSWORD
       OSS_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts
       ENT_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts
       WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg
     commands:
       - set -u
       - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport
       - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)
+      # set HOME explicitly (as Drone overrides it normally)
+      - export HOME=/Users/build
+      # unlock login keychain
+      - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain
+      # show available certificates
+      - security find-identity -v
+      # build teleport pkg
       - make pkg OS=$OS ARCH=$ARCH
 
   - name: Copy Mac pkg artifacts
@@ -2797,7 +2810,7 @@ steps:
       - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain
       # show available certificates
       - security find-identity -v
-      # build pkg
+      # build tsh pkg
       - make pkg-tsh OS=$OS ARCH=$ARCH
 
   - name: Copy Mac tsh pkg artifacts
@@ -4386,6 +4399,6 @@ volumes:
       name: drone-s3-debrepo-pvc
 ---
 kind: signature
-hmac: 6fb06de638133160c0989682a9034201405e43ee5b74f6f263cca7b0f69651c6
+hmac: a6eb9db27be4297501980988a17b963076717be5b64fe774bb47f742d5c8b493
 
 ...
diff --git a/build.assets/Dockerfile b/build.assets/Dockerfile
@@ -77,8 +77,9 @@ RUN mkdir -p /opt && cd /opt && curl https://storage.googleapis.com/golang/$RUNT
     chmod a-w /
 
 # Install libbpf
-RUN mkdir -p /opt && cd /opt && curl -L https://github.com/libbpf/libbpf/archive/refs/tags/v0.3.tar.gz | tar xz && \
-    cd /opt/libbpf-0.3/src && \
+ARG LIBBPF_VERSION
+RUN mkdir -p /opt && cd /opt && curl -L https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
+    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
     make && \
     make install
 

diff --git a/build.assets/Dockerfile-fips b/build.assets/Dockerfile-fips
@@ -19,9 +19,31 @@ ENV LANGUAGE="en_US.UTF-8" \
 
 RUN apt-get update -y --fix-missing && \
     apt-get -q -y upgrade && \
-    apt-get install -q -y apt-utils curl gcc git gzip libbpfcc-dev libc6-dev libpam-dev libsqlite3-0 locales make net-tools tar tree zip && \
+    apt-get install -y --no-install-recommends apt-utils ca-certificates curl && \
+    apt-get install -q -y --no-install-recommends \
+        clang-10 \
+        clang-format-10 \
+        gcc \
+        git \
+        gzip \
+        libc6-dev \
+        libelf-dev \
+        libpam-dev \
+        libsqlite3-0 \
+        llvm-10 \
+        locales \
+        make \
+        net-tools \
+        openssh-client \
+        pkg-config \
+        tar \
+        tree \
+        unzip \
+        zip \
+        && \
     dpkg-reconfigure locales && \
-    apt-get -y autoclean && apt-get -y clean
+    apt-get -y clean && \
+    rm -rf /var/lib/apt/lists/*
 
 ARG UID
 ARG GID
@@ -40,6 +62,13 @@ RUN mkdir -p /opt && cd /opt && curl https://go-boringcrypto.storage.googleapis.
     chmod a+w /var/lib && \
     chmod a-w /
 
+# Install libbpf
+ARG LIBBPF_VERSION
+RUN mkdir -p /opt && cd /opt && curl -L https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
+    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
+    make && \
+    make install
+
 ENV GOPATH="/go" \
     GOROOT="/opt/go" \
     PATH="$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"

diff --git a/build.assets/Makefile b/build.assets/Makefile
@@ -18,6 +18,7 @@ OS ?= linux
 ARCH ?= amd64
 RUNTIME ?= go1.16.2
 BORINGCRYPTO_RUNTIME=$(RUNTIME)b7
+LIBBPF_VERSION ?= 0.3
 
 UID := $$(id -u)
 GID := $$(id -g)
@@ -109,6 +110,7 @@ buildbox:
 			--build-arg PROTOC_VER=$(PROTOC_VER) \
 			--build-arg GOGO_PROTO_TAG=$(GOGO_PROTO_TAG) \
 			--build-arg PROTOC_PLATFORM=$(PROTOC_PLATFORM) \
+			--build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
 			--cache-from $(BUILDBOX) \
 			--tag $(BUILDBOX) . ; \
 	fi
@@ -124,6 +126,7 @@ buildbox-fips:
 			--build-arg UID=$(UID) \
 			--build-arg GID=$(GID) \
 			--build-arg BORINGCRYPTO_RUNTIME=$(BORINGCRYPTO_RUNTIME) \
+			--build-arg LIBBPF_VERSION=$(LIBBPF_VERSION) \
 			--cache-from $(BUILDBOX_FIPS) \
 			--tag $(BUILDBOX_FIPS) -f Dockerfile-fips . ; \
 	fi