From 5e972f1b6fc4771a80ea09a876b415f4e3980935 Mon Sep 17 00:00:00 2001
From: Alex Bozarth
Date: Tue, 8 Oct 2024 16:27:52 -0500
Subject: [PATCH] Update nginx demo
---
 curl/Dockerfile | 2 +-
 nginx/Dockerfile | 39 +++++++++++++++++++++++++++++----------
 nginx/README.md | 12 ++++++++++--
 3 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/curl/Dockerfile b/curl/Dockerfile
index a95b8cca..74b9f331 100644
--- a/curl/Dockerfile
+++ b/curl/Dockerfile
@@ -7,7 +7,7 @@ ARG ALPINE_VERSION=3.20
 ARG OPENSSL_TAG=openssl-3.3.2
 # define the liboqs tag to be used
-ARG LIBOQS_TAG=0.10.1
+ARG LIBOQS_TAG=0.11.0
 # define the oqsprovider tag to be used
 ARG OQSPROVIDER_TAG=0.6.1
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index b9c53f4a..c4cdfda7 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -2,11 +2,17 @@
 # First: global build arguments:
+# define the alpine image version to use
+ARG ALPINE_VERSION=3.20
+
+# define the openssl tag to be used
+ARG OPENSSL_TAG=openssl-3.3.2
+
 # define the liboqs tag to be used
-ARG LIBOQS_TAG=main
+ARG LIBOQS_TAG=0.11.0
 # define the oqsprovider tag to be used
-ARG OQSPROVIDER_TAG=main
+ARG OQSPROVIDER_TAG=0.6.1
 # liboqs build type variant; maximum portability of image:
 ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
@@ -24,15 +30,15 @@ ARG SIG_ALG="dilithium3"
 ARG DEFAULT_GROUPS=x25519:x448:kyber512:p256_kyber512:kyber768:p384_kyber768:kyber1024:p521_kyber1024
 # define the nginx version to include
-ARG NGINX_VERSION=1.25.2
+ARG NGINX_VERSION=1.27.2
 # Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
 ARG MAKE_DEFINES="-j 18"
-FROM alpine:3.13 as intermediate
-# ToDo: Upgrade possible if https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2 addressed
+FROM alpine:${ALPINE_VERSION} as intermediate
 # Take in global args
+ARG OPENSSL_TAG
 ARG LIBOQS_TAG
 ARG OQSPROVIDER_TAG
 ARG BASEDIR
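Review bot: `FROM alpine:${ALPINE_VERSION} as intermediate` now floats on the `3.20` minor tag, so two builds of the same commit can pull different base layers; for an image whose purpose is a specific, auditable crypto stack, pin the digest as well, e.g. `FROM alpine:${ALPINE_VERSION}@sha256:<digest> AS intermediate` (uppercase `AS`, like every other instruction in the file), and bump it deliberately. The removed ToDo pointed at the Alpine 3.14 faccessat2 release note, which as far as I read it means the old 3.13 pin existed because build hosts with older Docker/runc/libseccomp mis-handle that syscall under newer Alpine; dropping the pin silently assumes every build host has since been upgraded, which deserves one sentence in the README entry for `ALPINE_VERSION`. The `SIG_ALG="dilithium3"` and `DEFAULT_GROUPS=...kyber...` defaults are untouched context here, so whether they are still the names exposed by the newly pinned liboqs 0.11.0 / oqs-provider 0.6.1 pair is something I would confirm with a build rather than assume.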
@@ -56,7 +62,7 @@ RUN apk add build-base linux-headers \
 WORKDIR /opt
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
     git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
-    git clone --depth 1 --branch master https://github.com/openssl/openssl.git && \
+    git clone --depth 1 --branch ${OPENSSL_TAG} https://github.com/openssl/openssl.git && \
     wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz && tar -zxvf nginx-${NGINX_VERSION}.tar.gz;
 # build liboqs (static only)
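Review bot: `git clone --depth 1 --branch ${OPENSSL_TAG}` checks out whatever the `openssl-3.3.2` tag points at on GitHub at build time with no verification — a tag is a mutable ref, and neither this clone nor the liboqs/oqs-provider clones on the lines above are compared against an expected commit or signature, so the new pin buys reproducibility of intent, not integrity. OpenSSL's release tags are GPG-signed, so `git verify-tag` is one option, but the cheapest hardening is to fail the build when the checked-out commit is not the one the demo was tested with, e.g. `git -C openssl rev-parse HEAD | grep -qx "${OPENSSL_COMMIT}"` with the expected hash kept as an ARG next to `OPENSSL_TAG`; the same pattern fits the two OQS clones. Unchanged but in the same `&&` chain, `wget nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` has no URL scheme (wget treats that as `http://`, so unless nginx.org redirects the tarball arrives in the clear) and no checksum; `wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` followed by `echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -` would make it the one download here that is actually verified.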
@@ -72,12 +78,25 @@ RUN ./configure --prefix=${INSTALLDIR} \
     make ${MAKE_DEFINES} && make install;
 # create openssl.cnf activating oqsprovider & setting default groups
-RUN mkdir -p ${OSSLDIR=}/ssl && cp /opt/openssl/apps/openssl.cnf ${OSSLDIR}/ssl/ && sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OSSLDIR}/ssl/openssl.cnf && sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OSSLDIR}/ssl/openssl.cnf
+RUN mkdir -p ${OSSLDIR=}/ssl && \
+    cp /opt/openssl/apps/openssl.cnf ${OSSLDIR}/ssl/ && \
+    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OSSLDIR}/ssl/openssl.cnf && \
+    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" ${OSSLDIR}/ssl/openssl.cnf && \
+    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:DEFAULT_GROUPS\n/g" ${OSSLDIR}/ssl/openssl.cnf && \
+    sed -i "s/HOME\t\t\t= ./HOME\t\t= .\nDEFAULT_GROUPS\t= ${DEFAULT_GROUPS}/g" ${OSSLDIR}/ssl/openssl.cnf
 # build oqsprovider
 WORKDIR /opt/oqs-provider
-RUN ln -s /opt/nginx/include/oqs ${OSSLDIR}/include && rm -rf build && cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OSSLDIR} -DCMAKE_PREFIX_PATH=$INSTALLDIR -S . -B build && cmake --build build && export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules) && cp build/lib/oqsprovider.so $MODULESDIR && mkdir -p ${OSSLDIR}/lib64 && ln -s ${OSSLDIR}/lib/ossl-modules ${OSSLDIR}/lib64 && rm -rf ${INSTALLDIR}/lib64
+RUN ln -s /opt/nginx/include/oqs ${OSSLDIR}/include && \
+    rm -rf build && \
+    cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OSSLDIR} -DCMAKE_PREFIX_PATH=$INSTALLDIR -S . -B build && \
+    cmake --build build && \
+    export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules) && \
+    cp build/lib/oqsprovider.so $MODULESDIR && \
+    mkdir -p ${OSSLDIR}/lib64 && \
+    ln -s ${OSSLDIR}/lib/ossl-modules ${OSSLDIR}/lib64 && \
+    rm -rf ${INSTALLDIR}/lib64
 WORKDIR ${INSTALLDIR}
@@ -100,7 +119,7 @@ RUN set -x && \
 RUN rm ${OSSLDIR}/bin/*
 # second stage: Only create minimal image without build tooling and intermediate build results generated above:
-FROM alpine:3.13
+FROM alpine:${ALPINE_VERSION}
 # Take in global args
 ARG LIBOQS_BUILD_DEFINES
 ARG INSTALLDIR
@@ -108,7 +127,7 @@ ARG SIG_ALG
 ARG BASEDIR
 ARG OSSLDIR=${BASEDIR}/openssl/.openssl
-LABEL version="2"
+LABEL version="3"
 RUN apk add pcre-dev
diff --git a/nginx/README.md b/nginx/README.md
index b62bc593..13ff7c1f 100644
--- a/nginx/README.md
+++ b/nginx/README.md
@@ -17,13 +17,17 @@ Complete information how to use the image is [available in the separate file USA
 The Dockerfile provided allows for significant customization of the image built:
+### OPENSSL_TAG
+
+Tag of `openssl` release to be used.
+
 ### LIBOQS_TAG
-Tag of `liboqs` release to be used. Default "main".
+Tag of `liboqs` release to be used.
 ### OQSPROVIDER_TAG
-Tag of `oqsprovider` release to be used. Default "main".
+Tag of `oqsprovider` release to be used.
 ### LIBOQS_BUILD_DEFINES
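Review bot: The reflowed `RUN mkdir -p ${OSSLDIR=}/ssl && \` carries `${OSSLDIR=}` over unchanged, which reads as a typo for `${OSSLDIR}`: depending on whether Docker's ARG/ENV substitution or the shell gets to interpret the `=` modifier it is either an assign-empty-if-unset no-op or a build error, and since this commit already rewrites every character of the line this was the moment to drop it. In the second RUN, `export MODULESDIR=$(find ${OSSLDIR} -name ossl-modules)` yields an empty string if a future `OPENSSL_TAG` moves the modules directory — more plausible now that the tag is a variable — and the following `cp build/lib/oqsprovider.so $MODULESDIR` then dies with an unhelpful cp usage error; a `test -n "$MODULESDIR" && \` between the two makes that failure self-explaining. `cmake -DCMAKE_BUILD_TYPE=Debug` builds the provider that is presumably copied into the runtime stage without optimisation and with debug info; if that is intentional for a demo, a comment such as `# Debug build on purpose: easier to trace provider-loading problems` would stop the next reader from "fixing" it, otherwise `Release` is the safer default for shipped crypto code. The surrounding `RUN ./configure` that this hunk's first context line belongs to starts outside the hunk.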
@@ -66,3 +70,7 @@ The default version set is known to work OK but one could try any value availabl
 Allow setting parameters to `make` operation, e.g., '-j nnn' where nnn defines the number of jobs run in parallel during build. The default is conservative and known not to overload normal machines. If one has a very powerful (many cores, >64GB RAM) machine, passing larger numbers (or only '-j' for maximum parallelism) speeds up building considerably.
+
+### ALPINE_VERSION
+
+The version of the `alpine` docker image to to be used.