From 00664741d57e4b58c5e228e17a824c525a344aff Mon Sep 17 00:00:00 2001
From: Charles Pierce
Date: Fri, 22 Apr 2022 15:07:29 -0700
Subject: [PATCH] Build Volta with a statically-linked TLS implementation
---
 .github/workflows/release.yml | 123 ++-------------------
 Cargo.lock | 197 ++++++++++++++--------------------
 ci/build-and-package.sh | 3 +
 ci/build-with-openssl.sh | 12 ---
 ci/docker-centos/Dockerfile | 13 ---
 ci/docker-ubuntu/Dockerfile | 9 --
 ci/docker/Dockerfile | 16 +++
 crates/archive/Cargo.toml | 2 +-
 crates/volta-core/Cargo.toml | 2 +-
 dev/unix/volta-install.sh | 60 ++---------
 10 files changed, 121 insertions(+), 316 deletions(-)
 delete mode 100755 ci/build-with-openssl.sh
 delete mode 100644 ci/docker-centos/Dockerfile
 delete mode 100644 ci/docker-ubuntu/Dockerfile
 create mode 100644 ci/docker/Dockerfile
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ef8a240c04..4ecb2522bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,79 +9,22 @@ on: name: Production jobs: - centos: - name: Build - CentOS / RHEL - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Set up docker image - run: docker build -t volta . - working-directory: ./ci/docker-centos - - name: Compile and package Volta - run: docker run --volume ${PWD}:/root/workspace --workdir /root/workspace --rm --init --tty volta /root/workspace/ci/build-and-package.sh volta-centos - - name: Confirm correct OpenSSL Version - run: | - objdump -p target/release/volta - readelf -d target/release/volta - - name: Upload release artifact - uses: actions/upload-artifact@v2 - with: - name: linux-centos - path: target/release/volta-centos.tar.gz - - linux-ssl-3: - name: Build - OpenSSL 3 - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Set up docker image - run: docker build -t volta . - working-directory: ./ci/docker-ubuntu - - name: Compile and package Volta - run: docker run --volume ${PWD}:/root/workspace --workdir /root/workspace --rm --init --tty volta /root/workspace/ci/build-and-package.sh volta-openssl-3 - - name: Confirm correct OpenSSL Version - run: | - objdump -p target/release/volta - readelf -d target/release/volta - - name: Upload release artifact - uses: actions/upload-artifact@v2 - with: - name: linux-openssl-3 - path: target/release/volta-openssl-3.tar.gz - linux: - strategy: - matrix: - openssl: - - 1_1_0 - - 1_0_1 - name: Build - OpenSSL ${{ matrix.openssl }} + name: Build - Linux runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@v2 - - name: Check out OpenSSL - uses: actions/checkout@v2 - with: - repository: openssl/openssl - ref: OpenSSL_${{ matrix.openssl }}-stable - path: openssl - name: Set up docker image run: docker build -t volta . 
- working-directory: ./ci/docker-centos - - name: Compile and package OpenSSL & Volta - run: docker run --volume ${PWD}:/root/workspace --workdir /root/workspace --rm --init --tty volta /root/workspace/ci/build-with-openssl.sh volta-openssl-${{ matrix.openssl }} - - name: Confirm OpenSSL Version - run: | - objdump -p target/release/volta - readelf -d target/release/volta + working-directory: ./ci/docker + - name: Compile and package Volta + run: docker run --volume ${PWD}:/root/workspace --workdir /root/workspace --rm --init --tty volta /root/workspace/ci/build-and-package.sh volta-linux - name: Upload release artifact uses: actions/upload-artifact@v2 with: - name: linux-openssl-${{ matrix.openssl }} - path: target/release/volta-openssl-${{ matrix.openssl }}.tar.gz + name: linux + path: target/release/volta-linux.tar.gz macos: name: Build - MacOS @@ -182,9 +125,7 @@ jobs: name: Publish release runs-on: ubuntu-latest needs: - - centos - linux - - linux-ssl-3 - macos - macos-aarch64 - windows @@ -197,25 +138,10 @@ jobs: env: TAG: ${{ github.ref }} run: echo "::set-output name=version::${TAG:11}" - - name: Fetch CentOS artifact + - name: Fetch Linux artifact uses: actions/download-artifact@v2 with: - name: linux-centos - path: release - - name: Fetch OpenSSL 3 artifact - uses: actions/download-artifact@v2 - with: - name: linux-openssl-3 - path: release - - name: Fetch OpenSSL 1.0.* artifact - uses: actions/download-artifact@v2 - with: - name: linux-openssl-1_0_1 - path: release - - name: Fetch OpenSSL 1.1.* artifact - uses: actions/download-artifact@v2 - with: - name: linux-openssl-1_1_0 + name: linux path: release - name: Fetch MacOS artifact uses: actions/download-artifact@v2 
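Review bot: The new `linux` job no longer inspects the built binary at all: the `objdump -p` / `readelf -d` step was removed together with the OpenSSL matrix, so nothing checks that the artifact is free of a dynamic `libssl`/`libcrypto` dependency, which is the property this commit is meant to establish. A step after "Compile and package Volta" such as `run: if readelf -d target/release/volta | grep -Eq 'libssl|libcrypto'; then exit 1; fi` would fail the release if a later dependency change brings native TLS linking back. The other steps of the job are context lines and are not changed by this hunk.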
@@ -248,41 +174,14 @@ jobs: tag_name: ${{ github.ref }} release_name: ${{ github.ref }} draft: true - - name: Upload CentOS artifact - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./release/volta-centos.tar.gz - asset_name: volta-${{ steps.release_info.outputs.version }}-linux-openssl-rhel.tar.gz - asset_content_type: application/gzip - - name: Upload OpenSSL 3 artifact - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./release/volta-openssl-3.tar.gz - asset_name: volta-${{ steps.release_info.outputs.version }}-linux-openssl-3.0.tar.gz - asset_content_type: application/gzip - - name: Upload OpenSSL 1.0.* artifact - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./release/volta-openssl-1_0_1.tar.gz - asset_name: volta-${{ steps.release_info.outputs.version }}-linux-openssl-1.0.tar.gz - asset_content_type: application/gzip - - name: Upload OpenSSL 1.1.* artifact + - name: Upload Linux artifact uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./release/volta-openssl-1_1_0.tar.gz - asset_name: volta-${{ steps.release_info.outputs.version }}-linux-openssl-1.1.tar.gz + asset_path: ./release/volta-linux.tar.gz + asset_name: volta-${{ steps.release_info.outputs.version }}-linux.tar.gz asset_content_type: application/gzip - name: Upload MacOS artifact uses: actions/upload-release-asset@v1 diff --git a/Cargo.lock b/Cargo.lock index 263c9c875c..3fe3055c3d 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -71,10 +71,12 @@ dependencies = [ "flate2", "http", "log", - "native-tls", + "rustls", "serde", "serde_json", "url", + "webpki", + "webpki-roots", ] [[package]] @@ -241,9 +243,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.59" +version = "1.0.73" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "66120af515773fb005778dc07c261bd201ec8ce50bd6e7144c927753fe013381" +checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" [[package]] name = "cfg-if" @@ -354,16 +356,6 @@ dependencies = [ "custom_derive", ] -[[package]] -name = "core-foundation" -version = "0.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" -dependencies = [ - "core-foundation-sys", - "libc", -] - [[package]] name = "core-foundation-sys" version = "0.8.3" @@ -613,21 +605,6 @@ version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2fad85553e09a6f881f739c29f0b00b0f01357c743266d478b68951ce23285f3" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared", -] - -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "form_urlencoded" version = "1.0.1" 
@@ -1018,24 +995,6 @@ dependencies = [ "winapi 0.3.9", ] -[[package]] -name = "native-tls" -version = "0.2.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd7e2f3618557f980e0b17e8856252eee3c97fa12c54dff0ca290fb6266ca4a9" -dependencies = [ - "lazy_static", - "libc", - "log", - "openssl", - "openssl-probe", - "openssl-sys", - "schannel", - "security-framework", - "security-framework-sys", - "tempfile", -] - [[package]] name = "nix" version = "0.24.1" @@ -1152,39 +1111,6 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "93f5bb2e8e8dec81642920ccff6b61f1eb94fa3020c5a325c9851ff604152409" -[[package]] -name = "openssl" -version = "0.10.38" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c7ae222234c30df141154f159066c5093ff73b63204dcda7121eb082fc56a95" -dependencies = [ - "bitflags 1.3.2", - "cfg-if 1.0.0", - "foreign-types", - "libc", - "once_cell", - "openssl-sys", -] - -[[package]] -name = "openssl-probe" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "77af24da69f9d9341038eba93a073b1fdaaa1b788221b00a69bce9e762cb32de" - -[[package]] -name = "openssl-sys" -version = "0.9.72" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e46109c383602735fa0a2e48dd2b7c892b048e1bf69e5c3b1d804b7d9c203cb" -dependencies = [ - "autocfg 1.0.0", - "cc", - "libc", - "pkg-config", - "vcpkg", -] - [[package]] name = "os_info" version = "3.5.0" @@ -1245,12 +1171,6 @@ dependencies = [ "sha-1 0.8.1", ] -[[package]] -name = "pkg-config" -version = "0.3.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33" - [[package]] name = "podio" version = "0.1.6" 
@@ -1436,12 +1356,39 @@ dependencies = [ "rand", ] +[[package]] +name = "ring" +version = "0.16.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" +dependencies = [ + "cc", + "libc", + "once_cell", + "spin", + "untrusted", + "web-sys", + "winapi 0.3.9", +] + [[package]] name = "rustc-demangle" version = "0.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7f4dccf6f4891ebcc0c39f9b6eb1a83b9bf5d747cb439ec6fba4f3b977038af" +[[package]] +name = "rustls" +version = "0.20.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921" +dependencies = [ + "log", + "ring", + "sct", + "webpki", +] + [[package]] name = "ryu" version = "1.0.6" @@ -1458,36 +1405,13 @@ dependencies = [ ] [[package]] -name = "schannel" -version = "0.1.19" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75" -dependencies = [ - "lazy_static", - "winapi 0.3.9", -] - -[[package]] -name = "security-framework" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2dc14f172faf8a0194a3aded622712b0de276821addc574fa54fc0a1167e10dc" -dependencies = [ - "bitflags 1.3.2", - "core-foundation", - "core-foundation-sys", - "libc", - "security-framework-sys", -] - -[[package]] -name = "security-framework-sys" -version = "2.6.1" +name = "sct" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0160a13a177a45bfb43ce71c01580998474f556ad854dcbca936dd2841a5c556" +checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4" dependencies = [ - "core-foundation-sys", - "libc", + "ring", + "untrusted", ] [[package]] 
@@ -1605,6 +1529,12 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f67ad224767faa3c7d8b6d91985b78e70a1324408abcb1cfcc2be4c06bc06043" +[[package]] +name = "spin" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" + [[package]] name = "strsim" version = "0.8.0" @@ -1882,6 +1812,12 @@ dependencies = [ "void", ] +[[package]] +name = "untrusted" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" + [[package]] name = "url" version = "2.1.1" @@ -1902,12 +1838,6 @@ dependencies = [ "regex", ] -[[package]] -name = "vcpkg" -version = "0.2.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6454029bf181f092ad1b853286f23e2c507d8e8194d01d92da4a55c274a5508c" - [[package]] name = "vec_map" version = "0.8.1" @@ -2106,6 +2036,35 @@ version = "0.2.82" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6598dd0bd3c7d51095ff6531a5b23e02acdc81804e30d8f07afb77b7215a140a" +[[package]] +name = "web-sys" +version = "0.3.59" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed055ab27f941423197eb86b2035720b1a3ce40504df082cac2ecc6ed73335a1" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webpki" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd" +dependencies = [ + "ring", + "untrusted", +] + +[[package]] +name = "webpki-roots" +version = "0.22.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1c760f0d366a6c24a02ed7816e23e691f5d92291f94d15e836006fd11b04daf" +dependencies = [ + "webpki", +] + [[package]] name = "which" version = "4.3.0" 
diff --git a/ci/build-and-package.sh b/ci/build-and-package.sh index 0538b4c011..d773c1587c 100755 --- a/ci/build-and-package.sh +++ b/ci/build-and-package.sh @@ -2,6 +2,9 @@ set -e +# Activate the upgraded versions of GCC and binutils +source /opt/rh/devtoolset-2/enable + echo "Building Volta" cargo build --release diff --git a/ci/build-with-openssl.sh b/ci/build-with-openssl.sh deleted file mode 100755 index 50bc5342b2..0000000000 --- a/ci/build-with-openssl.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -set -e - -echo "Building OpenSSL" -cd openssl -./config shared --prefix=/root/workspace/openssl-dist -make -make install_sw -cd - - -OPENSSL_DIR=/root/workspace/openssl-dist ./ci/build-and-package.sh "$1" diff --git a/ci/docker-centos/Dockerfile b/ci/docker-centos/Dockerfile deleted file mode 100644 index c232cbe828..0000000000 --- a/ci/docker-centos/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM centos:6.10 - -# CentOS 6 packages are no longer hosted on the main repository, instead they are in the CentOS Vault -RUN sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Base.repo && \ - sed -i 's/#baseurl=http:\/\/mirror.centos.org\/centos\/$releasever/baseurl=http:\/\/linuxsoft.cern.ch\/centos-vault\/6.10/g' /etc/yum.repos.d/CentOS-Base.repo - -# Set up additional build tools -RUN yum -y update && yum clean all -RUN yum -y install gcc curl openssl openssl-devel ca-certificates tar perl perl-Module-Load-Conditional && yum clean all - -# Install Rust -RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain stable -ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/ci/docker-ubuntu/Dockerfile b/ci/docker-ubuntu/Dockerfile deleted file mode 100644 index e1774c56ea..0000000000 --- a/ci/docker-ubuntu/Dockerfile +++ /dev/null 
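Review bot: `source /opt/rh/devtoolset-2/enable` is unconditional, so with `set -e` the script now aborts on any host that lacks that path, and the only output is bash's generic "No such file" error. The workflow hunk shows the script being run inside the ci/docker image, but whether it has other callers is not visible here. A guard before the `source` line keeps the failure readable: `[ -f /opt/rh/devtoolset-2/enable ] || { echo "devtoolset-2 not found; run inside the ci/docker image" >&2; exit 1; }`.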
@@ -1,9 +0,0 @@ -FROM ubuntu:22.04 - -# Install build tools -RUN apt-get update -y; \ - apt-get install -y curl build-essential pkg-config libssl-dev - -# Install Rust -RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain stable -ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/ci/docker/Dockerfile b/ci/docker/Dockerfile new file mode 100644 index 0000000000..9ff47be294 --- /dev/null +++ b/ci/docker/Dockerfile @@ -0,0 +1,16 @@ +FROM cern/slc6-base + +# This repo file references a URL that is no longer valid. It also isn't used by the build +# toolchain, so we can safely remove it entirely +RUN rm /etc/yum.repos.d/epel.repo + +# Tools needed for the build and setup process +RUN yum -y install wget tar +# Fetch the repo information for the devtoolset repo +RUN wget -O /etc/yum.repos.d/slc6-devtoolset.repo http://linuxsoft.cern.ch/cern/devtoolset/slc6-devtoolset.repo +# Install more recent GCC and binutils, to allow us to compile +RUN yum -y install devtoolset-2-gcc devtoolset-2-binutils + +# Install Rust toolchain +RUN curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain stable +ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/crates/archive/Cargo.toml b/crates/archive/Cargo.toml index a353c569da..2795b10887 100644 --- a/crates/archive/Cargo.toml +++ b/crates/archive/Cargo.toml @@ -15,4 +15,4 @@ verbatim = "0.1" cfg-if = "1.0" hyperx = "1.0.0" thiserror = "1.0.16" -attohttpc = { version = "0.22.0", features = ["json"] } +attohttpc = { version = "0.22.0", default-features = false, features = ["json", "compress", "tls-rustls"] } diff --git a/crates/volta-core/Cargo.toml b/crates/volta-core/Cargo.toml index 38a1b496a3..0aa5b8e06f 100644 --- a/crates/volta-core/Cargo.toml +++ b/crates/volta-core/Cargo.toml 
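Review bot: The devtoolset repo definition is fetched over plain HTTP (`wget -O /etc/yum.repos.d/slc6-devtoolset.repo http://linuxsoft.cern.ch/...`) and the GCC and binutils that build the release binary are then installed from it, so nothing in this Dockerfile authenticates where the toolchain comes from. Whether that repo file enables `gpgcheck` cannot be seen from here; checking the downloaded file against a recorded digest right after the fetch, e.g. `RUN echo "<SHA256_PLACEHOLDER>  /etc/yum.repos.d/slc6-devtoolset.repo" | sha256sum -c -`, would make the expectation explicit and fail the build on a changed file. `FROM cern/slc6-base` and `--default-toolchain stable` are also unpinned, so two builds of the same release tag can use different base layers and Rust versions; pinning the image by digest and naming a Rust version would make release builds repeatable.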
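Review bot: Switching attohttpc to `default-features = false` with `tls-rustls` changes certificate trust as well as linking, and that is not recorded next to the dependency. The lockfile hunks add `webpki-roots` and drop `native-tls`, `schannel` and `security-framework`, which suggests server certificates are now checked against a root set compiled into the binary rather than the operating system's store, on every platform and not only Linux. If that reading is right, hosts that depend on a locally installed CA (for example behind a TLS-inspecting proxy) will fail verification, and root additions or removals reach users only through a new Volta release. A comment above the line would record this, e.g. `# tls-rustls: trust roots come from webpki-roots at build time, not the OS trust store`. The same line is changed in crates/volta-core/Cargo.toml and the comment applies there as well.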
@@ -48,7 +48,7 @@ double-checked-cell = "2.1.0" dunce = "1.0.2" ci_info = "0.14.6" hyperx = "1.4.0" -attohttpc = { version = "0.22.0", features = ["json"] } +attohttpc = { version = "0.22.0", default-features = false, features = ["json", "compress", "tls-rustls"] } chain-map = "0.1.0" indexmap = "1.9.1" retry = "1.3.1" diff --git a/dev/unix/volta-install.sh b/dev/unix/volta-install.sh index c9c93c5adb..2f1a6b9b82 100755 --- a/dev/unix/volta-install.sh +++ b/dev/unix/volta-install.sh @@ -1,9 +1,9 @@ #!/usr/bin/env bash # This is the bootstrap Unix installer served by `https://get.volta.sh`. -# Its responsibility is to query the system to determine what OS (and in the -# case of Linux, what OpenSSL version) the system has, fetch and install the -# appropriate build of Volta, and modify the user's profile. +# Its responsibility is to query the system to determine what OS the system +# has, fetch and install the appropriate build of Volta, and modify the user's +# profile. # NOTE: to use an internal company repo, change how this determines the latest version get_latest_release() { @@ -120,21 +120,19 @@ upgrade_is_ok() { return 0 } -# returns the os name to be used in the packaged release, -# including the openssl info if necessary +# returns the os name to be used in the packaged release parse_os_info() { local uname_str="$1" - local openssl_version="$2" + local arch="$(uname -m)" case "$uname_str" in Linux) - parsed_version="$(parse_openssl_version "$openssl_version")" - exit_code="$?" - if [ "$exit_code" != 0 ]; then - return "$exit_code" + if [ "$arch" == "x86_64" ]; then + echo "linux" + else + error "Releases for non x64 architectures are not currently supported." + return 1 fi - - echo "linux-openssl-$parsed_version" ;; Darwin) if [ "$(uname -m)" == "arm64" ]; then 
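Review bot: In `parse_os_info`, `local arch="$(uname -m)"` is only used by the Linux branch, while the Darwin branch below it still runs `$(uname -m)` a second time, and declaring and assigning on one line discards the exit status of `uname`. Splitting it into `local arch` and `arch="$(uname -m)"` and testing `"$arch"` in both branches keeps the two checks consistent. The Linux check looks at CPU architecture only: the single `linux` artifact is built in the ci/docker image, which appears to be glibc-based, so an x86_64 system with a different libc would presumably pass this check and fail when the binary is first run; that is worth a comment at the `echo "linux"` line. The function continues past the end of this hunk.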
@@ -179,41 +177,6 @@ element_in() { return 1 } -# parse the OpenSSL version from the input text -# for most distros, we only care about MAJOR.MINOR, with the exception of RHEL/CENTOS, -parse_openssl_version() { - local version_str="$1" - - # array containing the SSL libraries that are supported - # would be nice to use a bash 4.x associative array, but bash 3.x is the default on OSX - SUPPORTED_SSL_LIBS=( 'OpenSSL' ) - - # use regex to get the library name and version - # typical version string looks like 'OpenSSL 1.0.1e-fips 11 Feb 2013' - if [[ "$version_str" =~ ^([^\ ]*)\ ([0-9]+\.[0-9]+) ]] - then - # check that the lib is supported - libname="${BASH_REMATCH[1]}" - major_minor="${BASH_REMATCH[2]}" - if ! element_in "$libname" "${SUPPORTED_SSL_LIBS[@]}" - then - error "Releases for '$libname' not currently supported. Supported libraries are: ${SUPPORTED_SSL_LIBS[@]}." - return 1 - fi - - # for version 1.0.x, check for RHEL/CentOS style OpenSSL SONAME (.so.10) - if [ "$major_minor" == "1.0" ] && [ -f "/usr/lib64/libcrypto.so.10" ]; then - echo "rhel" - else - echo "$major_minor" - fi - return 0 - else - error "Could not determine OpenSSL version for '$version_str'." - return 1 - fi -} - create_tree() { local install_dir="$1" @@ -359,9 +322,8 @@ download_release() { local version="$1" local uname_str="$(uname -s)" - local openssl_version="$(openssl version)" local os_info - os_info="$(parse_os_info "$uname_str" "$openssl_version")" + os_info="$(parse_os_info "$uname_str")" if [ "$?" != 0 ]; then error "The current operating system ($uname_str) does not appear to be supported by Volta." return 1