@rail rail commented Nov 11, 2025

Previously, our Dockerfile for deployment would install the openssl package when FIPS mode was enabled. However, this is unnecessary because the current implementation of FIPS mode does not rely on the system's OpenSSL library. This allows us to unify the Dockerfile for both variants.

Additionally, install ca-certificates to ensure that TLS certificates can be properly validated, without implicitly using x509.SetFallbackRoots.

Epic: none
Release note: none

@rail rail requested a review from rickystewart November 11, 2025 21:01
@rail rail self-assigned this Nov 11, 2025
@rail rail requested a review from a team as a code owner November 11, 2025 21:01
@rail rail added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-release T-release Release Engineering & Automation Team labels Nov 11, 2025
@rail rail removed the request for review from rickystewart November 12, 2025 16:07
@rail rail marked this pull request as draft November 12, 2025 16:11
@rail rail force-pushed the rail/pr-umswuwyxmkzl branch from addd152 to d37491a Compare November 12, 2025 18:11
@github-actions
Potential Bug(s) Detected

The three-stage Claude Code analysis has identified potential bug(s) in this PR that may warrant investigation.

Next Steps:
Please review the detailed findings in the workflow run.

Note: When viewing the workflow output, scroll to the bottom to find the Final Analysis Summary.

After you review the findings, please tag the issue as follows:

  • If the detected issue is real or was helpful in any way, please tag the issue with O-AI-Review-Real-Issue-Found
  • If the detected issue was not helpful in any way, please tag the issue with O-AI-Review-Not-Helpful

@github-actions github-actions bot added the o-AI-Review-Potential-Issue-Detected AI reviewer found potential issue. Never assign manually—auto-applied by GH action only. label Nov 12, 2025
@rail rail force-pushed the rail/pr-umswuwyxmkzl branch from d37491a to 1ae578e Compare November 12, 2025 18:22
@rail rail added the O-AI-Review-Real-Issue-Found AI reviewer found real issue label Nov 12, 2025
@rail rail requested a review from rickystewart November 12, 2025 19:37
@rail rail marked this pull request as ready for review November 12, 2025 19:37
gzip \
xz \
&& rm -rf /var/cache/yum
# FIPS mode requires the `openssl` package installed. Also we need to temporarily

Very nice to see all this code go away.

rail commented Nov 13, 2025

bors r=rickystewart

craig bot commented Nov 13, 2025

@craig craig bot merged commit d05f126 into cockroachdb:master Nov 13, 2025
25 checks passed
@rail rail deleted the rail/pr-umswuwyxmkzl branch November 13, 2025 20:03