diff --git a/.github/workflows/oci-base.yaml b/.github/workflows/oci-base.yaml deleted file mode 100644 index 2add081a7752..000000000000 --- a/.github/workflows/oci-base.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -# https://github.com/marketplace/actions/build-and-push-docker-images -name: OCI Base Image -on: - schedule: - - cron: '0 3 * * *' - workflow_dispatch: -jobs: - build-publish: - runs-on: ubuntu-20.04 - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up QEMU - id: qemu - uses: docker/setup-qemu-action@v3 - with: - image: tonistiigi/binfmt:latest - platforms: linux/amd64,linux/arm64 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Available platforms - run: echo ${{ steps.buildx.outputs.platforms }} - - - name: Cache Docker layers - uses: actions/cache@v4.0.2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-${{ github.event.pull_request.head.sha || github.sha }} - restore-keys: | - ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx- - - - name: Check for Push Credentials - id: authorized - run: | - if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then - echo "PUSH=true" >> $GITHUB_OUTPUT - else - echo "PUSH=false" >> $GITHUB_OUTPUT - fi - - - name: Login to DockerHub - if: steps.authorized.outputs.PUSH == 'true' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - - name: Build and push - uses: docker/build-push-action@v5 - with: - context: packaging/base-image - platforms: linux/amd64,linux/arm64 - pull: true - push: ${{ steps.authorized.outputs.PUSH }} - tags: | - pivotalrabbitmq/ubuntu:20.04 - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new - - # Temp fix - # https://github.com/docker/build-push-action/issues/252 - # https://github.com/moby/buildkit/issues/1896 - - name: Move cache - run: | - rm -rf /tmp/.buildx-cache - mv /tmp/.buildx-cache-new /tmp/.buildx-cache diff --git a/.github/workflows/oci-make.yaml b/.github/workflows/oci-make.yaml new file mode 100644 index 000000000000..d6471a10fe93 --- /dev/null 
+++ b/.github/workflows/oci-make.yaml 
@@ -0,0 +1,155 @@ +# https://github.com/marketplace/actions/build-and-push-docker-images +name: OCI (make) +on: + push: + paths-ignore: + - '.github/workflows/secondary-umbrella.yaml' + - '.github/workflows/update-elixir-patches.yaml' + - '.github/workflows/update-otp-patches.yaml' + workflow_dispatch: +env: + REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +jobs: + build-package-generic-unix: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Configure Erlang + uses: erlef/setup-beam@v1 + with: + otp-version: 26.2 + elixir-version: 1.15 + - name: make package-generic-unix + run: | + make package-generic-unix + - name: Upload package-generic-unix + uses: actions/upload-artifact@v4.3.1 + with: + name: package-generic-unix + path: PACKAGES/rabbitmq-server-*.tar.xz + + build: + needs: build-package-generic-unix + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + platform: + - linux/amd64 + - linux/arm64 + steps: + - name: Prepare + run: | + platform=${{ matrix.platform }} + echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + - name: Checkout + uses: actions/checkout@v4 + - name: Download package-generic-unix + uses: actions/download-artifact@v4 + with: + name: package-generic-unix + path: PACKAGES + - name: Rename package-generic-unix + run: | + cp \ + PACKAGES/rabbitmq-server-generic-unix-*.tar.xz \ + packaging/docker-image/package-generic-unix.tar.xz + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + type=ref,event=branch + type=ref,event=pr + type=sha,format=long + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor 
}} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PASSWORD }} + - name: Build and push by digest + id: build + uses: docker/build-push-action@v5 + with: + context: packaging/docker-image + platforms: ${{ matrix.platform }} + labels: ${{ steps.meta.outputs.labels }} + cache-to: type=registry,ref=ghcr.io/rabbitmq/rabbitmq:buildcache-${{ env.PLATFORM_PAIR }},mode=max + cache-from: type=registry,ref=ghcr.io/rabbitmq/rabbitmq:buildcache-${{ env.PLATFORM_PAIR }} + outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + - name: Upload digest + uses: actions/upload-artifact@v4 + with: + name: digests-${{ env.PLATFORM_PAIR }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + runs-on: ubuntu-latest + needs: + - build + steps: + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digests-* + merge-multiple: true + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY_IMAGE }} + tags: | + type=ref,event=branch + type=ref,event=pr + type=sha,format=long + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_PASSWORD }} + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) 
| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + - name: Inspect image + run: | + docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + + summary-oci: + needs: + - build-package-generic-unix + - build + - merge + runs-on: ubuntu-latest + steps: + - name: SUMMARY + run: | + cat << 'EOF' | jq -e 'map(.result == "success") | all(.)' + ${{ toJson(needs) }} + EOF diff --git a/.github/workflows/oci.yaml b/.github/workflows/oci.yaml deleted file mode 100644 index f0eaf7c49adb..000000000000 --- a/.github/workflows/oci.yaml +++ /dev/null 
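Review bot: The new workflow declares no `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` grant while the build job uses that token to log in to ghcr.io and push the build cache (`cache-to: type=registry,ref=ghcr.io/rabbitmq/rabbitmq:buildcache-…`); add at workflow level `permissions:` / `  contents: read` / `  packages: write` so the token is scoped to what the jobs visibly need. The Docker Hub login and `push-by-digest=true` output now also run unconditionally on every `push` event, whereas the deleted oci.yaml gated login and push on a "Check for Push Credentials" step that tested whether `secrets.DOCKERHUB_USERNAME` was set; without that gate the `docker/login-action` step fails on forks and on any branch where the secret is absent instead of skipping, so consider restoring that step and its `if:` guard on the login and push steps. Unrelated to correctness but worth noting for supply-chain hygiene: every action here is referenced by a floating tag (`actions/checkout@v4`, `docker/build-push-action@v5`, `actions/upload-artifact@v4.3.1`, `docker/metadata-action@v5`), and a registry build cache pulled with `cache-from: type=registry` is trusted input to the image build; pinning actions to commit SHAs and keeping `packages: write` limited to this workflow reduces both exposures.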
@@ -1,139 +0,0 @@ -# https://github.com/marketplace/actions/build-and-push-docker-images -name: OCI -on: - push: - paths-ignore: - - '.github/workflows/secondary-umbrella.yaml' - - '.github/workflows/update-elixir-patches.yaml' - - '.github/workflows/update-otp-patches.yaml' - workflow_dispatch: -env: - VERSION: ${{ github.event.pull_request.head.sha || github.sha }} -concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} - cancel-in-progress: true -jobs: - build-publish-dev-bazel: - runs-on: ubuntu-latest - services: - registry: - image: registry - ports: - - 5001:5000 - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: 'Login to GitHub Container Registry' - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Configure Erlang - uses: erlef/setup-beam@v1 - with: - otp-version: 26.2 - elixir-version: 1.15 - - - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@v3 - - - name: Configure Bazel - run: | - if [ -n "${{ secrets.BUILDBUDDY_API_KEY }}" ]; then - cat << EOF >> user.bazelrc - build:buildbuddy --remote_header=x-buildbuddy-api-key=${{ secrets.BUILDBUDDY_API_KEY }} - EOF - fi - cat << EOF >> user.bazelrc - build:buildbuddy --build_metadata=ROLE=CI - build:buildbuddy --build_metadata=VISIBILITY=PRIVATE - build:buildbuddy --color=yes - - build --action_env EXTRA_BUILDX_OPTS="--cache-from=type=gha --cache-to=type=gha" - EOF - - - name: Build package-generic-unix - run: | - bazelisk build :package-generic-unix \ - --config=buildbuddy - - - name: Build amd64 Base - run: | - bazelisk build //packaging/base-image:docker-build-amd64 \ - --config=buildbuddy \ - --experimental_ui_max_stdouterr_bytes=4194304 - - - name: Build amd64 - run: | - bazelisk build 
//packaging/docker-image:rabbitmq-amd64 \ - --config=buildbuddy - - - name: Build arm64 Base - run: | - bazelisk build //packaging/base-image:docker-build-arm64 \ - --config=buildbuddy \ - --experimental_ui_max_stdouterr_bytes=4194304 - - - name: Build arm64 - run: | - bazelisk build //packaging/docker-image:rabbitmq-arm64 \ - --config=buildbuddy - - - name: Test - run: | - OCI_TESTS=$(bazel cquery 'tests(//packaging/docker-image/...)' | awk '{ print $1 }') - bazelisk test ${OCI_TESTS} \ - --config=buildbuddy - - - name: Check for Push Credentials - id: authorized - run: | - if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then - echo "PUSH=true" >> $GITHUB_OUTPUT - else - echo "PUSH=false" >> $GITHUB_OUTPUT - fi - - - name: Assemble Multi-Arch - run: | - bazelisk build //packaging/docker-image:rabbitmq \ - --config=buildbuddy - - - name: Login to DockerHub - if: steps.authorized.outputs.PUSH == 'true' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PASSWORD }} - - - name: Tag and Push - if: steps.authorized.outputs.PUSH == 'true' - run: | - TAG_1="${{ env.VERSION }}" - - REF_NAME="${{ github.ref_name }}" - TAG_2="${REF_NAME//\//-}" - - set -x - bazelisk run //packaging/docker-image:push \ - --config=buildbuddy -- \ - --tag ${TAG_1} \ - --tag ${TAG_2} - - summary-oci: - needs: - - build-publish-dev-bazel - runs-on: ubuntu-latest - steps: - - name: SUMMARY - run: | - echo "SUCCESS" diff --git a/.github/workflows/rabbitmq_peer_discovery_aws.yaml b/.github/workflows/rabbitmq_peer_discovery_aws.yaml index d111a23403cc..9e9acb5a3c82 100644 --- a/.github/workflows/rabbitmq_peer_discovery_aws.yaml +++ b/.github/workflows/rabbitmq_peer_discovery_aws.yaml 
@@ -21,13 +21,17 @@ jobs: steps: - name: CHECKOUT REPOSITORY uses: actions/checkout@v4 - - name: WAIT FOR OCI IMAGE WORKFLOW - uses: lewagon/wait-on-check-action@v1.3.4 + - uses: docker/metadata-action@v4 + id: metadata with: - ref: ${{ github.ref }} - check-name: build-publish-dev-bazel - repo-token: ${{ secrets.GITHUB_TOKEN }} - wait-interval: 30 # seconds + images: pivotalrabbitmq/rabbitmq + tags: | + type=sha,format=long + - uses: int128/wait-for-docker-image-action@v1 + with: + tags: ${{ steps.metadata.outputs.tags }} + timeout-seconds: 3600 + polling-seconds: 60 - name: CONFIGURE BAZEL run: | cat << EOF >> user.bazelrc @@ -51,6 +55,6 @@ jobs: --build_tests_only \ --test_env AWS_ACCESS_KEY_ID=${{ secrets.CONCOURSE_AWS_ACCESS_KEY_ID }} \ --test_env AWS_SECRET_ACCESS_KEY=${{ secrets.CONCOURSE_AWS_SECRET_ACCESS_KEY }} \ - --test_env RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq:${{ github.sha }}" \ + --test_env RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq:sha-${{ github.sha }}" \ --test_env AWS_ECS_CLUSTER_NAME="rabbitmq-peer-discovery-aws-actions-${branch_or_tag//[._]/-}" \ --verbose_failures diff --git a/packaging/base-image/.dockerignore b/packaging/base-image/.dockerignore deleted file mode 100644 index 819ae9cc4ce6..000000000000 --- a/packaging/base-image/.dockerignore +++ /dev/null @@ -1 +0,0 @@ -BUILD.bazel diff --git a/packaging/base-image/BUILD.bazel b/packaging/base-image/BUILD.bazel deleted file mode 100644 index a4ab6d5c59c2..000000000000 --- a/packaging/base-image/BUILD.bazel +++ /dev/null 
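Review bot: The new wait step only confirms that a `pivotalrabbitmq/rabbitmq:sha-<commit>` tag exists on Docker Hub, whereas the removed `wait-on-check-action` waited for the `build-publish-dev-bazel` check to succeed; a tag is mutable, and the second hunk's `--test_env RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq:sha-${{ github.sha }}"` pulls whatever the tag points at when the test actually runs. Resolve the digest once the wait returns and pass an immutable reference to the test instead, e.g. `docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$TAG"` and then `RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq@$DIGEST"`. This hunk also pins `docker/metadata-action@v4` while the new oci-make.yaml in this same commit uses `@v5`; keep both on one version, and pin `docker/metadata-action` and the third-party `int128/wait-for-docker-image-action` to commit SHAs rather than floating major tags. The enclosing job's `steps:` list starts before this hunk.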
@@ -1,40 +0,0 @@ -_ARCHS = [ - "amd64", - "arm64", -] - -_TAGS = [ - "docker", - "manual", - "no-sandbox", - "no-remote-exec", # buildbuddy runners do not have the emulator available -] - -[ - genrule( - name = "docker-build-%s" % arch, - srcs = [ - "Dockerfile", - ], - outs = [ - "image-%s.tar" % arch, - ], - cmd = """set -euo pipefail - -CONTEXT="$$(mktemp -d)" - -cp $(location Dockerfile) "$$CONTEXT" - -docker buildx \\ - build \\ - "$$CONTEXT" \\ - --platform linux/{arch} \\ - --output type=tar,dest=$(location image-{arch}.tar) $${{EXTRA_BUILDX_OPTS:-}} -""".format( - arch = arch, - ), - tags = _TAGS, - visibility = ["//packaging:__subpackages__"], - ) - for arch in _ARCHS -] diff --git a/packaging/base-image/Dockerfile b/packaging/base-image/Dockerfile deleted file mode 100644 index d4541a8a882d..000000000000 --- a/packaging/base-image/Dockerfile +++ /dev/null 
@@ -1,234 +0,0 @@ -# -# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" -# -# PLEASE DO NOT EDIT IT DIRECTLY. -# - -# The official Canonical Ubuntu Focal image is ideal from a security perspective, -# especially for the enterprises that we, the RabbitMQ team, have to deal with - -FROM ubuntu:22.04 as build-base - -ARG BUILDKIT_SBOM_SCAN_STAGE=true - -RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - build-essential \ - ca-certificates \ - gnupg \ - libncurses5-dev \ - wget - -FROM build-base as openssl-builder - -ARG BUILDKIT_SBOM_SCAN_STAGE=true - -# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally -ARG PGP_KEYSERVER=keyserver.ubuntu.com -# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, -# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.13 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.13/ubuntu -# For context, see https://github.com/docker-library/official-images/issues/4252 - -ENV OPENSSL_VERSION 3.1.5 -ENV OPENSSL_SOURCE_SHA256="6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262" -# https://www.openssl.org/community/otc.html -# https://www.openssl.org/source/ -ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D 0xEFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5" - -ENV OTP_VERSION 26.2.2 -# TODO add PGP checking when the feature will be added to Erlang/OTP's build system -# https://erlang.org/pipermail/erlang-questions/2019-January/097067.html -ENV OTP_SOURCE_SHA256="d537ff4ac5d8c1cb507aedaf7198fc1f155ea8aa65a8d83edb35c2802763cc28" - -# install openssl & erlang to a path that isn't auto-checked for libs to 
prevent accidental use by system packages -ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang -ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl - -# Install dependencies required to build Erlang/OTP from source -# https://erlang.org/doc/installation_guide/INSTALL.html -# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP -# gnupg: Required to verify OpenSSL artefacts -# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli -RUN set -eux; \ - OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ - OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ - OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ - \ -# Required by the crypto & ssl Erlang/OTP applications - wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ - wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $OPENSSL_PGP_KEY_IDS; do \ - gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key"; \ - done; \ - gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME"; \ - echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \ - mkdir -p "$OPENSSL_PATH"; \ - tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ - \ -# Configure OpenSSL for compilation - cd "$OPENSSL_PATH"; \ -# without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) -# OpenSSL's "config" script uses a lot of "uname"-based target detection... 
- dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ -# https://deb.debian.org/debian/dists/unstable/main/ - case "$dpkgArch" in \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) - amd64) opensslMachine='linux-x86_64' ;; \ - arm64) opensslMachine='linux-aarch64' ;; \ -# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 -# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines -# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html - armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ - i386) opensslMachine='linux-x86' ;; \ - ppc64el) opensslMachine='linux-ppc64le' ;; \ - riscv64) opensslMachine='linux64-riscv64' ;; \ - s390x) opensslMachine='linux64-s390x' ;; \ - *) echo >&2 "error: unsupported arch: '$apkArch'"; exit 1 ;; \ - esac; \ - MACHINE="$opensslMachine" \ - RELEASE="4.x.y-z" \ - SYSTEM='Linux' \ - BUILD='???' 
\ - ./Configure \ - "$opensslMachine" \ - enable-fips \ - --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ - --openssldir="$OPENSSL_CONFIG_DIR" \ - --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ - ${opensslExtraConfig:-} \ - ; \ -# Compile, install OpenSSL, verify that the command-line works & development headers are present - make -j "$(getconf _NPROCESSORS_ONLN)"; \ - make install_sw install_ssldirs install_fips; \ - ldconfig; \ -# use Debian's CA certificates - rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ - ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" - -# smoke test -RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version - -FROM openssl-builder as erlang-builder - -ARG BUILDKIT_SBOM_SCAN_STAGE=true - -RUN set -eux; \ - OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ - OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ - \ -# Download, verify & extract OTP_SOURCE - mkdir -p "$OTP_PATH"; \ - wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ - echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ - tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ - \ -# Configure Erlang/OTP for compilation, disable unused features & applications -# https://erlang.org/doc/applications.html -# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation - cd "$OTP_PATH"; \ - export ERL_TOP="$OTP_PATH"; \ - CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ -# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl 
package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) - export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ - hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ - buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ - dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ -# JIT is only supported on amd64 + arm64; https://github.com/erlang/otp/blob/OTP-25.3.2.2/erts/configure#L24306-L24347 - jitFlag=; \ - case "$dpkgArch" in \ - amd64 | arm64) jitFlag='--enable-jit' ;; \ - esac; \ - ./configure \ - --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ - --host="$hostArch" \ - --build="$buildArch" \ - --disable-hipe \ - --disable-sctp \ - --disable-silent-rules \ - --enable-builtin-zlib \ - --enable-clock-gettime \ - --enable-hybrid-heap \ - --enable-kernel-poll \ - --enable-smp-support \ - --enable-threads \ - --with-microstate-accounting=extra \ - --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ - --without-common_test \ - --without-debugger \ - --without-dialyzer \ - --without-diameter \ - --without-edoc \ - --without-erl_docgen \ - --without-et \ - --without-eunit \ - --without-ftp \ - --without-hipe \ - --without-jinterface \ - --without-megaco \ - --without-observer \ - --without-odbc \ - --without-reltool \ - --without-ssh \ - --without-tftp \ - --without-wx \ - $jitFlag \ - ; \ - \ -# Compile & install Erlang/OTP - make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ - make install; \ - \ -# Remove unnecessary files - find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ - find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ - find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + - -# Check that Erlang/OTP crypto & ssl were compiled 
against OpenSSL correctly -ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH -RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' -RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' - -FROM ubuntu:22.04 - -# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again -ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang -ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl -COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.2","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json - -COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX -RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json - -ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH - -ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq - -RUN set -eux; \ -# Configure OpenSSL to use system certs - ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ - \ -# Check that OpenSSL still works after copying from previous builder - ldconfig; \ - sed -i.ORIG -e "/\.include.*fips/ s!.*!.include 
$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ - -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ - sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ - [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ - openssl version; \ - openssl version -d; \ - \ -# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly - erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \ - \ -# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM - groupadd --gid 999 --system rabbitmq; \ - useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \ - mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ - chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ - chmod 1777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ - ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie diff --git a/packaging/docker-image/.gitignore b/packaging/docker-image/.gitignore new file mode 100644 index 000000000000..65b88cadab90 --- /dev/null +++ b/packaging/docker-image/.gitignore @@ -0,0 +1 @@ +package-generic-unix.tar.xz diff --git a/packaging/docker-image/BUILD.bazel b/packaging/docker-image/BUILD.bazel index f6106e281c66..2828f8a8e2ea 100644 --- a/packaging/docker-image/BUILD.bazel +++ b/packaging/docker-image/BUILD.bazel @@ -36,7 +36,6 @@ _TAGS = [ genrule( name = "docker-build-%s" % arch, srcs = [ - "//packaging/base-image:image-%s.tar" % arch, ":context-files", ], outs = [ 
@@ -48,22 +47,10 @@ CONTEXT="$$(mktemp -d)" cp $(locations :context-files) "$$CONTEXT" -BASE_IMAGE="ghcr.io/rabbitmq/rabbitmq-base" - -set -x - -docker import \\ - --platform linux/{arch} \\ - "$(location //packaging/base-image:image-{arch}.tar)" \\ - $$BASE_IMAGE:{arch} - -DIGEST="$$(docker push $$BASE_IMAGE:{arch} | sed -n 's/.*\\(sha256:[a-z0-9]*\\).*/\\1/p')" - docker buildx \\ build \\ "$$CONTEXT" \\ --platform linux/{arch} \\ - --build-arg BASE_IMAGE="$$BASE_IMAGE@$$DIGEST" \\ --build-arg RABBITMQ_VERSION="{rmq_version}" \\ --output type=tar,dest=$(location image-{arch}.tar) $${{EXTRA_BUILDX_OPTS:-}} """.format( diff --git a/packaging/docker-image/Dockerfile b/packaging/docker-image/Dockerfile index d2d104d65075..7571087fc773 100644 --- a/packaging/docker-image/Dockerfile +++ b/packaging/docker-image/Dockerfile 
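Review bot: Removing the `docker import` / `docker push` / `--build-arg BASE_IMAGE="$$BASE_IMAGE@$$DIGEST"` lines drops the only digest pin the Bazel build had on its base image; the replacement Dockerfile (its first lines are visible at the start of the next hunk) starts from `FROM ubuntu:22.04`, a mutable tag, so two runs of this genrule can now build on different base layers with no record of which. Either pin the base in the Dockerfile as `FROM ubuntu:22.04@sha256:<digest>` or reintroduce a digest-bearing `--build-arg BASE_IMAGE=…` that the Dockerfile consumes, so the image built here is reproducible and auditable. The genrule's `cmd` string begins before this hunk, so the `set -euo pipefail` preamble and `CONTEXT` setup are not visible here.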
@@ -1,13 +1,238 @@ -ARG BASE_IMAGE=ghcr.io/rabbitmq/rabbitmq-base:amd64 -FROM ${BASE_IMAGE} +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# +# The official Canonical Ubuntu Focal image is ideal from a security perspective, +# especially for the enterprises that we, the RabbitMQ team, have to deal with + +FROM ubuntu:22.04 as build-base + +ARG BUILDKIT_SBOM_SCAN_STAGE=true + +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + build-essential \ + ca-certificates \ + gnupg \ + libncurses5-dev \ + wget + +FROM build-base as openssl-builder + +ARG BUILDKIT_SBOM_SCAN_STAGE=true + +# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally +ARG PGP_KEYSERVER=keyserver.ubuntu.com +# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors, +# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.13 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.13/ubuntu +# For context, see https://github.com/docker-library/official-images/issues/4252 + +ENV OPENSSL_VERSION 3.1.5 +ENV OPENSSL_SOURCE_SHA256="6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262" +# https://www.openssl.org/community/otc.html +# https://www.openssl.org/source/ +ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D 0xEFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5" + +ENV OTP_VERSION 26.2.2 +# TODO add PGP checking when the feature will be added to Erlang/OTP's build system +# https://erlang.org/pipermail/erlang-questions/2019-January/097067.html +ENV OTP_SOURCE_SHA256="d537ff4ac5d8c1cb507aedaf7198fc1f155ea8aa65a8d83edb35c2802763cc28" + +# 
install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +# Install dependencies required to build Erlang/OTP from source +# https://erlang.org/doc/installation_guide/INSTALL.html +# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP +# gnupg: Required to verify OpenSSL artefacts +# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli +RUN set -eux; \ + OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \ + OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \ + OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ + \ +# Required by the crypto & ssl Erlang/OTP applications + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \ + wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \ + export GNUPGHOME="$(mktemp -d)"; \ + for key in $OPENSSL_PGP_KEY_IDS; do \ + gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key"; \ + done; \ + gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \ + mkdir -p "$OPENSSL_PATH"; \ + tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \ + \ +# Configure OpenSSL for compilation + cd "$OPENSSL_PATH"; \ +# without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??) +# OpenSSL's "config" script uses a lot of "uname"-based target detection... 
+ dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ +# https://deb.debian.org/debian/dists/unstable/main/ + case "$dpkgArch" in \ +# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys) + amd64) opensslMachine='linux-x86_64' ;; \ + arm64) opensslMachine='linux-aarch64' ;; \ +# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766 +# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines +# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html + armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \ + i386) opensslMachine='linux-x86' ;; \ + ppc64el) opensslMachine='linux-ppc64le' ;; \ + riscv64) opensslMachine='linux64-riscv64' ;; \ + s390x) opensslMachine='linux64-s390x' ;; \ + *) echo >&2 "error: unsupported arch: '$apkArch'"; exit 1 ;; \ + esac; \ + MACHINE="$opensslMachine" \ + RELEASE="4.x.y-z" \ + SYSTEM='Linux' \ + BUILD='???' 
\ + ./Configure \ + "$opensslMachine" \ + enable-fips \ + --prefix="$OPENSSL_INSTALL_PATH_PREFIX" \ + --openssldir="$OPENSSL_CONFIG_DIR" \ + --libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + -Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \ + ${opensslExtraConfig:-} \ + ; \ +# Compile, install OpenSSL, verify that the command-line works & development headers are present + make -j "$(getconf _NPROCESSORS_ONLN)"; \ + make install_sw install_ssldirs install_fips; \ + ldconfig; \ +# use Debian's CA certificates + rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \ + ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR" + +# smoke test +RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version + +FROM openssl-builder as erlang-builder + +ARG BUILDKIT_SBOM_SCAN_STAGE=true + +RUN set -eux; \ + OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \ + OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \ + \ +# Download, verify & extract OTP_SOURCE + mkdir -p "$OTP_PATH"; \ + wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \ + echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \ + tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \ + \ +# Configure Erlang/OTP for compilation, disable unused features & applications +# https://erlang.org/doc/applications.html +# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation + cd "$OTP_PATH"; \ + export ERL_TOP="$OTP_PATH"; \ + CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \ +# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl 
package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364) + export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \ + hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \ + buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \ +# JIT is only supported on amd64 + arm64; https://github.com/erlang/otp/blob/OTP-25.3.2.2/erts/configure#L24306-L24347 + jitFlag=; \ + case "$dpkgArch" in \ + amd64 | arm64) jitFlag='--enable-jit' ;; \ + esac; \ + ./configure \ + --prefix="$ERLANG_INSTALL_PATH_PREFIX" \ + --host="$hostArch" \ + --build="$buildArch" \ + --disable-hipe \ + --disable-sctp \ + --disable-silent-rules \ + --enable-builtin-zlib \ + --enable-clock-gettime \ + --enable-hybrid-heap \ + --enable-kernel-poll \ + --enable-smp-support \ + --enable-threads \ + --with-microstate-accounting=extra \ + --with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \ + --without-common_test \ + --without-debugger \ + --without-dialyzer \ + --without-diameter \ + --without-edoc \ + --without-erl_docgen \ + --without-et \ + --without-eunit \ + --without-ftp \ + --without-hipe \ + --without-jinterface \ + --without-megaco \ + --without-observer \ + --without-odbc \ + --without-reltool \ + --without-ssh \ + --without-tftp \ + --without-wx \ + $jitFlag \ + ; \ + \ +# Compile & install Erlang/OTP + make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \ + make install; \ + \ +# Remove unnecessary files + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \ + find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' + + +# Check that Erlang/OTP crypto & ssl were compiled 
against OpenSSL correctly +ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH +RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }' +RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().' + +FROM ubuntu:22.04 + +# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again +ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang +ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl +COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX +RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.2","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json + +COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX +RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json + ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq +RUN set -eux; \ +# Configure OpenSSL to use system certs + ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \ + \ +# Check that OpenSSL still works after copying from previous builder + ldconfig; \ + sed -i.ORIG -e "/\.include.*fips/ s!.*!.include 
$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \ + -e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \ + sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \ + [ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \ + openssl version; \ + openssl version -d; \ + \ +# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly + erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \ + \ +# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM + groupadd --gid 999 --system rabbitmq; \ + useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \ + mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + chmod 1777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \ + ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie + # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html) ARG RABBITMQ_VERSION=4.0.0 ENV RABBITMQ_VERSION=${RABBITMQ_VERSION} diff --git a/packaging/docker-image/Makefile b/packaging/docker-image/Makefile index 6e82080b6057..3b442b5cb180 100644 --- a/packaging/docker-image/Makefile +++ b/packaging/docker-image/Makefile 
@@ -34,24 +34,14 @@ endif
 IMAGE_TAG_1 ?= $(subst +,-,$(VERSION))
 endif
-OTP_VERSION ?= 25.0.4
-OTP_SHA256 ?= 05878cb51a64b33c86836b12a21903075c300409b609ad5e941ddb0feb8c2120
 REPO ?= pivotalrabbitmq/rabbitmq
-SKIP_PGP_VERIFY ?= false
-PGP_KEYSERVER ?= pgpkeys.eu
-ALT1_PGP_KEYSERVER ?= keyserver.ubuntu.com
-ALT2_PGP_KEYSERVER ?= pgpkeys.uk
 all: dist
 dist:
- xzcat $(GENERIC_UNIX_ARCHIVE) | tar xvf -
+ cp -f $(GENERIC_UNIX_ARCHIVE) package-generic-unix.tar.xz
 docker build --pull \
- --build-arg SKIP_PGP_VERIFY=$(SKIP_PGP_VERIFY) \
- --build-arg PGP_KEYSERVER=$(PGP_KEYSERVER) \
- --build-arg OTP_VERSION=$(OTP_VERSION) \
- --build-arg OTP_SHA256=$(OTP_SHA256) \
- --build-arg RABBITMQ_BUILD=rabbitmq_server-$(VERSION) \
+ --build-arg RABBITMQ_VERSION=$(VERSION) \
 --tag $(REPO):$(IMAGE_TAG_1) \
 .
@@ -63,19 +53,4 @@ ifdef IMAGE_TAG_2
 endif
 clean:
- rm -rf rabbitmq_server-*
-
-OTP_VERSION_MATCH ?= 25[0-9.]+
-define LATEST_STABLE_OTP_VERSION
-curl --silent --fail https://api.github.com/repos/erlang/otp/git/refs/tags | \
- jq -r '.[].ref | sub("refs/tags/OTP.{1}";"") | match("^$(OTP_VERSION_MATCH)$$") | .string' | \
- tail -n 1
-endef
-.PHONY: find-otp-sha256
-find-otp-sha256:
- @printf "Version: " && \
- export VERSION="$$($(LATEST_STABLE_OTP_VERSION))" && \
- echo "$$VERSION" && \
- printf "Checksum: " && \
- wget --continue --quiet --output-document="/tmp/OTP-$$VERSION.tar.gz" "https://github.com/erlang/otp/archive/OTP-$$VERSION.tar.gz" && \
- shasum -a 256 "/tmp/OTP-$$VERSION.tar.gz"
+ rm -f rabbitmq_server-*
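Review bot: The Erlang/OTP source pin and its checksum are no longer supplied from this target: `dist` now forwards only `RABBITMQ_VERSION`, so the `OTP_VERSION` and `OTP_SOURCE_SHA256` that the Dockerfile's download-and-`sha256sum --check` step consumes (visible in the Dockerfile hunk earlier in this diff) must come from that file's own defaults, which this hunk does not show. With the `find-otp-sha256` helper also deleted in this commit, nothing left in the Makefile tells a maintainer where the pin lives or how to refresh it, so a comment above `dist:` would close that gap, e.g. `# Erlang/OTP version and its SHA-256 are pinned in the Dockerfile (OTP_VERSION / OTP_SOURCE_SHA256); bump both together and hash the otp_src tarball the Dockerfile downloads, not GitHub's auto-generated archive.` Note that the removed helper hashed `https://github.com/erlang/otp/archive/OTP-$VERSION.tar.gz`, whereas the Dockerfile in this change fetches `releases/download/OTP-$V/otp_src_$V.tar.gz`; these are different artifacts, so a checksum produced the old way would not match the new download path.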
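Review bot: `clean` does not remove the `package-generic-unix.tar.xz` that the new `dist` recipe copies into the build context, so a stale archive survives across invocations and remains in the context of any later `docker build`; the recipe should be `rm -f rabbitmq_server-* package-generic-unix.tar.xz`. The `rabbitmq_server-*` glob looks like a leftover from the deleted `xzcat | tar` extraction, which created directories by that name; if an old checkout still has one, `rm -f` (unlike the previous `rm -rf`) will refuse to remove a directory and fail the target, so either keep `-rf` or drop the glob once nothing else creates those directories — which I cannot confirm from this hunk.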