Build cryptography (Linux) (#19635)

* Fix short-circuited condition * Force build Cryptography on Linux * Don't `enable-fips`
DataDog · Feb 18, 2025 · eafe58d · eafe58d
1 parent 5e31e04
commit eafe58d
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 1 deletion.
diff --git a/.builders/build.py b/.builders/build.py
@@ -224,7 +224,7 @@ def build_image():
 
             # Assumption: if a digest was provided we're not changing the build image and therefore
             # we're fine with reusing wheels we've built previously
-            if args.digest or True:
+            if args.digest:
                 script_args.append('--use-built-index')
 
             check_process([

diff --git a/.builders/images/linux-aarch64/Dockerfile b/.builders/images/linux-aarch64/Dockerfile
@@ -53,6 +53,19 @@ RUN /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-l
  && /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-location virtualenv \
  && /opt/python/${PYTHON3_VERSION}/bin/python3 -m virtualenv /py3
 
+# Rust toolchain (needed for cryptography)
+ENV RUST_VERSION="1.76"
+ENV RUSTC_SHA256="673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800"
+ARG RUSTUP_VERSION="1.26.0"
+ARG RUSTUP_SHA256="673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800"
+RUN curl -sSL -o rustup-init "https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/aarch64-unknown-linux-gnu/rustup-init" \
+ && echo "${RUSTUP_SHA256} rustup-init" | sha256sum --check \
+ && chmod +x ./rustup-init \
+ && ./rustup-init -y --profile minimal --default-toolchain "${RUST_VERSION}" \
+ && echo "${RUSTC_SHA256}  $HOME/.cargo/bin/rustc" | sha256sum --check \
+ && rm ./rustup-init
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 # krb5 for dependencies that require kerberos support
 RUN \
  DOWNLOAD_URL="https://kerberos.org/dist/krb5/1.20/krb5-{{version}}.tar.gz" \
@@ -163,6 +176,10 @@ RUN \
     --with-ssl=/usr/local \
  && rm /usr/local/bin/curl
 
+# Environment variables to help openssl crate find OpenSSL
+ENV OPENSSL_LIB_DIR="/usr/local/lib"
+ENV OPENSSL_INCLUDE_DIR="/usr/local/include"
+
 # Set up runner
 COPY runner_dependencies.txt /runner_dependencies.txt
 RUN python3 -m pip install --no-warn-script-location -r /runner_dependencies.txt

diff --git a/.builders/images/linux-aarch64/build_script.sh b/.builders/images/linux-aarch64/build_script.sh
@@ -29,6 +29,9 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
     # The version of pyodbc is dynamically linked against a version of the odbc which doesn't come included in the wheel
     # That causes the omnibus' health check to flag it. Forcing the build so that we do include it in the wheel.
     always_build+=("pyodbc")
+
+    # We need to build cryptography for FIPS support
+    always_build+=("cryptography")
 else
     # Not working on Python 2
     sed -i '/aerospike==/d' /home/requirements.in

diff --git a/.builders/images/linux-x86_64/Dockerfile b/.builders/images/linux-x86_64/Dockerfile
@@ -48,6 +48,19 @@ RUN /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-l
  && /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-location virtualenv \
  && /opt/python/${PYTHON3_VERSION}/bin/python3 -m virtualenv /py3
 
+# Rust toolchain (needed for cryptography)
+ENV RUST_VERSION="1.76"
+ENV RUSTC_SHA256="0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db"
+ARG RUSTUP_VERSION="1.26.0"
+ARG RUSTUP_SHA256="0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db"
+RUN curl -sSL -o rustup-init "https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/x86_64-unknown-linux-gnu/rustup-init" \
+ && echo "${RUSTUP_SHA256} rustup-init" | sha256sum --check \
+ && chmod +x ./rustup-init \
+ && ./rustup-init -y --profile minimal --default-toolchain "${RUST_VERSION}" \
+ && echo "${RUSTC_SHA256}  $HOME/.cargo/bin/rustc" | sha256sum --check \
+ && rm ./rustup-init
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 # MQ Client library required by pymqi
 ENV IBM_MQ_VERSION="9.2.4.0"
 ENV IBM_MQ_SHA256="d0d583eba72daf20b3762976f8831c2e23150ace90509520e12f8cda5b5bdb49"
@@ -167,6 +180,10 @@ RUN \
     --with-ssl=/usr/local \
  && rm /usr/local/bin/curl
 
+# Environment variables to help openssl crate find OpenSSL
+ENV OPENSSL_LIB_DIR="/usr/local/lib64"
+ENV OPENSSL_INCLUDE_DIR="/usr/local/include"
+
 # Set up runner
 COPY runner_dependencies.txt /runner_dependencies.txt
 RUN python3 -m pip install --no-warn-script-location -r /runner_dependencies.txt

diff --git a/.builders/images/linux-x86_64/build_script.sh b/.builders/images/linux-x86_64/build_script.sh
@@ -26,6 +26,9 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
     # The version of pyodbc is dynamically linked against a version of the odbc which doesn't come included in the wheel
     # That causes the omnibus' health check to flag it. Forcing the build so that we do include it in the wheel.
     always_build+=("pyodbc")
+
+    # We need to build cryptography for FIPS support
+    always_build+=("cryptography")
 fi
 
 # package names passed to PIP_NO_BINARY need to be separated by commas