From eafe58ddb269ff905b5e0f7edaa26a8b62d29b9a Mon Sep 17 00:00:00 2001 From: Alex Lopez Date: Tue, 18 Feb 2025 14:13:34 +0100 Subject: [PATCH] Build cryptography (Linux) (#19635) * Fix short-circuited condition * Force build Cryptography on Linux * Don't `enable-fips`
---
 .builders/build.py | 2 +-
 .builders/images/linux-aarch64/Dockerfile | 17 +++++++++++++++++
 .builders/images/linux-aarch64/build_script.sh | 3 +++
 .builders/images/linux-x86_64/Dockerfile | 17 +++++++++++++++++
 .builders/images/linux-x86_64/build_script.sh | 3 +++
 5 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/.builders/build.py b/.builders/build.py
index 43233c9d3cd88..328441670a76d 100644
--- a/.builders/build.py
+++ b/.builders/build.py
@@ -224,7 +224,7 @@ def build_image():
 # Assumption: if a digest was provided we're not changing the build image and therefore
 # we're fine with reusing wheels we've built previously
- if args.digest or True:
+ if args.digest:
 script_args.append('--use-built-index')
 check_process([
diff --git a/.builders/images/linux-aarch64/Dockerfile b/.builders/images/linux-aarch64/Dockerfile
index 1a03035a9bc5e..c4ad0bc15fbde 100644
--- a/.builders/images/linux-aarch64/Dockerfile
+++ b/.builders/images/linux-aarch64/Dockerfile
@@ -53,6 +53,19 @@ RUN /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-l
 && /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-location virtualenv \
 && /opt/python/${PYTHON3_VERSION}/bin/python3 -m virtualenv /py3
+# Rust toolchain (needed for cryptography)
+ENV RUST_VERSION="1.76"
+ENV RUSTC_SHA256="673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800"
+ARG RUSTUP_VERSION="1.26.0"
+ARG RUSTUP_SHA256="673e336c81c65e6b16dcdede33f4cc9ed0f08bde1dbe7a935f113605292dc800"
+RUN curl -sSL -o rustup-init "https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/aarch64-unknown-linux-gnu/rustup-init" \
+ && echo "${RUSTUP_SHA256} rustup-init" | sha256sum --check \
+ && chmod +x ./rustup-init \
+ && ./rustup-init -y --profile minimal --default-toolchain "${RUST_VERSION}" \
+ && echo "${RUSTC_SHA256} $HOME/.cargo/bin/rustc" | sha256sum --check \
+ && rm ./rustup-init
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 # krb5 for dependencies that require kerberos support
 RUN \
 DOWNLOAD_URL="https://kerberos.org/dist/krb5/1.20/krb5-{{version}}.tar.gz" \
@@ -163,6 +176,10 @@ RUN \
 --with-ssl=/usr/local \
 && rm /usr/local/bin/curl
+# Environment variables to help openssl crate find OpenSSL
+ENV OPENSSL_LIB_DIR="/usr/local/lib"
+ENV OPENSSL_INCLUDE_DIR="/usr/local/include"
+
 # Set up runner
 COPY runner_dependencies.txt /runner_dependencies.txt
 RUN python3 -m pip install --no-warn-script-location -r /runner_dependencies.txt
diff --git a/.builders/images/linux-aarch64/build_script.sh b/.builders/images/linux-aarch64/build_script.sh
index ca0d2f2a25b2e..7b916c2dfaa38 100644
--- a/.builders/images/linux-aarch64/build_script.sh
+++ b/.builders/images/linux-aarch64/build_script.sh
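Review bot: The second checksum in the Rust toolchain block of `.builders/images/linux-aarch64/Dockerfile` does not look like it pins the compiler: `RUSTC_SHA256` carries the same value as `RUSTUP_SHA256`, which is what one would expect if `$HOME/.cargo/bin/rustc` is rustup's proxy link to the installer binary rather than the toolchain's own `rustc`. If so, the step re-verifies a file that was already checked, and the integrity of the downloaded toolchain rests on rustup's own verification plus the partial version `1.76`. I would either drop the `RUSTC_SHA256` check or add a comment such as `# rustc here is the rustup proxy, so this hash equals RUSTUP_SHA256; the toolchain itself is verified by rustup`, and pin the toolchain with a full version (`RUST_VERSION="1.76.0"`). The first hunk of the x86_64 Dockerfile has the same pair of identical values.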
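Review bot: The `OPENSSL_LIB_DIR` added after the curl build in `.builders/images/linux-aarch64/Dockerfile` is `/usr/local/lib`, while the matching hunk in the x86_64 Dockerfile uses `/usr/local/lib64`, and neither says why the two differ. These variables decide which OpenSSL the cryptography build links against, presumably the one under `/usr/local` that the curl step references with `--with-ssl=/usr/local`, so the path is worth documenting. I would extend the comment to something like `# OpenSSL from /usr/local (libdir is lib on aarch64, lib64 on x86_64); used by the openssl crate when building cryptography`. The RUN block above starts outside the hunk, so the OpenSSL install step itself is not visible here.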
@@ -29,6 +29,9 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
 # The version of pyodbc is dynamically linked against a version of the odbc which doesn't come included in the wheel
 # That causes the omnibus' health check to flag it. Forcing the build so that we do include it in the wheel.
 always_build+=("pyodbc")
+
+ # We need to build cryptography for FIPS support
+ always_build+=("cryptography")
 else
 # Not working on Python 2
 sed -i '/aerospike==/d' /home/requirements.in
diff --git a/.builders/images/linux-x86_64/Dockerfile b/.builders/images/linux-x86_64/Dockerfile
index 08f9e31dc9302..3d554a62f0352 100644
--- a/.builders/images/linux-x86_64/Dockerfile
+++ b/.builders/images/linux-x86_64/Dockerfile
@@ -48,6 +48,19 @@ RUN /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-l
 && /opt/python/${PYTHON3_VERSION}/bin/python3 -m pip install --no-warn-script-location virtualenv \
 && /opt/python/${PYTHON3_VERSION}/bin/python3 -m virtualenv /py3
+# Rust toolchain (needed for cryptography)
+ENV RUST_VERSION="1.76"
+ENV RUSTC_SHA256="0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db"
+ARG RUSTUP_VERSION="1.26.0"
+ARG RUSTUP_SHA256="0b2f6c8f85a3d02fde2efc0ced4657869d73fccfce59defb4e8d29233116e6db"
+RUN curl -sSL -o rustup-init "https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/x86_64-unknown-linux-gnu/rustup-init" \
+ && echo "${RUSTUP_SHA256} rustup-init" | sha256sum --check \
+ && chmod +x ./rustup-init \
+ && ./rustup-init -y --profile minimal --default-toolchain "${RUST_VERSION}" \
+ && echo "${RUSTC_SHA256} $HOME/.cargo/bin/rustc" | sha256sum --check \
+ && rm ./rustup-init
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 # MQ Client library required by pymqi
 ENV IBM_MQ_VERSION="9.2.4.0"
 ENV IBM_MQ_SHA256="d0d583eba72daf20b3762976f8831c2e23150ace90509520e12f8cda5b5bdb49"
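Review bot: The comment on the added `always_build+=("cryptography")` in `.builders/images/linux-aarch64/build_script.sh` names the goal but not the mechanism, and the commit message says FIPS is not being enabled here (`Don't enable-fips`). A reader cannot tell from `for FIPS support` what a source build changes; presumably the point is that the wheel gets linked against the image's own OpenSSL instead of whatever a prebuilt wheel ships. I would reword it along the lines of `# Build cryptography from source so it links against the OpenSSL in this image (prerequisite for FIPS builds)`. The same comment appears in the x86_64 build_script.sh hunk, and the enclosing `if` block starts outside both hunks.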
@@ -167,6 +180,10 @@ RUN \
 --with-ssl=/usr/local \
 && rm /usr/local/bin/curl
+# Environment variables to help openssl crate find OpenSSL
+ENV OPENSSL_LIB_DIR="/usr/local/lib64"
+ENV OPENSSL_INCLUDE_DIR="/usr/local/include"
+
 # Set up runner
 COPY runner_dependencies.txt /runner_dependencies.txt
 RUN python3 -m pip install --no-warn-script-location -r /runner_dependencies.txt
diff --git a/.builders/images/linux-x86_64/build_script.sh b/.builders/images/linux-x86_64/build_script.sh
index d00254e364e77..45f1441c4f019 100644
--- a/.builders/images/linux-x86_64/build_script.sh
+++ b/.builders/images/linux-x86_64/build_script.sh
@@ -26,6 +26,9 @@ if [[ "${DD_BUILD_PYTHON_VERSION}" == "3" ]]; then
 # The version of pyodbc is dynamically linked against a version of the odbc which doesn't come included in the wheel
 # That causes the omnibus' health check to flag it. Forcing the build so that we do include it in the wheel.
 always_build+=("pyodbc")
+
+ # We need to build cryptography for FIPS support
+ always_build+=("cryptography")
 fi
 # package names passed to PIP_NO_BINARY need to be separated by commas