update SDK dependencies, add OpenSSL

Dockerfile

@@ -12,8 +12,8 @@ RUN \
     dwarves elfutils-devel libcap-devel openssl-devel \
     createrepo_c e2fsprogs gdisk grub2-tools.$(uname -m) \
     kpartx lz4 veritysetup dosfstools mtools squashfs-tools \
-    perl-FindBin perl-open policycoreutils secilc qemu-img \
-    glib2-devel rpcgen && \
+    perl-FindBin perl-IPC-Cmd perl-open policycoreutils \
+    secilc qemu-img glib2-devel rpcgen erofs-utils && \
   dnf clean all && \
   useradd builder
 COPY ./sdk-fetch /usr/local/bin
@@ -151,7 +151,7 @@ COPY --from=toolchain-musl \
 FROM sdk as sdk-gnu
 USER builder
 
-ARG GLIBCVER="2.33"
+ARG GLIBCVER="2.34"
 
 WORKDIR /home/builder
 COPY ./hashes/glibc ./hashes
@@ -238,7 +238,7 @@ RUN make install
 RUN \
   install -p -m 0644 -Dt ${SYSROOT}/usr/share/licenses/musl COPYRIGHT
 
-ARG LLVMVER="12.0.0"
+ARG LLVMVER="12.0.1"
 
 USER builder
 WORKDIR /home/builder
@@ -282,6 +282,71 @@ RUN \
 
 # =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
+FROM sdk-musl as sdk-musl-openssl
+USER builder
+
+ARG OPENSSLVER="3.0.0"
+
+WORKDIR /home/builder
+COPY ./hashes/openssl ./hashes
+RUN \
+  sdk-fetch hashes && \
+  rpm2cpio openssl-${OPENSSLVER}-*.src.rpm | cpio -idmv && \
+  tar xf openssl-${OPENSSLVER}-hobbled.tar.xz && \
+  mv openssl-${OPENSSLVER} openssl && \
+  for p in *.patch ; do \
+    echo "applying ${p}" ; \
+    patch -d openssl -p1 < "${p}" ; \
+  done && \
+  cp ec_curve.c openssl/crypto/ec
+
+ARG ARCH
+ARG TARGET="${ARCH}-bottlerocket-linux-musl"
+ARG SYSROOT="/${TARGET}/sys-root"
+ARG CFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-clash-protection"
+ARG LDFLAGS="-Wl,-z,relro -Wl,-z,now"
+
+WORKDIR /home/builder/openssl
+RUN \
+  NO_FEATURES="" && \
+  for algorithm in \
+    aria bf blake2 camellia cast des dh dsa idea md4 \
+    mdc2 ocb rc2 rc4 rmd160 scrypt seed siphash siv \
+    sm2 sm3 sm4 whirlpool ; \
+  do \
+    NO_FEATURES+="no-${algorithm} " ; \
+  done && \
+  for feature in \
+    cmp cms deprecated dgram ec2m gost legacy padlockeng \
+    srp srtp ssl ssl-trace stdio tests ts ui-console \
+    dtls dtls1{,-method} dtls1_2{,-method} \
+    tls1{,-method} tls1_1{,-method} \
+    ; \
+  do \
+    NO_FEATURES+="no-${feature} " ; \
+  done && \
+  CC="gcc" \
+  CXX="g++" \
+  CROSS_COMPILE="${TARGET}-" \
+  ./Configure \
+    --prefix="${SYSROOT}/usr" \
+    --libdir="${SYSROOT}/usr/lib" \
+    --cross-compile-prefix="${TARGET}-" \
+    '-DDEVRANDOM="\"/dev/urandom\""' \
+    ${NO_FEATURES} \
+    enable-ec_nistp_64_gcc_128 \
+    "linux-${ARCH}" && \
+   perl configdata.pm --dump && \
+   make -j$(nproc)
+
+USER root
+WORKDIR /home/builder/openssl
+RUN make install_sw
+RUN \
+  install -p -m 0644 -Dt ${SYSROOT}/usr/share/licenses/openssl LICENSE.txt
+
+# =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
 FROM sdk as sdk-libc
 
 ARG ARCH
@@ -305,7 +370,7 @@ RUN \
 ARG ARCH
 ARG HOST_ARCH
 ARG VENDOR="bottlerocket"
-ARG RUSTVER="1.53.0"
+ARG RUSTVER="1.56.0"
 
 USER builder
 WORKDIR /home/builder
@@ -353,6 +418,8 @@ RUN \
     cp compiler/rustc_target/src/spec/${ARCH}_{unknown,${VENDOR}}_linux_${libc}.rs && \
     sed -i -e '/let mut base = super::linux_'${libc}'_base::opts();/a base.vendor = "'${VENDOR}'".to_string();' \
       compiler/rustc_target/src/spec/${ARCH}_${VENDOR}_linux_${libc}.rs && \
+    sed -i -e '/ \.\.super::linux_'${libc}'_base::opts()/i vendor: "'${VENDOR}'".to_string(),' \
+      compiler/rustc_target/src/spec/${ARCH}_${VENDOR}_linux_${libc}.rs && \
     sed -i -e '/("'${ARCH}-unknown-linux-${libc}'", .*),/a("'${ARCH}-${VENDOR}-linux-${libc}'", '${ARCH}_${VENDOR}_linux_${libc}'),' \
       compiler/rustc_target/src/spec/mod.rs ; \
   done && \
@@ -379,7 +446,7 @@ FROM sdk-libc as sdk-go
 
 ARG ARCH
 ARG TARGET="${ARCH}-bottlerocket-linux-gnu"
-ARG GOVER="1.16.5"
+ARG GOVER="1.16.9"
 
 USER root
 RUN dnf -y install golang
@@ -440,7 +507,7 @@ RUN \
   mkdir -p /usr/libexec/tools /home/builder/license-scan /usr/share/licenses/bottlerocket-license-scan && \
   chown -R builder:builder /usr/libexec/tools /home/builder/license-scan /usr/share/licenses/bottlerocket-license-scan
 
-ARG SPDXVER="3.13"
+ARG SPDXVER="3.14"
 
 USER builder
 WORKDIR /home/builder/license-scan
@@ -472,7 +539,7 @@ RUN \
   mkdir -p /usr/share/licenses/cargo-deny && \
   chown -R builder:builder /usr/share/licenses/cargo-deny
 
-ARG DENYVER="0.6.2"
+ARG DENYVER="0.9.1"
 
 USER builder
 WORKDIR /home/builder
@@ -504,9 +571,9 @@ RUN \
   mkdir -p /usr/libexec/tools /usr/share/licenses/govmomi && \
   chown -R builder:builder /usr/libexec/tools /usr/share/licenses/govmomi
 
-ARG GOVMOMIVER="0.26.0"
-ARG GOVMOMISHORTCOMMIT="34586b6"
-ARG GOVMOMIDATE="2021-06-03T19:03:25Z"
+ARG GOVMOMIVER="0.27.0"
+ARG GOVMOMISHORTCOMMIT="086bb561"
+ARG GOVMOMIDATE="2021-10-14T20:30:09Z"
 
 USER builder
 WORKDIR ${GOPATH}/src/github.com/vmware/govmomi
@@ -578,11 +645,11 @@ WORKDIR /
 # "sdk" has our C/C++ toolchain and kernel headers for both targets.
 COPY --from=sdk / /
 
-# "sdk-musl" has a superset of the above, and includes C library and headers.
+# "sdk-musl-openssl" includes the musl C library and OpenSSL, plus headers.
 # We omit "sdk-gnu" because we expect to build glibc again for the target OS,
 # while we will use the musl artifacts directly to generate static binaries
 # such as migrations.
-COPY --chown=0:0 --from=sdk-musl ${MUSL_SYSROOT}/ ${MUSL_SYSROOT}/
+COPY --chown=0:0 --from=sdk-musl-openssl ${MUSL_SYSROOT}/ ${MUSL_SYSROOT}/
 
 # "sdk-rust" has our Rust toolchain with the required targets.
 COPY --chown=0:0 --from=sdk-rust /usr/libexec/rust/ /usr/libexec/rust/

Makefile

@@ -1,7 +1,7 @@
 ARCH ?= $(shell uname -m)
 HOST_ARCH ?= $(shell uname -m)
 
-VERSION := v0.22.0
+VERSION := v0.23.0
 
 SDK_TAG := bottlerocket/sdk-$(ARCH):$(VERSION)-$(HOST_ARCH)
 TOOLCHAIN_TAG := bottlerocket/toolchain-$(ARCH):$(VERSION)-$(HOST_ARCH)

configs/cargo-deny/clarify.toml

@@ -51,6 +51,7 @@ license-files = [
     { path = "libgit2/COPYING", hash = 0x6ad47cc8},
     { path = "libgit2/deps/http-parser/COPYING", hash = 0x81cd6118 },
     { path = "libgit2/deps/pcre/COPYING", hash = 0x30b9f959 },
+    { path = "libgit2/deps/pcre/LICENCE", hash = 0xe7b944da },
     { path = "libgit2/deps/zlib/COPYING", hash = 0x5f5980f4 },
 ]
 # we aren't distributing examples or build scripts, and we're not using winhttp
@@ -67,6 +68,14 @@ license-files = [
     { path = "libssh2/COPYING", hash = 0xd8679249 },
 ]
 
+[clarify.libz-sys]
+expression = "(MIT OR Apache-2.0) AND Zlib"
+license-files = [
+    { path = "LICENSE-APACHE", hash = 0x24b54f4b },
+    { path = "LICENSE-MIT", hash = 0x88396382 },
+    { path = "src/zlib-ng/LICENSE.md", hash = 0xa03e2b4 },
+]
+
 [clarify.openssl-src]
 expression = "MIT OR Apache-2.0"
 license-files = [
@@ -102,6 +111,7 @@ license-files = [
 # libzstd is GPL-2.0-only OR BSD-3-Clause (selecting BSD-3-Clause)
 expression = "(MIT OR Apache-2.0) AND BSD-3-Clause"
 license-files = [
+    { path = "LICENSE", hash = 0xa237d234 },
     { path = "zstd/LICENSE", hash = 0x79cda15 },
 ]
 skip-files = [

hashes/cargo-deny

@@ -1,2 +1,2 @@
-# https://github.com/EmbarkStudios/cargo-deny/archive/0.6.2.tar.gz#/cargo-deny-0.6.2.tar.gz
-SHA512 (cargo-deny-0.6.2.tar.gz) = 1711a132c6fee8bfd17fe00470cf615f135869dd2321189ef14a306b8662fe8a55dab9c84e941f99b7d05b5e0a739fc0ab590971a121b461437659e76f8aed63
+# https://github.com/EmbarkStudios/cargo-deny/archive/0.9.1.tar.gz#/cargo-deny-0.9.1.tar.gz
+SHA512 (cargo-deny-0.9.1.tar.gz) = 963783cbe0fb89c578cdf2811ae6b3147052fa2b1f27bb11775725508ed01a951ecac5b0bbb41be8be5fb2d1f16dc9575600b3fb87dc7e5814db28f2d562798c

hashes/glibc

@@ -1,2 +1,2 @@
-# https://mirrors.kernel.org/gnu/glibc/glibc-2.33.tar.xz
-SHA512 (glibc-2.33.tar.xz) = 4cb5777b68b22b746cc51669e0e9282b43c83f6944e42656e6db7195ebb68f2f9260f130fdeb4e3cfc64efae4f58d96c43d388f52be1eb024ca448084684abdb
+# https://mirrors.kernel.org/gnu/glibc/glibc-2.34.tar.xz
+SHA512 (glibc-2.34.tar.xz) = 15252affd9ef4523a8001db16d497f4fdcb3ddf4cde7fe80e075df0bd3cc6524dc29fbe20229dbf5f97af580556e6b1fac0de321a5fe25322bc3e72f93beb624

hashes/go

@@ -1,2 +1,2 @@
-# https://golang.org/dl/go1.16.5.src.tar.gz
-SHA512 (go1.16.5.src.tar.gz) = ba90ce1f3faa39519eb5437009c4b710b493e42764a14b0821292a8a17b714fe5985ef20e6e3c340f71cb521ff63d45a23570d38fd752526a1262448c641d544
+# https://golang.org/dl/go1.16.9.src.tar.gz
+SHA512 (go1.16.9.src.tar.gz) = e1c02ac64fcc13b94bb160c9129d5fcfa4a486df069e4f5a42b5d5827e0c82105a957a92926a1e4802e37fd5a148ffcc015e244a31367fd68cfe30c90d2de385

hashes/govmomi

@@ -1,2 +1,2 @@
-# https://github.com/vmware/govmomi/archive/v0.26.0.tar.gz#/govmomi-0.26.0.tar.gz
-SHA512 (govmomi-0.26.0.tar.gz) = 51e1e41fd230781b841ed238ce87d81e6b6902c67f1aae91c1245bcb69a696d13baaadae4f67e59bf58b018c6fc1e808168eb55eb4b351f82ace8a16633daa5c
+# https://github.com/vmware/govmomi/archive/v0.27.0.tar.gz#/govmomi-0.27.0.tar.gz
+SHA512 (govmomi-0.27.0.tar.gz) = 696db77edbc77fc7068e678a858d4c28cab8e7750b9cf8f2ba81704e4d8b6a0e046b49b05cd356c2e6b9575c6995697f5ffc190b1af1968f590a11a8bc2276d0

hashes/libunwind

@@ -1,6 +1,6 @@
-# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/llvm-12.0.0.src.tar.xz
-SHA512 (llvm-12.0.0.src.tar.xz) = ec17153ef774a1e08085763bda7d0dfce6802fbaa17e89831695ce1b2eb015a6c2aebfaa9fe7985a83b9c51bd75d40bb4f1fc706dc16d4c0dc2b2722a1d8a24e
-# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/libcxx-12.0.0.src.tar.xz
-SHA512 (libcxx-12.0.0.src.tar.xz) = d8038e73b4f26191516608799288f5418ccfb4552ffd767b08179f0dba2730f0d872b28bd3db9fe244e7177101b599aa251d28a496c734b22b3c053db187d88d
-# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.0/libunwind-12.0.0.src.tar.xz
-SHA512 (libunwind-12.0.0.src.tar.xz) = 0fabbd3292fb14e423e0db9b76dd73d166e4942b9573bf37ed71d1f5198c59d5218277cb030b9cb2d4f071780f6125a24d387a41da2de3c187e9f9feba2024e8
+# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.1/llvm-12.0.1.src.tar.xz
+SHA512 (llvm-12.0.1.src.tar.xz) = ff674afb4c8eea699a4756f1bb463f15098a7fa354c733de83c024f8f0cf238cd5f19ae3ec446831c7109235e293e2bf31d8562567ede163c8ec53af7306ba0f
+# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.1/libcxx-12.0.1.src.tar.xz
+SHA512 (libcxx-12.0.1.src.tar.xz) = c9f9a546d6a312ff6e7c85a044ce801fe7bfca1c349767b3f3c5ea16656b8906a8078f25de38138c9844c4b2646238fd17d890438cd10391cd9e4a430f9064a0
+# https://github.com/llvm/llvm-project/releases/download/llvmorg-12.0.1/libunwind-12.0.1.src.tar.xz
+SHA512 (libunwind-12.0.1.src.tar.xz) = 847b6ba03010a43f4fdbfdc49bf16d18fd18474d01584712e651b11191814bf7c1cf53475021d9ee447ed78413202b4ed97973d7bdd851d3e49f8d06f55a7af4

hashes/license-scan

@@ -1,2 +1,2 @@
-# https://github.com/spdx/license-list-data/archive/v3.13.tar.gz#/license-list-data-3.13.tar.gz
-SHA512 (license-list-data-3.13.tar.gz) = c8429e4bb9f69c364cb75bff06d219cd886b9b11c5fd4b7b6e11f0f85ebbb0b5a76cb303f0ff12864db8888d4e9a88185df7192b3dfd244d29f9944ed016d647
+# https://github.com/spdx/license-list-data/archive/v3.14.tar.gz#/license-list-data-3.14.tar.gz
+SHA512 (license-list-data-3.14.tar.gz) = 12e3e7405c24ac0ad35556e409bf255342b94c2491c2abf4dfb168bba69becfa82a965a5b3b94fa2bb042ef56951ecb6e949b085e58b0946025e43b4b16f0084

hashes/openssl

@@ -0,0 +1,2 @@
+# https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/o/openssl-3.0.0-1.fc36.src.rpm
+SHA512 (openssl-3.0.0-1.fc36.src.rpm) = f0aa28ee6c2810e595310221a610c58861ef75b2c2002f6f65f715b25927fb3359b8dd3b0da7ce1d4578bfe9990f42190b8f4e94ed009ac53220dc381417ddf8

hashes/rust

@@ -1,15 +1,15 @@
-# https://static.rust-lang.org/dist/rustc-1.53.0-src.tar.xz
-SHA512 (rustc-1.53.0-src.tar.xz) = 70485cf7a0f7fc36ee31644e546374079dc387a85b44e5e793707fd0a4d7ca05d311291e78b86db955485d8f21c47ff9e1908acc4da68ba04929287213a40c24
-### See https://github.com/rust-lang/rust/blob/1.53.0/src/stage0.txt for what to use below. ###
-# https://static.rust-lang.org/dist/2021-05-06/rust-std-1.52.0-x86_64-unknown-linux-gnu.tar.xz
-SHA512 (rust-std-1.52.0-x86_64-unknown-linux-gnu.tar.xz) = 4affdea14e6ee015bb09ac5956a94275e321c7fa80feaa892e55bee692e7d022103cdcb6832cfb62ec797d4db062c0762dd60ddeddfcb9e5fad184076ef3ff93
-# https://static.rust-lang.org/dist/2021-05-06/rustc-1.52.0-x86_64-unknown-linux-gnu.tar.xz
-SHA512 (rustc-1.52.0-x86_64-unknown-linux-gnu.tar.xz) = 75c7de819acf46bc136e5361aab4b00fcf7d8ea6717317fb858a099c5304053d23b80fb1aeb8e5da48e8916a27ef5ecf3fd14c006bf54a52d8d7f1bbcc43c113
-# https://static.rust-lang.org/dist/2021-05-06/cargo-1.52.0-x86_64-unknown-linux-gnu.tar.xz
-SHA512 (cargo-1.52.0-x86_64-unknown-linux-gnu.tar.xz) = e8456fea80df70f687362fa364697c7cd77e1dfda66ddeb1fb58b4aa0a1d8702e24a914f1104ca2201007362095da8853ffe277ef3ab780289b757072a677b47
-# https://static.rust-lang.org/dist/2021-05-06/rust-std-1.52.0-aarch64-unknown-linux-gnu.tar.xz
-SHA512 (rust-std-1.52.0-aarch64-unknown-linux-gnu.tar.xz) = c1ac821611c69a95afc98374a17c1e4815e9b5337c67c0ce94e56baef5e8ecd6ed9bd48413657c9cb7c02a94368a8a55ab3079982196f96d4c44686c30b941a3
-# https://static.rust-lang.org/dist/2021-05-06/rustc-1.52.0-aarch64-unknown-linux-gnu.tar.xz
-SHA512 (rustc-1.52.0-aarch64-unknown-linux-gnu.tar.xz) = 04646d6d9ed859791b2aef6e27535e9b3a7c841e131cb139051bbce24f450e5b9b163e258119a5c81cd0118e237e36f95ac8d0ca5fbadf09a82067e20a112b41
-# https://static.rust-lang.org/dist/2021-05-06/cargo-1.52.0-aarch64-unknown-linux-gnu.tar.xz
-SHA512 (cargo-1.52.0-aarch64-unknown-linux-gnu.tar.xz) = 71856bb447f920052bdb37a73a8919cc779cfc60142a9bafcffa121626099b96762fe87448762e3a64beaf06d951fb4cc3c4e4118aac19253208e3d7f37b2616
+# https://static.rust-lang.org/dist/rustc-1.56.0-src.tar.xz
+SHA512 (rustc-1.56.0-src.tar.xz) = 2daa365524b47dcc48e49a0e9c8c45988af44c0845e2695dc5053f18e768e49acf3dbdd77f808dbf260546ef608eb47c593544012dd05675cb7e6b6223900315
+### See https://github.com/rust-lang/rust/blob/1.56.0/src/stage0.txt for what to use below. ###
+# https://static.rust-lang.org/dist/2021-09-09/rust-std-1.55.0-x86_64-unknown-linux-gnu.tar.xz
+SHA512 (rust-std-1.55.0-x86_64-unknown-linux-gnu.tar.xz) = 88832a54efe6591bb2191e5a43c81639d590b012f51d5e086bed66ac4fce51bb93f6104bfbbca87614dfbfba78a096c2cdd9ad194e44bb4d409530a8f929d905
+# https://static.rust-lang.org/dist/2021-09-09/rustc-1.55.0-x86_64-unknown-linux-gnu.tar.xz
+SHA512 (rustc-1.55.0-x86_64-unknown-linux-gnu.tar.xz) = 3e3d32327d465b33c026974c2b7509474733c387eef65518b7fb29bbee544848b37a79fd8d212ffea868a4f70b92180e7c3c92233d195ccabc1589b16409a96d
+# https://static.rust-lang.org/dist/2021-09-09/cargo-1.55.0-x86_64-unknown-linux-gnu.tar.xz
+SHA512 (cargo-1.55.0-x86_64-unknown-linux-gnu.tar.xz) = d2434d0f8bf9ee83c0484bd3f35c91d6ba296537ef83149fa20ec2b79c24c53d73aacbbf31a8ffe22003ab0555e231b16b3e31c72e2d37f9aa18b749818d9e96
+# https://static.rust-lang.org/dist/2021-09-09/rust-std-1.55.0-aarch64-unknown-linux-gnu.tar.xz
+SHA512 (rust-std-1.55.0-aarch64-unknown-linux-gnu.tar.xz) = 8e6a7626807623bae3d86d3ae38eab65f983e0cf7c6b3d56f0389f451ac7b861265ee421253c5146b68f83237a0ad230e0fe65e01e276c2078bf673eeaf4aff0
+# https://static.rust-lang.org/dist/2021-09-09/rustc-1.55.0-aarch64-unknown-linux-gnu.tar.xz
+SHA512 (rustc-1.55.0-aarch64-unknown-linux-gnu.tar.xz) = 88854d2b9313bc2f2844c41ac5f5eab2b17928b294b0bf2f94f6c1d60fbe7623baaad672a1fb619a28875c8fe9f535e963ba51b0de4eb1c557136a0d2cc78af8
+# https://static.rust-lang.org/dist/2021-09-09/cargo-1.55.0-aarch64-unknown-linux-gnu.tar.xz
+SHA512 (cargo-1.55.0-aarch64-unknown-linux-gnu.tar.xz) = f1533c8de34c4a2ad8050480bbf3764046b21e956f06163558604a4d5e3b6997a76aa12e0be5c63728a6129d7373c0986aa619e10730933e5f9f8e76aa70a32f

license-scan/deny.toml

@@ -15,8 +15,19 @@ allow = [
     "BSL-1.0",
     "MIT",
     "Unlicense",
+    "Zlib",
 ]
 
 # FIXME: Remove this when a license is assigned for first-party packages
 [licenses.private]
 ignore = true
+
+[bans]
+# Deny multiple versions or wildcard dependencies.
+multiple-versions = "deny"
+wildcards = "deny"
+
+[sources]
+# Deny crates from unknown registries or git repositories.
+unknown-registry = "deny"
+unknown-git = "deny"