Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade OpenSSL from 1.1.1 to 3.1.3 #4179

Merged
merged 18 commits into from
Dec 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
f015987
Build ckb's docker image by bionic-rust-1.71.1-openssl-3.1.3
eval-exec Oct 8, 2023
4f06ded
Package ckb with statically linked OpenSSL 3.1.3
eval-exec Oct 8, 2023
b5becfd
Static link openssl for aarch64-linux release
eval-exec Oct 12, 2023
af54f60
Install latest openssl 3.1.3 for windows platform release
eval-exec Oct 12, 2023
503f754
Fix OpenSSL 3.1.3 build instructions for linux-aarch64
eval-exec Dec 6, 2023
b560271
Extract OPENSSL_* related env from make prod for mac
eval-exec Dec 6, 2023
50aac10
Extract OPENSSL_* related env from make prod for mac-aarch64
eval-exec Dec 6, 2023
1be0b49
Separate no-shared OPENSSL as a independent step for linux-aarch64
eval-exec Dec 6, 2023
b7d5028
Compile OpenSSL 3.1.3 from source intead of install it from brew for mac
eval-exec Dec 6, 2023
b6a76f8
Compile OpenSSL 3.1.3 from source intead of install it from brew for …
eval-exec Dec 6, 2023
526d261
Verify GPG signature and sha256sum for openssl tar ball
eval-exec Dec 6, 2023
d897fad
Verify GPG signature and sha256sum for openssl tar ball for mac
eval-exec Dec 6, 2023
ce1ef3c
Verify GPG signature and sha256sum for openssl tar ball for mac-aarch64
eval-exec Dec 6, 2023
c4ab35e
Fix OpenSSL prefix path to openssl-3.1.3/build
eval-exec Dec 6, 2023
3e530fa
Put OpenSSL related file under `target` dir
eval-exec Dec 6, 2023
388bbd6
Fix OpenSSL include dir env name
eval-exec Dec 11, 2023
a4ef135
Remove trailing whitespace
eval-exec Dec 11, 2023
a6cb554
Do not install openssl on windows-2019
eval-exec Dec 11, 2023
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 81 additions & 23 deletions .github/workflows/package.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ jobs:
GPG_SIGNER: ${{ secrets.GPG_SIGNER }}
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
docker run --rm -i -w /ckb -v $(pwd):/ckb -e OPENSSL_STATIC=1 -e OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu -e OPENSSL_INCLUDE_DIR=/usr/include $BUILDER_IMAGE make ${{ matrix.build_target }}
docker run --rm -i -w /ckb -v $(pwd):/ckb -e OPENSSL_STATIC=1 -e OPENSSL_LIB_DIR=/usr/local/lib64 -e OPENSSL_INCLUDE_DIR=/usr/local/include $BUILDER_IMAGE make ${{ matrix.build_target }}
gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output devtools/ci/signer.asc devtools/ci/signer.asc.gpg
gpg --import devtools/ci/signer.asc
devtools/ci/package.sh target/prod/ckb
Expand All @@ -78,7 +78,7 @@ jobs:
name: ckb_${{env.GIT_TAG_NAME }}_${{env.REL_PKG }}.asc
path: ckb_${{env.GIT_TAG_NAME }}_${{env.REL_PKG }}.asc
env:
BUILDER_IMAGE: nervos/ckb-docker-builder:bionic-rust-1.71.1
BUILDER_IMAGE: nervos/ckb-docker-builder:bionic-rust-1.71.1-openssl-3.1.3
Copy link
Collaborator Author

@eval-exec eval-exec Dec 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nervos/ckb-docker-builder:bionic-rust-1.71.1-openssl-3.1.3 doesn't exist in dockerhub.
In dockerhub, we have bionic-rust-1.71.0-openssl-3.1.3 and centos-7-rust-1.71.0-openssl-3.1.3

REL_PKG: ${{ matrix.rel_pkg }}

package-for-linux-aarch64:
Expand All @@ -94,6 +94,24 @@ jobs:
run: rustup target add aarch64-unknown-linux-gnu
- name: Install dependencies
run: sudo apt-get update && sudo apt-get install -y gcc-multilib && sudo apt-get install -y build-essential clang gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
- name: Install OpenSSL
run: |
mkdir target && cd target

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz
curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.asc

gpg --keyserver keys.openpgp.org --recv-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg --verify openssl-3.1.3.tar.gz.asc openssl-3.1.3.tar.gz

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256
echo $(cat openssl-3.1.3.tar.gz.sha256) openssl-3.1.3.tar.gz | sha256sum --check

tar -xzf openssl-3.1.3.tar.gz
cd openssl-3.1.3
CC=aarch64-linux-gnu-gcc ./Configure --prefix=$(pwd)/openssl-3.1.3/build linux-aarch64 no-shared
CC=aarch64-linux-gnu-gcc make -j $(nproc)
CC=aarch64-linux-gnu-gcc make -j $(nproc) install_sw
- name: Build CKB and Package CKB
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
Expand All @@ -103,16 +121,13 @@ jobs:
SKIP_CKB_CLI: true
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
export TOP_DIR=$(pwd)
curl -LO https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
CC=aarch64-linux-gnu-gcc ./Configure linux-aarch64 shared
CC=aarch64-linux-gnu-gcc make
cd ..
export OPENSSL_LIB_DIR=${TOP_DIR}/openssl-1.1.1
export OPENSSL_INCLUDE_DIR=${TOP_DIR}/openssl-1.1.1/include

export OPENSSL_DIR=$(pwd)/target/openssl-3.1.3/build
export OPENSSL_INCLUDE_DIR=${OPENSSL_DIR}/include
export OPENSSL_LIB_DIR=${OPENSSL_DIR}/lib64
export OPENSSL_STATIC=1
PKG_CONFIG_ALLOW_CROSS=1 CC=gcc CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc CKB_BUILD_TARGET="--target=aarch64-unknown-linux-gnu" make prod_portable

gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output devtools/ci/signer.asc devtools/ci/signer.asc.gpg
gpg --import devtools/ci/signer.asc
devtools/ci/package.sh target/aarch64-unknown-linux-gnu/prod/ckb
Expand Down Expand Up @@ -170,7 +185,7 @@ jobs:
name: ckb_${{env.GIT_TAG_NAME }}_${{env.REL_PKG }}.asc
path: ckb_${{env.GIT_TAG_NAME }}_${{env.REL_PKG }}.asc
env:
BUILDER_IMAGE: nervos/ckb-docker-builder:centos-7-rust-1.71.1
BUILDER_IMAGE: nervos/ckb-docker-builder:centos-7-rust-1.71.1-openssl-3.1.3
REL_PKG: ${{ matrix.rel_pkg }}

package-for-mac:
Expand All @@ -189,13 +204,37 @@ jobs:
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
echo "GIT_TAG_NAME=$GIT_TAG_NAME" >> $GITHUB_ENV
- name: Install Dependencies
run: |
mkdir target && cd target

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz
curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.asc

gpg --keyserver keys.openpgp.org --recv-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg --verify openssl-3.1.3.tar.gz.asc openssl-3.1.3.tar.gz

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256
echo $(cat openssl-3.1.3.tar.gz.sha256) openssl-3.1.3.tar.gz | sha256sum --check

tar -xzf openssl-3.1.3.tar.gz
cd openssl-3.1.3
./Configure --prefix=$(pwd)/openssl-3.1.3/build no-shared
make
make install_sw
- name: Build CKB and Package CKB
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
GPG_SIGNER: ${{ secrets.GPG_SIGNER }}
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
make OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/local/opt/openssl@1.1/lib OPENSSL_INCLUDE_DIR=/usr/local/opt/openssl@1.1/include ${{ matrix.build_target }}

export OPENSSL_DIR=$(pwd)/target/openssl-3.1.3/build
export OPENSSL_LIB_DIR=${OPENSSL_DIR}/lib
export OPENSSL_INCLUDE_DIR=${OPENSSL_DIR}/include
export OPENSSL_STATIC=1
make ${{ matrix.build_target }}

gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output devtools/ci/signer.asc devtools/ci/signer.asc.gpg
gpg --import devtools/ci/signer.asc
devtools/ci/package.sh target/prod/ckb
Expand Down Expand Up @@ -230,31 +269,50 @@ jobs:
echo /opt/homebrew/bin >> $GITHUB_PATH
echo /opt/homebrew/sbin >> $GITHUB_PATH
echo "$HOME/.cargo/bin" >> $GITHUB_PATH

- uses: actions/checkout@v3
- name: Set Env
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
echo "GIT_TAG_NAME=$GIT_TAG_NAME" >> $GITHUB_ENV
- name: Install Depedencies
run: |
if ! [ -d /opt/homebrew/opt/openssl@1.1 ]; then
brew install "openssl@1.1"
fi
if ! type -f gpg &> /dev/null; then
brew install gnupg
fi
if ! [ -f "$HOME/.cargo/bin/rustup" ]; then
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
fi

- uses: actions/checkout@v3
- name: Set Env
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
echo "GIT_TAG_NAME=$GIT_TAG_NAME" >> $GITHUB_ENV
mkdir target && cd target

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz
curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.asc

gpg --keyserver keys.openpgp.org --recv-keys EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg --verify openssl-3.1.3.tar.gz.asc openssl-3.1.3.tar.gz

curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz.sha256
echo $(cat openssl-3.1.3.tar.gz.sha256) openssl-3.1.3.tar.gz | sha256sum --check

tar -xzf openssl-3.1.3.tar.gz
cd openssl-3.1.3
./Configure --prefix=$(pwd)/openssl-3.1.3/build no-shared
make
make install_sw

- name: Build CKB and Package CKB
env:
LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
GPG_SIGNER: ${{ secrets.GPG_SIGNER }}
run: |
export GIT_TAG_NAME=` echo ${{ github.ref }} | awk -F '/' '{print $4}' `
make OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/opt/homebrew/opt/openssl@1.1/lib OPENSSL_INCLUDE_DIR=/opt/homebrew/opt/openssl@1.1/include ${{ matrix.build_target }}

export OPENSSL_DIR=$(pwd)/target/openssl-3.1.3/build
export OPENSSL_LIB_DIR=${OPENSSL_DIR}/lib
export OPENSSL_INCLUDE_DIR=${OPENSSL_DIR}/include
export OPENSSL_STATIC=1
make ${{ matrix.build_target }}

gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output devtools/ci/signer.asc devtools/ci/signer.asc.gpg
gpg --import devtools/ci/signer.asc
devtools/ci/package.sh target/prod/ckb
Expand Down
10 changes: 5 additions & 5 deletions devtools/ci/ci_main.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,15 +66,15 @@ case $GITHUB_WORKFLOW in
sudo apt-get install -y gcc-multilib
sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu clang
rustup target add aarch64-unknown-linux-gnu
curl -LO https://www.openssl.org/source/openssl-1.1.1.tar.gz
tar -xvzf openssl-1.1.1.tar.gz
cd openssl-1.1.1
curl -LO https://www.openssl.org/source/openssl-3.1.3.tar.gz
tar -xvzf openssl-3.1.3.tar.gz
cd openssl-3.1.3
CC=aarch64-linux-gnu-gcc ./Configure linux-aarch64 shared
CC=aarch64-linux-gnu-gcc make
cd ..
export TOP
export OPENSSL_LIB_DIR=$(pwd)/openssl-1.1.1
export OPENSSL_INCLUDE_DIR=$(pwd)/openssl-1.1.1/include
export OPENSSL_LIB_DIR=$(pwd)/openssl-3.1.3
export OPENSSL_INCLUDE_DIR=$(pwd)/openssl-3.1.3/include
export PKG_CONFIG_ALLOW_CROSS=1
export CC=gcc
export CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
Expand Down
8 changes: 2 additions & 6 deletions docker/hub/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
FROM nervos/ckb-docker-builder:bionic-rust-1.71.1 as ckb-docker-builder
FROM nervos/ckb-docker-builder:bionic-rust-1.71.1-openssl-3.1.3 as ckb-docker-builder

WORKDIR /ckb
COPY ./ .

RUN make prod-docker
RUN make OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/local/lib64 OPENSSL_INCLUDE_DIR=/usr/local/include prod-docker

FROM ubuntu:bionic
LABEL description="Nervos CKB is a public permissionless blockchain, the common knowledge layer of Nervos network."
Expand All @@ -15,10 +15,6 @@ RUN groupadd -g 1000 ckb \

WORKDIR /var/lib/ckb

COPY --from=ckb-docker-builder \
/usr/lib/x86_64-linux-gnu/libssl.so.* \
/usr/lib/x86_64-linux-gnu/libcrypto.so.* \
/usr/lib/x86_64-linux-gnu/
COPY --from=ckb-docker-builder /ckb/target/prod/ckb /ckb/docker/docker-entrypoint.sh /bin/
RUN chown -R ckb:ckb /var/lib/ckb \
&& chmod 755 /var/lib/ckb
Expand Down
Loading