

Refactor httpd Dockerfile
Hawazyn committed Dec 3, 2024
1 parent b352411 commit c83ada8
Showing 1 changed file with 32 additions and 57 deletions.
89 changes: 32 additions & 57 deletions httpd/Dockerfile
Expand Up @@ -5,63 +5,41 @@
# define the alpine image version to use
ARG ALPINE_VERSION=3.20

# define the openssl tag to be used
ARG OPENSSL_TAG=openssl-3.3.2

# define the liboqs tag to be used
# Define version tags for dependencies
ARG OPENSSL_TAG=openssl-3.4.0
ARG LIBOQS_TAG=0.11.0

# define the oqsprovider tag to be used
ARG OQSPROVIDER_TAG=0.7.0

# liboqs build type variant; maximum portability of image:
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
ARG HTTPD_VERSION=2.4.62
ARG APR_VERSION=1.7.5
ARG APRU_VERSION=1.6.3

# installation paths
ARG OPENSSL_PATH=/opt/openssl
ARG HTTPD_PATH=/opt/httpd

# defines the QSC signature algorithm used for the certificates:
# Define QSC signature and KEM algorithms
ARG SIG_ALG="dilithium3"

# defines default KEM groups to be announced
ARG DEFAULT_GROUPS="kyber768:p384_kyber768"

# define the httpd version to include
ARG HTTPD_VERSION=2.4.62

# define the APR version to include
ARG APR_VERSION=1.7.5

# define the APR util version to include
ARG APRU_VERSION=1.6.3

# define the mirror from which to fetch the APR and APR-util source code
ARG APR_MIRROR="https://dlcdn.apache.org"

# Define the degree of parallelism when building the image; leave the number away only if you know what you are doing
# A CI system with less than 4 cores should be avoided
ARG MAKE_DEFINES="-j 4"


FROM alpine:${ALPINE_VERSION} as intermediate
FROM alpine:${ALPINE_VERSION} AS intermediate
# Take in global args
ARG OPENSSL_TAG
ARG LIBOQS_TAG
ARG OQSPROVIDER_TAG
ARG LIBOQS_BUILD_DEFINES
ARG OPENSSL_PATH
ARG HTTPD_PATH
ARG SIG_ALG
ARG HTTPD_VERSION
ARG APR_VERSION
ARG APRU_VERSION
ARG APR_MIRROR
ARG MAKE_DEFINES
ARG DEFAULT_GROUPS

# Get all software packages required for builing all components:
RUN apk add build-base linux-headers \
RUN apk --no-cache add build-base linux-headers \
libtool automake autoconf cmake ninja \
make \
git wget pcre-dev \
Expand All @@ -78,18 +56,18 @@ RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-s

# build OpenSSL3
WORKDIR /opt/ossl-src
RUN LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_PATH}/lib64" ./config no-shared --prefix=${OPENSSL_PATH} && \
make ${MAKE_DEFINES} && make install_sw install_ssldirs && \
if [ -d ${OPENSSL_PATH}/lib64 ]; then ln -s ${OPENSSL_PATH}/lib64 ${OPENSSL_PATH}/lib; fi && \
if [ -d ${OPENSSL_PATH}/lib ]; then ln -s ${OPENSSL_PATH}/lib ${OPENSSL_PATH}/lib64; fi
RUN LDFLAGS="-Wl,-rpath -Wl,${OPENSSL_PATH}/lib64" ./config no-shared --prefix="${OPENSSL_PATH}" && \
make -j"$(nproc)" && make install_sw install_ssldirs && \
if [ -d "${OPENSSL_PATH}/lib64" ]; then ln -s "${OPENSSL_PATH}/lib64" "${OPENSSL_PATH}/lib"; fi && \
if [ -d "${OPENSSL_PATH}/lib" ]; then ln -s "${OPENSSL_PATH}/lib" "${OPENSSL_PATH}/lib64"; fi

# build liboqs (shared lib only for oqsprovider)
WORKDIR /opt/liboqs
RUN mkdir build && cd build && cmake -G"Ninja" .. ${LIBOQS_BUILD_DEFINES} -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=${OPENSSL_PATH} && ninja && ninja install
WORKDIR /opt/liboqs/build
RUN cmake -G"Ninja" .. -DOQS_DIST_BUILD=ON -DBUILD_SHARED_LIBS=ON -DCMAKE_INSTALL_PREFIX=${OPENSSL_PATH} && ninja && ninja install

# build oqs-provider
WORKDIR /opt/oqs-provider
RUN rm -rf build && cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_PREFIX_PATH=${OPENSSL_PATH} -S . -B build && cmake --build build && export MODULESDIR=$(find ${OPENSSL_PATH} -name ossl-modules) && cp build/lib/oqsprovider.so $MODULESDIR/oqsprovider.so
RUN cmake -DCMAKE_BUILD_TYPE=Debug -DOPENSSL_ROOT_DIR="${OPENSSL_PATH}" -DCMAKE_PREFIX_PATH="${OPENSSL_PATH}" -S . -B build && cmake --build build && MODULESDIR="$(find "${OPENSSL_PATH}" -name ossl-modules)" && cp build/lib/oqsprovider.so "${MODULESDIR}/oqsprovider.so"

# create openssl.cnf activating oqsprovider & setting default groups
RUN sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" ${OPENSSL_PATH}/ssl/openssl.cnf && \
Expand All @@ -99,35 +77,35 @@ RUN sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqspr

# build httpd
WORKDIR /opt
RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" apr-${APR_VERSION}/configure && \
cd apr-${APR_VERSION} && ./configure && make ${MAKE_DEFINES} && make install && cd .. && \
cd apr-util-${APRU_VERSION} && ./configure x86_64-pc-linux-gnu --with-crypto --with-openssl=${OPENSSL_PATH} --with-apr=/usr/local/apr && make ${MAKE_DEFINES} && make install

RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" "apr-${APR_VERSION}/configure" && \
./apr-${APR_VERSION}/configure && make -j"$(nproc)" && make install

WORKDIR /opt/apr-util-${APRU_VERSION}
RUN ./configure x86_64-pc-linux-gnu --with-crypto --with-openssl="${OPENSSL_PATH}" --with-apr="/usr/local/apr" && \
make -j"$(nproc)" && make install

WORKDIR /opt/httpd-${HTTPD_VERSION}
RUN ./configure --prefix=${HTTPD_PATH} \
RUN ./configure --prefix="${HTTPD_PATH}" \
--enable-debugger-mode \
--enable-ssl --with-ssl=${OPENSSL_PATH} \
--enable-ssl --with-ssl="${OPENSSL_PATH}" \
--enable-ssl-staticlib-deps \
--enable-mods-static=ssl && \
make ${MAKE_DEFINES} && make install;
make -j"$(nproc)" && make install;

# prepare to run httpd
ARG OPENSSL_CNF=${OPENSSL_PATH}/ssl/openssl.cnf

WORKDIR ${HTTPD_PATH}
# generate CA key and cert
# generate server CSR
# generate server cert

# Generate CA key and certificate, create server CSR, and issue server certificate
RUN set -x && \
mkdir pki && \
mkdir cacert && \
${OPENSSL_PATH}/bin/openssl req -x509 -new -newkey ${SIG_ALG} -keyout cacert/CA.key -out cacert/CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config ${OPENSSL_CNF} && \
${OPENSSL_PATH}/bin/openssl req -new -newkey ${SIG_ALG} -keyout pki/server.key -out pki/server.csr -nodes -subj "/CN=oqs-httpd" -config ${OPENSSL_CNF} && \
${OPENSSL_PATH}/bin/openssl x509 -req -in pki/server.csr -out pki/server.crt -CA cacert/CA.crt -CAkey cacert/CA.key -CAcreateserial -days 365

# Some size optimization:
RUN rm -rf ${HTTPD_PATH}/bin/ab

# second stage: Only create minimal image without build tooling and intermediate build results generated above:
FROM alpine:${ALPINE_VERSION}

Expand All @@ -136,9 +114,9 @@ LABEL version="3"
# Take in global args
ARG HTTPD_PATH
ARG OPENSSL_PATH
#
RUN apk add pcre-dev expat-dev
#

RUN apk --no-cache add pcre-dev expat-dev

# Only retain the ${*_PATH} contents in the final image
COPY --from=intermediate ${HTTPD_PATH} ${HTTPD_PATH}
# copy over manually build libapr{util}
Expand All @@ -157,16 +135,13 @@ WORKDIR ${HTTPD_PATH}
# forward request and error logs to docker log collector
RUN ln -sf /dev/stdout ${HTTPD_PATH}/logs/access_log && \
ln -sf /dev/stderr ${HTTPD_PATH}/logs/error_log;
#

RUN addgroup -g 1000 -S oqs && adduser --uid 1000 -S oqs -G oqs && chown -R oqs.oqs ${HTTPD_PATH}
USER oqs

# Ensure httpd just runs
ENV PATH ${HTTPD_PATH}/bin:$PATH
ENV PATH="${HTTPD_PATH}/bin:$PATH"

EXPOSE 4433
#
STOPSIGNAL SIGTERM

CMD ["httpd", "-f", "httpd-conf/httpd.conf", "-D", "FOREGROUND"]
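Review bot: The APR build step after `WORKDIR /opt` now runs `./apr-${APR_VERSION}/configure` from /opt itself, so APR's Makefile, config.status and object files are generated in /opt next to the other source trees, whereas the apr-util step immediately below enters its own tree with `WORKDIR /opt/apr-util-${APRU_VERSION}` before configuring. For consistency and a self-contained build tree, switch the APR step to `WORKDIR /opt/apr-${APR_VERSION}` followed by `RUN sed -i "s/\$RM \"\$cfgfile\"/\$RM -f \"\$cfgfile\"/g" configure && ./configure && make -j"$(nproc)" && make install`. Separately, the certificate step under `WORKDIR ${HTTPD_PATH}` writes the CA private key to cacert/CA.key, and the final stage's `COPY --from=intermediate ${HTTPD_PATH} ${HTTPD_PATH}` carries that key into the runtime image; unless something downstream signs further certificates with it, append `&& rm cacert/CA.key` to that RUN so only the server key, the server certificate and CA.crt are shipped. The rewritten oqs-provider line also keeps `-DCMAKE_BUILD_TYPE=Debug`; if that is intentional for a test image, a one-line comment such as `# Debug build kept on purpose for test diagnostics` would stop it being read as an oversight.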
