-
Notifications
You must be signed in to change notification settings - Fork 76
/
Dockerfile-server
109 lines (80 loc) · 4.82 KB
/
Dockerfile-server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# Multi-stage build: First the full builder image:
# define the alpine image version to use
ARG ALPINE_VERSION=3.20
FROM alpine:${ALPINE_VERSION} AS intermediate
ENV DEBIAN_FRONTEND=noninteractive
# define the quictls openssl tag to be used
ARG OPENSSLQUIC_TAG=openssl-3.1.7-quic1
# define the liboqs tag to be used
ARG LIBOQS_TAG=0.11.0
# define the oqsprovider tag to be used
ARG OQSPROVIDER_TAG=0.7.0
# define the nghttp3 tag to be used
ARG NGHTTP3_TAG=v1.6.0
# define the ngtcp2 tag to be used
ARG NGTCP2_TAG=v1.5.0
ARG INSTALLDIR=/opt/oqssa
# Update image and apt software
RUN apk update && apk upgrade
# All build prerequisites for the various software packages:
RUN apk add bash git pkgconfig autoconf automake libtool g++ make cmake ninja \
libev-dev libevent-dev openssl-dev openssl linux-headers
WORKDIR /opt
# get all sources
RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs && \
git clone --depth 1 --branch ${OPENSSLQUIC_TAG} https://github.com/quictls/openssl.git && \
git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git && \
git clone --depth 1 --branch ${NGHTTP3_TAG} https://github.com/ngtcp2/nghttp3 && \
git clone --depth 1 --branch ${NGTCP2_TAG} https://github.com/ngtcp2/ngtcp2
# build liboqs
WORKDIR /opt/liboqs
RUN mkdir build && cd build && cmake -GNinja -DCMAKE_INSTALL_PREFIX=${INSTALLDIR} .. && ninja && ninja install
# build openssl 3
WORKDIR /opt/openssl
RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib64" ./config shared --prefix=${INSTALLDIR} && \
make ${MAKE_DEFINES} && make install_sw install_ssldirs && \
if [ -d ${INSTALLDIR}/lib64 ]; then ln -s ${INSTALLDIR}/lib64 ${INSTALLDIR}/lib; fi && \
if [ -d ${INSTALLDIR}/lib ]; then ln -s ${INSTALLDIR}/lib ${INSTALLDIR}/lib64; fi
# build & install provider (and activate by default)
WORKDIR /opt/oqs-provider
RUN ln -s ../openssl . && \
cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR} -S . -B _build && \
cmake --build _build && cp _build/lib/oqsprovider.so ${INSTALLDIR}/lib64/ossl-modules && \
sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" /opt/oqssa/ssl/openssl.cnf && \
sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" /opt/oqssa/ssl/openssl.cnf && \
sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = \$ENV\:\:KEM_ALG\n/g" /opt/oqssa/ssl/openssl.cnf && \
sed -i "s/\# Use this in order to automatically load providers/\# Set default KEM alg if not set via environment variable\nKEM_ALG = kyber512\n\n# Use this in order to automatically load providers/g" /opt/oqssa/ssl/openssl.cnf
# build nghttp3
WORKDIR /opt/nghttp3
RUN git submodule update --init && autoreconf -i && ./configure --prefix=$PWD/build --enable-lib-only && make -j$(nproc) check && make install
# build ngtcp2
WORKDIR /opt/ngtcp2
RUN autoreconf -i && ./configure PKG_CONFIG_PATH=$PWD/../nghttp3/build/lib/pkgconfig:/opt/oqssa/lib64/pkgconfig CXX=g++ CXXFLAGS="-std=c++20" && make -j$(nproc) && make install
WORKDIR /
# Generate server key and self-signed certificate files
RUN echo "Generating server key and certificate" && mkdir certs && cd certs && openssl req -newkey rsa:4096 -nodes -keyout server.key -x509 -days 365 -out server.crt -subj "/CN=localhost"
# Copy all required shared object dependencies to a single directory
RUN mkdir /opt/lib && cd /opt/lib && \
cp /opt/ngtcp2/lib/.libs/libngtcp2.so.* . && \
cp /usr/lib/libev.so.* . && \
cp /opt/nghttp3/build/lib/libnghttp3.so.* . && \
cp /opt/ngtcp2/crypto/quictls/.libs/libngtcp2_crypto_quictls.so.* . && \
cp /opt/oqssa/lib64/libssl.so.* . && \
cp /opt/oqssa/lib64/libcrypto.so.* . && \
cp /usr/lib/libstdc++.so.* . && \
cp /usr/lib/libgcc_s.so.* .
## second stage: Only create minimal image without build tooling and intermediate build results generated above:
FROM alpine:${ALPINE_VERSION} AS dev
ENV DEBIAN_FRONTEND=noninteractive
RUN apk update && apk upgrade && apk add mailcap && echo "This is my index page">index.html
COPY ./serverstart.sh .
# copy executable
COPY --from=intermediate /opt/ngtcp2/examples/qtlsserver /usr/local/bin
# Copy server key and self-signed certificate files
COPY --from=intermediate /certs /certs
# copy shared object dependencies and configuration file
COPY --from=intermediate /opt/lib /usr/local/lib
COPY --from=intermediate /opt/oqssa/lib64/ossl-modules/oqsprovider.so /opt/oqssa/lib64/ossl-modules/oqsprovider.so
COPY --from=intermediate /opt/oqssa/ssl/openssl.cnf /opt/oqssa/ssl/openssl.cnf
RUN ln -s /opt/oqssa/lib64 /opt/oqssa/lib;
CMD ["./serverstart.sh"]