
Commit ba4c482

author
Axel von Bertoldi
committed
Fix go-fips build image
* Install go "manually" from tarball in ci go-fips container. We need go 1.19 to install go-fips 1.19, and the image only has 1.18. * Specify `GOEXPERIMENT=boringcrypto` when building the fips version of runner. As @stanhu mentions, this is necessary because of https://github.com/golang/go/blob/dev.boringcrypto/README.boringcrypto.md See: * golang/go#51940 * golang-fips/go#59
1 parent 12eca5e commit ba4c482


3 files changed

+20
-5
lines changed


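--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -9,7 +9,7 @@ runner-bin-fips: export GOOS ?= linux
 runner-bin-fips: export GOARCH ?= amd64
 runner-bin-fips:
 # Building $(NAME) in version $(VERSION) for FIPS $(GOOS) $(GOARCH)
-GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
+GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build \
 -tags fips \
 -ldflags "$(GO_LDFLAGS)" \
 -o="out/binaries/$(NAME)-$(GOOS)-$(GOARCH)-fips" \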
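Review bot: Nothing in the `runner-bin-fips` recipe checks which toolchain or crypto backend ended up in the binary it names `-fips`; it runs whichever `go` is first on `PATH`, and the CI image built in this commit carries both an upstream Go under /usr/go and the golang-fips build under /usr/local/go. Printing `go version` in the recipe and adding a post-build check on the output, for example `go tool nm "out/binaries/$(NAME)-$(GOOS)-$(GOARCH)-fips" | grep -q goboringcrypto` (symbol pattern to be confirmed against the golang-fips toolchain), would fail the build instead of shipping a mislabelled binary. The same applies to the `${BASE_BINARY_PATH}-fips` recipe in Makefile.runner_helper.mk. The recipe continues past the end of the hunk, so such a check may already exist further down.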

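--- a/Makefile.runner_helper.mk
+++ b/Makefile.runner_helper.mk
@@ -104,7 +104,7 @@ ${BASE_BINARY_PATH}-fips: export GOOS ?= linux
 ${BASE_BINARY_PATH}-fips: export GOARCH ?= amd64
 ${BASE_BINARY_PATH}-fips: APP_NAME := "gitlab-runner-helper"
 ${BASE_BINARY_PATH}-fips: $(HELPER_GO_FILES)
-GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 go build \
+GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build \
 -tags fips \
 -ldflags "$(GO_LDFLAGS)" \
 -o="${BASE_BINARY_PATH}.$(GO_ARCH_NAME_$(GOARCH))-fips" \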

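--- a/dockerfiles/ci/go.fips.Dockerfile
+++ b/dockerfiles/ci/go.fips.Dockerfile
@@ -2,22 +2,37 @@ ARG UBI_VERSION
 
 FROM redhat/ubi8:${UBI_VERSION}
 
-RUN INSTALL_PKGS="openssl-devel glibc-devel gcc git golang" && \
+RUN INSTALL_PKGS="openssl-devel glibc-devel gcc git wget" && \
 dnf update -y && \
 dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
 dnf clean all -y
 
 ARG GO_VERSION=1.19
+ARG GO_FULL_VERSION=${GO_VERSION}.6
+
+RUN wget https://go.dev/dl/go${GO_FULL_VERSION}.linux-amd64.tar.gz && \
+tar -C /usr/ -xzf go${GO_FULL_VERSION}.linux-amd64.tar.gz
+
+ENV PATH="$PATH:/usr/go/bin"
 
 RUN git clone \
 https://github.com/golang-fips/go \
 --branch go${GO_VERSION}-fips-release \
 --single-branch \
 --depth 1 \
-/usr/local/go
+/tmp/go
+
+RUN cd /tmp/go && \
+chmod +x scripts/* && \
+git config --global user.email "[email protected]" && \
+git config --global user.name "Your Name" && \
+scripts/full-initialize-repo.sh && \
+pushd go/src && \
+CGO_ENABLED=1 ./make.bash && \
+popd && \
+mv go /usr/local/
 
 RUN cd /usr/local/go/src && \
-CGO_ENABLED=1 ./make.bash && \
 rm -rf \
 /usr/local/go/pkg/*/cmd \
 /usr/local/go/pkg/bootstrap \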
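Review bot: The Go tarball fetched at new lines 13-14 is unpacked into /usr/ with no integrity check, so the toolchain that bootstraps the FIPS compiler is trusted on the TLS connection alone. go.dev publishes a SHA-256 for every release archive; adding `ARG GO_SHA256` (value taken from the download page) and `echo "${GO_SHA256}  go${GO_FULL_VERSION}.linux-amd64.tar.gz" | sha256sum -c - && \` ahead of the `tar` line would fail the build on a mismatch. The `git clone` of golang-fips/go likewise follows a branch name rather than a commit, and `scripts/full-initialize-repo.sh` from that checkout runs during the build, so pinning a reviewed commit would keep the image reproducible. `ENV PATH="$PATH:/usr/go/bin"` also leaves the upstream toolchain reachable after the FIPS build; whether /usr/local/go/bin takes precedence is decided outside this hunk, and the final `RUN` continues past its end.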
