Reinstall Ruby grpc gem with system OpenSSL for FIPS builds
What does this MR do?
By default, the Ruby grpc gem installs itself as a native gem and bundles its own copy of BoringSSL. BoringSSL is a fork of OpenSSL, and while there are FIPS-validated versions available, a BoringSSL FIPS library is not generally available. However, we can ensure FIPS compliance by building and linking against the system OpenSSL.
Unfortunately, the gRPC upstream has not made it possible to configure the Ruby compilation options (https://github.com/grpc/grpc/pull/27881).
To work around this, we patch the Ruby extconf.rb to link against
the system OpenSSL. This commit:
- Determines which grpc gems have been installed in the system.
- Uninstalls all versions. Note that it's possible to install the same version with both the Ruby and x86 native platforms.
- For each version, download the gem, patch it with the handy
gem-patchtool, and reinstall the patched gem.
Related issues
Related Omnibus merge request: gitlab-org/omnibus-gitlab!6172 (merged)
Relates to gitlab-org/omnibus-gitlab#6687 (closed)
Testing
Installed the images via:
--set global.certificates.image.tag=20211220-r0-fips \
--set gitlab.gitaly.image.pullPolicy=Always \
--set gitlab.gitaly.image.tag=sh-grpc-system-ssl-fips-fips \
--set gitlab.sidekiq.image.pullPolicy=Always \
--set gitlab.sidekiq.image.tag=sh-grpc-system-ssl-fips-fips \
--set gitlab.webservice.image.pullPolicy=Always \
--set gitlab.webservice.image.tag=sh-grpc-system-ssl-fips-fips \
--set gitlab.webservice.workhorse.pullPolicy=Always \
--set gitlab.webservice.workhorse.tag=sh-grpc-system-ssl-fips-fips \
--set gitlab.sidekiq.image.pullPolicy=Always \
--set gitlab.sidekiq.image.tag=sh-grpc-system-ssl-fips-fips \gitaly-ruby starts just fine. Validated the libssl is being linked:
[git@gitlab-gitaly-0 /]$ ldd ./srv/gitaly-ruby/vendor/bundle/ruby/2.7.0/extensions/x86_64-linux/2.7.0/grpc-1.42.0/grpc/grpc_c.so
linux-vdso.so.1 (0x00007ffd95fa3000)
libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007fa6ad60f000)
libruby.so.2.7 => /usr/lib64/libruby.so.2.7 (0x00007fa6ad062000)
libm.so.6 => /usr/lib64/libm.so.6 (0x00007fa6acce0000)
libc.so.6 => /usr/lib64/libc.so.6 (0x00007fa6ac91b000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa6adf79000)
libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007fa6ac432000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00007fa6ac21a000)
libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fa6ac016000)
libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fa6abdf6000)
librt.so.1 => /usr/lib64/librt.so.1 (0x00007fa6abbee000)
libjemalloc.so.2 => /usr/lib64/libjemalloc.so.2 (0x00007fa6ab71e000)
libcrypt.so.1 => /usr/lib64/libcrypt.so.1 (0x00007fa6ab4f5000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fa6ab160000)
libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007fa6aaf48000)Size of image looks reasonable:
$ docker images | grep gitaly
registry.gitlab.com/gitlab-org/build/cng/gitaly sh-grpc-system-ssl-fips-fips 1d77ac161f3c 6 hours ago 1.04GB
registry.gitlab.com/gitlab-org/build/cng/gitaly master-ubi8 1aeec13388fd 9 hours ago 1.06GBChecklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
-
Merge Request Title, and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Integration tests added to GitLab QA -
The impact any change in container size has should be evaluated