Windows Docker images needed some work (#817)
* Use openssl 3.3 in aca windows images [no ci] * Further attempt to compile the tpm simulator on Windows [no ci] * Sw tpm vs solution was updated to look for libcrypto in different place [no ci] * Similar steps for tss tools [no ci] * Change workflow ref [no ci] * REF not connecting [no ci] * Try accessing through Env [no ci] * Tried to print build args before selecting image [no ci] * Different arg access before shell change [no ci] * Fun with docker args [no ci] * Fun with docker build args 2 [no ci] * Adjust for change in package folder structure [no ci]
This commit is contained in:
parent
606de50535
commit
0593a233cf
@ -3,6 +3,8 @@
|
||||
# List of available tags for Microsoft's powershell docker image: https://mcr.microsoft.com/v2/powershell/tags/list.
|
||||
# This Dockerfile requires Powershell 7+. e.g. lts-windowsservercore-1809
|
||||
ARG BASE_IMAGE_TAG=latest
|
||||
|
||||
# Start
|
||||
FROM mcr.microsoft.com/powershell:${BASE_IMAGE_TAG}
|
||||
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
|
||||
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
|
||||
@ -14,6 +16,10 @@ ARG REF=main
|
||||
|
||||
SHELL ["pwsh", "-Command"]
|
||||
|
||||
# Print build args
|
||||
RUN Write-Host BASE_IMAGE_TAG: $Env:BASE_IMAGE_TAG
|
||||
RUN Write-Host REF: $Env:REF
|
||||
|
||||
# Output Powershell Version
|
||||
# This Dockerfile requires Powershell 7+.
|
||||
RUN $PSVersionTable
|
||||
@ -64,8 +70,8 @@ RUN Start-Process -FilePath 'C:/vs_buildtools.exe' -ArgumentList \"--quiet --wai
|
||||
RUN Write-Host "Finished installing Visual Studio Build Tools."
|
||||
|
||||
# Download and extract pre-built openssl
|
||||
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.1.4.zip', 'C:/openssl-3.1.zip'))
|
||||
RUN Expand-Archive C:/openssl-3.1.zip -DestinationPath C:/openssl_files
|
||||
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.3.1.zip', 'C:/openssl-3.zip'))
|
||||
RUN Expand-Archive C:/openssl-3.zip -DestinationPath C:/openssl_files
|
||||
WORKDIR C:/openssl_files/openssl-3
|
||||
RUN cp -Recurse -Force C:/openssl_files/openssl-3/x64 'C:/Program Files/openssl'
|
||||
|
||||
@ -87,7 +93,11 @@ RUN echo $Env:JAVA_HOME
|
||||
# Clone ibmswtpm2 and build
|
||||
RUN git clone https://github.com/kgoldman/ibmswtpm2.git C:/ibmswtpm2
|
||||
## tpm_server.sln is looking for the openssl crypto lib in a fixed location
|
||||
## Copying twice because sometimes it references either filename
|
||||
RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto64md.lib'
|
||||
RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto.lib'
|
||||
## Assume compatibility with any version of openssl3
|
||||
RUN (Get-Content C:/ibmswtpm2/src/BnToOsslMath.h) -replace '0x30200ff0L', '0x40200ff0L' | Out-File C:/ibmswtpm2/src/BnToOsslMath.h
|
||||
WORKDIR C:/ibmswtpm2/tpmvstudio/tpm_server
|
||||
#IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
|
||||
RUN MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
|
||||
@ -96,8 +106,8 @@ RUN MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x
|
||||
# Clone ibmtss and build
|
||||
RUN git clone https://github.com/kgoldman/ibmtss.git C:/ibmtss
|
||||
## Again, This VS project is looking for the openssl crypto library in a fixed location. The paths are imported into multiple subprojects. Easier to edit the paths than attempt to copy the library everywhere.
|
||||
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto64mdd','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
|
||||
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto64md','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
|
||||
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
|
||||
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
|
||||
WORKDIR C:/ibmtss/tpmutils
|
||||
# IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
|
||||
RUN MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
|
||||
@ -112,7 +122,7 @@ RUN echo $Env:PATH
|
||||
WORKDIR C:/
|
||||
RUN git config --global --add core.autocrlf false
|
||||
RUN git config --global --add safe.directory '*'
|
||||
RUN git clone -b ${REF} https://github.com/nsacyber/hirs.git C:/repo
|
||||
RUN git clone -b $Env:REF https://github.com/nsacyber/hirs.git C:/repo
|
||||
|
||||
# Defensive copy of the repo so it's easy to start fresh if needed
|
||||
WORKDIR C:/repo
|
||||
@ -144,4 +154,4 @@ RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_le
|
||||
# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
|
||||
HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD pwsh -Command try { $response = Invoke-WebRequest -Uri https://localhost:8443; if ($response.StatusCode -eq 200) { return 0 } else { return 1 }; } catch { return 1 }
|
||||
|
||||
CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
|
||||
CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
|
||||
|
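Review bot: The new `DownloadFile(... 'openssl-3.3.1.zip', 'C:/openssl-3.zip')` line in the third hunk still fetches a prebuilt OpenSSL from a third-party host and copies it into `C:/Program Files/openssl` with no integrity check, and that libcrypto is then linked into the TPM simulator and the TSS tools built later in the file. A pinned hash check right after the download would close that gap, e.g. `RUN if ((Get-FileHash C:/openssl-3.zip -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { throw 'openssl-3.3.1.zip hash mismatch' }`. This matters more after the fourth hunk's `-replace '0x30200ff0L', '0x40200ff0L'` edit of BnToOsslMath.h, which widens the simulator's accepted OpenSSL version range, so the download step is now the only thing fixing which crypto library the image ends up with. Renaming the saved archive to the versionless `C:/openssl-3.zip` also hides the version from anyone reading the later `Expand-Archive` lines; a short comment naming the pinned version (or an `ARG OPENSSL_VERSION`) would keep that visible.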
6
.github/workflows/create_aca_images.yml
vendored
6
.github/workflows/create_aca_images.yml
vendored
@ -110,7 +110,7 @@ jobs:
|
||||
- name: Build the docker image for ${{ github.repository }}
|
||||
run: |
|
||||
cd ./.ci/docker
|
||||
docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
|
||||
docker build --build-arg REF=${{ github.ref_name }} -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
|
||||
|
||||
- name: Push the docker image
|
||||
run: |
|
||||
@ -135,7 +135,7 @@ jobs:
|
||||
- name: Build the docker image for ${{ github.repository }}
|
||||
run: |
|
||||
cd ./.ci/docker
|
||||
docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
|
||||
docker build --build-arg REF=${{ github.ref_name }} -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
|
||||
|
||||
- name: Push the docker image
|
||||
run: |
|
||||
@ -181,4 +181,4 @@ jobs:
|
||||
run: |
|
||||
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
|
||||
docker manifest push $PUBLIC_IMAGE_TAG_LATEST
|
||||
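Review bot: Removing the quotes around `REF=${{ github.ref_name }}` in the first build step (and identically in the second step that adds `BASE_IMAGE_TAG=lts-windowsservercore-1809`) leaves the ref name interpolated straight into the bash `run:` script, so any shell metacharacters in a branch or tag name are expanded by the runner shell before `docker build` sees the argument. For ordinary ref names the quoted and unquoted forms produce the same single word, so if the quotes were dropped to fix the "REF not connecting" problem mentioned in the description, the cause was likely elsewhere (the Dockerfile now reads `$Env:REF` rather than `${REF}`). The conventional hardening is to pass the expression through the step environment and quote the variable: `env: REF_NAME: ${{ github.ref_name }}` on the step, then `docker build --build-arg "REF=$REF_NAME" ...`.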
|
||||
|
||||
|
@ -43,7 +43,7 @@ $global:SSL_DB_CLIENT_CERT=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PA
|
||||
$global:SSL_DB_CLIENT_KEY=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_db_client_rsa_3k_sha384.key')
|
||||
# HIRS Relative directories assumed structure
|
||||
# package
|
||||
# scripts
|
||||
# linux
|
||||
# aca
|
||||
# db
|
||||
# db_create.sql
|
||||
@ -65,7 +65,7 @@ $global:SSL_DB_CLIENT_KEY=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PAT
|
||||
$global:HIRS_REL_WIN_ACA_HOME=(Split-Path -parent $PSCommandPath)
|
||||
$global:HIRS_REL_WIN_HOME=(Join-Path -Resolve $global:HIRS_REL_WIN_ACA_HOME ..)
|
||||
$global:HIRS_REL_PACKAGE_HOME=(Join-Path -Resolve $global:HIRS_REL_WIN_HOME ..)
|
||||
$global:HIRS_REL_SCRIPTS_HOME=(Join-Path -Resolve $global:HIRS_REL_PACKAGE_HOME 'scripts')
|
||||
$global:HIRS_REL_SCRIPTS_HOME=(Join-Path -Resolve $global:HIRS_REL_PACKAGE_HOME 'linux')
|
||||
$global:HIRS_REL_SCRIPTS_ACA_HOME=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_HOME 'aca')
|
||||
$global:HIRS_REL_SCRIPTS_DB_HOME=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_HOME 'db')
|
||||
$global:HIRS_REL_SCRIPTS_DB_CREATE_SQL=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_DB_HOME 'db_create.sql')
|
||||
|
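Review bot: `$global:HIRS_REL_SCRIPTS_HOME` now resolves to the `linux` directory while keeping a name that says `SCRIPTS`, and the directory diagram in the first hunk swaps `# scripts` for `# linux` without saying why a Windows bootstrap script depends on that tree. It appears the shared `db_create.sql` under `linux/db` is the reason; a one-line comment above the assignment such as `# db scripts are shared with the Linux packaging and live under package/linux` would make the intent clear to the next reader. If the directory move is permanent, renaming the variable (or adding an alias) so the name matches the path would avoid the same confusion in the `HIRS_REL_SCRIPTS_ACA_HOME` and `HIRS_REL_SCRIPTS_DB_HOME` lines that derive from it.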