Windows Docker images needed some work (#817)

* Use openssl 3.3 in aca windows images [no ci]

* Further attempt to compile the tpm simulator on Windows [no ci]

* The SW TPM VS solution was updated to look for libcrypto in a different place
[no ci]

* Similar steps for tss tools [no ci]

* Change workflow ref [no ci]

* REF not connecting [no ci]

* Try accessing through Env [no ci]

* Tried to print build args before selecting image [no ci]

* Different arg access before shell change [no ci]

* Fun with docker args [no ci]

* Fun with docker build args 2 [no ci]

* Adjust for change in package folder structure [no ci]
5B96790E3664F40075A67E6ADF737EDB15B4408DBC91A81228B31537B0CE3E26 2024-07-25 19:19:18 -04:00 committed by chubtub
parent 606de50535
commit 0593a233cf
3 changed files with 21 additions and 11 deletions


@ -3,6 +3,8 @@
# List of available tags for Microsoft's powershell docker image: https://mcr.microsoft.com/v2/powershell/tags/list.
# This Dockerfile requires Powershell 7+. e.g. lts-windowsservercore-1809
ARG BASE_IMAGE_TAG=latest
# Start
FROM mcr.microsoft.com/powershell:${BASE_IMAGE_TAG}
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
@ -14,6 +16,10 @@ ARG REF=main
SHELL ["pwsh", "-Command"]
# Print build args
RUN Write-Host BASE_IMAGE_TAG: $Env:BASE_IMAGE_TAG
RUN Write-Host REF: $Env:REF
# Output Powershell Version
# This Dockerfile requires Powershell 7+.
RUN $PSVersionTable
@ -64,8 +70,8 @@ RUN Start-Process -FilePath 'C:/vs_buildtools.exe' -ArgumentList \"--quiet --wai
RUN Write-Host "Finished installing Visual Studio Build Tools."
# Download and extract pre-built openssl
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.1.4.zip', 'C:/openssl-3.1.zip'))
RUN Expand-Archive C:/openssl-3.1.zip -DestinationPath C:/openssl_files
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.3.1.zip', 'C:/openssl-3.zip'))
RUN Expand-Archive C:/openssl-3.zip -DestinationPath C:/openssl_files
WORKDIR C:/openssl_files/openssl-3
RUN cp -Recurse -Force C:/openssl_files/openssl-3/x64 'C:/Program Files/openssl'
@ -87,7 +93,11 @@ RUN echo $Env:JAVA_HOME
# Clone ibmswtpm2 and build
RUN git clone https://github.com/kgoldman/ibmswtpm2.git C:/ibmswtpm2
## tpm_server.sln is looking for the openssl crypto lib in a fixed location
## Copying twice because sometimes it references either filename
RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto64md.lib'
RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto.lib'
## Assume compatibility with any version of openssl3
RUN (Get-Content C:/ibmswtpm2/src/BnToOsslMath.h) -replace '0x30200ff0L', '0x40200ff0L' | Out-File C:/ibmswtpm2/src/BnToOsslMath.h
WORKDIR C:/ibmswtpm2/tpmvstudio/tpm_server
#IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
RUN MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
@ -96,8 +106,8 @@ RUN MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x
# Clone ibmtss and build
RUN git clone https://github.com/kgoldman/ibmtss.git C:/ibmtss
## Again, This VS project is looking for the openssl crypto library in a fixed location. The paths are imported into multiple subprojects. Easier to edit the paths than attempt to copy the library everywhere.
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto64mdd','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto64md','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
WORKDIR C:/ibmtss/tpmutils
# IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
RUN MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
@ -112,7 +122,7 @@ RUN echo $Env:PATH
WORKDIR C:/
RUN git config --global --add core.autocrlf false
RUN git config --global --add safe.directory '*'
RUN git clone -b ${REF} https://github.com/nsacyber/hirs.git C:/repo
RUN git clone -b $Env:REF https://github.com/nsacyber/hirs.git C:/repo
# Defensive copy of the repo so it's easy to start fresh if needed
WORKDIR C:/repo
@ -144,4 +154,4 @@ RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_le
# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD pwsh -Command try { $response = Invoke-WebRequest -Uri https://localhost:8443; if ($response.StatusCode -eq 200) { return 0 } else { return 1 }; } catch { return 1 }
CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
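Review bot: The openssl-3.3.1.zip fetched with WebClient.DownloadFile in the openssl hunk is extracted and copied into 'C:/Program Files/openssl' with no integrity check, so the build trusts whatever the download host serves at that moment, and that libcrypto is then linked into the TPM simulator and the TSS tools. A pinned digest check right after the download closes that gap, e.g. `RUN if ((Get-FileHash C:/openssl-3.zip -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_OF_openssl-3.3.1.zip>') { throw 'openssl archive checksum mismatch' }` (placeholder; fill in the published hash for that archive). Separately, the `-replace '0x30200ff0L', '0x40200ff0L'` edit of BnToOsslMath.h in the ibmswtpm2 hunk appears to raise the simulator's upper bound on the OpenSSL version number rather than add tested 3.3 support, which the "Assume compatibility" comment should state plainly so the next bump is not done blindly, e.g. `## Raises ibmswtpm2's OpenSSL upper-version-bound constant so 3.3 compiles; re-check when upstream updates the guard`. The `ARG BASE_IMAGE_TAG=latest` default in the first hunk also means the workflow job that omits the build-arg builds on a floating tag; defaulting to the lts-windowsservercore-1809 tag the other job pins would make both builds reproducible.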


@ -110,7 +110,7 @@ jobs:
- name: Build the docker image for ${{ github.repository }}
run: |
cd ./.ci/docker
docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
docker build --build-arg REF=${{ github.ref_name }} -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
- name: Push the docker image
run: |
@ -135,7 +135,7 @@ jobs:
- name: Build the docker image for ${{ github.repository }}
run: |
cd ./.ci/docker
docker build --build-arg "REF=${{ github.ref_name }}" -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
docker build --build-arg REF=${{ github.ref_name }} -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
- name: Push the docker image
run: |
@ -181,4 +181,4 @@ jobs:
run: |
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
docker manifest push $PUBLIC_IMAGE_TAG_LATEST
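Review bot: Both build steps still interpolate `${{ github.ref_name }}` directly into the `run:` script text, so the ref name is substituted before the shell parses the command and a branch name containing shell metacharacters becomes part of the command itself; removing the quotes does not change that, and quoting would not fix it either. The safer pattern is to hand the value to the step environment and expand it at runtime: add an `env:` entry `REF_NAME: ${{ github.ref_name }}` on the step and run `docker build --build-arg REF=$env:REF_NAME -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .` (assuming the default pwsh shell on a Windows runner; `"$REF_NAME"` under bash). The same applies to the second build step, which additionally passes BASE_IMAGE_TAG. The job triggers are outside these hunks, so how freely a ref name can be chosen by a contributor is not visible here.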


@ -43,7 +43,7 @@ $global:SSL_DB_CLIENT_CERT=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PA
$global:SSL_DB_CLIENT_KEY=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_db_client_rsa_3k_sha384.key')
# HIRS Relative directories assumed structure
# package
# scripts
# linux
# aca
# db
# db_create.sql
@ -65,7 +65,7 @@ $global:SSL_DB_CLIENT_KEY=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PAT
$global:HIRS_REL_WIN_ACA_HOME=(Split-Path -parent $PSCommandPath)
$global:HIRS_REL_WIN_HOME=(Join-Path -Resolve $global:HIRS_REL_WIN_ACA_HOME ..)
$global:HIRS_REL_PACKAGE_HOME=(Join-Path -Resolve $global:HIRS_REL_WIN_HOME ..)
$global:HIRS_REL_SCRIPTS_HOME=(Join-Path -Resolve $global:HIRS_REL_PACKAGE_HOME 'scripts')
$global:HIRS_REL_SCRIPTS_HOME=(Join-Path -Resolve $global:HIRS_REL_PACKAGE_HOME 'linux')
$global:HIRS_REL_SCRIPTS_ACA_HOME=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_HOME 'aca')
$global:HIRS_REL_SCRIPTS_DB_HOME=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_HOME 'db')
$global:HIRS_REL_SCRIPTS_DB_CREATE_SQL=(Join-Path -Resolve $global:HIRS_REL_SCRIPTS_DB_HOME 'db_create.sql')
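Review bot: `$global:HIRS_REL_SCRIPTS_HOME` now resolves to the `linux` directory while it and every dependent name (`HIRS_REL_SCRIPTS_ACA_HOME`, `HIRS_REL_SCRIPTS_DB_HOME`, `HIRS_REL_SCRIPTS_DB_CREATE_SQL`) keep the generic "scripts" wording, which will lead the next reader to expect a Windows-specific scripts tree. Since only the value changed, a why-comment above the assignment would carry the intent: `# The shared aca/db helper scripts live under package/linux; the Windows boot script reuses them.` The directory-tree comment in the first hunk already shows the new layout, so the two should be kept in step if the package folder moves again.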