| # ubuntu-16.04/Dockerfile |
| # |
| # Copyright (c) 2018-2021, ARM Limited, All Rights Reserved |
| # SPDX-License-Identifier: Apache-2.0 |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| # not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| # This file is part of Mbed TLS (https://www.trustedfirmware.org/projects/mbed-tls/) |
| |
| # Purpose |
| # ------- |
| # |
| # This docker file is for creating the ubuntu-16.04 image that is used in the |
| # CI. It can also be used for reproducing and testing CI failures. |
| |
| FROM ubuntu:16.04 |
| |
| ARG DEBIAN_FRONTEND=noninteractive |
| WORKDIR /opt/src |
| |
| # Support for i386: |
| # - for 32-bit builds+tests of Mbed TLS |
| # - required to install Arm Compiler 5.06 (armcc) |
| RUN dpkg --add-architecture i386 |
| |
| # Main apt-get call with all packages except those that have conflicts, |
| # handled below. One big alphabetised list, in order to avoid duplicates, with |
| # comments explaining why each package is needed. |
| RUN apt-get update -q && apt-get install -yq \ |
| # installed from source, but this installs the dependencies |
| abi-dumper \ |
| # to build Mbed TLS: gcc, binutils, make, etc. |
| build-essential \ |
| # to build Mbed TLS |
| clang \ |
| # to build Mbed TLS |
| cmake \ |
| # to build Mbed TLS's documentation |
| doxygen \ |
| # to cross-build Mbed TLS |
| gcc-mingw-w64-i686 \ |
| # to check out Mbed TLS and others |
| git \ |
| # to build Mbed TLS's documentation |
| graphviz \ |
| # to measure code coverage of Mbed TLS |
| lcov \ |
| # for 32-bit Mbed TLS testing and armcc |
| libc6-i386 \ |
| # for 32-bit Mbed TLS testing and armcc |
| libc6:i386 \ |
| # to build GnuTLS (nettle with public key support aka hogweed) |
| libgmp-dev \ |
| # to build GnuTLS >= 3.6 (could also use --with-included-unistring) |
| libunistring-dev \ |
| # for armcc |
| libstdc++6:i386 \ |
| # to build GnuTLS (except 3.6 which uses --with-included-libtasn1) |
| libtasn1-6-dev \ |
| # needed for armcc (see locale-gen below) |
| locales \ |
| # needed for basic-build-test.sh |
| lsb \ |
| # used by compat.sh and ssl-opt.sh |
| lsof \ |
| # to build GnuTLS (nettle) |
| m4 \ |
| # to build Mbed TLS and others |
| make \ |
| # to build GnuTLS with locally-compiled nettle |
| pkg-config \ |
| # to install the preferred version of pylint |
| python3-pip \ |
| # for Mbed TLS tests |
| valgrind \ |
| # to download things installed from other places |
| wget \ |
| # to build Mbed TLS with MBEDTLS_ZILIB_SUPPORT (removed in 3.0) |
| zlib1g \ |
| # to build Mbed TLS with MBEDTLS_ZILIB_SUPPORT (removed in 3.0) |
| zlib1g-dev \ |
| && rm -rf /var/lib/apt/lists/ |
| |
| # Install all the parts of gcc-multilib, which is necessary for 32-bit builds. |
| # gcc-multilib conflicts with cross-compiler packages that we'll install later, |
| # so don't keep it around. Just let it install its dependencies |
| # (gcc-<VERSION>-multilib and libc support), then remove it. Manually create |
| # one crucial symlink that's otherwise provided by the gcc-multilib package |
| # (without that symlink, 32-bit builds won't find system headers). Note that |
| # just installing the dependencies of gcc-multilib also brings in gcc-multilib |
| # as a Recommends dependency. |
| RUN apt-get update -q && apt-get install -yq \ |
| gcc-multilib \ |
| && rm -rf /var/lib/apt/lists/ && \ |
| dpkg -r gcc-multilib && \ |
| ln -s x86_64-linux-gnu/asm /usr/include/asm |
| |
| # Install arm-linux-gnueabi-gcc - to cross-build Mbed TLS |
| RUN apt-get update -q && apt-get install -yq \ |
| gcc-arm-linux-gnueabi \ |
| libc6-dev-armel-cross \ |
| && rm -rf /var/lib/apt/lists/ |
| |
| # Install ARM Compiler 5.06 |
| RUN wget -q https://developer.arm.com/-/media/Files/downloads/compiler/DS500-PA-00003-r5p0-22rel0.tgz && \ |
| tar -zxf DS500-PA-00003-r5p0-22rel0.tgz && \ |
| ./Installer/setup.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_5.06u3 --quiet && \ |
| rm -rf DS500-PA-00003-r5p0-22rel0.tgz releasenotes.html Installer/ |
| |
| ENV ARMC5_BIN_DIR=/usr/local/ARM_Compiler_5.06u3/bin/ |
| ENV PATH=$PATH:/usr/local/ARM_Compiler_5.06u3/bin |
| ENV ARMLMD_LICENSE_FILE=27000@flexnet.trustedfirmware.org |
| |
| # Install ARM Compiler 6.6 |
| RUN mkdir temp && cd temp && \ |
| wget -q --no-check-certificate https://developer.arm.com/-/media/Files/downloads/compiler/DS500-BN-00026-r5p0-07rel0.tgz?revision=8f0d9fb0-9616-458c-b2f5-d0dac83ea93c?product=Downloads,64-bit,,Linux,6.6 -O arm6.tgz && \ |
| tar -zxf arm6.tgz && ls -ltr && \ |
| ./install_x86_64.sh --i-agree-to-the-contained-eula --no-interactive -d /usr/local/ARM_Compiler_6.6 --quiet && \ |
| cd .. && rm -rf temp/ |
| |
| ENV ARMC6_BIN_DIR=/usr/local/ARM_Compiler_6.6/bin/ |
| |
| # Install arm-none-eabi-gcc |
| RUN wget -q https://developer.arm.com/-/media/Files/downloads/gnu-rm/5_4-2016q3/gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -O gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 && \ |
| tar -xjf gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 -C /opt && \ |
| rm gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 |
| |
| ENV PATH=/opt/gcc-arm-none-eabi-5_4-2016q3/bin:$PATH |
| |
| # Install exact upstream versions of OpenSSL and GnuTLS |
| # |
| # Distro packages tend to include patches that disrupt our testing scripts, |
| # and such patches may be added at any time. Avoid surprises by using fixed |
| # versions. |
| # |
| # GnuTLS has a number of (optional) dependencies: |
| # - nettle (crypto library): quite tighly coupled, so build one for each |
| # version of GnuTLS that we want. |
| # - libtasn1: can use the Ubuntu version, except for GnuTLS 3.7 which needs |
| # libtasn1 4.9 (Ubuntu 16.04 has 4.6); an config option |
| # --with-included-libtasn1 is available, so use it for GnuTLS 3.7. |
| # - p11-kit: optional, for smart-card support - configure it out |
| # - libunistring: since 3.6 - the Ubuntu package works; if it didn't a config |
| # option --with-included-libunistring is available. |
| |
| # Install openssl 1.0.2g - main version, in the PATH |
| RUN wget -q https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz && \ |
| tar -zxf openssl-1.0.2g.tar.gz && cd openssl-1.0.2g && \ |
| ./config --openssldir=/usr/local/openssl-1.0.2g enable-ssl-trace && \ |
| make clean && make && make install && cd .. && \ |
| rm -rf openssl-1.0.2g* |
| |
| ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl |
| ENV PATH=/usr/local/openssl-1.0.2g/bin:$PATH |
| |
| # Install openssl 1.0.1j - "legacy" version |
| RUN wget -q https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz && \ |
| tar -zxf openssl-1.0.1j.tar.gz && cd openssl-1.0.1j && \ |
| ./config --openssldir=/usr/local/openssl-1.0.1j && \ |
| make clean && make && make install && cd .. && \ |
| rm -rf openssl-1.0.1j* |
| |
| ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl |
| |
| # Install openssl 1.1.1a - "next" version |
| RUN wget -q https://www.openssl.org/source/openssl-1.1.1a.tar.gz && \ |
| tar -zxf openssl-1.1.1a.tar.gz && cd openssl-1.1.1a && \ |
| ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' enable-ssl-trace && \ |
| make clean && make && make install && cd .. && \ |
| rm -rf openssl-1.1.1a* |
| |
| ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl |
| |
| # Install Gnu TLS 3.4.10 (nettle 3.1) - main version, in the PATH |
| RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz && \ |
| tar -zxf nettle-3.1.tar.gz && cd nettle-3.1 && \ |
| ./configure --prefix=/usr/local/libnettle-3.1 --exec_prefix=/usr/local/libnettle-3.1 --disable-shared --disable-openssl && \ |
| make && make install && cd .. && rm -rf nettle-3.1* && \ |
| export PKG_CONFIG_PATH=/usr/local/libnettle-3.1/lib/pkgconfig:/usr/local/libnettle-3.1/lib64/pkgconfig:/usr/local/lib/pkgconfig && \ |
| wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz && \ |
| tar -xJf gnutls-3.4.10.tar.xz && cd gnutls-3.4.10 && \ |
| ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 --disable-shared --without-p11-kit && \ |
| make && make install && cat config.log && cd .. && \ |
| rm -rf gnutls-3.4.10* |
| |
| ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli |
| ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv |
| ENV PATH=/usr/local/gnutls-3.4.10/bin:$PATH |
| |
| # Install Gnu TLS 3.3.8 (nettle 2.7) - "legacy" version |
| RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz && \ |
| tar -zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1 && \ |
| ./configure --prefix=/usr/local/libnettle-2.7.1 --exec_prefix=/usr/local/libnettle-2.7.1 --disable-shared --disable-openssl && \ |
| make && make install && cd .. && rm -rf nettle-2.7.1* && \ |
| export PKG_CONFIG_PATH=/usr/local/libnettle-2.7.1/lib/pkgconfig:/usr/local/libnettle-2.7.1/lib64/pkgconfig:/usr/local/lib/pkgconfig && \ |
| wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz && \ |
| tar -xJf gnutls-3.3.8.tar.xz && cd gnutls-3.3.8 && \ |
| ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared --without-p11-kit && \ |
| make && make install && cat config.log && cd .. && \ |
| rm -rf gnutls-3.3.8* |
| |
| ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli |
| ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv |
| |
| # Instal GNU TLS 3.7.2 (nettle 3.7) - "next" version |
| RUN wget -q https://ftp.gnu.org/gnu/nettle/nettle-3.7.3.tar.gz && \ |
| tar -zxf nettle-3.7.3.tar.gz && cd nettle-3.7.3 && \ |
| ./configure --prefix=/usr/local/libnettle-3.7.3 --exec_prefix=/usr/local/libnettle-3.7.3 --disable-shared --disable-openssl && \ |
| make && make install && cd .. && rm -rf nettle-3.7.3* && \ |
| export PKG_CONFIG_PATH=/usr/local/libnettle-3.7.3/lib/pkgconfig:/usr/local/libnettle-3.7.3/lib64/pkgconfig:/usr/local/lib/pkgconfig && \ |
| wget -q https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-3.7.2.tar.xz && \ |
| tar -xJf gnutls-3.7.2.tar.xz && cd gnutls-3.7.2 && \ |
| ./configure --prefix=/usr/local/gnutls-3.7.2 --exec_prefix=/usr/local/gnutls-3.7.2 --disable-shared --with-included-libtasn1 --without-p11-kit && \ |
| make && make install && cat config.log && cd .. && \ |
| rm -rf gnutls-3.7.2* |
| |
| ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.7.2/bin/gnutls-cli |
| ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.7.2/bin/gnutls-serv |
| |
| # Install abi-compliance-checker |
| # The version in Ubuntu 16.04 is too old, we want at least the version below |
| RUN wget -q https://github.com/lvc/abi-compliance-checker/archive/2.3.tar.gz && \ |
| tar -zxf 2.3.tar.gz && cd abi-compliance-checker-2.3 && \ |
| make clean && make && make install prefix=/usr && cd .. && \ |
| rm -rf abi-compliance-checker* && rm 2.3.tar.gz |
| |
| # Install abi-dumper |
| # The version in Ubuntu 16.04 is too old, we want at least the version below |
| RUN git clone --branch 1.1 https://github.com/lvc/abi-dumper.git && \ |
| cd abi-dumper && make install prefix=/usr && cd .. && rm -rf abi-dumper |
| |
| # Install Python pip packages |
| # |
| # The pip wrapper scripts can get out of sync with pip due to upgrading it |
| # outside the package manager, so invoke the module directly. |
| # |
| # Ubuntu 16.04's pip (8.1) doesn't understand the Requires-Python |
| # directive (introduced in pip 9.0), and tries to install the wrong versions |
| # of pip and setuptools. Version 21 of pip drops support for Python 3.5 (the |
| # latest in 16.04), so pick an earlier version. |
| # |
| # Piping to cat suppresses the progress bar, but means that a failure |
| # won't be caught (`stuff | cat` succeeds if cat succeeds, even if `stuff` |
| # fails). The subsequent use of "pip config" (which requires pip >=10) |
| # will however fail if the installation of a more recent pip failed. |
| RUN python3 -m pip install 'pip<21' --upgrade | cat && \ |
| python3 -m pip config set global.progress_bar off && \ |
| python3 -m pip install setuptools --upgrade && \ |
| # For pylint we want a known version, as later versions may add checks at |
| # any time, making CI results unpredictable. |
| python3 -m pip install pylint==2.4.4 && \ |
| # For mypy, use the earliest version that works with our code base. |
| # See https://github.com/ARMmbed/mbedtls/pull/3953 . |
| python3 -m pip install mypy==0.780 && \ |
| # For jinja2, use the version that's in Ubuntu 20.04. |
| # See https://github.com/ARMmbed/mbedtls/pull/5067#discussion_r738794607 . |
| # Note that Jinja2 3.0 drops support for Python 3.5, so we need 2.x. |
| python3 -m pip install Jinja2==2.10.1 types-Jinja2 && \ |
| true |
| |
| # Set locale for ARMCC to work |
| RUN locale && \ |
| locale-gen "en_US.UTF-8" && \ |
| dpkg-reconfigure locales |
| |
| # Add user |
| RUN useradd -m user |
| |
| # Create workspace |
| ARG AGENT_WORKDIR=/var/lib/builds |
| RUN mkdir -p ${AGENT_WORKDIR} && chown user:user ${AGENT_WORKDIR} |
| USER user |
| ENV AGENT_WORKDIR=${AGENT_WORKDIR} |
| |
| WORKDIR ${AGENT_WORKDIR} |
| |
| ENTRYPOINT ["bash"] |