Merge pull request #54 from alphagov/sengi/openssl-1-eol

Update to OpenSSL 3 and remove Ruby 2.7.

.github/workflows/build.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        version: ['2_7', '3_1', '3_1_2', '3_2', '3_2_0']
+        version: ['3_1', '3_1_2', '3_2', '3_2_0']
     permissions:
       packages: write
     steps:

SHA256SUMS

@@ -1,5 +1,3 @@
-d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0  openssl-1.1.1v.tar.gz
-e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10  ruby-2.7.6.tar.gz
 61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e  ruby-3.1.2.tar.gz
 5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e  ruby-3.1.3.tar.gz
 daaa78e1360b2783f98deeceb677ad900f3a36c0ffa6e2b6b19090be77abc272  ruby-3.2.0.tar.gz

base.Dockerfile

@@ -11,14 +11,12 @@ RUN : "${RUBY_MAJOR?}" "${RUBY_VERSION?}"
 # Environment variables required for build.
 ENV LANG=C.UTF-8 \
     CPPFLAGS=-DENABLE_PATH_CHECK=0 \
-    OPENSSL_VERSION=1.1.1v \
     RUBY_MAJOR=${RUBY_MAJOR} \
     RUBY_VERSION=${RUBY_VERSION}
 
 # Build-time dependencies for Ruby.
-# TODO: remove perl once we no longer need to build OpenSSL.
 # TODO: remove curl and gpg once downloads are done in the build script.
-RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev perl
+RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libssl-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev
 
 # Process the repo signing key for nodesource so we don't have to include gpg
 # in the final image.
@@ -28,18 +26,6 @@ RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dear
 # TODO: do the download and verification externally, in the build script.
 COPY SHA256SUMS /
 
-# TODO: remove OpenSSL build once https://www.github.com/ruby/openssl/issues/369 is fixed.
-WORKDIR /usr/src/openssl
-RUN set -x; \
-    MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
-    openssl_tarball="openssl-${OPENSSL_VERSION}.tar.gz"; \
-    curl -fsSLO "https://www.openssl.org/source/${openssl_tarball}"; \
-    grep "${openssl_tarball}" /SHA256SUMS | sha256sum --check --strict; \
-    tar -xf "${openssl_tarball}" --strip-components=1; \
-    ./config --prefix=/opt/openssl --openssldir=/opt/openssl no-tests shared zlib; \
-    make; \
-    make install_sw;  # Avoid building manpages and such.
-
 # Build/install Ruby and update the default gems so that we have an up-to-date
 # version of Bundler.
 #
@@ -52,7 +38,7 @@ RUN set -x; \
     MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
     ruby_tarball="ruby-${RUBY_VERSION}.tar.gz"; \
     curl -fsSLO "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR}/${ruby_tarball}"; \
-    grep "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
+    grep -F "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
     tar -xf "${ruby_tarball}" --strip-components=1; \
     arch="$(uname -m)-linux-gnu"; \
     ./configure \
@@ -61,7 +47,6 @@ RUN set -x; \
       --mandir=/tmp/throwaway \
       --disable-install-doc \
       --enable-shared \
-      --with-openssl-dir=/opt/openssl \
     ; \
     make; \
     make install; \
@@ -79,10 +64,6 @@ COPY --from=builder /usr/local/bin/ /usr/local/bin/
 COPY --from=builder /usr/local/include/ /usr/local/include/
 COPY --from=builder /usr/local/lib/ /usr/local/lib/
 COPY --from=builder /usr/local/share/ /usr/local/share/
-COPY --from=builder /opt/openssl /opt/openssl
-# Make our locally-built OpenSSL use the system cacert store.
-RUN rm -fr /opt/openssl/certs; \
-    ln -s /etc/ssl/certs /opt/openssl/certs
 
 # Environment variables common to most GOV.UK apps.
 ENV APP_HOME=/app \

builder.Dockerfile

@@ -1,7 +1,7 @@
 ARG RUBY_MAJOR
 FROM ghcr.io/alphagov/govuk-ruby-base:${RUBY_MAJOR}
 
-RUN install_packages g++ libc-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
+RUN install_packages g++ libc-dev libssl-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
 
 # Environment variables to make build cleaner and faster
 ENV BUNDLE_IGNORE_MESSAGES=1 \