Update to OpenSSL 3 and remove Ruby 2.7.

OpenSSL 1.1.1 is end-of-life today. Ruby still doesn't properly support OpenSSL 3 but staying on 1.1.1 is no longer viable. In practice it works fine though and everyone else has been using it for ages now. Ruby 2.7 doesn't compile against OpenSSL 3, but went out of maintenance 5 months ago and we no longer have anything that's using it.
alphagov · Sep 11, 2023 · b54d144 · b54d144
1 parent 97ecb65
commit b54d144
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 27 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        version: ['2_7', '3_1', '3_1_2', '3_2', '3_2_0']
+        version: ['3_1', '3_1_2', '3_2', '3_2_0']
     permissions:
       packages: write
     steps:

diff --git a/SHA256SUMS b/SHA256SUMS
@@ -1,5 +1,3 @@
-d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0  openssl-1.1.1v.tar.gz
-e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10  ruby-2.7.6.tar.gz
 61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e  ruby-3.1.2.tar.gz
 5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e  ruby-3.1.3.tar.gz
 daaa78e1360b2783f98deeceb677ad900f3a36c0ffa6e2b6b19090be77abc272  ruby-3.2.0.tar.gz

diff --git a/base.Dockerfile b/base.Dockerfile
@@ -11,14 +11,12 @@ RUN : "${RUBY_MAJOR?}" "${RUBY_VERSION?}"
 # Environment variables required for build.
 ENV LANG=C.UTF-8 \
     CPPFLAGS=-DENABLE_PATH_CHECK=0 \
-    OPENSSL_VERSION=1.1.1v \
     RUBY_MAJOR=${RUBY_MAJOR} \
     RUBY_VERSION=${RUBY_VERSION}
 
 # Build-time dependencies for Ruby.
-# TODO: remove perl once we no longer need to build OpenSSL.
 # TODO: remove curl and gpg once downloads are done in the build script.
-RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev perl
+RUN install_packages curl ca-certificates g++ gpg libc-dev make bison patch libdb-dev libffi-dev libgdbm-dev libgmp-dev libreadline-dev libssl-dev libyaml-dev zlib1g-dev uuid-dev libjemalloc-dev
 
 # Process the repo signing key for nodesource so we don't have to include gpg
 # in the final image.
@@ -28,18 +26,6 @@ RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dear
 # TODO: do the download and verification externally, in the build script.
 COPY SHA256SUMS /
 
-# TODO: remove OpenSSL build once https://www.github.com/ruby/openssl/issues/369 is fixed.
-WORKDIR /usr/src/openssl
-RUN set -x; \
-    MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
-    openssl_tarball="openssl-${OPENSSL_VERSION}.tar.gz"; \
-    curl -fsSLO "https://www.openssl.org/source/${openssl_tarball}"; \
-    grep "${openssl_tarball}" /SHA256SUMS | sha256sum --check --strict; \
-    tar -xf "${openssl_tarball}" --strip-components=1; \
-    ./config --prefix=/opt/openssl --openssldir=/opt/openssl no-tests shared zlib; \
-    make; \
-    make install_sw;  # Avoid building manpages and such.
-
 # Build/install Ruby and update the default gems so that we have an up-to-date
 # version of Bundler.
 #
@@ -52,7 +38,7 @@ RUN set -x; \
     MAKEFLAGS=-j"$(nproc)"; export MAKEFLAGS; \
     ruby_tarball="ruby-${RUBY_VERSION}.tar.gz"; \
     curl -fsSLO "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR}/${ruby_tarball}"; \
-    grep "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
+    grep -F "${ruby_tarball}" /SHA256SUMS | sha256sum --check --strict; \
     tar -xf "${ruby_tarball}" --strip-components=1; \
     arch="$(uname -m)-linux-gnu"; \
     ./configure \
@@ -61,7 +47,6 @@ RUN set -x; \
       --mandir=/tmp/throwaway \
       --disable-install-doc \
       --enable-shared \
-      --with-openssl-dir=/opt/openssl \
     ; \
     make; \
     make install; \
@@ -79,10 +64,6 @@ COPY --from=builder /usr/local/bin/ /usr/local/bin/
 COPY --from=builder /usr/local/include/ /usr/local/include/
 COPY --from=builder /usr/local/lib/ /usr/local/lib/
 COPY --from=builder /usr/local/share/ /usr/local/share/
-COPY --from=builder /opt/openssl /opt/openssl
-# Make our locally-built OpenSSL use the system cacert store.
-RUN rm -fr /opt/openssl/certs; \
-    ln -s /etc/ssl/certs /opt/openssl/certs
 
 # Environment variables common to most GOV.UK apps.
 ENV APP_HOME=/app \

diff --git a/builder.Dockerfile b/builder.Dockerfile
@@ -1,7 +1,7 @@
 ARG RUBY_MAJOR
 FROM ghcr.io/alphagov/govuk-ruby-base:${RUBY_MAJOR}
 
-RUN install_packages g++ libc-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
+RUN install_packages g++ libc-dev libssl-dev make git gpg libmariadb-dev-compat libpq-dev xz-utils
 
 # Environment variables to make build cleaner and faster
 ENV BUNDLE_IGNORE_MESSAGES=1 \

diff --git a/versions/2_7 b/versions/2_7