root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Use make for OCI workflow (#11042) 

* Use make instead of bazel for the OCI workflow
This commit is contained in:
Rin Kuryloski 2024-04-19 20:05:24 +02:00 committed by GitHub
parent d32a2a8c15
commit 4e720d7fe1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 397 additions and 533 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
.github/workflows/oci-base.yaml vendored
View File

@ -1,69 +0,0 @@
# https://github.com/marketplace/actions/build-and-push-docker-images
name: OCI Base Image
on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch:
jobs:
build-publish:
runs-on: ubuntu-20.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up QEMU
id: qemu
uses: docker/setup-qemu-action@v3
with:
image: tonistiigi/binfmt:latest
platforms: linux/amd64,linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Available platforms
run: echo ${{ steps.buildx.outputs.platforms }}
- name: Cache Docker layers
uses: actions/cache@v4.0.2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-${{ github.event.pull_request.head.sha || github.sha }}
restore-keys: |
${{ runner.os }}-${{ matrix.image_tag_suffix }}-buildx-
- name: Check for Push Credentials
id: authorized
run: |
if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then
echo "PUSH=true" >> $GITHUB_OUTPUT
else
echo "PUSH=false" >> $GITHUB_OUTPUT
fi
- name: Login to DockerHub
if: steps.authorized.outputs.PUSH == 'true'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and push
uses: docker/build-push-action@v5
with:
context: packaging/base-image
platforms: linux/amd64,linux/arm64
pull: true
push: ${{ steps.authorized.outputs.PUSH }}
tags: |
pivotalrabbitmq/ubuntu:20.04
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new
# Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
- name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache

155
.github/workflows/oci-make.yaml vendored Normal file
View File

@ -0,0 +1,155 @@
# https://github.com/marketplace/actions/build-and-push-docker-images
name: OCI (make)
on:
push:
paths-ignore:
- '.github/workflows/secondary-umbrella.yaml'
- '.github/workflows/update-elixir-patches.yaml'
- '.github/workflows/update-otp-patches.yaml'
workflow_dispatch:
env:
REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
build-package-generic-unix:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure Erlang
uses: erlef/setup-beam@v1
with:
otp-version: 26.2
elixir-version: 1.15
- name: make package-generic-unix
run: |
make package-generic-unix
- name: Upload package-generic-unix
uses: actions/upload-artifact@v4.3.1
with:
name: package-generic-unix
path: PACKAGES/rabbitmq-server-*.tar.xz
build:
needs: build-package-generic-unix
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64
steps:
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@v4
- name: Download package-generic-unix
uses: actions/download-artifact@v4
with:
name: package-generic-unix
path: PACKAGES
- name: Rename package-generic-unix
run: |
cp \
PACKAGES/rabbitmq-server-generic-unix-*.tar.xz \
packaging/docker-image/package-generic-unix.tar.xz
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and push by digest
id: build
uses: docker/build-push-action@v5
with:
context: packaging/docker-image
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
cache-to: type=registry,ref=ghcr.io/rabbitmq/rabbitmq:buildcache-${{ env.PLATFORM_PAIR }},mode=max
cache-from: type=registry,ref=ghcr.io/rabbitmq/rabbitmq:buildcache-${{ env.PLATFORM_PAIR }}
outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
- name: Export digest
run: |
mkdir -p /tmp/digests
digest="${{ steps.build.outputs.digest }}"
touch "/tmp/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: /tmp/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY_IMAGE }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=sha,format=long
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
summary-oci:
needs:
- build-package-generic-unix
- build
- merge
runs-on: ubuntu-latest
steps:
- name: SUMMARY
run: |
cat << 'EOF' | jq -e 'map(.result == "success") | all(.)'
${{ toJson(needs) }}
EOF

139
.github/workflows/oci.yaml vendored
View File

@ -1,139 +0,0 @@
# https://github.com/marketplace/actions/build-and-push-docker-images
name: OCI
on:
push:
paths-ignore:
- '.github/workflows/secondary-umbrella.yaml'
- '.github/workflows/update-elixir-patches.yaml'
- '.github/workflows/update-otp-patches.yaml'
workflow_dispatch:
env:
VERSION: ${{ github.event.pull_request.head.sha || github.sha }}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
build-publish-dev-bazel:
runs-on: ubuntu-latest
services:
registry:
image: registry
ports:
- 5001:5000
steps:
- name: Checkout
uses: actions/checkout@v4
- name: 'Login to GitHub Container Registry'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Configure Erlang
uses: erlef/setup-beam@v1
with:
otp-version: 26.2
elixir-version: 1.15
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v3
- name: Configure Bazel
run: |
if [ -n "${{ secrets.BUILDBUDDY_API_KEY }}" ]; then
cat << EOF >> user.bazelrc
build:buildbuddy --remote_header=x-buildbuddy-api-key=${{ secrets.BUILDBUDDY_API_KEY }}
EOF
fi
cat << EOF >> user.bazelrc
build:buildbuddy --build_metadata=ROLE=CI
build:buildbuddy --build_metadata=VISIBILITY=PRIVATE
build:buildbuddy --color=yes
build --action_env EXTRA_BUILDX_OPTS="--cache-from=type=gha --cache-to=type=gha"
EOF
- name: Build package-generic-unix
run: |
bazelisk build :package-generic-unix \
--config=buildbuddy
- name: Build amd64 Base
run: |
bazelisk build //packaging/base-image:docker-build-amd64 \
--config=buildbuddy \
--experimental_ui_max_stdouterr_bytes=4194304
- name: Build amd64
run: |
bazelisk build //packaging/docker-image:rabbitmq-amd64 \
--config=buildbuddy
- name: Build arm64 Base
run: |
bazelisk build //packaging/base-image:docker-build-arm64 \
--config=buildbuddy \
--experimental_ui_max_stdouterr_bytes=4194304
- name: Build arm64
run: |
bazelisk build //packaging/docker-image:rabbitmq-arm64 \
--config=buildbuddy
- name: Test
run: |
OCI_TESTS=$(bazel cquery 'tests(//packaging/docker-image/...)' | awk '{ print $1 }')
bazelisk test ${OCI_TESTS} \
--config=buildbuddy
- name: Check for Push Credentials
id: authorized
run: |
if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ]; then
echo "PUSH=true" >> $GITHUB_OUTPUT
else
echo "PUSH=false" >> $GITHUB_OUTPUT
fi
- name: Assemble Multi-Arch
run: |
bazelisk build //packaging/docker-image:rabbitmq \
--config=buildbuddy
- name: Login to DockerHub
if: steps.authorized.outputs.PUSH == 'true'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Tag and Push
if: steps.authorized.outputs.PUSH == 'true'
run: |
TAG_1="${{ env.VERSION }}"
REF_NAME="${{ github.ref_name }}"
TAG_2="${REF_NAME//\//-}"
set -x
bazelisk run //packaging/docker-image:push \
--config=buildbuddy -- \
--tag ${TAG_1} \
--tag ${TAG_2}
summary-oci:
needs:
- build-publish-dev-bazel
runs-on: ubuntu-latest
steps:
- name: SUMMARY
run: |
echo "SUCCESS"

18
.github/workflows/rabbitmq_peer_discovery_aws.yaml vendored
View File

@ -21,13 +21,17 @@ jobs:
steps:
- name: CHECKOUT REPOSITORY
uses: actions/checkout@v4
- name: WAIT FOR OCI IMAGE WORKFLOW
uses: lewagon/wait-on-check-action@v1.3.4
- uses: docker/metadata-action@v4
id: metadata
with:
ref: ${{ github.ref }}
check-name: build-publish-dev-bazel
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30 # seconds
images: pivotalrabbitmq/rabbitmq
tags: |
type=sha,format=long
- uses: int128/wait-for-docker-image-action@v1
with:
tags: ${{ steps.metadata.outputs.tags }}
timeout-seconds: 3600
polling-seconds: 60
- name: CONFIGURE BAZEL
run: |
cat << EOF >> user.bazelrc
@ -51,6 +55,6 @@ jobs:
--build_tests_only \
--test_env AWS_ACCESS_KEY_ID=${{ secrets.CONCOURSE_AWS_ACCESS_KEY_ID }} \
--test_env AWS_SECRET_ACCESS_KEY=${{ secrets.CONCOURSE_AWS_SECRET_ACCESS_KEY }} \
--test_env RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq:${{ github.sha }}" \
--test_env RABBITMQ_IMAGE="pivotalrabbitmq/rabbitmq:sha-${{ github.sha }}" \
--test_env AWS_ECS_CLUSTER_NAME="rabbitmq-peer-discovery-aws-actions-${branch_or_tag//[._]/-}" \
--verbose_failures

1
packaging/base-image/.dockerignore
View File

@ -1 +0,0 @@
BUILD.bazel

40
packaging/base-image/BUILD.bazel
View File

@ -1,40 +0,0 @@
_ARCHS = [
"amd64",
"arm64",
]
_TAGS = [
"docker",
"manual",
"no-sandbox",
"no-remote-exec", # buildbuddy runners do not have the emulator available
]
[
genrule(
name = "docker-build-%s" % arch,
srcs = [
"Dockerfile",
],
outs = [
"image-%s.tar" % arch,
],
cmd = """set -euo pipefail
CONTEXT="$$(mktemp -d)"
cp $(location Dockerfile) "$$CONTEXT"
docker buildx \\
build \\
"$$CONTEXT" \\
--platform linux/{arch} \\
--output type=tar,dest=$(location image-{arch}.tar) $${{EXTRA_BUILDX_OPTS:-}}
""".format(
arch = arch,
),
tags = _TAGS,
visibility = ["//packaging:__subpackages__"],
)
for arch in _ARCHS
]

234
packaging/base-image/Dockerfile
View File

@ -1,234 +0,0 @@
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
# The official Canonical Ubuntu Focal image is ideal from a security perspective,
# especially for the enterprises that we, the RabbitMQ team, have to deal with
FROM ubuntu:22.04 as build-base
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
gnupg \
libncurses5-dev \
wget
FROM build-base as openssl-builder
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
ARG PGP_KEYSERVER=keyserver.ubuntu.com
# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.13 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.13/ubuntu
# For context, see https://github.com/docker-library/official-images/issues/4252
ENV OPENSSL_VERSION 3.1.5
ENV OPENSSL_SOURCE_SHA256="6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
# https://www.openssl.org/community/otc.html
# https://www.openssl.org/source/
ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D 0xEFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5"
ENV OTP_VERSION 26.2.2
# TODO add PGP checking when the feature will be added to Erlang/OTP's build system
# https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
ENV OTP_SOURCE_SHA256="d537ff4ac5d8c1cb507aedaf7198fc1f155ea8aa65a8d83edb35c2802763cc28"
# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
# Install dependencies required to build Erlang/OTP from source
# https://erlang.org/doc/installation_guide/INSTALL.html
# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
# gnupg: Required to verify OpenSSL artefacts
# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli
RUN set -eux; \
OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
\
# Required by the crypto & ssl Erlang/OTP applications
wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \
export GNUPGHOME="$(mktemp -d)"; \
for key in $OPENSSL_PGP_KEY_IDS; do \
gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key"; \
done; \
gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME"; \
echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \
mkdir -p "$OPENSSL_PATH"; \
tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \
\
# Configure OpenSSL for compilation
cd "$OPENSSL_PATH"; \
# without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??)
# OpenSSL's "config" script uses a lot of "uname"-based target detection...
dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
# https://deb.debian.org/debian/dists/unstable/main/
case "$dpkgArch" in \
# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
amd64) opensslMachine='linux-x86_64' ;; \
arm64) opensslMachine='linux-aarch64' ;; \
# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
i386) opensslMachine='linux-x86' ;; \
ppc64el) opensslMachine='linux-ppc64le' ;; \
riscv64) opensslMachine='linux64-riscv64' ;; \
s390x) opensslMachine='linux64-s390x' ;; \
*) echo >&2 "error: unsupported arch: '$apkArch'"; exit 1 ;; \
esac; \
MACHINE="$opensslMachine" \
RELEASE="4.x.y-z" \
SYSTEM='Linux' \
BUILD='???' \
./Configure \
"$opensslMachine" \
enable-fips \
--prefix="$OPENSSL_INSTALL_PATH_PREFIX" \
--openssldir="$OPENSSL_CONFIG_DIR" \
--libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
${opensslExtraConfig:-} \
; \
# Compile, install OpenSSL, verify that the command-line works & development headers are present
make -j "$(getconf _NPROCESSORS_ONLN)"; \
make install_sw install_ssldirs install_fips; \
ldconfig; \
# use Debian's CA certificates
rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"
# smoke test
RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
FROM openssl-builder as erlang-builder
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN set -eux; \
OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \
\
# Download, verify & extract OTP_SOURCE
mkdir -p "$OTP_PATH"; \
wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \
echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \
\
# Configure Erlang/OTP for compilation, disable unused features & applications
# https://erlang.org/doc/applications.html
# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation
cd "$OTP_PATH"; \
export ERL_TOP="$OTP_PATH"; \
CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \
hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
# JIT is only supported on amd64 + arm64; https://github.com/erlang/otp/blob/OTP-25.3.2.2/erts/configure#L24306-L24347
jitFlag=; \
case "$dpkgArch" in \
amd64 | arm64) jitFlag='--enable-jit' ;; \
esac; \
./configure \
--prefix="$ERLANG_INSTALL_PATH_PREFIX" \
--host="$hostArch" \
--build="$buildArch" \
--disable-hipe \
--disable-sctp \
--disable-silent-rules \
--enable-builtin-zlib \
--enable-clock-gettime \
--enable-hybrid-heap \
--enable-kernel-poll \
--enable-smp-support \
--enable-threads \
--with-microstate-accounting=extra \
--with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \
--without-common_test \
--without-debugger \
--without-dialyzer \
--without-diameter \
--without-edoc \
--without-erl_docgen \
--without-et \
--without-eunit \
--without-ftp \
--without-hipe \
--without-jinterface \
--without-megaco \
--without-observer \
--without-odbc \
--without-reltool \
--without-ssh \
--without-tftp \
--without-wx \
$jitFlag \
; \
\
# Compile & install Erlang/OTP
make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \
make install; \
\
# Remove unnecessary files
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH
RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }'
RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
FROM ubuntu:22.04
# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again
ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX
RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.2","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json
COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json
ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
RUN set -eux; \
# Configure OpenSSL to use system certs
ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
\
# Check that OpenSSL still works after copying from previous builder
ldconfig; \
sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
[ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \
openssl version; \
openssl version -d; \
\
# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \
\
# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM
groupadd --gid 999 --system rabbitmq; \
useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \
mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
chmod 1777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie

1
packaging/docker-image/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
package-generic-unix.tar.xz

13
packaging/docker-image/BUILD.bazel
View File

@ -36,7 +36,6 @@ _TAGS = [
genrule(
name = "docker-build-%s" % arch,
srcs = [
"//packaging/base-image:image-%s.tar" % arch,
":context-files",
],
outs = [
@ -48,22 +47,10 @@ CONTEXT="$$(mktemp -d)"
cp $(locations :context-files) "$$CONTEXT"
BASE_IMAGE="ghcr.io/rabbitmq/rabbitmq-base"
set -x
docker import \\
--platform linux/{arch} \\
"$(location //packaging/base-image:image-{arch}.tar)" \\
$$BASE_IMAGE:{arch}
DIGEST="$$(docker push $$BASE_IMAGE:{arch} | sed -n 's/.*\\(sha256:[a-z0-9]*\\).*/\\1/p')"
docker buildx \\
build \\
"$$CONTEXT" \\
--platform linux/{arch} \\
--build-arg BASE_IMAGE="$$BASE_IMAGE@$$DIGEST" \\
--build-arg RABBITMQ_VERSION="{rmq_version}" \\
--output type=tar,dest=$(location image-{arch}.tar) $${{EXTRA_BUILDX_OPTS:-}}
""".format(

229
packaging/docker-image/Dockerfile
View File

@ -1,13 +1,238 @@
ARG BASE_IMAGE=ghcr.io/rabbitmq/rabbitmq-base:amd64
FROM ${BASE_IMAGE}
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
# The official Canonical Ubuntu Focal image is ideal from a security perspective,
# especially for the enterprises that we, the RabbitMQ team, have to deal with
FROM ubuntu:22.04 as build-base
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
gnupg \
libncurses5-dev \
wget
FROM build-base as openssl-builder
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
ARG PGP_KEYSERVER=keyserver.ubuntu.com
# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.13 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.13/ubuntu
# For context, see https://github.com/docker-library/official-images/issues/4252
ENV OPENSSL_VERSION 3.1.5
ENV OPENSSL_SOURCE_SHA256="6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
# https://www.openssl.org/community/otc.html
# https://www.openssl.org/source/
ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D 0xEFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5"
ENV OTP_VERSION 26.2.2
# TODO add PGP checking when the feature will be added to Erlang/OTP's build system
# https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
ENV OTP_SOURCE_SHA256="d537ff4ac5d8c1cb507aedaf7198fc1f155ea8aa65a8d83edb35c2802763cc28"
# install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
# Install dependencies required to build Erlang/OTP from source
# https://erlang.org/doc/installation_guide/INSTALL.html
# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
# gnupg: Required to verify OpenSSL artefacts
# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli
RUN set -eux; \
OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
\
# Required by the crypto & ssl Erlang/OTP applications
wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \
export GNUPGHOME="$(mktemp -d)"; \
for key in $OPENSSL_PGP_KEY_IDS; do \
gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key"; \
done; \
gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME"; \
echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \
mkdir -p "$OPENSSL_PATH"; \
tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \
\
# Configure OpenSSL for compilation
cd "$OPENSSL_PATH"; \
# without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??)
# OpenSSL's "config" script uses a lot of "uname"-based target detection...
dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
# https://deb.debian.org/debian/dists/unstable/main/
case "$dpkgArch" in \
# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
amd64) opensslMachine='linux-x86_64' ;; \
arm64) opensslMachine='linux-aarch64' ;; \
# https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
# https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
i386) opensslMachine='linux-x86' ;; \
ppc64el) opensslMachine='linux-ppc64le' ;; \
riscv64) opensslMachine='linux64-riscv64' ;; \
s390x) opensslMachine='linux64-s390x' ;; \
*) echo >&2 "error: unsupported arch: '$apkArch'"; exit 1 ;; \
esac; \
MACHINE="$opensslMachine" \
RELEASE="4.x.y-z" \
SYSTEM='Linux' \
BUILD='???' \
./Configure \
"$opensslMachine" \
enable-fips \
--prefix="$OPENSSL_INSTALL_PATH_PREFIX" \
--openssldir="$OPENSSL_CONFIG_DIR" \
--libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
${opensslExtraConfig:-} \
; \
# Compile, install OpenSSL, verify that the command-line works & development headers are present
make -j "$(getconf _NPROCESSORS_ONLN)"; \
make install_sw install_ssldirs install_fips; \
ldconfig; \
# use Debian's CA certificates
rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"
# smoke test
RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
FROM openssl-builder as erlang-builder
ARG BUILDKIT_SBOM_SCAN_STAGE=true
RUN set -eux; \
OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \
\
# Download, verify & extract OTP_SOURCE
mkdir -p "$OTP_PATH"; \
wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \
echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \
\
# Configure Erlang/OTP for compilation, disable unused features & applications
# https://erlang.org/doc/applications.html
# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation
cd "$OTP_PATH"; \
export ERL_TOP="$OTP_PATH"; \
CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \
hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
# JIT is only supported on amd64 + arm64; https://github.com/erlang/otp/blob/OTP-25.3.2.2/erts/configure#L24306-L24347
jitFlag=; \
case "$dpkgArch" in \
amd64 | arm64) jitFlag='--enable-jit' ;; \
esac; \
./configure \
--prefix="$ERLANG_INSTALL_PATH_PREFIX" \
--host="$hostArch" \
--build="$buildArch" \
--disable-hipe \
--disable-sctp \
--disable-silent-rules \
--enable-builtin-zlib \
--enable-clock-gettime \
--enable-hybrid-heap \
--enable-kernel-poll \
--enable-smp-support \
--enable-threads \
--with-microstate-accounting=extra \
--with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \
--without-common_test \
--without-debugger \
--without-dialyzer \
--without-diameter \
--without-edoc \
--without-erl_docgen \
--without-et \
--without-eunit \
--without-ftp \
--without-hipe \
--without-jinterface \
--without-megaco \
--without-observer \
--without-odbc \
--without-reltool \
--without-ssh \
--without-tftp \
--without-wx \
$jitFlag \
; \
\
# Compile & install Erlang/OTP
make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \
make install; \
\
# Remove unnecessary files
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH
RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }'
RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
FROM ubuntu:22.04
# OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again
ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX
RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.2","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json
COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json
ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
RUN set -eux; \
# Configure OpenSSL to use system certs
ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
\
# Check that OpenSSL still works after copying from previous builder
ldconfig; \
sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
-e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
[ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \
openssl version; \
openssl version -d; \
\
# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \
\
# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM
groupadd --gid 999 --system rabbitmq; \
useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \
mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
chmod 1777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie
# Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html)
ARG RABBITMQ_VERSION=4.0.0
ENV RABBITMQ_VERSION=${RABBITMQ_VERSION}

31
packaging/docker-image/Makefile
View File

@ -34,24 +34,14 @@ endif
IMAGE_TAG_1 ?= $(subst +,-,$(VERSION))
endif
OTP_VERSION ?= 25.0.4
OTP_SHA256 ?= 05878cb51a64b33c86836b12a21903075c300409b609ad5e941ddb0feb8c2120
REPO ?= pivotalrabbitmq/rabbitmq
SKIP_PGP_VERIFY ?= false
PGP_KEYSERVER ?= pgpkeys.eu
ALT1_PGP_KEYSERVER ?= keyserver.ubuntu.com
ALT2_PGP_KEYSERVER ?= pgpkeys.uk
all: dist
dist:
xzcat $(GENERIC_UNIX_ARCHIVE) | tar xvf -
cp -f $(GENERIC_UNIX_ARCHIVE) package-generic-unix.tar.xz
docker build --pull \
--build-arg SKIP_PGP_VERIFY=$(SKIP_PGP_VERIFY) \
--build-arg PGP_KEYSERVER=$(PGP_KEYSERVER) \
--build-arg OTP_VERSION=$(OTP_VERSION) \
--build-arg OTP_SHA256=$(OTP_SHA256) \
--build-arg RABBITMQ_BUILD=rabbitmq_server-$(VERSION) \
--build-arg RABBITMQ_VERSION=$(VERSION) \
--tag $(REPO):$(IMAGE_TAG_1) \
.
@ -63,19 +53,4 @@ ifdef IMAGE_TAG_2
endif
clean:
rm -rf rabbitmq_server-*
OTP_VERSION_MATCH ?= 25[0-9.]+
define LATEST_STABLE_OTP_VERSION
curl --silent --fail https://api.github.com/repos/erlang/otp/git/refs/tags | \
jq -r '.[].ref | sub("refs/tags/OTP.{1}";"") | match("^$(OTP_VERSION_MATCH)$$") | .string' | \
tail -n 1
endef
.PHONY: find-otp-sha256
find-otp-sha256:
@printf "Version: " && \
export VERSION="$$($(LATEST_STABLE_OTP_VERSION))" && \
echo "$$VERSION" && \
printf "Checksum: " && \
wget --continue --quiet --output-document="/tmp/OTP-$$VERSION.tar.gz" "https://github.com/erlang/otp/archive/OTP-$$VERSION.tar.gz" && \
shasum -a 256 "/tmp/OTP-$$VERSION.tar.gz"
rm -f rabbitmq_server-*