Reinstall Ruby grpc gem with system OpenSSL for FIPS builds

Stan Hu requested to merge sh-grpc-system-ssl-fips into master

What does this MR do?

By default, the Ruby grpc gem installs itself as a native gem and bundles its own copy of BoringSSL. BoringSSL is a fork of OpenSSL, and while there are FIPS-validated versions available, a BoringSSL FIPS library is not generally available. However, we can ensure FIPS compliance by building and linking against the system OpenSSL.

Unfortunately, the gRPC upstream has not made it possible to configure the Ruby compilation options (https://github.com/grpc/grpc/pull/27881).

To work around this, we patch the Ruby extconf.rb to link against the system OpenSSL. This commit:

  1. Determines which grpc gems have been installed in the system.
  2. Uninstalls all versions. Note that it's possible to install the same version with both the Ruby and x86 native platforms.
  3. For each version, downloads the gem, patches it with the handy gem-patch tool, and reinstalls the patched gem.

Related issues

Related Omnibus merge request: gitlab-org/omnibus-gitlab!6172 (merged)

Relates to gitlab-org/omnibus-gitlab#6687 (closed)

Testing

Installed the images via:

     --set global.certificates.image.tag=20211220-r0-fips \
     --set gitlab.gitaly.image.pullPolicy=Always \
     --set gitlab.gitaly.image.tag=sh-grpc-system-ssl-fips-fips \
     --set gitlab.sidekiq.image.pullPolicy=Always \
     --set gitlab.sidekiq.image.tag=sh-grpc-system-ssl-fips-fips \
     --set gitlab.webservice.image.pullPolicy=Always \
     --set gitlab.webservice.image.tag=sh-grpc-system-ssl-fips-fips \
     --set gitlab.webservice.workhorse.pullPolicy=Always \
     --set gitlab.webservice.workhorse.tag=sh-grpc-system-ssl-fips-fips \
     --set gitlab.sidekiq.image.pullPolicy=Always \
     --set gitlab.sidekiq.image.tag=sh-grpc-system-ssl-fips-fips \

gitaly-ruby starts just fine. Validated that libssl is being linked:

[git@gitlab-gitaly-0 /]$ ldd ./srv/gitaly-ruby/vendor/bundle/ruby/2.7.0/extensions/x86_64-linux/2.7.0/grpc-1.42.0/grpc/grpc_c.so
	linux-vdso.so.1 (0x00007ffd95fa3000)
	libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007fa6ad60f000)
	libruby.so.2.7 => /usr/lib64/libruby.so.2.7 (0x00007fa6ad062000)
	libm.so.6 => /usr/lib64/libm.so.6 (0x00007fa6acce0000)
	libc.so.6 => /usr/lib64/libc.so.6 (0x00007fa6ac91b000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fa6adf79000)
	libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007fa6ac432000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x00007fa6ac21a000)
	libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fa6ac016000)
	libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fa6abdf6000)
	librt.so.1 => /usr/lib64/librt.so.1 (0x00007fa6abbee000)
	libjemalloc.so.2 => /usr/lib64/libjemalloc.so.2 (0x00007fa6ab71e000)
	libcrypt.so.1 => /usr/lib64/libcrypt.so.1 (0x00007fa6ab4f5000)
	libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007fa6ab160000)
	libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007fa6aaf48000)

Size of image looks reasonable:

$ docker images | grep gitaly
registry.gitlab.com/gitlab-org/build/cng/gitaly                       sh-grpc-system-ssl-fips-fips   1d77ac161f3c   6 hours ago   1.04GB
registry.gitlab.com/gitlab-org/build/cng/gitaly                       master-ubi8                    1aeec13388fd   9 hours ago   1.06GB

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Integration tests added to GitLab QA
  • The impact any change in container size has should be evaluated
Edited by Stan Hu
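
An added example (not part of this merge request or the GitLab build scripts): a shell function that automates the `ldd` validation from the Testing section, failing when `libssl`/`libcrypto` are absent from the dynamic dependencies (as with a bundled TLS library) or resolve outside system directories. The function names, the `ALLOWED_LIB_DIRS` variable and the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the MR. Usage: ldd path/to/grpc_c.so | check_ssl_linkage

# Sample taken from the ldd output in the Testing section (trimmed).
sample_system_ldd() {
    printf '\tlinux-vdso.so.1 (0x00007ffd95fa3000)\n'
    printf '\tlibssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007fa6ad60f000)\n'
    printf '\tlibcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007fa6ac432000)\n'
}

# Constructed sample: an extension with its TLS library compiled in (no libssl/libcrypto).
sample_bundled_ldd() {
    printf '\tlinux-vdso.so.1 (0x00007ffc00000000)\n'
    printf '\tlibc.so.6 => /usr/lib64/libc.so.6 (0x00007f0000000000)\n'
}

# Reads ldd output on stdin; returns 0 only if libssl and libcrypto both
# resolve to a file directly inside one of the allowed system directories.
check_ssl_linkage() {
    allowed_dirs="${ALLOWED_LIB_DIRS:-/usr/lib64 /lib64 /usr/lib /lib}"  # assumed default
    ldd_out=$(cat)
    for lib in libssl libcrypto; do
        line=$(printf '%s\n' "$ldd_out" | grep -E "^[[:space:]]*${lib}\.so[.0-9]* =>" | head -n 1)
        if [ -z "$line" ]; then
            echo "FAIL: $lib is not a dynamic dependency (TLS library may be bundled)"
            return 1
        fi
        path=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$path" = "not" ]; then    # ldd prints "=> not found"
            echo "FAIL: $lib is not found by the loader"
            return 1
        fi
        ok=no
        for d in $allowed_dirs; do
            if [ "$(dirname "$path")" = "$d" ]; then ok=yes; fi
        done
        if [ "$ok" != yes ]; then
            echo "FAIL: $lib resolves outside the system directories: $path"
            return 1
        fi
    done
    echo "OK: libssl and libcrypto resolve to system libraries"
}
```

The check confirms only which library the loader resolves; it does not show whether that OpenSSL build is running in FIPS mode.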