UBI: Avoid upgrading OpenSSL in gitlab-toolbox (!2099) · Merge requests · GitLab.org / Build / CNG

What does this MR do?

Previously we had:

`registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v17.4.4-fips`

[root@e5d5969b48d0 gitlab]# ls -al /usr/lib64/libssl.so.3
lrwxrwxrwx 1 root root 15 Sep  5 09:04 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

`registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v17.4.4-fips`

bash-5.1# ls -al /usr/lib64/libssl.so.3
lrwxrwxrwx 1 root root 15 Sep  3 15:34 /usr/lib64/libssl.so.3 -> libssl.so.3.0.7

By default, UBI 9.4 includes OpenSSL 3.0.7, but running microdnf install openssl pulls in the RHEL 9 AppStream packages and upgrades the version to OpenSSL 3.2.2. Let's avoid updating toolbox to ensure all images have the same version.

This is particularly important because PostgreSQL 15.6 and 16.2 have a fix in the client library for OpenSSL 3.2 compatibility. GitLab 17.5 just upgraded to PostgreSQL 16.4 via !2010 (merged).

Related issues

https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/6891

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

Merge Request Title, and Description are up to date, accurate, and descriptive
MR targeting the appropriate branch
MR has a green pipeline on GitLab.com
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

Test plan indicating conditions for success has been posted and passes
Documentation created/updated
Integration tests added to GitLab QA
The impact any change in container size has should be evaluated
New dependencies are managed with GitLab forked renovatebot

Edited Nov 20, 2024 by Stan Hu

UBI: Avoid upgrading OpenSSL in gitlab-toolbox