
Use gitlab-grpc gem to link against OpenSSL

Stan Hu requested to merge sh-use-gitlab-grpc into master

What does this MR do and why?

gRPC links against an embedded BoringSSL library. However, for FIPS compliance we need to link against the system OpenSSL. The forked gitlab-grpc gem does this by default.

Note that Bundler's install_if will not actually attempt to install and compile gitlab-grpc. This will be used with the nightly FIPS builds that define USE_SYSTEM_SSL=true.

Relates to omnibus-gitlab#6687 (closed)

How to set up and validate locally

  1. See the test builds in https://dev.gitlab.org/gitlab/omnibus-gitlab/-/merge_requests/213. Note that we only build FIPS builds with CentOS 8, Ubuntu 18.04, and Ubuntu 20.04. The other failing builds use gcc 4.8.5, which is not supported by gRPC.
  2. Download the package and validate grpc_c.so is linked against the system OpenSSL. For example:
     wget https://omnibus-builds.s3.amazonaws.com/el-8-fips/gitlab-ee-14.8.3%2Brfbranch.fips.230033.a58b4f28-0.el8.x86_64.rpm
     rpm2cpio gitlab-ee-14.8.3+rfbranch.fips.230033.a58b4f28-0.el8.x86_64.rpm | cpio -idmv
     find . -name grpc_c.so | xargs ldd

Notice the libssl.so.1.1 link in gitlab-grpc but not in grpc:

$ find . -name grpc_c.so | xargs ldd
./opt/gitlab/embedded/lib/ruby/gems/2.7.0/extensions/x86_64-linux/2.7.0/gitlab-grpc-1.42.1.gitlab/grpc/grpc_c.so:
	linux-vdso.so.1 (0x00007ffc3dff1000)
	libssl.so.1.1 => /opt/gitlab/embedded/lib/libssl.so.1.1 (0x00007fe8df5c8000)
	libruby.so.2.7 => /opt/gitlab/embedded/lib/libruby.so.2.7 (0x00007fe8df200000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe8df0a4000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe8deeb2000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fe8dfd9d000)
	libcrypto.so.1.1 => /opt/gitlab/embedded/lib/libcrypto.so.1.1 (0x00007fe8debcd000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe8debaa000)
	libz.so.1 => /opt/gitlab/embedded/lib/libz.so.1 (0x00007fe8deb8b000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fe8deb81000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe8deb7b000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fe8deb40000)
./opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/grpc-1.42.0-x86_64-linux/src/ruby/lib/grpc/2.7/grpc_c.so:
	linux-vdso.so.1 (0x00007fff08f10000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f7cca29c000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7cca0aa000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7ccaa3c000)
./opt/gitlab/embedded/lib/ruby/gems/2.7.0/gems/gitlab-grpc-1.42.1.gitlab/src/ruby/lib/grpc/grpc_c.so:
	linux-vdso.so.1 (0x00007ffc355b3000)
	libssl.so.1.1 => /opt/gitlab/embedded/lib/libssl.so.1.1 (0x00007fc08e0fb000)
	libruby.so.2.7 => /opt/gitlab/embedded/lib/libruby.so.2.7 (0x00007fc08dd33000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fc08dbd7000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc08d9e5000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc08e8d0000)
	libcrypto.so.1.1 => /opt/gitlab/embedded/lib/libcrypto.so.1.1 (0x00007fc08d700000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc08d6dd000)
	libz.so.1 => /opt/gitlab/embedded/lib/libz.so.1 (0x00007fc08d6be000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc08d6b4000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc08d6ae000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fc08d673000)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
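
The linkage check from step 2, turned into a parser over multi-file ldd output so it can run as a build gate. This is an added example, not part of the merge request or GitLab's code; the function names, status labels and sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not GitLab's code). Classifies every object in multi-file
# `ldd` output by whether it dynamically links libssl and libcrypto.
# Real use: find . -name grpc_c.so | xargs ldd | check_ssl_linkage

# Prints one line per object: STATUS <TAB> object path <TAB> resolved libssl.
check_ssl_linkage() {
    awk '
        function emit() {
            if (obj == "") return
            if (ssl == "not-found" || crypto == "not-found") st = "UNRESOLVED"
            else if (ssl != "" && crypto != "") st = "OPENSSL"
            else st = "NO_DYNAMIC_SSL"   # e.g. a statically embedded TLS library
            printf "%s\t%s\t%s\n", st, obj, (ssl != "" ? ssl : "-")
        }
        # An object header is unindented and ends with a colon.
        /^[^ \t].*:$/ { emit(); obj = substr($0, 1, length($0) - 1)
                        ssl = ""; crypto = ""; next }
        # Dependency lines look like: libssl.so.1.1 => /path (0xaddr)
        $2 == "=>" && $1 ~ /^libssl\.so/    { ssl    = ($3 == "not") ? "not-found" : $3 }
        $2 == "=>" && $1 ~ /^libcrypto\.so/ { crypto = ($3 == "not") ? "not-found" : $3 }
        END { emit() }
    '
}

# Constructed sample input in the shape of the ldd output above (paths shortened).
sample_ldd_output() {
    cat <<'EOF'
./constructed/gitlab-grpc/grpc_c.so:
    linux-vdso.so.1 (0x00007ffc3dff1000)
    libssl.so.1.1 => /opt/gitlab/embedded/lib/libssl.so.1.1 (0x00007fe8df5c8000)
    libcrypto.so.1.1 => /opt/gitlab/embedded/lib/libcrypto.so.1.1 (0x00007fe8debcd000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe8deeb2000)
./constructed/grpc/grpc_c.so:
    linux-vdso.so.1 (0x00007fff08f10000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7cca0aa000)
./constructed/broken/grpc_c.so:
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => /opt/gitlab/embedded/lib/libcrypto.so.1.1 (0x00007fe8debcd000)
EOF
}

sample_ldd_output | check_ssl_linkage
```

The third column shows which libssl the loader resolves, which is the path to compare against the OpenSSL the FIPS build is expected to use. ldd omits the per-object header line when given a single file, in which case this parser reports nothing.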
