Ensure gitlab-rails's rugged gem works fine with system openssl for FIPS compliance

The following discussion from !5548 (merged) should be addressed:

• @balasankarc started a discussion: (+1 comment)

  None of my attempts to make rugged use the system openssl library seems to have worked. We might have no way other than bundling our own libgit2.

changed milestone to %14.3

added devopssystems groupdistribution sectioncore platform typemaintenance labels

assigned to @balasankarc

added to epic &6454 (closed)

added typefeature label

mentioned in merge request !5548 (merged)

added Deliverable label

unassigned @balasankarc

added [deprecated] Accepting merge requests label

mentioned in issue #6316 (closed)

added priority3 label

mentioned in issue gitlab-org/quality/triage-reports#4512 (closed)

@balasankarc would you like an extra set of eyes to help with this?

Because we decided to moverest of FIPS issues to %14.4 to focus on openshift in %14.3, I think this also should be moved.

But to answer your question - definitely. Any help is welcome.

/cc @mendeni @dorrino

assigned to @rmarshall

Per conversation with @mendeni today - assigning to self and taking it on for %14.3

mentioned in commit ecde2a50

mentioned in merge request !5591 (merged)

First thing found while building, we do not seem to be able to build gitaly on its own.

I have opened !5591 (merged) as a small iteration to fix.

I was able to successfully build, but not pass health check:

            [HealthCheck] E | 2021-09-09T23:12:36+00:00 | The following binaries have unsafe or unmet dependencies:

            [HealthCheck] E | 2021-09-09T23:12:36+00:00 | The following libraries cannot be guaranteed to be on target systems:
    --> /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8a1a151000)
    --> /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f8a19e68000)
    --> /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff9a62e0000)
    --> /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff9a5ff7000)
    --> /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff53e90d000)
    --> /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff53e624000)
    --> /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fa368c0a000)
    --> /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fa368921000)
    --> /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f68ff17d000)
    --> /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f68fee94000)

            [HealthCheck] E | 2021-09-09T23:12:36+00:00 | The precise failures were:
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/openssl.so
    DEPENDS ON: libssl.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f8a1a151000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/openssl.so
    DEPENDS ON: libcrypto.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f8a19e68000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/sha2.so
    DEPENDS ON: libssl.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff9a62e0000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/sha2.so
    DEPENDS ON: libcrypto.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff9a5ff7000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/sha1.so
    DEPENDS ON: libssl.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007ff53e90d000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/sha1.so
    DEPENDS ON: libcrypto.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007ff53e624000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/rmd160.so
    DEPENDS ON: libssl.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007fa368c0a000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/rmd160.so
    DEPENDS ON: libcrypto.so.1.1
      COUNT: 1
      PROVIDED BY: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007fa368921000)
      FAILED BECAUSE: Unsafe dependency
    --> /opt/simple/embedded/lib/ruby/2.7.0/x86_64-linux/digest/md5.so

This is the next hurdle to surmount, I am going to put together a Draft merge request with what I've done for review, it will include the change as noted in !5591 (merged)

Hmm, quite interesting. Now I cannot repeat the build, but that's since fixing a rubocop error.

I think it built, and generated the errors above, because of a syntax error.

Investigating - TL;DR - I set the env inside an if statement setting a variable, and the by product was likely setting it such that I passed no configuration in but did set the local library paths.

Validating that theory.

I have opened !5592 (merged) as draft.

Here's what's happened thus far:

without setting the libraries in the env, it looks like we get a build against the system SSL libraries.

This fails the health check.

I'm going to start from here; we shouldn't have to bring our own copy of the libgit2 library because rugged will do that for us, as seen in the proof of concept draft.

It's just a matter of co-ordinating all the environment and build options.

removed [deprecated] Accepting merge requests label