redict/redict-containers

Build redict with ssl support #25

Merged
ddevault merged 4 commits from diestl/redict-containers:build-with-ssl-support into main 2024-06-13 10:40:35 +02:00
Contributor

Achieved by passing the BUILD_TLS=yes option to make. As documented by https://redict.io/docs/usage/security/encryption/.

It is also necessary to add openssl as a run time dependency for the alpine image/container (what is the generic, non docker terminology here?) and libssl as a build time and run time dependency for the debian container.

The alpine container, as it appears in this PR, is how we're currently running redict in production. We've only just started doing that mind you, so I can't say for certain that there are no subtle bugs...

Achieved by passing the BUILD_TLS=yes option to make. libssl/openssl is required at run time
Remove extra newline
diestl changed title from "WIP: Build redict with ssl support" to "Build redict with ssl support" 2024-06-11 15:15:35 +02:00
mickenordin requested changes 2024-06-12 09:31:13 +02:00
Dismissed
mickenordin left a comment
Owner

I think these changes look good. However I would like to have the same thing for the "scratch" container. Can you add support for the same thing there? It likely means copying over some additional binaries from the build stage for ssl, although we do copy something over for that already.

Author
Contributor

I think what's copied over, which is the /lib/libssl.so.* set of shared objects (really it's /lib/libssl.so.3 in alpine 3.19) is practically the entire contents of the libssl3 package. There is what I think is the same file in /usr/lib/libssl.so.3, but I suspect it's just a copy/link.

The openssl package, which is what I install in the alpine container actually only adds the openssl binary, which is probably unnecessary anyway. I shall tweak that too.

Author
Contributor

For reference:

* The openssl package in alpine 3.19 contains only one executable: https://pkgs.alpinelinux.org/contents?branch=v3.19&name=openssl&arch=x86_64&repo=main
* The libssl3 package in alpine 3.19 contains only the shared libraries: https://pkgs.alpinelinux.org/contents?branch=v3.19&name=libssl3&arch=x86_64&repo=main

Which is all to say, I think the current set of files copied into the scratch container is sufficient and it is desirable to install libssl3 rather than openssl in the alpine container
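One way to check the "is the copied file set sufficient" question for a scratch image is to compare the binary's `ldd` output with the staged file tree. This is an added example, not code from the redict-containers repository; the function names, the sample `ldd` output and the staged directory are constructed for illustration, and the directory deliberately omits one library to show what the check reports.

```shell
#!/bin/sh
# Added example, not part of the redict-containers repository.

# missing_libs LDD_FILE ROOTFS
# Reads saved `ldd` output and prints every shared object path that does not
# exist under ROOTFS (the directory tree staged for the scratch image).
missing_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # "name => /path (addr)"
        $1 ~ /^\//               { print $1 }        # loader: "/path (addr)"
    ' "$1" | sort -u | while read -r path; do
        # -e follows symlinks, so a dangling link counts as missing too.
        [ -e "$2$path" ] || printf '%s\n' "$path"
    done
}

# demo: constructed ldd output for a TLS-enabled musl binary, checked against
# a constructed rootfs that deliberately lacks libcrypto.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/ldd.txt" <<'EOF'
    /lib/ld-musl-x86_64.so.1 (0x7f0000000000)
    libssl.so.3 => /lib/libssl.so.3 (0x7f0000100000)
    libcrypto.so.3 => /lib/libcrypto.so.3 (0x7f0000200000)
    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x7f0000000000)
EOF
    mkdir -p "$work/rootfs/lib"
    : > "$work/rootfs/lib/ld-musl-x86_64.so.1"
    : > "$work/rootfs/lib/libssl.so.3"
    missing_libs "$work/ldd.txt" "$work/rootfs"
    rm -rf "$work"
}

demo
```

On a real build, save the `ldd` output for the server binary in the build stage and pass the directory that is copied into the scratch image as the second argument; empty output means every listed library is present.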
mickenordin left a comment
Owner

As far as I can tell from building the images with this patch and starting the containers, this looks good. Haven't done any more thorough testing wrt ssl, but since it is just building the normal binary, I assume that is fine.


Thank you!
