nic-6443 commented on code in PR #13432:
URL: https://github.com/apache/apisix/pull/13432#discussion_r3297122225


##########
ci/linux-install-openresty.sh:
##########
@@ -22,38 +22,64 @@ source ./ci/common.sh
 export_version_info
 
 ARCH=${ARCH:-`(uname -m | tr '[:upper:]' '[:lower:]')`}
-arch_path=""
-if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
-    arch_path="arm64/"
-fi
-
-wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
-sudo apt-get -y update --fix-missing
-sudo apt-get -y install software-properties-common
-sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
-sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
-
-sudo apt-get update
-sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev build-essential 
gcc g++ cpanminus
 
 SSL_LIB_VERSION=${SSL_LIB_VERSION-openssl}
 ENABLE_FIPS=${ENABLE_FIPS:-"false"}
 
-if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
-    export openssl_prefix=/usr/local/tongsuo
-    export zlib_prefix=$OPENRESTY_PREFIX/zlib
-    export pcre_prefix=$OPENRESTY_PREFIX/pcre
+if [ "$SSL_LIB_VERSION" == "tongsuo" ] || [ "$ENABLE_FIPS" == "true" ]; then
+    arch_path=""
+    if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
+        arch_path="arm64/"
+    fi
 
-    export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
-    export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
-fi
+    wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+    wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
+    sudo apt-get -y update --fix-missing
+    sudo apt-get -y install software-properties-common
+    sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
+    sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"

Review Comment:
   This branch is intentionally left on the existing source-build path for 
Tongsuo/FIPS because those variants need custom runtime build options. The 
apt-key/HTTP cleanup is worth doing, but it is unrelated to switching the 
default OpenSSL CI path to prebuilt runtime packages, so I am not changing it 
in this PR.



##########
ci/linux-install-openresty.sh:
##########
@@ -22,38 +22,64 @@ source ./ci/common.sh
 export_version_info
 
 ARCH=${ARCH:-`(uname -m | tr '[:upper:]' '[:lower:]')`}
-arch_path=""
-if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
-    arch_path="arm64/"
-fi
-
-wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
-wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
-sudo apt-get -y update --fix-missing
-sudo apt-get -y install software-properties-common
-sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
-sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
-
-sudo apt-get update
-sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev build-essential 
gcc g++ cpanminus
 
 SSL_LIB_VERSION=${SSL_LIB_VERSION-openssl}
 ENABLE_FIPS=${ENABLE_FIPS:-"false"}
 
-if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
-    export openssl_prefix=/usr/local/tongsuo
-    export zlib_prefix=$OPENRESTY_PREFIX/zlib
-    export pcre_prefix=$OPENRESTY_PREFIX/pcre
+if [ "$SSL_LIB_VERSION" == "tongsuo" ] || [ "$ENABLE_FIPS" == "true" ]; then
+    arch_path=""
+    if [[ $ARCH == "arm64" ]] || [[ $ARCH == "aarch64" ]]; then
+        arch_path="arm64/"
+    fi
 
-    export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
-    export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
-fi
+    wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
+    wget -qO - http://repos.apiseven.com/pubkey.gpg | sudo apt-key add -
+    sudo apt-get -y update --fix-missing
+    sudo apt-get -y install software-properties-common
+    sudo add-apt-repository -y "deb 
https://openresty.org/package/${arch_path}ubuntu $(lsb_release -sc) main"
+    sudo add-apt-repository -y "deb 
http://repos.apiseven.com/packages/${arch_path}debian bullseye main"
+
+    sudo apt-get update
+    sudo apt-get install -y openresty-pcre-dev openresty-zlib-dev 
build-essential gcc g++ cpanminus
+
+    if [ "$SSL_LIB_VERSION" == "tongsuo" ]; then
+        export openssl_prefix=/usr/local/tongsuo
+        export zlib_prefix=$OPENRESTY_PREFIX/zlib
+        export pcre_prefix=$OPENRESTY_PREFIX/pcre
+
+        export cc_opt="-DNGX_LUA_ABORT_AT_PANIC -I${zlib_prefix}/include 
-I${pcre_prefix}/include -I${openssl_prefix}/include"
+        export ld_opt="-L${zlib_prefix}/lib -L${pcre_prefix}/lib 
-L${openssl_prefix}/lib64 
-Wl,-rpath,${zlib_prefix}/lib:${pcre_prefix}/lib:${openssl_prefix}/lib64"
+    fi
+
+    install_apisix_runtime
+
+    if [ ! "$ENABLE_FIPS" == "true" ]; then
+        curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
+            
https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
+    fi
+else
+    sudo apt-get -y update --fix-missing
+    sudo apt-get install -y build-essential gcc g++ cpanminus
+
+    case "$ARCH" in
+        x86_64|amd64)
+            DEB_ARCH="amd64"
+            ;;
+        arm64|aarch64)
+            DEB_ARCH="arm64"
+            ;;
+        *)
+            echo "Unsupported architecture: $ARCH" >&2
+            exit 1
+            ;;
+    esac
 
-install_apisix_runtime
+    
DEB_NAME="apisix-runtime-debug_${APISIX_RUNTIME}-0.debianbookworm-slim_${DEB_ARCH}.deb"
+    
RELEASE_URL="https://github.com/api7/apisix-build-tools/releases/download/apisix-runtime%2F${APISIX_RUNTIME}/${DEB_NAME}";
 
-if [ ! "$ENABLE_FIPS" == "true" ]; then
-curl -o /usr/local/openresty/openssl3/ssl/openssl.cnf \
-    
https://raw.githubusercontent.com/api7/apisix-build-tools/apisix-runtime/${APISIX_RUNTIME}/conf/openssl3/openssl.cnf
+    wget --no-verbose --tries=3 --retry-connrefused "$RELEASE_URL" -O 
"/tmp/$DEB_NAME"
+    sudo apt-get install -y "/tmp/$DEB_NAME"
+    rm -f "/tmp/$DEB_NAME"
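Review bot: The new `else` branch downloads the package to the fixed path `/tmp/$DEB_NAME` and then runs `sudo apt-get install` on it, so a root-level install reads from a predictable name in a world-writable directory. A private directory avoids that and keeps the downloaded file the same file that gets installed: `tmpdir=$(mktemp -d)`, `trap 'rm -rf -- "$tmpdir"' EXIT`, and `"$tmpdir/$DEB_NAME"` in the wget, apt-get and cleanup lines. The trap would also cover cleanup if the script exits before reaching `rm -f` (whether it aborts on a failed install is not visible here). Separately, the `curl -o` call that writes `openssl.cnf` earlier in the hunk has no `--fail`, so an HTTP error body would be saved as the OpenSSL config and the step would still succeed; `curl -fsSL -o ...` makes that a hard failure. The `else` branch continues past the end of the quoted hunk.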

Review Comment:
   Good point. I added SHA256 verification for the downloaded runtime package 
before installing it. The checksums are tied to the current APISIX_RUNTIME 
value from .requirements, so a future runtime bump has to update them 
explicitly.


