From 9f1b0d83097cacb233acd6f49958e994b9b3b906 Mon Sep 17 00:00:00 2001 From: Mauro Ezequiel Moltrasio Date: Thu, 4 Dec 2025 13:50:14 +0100 Subject: [PATCH] ROX-31430: use FIPS mode for gRPC communication With this patch, we move away from using the tonic provided TLS implementation to injecting a manually built native-tls configuration, then using that to create a hyper HttpsConnector and finally telling tonic to use that connector for handling the underlying HTTPs connections needed for gRPC. In case no TLS certificates are provided, plain HTTP is used. --- Cargo.lock | 258 +++++++++++++++++++++++++++------------- Cargo.toml | 7 +- Containerfile | 10 +- fact/Cargo.toml | 4 + fact/src/output/grpc.rs | 134 +++++++++++---------- konflux.Containerfile | 10 +- rpms.in.yaml | 2 + rpms.lock.yaml | 14 +++ 8 files changed, 291 insertions(+), 148 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3a79bb7e..ddcb3959 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -351,6 +351,22 @@ dependencies = [ "version_check", ] +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + +[[package]] +name = "core-foundation-sys" +version = "0.8.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" + [[package]] name = "crc32fast" version = "1.4.2" @@ -429,9 +445,12 @@ dependencies = [ "fact-ebpf", "http-body-util", "hyper", + "hyper-tls", "hyper-util", "libc", "log", + "native-tls", + "openssl", "prometheus-client", "prost", "prost-types", @@ -439,6 +458,7 @@ dependencies = [ "serde_json", "tempfile", "tokio", + "tokio-native-tls", "tokio-stream", "tonic", "uuid", 
@@ -493,6 +513,21 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + [[package]] name = "futures-channel" version = "0.3.31" @@ -532,17 +567,6 @@ dependencies = [ "pin-utils", ] -[[package]] -name = "getrandom" -version = "0.2.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" -dependencies = [ - "cfg-if", - "libc", - "wasi 0.11.1+wasi-snapshot-preview1", -] - [[package]] name = "getrandom" version = "0.3.3" @@ -692,6 +716,22 @@ dependencies = [ "tower-service", ] +[[package]] +name = "hyper-tls" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" +dependencies = [ + "bytes", + "http-body-util", + "hyper", + "hyper-util", + "native-tls", + "tokio", + "tokio-native-tls", + "tower-service", +] + [[package]] name = "hyper-util" version = "0.1.16" 
@@ -877,6 +917,23 @@ version = "0.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084" +[[package]] +name = "native-tls" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" +dependencies = [ + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "nom" version = "7.1.3" @@ -911,6 +968,50 @@ version = "1.70.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad" +[[package]] +name = "openssl" +version = "0.10.75" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328" +dependencies = [ + "bitflags", + "cfg-if", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "openssl-probe" +version = "0.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" + +[[package]] +name = "openssl-sys" +version = "0.9.111" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321" +dependencies = [ + "cc", + "libc", + "pkg-config", + "vcpkg", +] + [[package]] name = "parking_lot" version = "0.12.4" 
@@ -982,6 +1083,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "pkg-config" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" + [[package]] name = "portable-atomic" version = "1.11.1" @@ -1166,20 +1273,6 @@ version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" -[[package]] -name = "ring" -version = "0.17.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" -dependencies = [ - "cc", - "cfg-if", - "getrandom 0.2.16", - "libc", - "untrusted", - "windows-sys 0.52.0", -] - [[package]] name = "rustc-demangle" version = "0.1.25" 
@@ -1206,57 +1299,54 @@ dependencies = [ ] [[package]] -name = "rustls" -version = "0.23.29" +name = "rustversion" +version = "1.0.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2491382039b29b9b11ff08b76ff6c97cf287671dbb74f0be44bda389fffe9bd1" -dependencies = [ - "log", - "once_cell", - "ring", - "rustls-pki-types", - "rustls-webpki", - "subtle", - "zeroize", -] +checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d" [[package]] -name = "rustls-pki-types" -version = "1.12.0" +name = "ryu" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79" -dependencies = [ - "zeroize", -] +checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" [[package]] -name = "rustls-webpki" -version = "0.103.4" +name = "schannel" +version = "0.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a17884ae0c1b773f1ccd2bd4a8c72f16da897310a98b0e84bf349ad5ead92fc" +checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1" dependencies = [ - "ring", - "rustls-pki-types", - "untrusted", + "windows-sys 0.61.2", ] [[package]] -name = "rustversion" -version = "1.0.21" +name = "scopeguard" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a0d197bd2c9dc6e53b84da9556a69ba4cdfab8619eb41a8bd1cc2027a0f6b1d" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" [[package]] -name = "ryu" -version = "1.0.20" +name = "security-framework" +version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" +checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] 
[[package]] -name = "scopeguard" -version = "1.2.0" +name = "security-framework-sys" +version = "2.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" +checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" +dependencies = [ + "core-foundation-sys", + "libc", +] [[package]] name = "serde" @@ -1343,12 +1433,6 @@ version = "0.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - [[package]] name = "syn" version = "2.0.104" @@ -1373,7 +1457,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e8a64e3985349f2441a1a9ef0b853f869006c3855f2cda6862a94d26ebb9d6a1" dependencies = [ "fastrand", - "getrandom 0.3.3", + "getrandom", "once_cell", "rustix", "windows-sys 0.59.0", @@ -1430,12 +1514,12 @@ dependencies = [ ] [[package]] -name = "tokio-rustls" -version = "0.26.2" +name = "tokio-native-tls" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e727b36a1a0e8b74c376ac2211e40c2c8af09fb4013c60d910495810f008e9b" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" dependencies = [ - "rustls", + "native-tls", "tokio", ] @@ -1486,7 +1570,6 @@ dependencies = [ "socket2 0.6.0", "sync_wrapper", "tokio", - "tokio-rustls", "tokio-stream", "tower", "tower-layer", 
@@ -1613,12 +1696,6 @@ version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" -[[package]] -name = "untrusted" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" - [[package]] name = "utf8parse" version = "0.2.2" @@ -1631,11 +1708,17 @@ version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3cf4199d1e5d15ddd86a694e4d0dffa9c323ce759fea589f00fef9d81cc1931d" dependencies = [ - "getrandom 0.3.3", + "getrandom", "js-sys", "wasm-bindgen", ] +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.5" @@ -1724,6 +1807,12 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "windows-link" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" + [[package]] name = "windows-sys" version = "0.52.0" @@ -1742,6 +1831,15 @@ dependencies = [ "windows-targets", ] +[[package]] +name = "windows-sys" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc" +dependencies = [ + "windows-link", +] + [[package]] name = "windows-targets" version = "0.52.6" @@ -1825,9 +1923,3 @@ dependencies = [ "encoding_rs", "hashlink", ] - -[[package]] -name = "zeroize" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" diff --git a/Cargo.toml b/Cargo.toml index fd144c07..a7938bb6 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -18,23 +18,28 @@ clap = { version = "4.5.41", features = ["derive", "env"] } env_logger = { version = "0.11.5", default-features = false, features = ["humantime"] } http-body-util = "0.1.3" hyper = { version = "1.6.0", default-features = false } +hyper-tls = "0.6.0" hyper-util = { version = "0.1.16", default-features = false } libc = { version = "0.2.159", default-features = false } log = { version = "0.4.22", default-features = false } +native-tls = { version = "0.2.14", features = ["alpn"] } +openssl = "0.10.75" prometheus-client = { version = "0.24.0", default-features = false } prost = "0.14.0" prost-types = "0.14.0" serde = { version = "1.0.219", features = ["derive"] } serde_json = "1.0.142" tokio = { version = "1.40.0", default-features = false, features = [ + "fs", "macros", "rt", "rt-multi-thread", "net", "signal", ] } +tokio-native-tls = "0.3.1" tokio-stream = { version = "0.1.17", features = ["sync"] } -tonic = { version = "0.14.0", features = ["tls-ring"] } +tonic = { version = "0.14.0" } tonic-prost = "0.14.0" tonic-prost-build = "0.14.0" uuid = { version = "1.17.0", features = ["v4"] } diff --git a/Containerfile b/Containerfile index e01c58ed..ef52906d 100644 --- a/Containerfile +++ b/Containerfile @@ -3,6 +3,7 @@ FROM quay.io/centos/centos:stream9 AS builder RUN dnf install --enablerepo=crb -y \ clang \ libbpf-devel \ + openssl-devel \ protobuf-compiler \ protobuf-devel && \ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \ @@ -22,7 +23,14 @@ RUN --mount=type=cache,target=/root/.cargo/registry \ cargo build --release && \ cp target/release/fact fact -FROM registry.access.redhat.com/ubi9/ubi-micro:latest +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest + +RUN microdnf install -y openssl-libs && \ + microdnf clean all && \ + rpm --verbose -e --nodeps $( \ + rpm -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*' 'libyaml*' 'libarchive*' \ + ) && \ + rm -rf /var/cache/yum COPY --from=build /app/fact /usr/local/bin 
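Review bot: Nothing in this manifest records that TLS must stay on the system OpenSSL. A later edit that re-enables one of tonic's `tls-*` features, or turns on the `vendored` feature of `openssl` or `native-tls`, would still build and would presumably take the gRPC path off the FIPS-validated library again. A comment above the `native-tls` entry would guard against that, e.g. `# TLS goes through native-tls -> system OpenSSL for FIPS; do not enable "vendored" or tonic's tls-* features`. As a style point, `tonic = { version = "0.14.0" }` can be written `tonic = "0.14.0"`, like the neighbouring `prost` entries.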
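Review bot: The runtime stage `FROM registry.access.redhat.com/ubi9/ubi-minimal:latest` keeps a floating tag, and that image now also supplies the `openssl-libs` that `fact` loads at run time, so the TLS library in a given build is whatever `latest` resolved to that day. konflux.Containerfile pins the same base by digest; doing the same here, `FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest>`, would keep the two images comparable. The builder is CentOS Stream 9 and the runtime is UBI 9, so it is worth confirming that a binary built against the builder's `openssl-devel` loads against the runtime `openssl-libs`. The same package-stripping `RUN` block is added to konflux.Containerfile; a one-line comment in both copies on why ubi-minimal plus removal of rpm/dnf replaces ubi-micro would help.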
diff --git a/fact/Cargo.toml b/fact/Cargo.toml index 808635a1..8bbc97a2 100644 --- a/fact/Cargo.toml +++ b/fact/Cargo.toml @@ -12,11 +12,15 @@ clap = { workspace = true } env_logger = { workspace = true } http-body-util = { workspace = true } hyper = { workspace = true } +hyper-tls = { workspace = true } hyper-util = { workspace = true } libc = { workspace = true } log = { workspace = true } +native-tls = { workspace = true } +openssl = { workspace = true } tonic = { workspace = true } tokio = { workspace = true } +tokio-native-tls = { workspace = true } tokio-stream = { workspace = true } prometheus-client = { workspace = true } prost = { workspace = true } diff --git a/fact/src/output/grpc.rs b/fact/src/output/grpc.rs index 0cebb735..9ed220f4 100644 --- a/fact/src/output/grpc.rs +++ b/fact/src/output/grpc.rs @@ -1,9 +1,14 @@ -use std::{fs::read_to_string, path::Path, sync::Arc, time::Duration}; +use std::{sync::Arc, time::Duration}; -use anyhow::bail; +use anyhow::{bail, Context}; use fact_api::file_activity_service_client::FileActivityServiceClient; +use hyper_tls::HttpsConnector; +use hyper_util::client::legacy::connect::HttpConnector; use log::{debug, info, warn}; +use native_tls::{Certificate, Identity}; +use openssl::{ec::EcKey, pkey::PKey}; use tokio::{ + fs, sync::{broadcast, watch}, time::sleep, }; 
@@ -11,47 +16,10 @@ use tokio_stream::{ wrappers::{errors::BroadcastStreamRecvError, BroadcastStream}, StreamExt, }; -use tonic::{ - metadata::MetadataValue, - service::Interceptor, - transport::{Certificate, Channel, ClientTlsConfig, Endpoint, Identity}, -}; +use tonic::transport::Channel; use crate::{config::GrpcConfig, event::Event, metrics::EventCounter}; -struct Certs { - pub ca: Certificate, - pub identity: Identity, -} - -impl TryFrom<&Path> for Certs { - type Error = anyhow::Error; - - fn try_from(path: &Path) -> Result { - let ca = read_to_string(path.join("ca.pem"))?; - let ca = Certificate::from_pem(ca); - let cert = read_to_string(path.join("cert.pem"))?; - let key = read_to_string(path.join("key.pem"))?; - let identity = Identity::from_pem(cert, key); - - Ok(Self { ca, identity }) - } -} - -struct UserAgentInterceptor {} - -impl Interceptor for UserAgentInterceptor { - fn call( - &mut self, - mut request: tonic::Request<()>, - ) -> Result, tonic::Status> { - request - .metadata_mut() - .insert("user-agent", MetadataValue::from_static("Rox SFA Agent")); - Ok(request) - } -} - pub struct Client { rx: broadcast::Receiver>, running: watch::Receiver, 
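Review bot: With `UserAgentInterceptor` removed, nothing visible on the new side sets the `Rox SFA Agent` user-agent any more, and the commit message does not mention dropping it. The later hunk builds the client with `FileActivityServiceClient::new(channel)`. If the server or its logs rely on that value to identify the agent, it can be kept without an interceptor by setting it on the endpoint in `create_channel`, e.g. `let channel = Channel::from_shared(url)?.user_agent("Rox SFA Agent")?;`. If the removal is intentional, a line in the commit description would make that explicit.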
@@ -89,46 +57,88 @@ impl Client { info!("Stopping gRPC output..."); break; } - Err(e) => warn!("gRPC error: {e}"), + Err(e) => warn!("gRPC error: {e:?}"), } } }); } - fn create_channel(&self) -> anyhow::Result { - let config = self.config.borrow(); - let Some(url) = config.url() else { - bail!("Attempting to run gRPC client with no URL"); + async fn get_tls_connector(&self) -> anyhow::Result> { + let certs = { + let config = self.config.borrow(); + let Some(certs) = config.certs() else { + return Ok(None); + }; + certs.to_owned() + }; + let (ca, cert, key) = tokio::try_join!( + fs::read(certs.join("ca.pem")), + fs::read(certs.join("cert.pem")), + fs::read(certs.join("key.pem")), + )?; + let ca = Certificate::from_pem(&ca).context("Failed to parse CA")?; + + // The key is in PKCS#1 format using EC algorithm, we + // need it in PKCS#8 format for native-tls, so we + // convert it here + let key = EcKey::private_key_from_pem(&key)?; + let key = PKey::from_ec_key(key)?; + let key = key.private_key_to_pem_pkcs8()?; + + let id = Identity::from_pkcs8(&cert, &key).context("Failed to create TLS identity")?; + let connector = native_tls::TlsConnector::builder() + .add_root_certificate(ca) + .identity(id) + .request_alpns(&["h2"]) + .build()?; + Ok(Some(connector.into())) + } + + fn get_https_connector( + &self, + connector: Option, + ) -> Option> { + connector.map(|c| { + let mut http = HttpConnector::new(); + http.enforce_http(false); + let mut connector = HttpsConnector::from((http, c)); + connector.https_only(true); + connector + }) + } + + async fn create_channel( + &self, + connector: Option>, + ) -> anyhow::Result { + let url = match self.config.borrow().url() { + Some(url) => url.to_string(), + None => bail!("Attempting to run gRPC client with no URL"), + }; + let channel = Channel::from_shared(url)?; + let channel = match connector { + Some(connector) => channel.connect_with_connector(connector).await?, + None => channel.connect().await?, }; - let url = 
url.to_string(); - let certs = config.certs().map(Certs::try_from).transpose()?; - let mut channel = Channel::from_shared(url)?; - if let Some(certs) = certs { - let tls = ClientTlsConfig::new() - .domain_name("sensor.stackrox.svc") - .ca_certificate(certs.ca.clone()) - .identity(certs.identity.clone()); - channel = channel.tls_config(tls)?; - } Ok(channel) } async fn run(&mut self) -> anyhow::Result { - let channel = self.create_channel()?; + let tls_connector = self.get_tls_connector().await?; + let connector = self.get_https_connector(tls_connector); loop { info!("Attempting to connect to gRPC server..."); - let channel = match channel.connect().await { + let channel = match self.create_channel(connector.clone()).await { Ok(channel) => channel, Err(e) => { - debug!("Failed to connect to server: {e}"); - sleep(Duration::new(1, 0)).await; + debug!("Failed to connect to server: {e:?}"); + sleep(Duration::from_secs(1)).await; continue; } }; info!("Successfully connected to gRPC server"); - let mut client = - FileActivityServiceClient::with_interceptor(channel, UserAgentInterceptor {}); + let mut client = FileActivityServiceClient::new(channel); let metrics = self.metrics.clone(); let rx = @@ -149,7 +159,7 @@ impl Client { res = client.communicate(rx) => { match res { Ok(_) => info!("gRPC stream ended"), - Err(e) => warn!("gRPC stream error: {e}"), + Err(e) => warn!("gRPC stream error: {e:?}"), } } _ = self.config.changed() => return Ok(true), diff --git a/konflux.Containerfile b/konflux.Containerfile index c9e5e18b..e84dc327 100644 --- a/konflux.Containerfile +++ b/konflux.Containerfile @@ -6,6 +6,7 @@ RUN echo "Checking required FACT_TAG"; [[ "${FACT_TAG}" != "" ]] RUN dnf install -y \ clang \ libbpf-devel \ + openssl-devel \ protobuf-compiler \ protobuf-devel \ cargo \ 
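Review bot: The name used to verify the server certificate changes silently in `create_channel`: the removed code pinned `domain_name("sensor.stackrox.svc")`, while the `HttpsConnector` path appears to verify against whatever host is in the configured URL, so a URL given as an IP or alias that is not in the certificate's SANs would now fail the handshake. That requirement should be documented next to `Channel::from_shared(url)?`, e.g. `// The URL host is the name the server certificate is verified against; it must be present in the certificate's SANs`. In `get_tls_connector` the comment calls the key "PKCS#1", which is the RSA format (a traditional EC PEM is SEC1), and `EcKey::private_key_from_pem(&key)?` rejects RSA or already-PKCS#8 keys with no context; `let key = PKey::private_key_from_pem(&key).context("Failed to parse private key")?;` followed by `private_key_to_pem_pkcs8()` would accept all three. The `return Ok(None)` branch leads to a cleartext connection without any log line, so a `warn!` there would make an unencrypted deployment visible to operators. `run` continues past the end of this hunk.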
@@ -17,7 +18,7 @@ COPY . . RUN cargo build --release -FROM registry.access.redhat.com/ubi9/ubi-micro@sha256:f45ee3d1f8ea8cd490298769daac2ac61da902e83715186145ac2e65322ddfc8 +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:6fc28bcb6776e387d7a35a2056d9d2b985dc4e26031e98a2bd35a7137cd6fd71 ARG FACT_TAG @@ -39,6 +40,13 @@ LABEL \ # We also set it to not inherit one from a base stage in case it's RHEL or UBI. release="1" +RUN microdnf install -y openssl-libs && \ + microdnf clean all && \ + rpm --verbose -e --nodeps $( \ + rpm -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*' 'libyaml*' 'libarchive*' \ + ) && \ + rm -rf /var/cache/yum + COPY --from=builder /app/target/release/fact /usr/local/bin ENTRYPOINT ["fact"] diff --git a/rpms.in.yaml b/rpms.in.yaml index ebde2d1c..e5fe3dcc 100644 --- a/rpms.in.yaml +++ b/rpms.in.yaml @@ -5,6 +5,8 @@ packages: - cargo - clang - libbpf-devel +- openssl-libs +- openssl-devel - protobuf-compiler - protobuf-devel - rust diff --git a/rpms.lock.yaml b/rpms.lock.yaml index 75919b56..0008e648 100644 --- a/rpms.lock.yaml +++ b/rpms.lock.yaml @@ -200,6 +200,13 @@ arches: name: llvm-libs evr: 20.1.8-3.el9 sourcerpm: llvm-20.1.8-3.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/Packages/o/openssl-devel-3.5.1-4.el9_7.aarch64.rpm + repoid: rhel-9-for-aarch64-appstream-rpms + size: 4996902 + checksum: sha256:a250fae31cced54a51c0c4aacdd44855044652eb39f4141e23fe197d2528ff0b + name: openssl-devel + evr: 1:3.5.1-4.el9_7 + sourcerpm: openssl-3.5.1-4.el9_7.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/Packages/p/policycoreutils-python-utils-3.6-3.el9.noarch.rpm repoid: rhel-9-for-aarch64-appstream-rpms size: 77697 
@@ -1499,6 +1506,13 @@ arches: name: llvm-libs evr: 20.1.8-3.el9 sourcerpm: llvm-20.1.8-3.el9.src.rpm + - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/o/openssl-devel-3.5.1-4.el9_7.x86_64.rpm + repoid: rhel-9-for-x86_64-appstream-rpms + size: 4997984 + checksum: sha256:3aeba34c9a9c3313b16166111a1dfe61a29ffaff671bb8f0be95eb0e2dede860 + name: openssl-devel + evr: 1:3.5.1-4.el9_7 + sourcerpm: openssl-3.5.1-4.el9_7.src.rpm - url: https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os/Packages/p/policycoreutils-python-utils-3.6-3.el9.noarch.rpm repoid: rhel-9-for-x86_64-appstream-rpms size: 77697