chainguard-images / images

Public Chainguard Images
https://chainguard.dev/chainguard-images
Apache License 2.0

rust image build fails with "error: failed to run custom build command for `openssl-sys v0.9.102`" #2863

Closed rolinux closed 1 week ago

rolinux commented 1 month ago

Which image/versions are related to this issue/feature request?

Using the rust image:

docker images
REPOSITORY               TAG         IMAGE ID      CREATED     SIZE
cgr.dev/chainguard/rust  latest      263f2ccfb761  4 days ago  1 GB

with the Cargo.toml:

[package]
name = "versions"
version = "0.1.0"
edition = "2021"

[dependencies]
lettre = "0.11"
chrono = { version = "0.4", features = ["serde"] }
jsonpath_lib = "0.3"
reqwest = { version = "0.12", features = ["json"] }
rusqlite = { version = "0.31.0", features = ["bundled"] }
serde = "1.0"
serde_json = "1.0"
thiserror = "1.0"
tokio = { version = "1", features = ["full"] }

and the example Dockerfile and command:

ARG PACKAGE=myapp

FROM cgr.dev/chainguard/rust as build
WORKDIR /app
COPY . .
RUN cargo build --release

FROM cgr.dev/chainguard/glibc-dynamic
COPY --from=build --chown=nonroot:nonroot /app/target/release/${PACKAGE} /usr/local/bin/${PACKAGE}
CMD ["/usr/local/bin/${PACKAGE}"]

Getting the following error:

docker build -t versions --build-arg PACKAGE=versions .
[1/2] STEP 1/4: FROM cgr.dev/chainguard/rust AS build
[1/2] STEP 2/4: WORKDIR /app
--> Using cache 2709f0d1ae89d42ee059b530df70479e0549b31525aee90e39c5c49a9dc9edad
--> 2709f0d1ae89
[1/2] STEP 3/4: COPY . .
--> 386bd99b3e8f
[1/2] STEP 4/4: RUN cargo build --release
    Updating crates.io index
 Downloading crates ...
  Downloaded thiserror-impl v1.0.62
  Downloaded autocfg v1.3.0
  Downloaded tinyvec_macros v0.1.1
  Downloaded thiserror v1.0.62
  Downloaded want v0.3.1
  Downloaded zeroize v1.8.1
  Downloaded version_check v0.9.4
  Downloaded unicode-bidi v0.3.15
  Downloaded url v2.5.2
  Downloaded serde v1.0.204
  Downloaded nom v7.1.3
  Downloaded mio v0.8.11
  Downloaded unicode-normalization v0.1.23
  Downloaded zerocopy v0.7.35
  Downloaded vcpkg v0.2.15
  Downloaded rustls-webpki v0.102.5
  Downloaded chrono v0.4.38
  Downloaded reqwest v0.12.5
  Downloaded syn v2.0.71
  Downloaded openssl v0.10.64
  Downloaded jsonpath_lib v0.3.0
  Downloaded idna v0.5.0
  Downloaded lettre v0.11.7
  Downloaded h2 v0.4.5
  Downloaded futures-util v0.3.30
  Downloaded rustls v0.23.11
  Downloaded serde_json v1.0.120
  Downloaded rusqlite v0.31.0
  Downloaded hyper v1.4.1
  Downloaded hashbrown v0.14.5
  Downloaded minimal-lexical v0.2.1
  Downloaded memchr v2.7.4
  Downloaded http v1.1.0
  Downloaded indexmap v2.2.6
  Downloaded hyper-util v0.1.6
  Downloaded chumsky v0.9.3
  Downloaded libc v0.2.155
  Downloaded cc v1.1.2
  Downloaded base64 v0.22.1
  Downloaded tracing v0.1.40
  Downloaded tower v0.4.13
  Downloaded tokio-util v0.7.11
  Downloaded socket2 v0.5.7
  Downloaded ryu v1.0.18
  Downloaded openssl-sys v0.9.102
  Downloaded tracing-core v0.1.32
  Downloaded tokio v1.38.0
  Downloaded serde_derive v1.0.204
  Downloaded proc-macro2 v1.0.86
  Downloaded pin-project v1.1.5
  Downloaded bytes v1.6.1
  Downloaded allocator-api2 v0.2.18
  Downloaded unicode-ident v1.0.12
  Downloaded tokio-macros v2.3.0
  Downloaded smallvec v1.13.2
  Downloaded pin-project-internal v1.1.5
  Downloaded encoding_rs v0.8.34
  Downloaded parking_lot v0.12.3
  Downloaded num-traits v0.2.19
  Downloaded log v0.4.22
  Downloaded hashlink v0.9.1
  Downloaded bitflags v2.6.0
  Downloaded ahash v0.8.11
  Downloaded untrusted v0.9.0
  Downloaded try-lock v0.2.5
  Downloaded tokio-rustls v0.26.0
  Downloaded tokio-native-tls v0.3.1
  Downloaded spin v0.9.8
  Downloaded rustls-pki-types v1.7.0
  Downloaded rustls-pemfile v2.1.2
  Downloaded quote v1.0.36
  Downloaded pkg-config v0.3.30
  Downloaded pin-project-lite v0.2.14
  Downloaded parking_lot_core v0.9.10
  Downloaded once_cell v1.19.0
  Downloaded native-tls v0.2.12
  Downloaded lock_api v0.4.12
  Downloaded ipnet v2.9.0
  Downloaded iana-time-zone v0.1.60
  Downloaded hyper-rustls v0.27.2
  Downloaded httparse v1.9.4
  Downloaded http-body-util v0.1.2
  Downloaded hostname v0.4.0
  Downloaded getrandom v0.2.15
  Downloaded futures-task v0.3.30
  Downloaded futures-io v0.3.30
  Downloaded futures-core v0.3.30
  Downloaded futures-channel v0.3.30
  Downloaded form_urlencoded v1.2.1
  Downloaded fnv v1.0.7
  Downloaded fastrand v2.1.0
  Downloaded fallible-streaming-iterator v0.1.9
  Downloaded fallible-iterator v0.3.0
  Downloaded email_address v0.2.5
  Downloaded email-encoding v0.3.0
  Downloaded tower-service v0.3.2
  Downloaded tower-layer v0.3.2
  Downloaded sync_wrapper v1.0.1
  Downloaded openssl-macros v0.1.1
  Downloaded futures-sink v0.3.30
  Downloaded subtle v2.6.1
  Downloaded stacker v0.1.15
  Downloaded slab v0.4.9
  Downloaded signal-hook-registry v1.4.2
  Downloaded serde_urlencoded v0.7.1
  Downloaded scopeguard v1.2.0
  Downloaded quoted_printable v0.5.0
  Downloaded psm v0.1.21
  Downloaded percent-encoding v2.3.1
  Downloaded num_cpus v1.16.0
  Downloaded mime v0.3.17
  Downloaded itoa v1.0.11
  Downloaded hyper-tls v0.6.0
  Downloaded httpdate v1.0.3
  Downloaded cfg-if v1.0.0
  Downloaded pin-utils v0.1.0
  Downloaded tinyvec v1.8.0
  Downloaded openssl-probe v0.1.5
  Downloaded http-body v1.0.1
  Downloaded foreign-types-shared v0.1.1
  Downloaded foreign-types v0.3.2
  Downloaded equivalent v1.0.1
  Downloaded atomic-waker v1.1.2
  Downloaded ring v0.17.8
  Downloaded libsqlite3-sys v0.28.0
   Compiling proc-macro2 v1.0.86
   Compiling unicode-ident v1.0.12
   Compiling cfg-if v1.0.0
   Compiling libc v0.2.155
   Compiling autocfg v1.3.0
   Compiling cc v1.1.2
   Compiling once_cell v1.19.0
   Compiling version_check v0.9.4
   Compiling quote v1.0.36
   Compiling ahash v0.8.11
   Compiling vcpkg v0.2.15
   Compiling syn v2.0.71
   Compiling pkg-config v0.3.30
   Compiling zerocopy v0.7.35
   Compiling allocator-api2 v0.2.18
   Compiling pin-project-lite v0.2.14
   Compiling lock_api v0.4.12
   Compiling parking_lot_core v0.9.10
   Compiling bytes v1.6.1
   Compiling smallvec v1.13.2
   Compiling hashbrown v0.14.5
   Compiling slab v0.4.9
   Compiling scopeguard v1.2.0
   Compiling futures-core v0.3.30
   Compiling itoa v1.0.11
   Compiling openssl-sys v0.9.102
   Compiling socket2 v0.5.7
   Compiling memchr v2.7.4
error: failed to run custom build command for `openssl-sys v0.9.102`

Caused by:
  process didn't exit successfully: `/app/target/release/build/openssl-sys-d64035dfe9ac851b/build-script-main` (exit status: 101)
  --- stdout
  cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR
  X86_64_UNKNOWN_LINUX_GNU_OPENSSL_LIB_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_LIB_DIR
  OPENSSL_LIB_DIR unset
  cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR
  X86_64_UNKNOWN_LINUX_GNU_OPENSSL_INCLUDE_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR
  OPENSSL_INCLUDE_DIR unset
  cargo:rerun-if-env-changed=X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR
  X86_64_UNKNOWN_LINUX_GNU_OPENSSL_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_DIR
  OPENSSL_DIR unset
  cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG
  cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG
  cargo:rerun-if-env-changed=PKG_CONFIG
  cargo:rerun-if-env-changed=OPENSSL_STATIC
  cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
  cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
  cargo:rerun-if-env-changed=PKG_CONFIG_PATH
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
  cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-linux-gnu
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_linux_gnu
  cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
  cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
  run pkg_config fail: 
  pkg-config exited with status code 1
  > PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 pkg-config --libs --cflags openssl

  The system library `openssl` required by crate `openssl-sys` was not found.
  The file `openssl.pc` needs to be installed and the PKG_CONFIG_PATH environment variable must contain its parent directory.
  The PKG_CONFIG_PATH environment variable is not set.

  HINT: if you have installed the library, try setting PKG_CONFIG_PATH to the directory containing `openssl.pc`.

  --- stderr
  thread 'main' panicked at /home/nonroot/.cargo/registry/src/index.crates.io-6f17d22bba15001f/openssl-sys-0.9.102/build/find_normal.rs:190:5:

  Could not find directory of OpenSSL installation, and this `-sys` crate cannot
  proceed without this knowledge. If OpenSSL is installed and this crate had
  trouble finding it,  you can set the `OPENSSL_DIR` environment variable for the
  compilation process.

  Make sure you also have the development packages of openssl installed.
  For example, `libssl-dev` on Ubuntu or `openssl-devel` on Fedora.

  If you're in a situation where you think the directory *should* be found
  automatically, please open a bug at https://github.com/sfackler/rust-openssl
  and include information about your system as well as this message.

  $HOST = x86_64-unknown-linux-gnu
  $TARGET = x86_64-unknown-linux-gnu
  openssl-sys = 0.9.102

  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
Error: building at STEP "RUN cargo build --release": while running runtime: exit status 101

Is this a problem with dependencies/crates or with the rust image? I've noticed that go has a version called go-openssl but didn't find one for rust.

Anything else I can help with to debug this further?

Thank you, Radu

Issue/Feature description

Running on x86_64

amouat commented 1 month ago

The openssl crate needs the openssl library. Try using the cgr.dev/chainguard/rust:latest-dev image and adding apk add openssl-dev to your Dockerfile. (I've not tested this).

crasite commented 1 month ago

> The openssl crate needs the openssl library. Try using the cgr.dev/chainguard/rust:latest-dev image and adding apk add openssl-dev to your Dockerfile. (I've not tested this).

Can confirm that this almost works.

ARG PACKAGE=myapp

FROM cgr.dev/chainguard/rust:latest-dev as build
USER root
RUN apk update && apk add openssl-dev
WORKDIR /app
COPY . .
RUN cargo build --release

FROM cgr.dev/chainguard/glibc-dynamic
COPY --from=build --chown=nonroot:nonroot /app/target/release/${PACKAGE} /usr/local/bin/${PACKAGE}
CMD ["/usr/local/bin/${PACKAGE}"]

This now builds the image, but the final image isn't able to run. It outputs an error stating:

/usr/local/bin/myapp: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

It looks like glibc-dynamic doesn't contain openssl. The only option is to use glibc-dynamic:latest-dev to install openssl, but then it bloats the final binary size by around 50 MB and adds unnecessary binaries.

rolinux commented 1 month ago

The following Dockerfile works and the image generated is 68.8 MB:

ARG PACKAGE=myapp

FROM cgr.dev/chainguard/rust:latest-dev as build
USER root
RUN apk update && apk add openssl-dev
WORKDIR /app
COPY . .
RUN cargo install --path .

FROM cgr.dev/chainguard/glibc-dynamic:latest-dev
USER root
RUN apk update && apk add openssl-dev
COPY --from=build --chown=nonroot:nonroot /root/.cargo/bin/${PACKAGE} /usr/local/bin/${PACKAGE}
USER nonroot
CMD ["/usr/local/bin/${PACKAGE}"]

Unsure if there is a better way to deal with rust compilation when openssl is required.

crasite commented 1 month ago

I found a better way to create the image. Here's my Dockerfile:

FROM cgr.dev/chainguard/rust:latest-dev AS build
WORKDIR /app
COPY . .
USER root
RUN apk update && apk add libssl3 openssl-dev libcrypto3
RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/app/target \
    cargo build --release && cp /app/target/release/myapp ./myapp

FROM cgr.dev/chainguard/glibc-dynamic
COPY --from=build /usr/lib/libssl.so.3 /usr/lib/libssl.so.3
COPY --from=build /usr/lib/libcrypto.so.3 /usr/lib/libcrypto.so.3 
COPY --from=build --chown=nonroot:nonroot /app/myapp /usr/local/bin/myapp
CMD ["/usr/local/bin/myapp"]

You could copy the libraries from the build part to the final image. The process I used to figure this out includes:

  1. docker run -it --rm cgr.dev/chainguard/wolfi-base /bin/sh -l : run the base wolfi image and do apk update
  2. apk info libssl3 -L : run this inside the container to see what files are included in the package. (my application also required libcrypto3, but yours could be different)
  3. Copy those files into the final image.

The final image size for me is ~20MB which is expected.
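
A way to check which libraries the runtime stage still lacks before shipping it, as an added example that is not part of the thread or of Chainguard's tooling: it reads the `NEEDED` entries from `readelf -d` output and reports every soname with no file under a given root filesystem. The function names, the sample `readelf` output, the stand-in rootfs and the list of library directories are assumptions; in real use, pipe `readelf -d` of the built binary into `needed_sonames` and point `missing_in_rootfs` at an unpacked copy of the runtime image.

```shell
#!/bin/sh
# Added example (not from the thread): report shared libraries a binary
# needs that a runtime image's root filesystem does not provide.

# Print DT_NEEDED sonames from `readelf -d` output read on stdin.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Read sonames on stdin; print those absent from ROOT's library directories.
# Assumption: default directories only (no RPATH/RUNPATH or ld.so.conf paths).
missing_in_rootfs() {
    root=$1
    while IFS= read -r soname; do
        found=no
        for dir in lib lib64 usr/lib usr/lib64; do
            if [ -e "$root/$dir/$soname" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$soname"
    done
}

# Constructed sample of `readelf -d myapp` output for a binary linked to OpenSSL.
sample_readelf() {
    cat <<'EOF'
Dynamic section at offset 0x5f2d10 contains 32 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libgcc_s.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libm.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x5d000
EOF
}

# Check the sample against a constructed rootfs that holds only glibc and
# libgcc files (a stand-in for the runtime stage before OpenSSL is copied in).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib"
    for lib in libgcc_s.so.1 libm.so.6 libc.so.6; do
        : > "$root/usr/lib/$lib"
    done
    sample_readelf | needed_sonames | missing_in_rootfs "$root"
    rm -rf "$root"
}

demo
```

Libraries brought in with `COPY --from=build` are not recorded in the final image's apk database, so package-based scanners will not report the OpenSSL version there. Rebuild the image whenever libssl3 or libcrypto3 is updated in the build stage.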

rolinux commented 1 week ago

Thank you @crasite, this works as expected