From b7a3f98fab4d404df1afc2b88d8321a834126c72 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 09:48:56 -0400 Subject: [PATCH 01/10] dockerfile: compile openssl instead of using the one bundled on the crystal alpine image. --- docker/Dockerfile | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 4cfc3c726..f64adbc55 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,6 +1,20 @@ -FROM crystallang/crystal:1.16.3-alpine AS builder +# https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 +ARG OPENSSL_VERSION='3.5.2' +FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal + +FROM dependabot-crystal AS openssl-builder +RUN apk add curl perl linux-headers + +WORKDIR / + +ARG OPENSSL_VERSION +RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" | tar xz +RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j + +FROM dependabot-crystal AS builder RUN apk add --no-cache sqlite-static yaml-static +RUN apk del openssl-dev openssl-libs-static ARG release @@ -20,13 +34,19 @@ COPY ./assets/ ./assets/ COPY ./videojs-dependencies.yml ./videojs-dependencies.yml RUN crystal spec --warnings all \ - --link-flags "-lxml2 -llzma" +--link-flags "-lxml2 -llzma" + +ARG OPENSSL_VERSION +COPY --from=openssl-builder /openssl-${OPENSSL_VERSION} /openssl-${OPENSSL_VERSION} + RUN --mount=type=cache,target=/root/.cache/crystal if [[ "${release}" == 1 ]] ; then \ + PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION} \ crystal build ./src/invidious.cr \ --release \ --static --warnings all \ --link-flags "-lxml2 -llzma"; \ else \ + PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION} \ crystal build ./src/invidious.cr \ --static --warnings all \ --link-flags "-lxml2 -llzma"; \ From 258b7e1fc414bb84a7a12814dc914c798cc41714 Mon Sep 17 00:00:00 2001 
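Review bot: In PATCH 01/10, hunk `@@ -1,6 +1,20 @@` of docker/Dockerfile, `./Configure --openssldir=/etc/ssl` uses OpenSSL's default configuration, which also builds the shared libraries (and typically the test programs), although the later `crystal build --static` step can only use the static archives. Passing `no-shared no-tests` would leave only `libssl.a`/`libcrypto.a` in the tree that `PKG_CONFIG_PATH` later points at, and would shorten the build. Replacing `RUN cd openssl-${OPENSSL_VERSION} && …` with `WORKDIR /openssl-${OPENSSL_VERSION}` followed by `RUN ./Configure no-shared no-tests --openssldir=/etc/ssl && make …` also avoids `cd` inside `RUN`. The same stage is copied into docker/Dockerfile.arm64 in PATCH 04/10.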
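Review bot: In PATCH 01/10, hunk `@@ -20,13 +34,19 @@` of docker/Dockerfile, `RUN crystal spec` still runs before `COPY --from=openssl-builder …` and without `PKG_CONFIG_PATH`. The specs are therefore compiled against whatever OpenSSL is left in the image (possibly none after `apk del openssl-dev openssl-libs-static`), not the build that ends up in the release binary. Moving the `ARG OPENSSL_VERSION` / `COPY --from=openssl-builder` pair above the spec step and declaring `ENV PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION}` once in this stage would cover the specs and remove the duplicated assignment in both `crystal build` branches; this assumes the runtime image is a separate stage, which is not visible here. The second hunk of docker/Dockerfile.arm64 in PATCH 04/10 has the same ordering, and the `RUN … if [[ … ]]` block continues past the end of the hunk.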
From: Fijxu Date: Tue, 2 Sep 2025 10:05:20 -0400 Subject: [PATCH 02/10] fix formatting --- docker/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index f64adbc55..a43f41e23 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -34,7 +34,7 @@ COPY ./assets/ ./assets/ COPY ./videojs-dependencies.yml ./videojs-dependencies.yml RUN crystal spec --warnings all \ ---link-flags "-lxml2 -llzma" + --link-flags "-lxml2 -llzma" ARG OPENSSL_VERSION COPY --from=openssl-builder /openssl-${OPENSSL_VERSION} /openssl-${OPENSSL_VERSION} From cbf8cd07cee9a5abfa605b51ab87f468eb3812e5 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 11:03:45 -0400 Subject: [PATCH 03/10] CI: add --no-cache to openssl-builder --- docker/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index a43f41e23..374a5bae0 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -3,7 +3,7 @@ ARG OPENSSL_VERSION='3.5.2' FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal FROM dependabot-crystal AS openssl-builder -RUN apk add curl perl linux-headers +RUN apk add --no-cache curl perl linux-headers WORKDIR / From 28633346c0112d4c427522a13e8670b8744dac0c Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 11:06:23 -0400 Subject: [PATCH 04/10] CI: add Dockerfile.arm64 version --- docker/Dockerfile.arm64 | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 758e79506..1b128806c 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 
@@ -1,6 +1,20 @@ -FROM alpine:3.21 AS builder +# https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 +ARG OPENSSL_VERSION='3.5.2' +FROM alpine:3.21 AS dependabot-alpine + +FROM dependabot-alpine AS openssl-builder +RUN apk add --no-cache curl perl linux-headers build-base + +WORKDIR / + +ARG OPENSSL_VERSION +RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" | tar xz +RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j + +FROM dependabot-alpine AS builder RUN apk add --no-cache 'crystal=1.14.0-r0' shards sqlite-static yaml-static yaml-dev libxml2-static \ - zlib-static openssl-libs-static openssl-dev musl-dev xz-static + zlib-static musl-dev xz-static +RUN apk del openssl-dev openssl-libs-static ARG release @@ -22,12 +36,17 @@ COPY ./videojs-dependencies.yml ./videojs-dependencies.yml RUN crystal spec --warnings all \ --link-flags "-lxml2 -llzma" +ARG OPENSSL_VERSION +COPY --from=openssl-builder /openssl-${OPENSSL_VERSION} /openssl-${OPENSSL_VERSION} + RUN --mount=type=cache,target=/root/.cache/crystal if [[ "${release}" == 1 ]] ; then \ + PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION} \ crystal build ./src/invidious.cr \ --release \ --static --warnings all \ --link-flags "-lxml2 -llzma"; \ else \ + PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION} \ crystal build ./src/invidious.cr \ --static --warnings all \ --link-flags "-lxml2 -llzma"; \ From c707122a45ecca1ebd5ea16355cc4a65d1f3d604 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 11:08:37 -0400 Subject: [PATCH 05/10] add comment why we compile openssl ourselves --- docker/Dockerfile | 4 ++++ docker/Dockerfile.arm64 | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/docker/Dockerfile b/docker/Dockerfile index 374a5bae0..ff96d623b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
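Review bot: In PATCH 04/10, hunk `@@ -22,12 +36,17 @@` of docker/Dockerfile.arm64, nothing checks that the build really resolves `libssl` from `/openssl-${OPENSSL_VERSION}`. If pkg-config is absent or finds no `.pc` file in that directory, the link may fall back to a system OpenSSL pulled in as a dependency of `crystal` or `shards` (inferred; the package dependency list is not visible here). A guard before the build step would make that failure explicit, for example `RUN test "$(PKG_CONFIG_PATH=/openssl-${OPENSSL_VERSION} pkg-config --modversion libssl)" = "${OPENSSL_VERSION}"`. This matters more on arm64, where `openssl-dev` and `openssl-libs-static` are only dropped from the `apk add` list and the `apk del` line is removed again in PATCH 07/10; the same guard would fit docker/Dockerfile.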
@@ -1,5 +1,9 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' + +# We compile openssl ourselves due to a memory leak in how crystal interacts +# with openssl +# Reference: https://github.com/iv-org/invidious/issues/1438#issuecomment-3087636228 FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal FROM dependabot-crystal AS openssl-builder diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 1b128806c..8a56de107 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 @@ -1,5 +1,9 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' + +# We compile openssl ourselves due to a memory leak in how crystal interacts +# with openssl +# Reference: https://github.com/iv-org/invidious/issues/1438#issuecomment-3087636228 FROM alpine:3.21 AS dependabot-alpine FROM dependabot-alpine AS openssl-builder From 0e4204c971482a28f4c5cac99361bfa788b9d71b Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 11:09:58 -0400 Subject: [PATCH 06/10] fix wrong position of comment --- docker/Dockerfile | 4 ++-- docker/Dockerfile.arm64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index ff96d623b..b4bbfc92a 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,11 +1,11 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' +FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal + # We compile openssl ourselves due to a memory leak in how crystal interacts # with openssl # Reference: https://github.com/iv-org/invidious/issues/1438#issuecomment-3087636228 -FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal - FROM dependabot-crystal AS openssl-builder RUN apk add --no-cache curl perl linux-headers diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 8a56de107..536dacc77 100644 --- a/docker/Dockerfile.arm64 
+++ b/docker/Dockerfile.arm64 @@ -1,11 +1,11 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' +FROM alpine:3.21 AS dependabot-alpine + # We compile openssl ourselves due to a memory leak in how crystal interacts # with openssl # Reference: https://github.com/iv-org/invidious/issues/1438#issuecomment-3087636228 -FROM alpine:3.21 AS dependabot-alpine - FROM dependabot-alpine AS openssl-builder RUN apk add --no-cache curl perl linux-headers build-base From 18b15dceb9d4578e94b1fb0ba46058d318827b53 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Tue, 2 Sep 2025 11:30:22 -0400 Subject: [PATCH 07/10] oopsie --- docker/Dockerfile.arm64 | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 536dacc77..ac1a3646f 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 @@ -18,7 +18,6 @@ RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make - FROM dependabot-alpine AS builder RUN apk add --no-cache 'crystal=1.14.0-r0' shards sqlite-static yaml-static yaml-dev libxml2-static \ zlib-static musl-dev xz-static -RUN apk del openssl-dev openssl-libs-static ARG release From 9ddee6304dc1326f6f192249d21efea10c2a8c8e Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 6 Sep 2025 15:54:45 -0400 Subject: [PATCH 08/10] verify openssl checksums --- docker/Dockerfile | 5 ++++- docker/Dockerfile.arm64 | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index b4bbfc92a..557837e43 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -12,7 +12,10 @@ RUN apk add --no-cache curl perl linux-headers WORKDIR / ARG OPENSSL_VERSION -RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" | tar xz +RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" --output openssl-${OPENSSL_VERSION}.tar.gz +RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c +RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz + RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j FROM dependabot-crystal AS builder diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index ac1a3646f..994ab0674 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 @@ -12,7 +12,10 @@ RUN apk add --no-cache curl perl linux-headers build-base WORKDIR / ARG OPENSSL_VERSION -RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" | tar xz +RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" --output openssl-${OPENSSL_VERSION}.tar.gz +RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c +RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz + RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j FROM dependabot-alpine AS builder From 539ae2d1f6fed6da96004e8b9fa1ea456dce8544 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 6 Sep 2025 15:59:05 -0400 Subject: [PATCH 09/10] set nproc for openssl make --- docker/Dockerfile | 2 +- docker/Dockerfile.arm64 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 557837e43..1ac793e82 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
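Review bot: In PATCH 08/10, first hunk of docker/Dockerfile, `curl -Ls … --output` has no `-f`, so an HTTP error page is saved under the tarball name and the build only stops at `sha256sum -c`, with a checksum mismatch that reads like tampering rather than a failed download. `-s` without `-S` also hides the transport error, and `curl -fsSL` would fail at the download step with the real cause. Download, verification and extraction could share one `RUN` joined with `&&`, so that an unverified tarball never exists as a cached layer on its own, and `tar -xzf` without `v` keeps the build log readable. The same three lines are added to docker/Dockerfile.arm64 in the second hunk of this patch.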
@@ -16,7 +16,7 @@ RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPE RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz -RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j +RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j$(nproc) FROM dependabot-crystal AS builder diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 994ab0674..5351bbd2e 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 @@ -16,7 +16,7 @@ RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPE RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz -RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j +RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j$(nproc) FROM dependabot-alpine AS builder RUN apk add --no-cache 'crystal=1.14.0-r0' shards sqlite-static yaml-static yaml-dev libxml2-static \ From 53de719b9d0af618b500df2c39302adaf77b31e7 Mon Sep 17 00:00:00 2001 From: Fijxu Date: Sat, 6 Sep 2025 17:29:51 -0400 Subject: [PATCH 10/10] use ARG for openssl sha256 checksum --- docker/Dockerfile | 4 +++- docker/Dockerfile.arm64 | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 1ac793e82..3e0d2f7f2 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,6 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' +ARG OPENSSL_SHA256='c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec' FROM crystallang/crystal:1.16.3-alpine AS dependabot-crystal 
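Review bot: In PATCH 10/10, hunk `@@ -1,5 +1,6 @@` of docker/Dockerfile, `OPENSSL_SHA256` is introduced without a comment tying it to `OPENSSL_VERSION`, and the comment above it still only links the release tag. I would add `# SHA-256 of openssl-${OPENSSL_VERSION}.tar.gz; must be updated together with OPENSSL_VERSION` above the new `ARG`, and state in it where the value was taken from. A digest computed from the same download only pins the file against later change; checking it once against the project's signed release artefacts when bumping the version gives it independent authenticity. The identical `ARG` is added to docker/Dockerfile.arm64 later in this patch, so both files have to be bumped in step.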
@@ -12,8 +13,9 @@ RUN apk add --no-cache curl perl linux-headers WORKDIR / ARG OPENSSL_VERSION +ARG OPENSSL_SHA256 RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" --output openssl-${OPENSSL_VERSION}.tar.gz -RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c +RUN echo "${OPENSSL_SHA256} openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j$(nproc) diff --git a/docker/Dockerfile.arm64 b/docker/Dockerfile.arm64 index 5351bbd2e..b02cc8cef 100644 --- a/docker/Dockerfile.arm64 +++ b/docker/Dockerfile.arm64 @@ -1,5 +1,6 @@ # https://github.com/openssl/openssl/releases/tag/openssl-3.5.2 ARG OPENSSL_VERSION='3.5.2' +ARG OPENSSL_SHA256='c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec' FROM alpine:3.21 AS dependabot-alpine @@ -12,8 +13,9 @@ RUN apk add --no-cache curl perl linux-headers build-base WORKDIR / ARG OPENSSL_VERSION +ARG OPENSSL_SHA256 RUN curl -Ls "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz" --output openssl-${OPENSSL_VERSION}.tar.gz -RUN echo "c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c +RUN echo "${OPENSSL_SHA256} openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c RUN tar -xzvf openssl-${OPENSSL_VERSION}.tar.gz RUN cd openssl-${OPENSSL_VERSION} && ./Configure --openssldir=/etc/ssl && make -j$(nproc)