openssl command not found in Azure CLI 2.43.0 docker image #24836

Closed
jiasli opened this issue Dec 8, 2022 · 5 comments

jiasli commented Dec 8, 2022

Symptom

The latest Azure CLI 2.43.0 docker image doesn't contain openssl command anymore.

> docker run -it mcr.microsoft.com/azure-cli
0c12bf6c7b2f:/# openssl
bash: openssl: command not found

This causes failure if a user's workload relies on openssl command.

Root cause

According to Alpine Linux 3.17's release history:

https://alpinelinux.org/posts/Alpine-3.17.0-released.html

OpenSSL 3.0 is now the default OpenSSL version. OpenSSL 1.1 is available via the openssl1.1-compat package.

openssl package in alpine:3.17 is now OpenSSL 3.0:

> docker run -it alpine:3.17
# apk search openssl
...
openssl-3.0.7-r0

OpenSSL 3.0 is not compatible with cryptography 3.3.2 which Azure CLI currently uses. For compatibility with cryptography, we now install openssl1.1-compat:

openssl1.1-compat installs /usr/bin/openssl1.1 command:

# apk add openssl1.1-compat
# apk info --contents openssl1.1-compat
openssl1.1-compat-1.1.1s-r0 contains:
usr/bin/openssl1.1
# command -v openssl1.1
/usr/bin/openssl1.1

Because openssl package is not installed anymore, /usr/bin/openssl command is not available.

For the released docker image, Azure CLI (az command) is the only tool that is guaranteed to work. The availability of other tools or packages is not guaranteed. If you rely on a certain tool or package such as openssl, you have to manually install it with apk add before using it.

However, it is still a good practice for us to explicitly mention such changes. For example:

Proposed solutions

  • Install openssl, either in the docker image by us or by your own workload. This will make openssl command available again, but this may introduce other breaking changes as openssl 3.0 may not be backward compatible with openssl 1.1, even though they share the same name.
  • Switch to using openssl1.1 in your workload, until you have fully tested openssl 3.0 works as expected with your workload.
  • Temporarily use Azure CLI 2.42.0 docker image until we add openssl in Azure CLI 2.44.0.
  • We make a symbolic link for openssl that points to openssl1.1 in the docker image, but this is very difficult to maintain and introduces more inconsistency and complexity.

Additional information

#22864 unpinned the base image Alpine Linux version. Now I am more inclined not to do so, as Alpine Linux frequently introduces breaking changes. We should also declare the version update in our history notes if we update the underlying base image version. However, a side effect is that CVEs of the base image can't be fixed automatically and quickly, which is the original motivation for unpinning it.
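
A guard for the "switch to openssl1.1 until 3.0 is tested" option above, added here as an example (not code from this issue or from Azure CLI): the workload looks up an OpenSSL CLI by major version among the two binary names shown in the issue and stops if none matches. The function names and the OPENSSL_BIN variable are hypothetical.

```shell
#!/bin/sh
# Added example: select an OpenSSL CLI by major version instead of assuming
# that a command named `openssl` exists and is the version the workload was
# tested with. Function names and OPENSSL_BIN are hypothetical.

# Print the major version ("1", "3", ...) reported by the binary at $1.
# Fails if the binary does not identify itself as OpenSSL.
openssl_major() {
    out=$("$1" version 2>/dev/null) || return 1
    case $out in
        "OpenSSL "[0-9]*) ;;          # e.g. "OpenSSL 3.0.7 1 Nov 2022"
        *) return 1 ;;
    esac
    ver=${out#OpenSSL }               # drop the leading product name
    printf '%s\n' "${ver%%.*}"        # keep everything before the first dot
}

# Print the path of the first candidate on PATH whose major version is $1.
# Candidates are the two names from the issue: openssl and openssl1.1.
find_openssl() {
    want=$1
    for name in openssl openssl1.1; do
        bin=$(command -v "$name" 2>/dev/null) || continue
        if [ "$(openssl_major "$bin")" = "$want" ]; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# Fail closed: stop rather than run with a major version that was not tested.
# On success, OPENSSL_BIN holds the binary to invoke.
require_openssl() {
    OPENSSL_BIN=$(find_openssl "$1") || {
        echo "no OpenSSL $1.x CLI on PATH; install it explicitly with apk add" >&2
        return 1
    }
    export OPENSSL_BIN
}
```

A workload tested only against 1.1 would call require_openssl 1 at startup and then invoke "$OPENSSL_BIN" wherever it previously called openssl.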

yonzhan commented Dec 8, 2022

A really good description of the openssl issue

jiasli commented Dec 8, 2022

openssl can be installed side by side with openssl1.1-compat:

# apk add openssl
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
(1/1) Installing openssl (3.0.7-r0)
Executing busybox-1.35.0-r29.trigger
OK: 240 MiB in 87 packages

But openssl-dev conflicts with openssl1.1-compat-dev:

# apk add openssl-dev
ERROR: unable to select packages:
  openssl-dev-3.0.7-r0:
    breaks: openssl1.1-compat-dev-1.1.1s-r0[!openssl-dev]
    satisfies: world[openssl-dev]

bebound commented Dec 8, 2022

I agree that Azure CLI (az command) is the only tool that is guaranteed to work.

The image should only contain the main program to keep it small and simple. The official Best practices for writing Dockerfiles also suggests "Don’t install unnecessary packages". I think the right thing to do is remove it from docker in breaking window.

In Python-alpine Dockerfile, the building dependencies are added in the .build-deps virtual package and removed after Python is built.

apk add --no-cache --virtual .build-deps
apk del --no-network .build-deps; \

leleueri added a commit to gravitee-io/gravitee-access-management that referenced this issue Dec 9, 2022
@yonzhan yonzhan closed this as completed Jan 2, 2023

jiasli commented Jan 17, 2023

We have released a new image for 2.43.0 that has openssl installed. You may run docker pull to get the updated 2.43.0 image or use the latest version (currently 2.44.1).

@niklastanner

Why did you remove openssl after version 2.53.1?
We still need it.
