Add support for custom certificates to Docker (llvm-ml#19)

* Add support for custom certificates to Docker

This commit adds in support for using custom certificates in the
standalone Docker container along with changing some SSL settings so
that the build/container works in environments that are firewalled/have
custom SSL certificates.

* Add documentation about new flags to the README

* Add example of building a container image based on the changes in this PR

Author: boomanaiden154

.gitignore

@@ -1 +1,2 @@
 __pycache__
+*.crt

.packaging/Dockerfile

@@ -2,18 +2,30 @@ ARG UBUNTU_VERSION=22.04
 ARG LLVM_VERSION=16
 ARG JULIA_MAJOR_VERSION=8
 ARG JULIA_MINOR_VERSION=3
+ARG CUSTOM_CERT
+ARG ENABLE_LEGACY_RENEGOTIATION
 
 FROM ubuntu:$UBUNTU_VERSION
 
 ARG LLVM_VERSION
 ARG JULIA_MAJOR_VERSION
 ARG JULIA_MINOR_VERSION
+ARG CUSTOM_CERT
+ARG ENABLE_LEGACY_RENEGOTIATION
 
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Install the base dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends python3 python-is-python3 wget curl lsb-release ca-certificates software-properties-common build-essential gnupg2 python3-pip git pkg-config libssl-dev gcc gfortran
 
+# Setup a custom certificate/SSL settings depending upon build arguments
+# Include README.md here so that the build doesn't fail if there is no custom
+# certificate specified. Then we just delete it afterwards.
+COPY README.md $CUSTOM_CERT /usr/local/share/ca-certificates/
+RUN rm /usr/local/share/ca-certificates/README.md \
+  && update-ca-certificates
+RUN if [ -n "$ENABLE_LEGACY_RENEGOTIATION" ]; then echo "Options = UnsafeLegacyRenegotiation" >> /etc/ssl/openssl.cnf ; fi
+
 # Can this be converted into a native Ubuntu install as in the LLVM case
 ENV CARGO_HOME="/cargo"
 ENV RUSTUP_HOME="/rustup"

.packaging/README.md

@@ -11,3 +11,39 @@ repository:
 ```bash
 docker build -t llvm-ir-dataset-utils -f ./.packaging/Dockerfile .
 ```
+
+To get the image building on machines where an older firewall or custom SSL
+certificates are used, you can pass the following two build arguments to
+the Docker build to make the image build work in your environment:
+
+* `CUSTOM_CERT` - Pass the path to a `*.crt` file in the build context to make
+the container use the certificate. Note that the file extension must be `*.crt`
+and not `*.pem` or something else due to how Ubuntu's `update-ca-certificates`
+detects new certificates.
+* `ENABLE_LEGACY_RENEGOTIATION` - Enables legacy renegotiation which is a
+problem on some systems that have a firewall in place when accessing certain
+hosts.
+
+As an example, to build a container in an environment that doesn't support SSL
+renegotiation and with a custom certificate, you can run the following commands:
+
+1. Start by making sure your current working directory is the root of the
+project:
+```bash
+cd /path/to/llvm-ir-dataset-utils
+```
+2. Copy over the certificate (bundle) that you want the container to use:
+```bash
+cp /path/to/certificate.crt ./additional_cert.crt
+```
+3. Build the container image, making sure to specify the appropriate build
+flags:
+```bash
+docker build \
+  -t llvm-ir-dataset-utils \
+  -f ./.packaging/Dockerfile \
+  --build-arg="CUSTOM_CERT=./additional_cert.crt" \
+  --build-arg="ENABLE_LEGACY_RENEGOTIATION=ON"
+```
+
+Then you should end up with the desired container image.