manylinux: avoid bundling OpenSSL to fix FIPS import crash

AdityaMishra3000 · AdityaMishra3000 · commit dc2e8951a025 · 2026-01-24T23:51:04.000+05:30
diff --git a/docker/manylinux2014/Dockerfile_x86_64 b/docker/manylinux2014/Dockerfile_x86_64
@@ -9,152 +9,169 @@ ARG FREETYPE_VERSION=2.14.1
 ARG LIBPNG_VERSION=1.6.53
 ARG VPX_VERSION=v1.15.2
 ARG NASM_VERSION=2.15.04
-ARG OPENSSL_VERSION=1_1_1w
 ARG QT_VERSION=5.15.18
 ARG YASM_VERSION=1.3.0
 ARG AOM_VERSION=v3.13.1
 ARG AVIF_VERSION=v1.3.0
 
 ENV LD_LIBRARY_PATH /usr/local/lib:$LD_LIBRARY_PATH
 
-# epel-release need for aarch64 to get openblas packages
-RUN yum install zlib-devel curl-devel xcb-util-renderutil-devel xcb-util-devel xcb-util-image-devel xcb-util-keysyms-devel xcb-util-wm-devel mesa-libGL-devel libxkbcommon-devel libxkbcommon-x11-devel libXi-devel lapack-devel epel-release -y && \
-    yum install openblas-devel dejavu-sans-fonts -y && \
+# Base dependencies + system OpenSSL (FIPS-safe)
+RUN yum install -y \
+        zlib-devel \
+        curl-devel \
+        xcb-util-renderutil-devel \
+        xcb-util-devel \
+        xcb-util-image-devel \
+        xcb-util-keysyms-devel \
+        xcb-util-wm-devel \
+        mesa-libGL-devel \
+        libxkbcommon-devel \
+        libxkbcommon-x11-devel \
+        libXi-devel \
+        lapack-devel \
+        epel-release \
+        openssl \
+        openssl-devel && \
+    yum install -y openblas-devel dejavu-sans-fonts && \
     cp /usr/include/openblas/*.h /usr/include/ && \
     cp /usr/include/lapacke/lapacke*.h /usr/include/ && \
-    # libpng will be built from source
-    yum remove libpng -y
+    yum remove -y libpng
 
+# libpng
 RUN mkdir ~/libpng_sources && \
     cd ~/libpng_sources && \
     curl -O -L https://download.sourceforge.net/libpng/libpng-${LIBPNG_VERSION}.tar.gz && \
     tar -xf libpng-${LIBPNG_VERSION}.tar.gz && \
     cd libpng-${LIBPNG_VERSION} && \
     ./configure --prefix=/usr/local && \
-    make && \
-    make install && \
-    cd .. && \
-    rm -rf ~/libpng_sources
+    make && make install && \
+    cd .. && rm -rf ~/libpng_sources
 
+# freetype
 RUN mkdir ~/freetype_sources && \
     cd ~/freetype_sources && \
     curl -O -L https://download.savannah.gnu.org/releases/freetype/freetype-${FREETYPE_VERSION}.tar.gz && \
     tar -xf freetype-${FREETYPE_VERSION}.tar.gz && \
     cd freetype-${FREETYPE_VERSION} && \
     ./configure --prefix="/ffmpeg_build" --enable-freetype-config && \
-    make && \
-    make install && \
-    cd .. && \
-    rm -rf ~/freetype_sources
+    make && make install && \
+    cd .. && rm -rf ~/freetype_sources
 
+# Qt (explicitly without OpenSSL)
 RUN curl -O -L https://download.qt.io/archive/qt/5.15/${QT_VERSION}/single/qt-everywhere-opensource-src-${QT_VERSION}.tar.xz && \
     tar -xf qt-everywhere-opensource-src-${QT_VERSION}.tar.xz && \
     cd qt-everywhere-src-${QT_VERSION} && \
     export MAKEFLAGS=-j$(nproc) && \
-    ./configure -prefix /opt/Qt${QT_VERSION} -release -opensource -confirm-license -qtnamespace QtOpenCVPython -xcb -xcb-xlib -bundled-xcb-xinput -no-openssl -no-dbus -skip qt3d -skip qtactiveqt -skip qtcanvas3d -skip qtconnectivity -skip qtdatavis3d -skip qtdoc -skip qtgamepad -skip qtgraphicaleffects -skip qtimageformats -skip qtlocation -skip qtmultimedia -skip qtpurchasing -skip qtqa -skip qtremoteobjects -skip qtrepotools -skip qtscript -skip qtscxml -skip qtsensors -skip qtserialbus -skip qtserialport -skip qtspeech -skip qttranslations -skip qtwayland -skip qtwebchannel -skip qtwebengine -skip qtwebsockets -skip qtwebview -skip xmlpatterns -skip declarative -make libs && \
-    make && \
-    make install && \
-    cd .. && \
-    rm -rf qt-everywhere*
+    ./configure -prefix /opt/Qt${QT_VERSION} -release -opensource -confirm-license \
+        -qtnamespace QtOpenCVPython \
+        -xcb -xcb-xlib -bundled-xcb-xinput \
+        -no-openssl -no-dbus \
+        -skip qt3d -skip qtactiveqt -skip qtcanvas3d -skip qtconnectivity \
+        -skip qtdatavis3d -skip qtdoc -skip qtgamepad -skip qtgraphicaleffects \
+        -skip qtimageformats -skip qtlocation -skip qtmultimedia -skip qtpurchasing \
+        -skip qtqa -skip qtremoteobjects -skip qtrepotools -skip qtscript \
+        -skip qtscxml -skip qtsensors -skip qtserialbus -skip qtserialport \
+        -skip qtspeech -skip qttranslations -skip qtwayland -skip qtwebchannel \
+        -skip qtwebengine -skip qtwebsockets -skip qtwebview -skip xmlpatterns \
+        -skip declarative -make libs && \
+    make && make install && \
+    cd .. && rm -rf qt-everywhere*
 
 ENV QTDIR /opt/Qt${QT_VERSION}
 ENV PATH "$QTDIR/bin:$PATH"
 
-RUN mkdir ~/openssl_sources && \
-    cd ~/openssl_sources && \
-    curl -O -L https://github.com/openssl/openssl/archive/OpenSSL_${OPENSSL_VERSION}.tar.gz && \
-    tar -xf OpenSSL_${OPENSSL_VERSION}.tar.gz && \
-    cd openssl-OpenSSL_${OPENSSL_VERSION} && \
-    ./config --prefix="/ffmpeg_build" --openssldir="/ffmpeg_build" no-pinshared shared zlib && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    # skip installing documentation
-    make install_sw && \
-    cd .. && \
-    rm -rf ~/openssl_build ~/openssl_sources
-
+# nasm
 RUN mkdir ~/nasm_sources && \
     cd ~/nasm_sources && \
     curl -O -L http://www.nasm.us/pub/nasm/releasebuilds/${NASM_VERSION}/nasm-${NASM_VERSION}.tar.gz && \
-    tar -xf nasm-${NASM_VERSION}.tar.gz && cd nasm-${NASM_VERSION} && ./autogen.sh && \
+    tar -xf nasm-${NASM_VERSION}.tar.gz && \
+    cd nasm-${NASM_VERSION} && ./autogen.sh && \
     ./configure --prefix="/ffmpeg_build" --bindir="$HOME/bin" && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
-    cd .. && \
-    rm -rf ~/nasm_sources
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
+    cd .. && rm -rf ~/nasm_sources
 
+# yasm
 RUN mkdir ~/yasm_sources && \
     cd ~/yasm_sources && \
     curl -O -L http://www.tortall.net/projects/yasm/releases/yasm-${YASM_VERSION}.tar.gz && \
     tar -xf yasm-${YASM_VERSION}.tar.gz && \
     cd yasm-${YASM_VERSION} && \
     ./configure --prefix="/ffmpeg_build" --bindir="$HOME/bin" && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
-    cd .. && \
-    rm -rf ~/yasm_sources
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
+    cd .. && rm -rf ~/yasm_sources
 
+# libvpx
 RUN mkdir ~/libvpx_sources && \
     cd ~/libvpx_sources && \
     git clone --depth 1 -b ${VPX_VERSION} https://chromium.googlesource.com/webm/libvpx.git && \
     cd libvpx && \
-    ./configure --prefix="/ffmpeg_build" --disable-examples --disable-unit-tests --enable-vp9-highbitdepth --as=yasm --enable-pic --enable-shared && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
-    cd .. && \
-    rm -rf ~/libvpx_sources
-
+    ./configure --prefix="/ffmpeg_build" \
+        --disable-examples --disable-unit-tests \
+        --enable-vp9-highbitdepth --as=yasm \
+        --enable-pic --enable-shared && \
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
+    cd .. && rm -rf ~/libvpx_sources
+
+# aom
 RUN mkdir ~/aom_sources && \
     cd ~/aom_sources && \
     git clone --depth 1 -b ${AOM_VERSION} https://aomedia.googlesource.com/aom && \
     mkdir build && cd build && \
-    cmake -DCMAKE_C_COMPILER=$(dirname $(which g++))/gcc -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_SHARED_LIBS=ON -DENABLE_TESTS=OFF ../aom/ && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
+    cmake -DCMAKE_INSTALL_PREFIX=/usr -DBUILD_SHARED_LIBS=ON -DENABLE_TESTS=OFF ../aom && \
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
     cd / && rm -rf ~/aom_sources
 
+# avif
 RUN mkdir ~/avif_sources && \
     cd ~/avif_sources && \
     git clone -b ${AVIF_VERSION} https://github.com/AOMediaCodec/libavif.git && \
     mkdir build && cd build && \
-    cmake -DCMAKE_INSTALL_PREFIX=/usr -DAVIF_CODEC_AOM=SYSTEM -DAVIF_LIBYUV=LOCAL -DAVIF_BUILD_APPS=OFF ../libavif && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
+    cmake -DCMAKE_INSTALL_PREFIX=/usr \
+          -DAVIF_CODEC_AOM=SYSTEM \
+          -DAVIF_LIBYUV=LOCAL \
+          -DAVIF_BUILD_APPS=OFF ../libavif && \
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
     cd / && rm -rf ~/avif_sources
 
+# ffmpeg (uses system OpenSSL for FIPS compatibility)
 RUN mkdir ~/ffmpeg_sources && \
     cd ~/ffmpeg_sources && \
     curl -O -L https://ffmpeg.org/releases/ffmpeg-${FFMPEG_VERSION}.tar.gz && \
     tar -xf ffmpeg-${FFMPEG_VERSION}.tar.gz && \
     cd ffmpeg-${FFMPEG_VERSION} && \
     PATH=~/bin:$PATH && \
-    PKG_CONFIG_PATH="/ffmpeg_build/lib/pkgconfig" ./configure --prefix="/ffmpeg_build" --extra-cflags="-I/ffmpeg_build/include" --extra-ldflags="-L/ffmpeg_build/lib" --enable-openssl --enable-libvpx --enable-shared --enable-pic --bindir="$HOME/bin" && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
+    PKG_CONFIG_PATH="/usr/lib64/pkgconfig:/usr/lib/pkgconfig:/ffmpeg_build/lib/pkgconfig" \
+    ./configure \
+        --prefix="/ffmpeg_build" \
+        --extra-cflags="-I/ffmpeg_build/include" \
+        --extra-ldflags="-L/ffmpeg_build/lib" \
+        --enable-openssl \
+        --enable-libvpx \
+        --enable-shared \
+        --enable-pic \
+        --bindir="$HOME/bin" && \
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
     echo "/ffmpeg_build/lib/" >> /etc/ld.so.conf && \
     ldconfig && \
     rm -rf ~/ffmpeg_sources
 
+# ccache
 RUN curl -O -L https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}.tar.gz && \
     tar -xf ccache-${CCACHE_VERSION}.tar.gz && \
     cd ccache-${CCACHE_VERSION} && \
     ./configure && \
-    make -j$(getconf _NPROCESSORS_ONLN) && \
-    make install && \
-    cd .. && \
-    rm -rf ccache-${CCACHE_VERSION}.tar.gz
+    make -j$(getconf _NPROCESSORS_ONLN) && make install && \
+    cd .. && rm -rf ccache-${CCACHE_VERSION}.tar.gz
 
-# GitHub Actions user`s UID is 1001
+# CI user
 RUN useradd ci -m -s /bin/bash -G users --uid=1001 && \
-    mkdir /io && \
-    chown -R ci:ci /io && \
-    # This needs to find ffmpeg packages from ci user
+    mkdir /io && chown -R ci:ci /io && \
     chown -R ci:ci /ffmpeg_build && \
-    # This calls in mutlibuild scripts and cannot be run without permissions
     chown -R ci:ci /opt/_internal/pipx/venvs/auditwheel
 
 USER ci
 
-# Git security vulnerability: https://github.blog/2022-04-12-git-security-vulnerability-announced
 RUN git config --global --add safe.directory /io
 
 ENV PKG_CONFIG_PATH /usr/local/lib/pkgconfig:/ffmpeg_build/lib/pkgconfig
