CPBR-2901: Fix Docker Build Failures Due to OpenSSL/Python Version Conflicts #953
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KrishVora01
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change Description
The Docker build process was failing with ImportError:
/usr/local/lib64/libcrypto.so.3: version 'OPENSSL_3.4.0' not founderrors when attempting to run Python-based tools (such as yum, update-crypto-policies) during the container build process for the 8.0.2-cp2 branch.This issue emerged after redhat updated the Python versions in its UBI9 base images, where the system Python 3.9.23 was compiled against OpenSSL 3.5.1 and required OPENSSL_3.4.0 symbols that were not present in the manually installed FIPS-compliant OpenSSL 3.1.2. The root cause was that the LD_LIBRARY_PATH environment variable was forcing all applications, including system Python, to use the incompatible FIPS OpenSSL instead of the system OpenSSL that Python was compiled against.
Fix
The key insight was to install FIPS OpenSSL to a custom prefix (/opt/openssl-fips) instead of the standard /usr/local location, and to avoid setting LD_LIBRARY_PATH globally. This allows system tools to continue functioning normally while making FIPS OpenSSL available for applications that explicitly need it.
Dockerfile Changes (base/Dockerfile.ubi9 and base-java/Dockerfile.ubi9):
The installation order was restructured to prevent conflicts between system packages and custom OpenSSL. System packages (including Python, Java, and package management tools) are now installed first to establish a stable baseline before introducing the FIPS OpenSSL. This prevents the custom OpenSSL installation from interfering with Python's SSL module dependencies during the build process. The OpenSSL installation was moved to use a custom prefix (--prefix=/opt/openssl-fips --openssldir=/opt/openssl-fips/ssl) to isolate it from system libraries, preventing library path conflicts that previously broke Python-based tools.
LD_LIBRARY_PATH
Previously, we set LD_LIBRARY_PATH to point to the FIPS OpenSSL libraries, but this broke system Python because it forced Python to use the wrong OpenSSL version. The fix removes this global setting and instead only adds the FIPS OpenSSL commands to the system PATH. This means system tools like Python work normally, while applications that specifically need FIPS OpenSSL can still find and use it when needed.
openssl-fips.cnf
The openssl-fips.cnf file tells OpenSSL where to find its FIPS module. Since we moved FIPS OpenSSL from /usr/local to /opt/openssl-fips, we had to update the file paths to match the new location. We also added a missing configuration section that actually turns on FIPS mode - without this section, FIPS wouldn't work even though OpenSSL was installed.
Testing
Green PR Build: https://semaphore.ci.confluent.io/workflows/d02ddde0-a83b-466b-95fe-4b62863771a9?pipeline_id=03fc2a6a-02f4-4bfe-941e-0da7639befc1
Testing 2:
As per https://confluent.slack.com/archives/C04JK67QSQ3/p1727989701357349?thread_ts=1725640416.517819&cid=C04JK67QSQ3: