Update and cleanup docker files

[minosgalanakis]

This PR is implementing the following:

Changes

• Align 16.04 to 18.04 Docker images
• Remove 16.04 related workarounds when possible
• Updated the ARMLMD_LICENSE_FILE files and removed workarounds in groovy scripts
• Created a 20.04 Docker Image file which is fully aligned to 18.04
• Added the --security-opt seccomp=unconfined to the docker run parameter
• Switched to distribution provided versions for abi-dumper, abi-compliance-checker libasn1

Testing

Image are tested locally using the build and run scripts, and isolated builds

• Test job mbedtls-release-ci-testing 347 (RUN_BASIC_BUILD_TEST @ 16.04) -> Passed

• Test job mbedtls-release-ci-testing 347 (RUN_BASIC_BUILD_TEST @ 18.04) -> Passed

• Test job mbedtls-release-ci-testing 347 (RUN_BASIC_BUILD_TEST @ 20.04) -> Passed

• Test job mbedtls-release-ci-testing 348 (RUN_ALL_SH@ 16.04) -> Passed

• [x ] Test job mbedtls-release-ci-testing 348 (RUN_ALL_SH@ 20.04) -> Passed

• Testing RUN_ABI_TEST in mbed-tls-pr-test-parametrized 225

• Test job mbedtls-release-ci-testing 352 (RUN_ALL_SH@ 20.04) -> Failed

• Test job mbedtls-release-ci-testing 352 (RUN_ALL_SH@ 20.04->18.04->16.04) -> Failed

Todo

Investigate why the following tests are failing at 20.04

• all_u20-check_doxygen
• all_u20-test_everest
• all_u20-test_se_default

[minosgalanakis]

Failure investigations

The following code was added to the get_release_jobs method in order to test including 20.04 images

`def gen_release_jobs(label_prefix='', run_examples=true) {
def jobs = [:]

common.get_branch_information()

if (env.RUN_BASIC_BUILD_TEST == "true") {
    jobs = jobs + gen_code_coverage_job('ubuntu-16.04');
}

if (env.RUN_ALL_SH == "true") {
    for (component in (common.available_all_sh_components['ubuntu-20.04'])) {
        jobs = jobs + gen_all_sh_jobs('ubuntu-20.04', component, label_prefix)
    }

    for (component in (common.available_all_sh_components['ubuntu-16.04'] -
                       common.available_all_sh_components['ubuntu-20.04'])) {
        jobs = jobs + gen_all_sh_jobs('ubuntu-16.04', component, label_prefix)
     }

    for (component in (common.available_all_sh_components['ubuntu-18.04'] -
                       common.available_all_sh_components['ubuntu-20.04'] -
                       common.available_all_sh_components['ubuntu-16.04'])) {
        jobs = jobs + gen_all_sh_jobs('ubuntu-18.04', component, label_prefix)
     }
}`

Job 352 only tested 20.4 and 353 tested previous docker platforms as well

The following items are currently failing with 20.04 image

• all_u20-check_doxygen
• all_u20-test_everest
• all_u20-test_se_default

all_u20-check_doxygen

This is a known issue with newer versions of doxygen as reported in mbedtls issue #3497

all_u20-test_everest

The test appears to fail by a runtime error full_log

PSA cipher encrypt: invalid key type .............................. /var/lib/build/library/psa_crypto.c:3595:16: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /var/lib/build/library/psa_crypto.c:3595:16 in 

all_u20-test_se_default

The test also fails because of a runtime error full_log

test_suite_pkparse ................................................ PASS
test_suite_pkwrite ................................................ PASS
test_suite_poly1305 ............................................... PASS
test_suite_psa_crypto ............................................. psa_crypto.c:3595:16: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior psa_crypto.c:3595:16 in 
FAIL
--------------------- Begin test_suite_psa_crypto ---------------------

[mpg]

This was just a first pass, I'll have a look at the test results tomorrow.

[mpg]

Please leave a note about --with-included-libtasn1 as a reminder, if in the future we need a bleeding-edge version of GnuTLS for which the Ubuntu version is not enough (like the comment on libunistring below).

[mpg]

I think it would be better to add that to the big invocation of apt-get install that starts on line 39:

• minimizing the number of times we call apt-get update reduces the time it takes to build the image
• I think have everything in one place in a sorted list makes it easier to maintain

[mpg]

More importantly: the 16.04 says we want at least version 2.3 of abi-compliance-checker. Unless I'm mistaken, Ubuntu 18.04 only has 2.2. So, shouldn't we still compile 2.3?

(OTOH, abi-dumper seems OK as the Ubuntu repos have 1.1.)

[mpg]

Same note as for the 18.04 file: let's keep all things installed with apt in the same place as much as possible.

[gilles-peskine-arm]

I reviewed the code changes. I haven't inspected CI results. Have you run the CI with the latest version? If not, please update the PR description once you do. You might wait until you've handled the review feedback.

[minosgalanakis]

I am quoting @gilles-peskine-arm from an slack channel thread

resources/docker_files/run.sh /some/directory ubuntu-16.04 no longer works out of the box because that results in HOME set to / which is not writable so installing python modules with scripts/min_requirements.py fails. Can we arrange to set HOME to the workspace directory mounted on /var/lib/ws

A new requirement/request is accepted to add an ENV entry for HOME->/var/lib/ws in all three images. It will be added in a single commit.

[gilles-peskine-arm]

Looks good to me except for HOME set to the wrong directory (sorry).

Please run at least a pr-merge test job and a release test job with the final version of the images.

[gilles-peskine-arm]

/var/lib/ws doesn't exist by default, and it's a directory outside the Docker image. /var/lib/builds is the one that's created by default and owned by user. So I think HOME should be set to that instead. Sorry, I wasn't thinking properly when I suggested /var/lib/ws.

[gilles-peskine-arm]

Looks good to me on code reading.

[mpg]

Looks good to me.

I noticed an outdated comment, but we might choose to ignore it for now in order to merge this PR quickly and unblock work that depends on it.

[mpg]

Minor: the comment above is outdated, as it says " Install pip<21" which is no longer what we're doing. (Non-blocker as this is only a comment.)

[gilles-peskine-arm]

@minosgalanakis I notice you've run at least https://jenkins-mbedtls.oss.arm.com/job/mbedtls-release-ci-testing/372/ on the latest commit. Can you please make a list of the jobs you've run?

[minosgalanakis]

As requested by @gilles-peskine-arm I am attaching the summary of the testing:

• Test job mbedtls-release-ci-testing 372 (RUN_BASIC_BUILD_TEST @ 16.04) -> Passed
• Test job mbedtls-release-ci-testing 372 (RUN_BASIC_BUILD_TEST @ 18.04) -> Passed
• Test job mbedtls-release-ci-testing 372 (RUN_BASIC_BUILD_TEST @ 20.04) -> Passed
• Test job mbedtls-release-ci-testing 348 (RUN_ALL_SH@ 16.04) -> Passed
• Test job mbedtls-release-ci-testing 348 (RUN_ALL_SH@ 18.04) -> Passed
• Test job mbedtls-release-ci-testing 348 (RUN_ALL_SH@ 20.04) -> Passed
• Testing RUN_ABI_TEST in mbed-tls-pr-test-parametrized 327 (RUN_ABI_CHECK) --> Failed
• Testing RUN_ALL in mbed-tls-pr-test-parametrized 327 (RUN_ALL_SH@ 16.04) --> Passed
• Testing RUN_ABI_TEST in mbed-tls-pr-test-parametrized 327 (RUN_ALL_SH@ 18.04) --> Passed

The abi-check failure can be reviewed here

<problems_with_types severity="High">
  <header name="ssl.h">
    <type name="struct mbedtls_ssl_context">
      <problem id="Removed_Field">
        <change target="client_auth">Field @target has been removed from this type.</change>
        <effect target="client_auth" type_name="struct mbedtls_ssl_context">Recompilation of a client program may be broken with the error message: '@type_name' has no member named '@target'.</effect>
      </problem>
      </type>
  </header>
</problems_with_types>

I am investigating weather that issue is caused by the tools/versions or the codebase

[gilles-peskine-arm]

327 attempts to merge bff88ab into a7a1dea which is quite a bit older. So API/ABI differences are to be expected.

I'm happy with the positive testing from 327, 372 and 348 for development. We should also check the LTS branch and some jobs that are expected to report failures. We can do that with the mbed-tls-pr-ci-testing job after reconfiguring it to point to the desired branch of mbedtls-test, then kicking off some PR jobs.

• 2.28 release
• pr-merge with expected failure of all cmake jobs

[mpg]

Testing looks good to me, but I want to clarify something: what do you mean when you write RUN_BASIC_BUILD_TEST @ 20.04? Looking at the job, it seems to me that basic-build-test.sh was only run on 16.04 as usual. But the job built the 20.04 image successfully. (Same for all.sh: it ran mostly on 16.04, some components on 18.04, and none on 20.04 AFAICS.)

Said otherwise, I think we have sufficient testing to be confident that we can merge this PR without breaking anything which is the goal.

I don't think we've tested how all.sh and basic-build-test.sh would run on the 18.04 or 20.04 images, but that's IMO out of scope for this task will be done later.

[gilles-peskine-arm]

Looking at the job, it seems to me that basic-build-test.sh was only run on 16.04 as usual. But the job built the 20.04 image successfully. (Same for all.sh: it ran mostly on 16.04, some components on 18.04, and none on 20.04 AFAICS.)

I don't think we've tested how all.sh and basic-build-test.sh would run on the 18.04 or 20.04 images, but that's IMO out of scope for this task will be done later.

Right, the goal here was only to update the Docker images. We're still dispatching jobs to 16.04 if possible, otherwise 18.04, and now 20.04 added as a third option. But since all current jobs can run on either 16.04 or 20.04, nothing is getting run on 20.04 yet.