sameersbn · sachilles · Oct 19, 2021 · Sep 15, 2021 · Oct 10, 2021 · Sep 15, 2021
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,8 @@ FROM ubuntu:focal-20210827
 ARG VERSION=14.2.5
 
 ENV GITLAB_VERSION=${VERSION} \
-    RUBY_VERSION=2.7 \
+    RUBY_VERSION=2.7.2 \
+    RUBY_SOURCE_SHA256SUM="6e5706d0d4ee4e1e2f883db9d768586b4d06567debea353c796ec45e8321c3d4" \
     GOLANG_VERSION=1.17.1 \
     GITLAB_SHELL_VERSION=13.19.1 \
     GITLAB_PAGES_VERSION=1.42.0 \
@@ -31,8 +32,6 @@ RUN apt-get update \
 RUN set -ex && \
     apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv E1DD270288B4E6030699E45FA1715D88E1DF1F24 \
  && echo "deb http://ppa.launchpad.net/git-core/ppa/ubuntu focal main" >> /etc/apt/sources.list \
- && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 80F70E11F0F0D5F10CB20E62F5DA5F09C3173AA6 \
- && echo "deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu focal main" >> /etc/apt/sources.list \
  && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 8B3981E7A6852F782CC4951600A6F0A3C300EE8C \
  && echo "deb http://ppa.launchpad.net/nginx/stable/ubuntu focal main" >> /etc/apt/sources.list \
  && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
@@ -46,15 +45,14 @@ RUN set -ex && \
  && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
       sudo supervisor logrotate locales curl \
       nginx openssh-server postgresql-client-12 postgresql-contrib-12 redis-tools \
-      git-core ruby${RUBY_VERSION} python3 python3-docutils nodejs yarn gettext-base graphicsmagick \
+      git-core python3 python3-docutils nodejs yarn gettext-base graphicsmagick \
       libpq5 zlib1g libyaml-0-2 libssl1.1 \
       libgdbm6 libreadline8 libncurses5 libffi7 \
       libxml2 libxslt1.1 libcurl4 libicu66 libre2-dev tzdata unzip libimage-exiftool-perl \
       libmagic1 \
  && update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
  && locale-gen en_US.UTF-8 \
  && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales \
- && gem install --no-document bundler -v 2.1.4 \
  && rm -rf /var/lib/apt/lists/*
 
 COPY assets/build/ ${GITLAB_BUILD_DIR}/

diff --git a/assets/build/install.sh b/assets/build/install.sh
@@ -18,7 +18,7 @@ PATH=${GOROOT}/bin:$PATH
 export GOROOT PATH
 
 BUILD_DEPENDENCIES="gcc g++ make patch pkg-config cmake paxctl \
-  libc6-dev ruby${RUBY_VERSION}-dev \
+  libc6-dev \
   libpq-dev zlib1g-dev libyaml-dev libssl-dev \
   libgdbm-dev libreadline-dev libncurses5-dev libffi-dev \
   libxml2-dev libxslt-dev libcurl4-openssl-dev libicu-dev \
@@ -37,11 +37,25 @@ exec_as_git() {
 apt-get update
 DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y ${BUILD_DEPENDENCIES}
 
+# build ruby from source
+echo "Building ruby v${RUBY_VERSION} from source..."
+PWD_ORG="$PWD"
+mkdir /tmp/ruby && cd /tmp/ruby
+curl --remote-name -Ss "https://cache.ruby-lang.org/pub/ruby/${RUBY_VERSION%.*}/ruby-${RUBY_VERSION}.tar.gz"
+printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c -
+tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}"
+./configure --disable-install-rdoc --enable-shared
+make -j"$(nproc)"
+make install
+cd "$PWD_ORG" && rm -rf /tmp/ruby
+
+gem install bundler -N -v 2.1.4
+
 # PaX-mark ruby
 # Applying the mark late here does make the build usable on PaX kernels, but
 # still the build itself must be executed on a non-PaX kernel. It's done here
 # only for simplicity.
-paxctl -cvm "$(command -v ruby${RUBY_VERSION})"
+paxctl -cvm "$(command -v ruby)"
 # https://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Node.js
 paxctl -cvm "$(command -v node)"