[pull] main from MaterializeInc:main#1042
Merged
…efore origin (#36661) When `source < origin` and `tm_diff` was an exact multiple of the stride, the unconditional `tm_delta -= stride_ns` shifted the result back a whole extra bin. Also use `checked_sub` so that the `i64::MIN` nanosecond boundary surfaces `DateBinOutOfRange` instead of silently wrapping. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
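The `date_bin` fix described in the commit message above, as an added Rust example that is not Materialize's own code: `date_bin_buggy` reproduces the unconditional `tm_delta -= stride_ns` step-back, and `date_bin` the corrected logic with `checked_sub`. The i64-nanosecond representation, the `DateBinError` enum and the positive-stride check are assumptions made here for the example.

```rust
/// Errors surfaced by the bin arithmetic (enum assumed for this example).
#[derive(Debug, PartialEq)]
pub enum DateBinError {
    /// The result would leave the i64 nanosecond range.
    DateBinOutOfRange,
    /// Stride must be a positive number of nanoseconds (assumed check).
    NonPositiveStride,
}

/// Buggy variant: whenever source < origin it steps back one more bin,
/// even when `tm_diff` is already an exact multiple of the stride.
pub fn date_bin_buggy(stride_ns: i64, source_ns: i64, origin_ns: i64) -> Result<i64, DateBinError> {
    if stride_ns <= 0 {
        return Err(DateBinError::NonPositiveStride);
    }
    let tm_diff = source_ns.checked_sub(origin_ns).ok_or(DateBinError::DateBinOutOfRange)?;
    // Rust's `%` keeps the sign of the dividend, so `tm_delta` is truncated toward zero.
    let mut tm_delta = tm_diff - tm_diff % stride_ns;
    if tm_diff < 0 {
        tm_delta -= stride_ns; // unconditional: wrong when tm_diff % stride_ns == 0
    }
    origin_ns.checked_add(tm_delta).ok_or(DateBinError::DateBinOutOfRange)
}

/// Fixed variant: only step back a bin when truncation toward zero actually
/// moved the value (a non-zero negative remainder), and use `checked_sub` so
/// the i64::MIN boundary becomes `DateBinOutOfRange` instead of wrapping.
pub fn date_bin(stride_ns: i64, source_ns: i64, origin_ns: i64) -> Result<i64, DateBinError> {
    if stride_ns <= 0 {
        return Err(DateBinError::NonPositiveStride);
    }
    let tm_diff = source_ns.checked_sub(origin_ns).ok_or(DateBinError::DateBinOutOfRange)?;
    let rem = tm_diff % stride_ns;
    let mut tm_delta = tm_diff - rem;
    if rem < 0 {
        // Source lies strictly inside a bin before the origin: floor to its start.
        tm_delta = tm_delta.checked_sub(stride_ns).ok_or(DateBinError::DateBinOutOfRange)?;
    }
    origin_ns.checked_add(tm_delta).ok_or(DateBinError::DateBinOutOfRange)
}

fn main() {
    // Constructed input: stride of 10 ns, origin 0, source exactly one bin before the origin.
    println!("buggy: {:?}", date_bin_buggy(10, -10, 0)); // Ok(-20): one bin too far back
    println!("fixed: {:?}", date_bin(10, -10, 0)); // Ok(-10)
    println!("boundary: {:?}", date_bin(10, i64::MIN + 1, 0)); // Err(DateBinOutOfRange)
}
```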
…5858)

## Summary

Infrastructure for FIPS 140-3 compliant SSH tunnels, enabling distroless container migration for environmentd and clusterd:

- **Static OpenSSH build Dockerfile** (`misc/images/openssh-static/`): Builds a statically-linked `ssh` client binary (~3-6MB) using AWS-LC-FIPS as the crypto backend. OpenSSH natively supports AWS-LC — no patches needed.
- **FIPS SSH algorithm enforcement** (`src/ssh-util/src/tunnel.rs`): When `MZ_FIPS=1` is set, writes a restrictive SSH config that limits connections to NIST-approved algorithms only (AES-GCM/CTR, ECDH, HMAC-SHA2, ECDSA/RSA).

### Background

environmentd and clusterd can't move to distroless containers because the `openssh` Rust crate shells out to `/usr/bin/ssh`. The `russh` pure-Rust alternative was evaluated but **cannot be made FIPS-compliant** (only AEAD ciphers use aws-lc-rs; key exchange, signing, and HMACs use non-FIPS RustCrypto crates). Shipping a static OpenSSH binary built against AWS-LC-FIPS is the pragmatic path: zero code changes to tunnel logic, battle-tested SSH implementation, and FIPS-validated crypto.

### Follow-up PRs

- CI builder integration to actually build and cache the static ssh binary
- Migrate environmentd/clusterd Dockerfiles from `prod-base` to `distroless-prod-base`
- Replace bash entrypoint scripts with static/compiled entrypoints

Part of SEC-236.

## Test plan

- [x] `cargo check -p mz-ssh-util` passes
- [x] `cargo fmt` clean
- [ ] Docker build of `misc/images/openssh-static/` produces working static binary
- [ ] SSH tunnel tests pass with `MZ_FIPS=1` against a FIPS-compatible SSH server

---

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-authored-by: Jason Hernandez <7144515+jasonhernandez@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
) Flake seen in https://buildkite.com/materialize/nightly/builds/16627 Test run: https://buildkite.com/materialize/nightly/builds/16634 Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)