Build a manylinux2014 arm64 image

This is based on the upstream manylinux container images at

 https://github.com/pyca/infra

and builds a manylinux2014_aarch64 image with openssl installed in
such a way we can use the image to build cryptography manylinux
wheels, hopefully.

Change-Id: I0aea20081b7025c1f9cc4c75e49646737861ba8e

docker/manylinux2014_aarch64/Dockerfile

@@ -0,0 +1,10 @@
+FROM quay.io/pypa/manylinux2014_aarch64
+MAINTAINER Infra Root
+WORKDIR /root
+ADD install_libffi.sh /root/install_libffi.sh
+RUN sh install_libffi.sh manylinux2014_aarch64
+ADD install_openssl.sh /root/install_openssl.sh
+ADD openssl-version.sh /root/openssl-version.sh
+RUN sh install_openssl.sh manylinux2014_aarch64
+ADD install_virtualenv.sh /root/install_virtualenv.sh
+RUN sh install_virtualenv.sh manylinux2014_aarch64

docker/manylinux2014_aarch64/install_libffi.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -xe
+
+LIBFFI_SHA256="d06ebb8e1d9a22d19e38d63fdb83954253f39bedc5d46232a05645685722ca37"
+LIBFFI_VERSION="3.2.1"
+
+function check_sha256sum {
+    local fname=$1
+    local sha256=$2
+    echo "${sha256}  ${fname}" > "${fname}.sha256"
+    sha256sum -c "${fname}.sha256"
+    rm "${fname}.sha256"
+}
+
+curl -#O "https://mirrors.ocf.berkeley.edu/debian/pool/main/libf/libffi/libffi_${LIBFFI_VERSION}.orig.tar.gz"
+check_sha256sum "libffi_${LIBFFI_VERSION}.orig.tar.gz" ${LIBFFI_SHA256}
+tar zxf libffi*.orig.tar.gz
+PATH=/opt/perl/bin:$PATH
+pushd libffi*
+if [ "$1" == "manylinux1" ]; then
+  STACK_PROTECTOR_FLAGS="-fstack-protector --param=ssp-buffer-size=4"
+else
+  STACK_PROTECTOR_FLAGS="-fstack-protector-strong"
+fi
+./configure CFLAGS="-g -O2 $STACK_PROTECTOR_FLAGS -Wformat -Werror=format-security"
+make -j8 install
+popd
+rm -rf libffi*

docker/manylinux2014_aarch64/install_openssl.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+set -xe
+
+OPENSSL_URL="https://www.openssl.org/source/"
+source /root/openssl-version.sh
+
+function check_sha256sum {
+    local fname=$1
+    local sha256=$2
+    echo "${sha256}  ${fname}" > "${fname}.sha256"
+    sha256sum -c "${fname}.sha256"
+    rm "${fname}.sha256"
+}
+
+curl -#O "${OPENSSL_URL}/${OPENSSL_VERSION}.tar.gz"
+check_sha256sum ${OPENSSL_VERSION}.tar.gz ${OPENSSL_SHA256}
+tar zxf ${OPENSSL_VERSION}.tar.gz
+PATH=/opt/perl/bin:$PATH
+pushd ${OPENSSL_VERSION}
+./config $OPENSSL_BUILD_FLAGS --prefix=/opt/pyca/cryptography/openssl --openssldir=/opt/pyca/cryptography/openssl
+make depend
+make -j8
+# avoid installing the docs
+# https://github.com/openssl/openssl/issues/6685#issuecomment-403838728
+make install_sw install_ssldirs
+popd
+rm -rf openssl*

docker/manylinux2014_aarch64/install_virtualenv.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+set -xe
+
+for python in /opt/python/*; do
+    "$python/bin/pip" install virtualenv
+done

docker/manylinux2014_aarch64/openssl-version.sh

@@ -0,0 +1,6 @@
+export OPENSSL_VERSION="openssl-1.1.1g"
+export OPENSSL_SHA256="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
+# We need a base set of flags because on Windows using MSVC
+# enable-ec_nistp_64_gcc_128 doesn't work since there's no 128-bit type
+export OPENSSL_BUILD_FLAGS_WINDOWS="no-ssl3 no-ssl3-method no-zlib no-shared no-comp no-dynamic-engine"
+export OPENSSL_BUILD_FLAGS="${OPENSSL_BUILD_FLAGS_WINDOWS} enable-ec_nistp_64_gcc_128"

zuul.d/jobs.yaml

@@ -0,0 +1,13 @@
+- job:
+    name: pyca-cryptography-build-image-manylinux2014
+    description: Build a manylinux image
+    provides: pyca-crytopgraphy-manylinux2014-container-image
+    parent: opendev-build-docker-image
+    dependencies: opendev-buildset-registry
+    timeout: 10800
+    vars:
+      docker_images:
+        - context: docker/manylinux2014_aarch64
+          repository: opendevorg/pyca-manylinux2014_aarch64
+          arch:
+            - linux/arm64

zuul.d/projects.yaml

@@ -0,0 +1,9 @@
+- project:
+    name: pyca/infra
+    check:
+      jobs:
+        - opendev-buildset-registry
+        - pyca-cryptography-build-image-manylinux2014
+    gate:
+      jobs:
+        - noop