FelixYBW commented on code in PR #12178: URL: https://github.com/apache/gluten/pull/12178#discussion_r3329630149
########## docs/get-started/VeloxDynamicOpenSSL.md: ########## @@ -0,0 +1,49 @@ +--- +layout: page +title: Dynamic OpenSSL with FIPS Support in vcpkg Build +nav_order: 8 +parent: Getting-Started +--- + +# Dynamic OpenSSL with FIPS Support in vcpkg Build + +## Overview + +By default, Gluten's vcpkg build statically links OpenSSL into the native libraries (`libvelox.so` and `libgluten.so`). However, in environments requiring FIPS (Federal Information Processing Standards) compliance or dynamic OpenSSL linking, Gluten now supports building with dynamically linked OpenSSL. + +This feature is particularly useful for: +- **FIPS compliance**: Organizations requiring FIPS 140-2/140-3 validated cryptographic modules +- **Security updates**: Easier OpenSSL security patching without rebuilding Gluten +- **System integration**: Using system-provided OpenSSL libraries + +## Prerequisites + +- vcpkg-based build system (requires `enable_vcpkg=ON`) +- OpenSSL development libraries installed on the system +- Supported platforms: x86_64 and aarch64 Linux + +## Building with Dynamic OpenSSL + +### Basic Build Command + +To enable dynamic OpenSSL linking with FIPS support, set the `VCPKG_DYNAMIC_OPENSSL` environment variable: + +```bash +export VCPKG_DYNAMIC_OPENSSL=ON +./dev/buildbundle-veloxbe.sh --enable_vcpkg=ON +``` + +## How It Works + +When `VCPKG_DYNAMIC_OPENSSL=ON` is set: + +1. **vcpkg Configuration**: The `dynamic-openssl` feature is enabled in `vcpkg.json`, which includes OpenSSL with FIPS support +2. **Triplet Override**: Custom vcpkg triplets (`x64-linux-avx.cmake` and `arm64-linux-neon.cmake`) detect the environment variable and switch OpenSSL from static to dynamic linkage +3. **Build Process**: The `init.sh` script adds the `--x-feature=dynamic-openssl` flag to vcpkg install +4. **Library Packaging**: OpenSSL shared libraries are excluded from static linking but must be available at runtime Review Comment: @zhouyuan can you also add the openssl version in vcpkg here? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
