From 7bbf6ff19bf53e1acf9ef6223b78ecade4dce852 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 16 Jan 2024 11:40:56 +0000 Subject: [PATCH 01/11] build: Refactor build scripts Signed-off-by: Paulo Gomes --- .gitignore | 1 + Makefile | 44 +++++++++++++++++------------------ hack/build | 36 ++++++++++++++++++++++++++++ policy/centos7/Dockerfile | 16 +++++++++++++ policy/centos7/scripts/build | 21 ----------------- policy/centos7/scripts/entry | 12 ---------- policy/centos8/Dockerfile | 16 +++++++++++++ policy/centos8/scripts/build | 22 ------------------ policy/centos8/scripts/entry | 12 ---------- policy/centos9/Dockerfile | 16 +++++++++++++ policy/centos9/scripts/build | 22 ------------------ policy/centos9/scripts/entry | 12 ---------- policy/fedora37/Dockerfile | 14 +++++++++++ policy/fedora37/scripts/build | 20 ---------------- policy/fedora37/scripts/entry | 12 ---------- policy/microos/Dockerfile | 14 +++++++++++ policy/microos/scripts/build | 20 ---------------- policy/microos/scripts/entry | 12 ---------- 18 files changed, 134 insertions(+), 188 deletions(-) create mode 100755 hack/build create mode 100644 policy/centos7/Dockerfile delete mode 100755 policy/centos7/scripts/build delete mode 100755 policy/centos7/scripts/entry create mode 100644 policy/centos8/Dockerfile delete mode 100755 policy/centos8/scripts/build delete mode 100755 policy/centos8/scripts/entry create mode 100644 policy/centos9/Dockerfile delete mode 100755 policy/centos9/scripts/build delete mode 100755 policy/centos9/scripts/entry create mode 100644 policy/fedora37/Dockerfile delete mode 100755 policy/fedora37/scripts/build delete mode 100755 policy/fedora37/scripts/entry create mode 100644 policy/microos/Dockerfile delete mode 100755 policy/microos/scripts/build delete mode 100755 policy/microos/scripts/entry diff --git a/.gitignore b/.gitignore index 417485f..1002264 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .dapper /dist /.idea +/build 
diff --git a/Makefile b/Makefile
index 1ad7a29..0385704 100644
--- a/Makefile
+++ b/Makefile
@@ -1,29 +1,27 @@
-CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
-CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
-CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts))
-MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
-FEDORA37_TARGETS := $(addprefix fedora37-,$(shell ls policy/fedora37/scripts))
+RUNNER ?= docker
-.dapper:
- @echo Downloading dapper
- @curl -sL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
- @@chmod +x .dapper.tmp
- @./.dapper.tmp -v
- @mv .dapper.tmp .dapper
+POLICIES=$(shell find policy -mindepth 2 -maxdepth 2 -type f -name 'Dockerfile' | sort -u | cut -f 2 -d'/')
-$(CENTOS7_TARGETS): .dapper
- ./.dapper -f Dockerfile.centos7.dapper $(@:centos7-%=%)
+RPM_VERSION := v0.1.1
+RPM_RELEASE := testing
-$(CENTOS8_TARGETS): .dapper
- ./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%)
+.PHONY: build
+build:
+ $(MAKE) $(addsuffix -build-clean, $(POLICIES))
+ $(MAKE) $(addsuffix -build-image, $(POLICIES))
+ $(MAKE) $(addsuffix -build-artefacts, $(POLICIES))
-$(CENTOS9_TARGETS): .dapper
- ./.dapper -f Dockerfile.centos9.dapper $(@:centos9-%=%)
+%-build-image:
+ $(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \
+ -t rancher-selinux:$(subst :,/,$*) -f policy/$(subst :,/,$*)/Dockerfile .
-$(MICROOS_TARGETS): .dapper
- ./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)
+%-build-clean:
+ rm -rf $(shell pwd)/build/$(subst :,/,$*)
+ mkdir -p $(shell pwd)/build/$(subst :,/,$*)
-$(FEDORA37_TARGETS): .dapper
- ./.dapper -f Dockerfile.fedora37.dapper $(@:fedora37-%=%)
-
-.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(FEDORA37_TARGETS)
+%-build-artefacts:
+ $(RUNNER) run --rm \
+ -e USER=$(shell id -u) -e GROUP=$(shell id -g) \
+ -v $(shell pwd)/build/$(subst :,/,$*):/out \
+ --workdir /src \
+ rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE)
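Review bot: `POLICIES` is assigned with `=`, so the `find | sort | cut` pipeline is re-run on every expansion, which in `build` is once per `$(addsuffix ...)` line; `POLICIES := $(shell ...)` runs it once. `$(shell pwd)` in the three pattern rules forks a shell each time as well and is spelled `$(CURDIR)` in GNU make. The stem of `%-build-clean` is not validated before it becomes part of an `rm -rf` path, and the `$(subst :,/,$*)` mapping is undocumented; a guard such as `$(if $(findstring ..,$*),$(error bad policy name: $*))` plus a one-line comment on why `:` is mapped to `/` makes the intent explicit. Only `build` is declared in `.PHONY`, so a file named after any of the pattern targets would mask them.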
diff --git a/hack/build b/hack/build
new file mode 100755
index 0000000..a00ed67
--- /dev/null
+++ b/hack/build
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -eoux pipefail
+
+OUTDIR="${OUTDIR:-/out}"
+USER="${USER:-1000}"
+GROUP="${GROUP:-1000}"
+
+function build(){
+ local RPM_VERSION=$1
+ local RPM_RELEASE=$2
+
+ make -f /usr/share/selinux/devel/Makefile rancher.pp
+
+ rpmbuild \
+ --define "rancher_selinux_version ${RPM_VERSION}" \
+ --define "rancher_selinux_release ${RPM_RELEASE}" \
+ --define "_sourcedir $PWD" \
+ --define "_specdir $PWD" \
+ --define "_builddir $PWD" \
+ --define "_srcrpmdir ${OUTDIR}/source" \
+ --define "_buildrootdir $PWD/.build" \
+ --define "_rpmdir ${OUTDIR}/dist" \
+ -ba rancher-selinux.spec
+}
+
+function main(){
+ build "$1" "$2"
+ chown -R "${USER}:${GROUP}" "${OUTDIR}/"
+}
+
+if [ "$#" -ne 2 ]; then
+ echo "usage: $0 "
+ exit 1
+fi
+
+main "$1" "$2"
diff --git a/policy/centos7/Dockerfile b/policy/centos7/Dockerfile
new file mode 100644
index 0000000..e12bd3f
--- /dev/null
+++ b/policy/centos7/Dockerfile
@@ -0,0 +1,16 @@
+FROM quay.io/centos/centos:centos7
+
+RUN yum install -y \
+ epel-release \
+ container-selinux \
+ selinux-policy-devel \
+ yum-utils \
+ rpm-build
+
+WORKDIR /src
+
+ARG POLICY
+COPY policy/${POLICY}/rancher-selinux.spec \
+ policy/${POLICY}/rancher.fc \
+ policy/${POLICY}/rancher.te \
+ hack/build .
diff --git a/policy/centos7/scripts/build b/policy/centos7/scripts/build
deleted file mode 100755
index 4ebb6f7..0000000
--- a/policy/centos7/scripts/build
+++ /dev/null
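Review bot: `USER="${USER:-1000}"` in hack/build reuses the name of the login-name variable that login shells export, so when the script runs without the Makefile's `-e USER=$(id -u)` the fallback is a user name rather than a uid and `chown -R "${USER}:${GROUP}"` can target a different account than intended; a distinct name such as `OUT_UID`/`OUT_GID` (with the Makefile's `-e` flags renamed to match) removes the ambiguity. The usage message on the `$#` check goes to stdout and, as rendered here, names no arguments: `echo "usage: $0 <rpm-version> <rpm-release>" >&2` (if the page merely lost the placeholders, the `>&2` still applies). `set -x` traces every `rpmbuild --define` argument into CI logs, which is harmless for version strings but should be kept in mind if anything sensitive is ever passed the same way.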
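Review bot: `FROM quay.io/centos/centos:centos7` pins a mutable tag, so two builds of the same commit can start from different base layers and the resulting RPMs cannot be audited back to a known base image; the centos8, centos9, fedora37 and microos Dockerfiles in this patch have the same issue. Pinning as `FROM quay.io/centos/centos:centos7@sha256:<digest>` (digest to be taken from the registry) and refreshing it deliberately keeps the base under version control. `yum install -y` likewise takes whatever package versions the mirror serves at build time, and a trailing `&& yum clean all` keeps the package cache out of the image.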
@@ -1,21 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec diff --git a/policy/centos7/scripts/entry b/policy/centos7/scripts/entry deleted file mode 100755 index dca70b3..0000000 --- a/policy/centos7/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/centos7/scripts/"$1" ]; then - ./policy/centos7/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/centos8/Dockerfile b/policy/centos8/Dockerfile new file mode 100644 index 0000000..801a0fa --- /dev/null +++ b/policy/centos8/Dockerfile @@ -0,0 +1,16 @@ +FROM quay.io/centos/centos:stream8 + +RUN yum install -y \ + epel-release \ + container-selinux \ + selinux-policy-devel \ + yum-utils \ + rpm-build + +WORKDIR /src + +ARG POLICY +COPY policy/${POLICY}/rancher-selinux.spec \ + policy/${POLICY}/rancher.fc \ + policy/${POLICY}/rancher.te \ + hack/build . diff --git a/policy/centos8/scripts/build b/policy/centos8/scripts/build deleted file mode 100755 index ce2cc30..0000000 --- a/policy/centos8/scripts/build +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec - diff --git a/policy/centos8/scripts/entry b/policy/centos8/scripts/entry deleted file mode 100755 index cdc8005..0000000 --- a/policy/centos8/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/centos8/scripts/"$1" ]; then - ./policy/centos8/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/centos9/Dockerfile b/policy/centos9/Dockerfile new file mode 100644 index 0000000..5c7265c --- /dev/null +++ b/policy/centos9/Dockerfile @@ -0,0 +1,16 @@ +FROM quay.io/centos/centos:stream9 + +RUN yum install -y \ + epel-release \ + container-selinux \ + selinux-policy-devel \ + yum-utils \ + rpm-build + +WORKDIR /src + +ARG POLICY +COPY policy/${POLICY}/rancher-selinux.spec \ + policy/${POLICY}/rancher.fc \ + policy/${POLICY}/rancher.te \ + hack/build . diff --git a/policy/centos9/scripts/build b/policy/centos9/scripts/build deleted file mode 100755 index ce2cc30..0000000 --- a/policy/centos9/scripts/build +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y epel-release -yum install -y container-selinux selinux-policy-devel yum-utils rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec - diff --git a/policy/centos9/scripts/entry b/policy/centos9/scripts/entry deleted file mode 100755 index 4e7c7fd..0000000 --- a/policy/centos9/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/centos9/scripts/"$1" ]; then - ./policy/centos9/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/fedora37/Dockerfile b/policy/fedora37/Dockerfile new file mode 100644 index 0000000..3995c25 --- /dev/null +++ b/policy/fedora37/Dockerfile @@ -0,0 +1,14 @@ +FROM fedora:37 + +RUN dnf install -y \ + container-selinux \ + selinux-policy-devel \ + rpm-build + +WORKDIR /src + +ARG POLICY +COPY policy/${POLICY}/rancher-selinux.spec \ + policy/${POLICY}/rancher.fc \ + policy/${POLICY}/rancher.te \ + hack/build . diff --git a/policy/fedora37/scripts/build b/policy/fedora37/scripts/build deleted file mode 100755 index 8e6bbd5..0000000 --- a/policy/fedora37/scripts/build +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -dnf -y install container-selinux selinux-policy-devel rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec diff --git a/policy/fedora37/scripts/entry b/policy/fedora37/scripts/entry deleted file mode 100755 index b4972bd..0000000 --- a/policy/fedora37/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/fedora37/scripts/"$1" ]; then - ./policy/fedora37/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi diff --git a/policy/microos/Dockerfile b/policy/microos/Dockerfile new file mode 100644 index 0000000..6eca366 --- /dev/null +++ b/policy/microos/Dockerfile @@ -0,0 +1,14 @@ +FROM opensuse/tumbleweed + +RUN zypper install -y \ + container-selinux \ + selinux-policy-devel \ + rpm-build + +WORKDIR /src + +ARG POLICY +COPY policy/${POLICY}/rancher-selinux.spec \ + policy/${POLICY}/rancher.fc \ + policy/${POLICY}/rancher.te \ + hack/build . diff --git a/policy/microos/scripts/build b/policy/microos/scripts/build deleted file mode 100755 index 88c4716..0000000 --- a/policy/microos/scripts/build +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -zypper install -y container-selinux selinux-policy-devel rpm-build - -make -f /usr/share/selinux/devel/Makefile rancher.pp - -rpmbuild \ - --define "rancher_selinux_version ${RPM_VERSION}" \ - --define "rancher_selinux_release ${RPM_RELEASE}" \ - --define "_sourcedir $PWD" \ - --define "_specdir $PWD" \ - --define "_builddir $PWD" \ - --define "_srcrpmdir ${PWD}/dist/source" \ - --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${PWD}/dist" \ - -ba rancher-selinux.spec diff --git a/policy/microos/scripts/entry b/policy/microos/scripts/entry deleted file mode 100755 index 6fad799..0000000 --- a/policy/microos/scripts/entry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh -set -ex - -if [ -e ./policy/microos/scripts/"$1" ]; then - ./policy/microos/scripts/"$@" -else - exec "$@" -fi - -if [ "$DAPPER_UID" -ne "-1" ]; then - chown -R $DAPPER_UID:$DAPPER_GID . -fi From 568a8c43fc97b3c9bae389c926e0ecf6cc5e0af6 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Fri, 19 Jan 2024 14:22:57 +0000 Subject: [PATCH 02/11] build: Refactor versioning Signed-off-by: Paulo Gomes --- Makefile | 15 ++++++-- hack/make/version.mk | 50 +++++++++++++++++++++++++++ policy/centos7/scripts/version | 61 --------------------------------- policy/centos8/scripts/version | 60 -------------------------------- policy/centos9/scripts/version | 60 -------------------------------- policy/fedora37/scripts/version | 60 -------------------------------- policy/microos/scripts/version | 60 -------------------------------- 7 files changed, 63 insertions(+), 303 deletions(-) create mode 100644 hack/make/version.mk delete mode 100755 policy/centos7/scripts/version delete mode 100755 policy/centos8/scripts/version delete mode 100755 policy/centos9/scripts/version delete mode 100755 policy/fedora37/scripts/version delete mode 100755 policy/microos/scripts/version diff --git a/Makefile b/Makefile index 0385704..f18205a 100644 
--- a/Makefile
+++ b/Makefile
@@ -2,8 +2,7 @@ RUNNER ?= docker
 POLICIES=$(shell find policy -mindepth 2 -maxdepth 2 -type f -name 'Dockerfile' | sort -u | cut -f 2 -d'/')
-RPM_VERSION := v0.1.1
-RPM_RELEASE := testing
+include hack/make/version.mk
 .PHONY: build
 build:
@@ -25,3 +24,15 @@ build:
 -v $(shell pwd)/build/$(subst :,/,$*):/out \
 --workdir /src \
 rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE)
+
+version:
+ifdef VERSION_MSG
+ @echo $(VERSION_MSG); exit 1
+endif
+
+ @echo Version Information
+ @echo
+ @echo RPM_VERSION: $(RPM_VERSION)
+ @echo RPM_RELEASE: $(RPM_RELEASE)
+ @echo RPM_CHANNEL: $(RPM_CHANNEL)
+ @echo VERSION: $(VERSION)
diff --git a/hack/make/version.mk b/hack/make/version.mk
new file mode 100644
index 0000000..01e4cdc
--- /dev/null
+++ b/hack/make/version.mk
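Review bot: `version` is a command target but is not added to `.PHONY:` (which still lists only `build`), so if a file or directory named `version` ever exists in the repository root `make version` reports it up to date and the `ifdef VERSION_MSG` exit path never runs; `.PHONY: build version` closes that. The `ifdef` block inside the recipe is a parse-time make conditional, not a shell `if`, which is easy to misread; a comment such as `# Parse-time check: fail the target when version.mk could not derive a valid version.` above it would help. `@echo $(VERSION_MSG); exit 1` relies on the double quotes stored in `VERSION_MSG` by version.mk to keep the message as one word, which is worth stating in the same comment.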
@@ -0,0 +1,50 @@
+TAG ?= $(GITHUB_TAG)
+TREE_STATE := clean
+COMMIT := $(shell git rev-parse --short HEAD)
+
+CHANGES = $(shell git status --porcelain --untracked-files=no)
+ifneq ($(CHANGES),)
+ TREE_STATE = dirty
+ DIRTY = dirty
+endif
+
+# If worktree is clean and a TAG was not provided, try to
+# get the first tag that points to the current commit.
+ifeq ($(TREE_STATE),clean)
+ ifeq ($(TAG),)
+ TAG = $(shell git tag -l --contains HEAD | head -n 1)
+ endif
+endif
+
+VERSION :=
+# Expected tag format: v0.1.{testing,production}.1
+ifneq ($(TAG),)
+ ifeq ($(TREE_STATE),clean)
+ VERSION = $(TAG)
+ endif
+endif
+
+# If a tag was not set, or worktree is dirty, fallback
+# to default format: v0.0~aaaaaadirty.testing.0
+ifeq ($(VERSION),)
+ VERSION = "v0.0~$(COMMIT)$(DIRTY).testing.0"
+endif
+
+rpm_version_regex := s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$$/\1/;
+rpm_channel_regex := s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$$/\1/;
+rpm_release_regex := s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$$/\1/;
+
+CHECKED_VERSION = $(shell echo $(VERSION) | grep -E 'v[0-9]+\.[0-9]+[~a-zA-Z0-9]*\.[a-z]+\.[0-9]+')
+
+ifneq ($(CHECKED_VERSION),)
+ RPM_VERSION = $(shell sed -E -e "$(rpm_version_regex)" <<<"$(VERSION)")
+ RPM_RELEASE = $(shell sed -E -e "$(rpm_release_regex)" <<<"$(VERSION)")
+ RPM_CHANNEL = $(shell sed -E -e "$(rpm_channel_regex)" <<<"$(VERSION)")
+
+ ALLOWED_CHANNELS := production testing
+ ifneq ($(filter-out $(ALLOWED_CHANNELS),$(RPM_CHANNEL)),)
+ VERSION_MSG = "RPM_CHANNEL $(RPM_CHANNEL) does not match one of: [testing, production]"
+ endif
+else
+ VERSION_MSG = "Tag ($(TAG)) or version ($(VERSION)) does not match expected format"
+endif
diff --git a/policy/centos7/scripts/version b/policy/centos7/scripts/version
deleted file mode 100755
index 018c1f0..0000000
--- a/policy/centos7/scripts/version
+++ /dev/null
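Review bot: The three `sed -E ... <<<"$(VERSION)"` lines depend on a bash here-string, but neither this file nor the Makefile sets `SHELL`, so `$(shell ...)` runs under `/bin/sh`; where that is dash the command is a syntax error and `RPM_VERSION`/`RPM_RELEASE`/`RPM_CHANNEL` expand to empty strings that are then handed to `rpmbuild`. The `CHECKED_VERSION` grep is unanchored and its class omits `-`, whereas the scripts this replaces matched `^...$` with `[-~a-zA-Z0-9]*`, so any string containing a version-shaped substring passes while a tag such as `v1.2-rc1.testing.0` is rejected before the `s/\-/~/g` translation can run. `git tag -l --contains HEAD` lists every tag whose commit descends from HEAD, not only tags on HEAD, so building an older checkout can pick up a later release tag; `git tag -l --points-at HEAD` is the precise query. The fallback `VERSION = "v0.0~..."` stores the double quotes as part of the make value (only the `echo` path strips them). The lines below pipe a quoted `$(VERSION)` through `echo` instead, which works under any POSIX sh.
```make
# … unchanged: TAG, TREE_STATE, COMMIT, CHANGES …
ifeq ($(TREE_STATE),clean)
  ifeq ($(TAG),)
    TAG = $(shell git tag -l --points-at HEAD | head -n 1)
  endif
endif
# … unchanged: VERSION := and tag selection …
ifeq ($(VERSION),)
  VERSION = v0.0~$(COMMIT)$(DIRTY).testing.0
endif
# … unchanged: rpm_version_regex, rpm_channel_regex, rpm_release_regex …
CHECKED_VERSION = $(shell echo '$(VERSION)' | grep -E '^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$$')

ifneq ($(CHECKED_VERSION),)
  RPM_VERSION = $(shell echo '$(VERSION)' | sed -E -e "$(rpm_version_regex)")
  RPM_RELEASE = $(shell echo '$(VERSION)' | sed -E -e "$(rpm_release_regex)")
  RPM_CHANNEL = $(shell echo '$(VERSION)' | sed -E -e "$(rpm_channel_regex)")
# … unchanged: ALLOWED_CHANNELS check and VERSION_MSG …
```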
@@ -1,61 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - 
diff --git a/policy/centos8/scripts/version b/policy/centos8/scripts/version deleted file mode 100755 index 1fadf40..0000000 --- a/policy/centos8/scripts/version +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/centos9/scripts/version b/policy/centos9/scripts/version deleted file mode 100755 index 1fadf40..0000000 --- a/policy/centos9/scripts/version +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/fedora37/scripts/version b/policy/fedora37/scripts/version deleted file mode 100755 index 7b9ff71..0000000 --- a/policy/fedora37/scripts/version +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac 
diff --git a/policy/microos/scripts/version b/policy/microos/scripts/version deleted file mode 100755 index 1fadf40..0000000 --- a/policy/microos/scripts/version +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash - -TREE_STATE=clean -COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} -TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} - -if [ -d ${DAPPER_SOURCE}/.git ]; then - pushd ${DAPPER_SOURCE} - if [ -n "$(git status --porcelain --untracked-files=no)" ]; then - DIRTY="dirty" - TREE_STATE=dirty - fi - - if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then - TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit - fi - - COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) - if [ -z "$COMMIT" ]; then - COMMIT=$(git rev-parse HEAD || true) - fi - popd -fi - -if [[ -n "$TAG" ]]; then - if [[ "$TREE_STATE" = "clean" ]]; then - VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. - fi -else - VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" -fi - -# v0.1.testing.1 - -if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then - echo "Version $VERSION does not match our expected format. Exiting." - exit 1 -fi -rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' -rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' -rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' - -RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") -RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") -RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") - -if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then - echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" - RPM_CHANNEL="testing" -fi - -case "$RPM_CHANNEL" in - "testing"|"production") - echo "RPM_CHANNEL matched our expected variants" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac From 4ba7aa20522632362310eb10bf33c3d269b297df Mon Sep 17 00:00:00 2001 
From: Paulo Gomes Date: Fri, 19 Jan 2024 14:23:49 +0000 Subject: [PATCH 03/11] build: Add %-build target This target groups all the subtargets needed to build a specific policy Signed-off-by: Paulo Gomes --- Makefile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index f18205a..b548ec0 100644 --- a/Makefile +++ b/Makefile @@ -6,9 +6,12 @@ include hack/make/version.mk .PHONY: build build: - $(MAKE) $(addsuffix -build-clean, $(POLICIES)) - $(MAKE) $(addsuffix -build-image, $(POLICIES)) - $(MAKE) $(addsuffix -build-artefacts, $(POLICIES)) + $(MAKE) $(addsuffix -build, $(POLICIES)) + +%-build: version + $(MAKE) $(subst :,/,$*)-build-clean + $(MAKE) $(subst :,/,$*)-build-image + $(MAKE) $(subst :,/,$*)-build-artefacts %-build-image: $(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \ From bff28f77d9d2e829f3c483c580be6f4e2fb9f84d Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Fri, 19 Jan 2024 17:28:56 +0000 Subject: [PATCH 04/11] build: Consolidate into a single Dockerfile Signed-off-by: Paulo Gomes --- Dockerfile | 59 ++++++++++++++++++++++++++++++++++++++ Makefile | 4 +-- policy/centos7/Dockerfile | 16 ----------- policy/centos8/Dockerfile | 16 ----------- policy/centos9/Dockerfile | 16 ----------- policy/fedora37/Dockerfile | 14 --------- policy/microos/Dockerfile | 14 --------- 7 files changed, 61 insertions(+), 78 deletions(-) create mode 100644 Dockerfile delete mode 100644 policy/centos7/Dockerfile delete mode 100644 policy/centos8/Dockerfile delete mode 100644 policy/centos9/Dockerfile delete mode 100644 policy/fedora37/Dockerfile delete mode 100644 policy/microos/Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..3fd5334 --- /dev/null +++ b/Dockerfile 
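Review bot: The three `$(MAKE)` lines in `%-build` are the only thing ordering clean → image → artefacts, because none of the `%-build-*` pattern targets declares a prerequisite on the previous step; if that is deliberate, a comment such as `# Sequential sub-makes on purpose: the -build-* targets have no dependencies on each other, order matters.` keeps someone from collapsing it into one `$(MAKE) a b c`, which would race under `-j`. Each sub-make also re-parses `hack/make/version.mk`, whose `=`-assigned `CHANGES` and `TAG` re-run git on every expansion, so `make build` now spawns several git processes per policy; `:=` for those two variables keeps it to once per sub-make. `version` is now a prerequisite of every policy build, which makes its missing `.PHONY` entry matter more.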
@@ -0,0 +1,59 @@
+ARG POLICY
+
+# This Dockerfile is used to create the appropriate environment
+# to build the SELinux policies and package them as RPM for each
+# of the target platforms.
+
+FROM quay.io/centos/centos:centos7 as centos7
+RUN yum install -y \
+ createrepo_c \
+ epel-release \
+ container-selinux \
+ selinux-policy-devel \
+ yum-utils \
+ rpm-build
+
+FROM quay.io/centos/centos:stream8 as centos8
+RUN yum install -y \
+ createrepo_c \
+ epel-release \
+ container-selinux \
+ selinux-policy-devel \
+ yum-utils \
+ rpm-build
+
+FROM quay.io/centos/centos:stream9 as centos9
+RUN yum install -y \
+ createrepo_c \
+ epel-release \
+ container-selinux \
+ selinux-policy-devel \
+ yum-utils \
+ rpm-build
+
+FROM fedora:37 as fedora37
+RUN dnf install -y \
+ createrepo_c \
+ container-selinux \
+ selinux-policy-devel \
+ rpm-build
+
+FROM opensuse/tumbleweed as microos
+RUN zypper install -y \
+ container-selinux \
+ selinux-policy-devel \
+ rpm-build
+
+# libglib is required to install createrepo_c in Tumbleweed.
+RUN zypper install -y libglib-2_0-0 createrepo_c
+
+# Pick base image based on the target policy.
+FROM ${POLICY}
+
+WORKDIR /src
+
+ARG POLICY
+COPY policy/${POLICY}/rancher-selinux.spec \
+ policy/${POLICY}/rancher.fc \
+ policy/${POLICY}/rancher.te \
+ hack/build .
diff --git a/Makefile b/Makefile
index b548ec0..9f0bad6 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 RUNNER ?= docker
-POLICIES=$(shell find policy -mindepth 2 -maxdepth 2 -type f -name 'Dockerfile' | sort -u | cut -f 2 -d'/')
+POLICIES=$(shell find policy -mindepth 2 -maxdepth 2 -type d | sort -u | cut -f 2 -d'/')
 include hack/make/version.mk
@@ -15,7 +15,7 @@ build:
 %-build-image:
 $(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \
- -t rancher-selinux:$(subst :,/,$*) -f policy/$(subst :,/,$*)/Dockerfile .
+ -t rancher-selinux:$(subst :,/,$*) -f Dockerfile .
 %-build-clean:
 rm -rf $(shell pwd)/build/$(subst :,/,$*)
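Review bot: `FROM ${POLICY}` resolves to one of the five named stages only when the build-arg matches a stage name; any other value is treated as an image reference and pulled from the default registry, and the Makefile derives `POLICIES` from a directory listing rather than a fixed list. A guard in the Makefile, e.g. `ifneq ($(filter-out centos7 centos8 centos9 fedora37 microos,$(POLICIES)),)` followed by `$(error unknown policy)`, or at least a comment on `FROM ${POLICY}` stating that the value must be a stage name, makes that contract explicit. The base images remain mutable tags (`centos7`, `stream8`, `stream9`, `fedora:37`, `opensuse/tumbleweed`), so `@sha256:<digest>` pins are still the missing step for reproducible builds; `opensuse/tumbleweed` is a rolling image, so the microos RPMs are only reproducible with such a pin. The top-level `ARG POLICY` is consumed by `FROM` and goes out of scope afterwards, which is why it is re-declared before `COPY`; a one-line comment there would save the next reader the trip to the Dockerfile reference.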
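Review bot: `POLICIES` is now discovered with `find policy -mindepth 2 -maxdepth 2 -type d`, which lists policy names that have at least one subdirectory (as far as this page shows, only `scripts/`), not the policy directories themselves; once the last `scripts/` file is deleted (the [PATCH 05/11] hunk on this page removes `scripts/repo-metadata`), a fresh clone has no `policy/<name>/scripts` directory, `POLICIES` expands to nothing and `make build` silently builds no policy, unless each policy keeps some other subdirectory. `find policy -mindepth 1 -maxdepth 1 -type d | cut -f 2 -d'/' | sort -u` lists the policy directories directly and de-duplicates after the `cut`, where duplicates could actually arise. An explicit `ifeq ($(strip $(POLICIES)),)` / `$(error no policies found under policy/)` turns the silent no-op into a failure.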
diff --git a/policy/centos7/Dockerfile b/policy/centos7/Dockerfile deleted file mode 100644 index e12bd3f..0000000 --- a/policy/centos7/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -FROM quay.io/centos/centos:centos7 - -RUN yum install -y \ - epel-release \ - container-selinux \ - selinux-policy-devel \ - yum-utils \ - rpm-build - -WORKDIR /src - -ARG POLICY -COPY policy/${POLICY}/rancher-selinux.spec \ - policy/${POLICY}/rancher.fc \ - policy/${POLICY}/rancher.te \ - hack/build . diff --git a/policy/centos8/Dockerfile b/policy/centos8/Dockerfile deleted file mode 100644 index 801a0fa..0000000 --- a/policy/centos8/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -FROM quay.io/centos/centos:stream8 - -RUN yum install -y \ - epel-release \ - container-selinux \ - selinux-policy-devel \ - yum-utils \ - rpm-build - -WORKDIR /src - -ARG POLICY -COPY policy/${POLICY}/rancher-selinux.spec \ - policy/${POLICY}/rancher.fc \ - policy/${POLICY}/rancher.te \ - hack/build . diff --git a/policy/centos9/Dockerfile b/policy/centos9/Dockerfile deleted file mode 100644 index 5c7265c..0000000 --- a/policy/centos9/Dockerfile +++ /dev/null @@ -1,16 +0,0 @@ -FROM quay.io/centos/centos:stream9 - -RUN yum install -y \ - epel-release \ - container-selinux \ - selinux-policy-devel \ - yum-utils \ - rpm-build - -WORKDIR /src - -ARG POLICY -COPY policy/${POLICY}/rancher-selinux.spec \ - policy/${POLICY}/rancher.fc \ - policy/${POLICY}/rancher.te \ - hack/build . diff --git a/policy/fedora37/Dockerfile b/policy/fedora37/Dockerfile deleted file mode 100644 index 3995c25..0000000 --- a/policy/fedora37/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM fedora:37 - -RUN dnf install -y \ - container-selinux \ - selinux-policy-devel \ - rpm-build - -WORKDIR /src - -ARG POLICY -COPY policy/${POLICY}/rancher-selinux.spec \ - policy/${POLICY}/rancher.fc \ - policy/${POLICY}/rancher.te \ - hack/build . diff --git a/policy/microos/Dockerfile b/policy/microos/Dockerfile deleted file mode 100644 index 6eca366..0000000 
--- a/policy/microos/Dockerfile +++ /dev/null @@ -1,14 +0,0 @@ -FROM opensuse/tumbleweed - -RUN zypper install -y \ - container-selinux \ - selinux-policy-devel \ - rpm-build - -WORKDIR /src - -ARG POLICY -COPY policy/${POLICY}/rancher-selinux.spec \ - policy/${POLICY}/rancher.fc \ - policy/${POLICY}/rancher.te \ - hack/build . From e233d7f1c74dc45dd12c7685d4ca12a826672309 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Fri, 19 Jan 2024 18:17:25 +0000 Subject: [PATCH 05/11] build: Refactor repo-metadata Signed-off-by: Paulo Gomes --- Dockerfile | 29 ++++++++++++++++++++++----- Makefile | 26 +++++++++++++++--------- hack/build | 2 +- hack/repo-metadata | 22 ++++++++++++++++++++ policy/centos7/scripts/repo-metadata | 15 -------------- policy/centos8/scripts/repo-metadata | 15 -------------- policy/centos9/scripts/repo-metadata | 15 -------------- policy/fedora37/scripts/repo-metadata | 14 ------------- policy/microos/scripts/repo-metadata | 15 -------------- 9 files changed, 64 insertions(+), 89 deletions(-) create mode 100755 hack/repo-metadata delete mode 100755 policy/centos7/scripts/repo-metadata delete mode 100755 policy/centos8/scripts/repo-metadata delete mode 100755 policy/centos9/scripts/repo-metadata delete mode 100755 policy/fedora37/scripts/repo-metadata delete mode 100755 policy/microos/scripts/repo-metadata diff --git a/Dockerfile b/Dockerfile index 3fd5334..2338d70 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,11 @@ RUN yum install -y \ container-selinux \ selinux-policy-devel \ yum-utils \ - rpm-build + rpm-build \ + rpm-sign expect + +# Confirm this is needed, move to final if not. +COPY hack/centos7_sign /usr/local/bin/sign FROM quay.io/centos/centos:stream8 as centos8 RUN yum install -y \ 
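Review bot: `COPY hack/centos7_sign /usr/local/bin/sign` in the centos7 stage (and `COPY hack/sign ...` in the other stages of this commit) references files that the commit's diffstat does not add, so unless they already exist in the tree every `docker build` fails at this instruction; if they are meant to arrive in a later patch of the series, this commit does not build on its own. Installing `rpm-sign expect` into the build stage — presumably to drive the rpmsign passphrase prompt non-interactively on CentOS 7 — makes the stage that builds the RPM the same one that would need the signing key and passphrase; keeping signing as a separate step that only mounts the finished RPMs limits where key material has to be present. `# Confirm this is needed, move to final if not.` is an open question left in the code; resolve it or turn it into a TODO that states why `expect` is required.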
@@ -20,7 +24,11 @@ RUN yum install -y \ container-selinux \ selinux-policy-devel \ yum-utils \ - rpm-build + rpm-build \ + rpm-sign + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign FROM quay.io/centos/centos:stream9 as centos9 RUN yum install -y \ @@ -29,7 +37,11 @@ RUN yum install -y \ container-selinux \ selinux-policy-devel \ yum-utils \ - rpm-build + rpm-build \ + rpm-sign + +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign FROM fedora:37 as fedora37 RUN dnf install -y \ @@ -38,6 +50,9 @@ RUN dnf install -y \ selinux-policy-devel \ rpm-build +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + FROM opensuse/tumbleweed as microos RUN zypper install -y \ container-selinux \ @@ -47,8 +62,11 @@ RUN zypper install -y \ # libglib is required to install createrepo_c in Tumbleweed. RUN zypper install -y libglib-2_0-0 createrepo_c +# Move to final stage if centos7_sign is removed. +COPY hack/sign /usr/local/bin/sign + # Pick base image based on the target policy. -FROM ${POLICY} +FROM ${POLICY} as final WORKDIR /src @@ -56,4 +74,5 @@ ARG POLICY COPY policy/${POLICY}/rancher-selinux.spec \ policy/${POLICY}/rancher.fc \ policy/${POLICY}/rancher.te \ - hack/build . + hack/build \ + hack/repo-metadata . diff --git a/Makefile b/Makefile index 9f0bad6..70ec46a 100644 --- a/Makefile +++ b/Makefile 
@@ -1,34 +1,39 @@ RUNNER ?= docker - -POLICIES=$(shell find policy -mindepth 2 -maxdepth 2 -type d | sort -u | cut -f 2 -d'/') +POLICIES = $(shell find policy -mindepth 2 -maxdepth 2 -type d | sort -u | cut -f 2 -d'/') include hack/make/version.mk .PHONY: build -build: +build: ## build all policies. $(MAKE) $(addsuffix -build, $(POLICIES)) -%-build: version +%-build: version ## build a specific policy. $(MAKE) $(subst :,/,$*)-build-clean $(MAKE) $(subst :,/,$*)-build-image $(MAKE) $(subst :,/,$*)-build-artefacts + $(MAKE) $(subst :,/,$*)-build-metadata -%-build-image: +%-build-image: ## build the container image used to generate a given policy. $(RUNNER) build --build-arg POLICY=$(subst :,/,$*) \ -t rancher-selinux:$(subst :,/,$*) -f Dockerfile . -%-build-clean: +%-build-clean: ## remove any artefacts related to the building of a policy. rm -rf $(shell pwd)/build/$(subst :,/,$*) mkdir -p $(shell pwd)/build/$(subst :,/,$*) -%-build-artefacts: +%-build-artefacts: ## generate artefacts of a given policy. $(RUNNER) run --rm \ -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ -v $(shell pwd)/build/$(subst :,/,$*):/out \ - --workdir /src \ rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE) -version: +%-build-metadata: ## generate repository metadata for a given policy. + $(RUNNER) run --rm \ + -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ + -v $(shell pwd)/build/$(subst :,/,$*):/dist \ + rancher-selinux:$(subst :,/,$*) ./repo-metadata + +version: ## parse and display version. ifdef VERSION_MSG @echo $(VERSION_MSG); exit 1 endif @@ -39,3 +44,6 @@ endif @echo RPM_RELEASE: $(RPM_RELEASE) @echo RPM_CHANNEL: $(RPM_CHANNEL) @echo VERSION: $(VERSION) + +help: ## display Makefile's help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) 
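Review bot: `POLICIES = $(shell find …)` keeps the recursive flavour, so `find` is re-run every time `$(POLICIES)` is expanded (the `$(addsuffix …)` in `build`, `help`, any future target); `POLICIES := $(shell find …)` evaluates it once. In the same hunk `version` and the new `help` target are command targets but only `build` is in `.PHONY:`, so a stray file named `version` or `help` would silently turn them into no-ops — make it `.PHONY: build version help`. The repeated `$(shell pwd)` in the `-v` mounts and in `%-build-clean` can be `$(CURDIR)`, which is a built-in and spawns no subshell; for `rm -rf $(CURDIR)/build/$(subst :,/,$*)` that also removes the (remote) chance of an empty prefix.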
diff --git a/hack/build b/hack/build index a00ed67..12ec0e7 100755 --- a/hack/build +++ b/hack/build @@ -19,7 +19,7 @@ function build(){ --define "_builddir $PWD" \ --define "_srcrpmdir ${OUTDIR}/source" \ --define "_buildrootdir $PWD/.build" \ - --define "_rpmdir ${OUTDIR}/dist" \ + --define "_rpmdir ${OUTDIR}" \ -ba rancher-selinux.spec } diff --git a/hack/repo-metadata b/hack/repo-metadata new file mode 100755 index 0000000..fa88adf --- /dev/null +++ b/hack/repo-metadata @@ -0,0 +1,22 @@ +#!/bin/bash +set -euxo pipefail + +OUTDIR="${OUTDIR:-/dist}" +USER="${USER:-1000}" +GROUP="${GROUP:-1000}" + +DIRS=("noarch" "source") + +function extract_metadata() { + for dir in "${DIRS[@]}"; do + echo "Creating repository metadata for $dir" + createrepo_c "${OUTDIR}/$dir/" + done +} + +function main(){ + extract_metadata + chown -R "${USER}:${GROUP}" "${OUTDIR}/" +} + +main diff --git a/policy/centos7/scripts/repo-metadata b/policy/centos7/scripts/repo-metadata deleted file mode 100755 index 79f8d45..0000000 --- a/policy/centos7/scripts/repo-metadata +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - diff --git a/policy/centos8/scripts/repo-metadata b/policy/centos8/scripts/repo-metadata deleted file mode 100755 index 79f8d45..0000000 --- a/policy/centos8/scripts/repo-metadata +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - diff --git a/policy/centos9/scripts/repo-metadata b/policy/centos9/scripts/repo-metadata deleted file mode 100755 index 79f8d45..0000000 --- a/policy/centos9/scripts/repo-metadata +++ /dev/null 
@@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -yum install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - diff --git a/policy/fedora37/scripts/repo-metadata b/policy/fedora37/scripts/repo-metadata deleted file mode 100755 index f5f400e..0000000 --- a/policy/fedora37/scripts/repo-metadata +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -dnf install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done diff --git a/policy/microos/scripts/repo-metadata b/policy/microos/scripts/repo-metadata deleted file mode 100755 index c92ddc9..0000000 --- a/policy/microos/scripts/repo-metadata +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash -set -e -x - -DIRS=("noarch" "source") - -cd $(dirname $0)/.. -. ./scripts/version - -zypper install -y createrepo_c - -for dir in "${DIRS[@]}"; do - echo "Creating repository metadata for $dir" - createrepo_c "dist/$dir/" -done - From 4490c7c59b2cdbf55b124e2fbb90fe5540450816 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Fri, 19 Jan 2024 18:17:54 +0000 Subject: [PATCH 06/11] build: Add GHA for testing build process Signed-off-by: Paulo Gomes --- .github/workflows/tests.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/tests.yml diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..ceabb35 --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,22 @@ +name: Tests + +on: + push: + pull_request: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v5 + with: + go-version: 'stable' + + - run: make build 
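Review bot: The new workflow references `actions/checkout@v4` and `actions/setup-go@v5` by mutable tag; for a pipeline that later holds signing keys and S3 credentials, pin them to full commit SHAs (`uses: actions/checkout@<sha> # v4`) so a moved tag cannot swap the action body under you. The `setup-go` step looks unnecessary — nothing in the Makefile or the `hack/` scripts in this series invokes Go, and `make build` only needs docker on the runner — so dropping it removes a dependency that can only add attack surface and time. `permissions: contents: read` is the right default and should stay even when release jobs are added.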
From a39f1c669060e19d243e242ecc7f0eae44a8b21b Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 23 Jan 2024 09:14:01 +0000 Subject: [PATCH 07/11] build: Refactor signing process Signed-off-by: Paulo Gomes --- .github/workflows/tests.yml | 2 +- Dockerfile | 17 +++++-- Makefile | 24 ++++++++++ hack/centos7_sign | 93 ++++++++++++++++++++++++++++++++++++ hack/sign | 92 +++++++++++++++++++++++++++++++++++ policy/centos7/scripts/sign | 44 ----------------- policy/centos8/scripts/sign | 71 --------------------------- policy/centos9/scripts/sign | 71 --------------------------- policy/fedora37/scripts/sign | 70 --------------------------- policy/microos/scripts/sign | 71 --------------------------- 10 files changed, 222 insertions(+), 333 deletions(-) create mode 100755 hack/centos7_sign create mode 100755 hack/sign delete mode 100755 policy/centos7/scripts/sign delete mode 100755 policy/centos8/scripts/sign delete mode 100755 policy/centos9/scripts/sign delete mode 100755 policy/fedora37/scripts/sign delete mode 100755 policy/microos/scripts/sign diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ceabb35..12a7e2e 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -19,4 +19,4 @@ jobs: with: go-version: 'stable' - - run: make build + - run: make build DRY_RUN=true diff --git a/Dockerfile b/Dockerfile index 2338d70..d8a7f44 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,8 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign expect + rpm-sign expect \ + unzip # Confirm this is needed, move to final if not. COPY hack/centos7_sign /usr/local/bin/sign @@ -25,7 +26,8 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign + rpm-sign \ + unzip # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign 
@@ -38,7 +40,8 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign + rpm-sign \ + unzip # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign @@ -48,7 +51,9 @@ RUN dnf install -y \ createrepo_c \ container-selinux \ selinux-policy-devel \ - rpm-build + rpm-build \ + rpm-sign \ + unzip # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign @@ -57,7 +62,9 @@ FROM opensuse/tumbleweed as microos RUN zypper install -y \ container-selinux \ selinux-policy-devel \ - rpm-build + rpm-build \ + rpm \ + unzip # libglib is required to install createrepo_c in Tumbleweed. RUN zypper install -y libglib-2_0-0 createrepo_c diff --git a/Makefile b/Makefile index 70ec46a..eb4d8f6 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,19 @@ RUNNER ?= docker POLICIES = $(shell find policy -mindepth 2 -maxdepth 2 -type d | sort -u | cut -f 2 -d'/') +DRY_RUN ?= false +SIGN_KEY_EMAIL ?= ci@rancher.com +PRIVATE_KEY ?= +PRIVATE_KEY_PASS_PHRASE ?= +TESTING_PRIVATE_KEY ?= +TESTING_PRIVATE_KEY_PASS_PHRASE ?= + +ifeq ($(DRY_RUN),true) + DRY_RUN_SIGN := --dry-run +endif + +SHELL := /bin/bash + include hack/make/version.mk .PHONY: build @@ -11,6 +24,7 @@ build: ## build all policies. $(MAKE) $(subst :,/,$*)-build-clean $(MAKE) $(subst :,/,$*)-build-image $(MAKE) $(subst :,/,$*)-build-artefacts + $(MAKE) $(subst :,/,$*)-build-sign $(MAKE) $(subst :,/,$*)-build-metadata %-build-image: ## build the container image used to generate a given policy. 
@@ -27,6 +41,16 @@ build: ## build all policies. -v $(shell pwd)/build/$(subst :,/,$*):/out \ rancher-selinux:$(subst :,/,$*) ./build $(RPM_VERSION) $(RPM_RELEASE) +%-build-sign: ## sign the generate rpms of a given policy. + @$(RUNNER) run --rm \ + -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ + -e SIGN_KEY_EMAIL -e RPM_CHANNEL="$(RPM_CHANNEL)" \ + -e TESTING_PRIVATE_KEY_PASS_PHRASE \ + -e TESTING_PRIVATE_KEY \ + -e PRIVATE_KEY -e PRIVATE_KEY_PASS_PHRASE \ + -v $(shell pwd)/build/$(subst :,/,$*):/dist \ + rancher-selinux:$(subst :,/,$*) sign $(DRY_RUN_SIGN) + %-build-metadata: ## generate repository metadata for a given policy. $(RUNNER) run --rm \ -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ diff --git a/hack/centos7_sign b/hack/centos7_sign new file mode 100755 index 0000000..60e5972 --- /dev/null +++ b/hack/centos7_sign 
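Review bot: `%-build-sign` injects both key pairs (`-e PRIVATE_KEY -e PRIVATE_KEY_PASS_PHRASE` and `-e TESTING_PRIVATE_KEY -e TESTING_PRIVATE_KEY_PASS_PHRASE`) into the container on every run, although the `sign` script picks exactly one pair from `RPM_CHANNEL`; a testing-channel build therefore still carries the production signing key in its environment, readable from `/proc/*/environ` by anything the rpm toolchain executes. Select the pair in make from the same `RPM_CHANNEL` the recipe already passes (after `include hack/make/version.mk`), and keep the `-e NAME` form so the values never reach the command line. A second problem: `-e SIGN_KEY_EMAIL` with no value only forwards a variable present in make's own environment, and make does not export a makefile-defined `SIGN_KEY_EMAIL ?= ci@rancher.com` to recipe shells, so a real signing run that relies on the default fails in the script's `check_vars` — since the email is not secret, pass `-e SIGN_KEY_EMAIL="$(SIGN_KEY_EMAIL)"` (the `--dry-run` path in CI skips `check_vars` and will not catch this).
```make
# Only the key pair for the selected channel is handed to the signing container.
ifeq ($(RPM_CHANNEL),production)
  SIGN_ENV := -e PRIVATE_KEY -e PRIVATE_KEY_PASS_PHRASE
else
  SIGN_ENV := -e TESTING_PRIVATE_KEY -e TESTING_PRIVATE_KEY_PASS_PHRASE
endif

%-build-sign: ## sign the generate rpms of a given policy.
	@$(RUNNER) run --rm \
		-e USER=$(shell id -u) -e GROUP=$(shell id -g) \
		-e SIGN_KEY_EMAIL="$(SIGN_KEY_EMAIL)" -e RPM_CHANNEL="$(RPM_CHANNEL)" \
		$(SIGN_ENV) \
		-v $(shell pwd)/build/$(subst :,/,$*):/dist \
		rancher-selinux:$(subst :,/,$*) sign $(DRY_RUN_SIGN)
```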
@@ -0,0 +1,93 @@ +#!/bin/bash +set -eo pipefail + +PASSPHRASE_VAR="" + +function dryrun() { + export TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) + export PASSPHRASE_VAR=TESTING_PRIVATE_KEY_PASS_PHRASE + + cat <<\EOF >~/.rpmmacros +%_signature gpg +%_gpg_name disposable-ci-test-key +EOF + + gpg --gen-key --batch <(echo "Key-Type: 1"; \ + echo "Key-Length: 2048"; \ + echo "Subkey-Type: 1"; \ + echo "Subkey-Length: 2048"; \ + echo "Expire-Date: 0"; \ + echo "Name-Real: disposable-ci-test-key"; \ + echo "Name-Email: disposable-ci-test-key"; \ + echo "%no-protection"; ) + + sign_rpms +} + +function check_vars() +{ + echo "checking for required vars" + + local required_vars + required_vars=(SIGN_KEY_EMAIL RPM_CHANNEL) + + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." && var_unset=true + done + + [ -n "${var_unset}" ] && exit 1 + return 0 +} + +function import_key() { + cat <<\EOF >~/.rpmmacros +%_signature gpg +%_gpg_name ci@rancher.com +EOF + + case "${RPM_CHANNEL}" in + "testing") + PASSPHRASE_VAR="TESTING_PRIVATE_KEY_PASS_PHRASE" + KEY_VAR="TESTING_PRIVATE_KEY" + ;; + "production") + PASSPHRASE_VAR="PRIVATE_KEY_PASS_PHRASE" + KEY_VAR="PRIVATE_KEY" + ;; + *) + echo "RPM_CHANNEL ${RPM_CHANNEL} does not match one of: [testing, production]" + exit 1 + ;; + esac + + if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"${!KEY_VAR}"; then + echo "${KEY_VAR} not defined, failing rpm sign" + exit 1 + fi + gpg --import - <<<"${!KEY_VAR}" + echo "Signing keys imported successfully" +} + +function sign_rpms() { + expect < /dev/null; then + echo "${KEY_VAR} not defined, failing rpm sign" + exit 1 + fi + echo "Importing GPG private key ${KEY_VAR}" + gpg --yes --pinentry-mode loopback --batch --passphrase "${!PASSPHRASE_VAR}" --import - <<< "${TESTING_PRIVATE_KEY}" + echo "Signing keys imported successfully" +} + +function sign_rpms(){ + gpg --armor --export --output "${SIGN_KEY_EMAIL}" "${SIGN_KEY_EMAIL}" + rpm --import "${SIGN_KEY_EMAIL}" + + echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" + rpmsign --addsign /dist/**/rancher-*.rpm \ + --define "_gpg_name ${SIGN_KEY_EMAIL}" \ + --define "_gpgbin /usr/bin/gpg" \ + --define "__gpg_sign_cmd %{__gpg} gpg \ + --batch \ + --no-armor \ + --pinentry-mode loopback \ + --passphrase ${!PASSPHRASE_VAR} \ + -u %{_gpg_name} \ + -sbo %{__signature_filename} \ + --digest-algo sha256 %{__plaintext_filename}" +} + +function verify_signatures(){ + echo "Verifying RPMs signatures" + rpm --checksig --verbose /dist/**/rancher-*.rpm +} + +function main (){ + check_vars + check_channel + sign_rpms + verify_signatures +} + +if [[ "$1" == "--dry-run" ]]; then + dryrun +else + main +fi diff --git a/policy/centos7/scripts/sign b/policy/centos7/scripts/sign deleted file mode 100755 index 8453718..0000000 --- a/policy/centos7/scripts/sign +++ /dev/null 
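Review bot: In the import step near the end of this listing the key is fed to gpg as `--import - <<< "${TESTING_PRIVATE_KEY}"` even though `KEY_VAR` was just selected from `RPM_CHANNEL`; for `production` this imports the testing key (or an empty string) instead of `PRIVATE_KEY`, and the later `rpmsign -u ${SIGN_KEY_EMAIL}` then either fails or signs with whichever imported key carries that uid. It should read `gpg --yes --pinentry-mode loopback --batch --passphrase "${!PASSPHRASE_VAR}" --import - <<< "${!KEY_VAR}"`, matching the `grep` guard two lines above it. In `hack/centos7_sign`, `import_key` still writes `%_gpg_name ci@rancher.com` into `~/.rpmmacros` although `check_vars` requires `SIGN_KEY_EMAIL`; use `%_gpg_name ${SIGN_KEY_EMAIL}` (and `<<EOF` instead of `<<\EOF` so it expands) or the two can silently disagree. The listing is cut between `expect <` and the rest of the second script, so the `expect` heredoc, the `hack/sign` file header and the name of the function holding the import are not visible here.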
@@ -1,44 +0,0 @@ -#!/bin/bash -set -e -x - -yum install -y rpm-sign expect - -cd $(dirname $0)/.. -. ./scripts/version - -cat <<\EOF >~/.rpmmacros -%_signature gpg -%_gpg_name ci@rancher.com -EOF - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - gpg --import - <<<"$TESTING_PRIVATE_KEY" - ;; - "production") - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - gpg --import - <<<"$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -expect < /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm - diff --git a/policy/centos9/scripts/sign b/policy/centos9/scripts/sign deleted file mode 100755 index 2cf8568..0000000 --- a/policy/centos9/scripts/sign +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -yum install -y rpm-sign - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm - diff --git a/policy/fedora37/scripts/sign b/policy/fedora37/scripts/sign deleted file mode 100755 index 33db6cb..0000000 --- a/policy/fedora37/scripts/sign +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -dnf install -y rpm-sign - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm \ No newline at end of file diff --git a/policy/microos/scripts/sign b/policy/microos/scripts/sign deleted file mode 100755 index f3225da..0000000 --- a/policy/microos/scripts/sign +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/bin/bash -set -e - -DRY_RUN=$1 -SIGN_KEY_EMAIL="ci@rancher.com" - -export GPG_TTY=$(tty) - -zypper install -y rpm - -cd $(dirname $0)/.. -. ./scripts/version - -if [ "${DRY_RUN}" = "--dry-run" ] -then - echo "!! Executing in dry-run mode" - echo "!! Generating a temporary disposable GPG key to test the signing" - echo "!! process (this is only useful when testing PRs)" - - SIGN_KEY_EMAIL="disposable-ci-test-key" - TESTING_PRIVATE_KEY_PASS_PHRASE=$(cat /dev/urandom | tr -dc A-Za-z0-9 | head -c20) - RPM_CHANNEL="testing" - - gpg --no-tty --quick-gen-key --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --yes "$SIGN_KEY_EMAIL" rsa2048 - - TESTING_PRIVATE_KEY=$(gpg --armor --pinentry-mode loopback --passphrase "$TESTING_PRIVATE_KEY_PASS_PHRASE" --export-secret-key "$SIGN_KEY_EMAIL") -fi - -case "$RPM_CHANNEL" in - "testing") - export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE - if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY" > /dev/null; then - echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key TESTING_PRIVATE_KEY" - gpg --yes --pinentry-mode loopback --batch --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$TESTING_PRIVATE_KEY" - ;; - "production") - if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY" > /dev/null; then - echo "PRIVATE_KEY not defined, failing rpm sign" - exit 1 - fi - echo "Importing GPG private key PRIVATE_KEY" - gpg --yes --batch --pinentry-mode loopback --passphrase $PRIVATE_KEY_PASS_PHRASE --import - <<< "$PRIVATE_KEY" - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -gpg --armor --export --output "$SIGN_KEY_EMAIL" "$SIGN_KEY_EMAIL" -rpm --import "$SIGN_KEY_EMAIL" - -echo "Signing RPMs with ${SIGN_KEY_EMAIL} GPG KEY" -rpmsign --addsign dist/**/rancher-*.rpm \ - --define "_gpg_name ${SIGN_KEY_EMAIL}" \ - --define "_gpgbin /usr/bin/gpg" \ - --define "__gpg_sign_cmd %{__gpg} gpg \ - --batch \ - --no-armor \ - --pinentry-mode loopback \ - --passphrase ${PRIVATE_KEY_PASS_PHRASE} \ - -u %{_gpg_name} \ - -sbo %{__signature_filename} \ - --digest-algo sha256 %{__plaintext_filename}" - -echo "Verifying RPMs signatures" -rpm --checksig --verbose dist/**/rancher-*.rpm - From 804b8daedbab7e2c68c5d781249e60c0871e9fe5 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 23 Jan 2024 11:32:19 +0000 Subject: [PATCH 08/11] build: Refactor upload process 
Signed-off-by: Paulo Gomes --- Makefile | 28 +++++++++- hack/make/tools.mk | 7 +++ hack/upload | 85 +++++++++++++++++++++++++++++ policy/centos7/scripts/upload-repo | 72 ------------------------ policy/centos8/scripts/upload-repo | 73 ------------------------- policy/centos9/scripts/upload-repo | 73 ------------------------- policy/fedora37/scripts/upload-repo | 72 ------------------------ policy/microos/scripts/upload-repo | 73 ------------------------- 8 files changed, 117 insertions(+), 366 deletions(-) create mode 100644 hack/make/tools.mk create mode 100755 hack/upload delete mode 100755 policy/centos7/scripts/upload-repo delete mode 100755 policy/centos8/scripts/upload-repo delete mode 100755 policy/centos9/scripts/upload-repo delete mode 100755 policy/fedora37/scripts/upload-repo delete mode 100755 policy/microos/scripts/upload-repo diff --git a/Makefile b/Makefile index eb4d8f6..8c8603a 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,7 @@ RUNNER ?= docker -POLICIES = $(shell find policy -mindepth 2 -maxdepth 2 -type d | sort -u | cut -f 2 -d'/') +POLICIES = $(shell find policy -mindepth 1 -maxdepth 1 -type d | sort -u | cut -f 2 -d'/') +# GPG Signing DRY_RUN ?= false SIGN_KEY_EMAIL ?= ci@rancher.com PRIVATE_KEY ?= @@ -8,6 +9,14 @@ PRIVATE_KEY_PASS_PHRASE ?= TESTING_PRIVATE_KEY ?= TESTING_PRIVATE_KEY_PASS_PHRASE ?= +# S3 Upload +TESTING_AWS_ACCESS_KEY_ID ?= +TESTING_AWS_SECRET_ACCESS_KEY ?= +TESTING_AWS_S3_BUCKET ?= +PRODUCTION_AWS_ACCESS_KEY_ID ?= +PRODUCTION_AWS_SECRET_ACCESS_KEY ?= +PRODUCTION_AWS_S3_BUCKET ?= + ifeq ($(DRY_RUN),true) DRY_RUN_SIGN := --dry-run endif @@ -15,6 +24,7 @@ endif SHELL := /bin/bash include hack/make/version.mk +include hack/make/tools.mk .PHONY: build build: ## build all policies. 
@@ -55,7 +65,20 @@ build: ## build all policies. $(RUNNER) run --rm \ -e USER=$(shell id -u) -e GROUP=$(shell id -g) \ -v $(shell pwd)/build/$(subst :,/,$*):/dist \ - rancher-selinux:$(subst :,/,$*) ./repo-metadata + rancher-selinux:$(subst :,/,$*) ./metadata + +upload: $(AWSCLI) version ## uploads all artefacts from each policy into S3. + $(MAKE) $(addsuffix -upload, $(POLICIES)) + +%-upload: + RPM_CHANNEL=$(RPM_CHANNEL) POLICY=$(subst :,/,$*) \ + TESTING_AWS_ACCESS_KEY_ID="$(TESTING_AWS_ACCESS_KEY_ID)" \ + TESTING_AWS_SECRET_ACCESS_KEY="$(TESTING_AWS_SECRET_ACCESS_KEY)" \ + TESTING_AWS_S3_BUCKET="$(TESTING_AWS_S3_BUCKET)" \ + PRODUCTION_AWS_ACCESS_KEY_ID="$(PRODUCTION_AWS_ACCESS_KEY_ID)" \ + PRODUCTION_AWS_SECRET_ACCESS_KEY="$(PRODUCTION_AWS_SECRET_ACCESS_KEY)" \ + PRODUCTION_AWS_S3_BUCKET="$(PRODUCTION_AWS_S3_BUCKET)" \ + ./hack/upload version: ## parse and display version. ifdef VERSION_MSG @@ -63,7 +86,6 @@ ifdef VERSION_MSG endif @echo Version Information - @echo @echo RPM_VERSION: $(RPM_VERSION) @echo RPM_RELEASE: $(RPM_RELEASE) @echo RPM_CHANNEL: $(RPM_CHANNEL) diff --git a/hack/make/tools.mk b/hack/make/tools.mk new file mode 100644 index 0000000..a2c5e42 --- /dev/null +++ b/hack/make/tools.mk @@ -0,0 +1,7 @@ +TOOLS_BIN := $(shell mkdir -p build/tools && realpath build/tools) + +AWSCLI = $(TOOLS_BIN)/aws/dist/aws +$(AWSCLI): ## Download awscliv2 if not yet downloaded. + curl "https://awscli.amazonaws.com/awscli-exe-linux-$(shell uname -m).zip" -o "$(TOOLS_BIN)/awscliv2.zip" + cd $(TOOLS_BIN) && unzip -q $(TOOLS_BIN)/awscliv2.zip + rm $(TOOLS_BIN)/awscliv2.zip diff --git a/hack/upload b/hack/upload new file mode 100755 index 0000000..0ccfe58 --- /dev/null +++ b/hack/upload 
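Review bot: The `%-upload` recipe is not `@`-prefixed, so make echoes the expanded command — including `TESTING_AWS_SECRET_ACCESS_KEY="…"` and `PRODUCTION_AWS_SECRET_ACCESS_KEY="…"` — to stdout before running it, and the values also sit on the `./hack/upload` command line where any process on the runner can read them from `ps`; `%-build-sign` earlier in this series avoids both by using `@` and `-e NAME`. A second issue: `upload` depends on `$(AWSCLI)` (`build/tools/aws/dist/aws`) but nothing puts that directory on `PATH`, and `hack/upload` calls bare `aws`, so the download is unused and the target fails on a host without a system `aws`. Export the credentials from make instead of interpolating them, and prepend `$(dir $(AWSCLI))` to `PATH` for the script.
```make
# Hand the S3 credentials to hack/upload through the environment, never on the command line.
export TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET
export PRODUCTION_AWS_ACCESS_KEY_ID PRODUCTION_AWS_SECRET_ACCESS_KEY PRODUCTION_AWS_S3_BUCKET

%-upload: $(AWSCLI)
	@PATH="$(dir $(AWSCLI)):$$PATH" RPM_CHANNEL=$(RPM_CHANNEL) POLICY=$(subst :,/,$*) ./hack/upload
```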
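Review bot: `$(AWSCLI)` fetches `awscli-exe-linux-$(uname -m).zip` over the network and unpacks it with no integrity check, and that binary is the one that later receives the production S3 credentials; anyone able to serve that URL (or a CDN mishap) gets code running with them. AWS publishes a detached PGP signature at the same URL with `.sig` appended and documents its signing key, so pin a version, commit that public key to the repo, and `gpg --verify` before `unzip`; at minimum compare a recorded sha256. `curl` should also be `curl -fsSL` so an HTTP error body is not written to `awscliv2.zip`, and the `.zip`/`.sig` should only be unpacked after verification succeeds.
```make
AWSCLI_VERSION ?= 2.15.0
AWSCLI_URL := https://awscli.amazonaws.com/awscli-exe-linux-$(shell uname -m)-$(AWSCLI_VERSION).zip

$(AWSCLI): ## Download and verify a pinned awscliv2 release.
	curl -fsSL "$(AWSCLI_URL)" -o "$(TOOLS_BIN)/awscliv2.zip"
	curl -fsSL "$(AWSCLI_URL).sig" -o "$(TOOLS_BIN)/awscliv2.zip.sig"
	gpg --no-default-keyring --keyring "$(TOOLS_BIN)/awscli.kbx" --import hack/awscli-signing-key.asc
	gpg --no-default-keyring --keyring "$(TOOLS_BIN)/awscli.kbx" --verify "$(TOOLS_BIN)/awscliv2.zip.sig" "$(TOOLS_BIN)/awscliv2.zip"
	cd $(TOOLS_BIN) && unzip -q awscliv2.zip && rm awscliv2.zip awscliv2.zip.sig
```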
@@ -0,0 +1,85 @@ +#!/bin/bash +set -eo pipefail + +declare AWS_S3_BUCKET_VAR + +function check_vars() +{ + echo "checking for required vars" + + local required_vars + required_vars=(RPM_CHANNEL POLICY) + + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." && var_unset=true + done + + [ -n "${var_unset}" ] && exit 1 + return 0 +} + +function aws_auth() +{ + case "${RPM_CHANNEL}" in + "testing") + export AWS_ACCESS_KEY_ID="${TESTING_AWS_ACCESS_KEY_ID}" + export AWS_SECRET_ACCESS_KEY="${TESTING_AWS_SECRET_ACCESS_KEY}" + export AWS_S3_BUCKET_VAR=TESTING_AWS_S3_BUCKET + ;; + "production") + export AWS_ACCESS_KEY_ID="${PRODUCTION_AWS_ACCESS_KEY_ID}" + export AWS_SECRET_ACCESS_KEY="${PRODUCTION_AWS_SECRET_ACCESS_KEY}" + export AWS_S3_BUCKET_VAR=PRODUCTION_AWS_S3_BUCKET + ;; + *) + echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" + exit 1 + ;; + esac + + required_vars=("${AWS_S3_BUCKET_VAR}" AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY) + for var in "${required_vars[@]}"; do + [ -z "${!var}" ] && echo "$var is not set." && var_unset=true + done + + [ -n "${var_unset}" ] && echo "failing rpm upload" && exit 1 + return 0 +} + +function upload_artefacts() +{ + case "${POLICY}" in + "centos7") + S3_POLICY_DIR="centos/7" + ;; + "centos8") + S3_POLICY_DIR="centos/8" + ;; + "centos9") + S3_POLICY_DIR="centos/9" + ;; + "fedora37") + S3_POLICY_DIR="fedora/37" + ;; + "microos") + S3_POLICY_DIR="microos" + ;; + *) + echo "unsupported policy: ${POLICY}" + exit 1 + ;; + esac + + echo "Uploading RPMs packages and repo metadata files" + aws s3 cp "build/${POLICY}/noarch/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/noarch/" --recursive + aws s3 cp "build/${POLICY}/source/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/source/" --recursive +} + +function main() +{ + check_vars + aws_auth + upload_artefacts +} + +main 
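Review bot: `upload_artefacts` pushes `build/${POLICY}/noarch/` in a single recursive `aws s3 cp`, which — assuming createrepo_c left its `repodata/` inside that directory, as `hack/repo-metadata` runs it on `${OUTDIR}/noarch/` — re-publishes `repomd.xml` in the same non-atomic pass as the packages, so a client refreshing mid-upload can receive metadata naming an RPM that is not there yet, or the reverse. Upload the packages first and the metadata last, for both `noarch` and `source`, and add `--only-show-errors` so the log does not enumerate every object. Nothing here checks that the artefacts being published were signed with the channel key — a `DRY_RUN=true` build signs with the disposable CI key generated by the sign script — so an `rpm --checksig` against the expected public key before `aws_auth` selects production credentials would be a cheap guard, if `rpm` is available on the host running this script.
```shell
    # … unchanged: POLICY -> S3_POLICY_DIR case …
    for dir in noarch source; do
        src="build/${POLICY}/${dir}/"
        dst="s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/${dir}/"
        # Packages first, repodata last, so repomd.xml never references an object that is not yet uploaded.
        aws s3 cp "${src}" "${dst}" --recursive --exclude "repodata/*" --only-show-errors
        aws s3 cp "${src}repodata/" "${dst}repodata/" --recursive --only-show-errors
    done
```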
diff --git a/policy/centos7/scripts/upload-repo b/policy/centos7/scripts/upload-repo deleted file mode 100755 index 1c499b5..0000000 --- a/policy/centos7/scripts/upload-repo +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -yum install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL7_S3_PATH="rancher/$RPM_CHANNEL/centos/7/noarch" -TARGET_EL7_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/7/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -aws s3 cp dist/noarch s3://"$AWS_S3_BUCKET"/"$TARGET_EL7_S3_PATH"/ --recursive -aws s3 cp dist/source s3://"$AWS_S3_BUCKET"/"$TARGET_EL7_SOURCE_S3_PATH"/ --recursive - 
diff --git a/policy/centos8/scripts/upload-repo b/policy/centos8/scripts/upload-repo deleted file mode 100755 index 115186a..0000000 --- a/policy/centos8/scripts/upload-repo +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -yum install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL8_S3_PATH="rancher/$RPM_CHANNEL/centos/8/noarch" -TARGET_EL8_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/8/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL8_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL8_SOURCE_S3_PATH"/ 
--recursive - diff --git a/policy/centos9/scripts/upload-repo b/policy/centos9/scripts/upload-repo deleted file mode 100755 index 74d08e0..0000000 --- a/policy/centos9/scripts/upload-repo +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -yum install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_EL9_S3_PATH="rancher/$RPM_CHANNEL/centos/9/noarch" -TARGET_EL9_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/centos/9/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL9_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_EL9_SOURCE_S3_PATH"/ 
--recursive - diff --git a/policy/fedora37/scripts/upload-repo b/policy/fedora37/scripts/upload-repo deleted file mode 100755 index 2e8a90b..0000000 --- a/policy/fedora37/scripts/upload-repo +++ /dev/null 
@@ -1,72 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -dnf install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_FC37_S3_PATH="rancher/$RPM_CHANNEL/fedora/37/noarch" -TARGET_FC37_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/fedora/37/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_FC37_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_FC37_SOURCE_S3_PATH"/ 
--recursive \ No newline at end of file diff --git a/policy/microos/scripts/upload-repo b/policy/microos/scripts/upload-repo deleted file mode 100755 index 7e43466..0000000 --- a/policy/microos/scripts/upload-repo +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/bin/bash -set -e -x - -cd $(dirname $0)/.. -. ./scripts/version - -# Package required to unzip awscliv2.zip -zypper install -y unzip - -# Install the awscli-v2 from AWS -curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" -unzip -q awscliv2.zip -./aws/install - -# Test if awscli-v2 is installed -if aws --version &> /dev/null; then - echo "AWS CLI is installed." -else - echo "AWS CLI not found, exiting." - exit 1 -fi - -# Prepare and Upload RPMs -if [ -z "$RPM_CHANNEL" ]; then - echo "RPM_CHANNEL not defined, failing rpm upload" - exit 1 -fi - -TARGET_SLE_S3_PATH="rancher/$RPM_CHANNEL/microos/noarch" -TARGET_SLE_SOURCE_S3_PATH="rancher/$RPM_CHANNEL/microos/source" - -case "$RPM_CHANNEL" in - "testing") - if [ -z "$TESTING_AWS_S3_BUCKET" ]; then - echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then - echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then - echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID - export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY - export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET - ;; - "production") - if [ -z "$AWS_S3_BUCKET" ]; then - echo "AWS_S3_BUCKET not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_ACCESS_KEY_ID" ]; then - echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" - exit 1 - fi - if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then - echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" - exit 1 - fi - ;; - *) - echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" - exit 1 - ;; -esac - -echo "Uploading RPMs packages and repo metadata files" -aws s3 cp dist/noarch/ s3://"$AWS_S3_BUCKET"/"$TARGET_SLE_S3_PATH"/ --recursive -aws s3 cp dist/source/ s3://"$AWS_S3_BUCKET"/"$TARGET_SLE_SOURCE_S3_PATH"/ 
--recursive - From 6d43eef81d30c1445447977c73986c6b5882fd64 Mon Sep 17 00:00:00 2001 From: Paulo Gomes Date: Tue, 23 Jan 2024 12:09:55 +0000 Subject: [PATCH 09/11] build: Transition release from drone to GHA Signed-off-by: Paulo Gomes --- .drone.yml | 470 ------------------------------- .github/workflows/release.yml | 37 +++ Dockerfile | 17 +- hack/{repo-metadata => metadata} | 0 4 files changed, 43 insertions(+), 481 deletions(-) delete mode 100644 .drone.yml create mode 100644 .github/workflows/release.yml rename hack/{repo-metadata => metadata} (100%) diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 21b8521..0000000 --- a/.drone.yml +++ /dev/null 
@@ -1,470 +0,0 @@ ---- -kind: pipeline -name: RPM Build EL7 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL7 - image: centos:7 - commands: - - policy/centos7/scripts/build - -- name: Sign RPM EL7 - image: centos:7 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos7/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL7 - image: centos:7 - commands: - - policy/centos7/scripts/repo-metadata - -- name: Upload RPM EL7 - image: centos:7 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos7/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL7 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos7-noarch.txt - checksum_flatten: true - files: - - "policy/centos7/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag ---- -kind: pipeline -name: RPM Build EL8 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/build - -- name: Sign RPM EL8 (dry-run) - image: 
quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos8/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/repo-metadata - -- name: Yum Repo Upload RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos8/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL8 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos8-noarch.txt - checksum_flatten: true - files: - - "policy/centos8/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build EL9 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/build - -- name: Sign RPM EL9 (dry-run) - image: 
quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos9/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/repo-metadata - -- name: Upload RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos9/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL9 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos9-noarch.txt - checksum_flatten: true - files: - - "policy/centos9/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build MicroOS - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM MicroOS - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/build - -- name: Sign RPM MicroOS (dry-run) - image: opensuse/tumbleweed - 
commands: - - policy/microos/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM MicroOS - image: opensuse/tumbleweed - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/microos/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Microos - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/repo-metadata - -- name: Yum Repo Upload RPM MicroOS - image: opensuse/tumbleweed - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/microos/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM MicroOS - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-microos-noarch.txt - checksum_flatten: true - files: - - "policy/microos/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build Fedora37 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/build - -- name: Sign RPM Fedora37 (dry-run) - image: fedora:37 - commands: - - policy/fedora37/scripts/sign --dry-run - 
when: - event: - - pull_request - -- name: Sign RPM Fedora37 - image: fedora:37 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/fedora37/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/repo-metadata - -- name: Yum Repo Upload Fedora37 - image: fedora:37 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/fedora37/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release Fedora37 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-fedora37-noarch.txt - checksum_flatten: true - files: - - "policy/fedora37/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..157cfe2 --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,37 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - v*
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: 'stable'
+
+ - run: make build
+ env:
+ PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+ PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }}
+ TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }}
+ TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }}
+
+ - run: make upload
+ env:
+ TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }}
+ TESTING_AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }}
+ TESTING_AWS_S3_BUCKET: ${{ secrets.TESTING_AWS_S3_BUCKET }}
+ PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
+ PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
+ PRODUCTION_AWS_S3_BUCKET: ${{ secrets.PRODUCTION_AWS_S3_BUCKET }}
diff --git a/Dockerfile b/Dockerfile
index d8a7f44..411c33c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,8 +12,7 @@ RUN yum install -y \
 selinux-policy-devel \
 yum-utils \
 rpm-build \
- rpm-sign expect \
- unzip
+ rpm-sign expect
 # Confirm this is needed, move to final if not.
 COPY hack/centos7_sign /usr/local/bin/sign
@@ -26,8 +25,7 @@ RUN yum install -y \
 selinux-policy-devel \
 yum-utils \
 rpm-build \
- rpm-sign \
- unzip
+ rpm-sign
 # Move to final stage if centos7_sign is removed.
 COPY hack/sign /usr/local/bin/sign
@@ -40,8 +38,7 @@ RUN yum install -y \
 selinux-policy-devel \
 yum-utils \
 rpm-build \
- rpm-sign \
- unzip
+ rpm-sign
 # Move to final stage if centos7_sign is removed.
 COPY hack/sign /usr/local/bin/sign
@@ -52,8 +49,7 @@ RUN dnf install -y \
 container-selinux \
 selinux-policy-devel \
 rpm-build \
- rpm-sign \
- unzip
+ rpm-sign
 # Move to final stage if centos7_sign is removed.
 COPY hack/sign /usr/local/bin/sign
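Review bot: `actions/checkout@v4` and `actions/setup-go@v5` are pinned only by major tag, yet this job receives the signing keys and both sets of S3 credentials, so a moved or compromised tag would run arbitrary code with them; pin each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. The production credentials are handed to `make upload` on every `v*` tag push with no approval step, whereas the deleted `.drone.yml` additionally gated publishing on a specific instance; binding the job to a GitHub `environment:` with required reviewers would restore a comparable gate. `permissions: contents: read` is the right default for this workflow.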
@@ -63,8 +59,7 @@ RUN zypper install -y \
 container-selinux \
 selinux-policy-devel \
 rpm-build \
- rpm \
- unzip
+ rpm
 # libglib is required to install createrepo_c in Tumbleweed.
 RUN zypper install -y libglib-2_0-0 createrepo_c
@@ -82,4 +77,4 @@ COPY policy/${POLICY}/rancher-selinux.spec \
 policy/${POLICY}/rancher.fc \
 policy/${POLICY}/rancher.te \
 hack/build \
- hack/repo-metadata .
+ hack/metadata .
diff --git a/hack/repo-metadata b/hack/metadata
similarity index 100%
rename from hack/repo-metadata
rename to hack/metadata
From 8b1f6c84e828c0615c0762a6dd8ff1090d2e761b Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 24 Jan 2024 17:58:43 +0000
Subject: [PATCH 10/11] build: Fix aws cli path
Signed-off-by: Paulo Gomes
---
 hack/upload | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hack/upload b/hack/upload
index 0ccfe58..6a0b8de 100755
--- a/hack/upload
+++ b/hack/upload
@@ -3,6 +3,9 @@ set -eo pipefail
 declare AWS_S3_BUCKET_VAR
+TOOLS_BIN="${TOOLS_BIN:-build/tools}"
+AWS_BIN="${TOOLS_BIN}/aws/dist/aws"
+
 function check_vars()
 {
 echo "checking for required vars"
@@ -71,8 +74,8 @@ function upload_artefacts()
 esac
 echo "Uploading RPMs packages and repo metadata files"
- aws s3 cp "build/${POLICY}/noarch/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/noarch/" --recursive
- aws s3 cp "build/${POLICY}/source/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/source/" --recursive
+ "${AWS_BIN}" s3 cp "build/${POLICY}/noarch/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/noarch/" --recursive
+ "${AWS_BIN}" s3 cp "build/${POLICY}/source/" "s3://${!AWS_S3_BUCKET_VAR}/rancher/${RPM_CHANNEL}/${S3_POLICY_DIR}/source/" --recursive
 }
 function main()
From 0a78af5e8ffa690f10ebc4a4cc09b81765162fdb Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Thu, 25 Jan 2024 17:24:53 +0000
Subject: [PATCH 11/11] build: Fix production sign process
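Review bot: `AWS_BIN` is defined in the first hack/upload hunk and used in the second without any check that the binary exists, so a missing or half-unpacked bundle under `build/tools` fails only after check_vars has passed, with a bare "No such file or directory"; add a guard before the cp calls, `[ -x "${AWS_BIN}" ] || { echo "aws cli not found at ${AWS_BIN}" >&2; exit 1; }`. Both `TOOLS_BIN` and the `build/${POLICY}/...` sources are relative paths, so the script only works when invoked from the repository root; a comment above `TOOLS_BIN` stating that, or resolving against `$(dirname "$0")/..`, would make the assumption explicit. How the aws bundle under `build/tools` is obtained and verified is not visible in this patch. check_vars and upload_artefacts both continue outside the hunks.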
Signed-off-by: Paulo Gomes
---
 hack/sign | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/sign b/hack/sign
index a95dda7..059d3d1 100755
--- a/hack/sign
+++ b/hack/sign
@@ -51,7 +51,7 @@ function check_channel(){
 exit 1
 fi
 echo "Importing GPG private key ${KEY_VAR}"
- gpg --yes --pinentry-mode loopback --batch --passphrase "${!PASSPHRASE_VAR}" --import - <<< "${TESTING_PRIVATE_KEY}"
+ gpg --yes --pinentry-mode loopback --batch --passphrase "${!PASSPHRASE_VAR}" --import - <<< "${!KEY_VAR}"
 echo "Signing keys imported successfully"
 }
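Review bot: The passphrase is still passed as a command-line argument, `--passphrase "${!PASSPHRASE_VAR}"`, so it is visible to any process listing on the runner and would be printed verbatim if the script is ever run with xtrace enabled; the switch to `${!KEY_VAR}` is correct but leaves that exposure in place. gpg can read the secret from a separate file descriptor while stdin still carries the key: `gpg --yes --pinentry-mode loopback --batch --passphrase-fd 3 --import - <<< "${!KEY_VAR}" 3<<< "${!PASSPHRASE_VAR}"`. The here-strings themselves materialise the key and passphrase in a temporary file for the duration of the command, which is acceptable in an ephemeral CI container but deserves a one-line comment above the call. check_channel starts outside the hunk, so whether the dry-run path skips the import is not visible here.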