
[Packaging] Use CentOS Stream 8 to build el8 RPM package #20918

Merged
merged 12 commits into from
Mar 15, 2022
@jiasli jiasli commented Jan 6, 2022

Description

#11204 added el8 for RHEL 8 but was reverted by #11325.

As CentOS 7's RPM (4.11.3) can't generate SHA256 digests and causes failures on FIPS-enabled RHEL systems (#20719), we have to use CentOS Stream 8's RPM (4.14.3) to build.

Now we can see Payload SHA256 digest is calculated as expected:

$ docker run -it --rm quay.io/centos/centos:stream8

# curl 'https://artprodcus3.artifacts.visualstudio.com/A0fb41ef4-5012-48a9-bf39-4ee3de03ee35/29ec6040-b234-4e31-b139-33dc4287b756/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL2F6dXJlLXNkay9wcm9qZWN0SWQvMjllYzYwNDAtYjIzNC00ZTMxLWIxMzktMzNkYzQyODdiNzU2L2J1aWxkSWQvMTI3ODY5MC9hcnRpZmFjdE5hbWUveXVtLWNlbnRvc19zdHJlYW040/content?format=file&subPath=%2Fazure-cli-2.32.0-1.el8.x86_64.rpm' -o azure-cli.rpm

# rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

References
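As an added illustration of the digest problem described above (this is not code from the PR or the Azure CLI project), the following Python reads an RPM's signature header and main header directly and reports whether the main header carries RPMTAG_PAYLOADDIGEST / RPMTAG_PAYLOADDIGESTALGO, which is what `rpm --checksig --verbose` shows as the "Payload SHA256 digest" line and what rpm 4.11 never writes. The tag numbers and type ids are the ones rpm 4.14 defines; `make_test_rpm` builds constructed, header-only blobs so the check runs without a real package.

```python
import struct
# An RPM is a 96-byte lead, a signature header (padded to 8 bytes), the main header, then the payload.
LEAD_MAGIC, HEADER_MAGIC = b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
RPMTAG_NAME, RPMTAG_PAYLOADDIGEST, RPMTAG_PAYLOADDIGESTALGO = 1000, 5092, 5093  # 509x: rpm >= 4.14
INT32, STRING, STRING_ARRAY, PGPHASHALGO_SHA256 = 4, 6, 8, 8   # rpm type ids; algo 8 = SHA-256

def _read_header(buf, off):
    """Parse one header section at buf[off:]; return ({tag: values}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start, data_start = off + 16, off + 16 + 16 * nindex
    data, tags = buf[data_start:data_start + hsize], {}
    for i in range(nindex):
        tag, typ, pos, count = struct.unpack(">IIII", buf[index_start + 16 * i:][:16])
        if typ == INT32:
            tags[tag] = struct.unpack(">%dI" % count, data[pos:pos + 4 * count])
        elif typ in (STRING, STRING_ARRAY):   # `count` NUL-terminated strings
            tags[tag] = tuple(v.decode() for v in data[pos:].split(b"\0")[:count])
    return tags, data_start + hsize

def payload_digest_info(rpm_bytes):
    """Report the payload digest the main header carries; rpm 4.11 (CentOS 7) writes none."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    _sig, end = _read_header(rpm_bytes, 96)
    hdr, _ = _read_header(rpm_bytes, end + (-end % 8))   # skip signature-header padding
    algo, digests = hdr.get(RPMTAG_PAYLOADDIGESTALGO, (None,))[0], hdr.get(RPMTAG_PAYLOADDIGEST, ())
    return {"algo": algo, "digests": digests, "fips_ok": algo == PGPHASHALGO_SHA256 and len(digests) > 0}

def _encode_header(entries):  # encode [(tag, type, values)] as a header section (test data only)
    index, data = b"", b""
    for tag, typ, values in entries:
        if typ == INT32:
            data += b"\0" * (-len(data) % 4)   # INT32 data is 4-byte aligned
            blob = struct.pack(">%dI" % len(values), *values)
        else:
            blob = b"".join(v.encode() + b"\0" for v in values)
        index += struct.pack(">IIII", tag, typ, len(data), len(values))
        data += blob
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def make_test_rpm(name, sha256_hex=None):
    """Constructed minimal RPM-shaped blob (no payload), with or without a payload digest."""
    sig = _encode_header([(1000, INT32, (0,))])          # RPMSIGTAG_SIZE; value irrelevant here
    main = [(RPMTAG_NAME, STRING, (name,))]
    if sha256_hex:
        main += [(RPMTAG_PAYLOADDIGEST, STRING_ARRAY, (sha256_hex,)),
                 (RPMTAG_PAYLOADDIGESTALGO, INT32, (PGPHASHALGO_SHA256,))]
    return LEAD_MAGIC + b"\0" * 92 + sig + b"\0" * (-len(sig) % 8) + _encode_header(main)
```

Run `payload_digest_info(open("azure-cli.rpm", "rb").read())` on a real package to get the same answer `rpm --checksig` gives, without needing rpm installed on the checking host.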

ARG cli_version=dev

RUN yum update -y
RUN yum install -y wget rpm-build gcc libffi-devel python3-devel openssl-devel make bash diffutils patch dos2unix python3-virtualenv perl
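Review bot: `RUN yum update -y` in the builder image pulls whatever package set is current on the day of the build, so two builds of the same commit can link against different rpm-build/openssl versions; either drop the update step and rely on the pinned base image, or fold it into the install line (`RUN yum update -y && yum install -y ... && yum clean all`) so the image has one layer and no stale metadata.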
Member Author

coreutils is not compatible with preinstalled coreutils-single, so we don't need to install coreutils.

# dnf list installed | grep coreutils
coreutils-single.x86_64                       8.30-12.el8                     @baseos

# yum install -y coreutils
Last metadata expiration check: 0:13:00 ago on Thu Jan  6 09:04:58 2022.
Error:
 Problem: problem with installed package coreutils-single-8.30-12.el8.x86_64
  - package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-12.el8.x86_64
  - package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-10.el8.x86_64
  - package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-8.el8.x86_64
  - package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-9.el8.x86_64
  - cannot install the best candidate for the job
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

@jiasli jiasli Jan 6, 2022


perl is not installed by rpm-build on CentOS Stream 8, so we should manually install it.

jiasli commented Jan 6, 2022

For an unknown reason, the rpm builder on CentOS Stream 8 is extremely slow at the step Processing files: azure-cli-2.32.0-1.el8.x86_64:

https://dev.azure.com/azure-sdk/29ec6040-b234-4e31-b139-33dc4287b756/_apis/build/builds/1278426/logs/507

2022-01-06T10:46:32.3684420Z [0mProcessing files: azure-cli-2.32.0-1.el8.x86_64
2022-01-06T11:19:00.3310021Z Provides: azure-cli = 2.32.0-1.el8 azure-cli(x86-64) = 2.32.0-1.el8 config(az

I thought this could be related to compression:

$ docker run -it --rm quay.io/centos/centos:stream

# yum install -y rpm-build

# rpm --showrc | grep _binary_payload
-13: _binary_payload    w2.xzdio

# grep -R _binary_payload /usr/lib/rpm/
/usr/lib/rpm/macros:#%_binary_payload   w9.gzdio
/usr/lib/rpm/redhat/macros:%_binary_payload w2.xzdio

but the result is exactly the same on centos:7, while the rpm-build on latest fedora uses zstd: https://fedoraproject.org/wiki/Changes/Switch_RPMs_to_zstd_compression

$ docker run -it --rm fedora:36

# yum install -y rpm-build

# rpm --showrc | grep _binary_payload
-13: _binary_payload    w19.zstdio

# grep -R _binary_payload /usr/lib/rpm/
/usr/lib/rpm/macros:#%_binary_payload   w9.gzdio
/usr/lib/rpm/redhat/macros:%_binary_payload w19.zstdio

jiasli commented Jan 6, 2022

@glaubitz, just wondering if you have any experience with the above problem (#20918 (comment))? Any insights are greatly appreciated. 😊

@jiasli jiasli requested review from fabnord and ahelal January 6, 2022 15:12
@jiasli jiasli changed the title {Packaging} Use CentOS Stream 8 to build el8 RPM package [Packaging] Use CentOS Stream 8 to build el8 RPM package Jan 6, 2022
@glaubitz

@glaubitz, just wondering if you have any experience with the above problem (#20918 (comment))? Any insights are greatly appreciated. 😊

Did you check the process list during this step? Or maybe iotop or strace?

@jiasli jiasli marked this pull request as ready for review February 9, 2022 05:58
@@ -681,8 +681,8 @@ jobs:
displayName: 'Test Homebrew Package'


- job: BuildYumPackageMariner
displayName: Build Yum Package Mariner
- job: BuildRpmPackageMariner
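Review bot: the job id changes from BuildYumPackageMariner to BuildRpmPackageMariner, but the visible displayName still reads 'Build Yum Package Mariner'; rename it to match, and grep the pipeline for `dependsOn: BuildYumPackageMariner` since a dependsOn pointing at the old id fails YAML validation before any job runs.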
Member Author


RPM is the actual package and YUM is the package manager (see https://packages.microsoft.com/yumrepos/azure-cli/). YUM has been replaced by DNF in many modern systems. So RPM should be the correct name here, like DEB (package) vs APT (package manager).

Comment on lines +40 to +43
# mkdir -p ${BUILD_STAGINGDIRECTORY}/docker
# docker save azure/azure-cli:${IMAGE}-builder | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}-builder.tar.gz &
# docker save azure/azure-cli:${IMAGE} | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}.tar.gz &
# wait
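Review bot: if this block is ever uncommented, a bare `wait` returns 0 regardless of whether the backgrounded `docker save ... | gzip` pipelines failed, so a truncated archive would be published without failing the step; since the comment below says these archives were never rehydrated, deleting the four lines is cleaner than leaving them commented out, and if they are kept, `wait $pid` per job with `set -o pipefail` is the safe form.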
Member Author


Actually we never rehydrated these files. We disable them to save space on ADO.

azure-pipelines.yml
timeoutInMinutes: 120
dependsOn: BuildYumPackage
dependsOn: BuildRpmPackageCentOS7
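Review bot: pointing dependsOn at BuildRpmPackageCentOS7 only means this test job never exercises the CentOS Stream 8 artifact, which is the el8 package this PR introduces for FIPS hosts; if the el8 RPM is not installed and checked elsewhere in the pipeline, add a second test job depending on BuildRpmPackageCentOSStream8 so a regression in the SHA256 payload digest is caught before release rather than by users on FIPS systems.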
@jiasli jiasli Feb 9, 2022


As discussed in

dependsOn only works for the base job (all matrixes), and it can't work on a specific matrix. Since CentOS Stream 8's rpm builder is extremely slow for some reason, TestRpmPackage will wait for it to finish, making the whole pipeline much slower.

Here we make 2 different jobs:

  • BuildRpmPackageCentOS7
  • BuildRpmPackageCentOSStream8

so that TestRpmPackage can start right after BuildRpmPackageCentOS7 finishes, like before.

Co-authored-by: ZelinWang <zelinwang@microsoft.com>
jiasli commented Feb 9, 2022

I tried to verify the RPM on a RHEL 8.4 VM without FIPS:

$ curl 'https://artprodcus3.artifacts.visualstudio.com/A0fb41ef4-5012-48a9-bf39-4ee3de03ee35/29ec6040-b234-4e31-b139-33dc4287b756/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL2F6dXJlLXNkay9wcm9qZWN0SWQvMjllYzYwNDAtYjIzNC00ZTMxLWIxMzktMzNkYzQyODdiNzU2L2J1aWxkSWQvMTM1NTA2My9hcnRpZmFjdE5hbWUvcnBtLWNlbnRvc19zdHJlYW040/content?format=file&subPath=%2Fazure-cli-2.33.0-1.el8.x86_64.rpm' -o azure-cli.rpm

$ rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

After enabling FIPS following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies, MD5 digest: OK is no longer shown:

$ rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
$

Not sure if this is expected.

jiasli commented Feb 9, 2022

After code signing, we got

$ rpm --checksig --verbose azure-cli-2.33.0-1.el8.x86_64.rpm
azure-cli-2.33.0-1.el8.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID be1229cf: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID be1229cf: OK

$ sudo yum localinstall azure-cli-2.33.0-1.el8.x86_64.rpm
...
Installed:
  azure-cli-2.33.0-1.el8.x86_64

Complete!

This indicates the package now

  • has SHA256, so it can be installed on FIPS-enabled machines
  • is correctly signed

@archoversight

\o/

- job: BuildRpmPackageCentOS7
displayName: Build Rpm Package CentOS 7
# Uncomment this line to disable this job on Pull Requests
# condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI', 'Manual', 'Schedule'))
Member Author


This line was removed by #20608. Bring it back as a comment.

Successfully merging this pull request may close these issues.

Azure CLI installation fails on FIPS enabled Linux systems
7 participants