[Packaging] Use CentOS Stream 8 to build el8 RPM package #20918
ARG cli_version=dev | ||
|
||
RUN yum update -y | ||
RUN yum install -y wget rpm-build gcc libffi-devel python3-devel openssl-devel make bash diffutils patch dos2unix python3-virtualenv perl |
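Review bot: `RUN yum update -y` and `RUN yum install -y ...` are separate layers, so a cached update layer can be reused with a changed install list and the yum cache is kept in the image. Consider one step of the form `RUN yum update -y && yum install -y ... && yum clean all`, and note in a comment why `perl` is listed explicitly.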
coreutils is not compatible with preinstalled coreutils-single, so we don't need to install coreutils.
# dnf list installed | grep coreutils
coreutils-single.x86_64 8.30-12.el8 @baseos
# yum install -y coreutils
Last metadata expiration check: 0:13:00 ago on Thu Jan 6 09:04:58 2022.
Error:
Problem: problem with installed package coreutils-single-8.30-12.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-12.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-10.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-8.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-9.el8.x86_64
- cannot install the best candidate for the job
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
perl is not installed by rpm-build on CentOS Stream 8, so we should manually install it.
For an unknown reason, the rpm builder on CentOS Stream 8 is extremely slow at step
I thought this could be related to compression:
but the result is exactly the same on
@glaubitz, just wondering if you have any experience with the above problem (#20918 (comment))? Any insights are greatly appreciated. 😊
Did you check the process list during this step? Or maybe
@@ -681,8 +681,8 @@ jobs: | |||
displayName: 'Test Homebrew Package' | |||
|
|||
|
|||
- job: BuildYumPackageMariner | |||
displayName: Build Yum Package Mariner | |||
- job: BuildRpmPackageMariner |
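Review bot: the job id at `- job: BuildRpmPackageMariner` replaces `BuildYumPackageMariner`, so any `dependsOn:` or artifact reference elsewhere in the pipeline that still names the old id will fail to resolve. Confirm every reference is renamed in this same change, and update the `displayName` to match the new "Rpm" wording.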
RPM is the actual package and YUM is the package manager (see https://packages.microsoft.com/yumrepos/azure-cli/). YUM has been replaced by DNF in many modern systems. So RPM should be the correct name here, like DEB (package) vs APT (package manager).
# mkdir -p ${BUILD_STAGINGDIRECTORY}/docker | ||
# docker save azure/azure-cli:${IMAGE}-builder | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}-builder.tar.gz & | ||
# docker save azure/azure-cli:${IMAGE} | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}.tar.gz & | ||
# wait |
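Review bot: the `docker save ... | gzip > ...` lines and the trailing `wait` are commented out with no explanation in the file. Either delete them or add a one-line comment above the block stating why the image export is disabled, so the dead code is not re-enabled by accident.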
Actually we never rehydrated these files. We disable them to save space on ADO.
timeoutInMinutes: 120 | ||
dependsOn: BuildYumPackage | ||
dependsOn: BuildRpmPackageCentOS7 |
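Review bot: `dependsOn: BuildRpmPackageCentOS7` ties this job to the CentOS 7 build only, so nothing here waits for or exercises the output of any other build job. If the el8 package should get the same test coverage, give it its own dependent test job, and add a comment next to `dependsOn` explaining why only the CentOS 7 job is named.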
As discussed in
- Add support for 'dependsOn' for individual matrix jobs microsoft/azure-pipelines-yaml#420
- Add cross-product matrix strategy microsoft/azure-pipelines-yaml#20
- https://developercommunity.visualstudio.com/t/support-for-dependson-for-individual-matrix-jobs/1007464
dependsOn only works for the base job (all matrixes), and it can't work on a specific matrix. Since CentOS Stream 8's rpm builder is extremely slow for some reason, TestRpmPackage will wait for it to finish, making the whole pipeline much slower.
Here we make 2 different jobs:
- BuildRpmPackageCentOS7
- BuildRpmPackageCentOSStream8
so that TestRpmPackage can start right after BuildRpmPackageCentOS7 finishes, like before.
Co-authored-by: ZelinWang <zelinwang@microsoft.com>
I tried to verify the RPM on a RHEL 8.4 VM without FIPS:
After enabling FIPS following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies,
Not sure if this is expected.
After code signing, we got
This indicates the package now
\o/
- job: BuildRpmPackageCentOS7 | ||
displayName: Build Rpm Package CentOS 7 | ||
# Uncomment this line to disable this job on Pull Requests | ||
# condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI', 'Manual', 'Schedule')) |
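Review bot: the commented `condition:` is an allow-list of `Build.Reason` values (`'IndividualCI', 'BatchedCI', 'Manual', 'Schedule'`), which skips every reason not listed, not only pull requests as the comment above it says. If the intent is only to skip PR builds, `ne(variables['Build.Reason'], 'PullRequest')` matches the comment more directly.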
This line was removed by #20608. Bring it back as a comment.
Description
#11204 added el8 for RHEL 8 but was reverted by #11325. As CentOS 7's RPM (4.11.3) can't generate SHA256 digests and causes failure on FIPS-enabled RHEL system (#20719), we have to use CentOS Stream 8's RPM (4.14.3) to build.
Now we can see Payload SHA256 digest is calculated as expected:
References
quay.io/centos/centos:stream8 at https://quay.io/repository/centos/centos?tab=tags. See https://wiki.centos.org/FAQ/CentOSStream
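A CI gate for the property the description relies on, as an added example that is not part of the pull request: it reads the verbose output of `rpm -Kv` and fails when the `Payload SHA256 digest` line is absent or not `OK`. The function names, sample output and package file names are constructed, and the line layout of `rpm -Kv` is assumed from RPM 4.14.

```shell
#!/bin/sh
# Added example (not from the PR): check `rpm -Kv <package>` output for the
# SHA256 payload digest that a FIPS-enabled RHEL 8 host needs.

# check_rpm_digests: read `rpm -Kv` output on stdin.
#   returns 0  a "Payload SHA256 digest" line exists and all digest lines are OK
#   returns 1  no "Payload SHA256 digest" line (e.g. package built by old RPM)
#   returns 2  at least one digest line reports something other than OK
check_rpm_digests() {
    crd_found=1
    crd_bad=0
    while IFS= read -r crd_line; do
        case "$crd_line" in
            *"Payload SHA256 digest:"*) crd_found=0 ;;
        esac
        case "$crd_line" in
            *"digest:"*)
                case "$crd_line" in
                    *": OK") ;;          # digest verified
                    *) crd_bad=1 ;;      # BAD, NOTFOUND, or anything else
                esac ;;
        esac
    done
    [ "$crd_bad" -eq 0 ] || return 2
    return "$crd_found"
}

# Constructed samples; file names are placeholders, not real artifacts.
SAMPLE_EL8='package-el8.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

SAMPLE_EL7='package-el7.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

SAMPLE_BAD='package-el8.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD
    MD5 digest: OK'

# digest_status: print the return code of check_rpm_digests for given text.
digest_status() {
    ds_rc=0
    printf '%s\n' "$1" | check_rpm_digests || ds_rc=$?
    echo "$ds_rc"
}
```

In a pipeline step the function would be fed directly, for example `rpm -Kv "$pkg" | check_rpm_digests`, with a non-zero status failing the job.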