Packit: Initial rpm spec addition

This commit enables: - upstream copr build jobs on PRs - rpm builds on podman-next copr after every commit to main - Fedora and CentOS Stream 10 downstream update jobs on every upstream release Before an upstream release is cut, `rpm/containers-common.spec` will need to be updated with the correct release tag of c/image, c/storage and c/shortnames so that the right configs and docs are fetched. Signed-off-by: Lokesh Mandvekar <[email protected]>
containers · Apr 25, 2024 · 734eee7 · 734eee7
1 parent b3b3947
commit 734eee7
Show file tree

Hide file tree

Showing 6 changed files with 340 additions and 1 deletion.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -22,7 +22,8 @@ jobs:
       # Version of codespell bundled with Ubuntu is way old, so use pip.
       run: pip install codespell
     - name: run codespell
-      run: codespell --dictionary=-
+      # passt is a dependency listed in rpm/containers-common.spec
+      run: codespell --dictionary=- -L passt
   lint:
     runs-on: ubuntu-22.04
     steps:

diff --git a/.packit.yaml b/.packit.yaml
@@ -0,0 +1,79 @@
+---
+# See the documentation for more information:
+# https://packit.dev/docs/configuration/
+
+downstream_package_name: containers-common
+upstream_tag_template: v{version}
+
+packages:
+  containers-common-fedora:
+    pkg_tool: fedpkg
+    specfile_path: rpm/containers-common.spec
+  containers-common-centos:
+    pkg_tool: centpkg
+    specfile_path: rpm/containers-common.spec
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    packages: [containers-common-fedora]
+    notifications: &ephemeral_build_failure_notification
+      failure_comment:
+        message: "Ephemeral COPR build failed. @containers/packit-build please check."
+    enable_net: true
+    targets:
+      fedora-development: {}
+      fedora-latest: {}
+      fedora-eln:
+        # Need this to fetch go-md2man which is present in koji envs but not by
+        # default on copr envs. Also helps to avoid bundling go-md2man in
+        # c/common.
+        additional_repos:
+          - https://kojipkgs.fedoraproject.org/repos/eln-build/latest/x86_64/
+
+  - job: copr_build
+    trigger: pull_request
+    packages: [containers-common-centos]
+    notifications: *ephemeral_build_failure_notification
+    enable_net: true
+    targets:
+      - epel-9
+      - centos-stream-10
+
+  # Run on commit to main branch
+  - job: copr_build
+    trigger: commit
+    notifications:
+      failure_comment:
+        message: "containers-common-next COPR build failed. @containers/packit-build please check."
+    branch: main
+    owner: rhcontainerbot
+    project: containers-common-next
+    enable_net: true
+
+  - job: propose_downstream
+    trigger: release
+    update_release: false
+    packages: [containers-common-fedora]
+    dist_git_branches:
+      - fedora-development
+      - fedora-latest
+
+  - job: propose_downstream
+    trigger: release
+    update_release: false
+    packages: [containers-common-centos]
+    dist_git_branches:
+      - c10s
+
+  - job: koji_build
+    trigger: commit
+    packages: [containers-common-fedora]
+    dist_git_branches:
+      - fedora-all
+
+  - job: bodhi_update
+    trigger: commit
+    packages: [containers-common-fedora]
+    dist_git_branches:
+      - fedora-branched # rawhide updates are created automatically
diff --git a/contrib/redhat/RPM-GPG-KEY-redhat-release b/contrib/redhat/RPM-GPG-KEY-redhat-release
@@ -0,0 +1,34 @@
+pub   4096R/FD431D51 2009-10-22
+      Key fingerprint = 567E 347A D004 4ADE 55BA  8A5F 199E 2F91 FD43 1D51
+uid                  Red Hat, Inc. (release key 2) <[email protected]>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.5 (GNU/Linux)
+
+mQINBErgSTsBEACh2A4b0O9t+vzC9VrVtL1AKvUWi9OPCjkvR7Xd8DtJxeeMZ5eF
+0HtzIG58qDRybwUe89FZprB1ffuUKzdE+HcL3FbNWSSOXVjZIersdXyH3NvnLLLF
+0DNRB2ix3bXG9Rh/RXpFsNxDp2CEMdUvbYCzE79K1EnUTVh1L0Of023FtPSZXX0c
+u7Pb5DI5lX5YeoXO6RoodrIGYJsVBQWnrWw4xNTconUfNPk0EGZtEnzvH2zyPoJh
+XGF+Ncu9XwbalnYde10OCvSWAZ5zTCpoLMTvQjWpbCdWXJzCm6G+/hx9upke546H
+5IjtYm4dTIVTnc3wvDiODgBKRzOl9rEOCIgOuGtDxRxcQkjrC+xvg5Vkqn7vBUyW
+9pHedOU+PoF3DGOM+dqv+eNKBvh9YF9ugFAQBkcG7viZgvGEMGGUpzNgN7XnS1gj
+/DPo9mZESOYnKceve2tIC87p2hqjrxOHuI7fkZYeNIcAoa83rBltFXaBDYhWAKS1
+PcXS1/7JzP0ky7d0L6Xbu/If5kqWQpKwUInXtySRkuraVfuK3Bpa+X1XecWi24JY
+HVtlNX025xx1ewVzGNCTlWn1skQN2OOoQTV4C8/qFpTW6DTWYurd4+fE0OJFJZQF
+buhfXYwmRlVOgN5i77NTIJZJQfYFj38c/Iv5vZBPokO6mffrOTv3MHWVgQARAQAB
+tDNSZWQgSGF0LCBJbmMuIChyZWxlYXNlIGtleSAyKSA8c2VjdXJpdHlAcmVkaGF0
+LmNvbT6JAjYEEwECACAFAkrgSTsCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAK
+CRAZni+R/UMdUWzpD/9s5SFR/ZF3yjY5VLUFLMXIKUztNN3oc45fyLdTI3+UClKC
+2tEruzYjqNHhqAEXa2sN1fMrsuKec61Ll2NfvJjkLKDvgVIh7kM7aslNYVOP6BTf
+C/JJ7/ufz3UZmyViH/WDl+AYdgk3JqCIO5w5ryrC9IyBzYv2m0HqYbWfphY3uHw5
+un3ndLJcu8+BGP5F+ONQEGl+DRH58Il9Jp3HwbRa7dvkPgEhfFR+1hI+Btta2C7E
+0/2NKzCxZw7Lx3PBRcU92YKyaEihfy/aQKZCAuyfKiMvsmzs+4poIX7I9NQCJpyE
+IGfINoZ7VxqHwRn/d5mw2MZTJjbzSf+Um9YJyA0iEEyD6qjriWQRbuxpQXmlAJbh
+8okZ4gbVFv1F8MzK+4R8VvWJ0XxgtikSo72fHjwha7MAjqFnOq6eo6fEC/75g3NL
+Ght5VdpGuHk0vbdENHMC8wS99e5qXGNDued3hlTavDMlEAHl34q2H9nakTGRF5Ki
+JUfNh3DVRGhg8cMIti21njiRh7gyFI2OccATY7bBSr79JhuNwelHuxLrCFpY7V25
+OFktl15jZJaMxuQBqYdBgSay2G0U6D1+7VsWufpzd/Abx1/c3oi9ZaJvW22kAggq
+dzdA27UUYjWvx42w9menJwh/0jeQcTecIUd0d0rFcw/c1pvgMMl/Q73yzKgKYw==
+=zbHE
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/contrib/redhat/registry.access.redhat.com.yaml b/contrib/redhat/registry.access.redhat.com.yaml
@@ -0,0 +1,3 @@
+docker:
+     registry.access.redhat.com:
+         sigstore: https://access.redhat.com/webassets/docker/content/sigstore
diff --git a/contrib/redhat/registry.redhat.io.yaml b/contrib/redhat/registry.redhat.io.yaml
@@ -0,0 +1,3 @@
+docker:
+     registry.redhat.io:
+         sigstore: https://registry.redhat.io/containers/sigstore
diff --git a/rpm/containers-common.spec b/rpm/containers-common.spec
@@ -0,0 +1,219 @@
+# Below definitions are used to deliver config files from a particular branch
+# of c/image, c/storage  and c/shortnames vendored in all of Buildah, Podman and Skopeo.
+# These vendored components must have the same version. If it is not the case,
+# pick the oldest version on c/image, c/storage and c/shortnames vendored in
+# Buildah/Podman/Skopeo.
+
+# Replace `main` below with upstream version tags before cutting a new release of c/common
+%global image_branch main
+%global storage_branch main
+%global shortnames_branch main
+
+%global github_containers https://raw.githubusercontent.com/containers
+
+Epoch: 5
+Name: containers-common
+# DO NOT TOUCH the Version string!
+# The TRUE source of this specfile is:
+# https://github.com/containers/podman/blob/main/rpm/podman.spec
+# If that's what you're reading, Version must be 0, and will be updated by Packit for
+# copr and koji builds.
+# If you're reading this on dist-git, the version is automatically filled in by Packit.
+Version: 0
+Release: %autorelease
+License: Apache-2.0
+BuildArch: noarch
+# for BuildRequires: go-md2man
+ExclusiveArch: %{golang_arches} noarch
+Summary: Common configuration and documentation for containers
+BuildRequires: git-core
+BuildRequires: go-md2man
+Provides: skopeo-containers = %{epoch}:%{version}-%{release}
+Requires: (container-selinux >= 2:2.162.1 if selinux-policy)
+Suggests: fuse-overlayfs
+Source0: %{git0}/archive/v%{version_no_tilde}.tar.gz
+Source1: %{github_containers}/image/%{image_branch}/docs/containers-auth.json.5.md
+Source2: %{github_containers}/image/%{image_branch}/docs/containers-certs.d.5.md
+Source3: %{github_containers}/image/%{image_branch}/docs/containers-policy.json.5.md
+Source4: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.5.md
+Source5: %{github_containers}/image/%{image_branch}/docs/containers-registries.conf.d.5.md
+Source6: %{github_containers}/image/%{image_branch}/docs/containers-registries.d.5.md
+Source7: %{github_containers}/image/%{image_branch}/docs/containers-signature.5.md
+Source8: %{github_containers}/image/%{image_branch}/docs/containers-transports.5.md
+Source9: %{github_containers}/image/%{image_branch}/registries.conf
+Source10: %{github_containers}/shortnames/%{shortnames_branch}/shortnames.conf
+Source11: %{github_containers}/image/%{image_branch}/default.yaml
+Source12: %{github_containers}/image/%{image_branch}/default-policy.json
+Source13: %{github_containers}/storage/%{storage_branch}/docs/containers-storage.conf.5.md
+Source14: %{github_containers}/storage/%{storage_branch}/storage.conf
+
+%description
+This package contains common configuration files and documentation for container
+tools ecosystem, such as Podman, Buildah and Skopeo.
+
+It is required because the most of configuration files and docs come from projects
+which are vendored into Podman, Buildah, Skopeo, etc. but they are not packaged
+separately.
+
+%package extra
+Summary: Extra dependencies for Podman and Buildah
+Requires: %{name} = %{epoch}:%{version}-%{release}
+Requires: container-network-stack
+Requires: oci-runtime
+Conflicts: podman < 5:5.0.0~rc4-1
+Recommends: crun
+Recommends: composefs
+Requires: (crun if fedora-release-identity-server)
+Requires: netavark >= 1.10.3-1
+Suggests: slirp4netns
+Requires: passt
+Requires: iptables
+Requires: nftables
+Recommends: qemu-user-static
+Requires: (qemu-user-static-aarch64 if fedora-release-identity-server)
+Requires: (qemu-user-static-arm if fedora-release-identity-server)
+Requires: (qemu-user-static-x86 if fedora-release-identity-server)
+
+%description extra
+This subpackage will handle dependencies common to Podman and Buildah which are
+not required by Skopeo.
+
+%prep
+%autosetup -Sgit %{name}-%{version_no_tilde}
+cp %{SOURCE1} docs/.
+cp %{SOURCE2} docs/.
+cp %{SOURCE3} docs/.
+cp %{SOURCE4} docs/.
+cp %{SOURCE5} docs/.
+cp %{SOURCE6} docs/.
+cp %{SOURCE7} docs/.
+cp %{SOURCE8} docs/.
+cp %{SOURCE9} .
+cp %{SOURCE10} 000-shortnames.conf
+cp %{SOURCE11} .
+cp %{SOURCE12} policy.json
+cp %{SOURCE13} .
+cp %{SOURCE14} .
+
+# Patch storage.conf
+sed -i -e 's/^driver.*=.*/driver = "overlay"/' -e 's/^mountopt.*=.*/mountopt = "nodev,metacopy=on"/' \
+        -e '/additionalimage.*/a "/usr/lib/containers/storage",' \
+%if 0%{?fedora} > 40
+        -e 's/^pull_options.*=.*/pull_options = {enable_partial_images = \"true\", use_hard_links = \"false\", ostree_repos="", convert_images = "false"}/' \
+        -e 's/# use_composefs.*/use_composefs = "false"/g' \
+%endif
+        storage.conf
+
+# Patch seccomp.json
+[ `grep "keyctl" pkg/seccomp/seccomp.json | wc -l` == 0 ] && sed -i '/\"kill\",/i \
+                                "keyctl",' pkg/seccomp/seccomp.json
+sed -i '/\"socketcall\",/i \
+                                "socket",' pkg/seccomp/seccomp.json
+
+# Patch registries.conf
+sed -i 's/^#.*unqualified-search-registries.*=.*/unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "docker.io"]/g' \
+        registries.conf
+
+grep '^short-name-mode="enforcing"' registries.conf
+if [[ $? == 1 ]]; then
+    echo -e '\nshort-name-mode="enforcing"' >> registries.conf
+fi
+
+# Patch containers.conf
+sed -i -e 's/^#.*log_driver.*=.*/log_driver = "journald"/' \
+    -e 's/^#.*compression_format.*=.*/compression_format = "zstd:chunked"/' \
+    pkg/config/containers.conf
+
+
+%build
+mkdir -p man5
+for FILE in $(ls docs/*.5.md); do
+    go-md2man -in $FILE -out man5/$(basename $FILE .md)
+done
+
+cp man5/containerignore.5 man5/.containerignore.5
+
+%install
+# install config and policy files for registries
+install -dp %{buildroot}%{_sysconfdir}/containers/{certs.d,oci/hooks.d,systemd}
+install -dp %{buildroot}%{_sharedstatedir}/containers/sigstore
+install -dp %{buildroot}%{_datadir}/containers/systemd
+install -dp %{buildroot}%{_prefix}/lib/containers/storage
+install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-images
+touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-images/images.lock
+install -dp -m 700 %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers
+touch %{buildroot}%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
+
+install -Dp -m0644 default.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
+install -Dp -m0644 storage.conf -t %{buildroot}%{_datadir}/containers
+install -Dp -m0644 registries.conf -t %{buildroot}%{_sysconfdir}/containers
+install -Dp -m0644 000-shortnames.conf -t %{buildroot}%{_sysconfdir}/containers/registries.conf.d
+install -Dp -m0644 policy.json -t %{buildroot}%{_sysconfdir}/containers
+# RPM-GPG-KEY-redhat-release already exists on rhel envs, install only on
+# fedora and centos
+%if 0%{?fedora} || 0%{?centos}
+install -Dp -m0644 contrib/redhat/RPM-GPG-KEY-redhat-release -t %{buildroot}%{_sysconfdir}/pki/rpm-gpg
+%endif
+install -Dp -m0644 contrib/redhat/registry.access.redhat.com.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
+install -Dp -m0644 contrib/redhat/registry.redhat.io.yaml -t %{buildroot}%{_sysconfdir}/containers/registries.d
+
+# install manpages
+for FILE in $(ls -a man5 | grep 5); do
+    install -Dp -m0644 man5/$FILE -t %{buildroot}%{_mandir}/man5
+done
+
+# install config files for mounts, containers and seccomp
+install -m0644 pkg/subscriptions/mounts.conf %{buildroot}%{_datadir}/containers/mounts.conf
+install -m0644 pkg/seccomp/seccomp.json %{buildroot}%{_datadir}/containers/seccomp.json
+install -m0644 pkg/config/containers.conf %{buildroot}%{_datadir}/containers/containers.conf
+
+# install secrets patch directory
+install -d -p -m 755 %{buildroot}/%{_datadir}/rhel/secrets
+# rhbz#1110876 - update symlinks for subscription management
+ln -s ../../../..%{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
+ln -s ../../../..%{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
+ln -s ../../../..%{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/redhat.repo
+
+%files
+%dir %{_sysconfdir}/containers
+%dir %{_sysconfdir}/containers/certs.d
+%dir %{_sysconfdir}/containers/oci
+%dir %{_sysconfdir}/containers/oci/hooks.d
+%dir %{_sysconfdir}/containers/registries.conf.d
+%dir %{_sysconfdir}/containers/registries.d
+%dir %{_sysconfdir}/containers/systemd
+%dir %{_prefix}/lib/containers/storage
+%dir %{_prefix}/lib/containers/storage/overlay-images
+%dir %{_prefix}/lib/containers/storage/overlay-layers
+%{_prefix}/lib/containers/storage/overlay-images/images.lock
+%{_prefix}/lib/containers/storage/overlay-layers/layers.lock
+
+%config(noreplace) %{_sysconfdir}/containers/policy.json
+%config(noreplace) %{_sysconfdir}/containers/registries.conf
+%config(noreplace) %{_sysconfdir}/containers/registries.conf.d/000-shortnames.conf
+%if 0%{?fedora} || 0%{?centos}
+%{_sysconfdir}/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+%endif
+%config(noreplace) %{_sysconfdir}/containers/registries.d/default.yaml
+%{_sysconfdir}/containers/registries.d/registry.redhat.io.yaml
+%{_sysconfdir}/containers/registries.d/registry.access.redhat.com.yaml
+%ghost %{_sysconfdir}/containers/storage.conf
+%ghost %{_sysconfdir}/containers/containers.conf
+%dir %{_sharedstatedir}/containers/sigstore
+%{_mandir}/man5/Containerfile.5.gz
+%{_mandir}/man5/containerignore.5.gz
+%{_mandir}/man5/.containerignore.5.gz
+%{_mandir}/man5/containers*.5.gz
+%dir %{_datadir}/containers
+%dir %{_datadir}/containers/systemd
+%{_datadir}/containers/storage.conf
+%{_datadir}/containers/containers.conf
+%{_datadir}/containers/mounts.conf
+%{_datadir}/containers/seccomp.json
+%dir %{_datadir}/rhel/secrets
+%{_datadir}/rhel/secrets/*
+
+%files extra
+
+%changelog
+%autochangelog