From 72601c22ebce47d718787f462041e69f3ccba930 Mon Sep 17 00:00:00 2001 
From: Cam Hutchison Date: Tue, 9 Jul 2024 12:55:03 +1000 Subject: [PATCH] [v14] buildbox: Update centos7 buildbox for EOL, using vault (#43902) * [v14] buildbox: Update centos7 buildbox for EOL, using vault CentOS 7 became EOL on 2024/06/30. `mirrorlist` and `mirror.centos.org` became unavailable, so use `baseurl` and `vault.centos.org` instead, updating all references in `/etc/yum.repos.d/*`. The software collection stuff (`centos-release-scl-rh`) is on a different path on `vault.centos.org` for `aarch64` so also update those paths. Apply these changes multiple times as installing `centos-release-scl-rh` installs a yum repo file with the old paths, as does installing `centos-release-scl`. This backport is a little more involved than the original master PR as `branch/v14` has old Dockerfiles here - there is no single base stage to modify - a new `base` stage was added with the common stuff and the other stages build from that instead of `centos:7`. Also added is a `syntax` line to the two touched dockerfiles. This is needed for here-documents to work (`< /etc/yum.repos.d/${DEVTOOLSET}-build.repo' -# Install required dependencies. +# mirrorlist is no longer available since CentOS 7 EOL. The software collection +# stuff for arm64 (aarch64) is in /altarch not /centos on vault.centos.org. +# Make the fixup a script as it needs to be run multiple times as installing +# and updating centos-release-scl-rh leaves the old unavailable URLs. 
+# https://serverfault.com/a/1161847 +RUN cat < /tmp/fix-yum-repo-list.sh +#!/bin/sh +sed -e 's/mirror.centos.org/vault.centos.org/g' \ + -e 's/^#.*baseurl=http/baseurl=http/g' \ + -e 's/^mirrorlist=http/#mirrorlist=http/g' \ + -i /etc/yum.repos.d/*.repo +if [ "$(uname -m)" = 'aarch64' ]; then + sed 's|centos/7/sclo|altarch/7/sclo|' -i /etc/yum.repos.d/*.repo +fi +EOF +RUN chmod 755 /tmp/fix-yum-repo-list.sh && \ + /tmp/fix-yum-repo-list.sh + RUN yum groupinstall -y 'Development Tools' && \ yum install -y \ + centos-release-scl-rh \ + centos-release-scl && \ + /tmp/fix-yum-repo-list.sh + +## GIT2 ################################################################### + +# git2 packages are not available on ARM64, so we need to build it from source. +FROM base AS git2 + +ARG BUILDARCH + +# Install required dependencies. +RUN yum install -y \ ca-certificates \ curl-devel \ expat-devel \ @@ -29,9 +59,6 @@ RUN yum groupinstall -y 'Development Tools' && \ perl-CPAN \ perl-devel wget && \ yum update -y && \ - yum -y install centos-release-scl-rh && \ - yum install -y \ - centos-release-scl && \ yum clean all # As mentioned above, these packages are unsigned. 
@@ -55,22 +82,9 @@ FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDAR ## LIBFIDO2 ################################################################### # Build libfido2 separately for isolation, speed and flexibility. -FROM centos:7 AS libfido2 - -ARG DEVTOOLSET -ARG TARGETARCH - -# devtoolset-12 is only in CentOS buildlogs. The rpms are unsigned since they never were -# published to the official CentOS SCL repos. -ENV DEVTOOLSET=${DEVTOOLSET} \ - TARGETARCH=${TARGETARCH} - -RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ - echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' +FROM base AS libfido2 -RUN yum groupinstall -y 'Development Tools' && \ - yum install -y epel-release && \ - yum install -y centos-release-scl-rh && \ +RUN yum install -y epel-release && \ yum update -y && \ yum install -y \ cmake3 \ 
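Review bot: In the libfido2 stage, `yum update -y` runs after `base` has already applied `/tmp/fix-yum-repo-list.sh`, and nothing re-applies the script before the `yum install` that follows. The comment added with the script says that installing or updating `centos-release-scl-rh` leaves the old unavailable URLs, so if the update touches a release package the next install may resolve against `mirror.centos.org` again; whether that happens is not visible on this page. Chaining the fix, `yum update -y && /tmp/fix-yum-repo-list.sh && \`, would make the stage independent of what the update pulls in. The same sequence appears in the libbpf, libpcsclite and buildbox hunks and in both stages of Dockerfile-centos7-fips. The RUN continues past the end of the hunk.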
@@ -133,26 +147,12 @@ RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.13.0 && \ ## LIBBPF ##################################################################### -FROM centos:7 AS libbpf - -ARG DEVTOOLSET -ARG TARGETARCH - -# devtoolset-12 is only in CentOS buildlogs. The rpms are unsigned since they never were -# published to the official CentOS SCL repos. -ENV DEVTOOLSET=${DEVTOOLSET} \ - TARGETARCH=${TARGETARCH} - -RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ - echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' +FROM base AS libbpf # Install required dependencies. -RUN yum groupinstall -y 'Development Tools' && \ - yum install -y epel-release && \ +RUN yum install -y epel-release && \ yum update -y && \ - yum -y install centos-release-scl-rh && \ yum install -y \ - centos-release-scl \ elfutils-libelf-devel-static \ scl-utils && \ yum clean all 
@@ -173,28 +173,14 @@ RUN mkdir -p /opt && cd /opt && \ ## LIBPCSCLITE ##################################################################### -FROM centos:7 AS libpcsclite - -ARG DEVTOOLSET -ARG TARGETARCH - -# devtoolset-12 is only in CentOS buildlogs. The rpms are unsigned since they never were -# published to the official CentOS SCL repos. -ENV DEVTOOLSET=${DEVTOOLSET} \ - TARGETARCH=${TARGETARCH} - -RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ - echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' +FROM base AS libpcsclite # Install required dependencies. -RUN yum groupinstall -y 'Development Tools' && \ - yum update -y && \ - yum -y install centos-release-scl-rh && \ +RUN yum update -y && \ yum install -y \ autoconf-archive \ libudev-devel \ - scl-utils \ - centos-release-scl \ + scl-utils && \ yum clean all # As mentioned above, these packages are unsigned. @@ -213,7 +199,7 @@ RUN git clone --depth=1 https://github.com/gravitational/PCSC.git -b ${LIBPCSCLI ## BUILDBOX ################################################################### -FROM centos:7 AS buildbox +FROM base AS buildbox ENV LANGUAGE=en_US.UTF-8 \ LANG=en_US.UTF-8 \ 
@@ -230,22 +216,10 @@ ARG GID RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \ mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport) -# devtoolset-12 is only in CentOS buildlogs. The rpms are unsigned since they never were -# published to the official CentOS SCL repos. -ENV DEVTOOLSET=${DEVTOOLSET} \ - TARGETARCH=${TARGETARCH} - -RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ - echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' - -RUN yum groupinstall -y 'Development Tools' && \ - yum install -y epel-release && \ +RUN yum install -y epel-release && \ yum update -y && \ - yum -y install centos-release-scl-rh && \ yum install -y \ # required by libbpf - centos-release-scl \ - # required by libbpf elfutils-libelf-devel-static \ net-tools \ # required by Teleport PAM support diff --git a/build.assets/Dockerfile-centos7-fips b/build.assets/Dockerfile-centos7-fips index 27a1e71c06d24..35a566871c3fb 100644 --- a/build.assets/Dockerfile-centos7-fips +++ b/build.assets/Dockerfile-centos7-fips @@ -1,8 +1,11 @@ +# syntax=docker/dockerfile:1 + # Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155 ARG BUILDARCH FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDARCH} AS teleport-buildbox-centos7-assets -FROM centos:7 AS libbpf +# Set up a base container from centos:7 adjusted for using vault.centos.org +FROM centos:7 AS base ARG BUILDARCH ARG TARGETARCH 
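Review bot: `FROM centos:7 AS base` in Dockerfile-centos7-fips is now the single root of every stage in that file, and it is still referenced by a mutable tag. With CentOS 7 end-of-life the image is not expected to change, so pinning it by digest, `FROM centos:7@sha256:<digest of the image the build currently uses> AS base`, costs nothing and ensures later builds use exactly the image that was tested. A comment next to the pin such as `# CentOS 7 is EOL: no further security updates, packages come from the vault.centos.org snapshot` would record why the base is frozen. Per the commit description the same `base` stage is added to Dockerfile-centos7, where the same pin applies.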
@@ -16,13 +19,36 @@ ENV DEVTOOLSET=${DEVTOOLSET} \ RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' -# Install required dependencies. +# mirrorlist is no longer available since CentOS 7 EOL. The software collection +# stuff for arm64 (aarch64) is in /altarch not /centos on vault.centos.org. +# Make the fixup a script as it needs to be run multiple times as installing +# and updating centos-release-scl-rh leaves the old unavailable URLs. +# https://serverfault.com/a/1161847 +RUN cat < /tmp/fix-yum-repo-list.sh +#!/bin/sh +sed -e 's/mirror.centos.org/vault.centos.org/g' \ + -e 's/^#.*baseurl=http/baseurl=http/g' \ + -e 's/^mirrorlist=http/#mirrorlist=http/g' \ + -i /etc/yum.repos.d/*.repo +if [ "$(uname -m)" = 'aarch64' ]; then + sed 's|centos/7/sclo|altarch/7/sclo|' -i /etc/yum.repos.d/*.repo +fi +EOF +RUN chmod 755 /tmp/fix-yum-repo-list.sh && \ + /tmp/fix-yum-repo-list.sh + RUN yum groupinstall -y 'Development Tools' && \ - yum install -y epel-release && \ + yum install -y \ + centos-release-scl-rh \ + centos-release-scl && \ + /tmp/fix-yum-repo-list.sh + +FROM base AS libbpf + +# Install required dependencies. +RUN yum install -y epel-release && \ yum update -y && \ - yum -y install centos-release-scl-rh && \ yum install -y \ - centos-release-scl \ elfutils-libelf-devel-static \ scl-utils && \ yum clean all @@ -41,7 +67,7 @@ RUN mkdir -p /opt && cd /opt && \ cd /opt/libbpf-${LIBBPF_VERSION}/src && \ scl enable ${DEVTOOLSET} "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install install_uapi_headers" -FROM centos:7 +FROM base ARG BUILDARCH ARG TARGETARCH 
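Review bot: The generated `/tmp/fix-yum-repo-list.sh` has no `set -e`, so its exit status is that of the trailing `if`: on a build where `uname -m` is not `aarch64`, a failure of the first `sed` (for instance when the `*.repo` glob matches nothing) is reported as success and the RUN passes with the repo files unchanged. Adding `set -e` as the line after `#!/bin/sh` makes both RUN steps that call the script stop at the point of the error instead of failing later in a `yum` call with a less obvious message. The identical script is added to Dockerfile-centos7 and would take the same one-line change.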
@@ -57,22 +83,10 @@ ARG GID RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \ mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport) -# devtoolset-12 is only in CentOS buildlogs. The rpms are unsigned since they never were -# published to the official CentOS SCL repos. -ENV DEVTOOLSET=${DEVTOOLSET} \ - TARGETARCH=${TARGETARCH} - -RUN bash -c 'if [ "${TARGETARCH}" = "arm64" ]; then export TARGETARCH="aarch64"; fi; \ - echo -e "[${DEVTOOLSET}-build]\nname=${DEVTOOLSET} - Build\nbaseurl=https://buildlogs.centos.org/c7-${DEVTOOLSET}.${TARGETARCH}/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/${DEVTOOLSET}-build.repo' - # Install required dependencies. -RUN yum groupinstall -y 'Development Tools' && \ - yum install -y epel-release && \ +RUN yum install -y epel-release && \ yum update -y && \ - yum -y install centos-release-scl-rh && \ yum install -y \ - # required by libbpf - centos-release-scl \ # required by Clang/LLVM cmake3 \ # required by libbpf
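Review bot: `yum update -y` in this final stage runs with the `${DEVTOOLSET}-build` repository enabled, and that repository is written with `gpgcheck=0` (the `echo -e` line shown as context in the `@@ -16,13 +19,36 @@` hunk). Any package that repository serves at a higher version can therefore be installed without signature verification, not only the devtoolset packages the existing comment describes as unsigned. Limiting the exception to the step that needs it, for example `yum update -y --disablerepo="${DEVTOOLSET}-build" && \` here, keeps signature checks in force for everything else. The libbpf stage of this file and the stages of Dockerfile-centos7 run the same update on top of `base`. The RUN continues past the end of the hunk.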