[Packaging] Use CentOS Stream 8 to build el8 RPM package
#20918
Conversation
| ARG cli_version=dev | ||
|
|
||
| RUN yum update -y | ||
| RUN yum install -y wget rpm-build gcc libffi-devel python3-devel openssl-devel make bash diffutils patch dos2unix python3-virtualenv perl |
There was a problem hiding this comment.
coreutils is not compatible with preinstalled coreutils-single, so we don't need to install coreutils.
# dnf list installed | grep coreutils
coreutils-single.x86_64 8.30-12.el8 @baseos
# yum install -y coreutils
Last metadata expiration check: 0:13:00 ago on Thu Jan 6 09:04:58 2022.
Error:
Problem: problem with installed package coreutils-single-8.30-12.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-12.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-10.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-8.el8.x86_64
- package coreutils-8.30-12.el8.x86_64 conflicts with coreutils-single provided by coreutils-single-8.30-9.el8.x86_64
- cannot install the best candidate for the job
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
There was a problem hiding this comment.
perl is not installed by rpm-build on CentOS Stream 8, so we should manually install it.
|
For unknown reason, the rpm builder on CentOS Stream 8 is extremely slow at step I thought this could be related to compression: but the the result is exactly the same on |
|
@glaubitz, just wondering if you have any experience with the above problem (#20918 (comment))? Any insights are greatly appreciated. 😊 |
jiasli
changed the title
el8 RPM packageel8 RPM package
Did you check the process list during this step? Or maybe |
| @@ -681,8 +681,8 @@ jobs: | |||
| displayName: 'Test Homebrew Package' | |||
|
|
|||
|
|
|||
| - job: BuildYumPackageMariner | |||
| displayName: Build Yum Package Mariner | |||
| - job: BuildRpmPackageMariner | |||
There was a problem hiding this comment.
RPM is the actual package and YUM is the package manager (see https://packages.microsoft.com/yumrepos/azure-cli/). YUM has been replaced by DNF in many modern systems. So RPM should be the correct name here, like DEB (package) vs APT (package manager).
| # mkdir -p ${BUILD_STAGINGDIRECTORY}/docker | ||
| # docker save azure/azure-cli:${IMAGE}-builder | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}-builder.tar.gz & | ||
| # docker save azure/azure-cli:${IMAGE} | gzip > ${BUILD_STAGINGDIRECTORY}/docker/azure_azure-cli_${IMAGE}.tar.gz & | ||
| # wait |
There was a problem hiding this comment.
Actually we never rehydrated these files. We disable them to save space on ADO.
| timeoutInMinutes: 120 | ||
| dependsOn: BuildYumPackage | ||
| dependsOn: BuildRpmPackageCentOS7 |
There was a problem hiding this comment.
As discussed in
- Add support for 'dependsOn' for individual matrix jobs microsoft/azure-pipelines-yaml#420
- Add cross-product matrix strategy microsoft/azure-pipelines-yaml#20
- https://developercommunity.visualstudio.com/t/support-for-dependson-for-individual-matrix-jobs/1007464
dependsOn only works for the base job (all matrixes), and it can't work on a specific matrix. Since CentOS Stream 8's rpm builder is extremely slow for some reason, TestRpmPackage will wait for it to finish, making the whole pipeline much slower.
Here we make 2 deferent jobs:
BuildRpmPackageCentOS7BuildRpmPackageCentOSStream8
so that TestRpmPackage can start right after BuildRpmPackageCentOS7 finishes, like before.
Co-authored-by: ZelinWang <zelinwang@microsoft.com>
|
I tried to verify the RPM on a RHEL 8.4 VM without FIPS: After enabling FIPS following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies, Not sure if this is expected. |
|
After code signing, we got This indicate the package now
|
|
\o/ |
| - job: BuildRpmPackageCentOS7 | ||
| displayName: Build Rpm Package CentOS 7 | ||
| # Uncomment this line to disable this job on Pull Requests | ||
| # condition: and(succeeded(), in(variables['Build.Reason'], 'IndividualCI', 'BatchedCI', 'Manual', 'Schedule')) |
There was a problem hiding this comment.
This line was removed by #20608. Bring it back as a comment.
Description
#11204 added
el8for RHEL 8 but was reverted by #11325.As CentOS 7's RPM (4.11.3) can't generate SHA256 digests and causes failure on FIPS-enabled RHEL system (#20719), we have to use CentOS Stream 8's RPM (4.14.3) to build.
Now we can see Payload SHA256 digest is calculated as expected:
References
quay.io/centos/centos:stream8at https://quay.io/repository/centos/centos?tab=tags. See https://wiki.centos.org/FAQ/CentOSStream