Merge remote-tracking branch 'origin/master' into f/centos75

Change-Id: I1e44bd44a6771c6df6032d58da7dcbf96f97bad9
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
This commit is contained in:
Dean Troyer 2018-09-14 10:40:32 -05:00
commit 21bcc10955
4 changed files with 167 additions and 138 deletions

View File

@ -23,43 +23,43 @@ export MOCK=/usr/bin/mock
# check input variables
function check_vars {
# need access to repo, which should normally be defined as MY_REPO in the env
# need access to repo, which should normally be defined as MY_REPO in the env
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO
fi
if [ ! -z "$MY_REPO" ] && [ -d "$MY_REPO" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " unable to use \$MY_REPO (value \"$MY_REPO\")\n"
printf " -- checking \$MY_REPO_ROOT_DIR (value \"$MY_REPO_ROOT_DIR\")\n"
if [ ! -z "$MY_REPO_ROOT_DIR" ] && [ -d "$MY_REPO_ROOT_DIR/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_REPO_ROOT_DIR/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " No joy -- checking for \$MY_WORKSPACE/cgcs-root\n"
if [ -d "$MY_WORKSPACE/cgcs-root" ] ; then
INTERNAL_REPO_ROOT=$MY_WORKSPACE/cgcs-root
printf " Found!\n"
fi
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n"
exit 1
fi
if [ -z "$INTERNAL_REPO_ROOT" ] ; then
printf " Error -- could not locate cgcs-root repo.\n"
exit 1
fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1
fi
if [ -z "$MY_BUILD_ENVIRONMENT" ] ; then
printf " Error -- missing environment variable MY_BUILD_ENVIRONMENT"
exit 1
fi
if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1
fi
if [ -z "$MY_BUILD_DIR" ] ; then
printf " Error -- missing environment variable MY_BUILD_DIR"
exit 1
fi
}
@ -73,119 +73,155 @@ function check_vars {
# This process is using mock because the build servers do not have the same rpm / rpmsign version
#
function _local_cleanup {
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
}
function __local_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_local_cleanup
exit 1
}
function sign_packages {
OLD_PWD=$PWD
OLD_PWD=$PWD
_MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk
_MOCK_PKG_DIR=/mnt/Packages
_IMA_PRIV_KEY=ima_signing_key.priv
_KEY_DIR=$MY_REPO/build-tools/signing
_MOCK_KEY_DIR=/mnt/keys
_SIGN_MAKEFILE=_sign_pkgs.mk
_MK_DIR=$MY_REPO/build-tools/mk
_MOCK_MK_DIR=/mnt/mk
# mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# mock confgiuration file
_MOCK_CFG=$MY_BUILD_DIR/${MY_BUILD_ENVIRONMENT}-sign.cfg
# recreate configuration file
rm $_MOCK_CFG
export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG
# and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
# recreate configuration file
rm $_MOCK_CFG
export BUILD_TYPE=std
export MY_BUILD_DIR_TOP=$MY_BUILD_DIR
modify-build-cfg $_MOCK_CFG
# and customize
echo "config_opts['chroot_setup_cmd'] = 'install shadow-utils make rpm-sign'" >> $_MOCK_CFG
echo "config_opts['root'] = 'mock-sign'" >> $_MOCK_CFG
echo "config_opts['basedir'] = '${MY_WORKSPACE}'" >> $_MOCK_CFG
echo "config_opts['cache_topdir'] = '${MY_WORKSPACE}/mock-cache'" >> $_MOCK_CFG
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
echo "Signing packages in $_PKG_DIR with $NPROCS threads"
echo "using development key $_KEY_DIR/$_IMA_PRIV_KEY"
printf "Initializing mock environment\n"
printf "Initializing mock environment\n"
# invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
trap __local_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
retval=$?
# invoke make in mock to sign packages.
# this call will also create and initialize the mock env
eval $MOCK -q -r $_MOCK_CFG \'--plugin-option=bind_mount:dirs=[\(\"$_PKG_DIR\", \"$_MOCK_PKG_DIR\"\),\(\"$_MK_DIR\",\"$_MOCK_MK_DIR\"\),\(\"$_KEY_DIR\",\"$_MOCK_KEY_DIR\"\)]\' --shell \"cd $_MOCK_PKG_DIR\; make -j $NPROCS -f $_MOCK_MK_DIR/$_SIGN_MAKEFILE KEY=$_MOCK_KEY_DIR/$_IMA_PRIV_KEY\"
printf "Cleaning mock environment\n"
$MOCK -q -r $_MOCK_CFG --scrub=all
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
trap - SIGHUP SIGINT SIGABRT SIGTERM
cd $OLD_PWD
_local_cleanup
if [ $retval -ne 0 ] ; then
echo "failed to add file signatures to RPMs in mock environment."
return $retval
fi
cd $OLD_PWD
}
function _copy_and_sign {
# upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server."
return $retval
fi
# upload rpms to server
scp $_PKG_DIR/*.rpm $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy RPM files to signing server."
return $retval
fi
# get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files."
return $retval
fi
# get server to sign packages.
ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -s -d $sub
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to sign RPM files."
return $retval
fi
# download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval
fi
# download results back. This overwrites the original files.
scp $SIGNING_USER@$SIGNING_SERVER:$_UPLOAD_DIR/*.rpm $_PKG_DIR
retval=$?
if [ $retval -ne 0 ] ; then
echo "ERROR: failed to copy signed RPM files back from signing server."
return $retval
fi
return $retval
return $retval
}
function _server_cleanup {
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory ${SIGNING_SERVER}:${_UPLOAD_DIR}."
fi
}
function __server_trapdoor {
printf "caught signal while attempting to sign files. Cleaning up."
_server_cleanup
exit 1
}
function sign_packages_on_server {
retval=0
retval=0
# obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
# obtain temporary diretory to upload RPMs on signing server
_UPLOAD_DIR=`ssh $SIGNING_USER@$SIGNING_SERVER -- sudo $SIGNING_SERVER_SCRIPT -r`
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server."
return $retval
fi
retval=$?
if [ $retval -ne 0 ] ; then
echo "failed to obtain upload directory from signing server."
return $retval
fi
# extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR
# extract base chroot dir and rpm dir within chroot
read base com sub <<< $_UPLOAD_DIR
# this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub
# this is the upload temp dir, outside of chroot env
_UPLOAD_DIR=$base$sub
_copy_and_sign
retval=$?
trap __server_trapdoor SIGHUP SIGINT SIGABRT SIGTERM
# cleanup
ssh $SIGNING_USER@$SIGNING_SERVER rm $_UPLOAD_DIR/*.rpm
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove rpms from temporary upload directory."
fi
ssh $SIGNING_USER@$SIGNING_SERVER rmdir $_UPLOAD_DIR
if [ $? -ne 0 ] ; then
echo "Warning : failed to remove temporary upload directory."
fi
_copy_and_sign
retval=$?
return $retval
trap - SIGHUP SIGINT SIGABRT SIGTERM
_server_cleanup
return $retval
}
@ -196,9 +232,6 @@ function sign_packages_on_server {
# Check args
HELP=0
SIGNING_SERVER=yow-tiks01
SIGNING_USER=signing
SIGNING_SERVER_SCRIPT=/opt/signing/sign_rpms_18.03.sh
# return value
retval=0
@ -206,8 +239,8 @@ retval=0
# read the options
TEMP=`getopt -o hd: --long help,pkg-dir: -n 'test.sh' -- "$@"`
if [ $? -ne 0 ] ; then
echo "Invalid parameters - exiting"
exit 1
echo "Invalid parameters - exiting"
exit 1
fi
eval set -- "$TEMP"
@ -223,21 +256,21 @@ while true ; do
done
if [ $HELP -eq 1 ]; then
usage
exit 0
usage
exit 0
fi
# package directory must be defined
if [ -z "$_PKG_DIR" ]; then
echo "Need package directory. Use -d/--pkg-dir option"
usage
exit 1
echo "Need package directory. Use -d/--pkg-dir option"
usage
exit 1
fi
# ... and must exist
if [ ! -d "$_PKG_DIR" ]; then
echo "Package directory $_PKG_DIR does not exist"
exit 1
echo "Package directory $_PKG_DIR does not exist"
exit 1
fi
# Init variables

View File

@ -454,8 +454,6 @@ if [ "x$MY_WORKSPACE" == "x" ]; then
fi
ARCH="x86_64"
SIGNING_SERVER=yow-tiks01
SIGNING_USER=signing
SIGNING_SCRIPT=/opt/signing/sign.sh
UPLOAD_PATH=`ssh $SIGNING_USER@$SIGNING_SERVER sudo $SIGNING_SCRIPT -r`
SIGNED_PKG_DB=${MY_WORKSPACE}/signed_pkg_list.txt

View File

@ -16,7 +16,6 @@ ISO_FILE_PATH=$1
ISO_FILE_NAME=$(basename ${ISO_FILE_PATH})
ISO_FILE_ROOT=$(dirname ${ISO_FILE_PATH})
ISO_FILE_NOEXT="${ISO_FILE_NAME%.*}"
SIGNING_SERVER="signing@yow-tiks01"
GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
REQUEST_SIGN="sudo /opt/signing/sign_iso.sh"
SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
@ -24,7 +23,7 @@ SIGNATURE_FILE="$ISO_FILE_NOEXT.sig"
# Make a request for an upload path
# Output is a path where we can upload stuff, of the form
# "Upload: /tmp/sign_upload.5jR11pS0"
UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
if [ $? -ne 0 ]; then
echo "Could not get upload path. Do you have permissions on the signing server?"
exit 1
@ -32,7 +31,7 @@ fi
UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
echo "Uploading file"
scp -q ${ISO_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
scp -q ${ISO_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
if [ $? -ne 0 ]; then
echo "Could not upload ISO"
exit 1
@ -41,22 +40,22 @@ echo "File uploaded to signing server -- signing"
# Make the signing request.
# Output is path of detached signature
RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${ISO_FILE_NAME}`
if [ $? -ne 0 ]; then
echo "Could not perform signing -- output $RESULT"
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
exit 1
fi
echo "Signing complete. Downloading detached signature"
scp -q ${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${ISO_FILE_ROOT}/${SIGNATURE_FILE}
if [ $? -ne 0 ]; then
echo "Could not download newly signed file"
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
exit 1
fi
# Clean up (ISOs are big)
ssh ${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
ssh ${SIGNING_USER}@${SIGNING_SERVER} rm -f ${UPLOAD_PATH}/${ISO_FILE_NAME}
echo "${ISO_FILE_ROOT}/${SIGNATURE_FILE} detached signature"

View File

@ -13,21 +13,20 @@ fi
PATCH_FILE_PATH=$1
PATCH_FILE_NAME=$(basename ${PATCH_FILE_PATH})
SIGNING_SERVER="signing@yow-tiks01"
GET_UPLOAD_PATH="sudo /opt/signing/sign.sh -r"
REQUEST_SIGN="sudo /opt/signing/sign_patch.sh"
# Make a request for an upload path
# Output is a path where we can upload stuff, of the form
# "Upload: /tmp/sign_upload.5jR11pS0"
UPLOAD_PATH=`ssh ${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
UPLOAD_PATH=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${GET_UPLOAD_PATH}`
if [ $? -ne 0 ]; then
echo "Could not get upload path. Do you have permissions on the signing server?"
exit 1
fi
UPLOAD_PATH=`echo ${UPLOAD_PATH} | cut -d ' ' -f 2`
scp -q ${PATCH_FILE_PATH} ${SIGNING_SERVER}:${UPLOAD_PATH}
scp -q ${PATCH_FILE_PATH} ${SIGNING_USER}@${SIGNING_SERVER}:${UPLOAD_PATH}
if [ $? -ne 0 ]; then
echo "Could upload patch"
exit 1
@ -36,14 +35,14 @@ echo "File uploaded to signing server"
# Make the signing request.
# Output is path of newly signed file
RESULT=`ssh ${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
RESULT=`ssh ${SIGNING_USER}@${SIGNING_SERVER} ${REQUEST_SIGN} ${UPLOAD_PATH}/${PATCH_FILE_NAME}`
if [ $? -ne 0 ]; then
echo "Could not perform signing -- output $RESULT"
exit 1
fi
echo "Signing complete. Downloading"
scp -q ${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
scp -q ${SIGNING_USER}@${SIGNING_SERVER}:${RESULT} ${PATCH_FILE_PATH}
if [ $? -ne 0 ]; then
echo "Could not download newly signed file"
exit 1