diff --git a/.gitignore b/.gitignore
index dd7a6c6..ec1812a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/osbuild-16.tar.gz
+SOURCES/osbuild-18.tar.gz
diff --git a/.osbuild.metadata b/.osbuild.metadata
index 76ea34f..ca68f10 100644
--- a/.osbuild.metadata
+++ b/.osbuild.metadata
@@ -1 +1 @@
-fab7501d09204678e86b07aed347ab646589b9c8 SOURCES/osbuild-16.tar.gz
+9bf4e1ce90639dcefba530df762de397f8e39bd6 SOURCES/osbuild-18.tar.gz
diff --git a/SOURCES/no-floats-in-sources.patch b/SOURCES/no-floats-in-sources.patch
new file mode 100644
index 0000000..61ce923
--- /dev/null
+++ b/SOURCES/no-floats-in-sources.patch
@@ -0,0 +1,53 @@
+From 7b0db90c76c6b0de6a4d481e63450e8f0d1a1d9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
+Date: Thu, 25 Jun 2020 09:56:30 +0200
+Subject: [PATCH] sources/files: do not pass floats to --max-time
+
+curl uses strtod from the C standard library to convert the --max-time's value
+from string to double. However, this is what strtod expects:
+
+nonempty sequence of decimal digits optionally containing decimal-point
+character (as determined by the current C locale)
+
+Yeah, unfortunately, the decimal-point character is determined by the current
+C locale. For example, Czech and German locale uses a comma as the
+decimal-point character.
+
+For reasons I don't fully understand, Python thinks it's running on en_US
+locale, even though LC_NUMERIC is set to cs_CZ, so it uses a full stop as the
+decimal-point character when converting float to string. However, as written
+before, curl fails to parse this because it expects comma.
+
+The fix I chose is simple: Use math.ceil, so only an integer can be passed to
+curl. Why ceil? Because --max-time == 0 sounds fishy. math.ceil should return
+an integer (and it does in Python 3.8) but the documentation is not 100% clear
+on this topic, so let's be paranoid and also convert it to int after the
+ceiling.
+---
+ sources/org.osbuild.files | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sources/org.osbuild.files b/sources/org.osbuild.files
+index 42ff6ca..13ce9b8 100755
+--- a/sources/org.osbuild.files
++++ b/sources/org.osbuild.files
+@@ -17,6 +17,7 @@ import concurrent.futures
+ import glob
+ import itertools
+ import json
++import math
+ import os
+ import subprocess
+ import sys
+@@ -102,7 +103,7 @@ def fetch(url, checksum, directory):
+ curl_command = [
+ "curl",
+ "--silent",
+- "--max-time", f"{300 - elapsed_time}",
++ "--max-time", f"{int(math.ceil(300 - elapsed_time))}",
+ "--connect-timeout", "60",
+ "--fail",
+ "--location",
+--
+2.26.2
+
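Review bot: The rewritten `--max-time` argument in the embedded patch still depends on `300 - elapsed_time` being positive: once 300 seconds or more have elapsed, `math.ceil` returns 0 or a negative integer, and libcurl treats a timeout of 0 as no limit, which is the value the commit message wants to avoid. Whether fetch() skips the attempt once the time budget is used up cannot be seen here, because its body starts and ends outside the hunk. If no such guard exists, clamping at the call site keeps every download bounded: `"--max-time", f"{max(1, math.ceil(300 - elapsed_time))}",`.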
diff --git a/SPECS/osbuild.spec b/SPECS/osbuild.spec index 4f04d4b..52fe41e 100644 --- a/SPECS/osbuild.spec +++ b/SPECS/osbuild.spec @@ -1,6 +1,7 @@ %global forgeurl https://github.com/osbuild/osbuild +%global selinuxtype targeted -Version: 16 +Version: 18 %forgemeta @@ -8,12 +9,13 @@ Version: 16 %global pkgdir %{_prefix}/lib/%{pypi_name} Name: %{pypi_name} -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: %{forgeurl} Source0: %{forgesource} +Patch0: no-floats-in-sources.patch BuildArch: noarch Summary: A build system for OS images @@ -34,6 +36,7 @@ Requires: systemd-container Requires: tar Requires: util-linux Requires: python3-%{pypi_name} = %{version}-%{release} +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) # Turn off dependency generators for assemblers, runners and stages. # They run in a container, so there's no reason to generate dependencies @@ -63,13 +66,33 @@ Requires: rpm-ostree Contains the necessary stages, assembler and source to build OSTree based images. +%package selinux +Summary: SELinux policies +Requires: %{name} = %{version}-%{release} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +Contains the necessary SELinux policies that allows +osbuild to use labels unknown to the host inside the +containers it uses to build OS artifacts. + %prep %forgesetup +%patch0 -p1 %build %py3_build make man +# SELinux +make -f /usr/share/selinux/devel/Makefile osbuild.pp +bzip2 -9 osbuild.pp + +%pre +%selinux_relabel_pre -s %{selinuxtype} + %install %py3_install 
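Review bot: The `%pre` scriptlet with `%selinux_relabel_pre` in the `-63,13 +66,33` hunk is attached to the main package, whereas `%{?selinux_requires}` and the matching `%selinux_relabel_post` (in `%posttrans selinux`, later in this diff) belong to the selinux subpackage. Because the main package pulls in `%{name}-selinux` only conditionally, the relabel-pre step would run on every install of the main package, presumably without the scriptlet dependencies that `%{?selinux_requires}` supplies, and separated from the subpackage that actually installs the policy module. Unless this placement is deliberate, declare it as `%pre selinux` so that all four policy scriptlets live in the same subpackage.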
@@ -99,6 +122,10 @@ mkdir -p %{buildroot}%{_mandir}/man5 install -p -m 0644 -t %{buildroot}%{_mandir}/man1/ docs/*.1 install -p -m 0644 -t %{buildroot}%{_mandir}/man5/ docs/*.5 +# SELinux +install -D -m 644 -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} %{name}.pp.bz2 +install -D -m 644 -t %{buildroot}%{_mandir}/man8 selinux/%{name}_selinux.8 + %check exit 0 # We have some integration tests, but those require running a VM, so that would @@ -129,7 +156,37 @@ exit 0 %{pkgdir}/stages/org.osbuild.ostree %{pkgdir}/stages/org.osbuild.rpm-ostree +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%{_mandir}/man8/%{name}_selinux.8.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + + %changelog +* Fri Jun 26 2020 Christian Kellner - 18-2 +- Add patch to not pass floats to curl in the files source + https://github.com/osbuild/osbuild/pull/459 + +* Tue Jun 23 2020 Christian Kellner - 18-1 +- Upstream release 18 +- All RHEL runners now use platform-python. + +* Wed Jun 10 2020 Christian Kellner - 17-1 +- Upstream release 17 +- Add custom SELinux policy that lets osbuild set labels inside + the build root that are unknown to the host. + * Thu Jun 4 2020 Christian Kellner - 16-1 - Upstream release 16 - Drop sources-fix-break-when-secrets-is-None.patch included in
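Review bot: The two `install` lines in the `-99,6 +122,10` hunk refer to the policy module as `%{name}.pp.bz2`, while the `%build` step earlier in this diff creates it under the literal name `osbuild.pp`. The two agree only as long as `%{name}` expands to `osbuild`; its definition through `%{pypi_name}` is outside the visible hunks. Using one spelling throughout, for example `make -f /usr/share/selinux/devel/Makefile %{name}.pp` and `bzip2 -9 %{name}.pp` in `%build`, keeps the package from breaking on a rename.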