SRE-2832 Packaging update part 1

Packaging update part 1 which needs a test build of Libfabric.
No functional code changes.

In the future, there were be only Dockerfile.ubuntu which should
handle all the releases of Ubuntu that will be supported.

Currently the pbuilder program is refusing to validate HTTPS
certificates that are not using a well known root CA.

Signed-off-by: John E. Malmberg <[email protected]>

Author: JohnMalmberg

.dockerignore

@@ -0,0 +1,8 @@
+# .dockerignore file for DAOS.
+
+# Firstly deny everything and then allow only directories and files that we're
+# interested in.  Other files will not be required for the build and they
+# just generate noise and extra work for docker.
+*
+!packaging/scripts
+!packaging/*

Jenkinsfile

@@ -1,6 +1,7 @@
 #!/usr/bin/groovy
 // SPDX-License-Identifier: BSD-2-Clause-Patent
-// Copyright (c) 2019-2024 Intel Corporation
+// Copyright 2019-2024 Intel Corporation
+// Copyright 2025 Hewlett Packard Enterprise Development LP
 
 // To use a test branch (i.e. PR) until it lands to master
 // I.e. for testing library changes

README.md

@@ -1,2 +1,6 @@
 # libfabric
+
 libfabric RPM packaging
+
+This project just contains code to package a distribution from its
+official repository.

libfabric.spec

@@ -234,7 +234,7 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
 
 * Wed May  4 2022 Brian J. Murrell <[email protected]> - 1.15.0~rc3-2
 - Add _hardened_build flag to build PIE binaries on CentOS 7
-- Add optoins to C*FLAGS to build PIE binaries on Leap 15
+- Add options to C*FLAGS to build PIE binaries on Leap 15
 
 * Tue Apr 19 2022 Lei Huang <[email protected]> - 1.15.0~rc3-1
 - Update to v1.15.0rc3

packaging/Dockerfile.coverity

@@ -1,12 +1,13 @@
 #
 # Copyright 2018-2020, Intel Corporation
+# Copyright 2025 Hewlett Packard Enterprise Development LP
 #
 # 'recipe' for Docker to build for a Coverity scan.
 #
 
 # Pull base image
 FROM fedora:latest
-MAINTAINER daos-stack <[email protected]>
+LABEL maintainer="daos-stack <[email protected]>""
 
 # use same UID as host and default value of 1000 if not specified
 ARG UID=1000

packaging/Dockerfile.mockbuild

@@ -1,5 +1,6 @@
 #
 # Copyright 2018-2024 Intel Corporation
+# Copyright 2025 Hewlett Packard Enterprise Development LP
 #
 # 'recipe' for Docker to build an RPM
 #
@@ -13,15 +14,16 @@ LABEL maintainer="[email protected]"
 
 # Use local repo server if present
 ARG REPO_FILE_URL
-RUN if [ -n "$REPO_FILE_URL" ]; then                            \
-        cd /etc/yum.repos.d/ &&                                 \
-        curl -k -f -o daos_ci-fedora-artifactory.repo.tmp       \
-             "$REPO_FILE_URL"daos_ci-fedora-artifactory.repo && \
-        for file in *.repo; do                                  \
-            true > $file;                                       \
-        done;                                                   \
-        mv daos_ci-fedora-artifactory.repo{.tmp,};              \
-    fi
+ARG DAOS_LAB_CA_FILE_URL
+ARG REPOSITORY_NAME
+# script to install OS updates basic tools and daos dependencies
+# COPY ./utils/scripts/install-fedora.sh /tmp/install.sh
+# script to setup local repo if available
+COPY ./packaging/scripts/repo-helper-fedora.sh /tmp/repo-helper.sh
+
+RUN chmod +x /tmp/repo-helper.sh &&                 \
+    /tmp/repo-helper.sh &&                          \
+    rm -f /tmp/repo-helper.sh
 
 # Install basic tools
 RUN dnf -y install mock make                                        \
@@ -33,13 +35,15 @@ RUN dnf -y install mock make                                        \
 ARG UID=1000
 
 # Add build user (to keep rpmbuild happy)
-ENV USER build
-ENV PASSWD build
+ENV USER=build
+ENV PASSWD=build
 # add the user to the mock group so it can run mock
 RUN if [ $UID != 0 ]; then                   \
         useradd -u $UID -ms /bin/bash $USER; \
         echo "$USER:$PASSWD" | chpasswd;     \
         usermod -a -G mock $USER;            \
+        mkdir -p /var/cache/mock;            \
+        chown $USER:root /var/cache/mock;    \
     fi
 
 ARG CB0

packaging/Dockerfile.ubuntu

@@ -0,0 +1,51 @@
+# Keep Dockerfile.ubuntu the same as this file until all packaging
+# jobs are fixed to have a Dockerfile.ubuntu, and then the common
+# Jenkinsfile will be changed to use Dockerfile.ubuntu.
+#
+# Copyright 2019-2021, Intel Corporation
+# Copyright 2025 Hewlett Packard Enterprise Development LP
+#
+# 'recipe' for Docker to build an Debian package
+#
+# Pull base image
+ARG BASE_DISTRO=ubuntu:20.04
+FROM $BASE_DISTRO
+LABEL org.opencontainers.image.authors="[email protected]"
+# Needed for later use of BASE_DISTRO
+ARG BASE_DISTRO
+
+ARG REPO_FILE_URL
+ARG DAOS_LAB_CA_FILE_URL
+ARG REPOSITORY_NAME
+# script to setup local repo if available
+COPY ./packaging/scripts/repo-helper-ubuntu.sh /tmp/repo-helper.sh
+
+RUN chmod +x /tmp/repo-helper.sh &&                 \
+    /tmp/repo-helper.sh &&                          \
+    rm -f /tmp/repo-helper.sh
+
+# Install basic tools
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+            autoconf bash ca-certificates curl debhelper dh-make        \
+            dpkg-dev dh-python doxygen gcc git git-buildpackage         \
+            javahelper locales make patch pbuilder pkg-config           \
+            python3-dev python3-distro python3-distutils rpm scons wget \
+            cmake valgrind rpmdevtools
+
+# use same UID as host and default value of 1000 if not specified
+ARG UID=1000
+
+# Add build user (to keep chrootbuild happy)
+ENV USER=build
+RUN useradd -u $UID -ms /bin/bash $USER
+
+# need to run the build command as root, as it needs to chroot
+RUN if ! grep "^#includedir /etc/sudoers.d" /etc/sudoers; then                                     \
+        echo "#includedir /etc/sudoers.d" >> /etc/sudoers;                                         \
+    fi;                                                                                            \
+    echo "Defaults env_keep += \"DPKG_GENSYMBOLS_CHECK_LEVEL\"" > /etc/sudoers.d/build;            \
+    echo "build ALL=(ALL) NOPASSWD: /usr/bin/tee /root/.pbuilderrc" >> /etc/sudoers.d/build;       \
+    echo "build ALL=(ALL) NOPASSWD: /usr/sbin/pbuilder" >> /etc/sudoers.d/build;                   \
+    chmod 0440 /etc/sudoers.d/build;                                                               \
+    visudo -c;                                                                                     \
+    sudo -l -U build

packaging/Dockerfile.ubuntu.20.04

@@ -1,62 +1,50 @@
+# Keep Dockerfile.ubuntu the same as this file until all packaging
+# jobs are fixed to have a Dockerfile.ubuntu, and then the common
+# Jenkinsfile will be changed to use Dockerfile.ubuntu.
 #
 # Copyright 2019-2021, Intel Corporation
+# Copyright 2025 Hewlett Packard Enterprise Development LP
 #
 # 'recipe' for Docker to build an Debian package
 #
 # Pull base image
-FROM ubuntu:20.04
+ARG BASE_DISTRO=ubuntu:20.04
+FROM $BASE_DISTRO
 LABEL org.opencontainers.image.authors="[email protected]"
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    curl gpg
+# Needed for later use of BASE_DISTRO
+ARG BASE_DISTRO
 
 ARG REPO_FILE_URL
-RUN if [ -n "$REPO_FILE_URL" ]; then                                 \
-        cd /etc/apt/sources.list.d &&                                \
-        curl -f -o daos_ci-ubuntu20.04-artifactory.list.tmp          \
-             "$REPO_FILE_URL"daos_ci-ubuntu20.04-artifactory.list && \
-        true > ../sources.list &&                                    \
-        mv daos_ci-ubuntu20.04-artifactory.list.tmp                  \
-           daos_ci-ubuntu20.04-artifactory.list;                     \
-        url="${REPO_FILE_URL%/*/}/hpe-ilorest-ubuntu-bionic-proxy/"; \
-    else                                                             \
-        url="https://downloads.linux.hpe.com/SDR/repo/ilorest/";     \
-    fi;                                                              \
-    cd -;                                                            \
-    mkdir -p /usr/local/share/keyrings/;                             \
-    curl -f -O "$url"GPG-KEY-hprest;                                 \
-    gpg --no-default-keyring --keyring ./temp-keyring.gpg            \
-        --import GPG-KEY-hprest;                                     \
-    gpg --no-default-keyring --keyring ./temp-keyring.gpg --export   \
-        --output /usr/local/share/keyrings/hpe-sdr-public.gpg;       \
-    rm ./temp-keyring.gpg;                                           \
-    curl -f -O "$REPO_FILE_URL"esad_repo.key;                        \
-    gpg --no-default-keyring --keyring ./temp-keyring.gpg            \
-        --import esad_repo.key;                                      \
-    gpg --no-default-keyring --keyring ./temp-keyring.gpg --export   \
-        --output /usr/local/share/keyrings/daos-stack-public.gpg
+ARG DAOS_LAB_CA_FILE_URL
+ARG REPOSITORY_NAME
+# script to setup local repo if available
+COPY ./packaging/scripts/repo-helper-ubuntu.sh /tmp/repo-helper.sh
+
+RUN chmod +x /tmp/repo-helper.sh &&                 \
+    /tmp/repo-helper.sh &&                          \
+    rm -f /tmp/repo-helper.sh
 
-# Install basic tools
+# Install basic tools - rpmdevtools temporary commented out.
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
             autoconf bash ca-certificates curl debhelper dh-make        \
             dpkg-dev dh-python doxygen gcc git git-buildpackage         \
             javahelper locales make patch pbuilder pkg-config           \
-            python3-dev python3-distro python3-distutils rpm scons wget \
-            cmake valgrind rpmdevtools
+            python3-dev python3-distro python3-distutils rpm scons sudo \
+            wget cmake valgrind # rpmdevtools
 
 # use same UID as host and default value of 1000 if not specified
 ARG UID=1000
 
 # Add build user (to keep chrootbuild happy)
-ENV USER build
+ENV USER=build
 RUN useradd -u $UID -ms /bin/bash $USER
 
 # need to run the build command as root, as it needs to chroot
 RUN if ! grep "^#includedir /etc/sudoers.d" /etc/sudoers; then                                     \
         echo "#includedir /etc/sudoers.d" >> /etc/sudoers;                                         \
     fi;                                                                                            \
     echo "Defaults env_keep += \"DPKG_GENSYMBOLS_CHECK_LEVEL\"" > /etc/sudoers.d/build;            \
-    echo "build ALL=(ALL) NOPASSWD: /usr/bin/tee /root/.pbuilderrc" >> /etc/sudoers.d/build; \
+    echo "build ALL=(ALL) NOPASSWD: /usr/bin/tee /root/.pbuilderrc" >> /etc/sudoers.d/build;       \
     echo "build ALL=(ALL) NOPASSWD: /usr/sbin/pbuilder" >> /etc/sudoers.d/build;                   \
     chmod 0440 /etc/sudoers.d/build;                                                               \
     visudo -c;                                                                                     \

packaging/Dockerfile.ubuntu.rolling

@@ -1,11 +1,12 @@
 #
 # Copyright 2019, Intel Corporation
+# Copyright 2025 Hewlett Packard Enterprise Development LP
 #
 # 'recipe' for Docker to build an Debian package
 #
 # Pull base image
 FROM ubuntu:rolling
-Maintainer daos-stack <daos@daos.groups.io>
+LABEL org.opencontainers.image.authors="[email protected]"
 
 # use same UID as host and default value of 1000 if not specified
 ARG UID=1000

packaging/debian_chrootbuild

@@ -2,17 +2,31 @@
 
 set -uex
 
+: "${REPO_FILE_URL:=}"
+
+# Currently not working
 if [ -n "${ARTIFACTORY_URL:-}" ] && "$LOCAL_REPOS"; then
-    echo "MIRRORSITE=${ARTIFACTORY_URL}artifactory/ubuntu-proxy" | sudo tee /root/.pbuilderrc
+    pbuilderrc="./pbuilder_rc.txt"
+    rm -f "$pbuilderrc"
+    #echo "MIRRORSITE=${ARTIFACTORY_URL}/ubuntu-proxy/ubuntu" > "$pbuilderrc"
+    echo "export http_proxy=\"${HTTPS_PROXY}\"" >> "$pbuilderrc"
+    #if [ -n "$REPO_FILE_URL" ]; then
+    #    direct="${REPO_FILE_URL##*//}"
+    #    direct="${direct%%/*}"
+    #    echo "no_proxy=\"${direct}\"" >> "$pbuilderrc"
+    #fi
+    # shellcheck disable=SC2002
+    cat "$pbuilderrc" | sudo tee /root/.pbuilderrc
 fi
 
 # shellcheck disable=SC2086
 sudo pbuilder create                        \
     --extrapackages "gnupg ca-certificates" \
-    $DISTRO_ID_OPT
+    $DISTRO_ID_OPT || true  #  Ignore error status for now.
 
 repo_args=""
 repos_added=()
+# currently a bit broken, pbuilder will not accept user provided CAs.
 for repo in $DISTRO_BASE_PR_REPOS $PR_REPOS; do
     branch="master"
     build_number="lastSuccessfulBuild"
@@ -32,31 +46,34 @@ for repo in $DISTRO_BASE_PR_REPOS $PR_REPOS; do
     repo_args="$repo_args|deb [trusted=yes] ${JENKINS_URL:-https://build.hpdd.intel.com/}job/daos-stack/job/$repo/job/$branch/$build_number/artifact/artifacts/$DISTRO/ ./"
 done
 
-repo_args+="|$(curl -sSf "$REPO_FILE_URL"daos_ci-"$DISTRO"-artifactory.list |
-            sed -e 's/#.*//' -e '/ubuntu-proxy/d' -e '/^$/d' -e '/^$/d'     \
-                -e 's/signed-by=.*\.gpg/trusted=yes/'                       |
-            sed -e ':a; N; $!ba; s/\n/|/g')"
-for repo in $JOB_REPOS; do
-    repo_name=${repo##*://}
-    repo_name=${repo_name//\//_}
-    if [[ " ${repos_added[*]} " = *\ ${repo_name}\ * ]]; then
-        # don't add duplicates, first found wins
-        continue
-    fi
-    repos_added+=("$repo_name")
-    repo_args+="|deb ${repo} $VERSION_CODENAME main"
-done
-# NB: This PPA is needed to support modern go toolchains on ubuntu 20.04.
-# After the build is updated to use 22.04, which supports go >= 1.18, it
-# should no longer be needed.
-repo_args="$repo_args|deb [trusted=yes] https://ppa.launchpadcontent.net/longsleep/golang-backports/ubuntu $VERSION_CODENAME main"
-echo "$repo_args"
-if [ "$repo_args" = "|" ]; then
-    repo_args=""
-else
-    #repo_args="--othermirror"${repo_args#|}\""
-    repo_args="${repo_args#|}"
-fi
+# currently broken, builder will not accept internal certs.
+# repo_args+="|$(curl -sSf "$REPO_FILE_URL"daos_ci-"$DISTRO"-artifactory.list |
+#            sed -e 's/#.*//' -e '/ubuntu-proxy/d' -e '/^$/d' -e '/^$/d'     \
+#                -e 's/signed-by=.*\.gpg/trusted=yes/'                       |
+#            sed -e ':a; N; $!ba; s/\n/|/g')"
+#for repo in $JOB_REPOS; do
+#    repo_name=${repo##*://}
+#    repo_name=${repo_name//\//_}
+#    if [[ " ${repos_added[*]} " = *\ ${repo_name}\ * ]]; then
+#        # don't add duplicates, first found wins
+#        continue
+#    fi
+#    repos_added+=("$repo_name")
+#    repo_args+="|deb ${repo} $VERSION_CODENAME main"
+#done
+
+## NB: This PPA is needed to support modern go toolchains on ubuntu 20.04.
+## After the build is updated to use 22.04, which supports go >= 1.18, it
+## should no longer be needed.
+# currently broken - claim is public key not available.
+#repo_args="$repo_args|deb [trusted=yes] https://ppa.launchpadcontent.net/longsleep/golang-backports/ubuntu $VERSION_CODENAME main"
+#echo "$repo_args"
+#if [ "$repo_args" = "|" ]; then
+#    repo_args=""
+#else
+#    #repo_args="--othermirror"${repo_args#|}\""
+#    repo_args="${repo_args#|}"
+#fi
 cd "$DEB_TOP"
 # shellcheck disable=SC2086
 sudo pbuilder update --override-config $DISTRO_ID_OPT ${repo_args:+--othermirror "$repo_args"}