From 4169b31587b14a921f50239f0d9dbc4f3dbdecd3 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 3 Feb 2022 07:53:33 +0100 Subject: [PATCH 1/4] bootstrap: Fix CentOS8 runner CentOS8 is EOL since December 31, 2021. The packages move to vault.centos.org. We should migrate to CentOS8 Stream soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Feb 3 14:31:01 UTC 2022 on sn-devel-184 [abartlet@samba.org Adapted from commit 0c6554aa0d6812343a8155fca3d7a7993cd5c703 by updating sha1sum]
---
 .gitlab-ci-main.yml | 2 +-
 bootstrap/config.py | 9 +++++++++
 bootstrap/generated-dists/centos8/bootstrap.sh | 9 +++++++++
 bootstrap/sha1sum.txt | 2 +-
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 125b3901832..c9864707de4 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
 # Set this to the contents of bootstrap/sha1sum.txt
 # which is generated by bootstrap/template.py --render
 #
- SAMBA_CI_CONTAINER_TAG: dd2b9a1848eed2d200e1a525695e40f06c23d888
+ SAMBA_CI_CONTAINER_TAG: fcac3e6e4fef4e0bef6c6e364c35e6e192b23add
 #
 # We use the ubuntu1804 image as default as
 # it matches what we have on sn-devel-184.
diff --git a/bootstrap/config.py b/bootstrap/config.py
index fd75a771252..326d96ff9d8 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -235,6 +235,10 @@ CENTOS8_YUM_BOOTSTRAP = r"""
 {GENERATED_MARKER}
 set -xueo pipefail
+# CentOS8 is EOL
+sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
+sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
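Review bot: In the bootstrap/config.py hunk, the second added `sed` line rewrites every CentOS repo to `baseurl=http://vault.centos.org`, so the CI image pulls its repository metadata and packages over plain HTTP. Package signatures are only verified if `gpgcheck` is still enabled in the repo files, which is not visible here, and repository metadata is not signature-checked by default, so I would use `baseurl=https://vault.centos.org` in the substitution. The same two lines are added again in the `@@ -244,6 +248,11 @@` hunk and in the generated centos8/bootstrap.sh, which would follow from re-rendering the template. A one-line comment on why the rewrite runs twice (presumably because the first `yum update` can restore the stock repo files) would also help the next reader.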
@@ -244,6 +248,11 @@ yum config-manager --set-enabled PowerTools -y || \
 yum config-manager --set-enabled powertools -y
 yum config-manager --set-enabled Devel -y || \
 yum config-manager --set-enabled devel -y
+
+# CentOS8 is EOL
+sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
+sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y \
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh
index 60cf3937cf7..db9d0bb8b6c 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8/bootstrap.sh
@@ -7,6 +7,10 @@
 set -xueo pipefail
+# CentOS8 is EOL
+sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
+sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
@@ -16,6 +20,11 @@ yum config-manager --set-enabled PowerTools -y || \
 yum config-manager --set-enabled powertools -y
 yum config-manager --set-enabled Devel -y || \
 yum config-manager --set-enabled devel -y
+
+# CentOS8 is EOL
+sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
+sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
+
 yum update -y
 yum install -y \
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 11369ced5f7..5716af2a689 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-dd2b9a1848eed2d200e1a525695e40f06c23d888
+fcac3e6e4fef4e0bef6c6e364c35e6e192b23add
--
2.25.1
From 685f019e3e23937febcfb7bdcaaaf4ef2b0a28ef Mon Sep 17 00:00:00 2001
From: Andrew Bartlett Date: Fri, 6 May 2022 13:29:05 +1200 Subject: [PATCH 2/4] bootstrap: chown the whole cloned repo, not just the subfolders Modern git versions have started to notice the possible security issue. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider [abartlet@samba.org adapted from commit c771d197eeebf2b01d46451cc51b698a99502935 with new sha1sum]
---
 .gitlab-ci-main.yml | 2 +-
 bootstrap/.gitlab-ci.yml | 2 +-
 bootstrap/sha1sum.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index c9864707de4..2c7548e41d6 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
 # Set this to the contents of bootstrap/sha1sum.txt
 # which is generated by bootstrap/template.py --render
 #
- SAMBA_CI_CONTAINER_TAG: fcac3e6e4fef4e0bef6c6e364c35e6e192b23add
+ SAMBA_CI_CONTAINER_TAG: d541fb969b486082ab6113df5945debfc5ff95c6
 #
 # We use the ubuntu1804 image as default as
 # it matches what we have on sn-devel-184.
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 33534f5f1dd..168272e9872 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -47,7 +47,7 @@ services:
 diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
 # run smoke test with samba-o3 or samba-fuzz
 docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \
- /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+ /bin/bash -c "sudo chown -R samba:samba ${samba_repo_root} && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
 docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
 docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
 # We build all images, but only upload is it's not marked as broken
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 5716af2a689..0d8cc2224b2 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-fcac3e6e4fef4e0bef6c6e364c35e6e192b23add
+d541fb969b486082ab6113df5945debfc5ff95c6
--
2.25.1
From 7d3f7df98458767f9fbbba56486a699157a7a544 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 3 Feb 2022 15:43:54 +0100 Subject: [PATCH 3/4] bootstrap: Migrate to CentOS8 Stream BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
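Review bot: In the bootstrap/.gitlab-ci.yml hunk, the new `chown -R samba:samba ${samba_repo_root}` sits inside a double-quoted `bash -c` string, so the variable is expanded unquoted by the outer shell before the container starts, and nothing next to the line says why the target changed from `./**`. Since `--workdir` is already `${samba_repo_root}`, `sudo chown -R samba:samba .` would cover the same tree without the interpolation. Because the checkout is bind-mounted through `--volume $(pwd):${samba_repo_root}`, the recursive chown now presumably also changes the owner of the top-level directory and `.git` on the runner's side of the mount. A comment such as `# chown the repo root too: newer git refuses to work in a repository owned by another user` above the `docker run` line would record that this is intended.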
Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Feb 4 21:11:40 UTC 2022 on sn-devel-184 [adapted from commit 136ec5bc01e2648bae34a1158f923fbf5a86d561 in the hope of getting lmdb-devel to be available for the CentoS 8 image]
---
 .gitlab-ci-main.yml | 8 +++----
 bootstrap/.gitlab-ci.yml | 2 +-
 bootstrap/config.py | 22 +++++--------------
 bootstrap/generated-dists/Vagrantfile | 10 ++++-----
 .../{centos8 => centos8s}/Dockerfile | 2 +-
 .../{centos8 => centos8s}/bootstrap.sh | 12 +---------
 .../{centos8 => centos8s}/locale.sh | 0
 .../{centos8 => centos8s}/packages.yml | 0
 bootstrap/sha1sum.txt | 2 +-
 9 files changed, 19 insertions(+), 39 deletions(-)
 rename bootstrap/generated-dists/{centos8 => centos8s}/Dockerfile (90%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/bootstrap.sh (79%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/locale.sh (100%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/packages.yml (100%)
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 2c7548e41d6..b8bae9b10b7 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
 # Set this to the contents of bootstrap/sha1sum.txt
 # which is generated by bootstrap/template.py --render
 #
- SAMBA_CI_CONTAINER_TAG: d541fb969b486082ab6113df5945debfc5ff95c6
+ SAMBA_CI_CONTAINER_TAG: fbf9c4c8a2055936d4ca279878df7811af46d86d
 #
 # We use the ubuntu1804 image as default as
 # it matches what we have on sn-devel-184.
@@ -64,7 +64,7 @@ variables:
 SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33
 SAMBA_CI_CONTAINER_IMAGE_fedora34: fedora34
 SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
- SAMBA_CI_CONTAINER_IMAGE_centos8: centos8
+ SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s
 include:
 # The image creation details are specified in a separate file
@@ -594,10 +594,10 @@ centos7-samba-o3:
 # We need a newer GnuTLS version on CentOS7
 PKG_CONFIG_PATH: "/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig"
-centos8-samba-o3:
+centos8s-samba-o3:
 extends: .samba-o3-template
 variables:
- SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8}
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8s}
 fedora33-samba-o3:
 extends: .samba-o3-template
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 168272e9872..58e0642a70d 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -112,7 +112,7 @@ fedora33:
 fedora34:
 extends: .build_image_template
-centos8:
+centos8s:
 extends: .build_image_template
 centos7:
diff --git a/bootstrap/config.py b/bootstrap/config.py
index 326d96ff9d8..164ab306329 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -230,28 +230,18 @@ if [ ! -f /usr/bin/python3 ]; then
 fi
 """
-CENTOS8_YUM_BOOTSTRAP = r"""
+CENTOS8S_YUM_BOOTSTRAP = r"""
 #!/bin/bash
 {GENERATED_MARKER}
 set -xueo pipefail
-# CentOS8 is EOL
-sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
-sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
-
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
 yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
- yum config-manager --set-enabled devel -y
-
-# CentOS8 is EOL
-sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
-sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
 yum update -y
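Review bot: In the bootstrap/config.py hunk, the changed line `yum config-manager --set-enabled powertools -y || \` is now followed by the identical command as its fallback, so the second attempt can never succeed where the first one failed. Either drop the `|| \` continuation and keep a single `yum config-manager --set-enabled powertools -y`, or keep the `PowerTools` spelling on one side if both repo ids still have to be handled. The generated centos8s/bootstrap.sh carries the same duplicated pair and would follow from re-rendering the template.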
@@ -480,10 +470,10 @@ RPM_DISTS = { 'tracker-devel': '', # do not install } }, - 'centos8': { - 'docker_image': 'centos:8', - 'vagrant_box': 'centos/8', - 'bootstrap': CENTOS8_YUM_BOOTSTRAP, + 'centos8s': { + 'docker_image': 'quay.io/centos/centos:stream8', + 'vagrant_box': 'centos/stream8', + 'bootstrap': CENTOS8S_YUM_BOOTSTRAP, 'replace': { 'lsb-release': 'redhat-lsb', '@development-tools': '"@Development Tools"', # add quotes diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 780320ec7c8..10075800c01 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -17,11 +17,11 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "centos7/locale.sh" end - config.vm.define "centos8" do |v| - v.vm.box = "centos/8" - v.vm.hostname = "centos8" - v.vm.provision :shell, path: "centos8/bootstrap.sh" - v.vm.provision :shell, path: "centos8/locale.sh" + config.vm.define "centos8s" do |v| + v.vm.box = "centos/stream8" + v.vm.hostname = "centos8s" + v.vm.provision :shell, path: "centos8s/bootstrap.sh" + v.vm.provision :shell, path: "centos8s/locale.sh" end config.vm.define "debian10" do |v| diff --git a/bootstrap/generated-dists/centos8/Dockerfile b/bootstrap/generated-dists/centos8s/Dockerfile similarity index 90% rename from bootstrap/generated-dists/centos8/Dockerfile rename to bootstrap/generated-dists/centos8s/Dockerfile index f6343e9d5a2..1c932f58a94 100644 --- a/bootstrap/generated-dists/centos8/Dockerfile +++ b/bootstrap/generated-dists/centos8s/Dockerfile @@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM centos:8 +FROM quay.io/centos/centos:stream8 # pass in with --build-arg while build ARG SHA1SUM 
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
similarity index 79%
rename from bootstrap/generated-dists/centos8/bootstrap.sh
rename to bootstrap/generated-dists/centos8s/bootstrap.sh
index db9d0bb8b6c..1111450c400 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -7,23 +7,13 @@
 set -xueo pipefail
-# CentOS8 is EOL
-sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
-sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
-
 yum update -y
 yum install -y dnf-plugins-core
 yum install -y epel-release
 yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
 yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
- yum config-manager --set-enabled devel -y
-
-# CentOS8 is EOL
-sed -i -e "s|^mirrorlist=|#mirrorlist=|g" /etc/yum.repos.d/CentOS-*
-sed -i -e "s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g" /etc/yum.repos.d/CentOS-*
 yum update -y
diff --git a/bootstrap/generated-dists/centos8/locale.sh b/bootstrap/generated-dists/centos8s/locale.sh
similarity index 100%
rename from bootstrap/generated-dists/centos8/locale.sh
rename to bootstrap/generated-dists/centos8s/locale.sh
diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8s/packages.yml
similarity index 100%
rename from bootstrap/generated-dists/centos8/packages.yml
rename to bootstrap/generated-dists/centos8s/packages.yml
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 0d8cc2224b2..120d935186d 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-d541fb969b486082ab6113df5945debfc5ff95c6
+fbf9c4c8a2055936d4ca279878df7811af46d86d
--
2.25.1
From 3bbbd1ac99f9e9eacc05603a667b93d31a0ff32d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett Date: Fri, 6 May 2022 17:53:29 +1200 Subject: [PATCH 4/4] .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765 It was realised that git would run commands found in a git repo (eg from configuration). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit dd568490089ae6d5bcf03068bfc4ca6b9103badb)
---
 .gitlab-ci-main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index b8bae9b10b7..e0b9b9d20b9 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -137,6 +137,8 @@ include:
 - export CXX="ccache c++"
 - ccache -z -M 500M
 - ccache -s
+ # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
+ - git config --global --add safe.directory `pwd`
 after_script:
 - mount
 - df -h
--
2.25.1
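Review bot: In the .gitlab-ci-main.yml hunk, the added `git config --global --add safe.directory` line takes its argument from an unquoted backtick `pwd`, so a checkout path containing whitespace would be split into several arguments. `- git config --global --add safe.directory "$(pwd)"` avoids that, and `"${CI_PROJECT_DIR}"` would name the checkout explicitly. The comment above it says the checks are removed, while the command only exempts this one directory from git's repository ownership check; something like `# CVE-2022-24765: git rejects repos owned by another user; trust only this checkout` states the scope more precisely. The script block this line belongs to starts outside the hunk.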