From fed35a1d5e1339e1addf5fb7529307c0d2294481 Mon Sep 17 00:00:00 2001 From: James Hartig Date: Thu, 25 Mar 2021 16:17:05 -0400 Subject: [PATCH] feat: update redis and nginx Update redis to 6.2.1 and add openssl 1.1.1k Update nginx to use openssl 1.1.1k --- BUILD/.gitignore | 2 - BUILDROOT/.gitignore | 2 - README.md | 24 ++++---- SOURCES/redis.service | 3 +- SPECS/nginx.spec | 87 +++++++++++++------------- SPECS/redis.spec | 102 ++++++++++++++++++++++--------- Vagrantfile | 138 ------------------------------------------ 7 files changed, 131 insertions(+), 227 deletions(-) delete mode 100644 BUILD/.gitignore delete mode 100644 BUILDROOT/.gitignore delete mode 100644 Vagrantfile diff --git a/BUILD/.gitignore b/BUILD/.gitignore deleted file mode 100644 index d6b7ef3..0000000 --- a/BUILD/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/BUILDROOT/.gitignore b/BUILDROOT/.gitignore deleted file mode 100644 index d6b7ef3..0000000 --- a/BUILDROOT/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -* -!.gitignore diff --git a/README.md b/README.md index 2ce7715..2fa9219 100644 --- a/README.md +++ b/README.md 
@@ -3,17 +3,15 @@ Our rpmbuild repo for rpms we have built. You can check out all the options for rpms to be built in the `SPECS` folder, and build any of them by doing: +```shell +docker run --rm -it -v ${PWD}:/root/rpmbuild centos:7 /bin/bash +# From inside docker image +yum update -y +yum groupinstall -y 'Development Tools' +yum install -y rpmdevtools yum-utils centos-release-scl +cd /root/rpmbuild +spectool -g -C ./SOURCES SPECS/whatever.spec +yum-builddep -y SPECS/whatever.spec +rm -rf /tmp/rpmbuild +rpmbuild --define "_topdir `pwd`" --define "_builddir /tmp/rpmbuild/build" --define "_buildrootdir /tmp/rpmbuild/buildroot" -ba SPECS/whatever.spec ``` -vagrant up -vagrant ssh -# From inside the vagrant box -cd rpmbuild -cp -Rf /vagrant/* . -rm -rf BUILD/* -rm -rf SOURCES/*.gz -spectool -g -R SPECS/whatever.spec -rpmbuild -ba SPECS/whatever.spec -``` - -`vagrant provision` should download all required source files and install all -build dependencies. If any source versions change you'll have to re-run `vagrant provision`. diff --git a/SOURCES/redis.service b/SOURCES/redis.service index 0b67733..6b17c6c 100644 --- a/SOURCES/redis.service +++ b/SOURCES/redis.service @@ -3,7 +3,8 @@ Description=Redis persistent key-value database After=network.target [Service] -ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --daemonize no +ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --daemonize no --supervised systemd +Type=notify User=redis Group=redis diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 0a6db1a..4d47d03 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec 
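Review bot: The `[Service]` section of redis.service visible in this hunk confines a network-facing daemon with `User=redis`/`Group=redis` only, and no sandboxing directives appear in it. Since the unit is being touched for `Type=notify`, I would add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` below `Group=redis`. `ProtectSystem=full` makes /etc read-only, so first confirm nothing depends on redis rewriting `/etc/redis/redis.conf` or `sentinel.conf` at runtime. The unit continues past the end of the hunk, so such settings may already exist further down.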
@@ -1,16 +1,15 @@ -# %define nginx_home %{_localstatedir}/cache/nginx %define nginx_user nginx %define nginx_group nginx %define main_version 1.18.0 -%define main_release 1%{?dist}.levenlabs +%define main_release 2%{?dist}.levenlabs -%define openssl_version 1.1.1g +%define openssl_version 1.1.1k %define pcre_version 8.44 %define zlib_version 1.2.11 - %define nginx_more_headers_version 0.33 + %define WITH_CC_OPT $(echo %{optflags} $(pcre-config --cflags)) -fPIC %define WITH_LD_OPT -Wl,-z,relro -Wl,-z,now -pie %define bdir %{_builddir}/%{name}-%{main_version} @@ -51,17 +50,17 @@ nginx [engine x] is an HTTP and reverse proxy server %prep %setup -q -tar xf %{SOURCE90} -C $RPM_BUILD_DIR +tar xf %{SOURCE90} -C %{_builddir} -git clone https://github.com/vozlt/nginx-module-vts $RPM_BUILD_DIR/nginx-module-vts -cd $RPM_BUILD_DIR/nginx-module-vts && git submodule update --init +git clone https://github.com/vozlt/nginx-module-vts %{_builddir}/nginx-module-vts +cd %{_builddir}/nginx-module-vts && git submodule update --init -git clone https://github.com/google/ngx_brotli $RPM_BUILD_DIR/ngx_brotli -cd $RPM_BUILD_DIR/ngx_brotli && git submodule update --init +git clone https://github.com/google/ngx_brotli %{_builddir}/ngx_brotli +cd %{_builddir}/ngx_brotli && git submodule update --init -mkdir $RPM_BUILD_DIR/openssl && tar zxf %{SOURCE100} -C $RPM_BUILD_DIR/openssl --strip-components 1 -mkdir $RPM_BUILD_DIR/pcre && tar zxf %{SOURCE101} -C $RPM_BUILD_DIR/pcre --strip-components 1 -mkdir $RPM_BUILD_DIR/zlib && tar zxf %{SOURCE102} -C $RPM_BUILD_DIR/zlib --strip-components 1 +mkdir %{_builddir}/openssl && tar zxf %{SOURCE100} -C %{_builddir}/openssl --strip-components 1 +mkdir %{_builddir}/pcre && tar zxf %{SOURCE101} -C %{_builddir}/pcre --strip-components 1 +mkdir %{_builddir}/zlib && tar zxf %{SOURCE102} -C %{_builddir}/zlib --strip-components 1 %build ./configure \ 
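Review bot: The two `git clone` lines in `%prep` (nginx-module-vts and ngx_brotli) still fetch whatever is on the upstream default branch at build time, so the same spec and release number can package different module code and an upstream compromise or force-push lands in the RPM unreviewed. Pin each checkout to a reviewed revision, e.g. `cd %{_builddir}/nginx-module-vts && git checkout <PINNED_COMMIT> && git submodule update --init`, or ship the modules as versioned `Source` tarballs. The openssl, pcre and zlib archives extracted just below are also unpacked with no digest check; a line such as `echo "<EXPECTED_SHA256>  %{SOURCE100}" | sha256sum -c -` before each `tar` would catch a swapped download. The redis.spec hunk later in this patch has the same gap for its `Source100`, and its `Source:` is still a plain `http://` URL.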
@@ -106,71 +105,71 @@ mkdir $RPM_BUILD_DIR/zlib && tar zxf %{SOURCE102} -C $RPM_BUILD_DIR/zlib --strip --with-pcre-jit \ --with-stream \ --with-stream_ssl_module \ - --with-openssl=$RPM_BUILD_DIR/openssl --with-openssl-opt=enable-tls1_3 \ + --with-openssl=%{_builddir}/openssl --with-openssl-opt=enable-tls1_3 \ --with-stream_ssl_preread_module \ - --with-pcre=$RPM_BUILD_DIR/pcre \ + --with-pcre=%{_builddir}/pcre \ --with-pcre-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' \ - --with-zlib=$RPM_BUILD_DIR/zlib \ + --with-zlib=%{_builddir}/zlib \ --with-zlib-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' \ - --add-module=$RPM_BUILD_DIR/nginx-module-vts \ + --add-module=%{_builddir}/nginx-module-vts \ --with-cc-opt="%{WITH_CC_OPT}" \ --with-ld-opt="%{WITH_LD_OPT}" \ - --add-module=$RPM_BUILD_DIR/headers-more-nginx-module-%{nginx_more_headers_version} \ - --add-module=$RPM_BUILD_DIR/ngx_brotli \ + --add-module=%{_builddir}/headers-more-nginx-module-%{nginx_more_headers_version} \ + --add-module=%{_builddir}/ngx_brotli \ make %{?_smp_mflags} %install -%{__rm} -rf $RPM_BUILD_ROOT -%{__make} DESTDIR=$RPM_BUILD_ROOT install +%{__rm} -rf %{buildroot} +%{__make} DESTDIR=%{buildroot} install -%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/nginx -%{__mv} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/html $RPM_BUILD_ROOT%{_datadir}/nginx/ +%{__mkdir} -p %{buildroot}%{_datadir}/nginx +%{__mv} %{buildroot}%{_sysconfdir}/nginx/html %{buildroot}%{_datadir}/nginx/ -%{__rm} -f $RPM_BUILD_ROOT%{_sysconfdir}/nginx/*.default -%{__rm} -f $RPM_BUILD_ROOT%{_sysconfdir}/nginx/fastcgi.conf +%{__rm} -f %{buildroot}%{_sysconfdir}/nginx/*.default +%{__rm} -f %{buildroot}%{_sysconfdir}/nginx/fastcgi.conf -%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/log/nginx -%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/run/nginx -%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/cache/nginx -%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/nginx/modules -cd 
$RPM_BUILD_ROOT%{_sysconfdir}/nginx && \ +%{__mkdir} -p %{buildroot}%{_localstatedir}/log/nginx +%{__mkdir} -p %{buildroot}%{_localstatedir}/run/nginx +%{__mkdir} -p %{buildroot}%{_localstatedir}/cache/nginx +%{__mkdir} -p %{buildroot}%{_datadir}/nginx/modules +cd %{buildroot}%{_sysconfdir}/nginx && \ %{__ln_s} ../..%{_libdir}/nginx/modules modules && cd - -%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-%{main_version} +%{__mkdir} -p %{buildroot}%{_datadir}/doc/%{name}-%{main_version} %{__install} -m 644 -p LICENSE \ - $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-%{main_version}/COPYRIGHT + %{buildroot}%{_datadir}/doc/%{name}-%{main_version}/COPYRIGHT -%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/nginx/conf.d -%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/nginx.conf +%{__mkdir} -p %{buildroot}%{_sysconfdir}/nginx/conf.d +%{__rm} %{buildroot}%{_sysconfdir}/nginx/nginx.conf %{__install} -m 644 -p %{SOURCE4} \ - $RPM_BUILD_ROOT%{_sysconfdir}/nginx/nginx.conf + %{buildroot}%{_sysconfdir}/nginx/nginx.conf # we don't need default.conf # %{__install} -m 644 -p %{SOURCE5} \ -# $RPM_BUILD_ROOT%{_sysconfdir}/nginx/conf.d/default.conf +# %{buildroot}%{_sysconfdir}/nginx/conf.d/default.conf -%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +%{__mkdir} -p %{buildroot}%{_sysconfdir}/sysconfig %{__install} -m 644 -p %{SOURCE3} \ - $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/nginx + %{buildroot}%{_sysconfdir}/sysconfig/nginx %{__install} -p -D -m 0644 %{bdir}/objs/nginx.8 \ - $RPM_BUILD_ROOT%{_mandir}/man8/nginx.8 + %{buildroot}%{_mandir}/man8/nginx.8 # install log rotation stuff -%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +%{__mkdir} -p %{buildroot}%{_sysconfdir}/logrotate.d %{__install} -m 644 -p %{SOURCE1} \ - $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/nginx + %{buildroot}%{_sysconfdir}/logrotate.d/nginx # install systemd-specific files -%{__mkdir} -p $RPM_BUILD_ROOT%{_unitdir} +%{__mkdir} -p %{buildroot}%{_unitdir} %{__install} -m644 %SOURCE8 \ - 
$RPM_BUILD_ROOT%{_unitdir}/nginx.service + %{buildroot}%{_unitdir}/nginx.service %check -%{__rm} -rf $RPM_BUILD_ROOT/usr/src +%{__rm} -rf %{buildroot}/usr/src %clean -%{__rm} -rf $RPM_BUILD_ROOT +%{__rm} -rf %{buildroot} %files %defattr(-,root,root) diff --git a/SPECS/redis.spec b/SPECS/redis.spec index 857089d..91983df 100644 --- a/SPECS/redis.spec +++ b/SPECS/redis.spec 
@@ -1,52 +1,100 @@ -Packager: Joe Admin +%define openssl_version 1.1.1k Name: redis -Version: 4.0.6 -Release: 0%{dist} - -Summary: levenlab's redis 3.2.3 compilation - +Version: 6.2.1 +Release: 1%{dist} +Summary: A persistent key-value database License: BSD +URL: http://redis.io Source: http://download.redis.io/releases/%{name}-%{version}.tar.gz Source1: redis.service +Source100: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz +BuildRequires: gcc +BuildRequires: devtoolset-8-toolchain +BuildRequires: devtoolset-8-libatomic-devel +BuildRequires: procps-ng BuildRequires: tcl - -%define installprefix /usr +BuildRequires: pkgconfig(libsystemd) +BuildRequires: systemd +BuildRequires: which +Requires(postun): systemd %description +redis is an advanced key-value store %prep %setup -q -n redis-%{version} +sed -i -e 's|^dir .*$|dir %{_sharedstatedir}/redis|g' %{_builddir}/redis-%{version}/redis.conf + +mkdir %{_builddir}/openssl && tar zxf %{SOURCE100} -C %{_builddir}/openssl --strip-components 1 && cd %{_builddir}/openssl && ./config --prefix=%{_builddir}/redis-%{version}/deps/openssl no-shared no-threads enable-tls1_3 && make && make install_sw LIBDIR=lib + +sed -i 's;-lssl;%{_builddir}/redis-%{version}/deps/openssl/lib/libssl.a;g' %{_builddir}/redis-%{version}/src/Makefile +sed -i 's;-lcrypto;%{_builddir}/redis-%{version}/deps/openssl/lib/libcrypto.a;g' %{_builddir}/redis-%{version}/src/Makefile + +%global make_flags LDFLAGS="%{?__global_ldflags} -I%{_builddir}/redis-%{version}/deps/openssl/lib" CFLAGS+="%{optflags} -fPIC -I%{_builddir}/redis-%{version}/deps/openssl/include" INSTALL="install -p" PREFIX=%{buildroot}%{_prefix} BUILD_TLS=yes USE_SYSTEMD=yes +: %{make_flags} + + %build -make +source /opt/rh/devtoolset-8/enable +make %{make_flags} %install -make PREFIX=$RPM_BUILD_ROOT%{installprefix} install +source /opt/rh/devtoolset-8/enable +make %{make_flags} install + +install -d %{buildroot}%{_sysconfdir}/redis +install -d %{buildroot}%{_unitdir} 
+install -d %{buildroot}%{_libdir}/redis +install -d %{buildroot}%{_libdir}/redis/modules +install -d %{buildroot}%{_sharedstatedir}/redis +install -d %{buildroot}%{_localstatedir}/run/redis +install -d %{buildroot}%{_includedir} +install -m 0644 redis.conf %{buildroot}%{_sysconfdir}/redis/redis.conf +install -m 0644 sentinel.conf %{buildroot}%{_sysconfdir}/redis/sentinel.conf +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/redis.service +install -m 0644 src/redismodule.h %{buildroot}%{_includedir}/redismodule.h -install -d $RPM_BUILD_ROOT/etc/redis -install -d $RPM_BUILD_ROOT/usr/lib/systemd/system -install -d $RPM_BUILD_ROOT/var/lib/redis -install -d $RPM_BUILD_ROOT/var/run/redis -install -m 0644 redis.conf $RPM_BUILD_ROOT/etc/redis/redis.conf -install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/systemd/system/redis.service -install -m 0644 sentinel.conf $RPM_BUILD_ROOT/etc/redis/sentinel.conf -install -m 0755 src/redis-trib.rb $RPM_BUILD_ROOT/usr/bin/redis-trib.rb +chmod 755 %{buildroot}%{_bindir}/redis-* + +%check +# https://github.com/redis/redis/issues/1417 +taskset -c 1 make %{make_flags} test +make %{make_flags} test-sentinel %files %defattr(-,root,root) -/etc/redis -/usr/lib/systemd/system/redis.service -/var/lib/redis -/var/run/redis -%{installprefix}/bin/* +%dir %{_sysconfdir}/redis +%config(noreplace) %{_sysconfdir}/redis/redis.conf +%config(noreplace) %{_sysconfdir}/redis/sentinel.conf +%{_unitdir}/redis.service +%dir %{_libdir}/redis +%dir %{_libdir}/redis/modules +%dir %{_sharedstatedir}/redis +%dir %{_localstatedir}/run/redis +%{_bindir}/redis-* +%{_includedir}/redismodule.h %clean +%{__rm} -rf %{buildroot} + +%pre +getent group redis >/dev/null || groupadd -r redis +getent passwd redis >/dev/null || \ + useradd -r -g redis -s /sbin/nologin \ + -d %{_sharedstatedir}/redis -c "redis user" redis +exit 0 %post -useradd -M -r -s /bin/false redis -chown redis:redis /var/lib/redis -chown redis:redis /var/run/redis -systemctl daemon-reload +chown 
redis:redis %{_sharedstatedir}/redis +chown redis:redis %{_localstatedir}/run/redis +chown redis:redis %{_libdir}/redis +chown redis:redis %{_libdir}/redis/modules + +%postun +if [ $1 -eq 2 ]; then + systemctl daemon-reload >/dev/null 2>&1 +fi diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 9de2b5e..0000000 --- a/Vagrantfile +++ /dev/null 
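Review bot: The new `%postun` tests `[ $1 -eq 2 ]`, but in `%postun` `$1` is the number of package instances remaining (0 on erase, 1 on upgrade), so the `systemctl daemon-reload` inside it would normally never run. The commit also removes the reload from `%post`, and the unit file itself changes here, so an upgraded host keeps the old unit definition loaded until something else reloads systemd. Use `%systemd_postun_with_restart redis.service` (with `%systemd_post redis.service` in `%post`), or at least change the test to `[ $1 -ge 1 ]`. Smaller point in the same hunk: `make_flags` passes the OpenSSL lib directory in `LDFLAGS` as `-I...`, which is an include-path flag; it only works because the `sed` lines rewrite `-lssl`/`-lcrypto` to absolute `.a` paths, so it should be `-L...` or dropped.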
@@ -1,138 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -Vagrant.configure(2) do |config| - # All Vagrant configuration is done here. The most common configuration - # options are documented and commented below. For a complete reference, - # please see the online documentation at vagrantup.com. - - # Every Vagrant virtual environment requires a box to build off of. - config.vm.box = "centos/7" - - # Disable automatic box update checking. If you disable this, then - # boxes will only be checked for updates when the user runs - # `vagrant box outdated`. This is not recommended. - # config.vm.box_check_update = false - - # Create a forwarded port mapping which allows access to a specific port - # within the machine from a port on the host machine. In the example below, - # accessing "localhost:8080" will access port 80 on the guest machine. - # config.vm.network "forwarded_port", guest: 80, host: 8080 - - # Create a private network, which allows host-only access to the machine - # using a specific IP. - # config.vm.network "private_network", ip: "192.168.33.10" - - # Create a public network, which generally matched to bridged network. - # Bridged networks make the machine appear as another physical device on - # your network. - # config.vm.network "public_network" - - # If true, then any SSH connections made will enable agent forwarding. - # Default value: false - # config.ssh.forward_agent = true - - # Share an additional folder to the guest VM. The first argument is - # the path on the host to the actual folder. The second argument is - # the path on the guest to mount the folder. And the optional third - # argument is a set of non-required options. - # config.vm.synced_folder "../data", "/vagrant_data" - config.vm.synced_folder ".", "/vagrant", type: "virtualbox" - - # Provider-specific configuration so you can fine-tune various - # backing providers for Vagrant. These expose provider-specific options. 
- # Example for VirtualBox: - # - # config.vm.provider "virtualbox" do |vb| - # # Don't boot with headless mode - # vb.gui = true - # - # # Use VBoxManage to customize the VM. For example to change memory: - # vb.customize ["modifyvm", :id, "--memory", "1024"] - # end - # - # View the documentation for the provider you're using for more - # information on available options. - - # Enable provisioning with CFEngine. CFEngine Community packages are - # automatically installed. For example, configure the host as a - # policy server and optionally a policy file to run: - # - # config.vm.provision "cfengine" do |cf| - # cf.am_policy_hub = true - # # cf.run_file = "motd.cf" - # end - # - # You can also configure and bootstrap a client to an existing - # policy server: - # - # config.vm.provision "cfengine" do |cf| - # cf.policy_server_address = "10.0.2.15" - # end - - # Enable provisioning with Puppet stand alone. Puppet manifests - # are contained in a directory path relative to this Vagrantfile. - # You will need to create the manifests directory and a manifest in - # the file default.pp in the manifests_path directory. - # - # config.vm.provision "puppet" do |puppet| - # puppet.manifests_path = "manifests" - # puppet.manifest_file = "default.pp" - # end - - # Enable provisioning with chef solo, specifying a cookbooks path, roles - # path, and data_bags path (all relative to this Vagrantfile), and adding - # some recipes and/or roles. - # - # config.vm.provision "chef_solo" do |chef| - # chef.cookbooks_path = "../my-recipes/cookbooks" - # chef.roles_path = "../my-recipes/roles" - # chef.data_bags_path = "../my-recipes/data_bags" - # chef.add_recipe "mysql" - # chef.add_role "web" - # - # # You may also specify custom JSON attributes: - # chef.json = { mysql_password: "foo" } - # end - - # Enable provisioning with chef server, specifying the chef server URL, - # and the path to the validation key (relative to this Vagrantfile). - # - # The Opscode Platform uses HTTPS. 
Substitute your organization for - # ORGNAME in the URL and validation key. - # - # If you have your own Chef Server, use the appropriate URL, which may be - # HTTP instead of HTTPS depending on your configuration. Also change the - # validation key to validation.pem. - # - # config.vm.provision "chef_client" do |chef| - # chef.chef_server_url = "https://api.opscode.com/organizations/ORGNAME" - # chef.validation_key_path = "ORGNAME-validator.pem" - # end - # - # If you're using the Opscode platform, your validator client is - # ORGNAME-validator, replacing ORGNAME with your organization name. - # - # If you have your own Chef Server, the default validation client name is - # chef-validator, unless you changed the configuration. - # - # chef.validation_client_name = "ORGNAME-validator" - - config.vm.provision "shell", inline: "yum update -y" - config.vm.provision "shell", inline: "yum groupinstall -y 'Development Tools'" - config.vm.provision "shell", inline: "yum install -y rpmdevtools yum-utils" - config.vm.provision "shell", inline: <