From 365729b0386e76b60e536f36f8c2c182ba395eae Mon Sep 17 00:00:00 2001
From: Andreas Gerstmayr
Date: Wed, 29 Apr 2020 15:06:47 +0200
Subject: [PATCH] add helper scripts to SRPM, fix perms on upgrade, update changelog
---
README.md | 6 +--
grafana.spec | 37 +++++++++++++------
...ages.py => list_bundled_nodejs_packages.py | 0
...ildrequires.sh => list_go_buildrequires.sh | 0
...ntainer_build.sh => run_container_build.sh | 0
5 files changed, 28 insertions(+), 15 deletions(-)
rename scripts/list_bundled_nodejs_packages.py => list_bundled_nodejs_packages.py (100%)
rename scripts/list_go_buildrequires.sh => list_go_buildrequires.sh (100%)
rename scripts/run_container_build.sh => run_container_build.sh (100%)
diff --git a/README.md b/README.md
index cdfcf17..a2871e3 100644
--- a/README.md
+++ b/README.md
@@ -6,11 +6,11 @@ The grafana package * update `Version` and `%changelog` in the specfile * download source tarball and create webpack: `./make_grafana_webpack.sh X.Y.Z` -* update golang buildrequires: `./scripts/list_go_buildrequires.sh grafana-X.Y.Z` and replace the old golang `BuildRequires:` with the new ones -* update nodejs provides: `./scripts/list_bundled_nodejs_packages.py grafana-X.Y.Z` and replace the old nodejs `Provides:` with the new ones +* update golang buildrequires: `./list_go_buildrequires.sh grafana-X.Y.Z` and replace the old golang `BuildRequires:` with the new ones +* update nodejs provides: `./list_bundled_nodejs_packages.py grafana-X.Y.Z` and replace the old nodejs `Provides:` with the new ones * check if the default configuration has changed: `diff grafana-X.Y.Z/conf/defaults.ini distro-defaults.ini` and update `distro-defaults.ini` if necessary * install all new golang build dependencies: `sudo dnf builddep grafana.spec` and create packages for missing dependencies * run local build: `rpkg local`, and if any patches fail, update them accordingly * run rpm linter: `rpkg lint` -* run local builds with different OS versions: `./scripts/run_container_build.sh version` (place not yet published dependencies in the `deps/` directory) +* run local builds with different OS versions: `./run_container_build.sh version` (place not yet published dependencies in the `deps/` directory) * run a scratch build: `fedpkg scratch-build --srpm` diff --git a/grafana.spec b/grafana.spec index cfe2ab8..416e254 100644 --- a/grafana.spec +++ b/grafana.spec 
@@ -27,11 +27,18 @@ Source0: https://github.com/grafana/grafana/archive/v%{version}/%{name} # Source1 contains the front-end javascript modules bundled into a webpack Source1: grafana_webpack-%{version}.tar.gz -# Source2 is the script to create the above webpack from grafana sources -Source2: make_grafana_webpack.sh +# Source2 contains Grafana configuration defaults for distributions +Source2: distro-defaults.ini + +# Source3 is the script to create the webpack from grafana sources +Source3: make_grafana_webpack.sh + +# Source4 is the script to generate the list of Go build dependencies: +Source4: list_go_buildrequires.sh + +# Source5 is the script to generate the list of bundled nodejs packages +Source5: list_bundled_nodejs_packages.py -# Source3 contains Grafana configuration defaults for distributions -Source3: distro-defaults.ini # Patches Patch1: 001-login-oauth-use-oauth2-exchange.patch @@ -59,7 +66,7 @@ ExclusiveArch: %{grafana_arches} %{?systemd_requires} Requires(pre): shadow-utils -BuildRequires: git, systemd, golang, go-srpm-macros go-rpm-macros +BuildRequires: git, systemd, golang, go-srpm-macros, go-rpm-macros Recommends: grafana-cloudwatch = %{version}-%{release} Recommends: grafana-elasticsearch = %{version}-%{release} @@ -355,11 +362,14 @@ The Grafana stackdriver datasource. %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 %patch6 -p1 + +%if 0%{?unbundle_vendor_sources} +%patch5 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 +%endif # Set up build subdirs and links mkdir -p %{_builddir}/src/github.com/grafana 
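Review bot: Renumbering the existing entries in the first hunk (`Source2` becomes `distro-defaults.ini`, `Source3` becomes `make_grafana_webpack.sh`) changes what every `%{SOURCE2}`/`%{SOURCE3}` reference resolves to; appending the two helper scripts as `Source4`/`Source5` and leaving the old pair in place would have kept that risk out of this change. The only consumers visible in this patch are the two `install` lines in the `@@ -429,9 +439,9 @@` hunk, which are updated, but any use outside the shown hunks should be checked, because a stale reference picks up the wrong file without a build error. Minor style point: the `Source4` comment ends with a colon, unlike the other Source comments.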
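Review bot: The new `%if 0%{?unbundle_vendor_sources}` block around `%patch5`, `%patch7`, `%patch8` and `%patch9` in the `@@ -355,11 +362,14 @@` hunk has no comment explaining why these four patches are conditional, and `0%{?...}` evaluates to false when the macro is undefined, so they are skipped silently in that case. The names of patches 5 to 9 are not visible in this diff; if any of them carries a fix rather than an adjustment needed only for unbundled vendor sources, builds without the macro would ship without it. I would add a comment above the block such as `# patches 5, 7-9 only adapt the sources to unbundled (system) Go dependencies` and state the macro's default where it is defined. The patch list (presumably `%prep`) starts outside the hunk.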
@@ -429,9 +439,9 @@ install -d %{buildroot}%{_sysconfdir}/%{name} install -d %{buildroot}%{_sysconfdir}/sysconfig # config defaults -install -p -m 640 %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}/grafana.ini +install -p -m 640 %{SOURCE2} %{buildroot}%{_sysconfdir}/%{name}/grafana.ini install -p -m 640 conf/ldap.toml %{buildroot}%{_sysconfdir}/%{name}/ldap.toml -install -p -m 644 %{SOURCE3} %{buildroot}%{_datadir}/%{name}/conf/defaults.ini +install -p -m 644 %{SOURCE2} %{buildroot}%{_datadir}/%{name}/conf/defaults.ini install -p -m 644 packaging/rpm/sysconfig/grafana-server \ %{buildroot}%{_sysconfdir}/sysconfig/grafana-server @@ -481,6 +491,10 @@ if [ -f %{_sharedstatedir}/%{name}/grafana.db ]; then chmod 640 %{_sharedstatedir}/%{name}/grafana.db fi +# required for upgrades +chmod 640 %{_sysconfdir}/%{name}/grafana.ini +chmod 640 %{_sysconfdir}/%{name}/ldap.toml + %postun %systemd_postun_with_restart grafana-server.service @@ -609,11 +623,10 @@ export GO111MODULE=off - set Grafana version in Grafana UI and grafana-cli --version - declare README.md as documentation of datasource plugins - create grafana.db on first installation (fixes RH BZ #1805472) -- change permissions of /var/lib/grafana to 750 +- change permissions of /var/lib/grafana to 750 (CVE-2020-12458) - change permissions of /var/lib/grafana/grafana.db to 640 and - user/group grafana:grafana -- change permissions of grafana.ini and ldap.toml to 640 - (contains secret_key/bind_password) + user/group grafana:grafana (CVE-2020-12458) +- change permissions of grafana.ini and ldap.toml to 640 (CVE-2020-12459) * Wed Feb 26 2020 Mark Goodwin 6.6.2-1 - added patch0 to set the version string correctly diff --git a/scripts/list_bundled_nodejs_packages.py b/list_bundled_nodejs_packages.py similarity index 100% rename from scripts/list_bundled_nodejs_packages.py rename to list_bundled_nodejs_packages.py 
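Review bot: The two `chmod 640` calls added under `# required for upgrades` in the `@@ -481,6 +491,10 @@` hunk run unconditionally, unlike the `grafana.db` fix just above them, which is wrapped in `if [ -f ... ]`; if an administrator has removed `ldap.toml`, the `chmod` fails and, being the last command before `%postun`, determines the scriptlet's exit status. A guard that still reports a real `chmod` failure would be `[ ! -f %{_sysconfdir}/%{name}/ldap.toml ] || chmod 640 %{_sysconfdir}/%{name}/ldap.toml`, and the same for `grafana.ini`. The added lines also correct only the mode: 640 keeps `secret_key`/`bind_password` private yet readable by the service only if the files are owned `root:grafana`, which this hunk neither shows nor enforces, so the ownership that upgraded systems end up with should be confirmed. The scriptlet header is outside the hunk.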
diff --git a/scripts/list_go_buildrequires.sh b/list_go_buildrequires.sh
similarity index 100%
rename from scripts/list_go_buildrequires.sh
rename to list_go_buildrequires.sh
diff --git a/scripts/run_container_build.sh b/run_container_build.sh
similarity index 100%
rename from scripts/run_container_build.sh
rename to run_container_build.sh