update patch handling and instructions
Related: rhbz#1993215
parent
d7d4057459
commit
8f43abb257
29
Makefile
29
Makefile
@ -8,10 +8,17 @@ SOURCE_TAR := $(NAME)-$(VERSION).tar.gz
|
||||
VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz
|
||||
WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
|
||||
|
||||
ALL_PATCHES := $(sort $(wildcard *.patch))
|
||||
VENDOR_PATCHES := $(sort $(wildcard *.vendor.patch))
|
||||
COND_PATCHES := $(sort $(wildcard *.cond.patch))
|
||||
REGULAR_PATCHES := $(filter-out $(VENDOR_PATCHES) $(COND_PATCHES),$(ALL_PATCHES))
|
||||
# patches which must be applied before creating the vendor tarball, for example:
|
||||
# - changes in dependency versions
|
||||
# - changes in Go module imports (which affect the vendored Go modules)
|
||||
PATCHES_PRE_VENDOR := \
|
||||
005-remove-unused-dependencies.patch \
|
||||
008-remove-unused-frontend-crypto.patch
|
||||
|
||||
# patches which must be applied before creating the webpack, for example:
|
||||
# - changes in Node.js sources or vendored dependencies
|
||||
PATCHES_PRE_WEBPACK :=
|
||||
|
||||
|
||||
all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
|
||||
|
||||
@ -19,11 +26,12 @@ $(SOURCE_TAR):
|
||||
spectool -g $(RPM_NAME).spec
|
||||
|
||||
$(VENDOR_TAR): $(SOURCE_TAR)
|
||||
# start with a clean state
|
||||
rm -rf $(SOURCE_DIR)
|
||||
tar xf $(SOURCE_TAR)
|
||||
|
||||
# Patches to apply before vendoring
|
||||
for patch in $(REGULAR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
|
||||
for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
|
||||
|
||||
# Go
|
||||
cd $(SOURCE_DIR) && go mod vendor -v
|
||||
@ -46,15 +54,20 @@ $(VENDOR_TAR): $(SOURCE_TAR)
|
||||
rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples
|
||||
./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest
|
||||
|
||||
# Patches to apply after vendoring
|
||||
for patch in $(VENDOR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
|
||||
|
||||
# Create tarball
|
||||
XZ_OPT=-9 time -p tar cJf $@ \
|
||||
$(SOURCE_DIR)/vendor \
|
||||
$$(find $(SOURCE_DIR) -type d -name "node_modules" -prune)
|
||||
|
||||
$(WEBPACK_TAR): $(VENDOR_TAR)
|
||||
# start with a clean state
|
||||
rm -rf $(SOURCE_DIR)
|
||||
tar xf $(SOURCE_TAR)
|
||||
tar xf $(VENDOR_TAR)
|
||||
|
||||
# Patches to apply before creating the webpack
|
||||
for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
|
||||
|
||||
cd $(SOURCE_DIR) && \
|
||||
../build_frontend.sh
|
||||
|
||||
|
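Review bot: The patch loops over `$(PATCHES_PRE_VENDOR)` and `$(PATCHES_PRE_WEBPACK)` do not stop when a patch fails to apply. A shell `for` loop returns the status of its last iteration, and make's default shell invocation has no `-e`, so a failure of `005-remove-unused-dependencies.patch` is masked once `008-remove-unused-frontend-crypto.patch` applies. The vendor or webpack tarball would then be built without a change the specfile assumes is present, which matters most when a pre-vendor patch carries a dependency or security fix. Ending the loop body with `patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch || exit 1; done` makes the recipe fail at the first patch that does not apply. Both recipes extend beyond the hunks shown, so this assumes there is no `SHELL` or `.SHELLFLAGS` override elsewhere in the Makefile.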
21
README.md
21
README.md
@ -14,19 +14,26 @@ The grafana package
|
||||
* upload new source tarballs: `fedpkg new-sources *.tar.gz *.tar.xz`
|
||||
* commit new `sources` file
|
||||
|
||||
## Backporting
|
||||
## Patches
|
||||
* create the patch
|
||||
* declare and apply (`%prep`) the patch in the specfile
|
||||
* if the patch affects Go or Node.js dependencies, or the webpack
|
||||
* add the patch to `PATCHES_PRE_VENDOR` or `PATCHES_PRE_WEBPACK` in the Makefile
|
||||
* create new tarballs
|
||||
* update the specfile with new tarball path and contents of the `.manifest` file
|
||||
* update the specfile with new tarball name and contents of the `.manifest` file
|
||||
|
||||
Note: the Makefile automatically applies patches before creating the tarballs
|
||||
### General guidelines
|
||||
* aim to apply all patches in the specfile
|
||||
* avoid rebuilding the tarballs
|
||||
|
||||
## Patches
|
||||
* `*.patch`: regular patches applied to the source, applied in the Makefile before vendoring and in the specfile (e.g. updating dependencies)
|
||||
* `*.vendor.patch`: patches applied to the vendor tarball (e.g. patching vendored sources before generating a webpack)
|
||||
* `*.cond.patch`: conditionally applied patches in the specfile
|
||||
Patches fall in several categories:
|
||||
* modify dependency versions
|
||||
* modify both sources and vendored dependencies (e.g. CVEs)
|
||||
* modify the Node.js source (i.e. affect the webpack)
|
||||
* some patches are conditional (e.g. FIPS)
|
||||
|
||||
Patches cannot be applied twice.
|
||||
It is not possible to unconditionally apply all patches in the Makefile, and great care must be taken to include the required patches at the correct stage of the build.
|
||||
|
||||
## Verification
|
||||
* compare the list of files with the upstream RPM at https://grafana.com/grafana/download
|
||||
|
@ -85,11 +85,11 @@ Patch8: 008-remove-unused-frontend-crypto.patch
|
||||
# The Makefile removes a few files with crypto implementations
|
||||
# from the vendor tarball, which are not used in Grafana.
|
||||
# This patch removes all references to the deleted files.
|
||||
Patch9: 009-patch-unused-backend-crypto.vendor.patch
|
||||
Patch9: 009-patch-unused-backend-crypto.patch
|
||||
|
||||
# This patch modifies the x/crypto/pbkdf2 function to use OpenSSL
|
||||
# if FIPS mode is enabled.
|
||||
Patch10: 010-fips.cond.patch
|
||||
Patch10: 010-fips.patch
|
||||
|
||||
# Intersection of go_arches and nodejs_arches
|
||||
ExclusiveArch: %{grafana_arches}
|
||||
@ -488,6 +488,7 @@ rm -r plugins-bundled
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%if %{enable_fips_mode}
|
||||
%patch10 -p1
|
||||
%endif
|
||||
|
17
recreate_tarballs.sh
Executable file
17
recreate_tarballs.sh
Executable file
@ -0,0 +1,17 @@
|
||||
#!/bin/bash -eu
|
||||
#
|
||||
# create vendor and webpack tarballs inside a container for reproducibility
|
||||
#
|
||||
|
||||
cat <<EOF | podman build -t grafana-build -f - .
|
||||
FROM fedora:34
|
||||
|
||||
RUN dnf install -y rpmdevtools time python3-packaging make golang nodejs yarnpkg
|
||||
|
||||
RUN useradd builder
|
||||
USER builder
|
||||
WORKDIR /home/builder
|
||||
|
||||
COPY Makefile grafana.spec *.patch build_frontend.sh list_bundled_nodejs_packages.py .
|
||||
RUN make
|
||||
EOF
|
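Review bot: The header comment promises reproducibility, but the inputs to this container build are all mutable. `FROM fedora:34` is an unqualified tag that is re-pushed over time, and `dnf install -y ... golang nodejs yarnpkg` installs whatever versions are current, so two runs can vendor and bundle with different toolchains. Pinning a fully qualified base image by digest, e.g. `FROM registry.fedoraproject.org/fedora:34@sha256:<digest-placeholder>`, and recording the installed toolchain versions next to the `.manifest` output would let a later rebuild be compared against this one. The script also ends at `podman build`, so the tarballs appear to stay inside the `grafana-build` image; if that is intended, a comment naming the step that copies them out would help.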
@ -1,23 +0,0 @@
|
||||
#!/bin/bash -eu
|
||||
|
||||
[ $# -lt 1 ] && echo "Usage: $0 fedora-version" && exit 1
|
||||
FEDORA_VERSION="$1"
|
||||
|
||||
if [ -d deps ]; then
|
||||
INSTALL_UNPUBLISHED_DEPENDENCIES=$'COPY deps/ /deps\nRUN cd /deps && dnf -y install *.rpm'
|
||||
else
|
||||
INSTALL_UNPUBLISHED_DEPENDENCIES=""
|
||||
fi
|
||||
|
||||
cat <<EOF | podman build -f - .
|
||||
FROM fedora:${FEDORA_VERSION}
|
||||
RUN dnf install -y rpkg
|
||||
RUN mkdir /grafana /deps
|
||||
|
||||
${INSTALL_UNPUBLISHED_DEPENDENCIES}
|
||||
|
||||
COPY grafana.spec *.patch grafana-*.tar.gz distro-defaults.ini Makefile create_webpack_manifest.py /grafana
|
||||
WORKDIR /grafana
|
||||
RUN dnf -y builddep grafana.spec
|
||||
RUN rpkg local
|
||||
EOF
|