update patch handling and instructions

This commit is contained in:
Andreas Gerstmayr 2021-10-08 16:53:45 +02:00
parent c29ffffe46
commit b3f6907658
7 changed files with 55 additions and 40 deletions


@ -8,10 +8,17 @@ SOURCE_TAR := $(NAME)-$(VERSION).tar.gz
VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz
WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
ALL_PATCHES := $(sort $(wildcard *.patch))
VENDOR_PATCHES := $(sort $(wildcard *.vendor.patch))
COND_PATCHES := $(sort $(wildcard *.cond.patch))
REGULAR_PATCHES := $(filter-out $(VENDOR_PATCHES) $(COND_PATCHES),$(ALL_PATCHES))
# patches which must be applied before creating the vendor tarball, for example:
# - changes in dependency versions
# - changes in Go module imports (which affect the vendored Go modules)
PATCHES_PRE_VENDOR := \
005-remove-unused-dependencies.patch \
008-remove-unused-frontend-crypto.patch
# patches which must be applied before creating the webpack, for example:
# - changes in Node.js sources or vendored dependencies
PATCHES_PRE_WEBPACK :=
all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
@ -19,11 +26,12 @@ $(SOURCE_TAR):
spectool -g $(RPM_NAME).spec
$(VENDOR_TAR): $(SOURCE_TAR)
# start with a clean state
rm -rf $(SOURCE_DIR)
tar xf $(SOURCE_TAR)
# Patches to apply before vendoring
for patch in $(REGULAR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
# Go
cd $(SOURCE_DIR) && go mod vendor -v
@ -46,15 +54,20 @@ $(VENDOR_TAR): $(SOURCE_TAR)
rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples
./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest
# Patches to apply after vendoring
for patch in $(VENDOR_PATCHES); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
# Create tarball
XZ_OPT=-9 time -p tar cJf $@ \
$(SOURCE_DIR)/vendor \
$$(find $(SOURCE_DIR) -type d -name "node_modules" -prune)
$(WEBPACK_TAR): $(VENDOR_TAR)
# start with a clean state
rm -rf $(SOURCE_DIR)
tar xf $(SOURCE_TAR)
tar xf $(VENDOR_TAR)
# Patches to apply before creating the webpack
for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
cd $(SOURCE_DIR) && \
../build_frontend.sh
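Review bot: A failing `patch` inside the new `for patch in $(PATCHES_PRE_VENDOR); do ...; done` and `for patch in $(PATCHES_PRE_WEBPACK); do ...; done` recipe lines does not abort the recipe, because a `for` loop's exit status is that of its last body command, so make only notices a failure if it happens on the final patch. With `--fuzz=0` a patch that no longer applies after a version bump would be skipped silently and the vendor tarball would be packed from a half-patched tree, which for patches such as `008-remove-unused-frontend-crypto.patch` means the code they are meant to remove ships anyway. Appending `|| exit 1` to each loop body, `patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch || exit 1; done`, or setting `.SHELLFLAGS := -ec` at the top of the Makefile, makes the failure fatal. Separately, the `$(WEBPACK_TAR)` recipe re-extracts `$(SOURCE_TAR)` and applies only `PATCHES_PRE_WEBPACK`, so a pre-vendor patch that also edits frontend sources would not be present when `build_frontend.sh` runs; if that is intentional, a comment stating that pre-vendor patches must not touch files the webpack consumes would save the next maintainer a surprise.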


@ -14,19 +14,26 @@ The grafana package
* upload new source tarballs: `fedpkg new-sources *.tar.gz *.tar.xz`
* commit new `sources` file
## Backporting
## Patches
* create the patch
* declare and apply (`%prep`) the patch in the specfile
* if the patch affects Go or Node.js dependencies, or the webpack
* add the patch to `PATCHES_PRE_VENDOR` or `PATCHES_PRE_WEBPACK` in the Makefile
* create new tarballs
* update the specfile with new tarball path and contents of the `.manifest` file
* update the specfile with new tarball name and contents of the `.manifest` file
Note: the Makefile automatically applies patches before creating the tarballs
### General guidelines
* aim to apply all patches in the specfile
* avoid rebuilding the tarballs
## Patches
* `*.patch`: regular patches applied to the source, applied in the Makefile before vendoring and in the specfile (e.g. updating dependencies)
* `*.vendor.patch`: patches applied to the vendor tarball (e.g. patching vendored sources before generating a webpack)
* `*.cond.patch`: conditionally applied patches in the specfile
Patches fall in several categories:
* modify dependency versions
* modify both sources and vendored dependencies (e.g. CVEs)
* modify the Node.js source (i.e. affect the webpack)
* some patches are conditional (e.g. FIPS)
Patches cannot be applied twice.
It is not possible to unconditionally apply all patches in the Makefile, and great care must be taken to include the required patches at the correct stage of the build.
## Verification
* compare the list of files with the upstream RPM at https://grafana.com/grafana/download


@ -85,11 +85,11 @@ Patch8: 008-remove-unused-frontend-crypto.patch
# The Makefile removes a few files with crypto implementations
# from the vendor tarball, which are not used in Grafana.
# This patch removes all references to the deleted files.
Patch9: 009-patch-unused-backend-crypto.vendor.patch
Patch9: 009-patch-unused-backend-crypto.patch
# This patch modifies the x/crypto/pbkdf2 function to use OpenSSL
# if FIPS mode is enabled.
Patch10: 010-fips.cond.patch
Patch10: 010-fips.patch
# Intersection of go_arches and nodejs_arches
ExclusiveArch: %{grafana_arches}
@ -488,6 +488,7 @@ rm -r plugins-bundled
%patch5 -p1
%patch6 -p1
%patch8 -p1
%patch9 -p1
%if %{enable_fips_mode}
%patch10 -p1
%endif

17
recreate_tarballs.sh Executable file

@ -0,0 +1,17 @@
#!/bin/bash -eu
#
# create vendor and webpack tarballs inside a container for reproducibility
#
cat <<EOF | podman build -t grafana-build -f - .
FROM fedora:34
RUN dnf install -y rpmdevtools time python3-packaging make golang nodejs yarnpkg
RUN useradd builder
USER builder
WORKDIR /home/builder
COPY Makefile grafana.spec *.patch build_frontend.sh list_bundled_nodejs_packages.py .
RUN make
EOF
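Review bot: The header comment claims the container build is "for reproducibility", but `FROM fedora:34` is a floating tag and `dnf install -y rpmdevtools time python3-packaging make golang nodejs yarnpkg` installs whatever versions the mirrors carry on the day the script runs, so two invocations can produce different vendor and webpack tarballs (the webpack in particular depends on the exact Node.js and yarn versions used). Pinning the base image by digest and recording the toolchain versions alongside the tarballs, e.g. `RUN go version && node --version && yarn --version` written into the same directory as the `.manifest` files, would at least make the inputs auditable. Note also that the script only builds an image tagged `grafana-build` and never copies `$(VENDOR_TAR)`/`$(WEBPACK_TAR)` out of it; if the intended workflow is a manual `podman run`/`podman cp` afterwards, a comment saying so would help, since the README section changed in this commit does not mention it.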


@ -1,23 +0,0 @@
#!/bin/bash -eu
[ $# -lt 1 ] && echo "Usage: $0 fedora-version" && exit 1
FEDORA_VERSION="$1"
if [ -d deps ]; then
INSTALL_UNPUBLISHED_DEPENDENCIES=$'COPY deps/ /deps\nRUN cd /deps && dnf -y install *.rpm'
else
INSTALL_UNPUBLISHED_DEPENDENCIES=""
fi
cat <<EOF | podman build -f - .
FROM fedora:${FEDORA_VERSION}
RUN dnf install -y rpkg
RUN mkdir /grafana /deps
${INSTALL_UNPUBLISHED_DEPENDENCIES}
COPY grafana.spec *.patch grafana-*.tar.gz distro-defaults.ini Makefile create_webpack_manifest.py /grafana
WORKDIR /grafana
RUN dnf -y builddep grafana.spec
RUN rpkg local
EOF