Resolves: rhbz#2066829

Changes: - Rename -validate-nonlinux subpackage to -validate-redistributable - Add static Linux binaries to -redistributable - Fix macro invocation in comment - Avoid kernel lockdown on VMware when running with secure boot - Update rpmlintrc
2022-03-21 11:22:08 -04:00 · 2022-03-21 11:22:08 -04:00 · 5ef0e911a9
parent 387b3776f4
commit 5ef0e911a9
3 changed files with 86 additions and 8 deletions
--- a/ignition.rpmlintrc
+++ b/ignition.rpmlintrc
@ -1,2 +1,14 @@
 # Suppress hardcoded library path warning
-addFilter("hardcoded-library-path in %{_prefix}/lib/dracut")
+addFilter("hardcoded-library-path in %{_prefix}/lib/dracut")
+
+# Ignition sources have duplicate files because of how spec versioning is
+# implemented
+addFilter("ignition-debugsource.x86_64: W: files-duplicate")
+
+# -validate-redistributable is supposed to have binaries in it
+addFilter("ignition-validate-redistributable.noarch: E: arch-independent-package-contains-binary-or-object")
+
+# This is documented as optional
+# https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F
+addFilter("ignition.x86_64: W: obsolete-not-provided ignition-dracut")
+addFilter("ignition-validate-redistributable.noarch: W: obsolete-not-provided ignition-validate-nonlinux")
--- a/ignition.spec
+++ b/ignition.spec
@ -2,7 +2,7 @@
 %if 0%{?fedora}
 %bcond_without check
 %else
-# %gocheck isn't currently provided on CentOS/RHEL
+# %%gocheck isn't currently provided on CentOS/RHEL
 # https://bugzilla.redhat.com/show_bug.cgi?id=1982298
 %bcond_with check
 %endif
@ -19,7 +19,7 @@ Version:                2.13.0
 %global dracutlibdir %{_prefix}/lib/dracut

 Name:           ignition
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        First boot installer and configuration tool

 # Upstream license specification: Apache-2.0
@ -28,6 +28,9 @@ URL:            %{gourl}
 Source0:        %{gosource}
 # https://github.com/coreos/ignition/pull/1307
 Patch0:         luks-volume-reuse.patch
+# vmware: kernel_lockdown breaks guestinfo fetching
+# https://github.com/coreos/ignition/issues/1092
+Patch1:         vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch

 BuildRequires: libblkid-devel

@ -217,18 +220,22 @@ the configuration.

 This package contains a tool for validating Ignition configurations.

-############## validate-nonlinux subpackage ##############
+############## validate-redistributable subpackage ##############

 %if 0%{?fedora}
-%package validate-nonlinux
+%package validate-redistributable

-Summary:   Validation tool for Ignition configs for macOS and Windows
+Summary:   Statically linked validation tool for Ignition configs
 License:   ASL 2.0
 BuildArch: noarch

 Conflicts: ignition < 0.31.0-3

-%description validate-nonlinux
+# In case someone has this subpackage installed, obsolete the old name
+# Drop in Fedora 38
+Obsoletes:     ignition-validate-nonlinux < 2.13.0-4 
+
+%description validate-redistributable
 This package contains macOS and Windows ignition-validate binaries built
 through cross-compilation. Do not install it. It is only used for
 building binaries to sign by Fedora release engineering and include on the
@ -260,6 +267,11 @@ echo "Building ignition-validate..."
 %global gocrossbuild go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x

 %if 0%{?fedora}
+echo "Building statically-linked Linux ignition-validate..."
+CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go
+CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go
+CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go
+CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go 
 echo "Building macOS ignition-validate..."
 GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go

@ -278,8 +290,12 @@ install -p -m 0755 ./ignition-validate %{buildroot}%{_bindir}

 %if 0%{?fedora}
 install -d -p %{buildroot}%{_datadir}/ignition
+install -p -m 0644 ./ignition-validate-aarch64-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition
+install -p -m 0644 ./ignition-validate-ppc64le-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition
+install -p -m 0644 ./ignition-validate-s390x-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition 
 install -p -m 0644 ./ignition-validate-x86_64-apple-darwin %{buildroot}%{_datadir}/ignition
 install -p -m 0644 ./ignition-validate-x86_64-pc-windows-gnu.exe %{buildroot}%{_datadir}/ignition
+install -p -m 0644 ./ignition-validate-x86_64-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition
 %endif

 # The ignition binary is only for dracut, and is dangerous to run from
@ -303,14 +319,24 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
 %{_bindir}/ignition-validate

 %if 0%{?fedora}
-%files validate-nonlinux
+%files validate-redistributable
 %license %{golicenses}
 %dir %{_datadir}/ignition
+%{_datadir}/ignition/ignition-validate-aarch64-unknown-linux-gnu-static
+%{_datadir}/ignition/ignition-validate-ppc64le-unknown-linux-gnu-static
+%{_datadir}/ignition/ignition-validate-s390x-unknown-linux-gnu-static 
 %{_datadir}/ignition/ignition-validate-x86_64-apple-darwin
 %{_datadir}/ignition/ignition-validate-x86_64-pc-windows-gnu.exe
+%{_datadir}/ignition/ignition-validate-x86_64-unknown-linux-gnu-static
 %endif

 %changelog
+* Mon Mar 21 2022 Sohan Kunkerkar <skunkerk@redhat.com> - 2.13.0-2
+- Rename -validate-nonlinux subpackage to -validate-redistributable
+- Add static Linux binaries to -redistributable
+- Fix macro invocation in comment
+- Avoid kernel lockdown on VMware when running with secure boot
+
 * Thu Jan 20 2022 Benjamin Gilbert <bgilbert@redhat.com> - 2.13.0-1
 - New release
 - Fix LUKS volume reuse
--- a/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch
+++ b/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch
@ -0,0 +1,40 @@
+From 069ab246129be6860aed3389c526543afa87e712 Mon Sep 17 00:00:00 2001
+From: Luca BRUNO <luca.bruno@coreos.com>
+Date: Thu, 17 Sep 2020 16:07:59 +0000
+Subject: [PATCH] vendor/vmw-guestinfo: quickfix to skip performing iopl
+
+This is a quickfix to avoid performing an `iopl`, which is blocked by
+kernel_lockdown under SecureBoot.
+
+Refs:
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1877995
+ * https://github.com/lucab/vmw_backdoor-rs/issues/6
+ * https://github.com/coreos/ignition/issues/1092
+---
+ .../vmware/vmw-guestinfo/vmcheck/vmcheck.go           | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+index c46cc5e4..ffd866c0 100644
+--- a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+++ b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+@@ -41,10 +41,13 @@ func IsVirtualWorld() (bool, error) {
+ 
+ // hypervisorPortCheck tests the availability of the HV port.
+ func hypervisorPortCheck() (bool, error) {
+-	// Privilege level 3 to access all ports above 0x3ff
+-	if err := openPortsAccess(); err != nil {
+-		return false, err
+-	}
+       // XXX(lucab): quickfix for https://github.com/coreos/ignition/issues/1092.
+       /*
+               // Privilege level 3 to access all ports above 0x3ff
+               if err := openPortsAccess(); err != nil {
+                       return false, err
+               }
+       */
+ 
+ 	p := &bdoor.BackdoorProto{}
+ 
+-- 
+2.21.1