From 5ef0e911a966d39166a3779ddf2d6d845a5d6dd4 Mon Sep 17 00:00:00 2001 From: Sohan Kunkerkar Date: Mon, 21 Mar 2022 11:22:08 -0400 Subject: [PATCH] Resolves: rhbz#2066829 Changes: - Rename -validate-nonlinux subpackage to -validate-redistributable - Add static Linux binaries to -redistributable - Fix macro invocation in comment - Avoid kernel lockdown on VMware when running with secure boot - Update rpmlintrc --- ignition.rpmlintrc | 14 ++++++- ignition.spec | 40 +++++++++++++++---- ...info-quickfix-to-skip-performing-iop.patch | 40 +++++++++++++++++++ 3 files changed, 86 insertions(+), 8 deletions(-) create mode 100644 vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch
diff --git a/ignition.rpmlintrc b/ignition.rpmlintrc
index ebc7ba8..18e5612 100644
--- a/ignition.rpmlintrc
+++ b/ignition.rpmlintrc
@@ -1,2 +1,14 @@
 # Suppress hardcoded library path warning
-addFilter("hardcoded-library-path in %{_prefix}/lib/dracut")
\ No newline at end of file
+addFilter("hardcoded-library-path in %{_prefix}/lib/dracut")
+
+# Ignition sources have duplicate files because of how spec versioning is
+# implemented
+addFilter("ignition-debugsource.x86_64: W: files-duplicate")
+
+# -validate-redistributable is supposed to have binaries in it
+addFilter("ignition-validate-redistributable.noarch: E: arch-independent-package-contains-binary-or-object")
+
+# This is documented as optional
+# https://fedoraproject.org/wiki/Upgrade_paths_%E2%80%94_renaming_or_splitting_packages#Do_I_need_to_Provide_my_old_package_names.3F
+addFilter("ignition.x86_64: W: obsolete-not-provided ignition-dracut")
+addFilter("ignition-validate-redistributable.noarch: W: obsolete-not-provided ignition-validate-nonlinux")
diff --git a/ignition.spec b/ignition.spec
index 2c42301..dcbcc94 100644
--- a/ignition.spec
+++ b/ignition.spec
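Review bot: Two of the new filters in ignition.rpmlintrc hard-code the build architecture, `ignition-debugsource.x86_64: W: files-duplicate` and `ignition.x86_64: W: obsolete-not-provided ignition-dracut`, so the same warnings would still be reported for packages built on any other architecture. Assuming rpmlint treats the addFilter argument as a regular expression, as it normally does, an arch-agnostic pattern such as `addFilter(r"ignition-debugsource\.\w+: W: files-duplicate")` covers every arch while keeping the suppression limited to that one package and check. The filter for `E: arch-independent-package-contains-binary-or-object` silences an error rather than a warning, so it is worth keeping it pinned to the `ignition-validate-redistributable.noarch` package name exactly as written and not widening it later.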
@@ -2,7 +2,7 @@ %if 0%{?fedora} %bcond_without check %else -# %gocheck isn't currently provided on CentOS/RHEL +# %%gocheck isn't currently provided on CentOS/RHEL # https://bugzilla.redhat.com/show_bug.cgi?id=1982298 %bcond_with check %endif @@ -19,7 +19,7 @@ Version: 2.13.0 %global dracutlibdir %{_prefix}/lib/dracut Name: ignition -Release: 1%{?dist} +Release: 2%{?dist} Summary: First boot installer and configuration tool # Upstream license specification: Apache-2.0 @@ -28,6 +28,9 @@ URL: %{gourl} Source0: %{gosource} # https://github.com/coreos/ignition/pull/1307 Patch0: luks-volume-reuse.patch +# vmware: kernel_lockdown breaks guestinfo fetching +# https://github.com/coreos/ignition/issues/1092 +Patch1: vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch BuildRequires: libblkid-devel @@ -217,18 +220,22 @@ the configuration. This package contains a tool for validating Ignition configurations. -############## validate-nonlinux subpackage ############## +############## validate-redistributable subpackage ############## %if 0%{?fedora} -%package validate-nonlinux +%package validate-redistributable -Summary: Validation tool for Ignition configs for macOS and Windows +Summary: Statically linked validation tool for Ignition configs License: ASL 2.0 BuildArch: noarch Conflicts: ignition < 0.31.0-3 -%description validate-nonlinux +# In case someone has this subpackage installed, obsolete the old name +# Drop in Fedora 38 +Obsoletes: ignition-validate-nonlinux < 2.13.0-4 + +%description validate-redistributable This package contains macOS and Windows ignition-validate binaries built through cross-compilation. Do not install it. It is only used for building binaries to sign by Fedora release engineering and include on the 
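Review bot: The `%description validate-redistributable` text left as context in the last hunk on this line still reads "This package contains macOS and Windows ignition-validate binaries built through cross-compilation", which no longer matches the renamed subpackage or its new Summary now that static Linux binaries ship in it. That description is also what tells users "Do not install it" and that the files exist only to be signed by release engineering, so it should name the Linux builds too, for example `This package contains statically linked Linux, macOS, and Windows ignition-validate binaries built through cross-compilation.` The description continues past the end of the hunk, so the remainder should be checked against the new contents as well.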
@@ -260,6 +267,11 @@ echo "Building ignition-validate..." %global gocrossbuild go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %if 0%{?fedora} +echo "Building statically-linked Linux ignition-validate..." +CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go +CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go +CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go +CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go echo "Building macOS ignition-validate..." GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go @@ -278,8 +290,12 @@ install -p -m 0755 ./ignition-validate %{buildroot}%{_bindir} %if 0%{?fedora} install -d -p %{buildroot}%{_datadir}/ignition +install -p -m 0644 ./ignition-validate-aarch64-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition +install -p -m 0644 ./ignition-validate-ppc64le-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition +install -p -m 0644 ./ignition-validate-s390x-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition install -p -m 0644 ./ignition-validate-x86_64-apple-darwin %{buildroot}%{_datadir}/ignition install -p -m 0644 ./ignition-validate-x86_64-pc-windows-gnu.exe %{buildroot}%{_datadir}/ignition +install -p -m 0644 ./ignition-validate-x86_64-unknown-linux-gnu-static %{buildroot}%{_datadir}/ignition %endif # The ignition binary is only for dracut, and is dangerous to run from 
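Review bot: The four new static Linux builds go through `%gocrossbuild`, whose definition in this hunk's context passes `-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')`, so every rebuild embeds a different random build ID and the binaries cannot be reproduced bit-for-bit from the same sources. The subpackage description elsewhere in this patch says these files exist to be signed by Fedora release engineering, which is exactly where an independent rebuild-and-compare check is most useful. If the random ID has to stay, a comment above the new block would at least record the limitation, e.g. `# NOTE: %%gocrossbuild embeds a random build ID; these binaries are not bit-for-bit reproducible`. The install hunk that follows on this line and the `%files validate-redistributable` hunk repeat the same four file names, so the three lists have to be kept in sync by hand.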
@@ -303,14 +319,24 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition %{_bindir}/ignition-validate %if 0%{?fedora} -%files validate-nonlinux +%files validate-redistributable %license %{golicenses} %dir %{_datadir}/ignition +%{_datadir}/ignition/ignition-validate-aarch64-unknown-linux-gnu-static +%{_datadir}/ignition/ignition-validate-ppc64le-unknown-linux-gnu-static +%{_datadir}/ignition/ignition-validate-s390x-unknown-linux-gnu-static %{_datadir}/ignition/ignition-validate-x86_64-apple-darwin %{_datadir}/ignition/ignition-validate-x86_64-pc-windows-gnu.exe +%{_datadir}/ignition/ignition-validate-x86_64-unknown-linux-gnu-static %endif %changelog +* Mon Mar 21 2022 Sohan Kunkerkar - 2.13.0-2 +- Rename -validate-nonlinux subpackage to -validate-redistributable +- Add static Linux binaries to -redistributable +- Fix macro invocation in comment +- Avoid kernel lockdown on VMware when running with secure boot + * Thu Jan 20 2022 Benjamin Gilbert - 2.13.0-1 - New release - Fix LUKS volume reuse diff --git a/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch b/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch new file mode 100644 index 0000000..6d43fe9 --- /dev/null +++ b/vendor-vmw-guestinfo-quickfix-to-skip-performing-iop.patch 
@@ -0,0 +1,40 @@
+From 069ab246129be6860aed3389c526543afa87e712 Mon Sep 17 00:00:00 2001
+From: Luca BRUNO
+Date: Thu, 17 Sep 2020 16:07:59 +0000
+Subject: [PATCH] vendor/vmw-guestinfo: quickfix to skip performing iopl
+
+This is a quickfix to avoid performing an `iopl`, which is blocked by
+kernel_lockdown under SecureBoot.
+
+Refs:
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1877995
+ * https://github.com/lucab/vmw_backdoor-rs/issues/6
+ * https://github.com/coreos/ignition/issues/1092
+---
+ .../vmware/vmw-guestinfo/vmcheck/vmcheck.go | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+index c46cc5e4..ffd866c0 100644
+--- a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
++++ b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+@@ -41,10 +41,13 @@ func IsVirtualWorld() (bool, error) {
+
+ // hypervisorPortCheck tests the availability of the HV port.
+ func hypervisorPortCheck() (bool, error) {
+- // Privilege level 3 to access all ports above 0x3ff
+- if err := openPortsAccess(); err != nil {
+- return false, err
+- }
++ // XXX(lucab): quickfix for https://github.com/coreos/ignition/issues/1092.
++ /*
++ // Privilege level 3 to access all ports above 0x3ff
++ if err := openPortsAccess(); err != nil {
++ return false, err
++ }
++ */
+
+ p := &bdoor.BackdoorProto{}
+
+--
+2.21.1
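Review bot: The vendored `hypervisorPortCheck` now skips `openPortsAccess()` by wrapping it in a block comment, and the only explanation left in the code is an `XXX(lucab)` marker with an issue URL. The embedded patch message says the `iopl` is blocked by kernel_lockdown under SecureBoot, but nothing in the code says why the port probe that follows is expected to work without the raised I/O privilege level, which matters for a downstream change to third-party vendored code that has to be carried across rebases. I would delete the dead block instead of commenting it out and replace the marker with something like `// iopl(3) is skipped: kernel_lockdown rejects it under Secure Boot (coreos/ignition#1092). Downstream patch; re-check on every re-vendor.` The body of `hypervisorPortCheck` continues past the end of the hunk, so whether `openPortsAccess` still has other callers is not visible here.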