From 4a5fd6c0f9014456e70a369c5b31e3edb3b8d5a1 Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Tue, 2 Jun 2015 14:01:00 -0700
Subject: [PATCH 1/2] add tianon's suites.sh file
Signed-off-by: Jessica Frazelle
---
 contrib/reprepro/suites.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100755 contrib/reprepro/suites.sh
diff --git a/contrib/reprepro/suites.sh b/contrib/reprepro/suites.sh
new file mode 100755
index 0000000000..efeeca0ce1
--- /dev/null
+++ b/contrib/reprepro/suites.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+cd "$(dirname "$BASH_SOURCE")/../.."
+
+targets_from() {
+ git fetch -q https://github.com/docker/docker.git "$1"
+ git ls-tree -r --name-only origin/master contrib/builder/deb | grep '/Dockerfile$' | sed -r 's!^contrib/builder/deb/|-debootstrap|/Dockerfile$!!g'
+}
+
+{ targets_from master; targets_from release; } | sort -u
From c850e97c84abffc71509692ab1accd38408fa51b Mon Sep 17 00:00:00 2001
From: Jessica Frazelle
Date: Mon, 1 Jun 2015 17:21:09 -0700
Subject: [PATCH 2/2] Add release-deb & release-rpm scripts. These will create the apt & yum repos for the deb/rpms generated by build-deb and build-rpm. Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle
---
 Dockerfile | 1 +
 hack/make/release-deb | 68 +++++++++++++++++++++++++++++++++++++++
 hack/make/release-rpm | 74 +++++++++++++++++++++++++++++++++++++++++++
 hack/make/sign-repos | 50 +++++++++++++++++++++++++++++
 4 files changed, 193 insertions(+)
 create mode 100755 hack/make/release-deb
 create mode 100755 hack/make/release-rpm
 create mode 100755 hack/make/sign-repos
diff --git a/Dockerfile b/Dockerfile
index eddeefc67d..43df5b6e3f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,6 +37,7 @@ RUN apt-get update && apt-get install -y \
 bash-completion \
 btrfs-tools \
 build-essential \
+ createrepo \
 curl \
 dpkg-sig \
 git \
diff --git a/hack/make/release-deb b/hack/make/release-deb
new file mode 100755
index 0000000000..1832b5b3f1
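Review bot: In contrib/reprepro/suites.sh, `targets_from` fetches the ref named by `$1` but then lists `origin/master`, so the argument never affects the output: `targets_from release` prints the master list again, and both calls read whatever the local `origin/master` ref currently points at rather than what was just fetched. `git fetch <url> <ref>` records the fetched commit in `FETCH_HEAD`, so the listing should start `git ls-tree -r --name-only FETCH_HEAD contrib/builder/deb`. Because release-deb builds `conf/distributions` from this output, a stale or absent local ref changes which suites the published apt repository declares. With `set -e` but no `pipefail`, a failing `git ls-tree` on the left of the pipe is also not reported, since the pipeline takes its status from `sed`.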
--- /dev/null
+++ b/hack/make/release-deb
@@ -0,0 +1,68 @@
+#!/bin/bash
+set -e
+
+# This script creates the apt repos for the .deb files generated by hack/make/build-deb
+#
+# The following can then be used as apt sources:
+# deb http://apt.dockerproject.org/repo $distro-$release $version
+#
+# For example:
+# deb http://apt.dockerproject.org/repo ubuntu-trusy main
+# deb http://apt.dockerproject.org/repo ubuntu-vivid testing
+# deb http://apt.dockerproject.org/repo debian-wheezy experimental
+# deb http://apt.dockerproject.org/repo debian-jessie main
+#
+# ... and so on and so forth for the builds created by hack/make/build-deb
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+APTDIR=$DOCKER_RELEASE_DIR/apt/repo
+
+# setup the apt repo (if it does not exist)
+mkdir -p "$APTDIR/conf" "$APTDIR/db"
+
+# create/update distributions file
+for suite in $(exec contrib/reprepro/suites.sh); do
+ cat <<-EOF
+ Origin: Docker
+ Suite: $suite
+ Codename: $suite
+ Architectures: amd64 i386
+ Components: main testing experimental
+ Description: Docker APT Repository
+
+ EOF
+done > "$APTDIR/conf/distributions"
+
+# set the component and priority for the version being released
+component="main"
+priority=700
+
+if [[ "$VERSION" == *-rc* ]]; then
+ component="testing"
+ priority=650
+fi
+
+if [ $DOCKER_EXPERIMENTAL ] || [[ "$VERSION" == *-dev ]] || [ -n "$(git status --porcelain)" ]; then
+ component="experimental"
+ priority=600
+fi
+
+# release the debs
+for dir in contrib/builder/deb/*/; do
+ version="$(basename "$dir")"
+ codename="${version//debootstrap-}"
+
+ # add the deb for each component for the distro version with reprepro
+ DEBFILE=( "bundles/$VERSION/build-deb/$version/docker-engine"*.deb )
+
+ # if we have a $GPG_PASSPHRASE we may as well
+ # dpkg-sign before reprepro
+ if [ ! -z "$GPG_PASSPHRASE" ]; then
+ dpkg-sig -g "--passphrase $GPG_PASSPHRASE" \
+ -k releasedocker --sign builder "${DEBFILE[@]}"
+ fi
+
+ reprepro -v --keepunreferencedfiles \
+ -S docker-engine -P "$priority" -C "$component" \
+ -b "$APTDIR" includedeb "$codename" "${DEBFILE[@]}"
+done
diff --git a/hack/make/release-rpm b/hack/make/release-rpm
new file mode 100755
index 0000000000..406e28a84d
--- /dev/null
+++ b/hack/make/release-rpm
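Review bot: In hack/make/release-deb, the `dpkg-sig -g "--passphrase $GPG_PASSPHRASE"` call puts the signing-key passphrase on the gpg command line, where it is visible in the process list while signing runs and is copied into any `set -x` trace or CI log. The same pattern recurs in this patch in release-rpm's `__gpg_sign_cmd` define and in both `gpg --passphrase` calls of sign-repos. gpg's `--passphrase-file` (or `--passphrase-fd`) keeps the secret out of argv, for example `-g "--batch --passphrase-file $passfile"`, where `$passfile` is a placeholder for a `mktemp`-created file that is removed on exit. Because the passphrase sits unquoted inside the `-g` option string, one containing whitespace would probably also be split into separate gpg arguments.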
@@ -0,0 +1,74 @@
+#!/bin/bash
+set -e
+
+# This script creates the yum repos for the .rpm files generated by hack/make/build-rpm
+#
+# The following can then be used as a yum repo:
+# http://yum.dockerproject.org/repo/$release/$distro/$distro-version
+#
+# For example:
+# http://yum.dockerproject.org/repo/main/fedora/22
+# http://yum.dockerproject.org/repo/testing/centos/6
+# http://yum.dockerproject.org/repo/experimental/fedora/21
+# http://yum.dockerproject.org/repo/main/centos/7
+#
+# ... and so on and so forth for the builds created by hack/make/build-rpm
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+
+# manage the repos for each distribution seperately
+distros=( fedora centos oraclelinux )
+
+# get the release
+release="main"
+
+if [[ "$VERSION" == *-rc* ]]; then
+ release="testing"
+fi
+
+if [ $DOCKER_EXPERIMENTAL ] || [[ "$VERSION" == *-dev ]] || [ -n "$(git status --porcelain)" ]; then
+ release="experimental"
+fi
+
+for distro in "${distros[@]}"; do
+ # Setup the yum repo
+ REPO=$YUMDIR/$release/$distro
+
+ for dir in contrib/builder/rpm/$distro-*/; do
+ version="$(basename "$dir")"
+ suite="${version##*-}"
+
+ # if the directory does not exist, intialize the yum repo
+ if [[ ! -d $REPO/$suite/Packages ]]; then
+ mkdir -p "$REPO/$suite/Packages"
+
+ createrepo --pretty "$REPO/$suite"
+ fi
+
+ # path to rpms
+ RPMFILE=( "bundles/$VERSION/build-rpm/$version/RPMS/x86_64/docker-engine"*.rpm "bundles/$VERSION/build-rpm/$version/SRPMS/docker-engine"*.rpm )
+
+ # if we have a $GPG_PASSPHRASE we may as well
+ # sign the rpms before adding to repo
+ if [ ! -z $GPG_PASSPHRASE ]; then
+ # export our key to rpm import
+ gpg --armor --export releasedocker > /tmp/gpg
+ rpm --import /tmp/gpg
+
+ # sign the rpms
+ rpm \
+ --define '_gpg_name releasedocker' \
+ --define '_signature gpg' \
+ --define '__gpg_check_password_cmd /bin/true' \
+ --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}' \
+ --resign "${RPMFILE[@]}"
+ fi
+
+ # copy the rpms to the packages folder
+ cp "$RPMFILE" "$REPO/$suite/Packages"
+
+ # update the repo
+ createrepo --pretty --update "$REPO/$suite"
+ done
+done
diff --git a/hack/make/sign-repos b/hack/make/sign-repos
new file mode 100755
index 0000000000..de227535e1
--- /dev/null
+++ b/hack/make/sign-repos
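Review bot: In hack/make/release-rpm, the signing branch exports the public key to the fixed path `/tmp/gpg` and then runs `rpm --import /tmp/gpg`. A fixed name in a world-writable directory can be pre-created or replaced by another local user on a shared build host, so the key that reaches the rpm database, or the file the redirect overwrites, is not guaranteed to be the intended one. Use a private temporary file, `keyfile="$(mktemp)"`, `gpg --armor --export releasedocker > "$keyfile"`, `rpm --import "$keyfile"`, and do it once before the loops rather than once per suite. In the `__gpg_sign_cmd` define, `'$GPG_PASSPHRASE'` closes the single quotes and leaves the expansion unquoted, so a passphrase with whitespace or glob characters splits the `--define` argument; `[ ! -z $GPG_PASSPHRASE ]` has the same quoting gap. Separately, `cp "$RPMFILE"` expands to the first array element only, so the SRPM that was just signed is never copied; `cp "${RPMFILE[@]}" "$REPO/$suite/Packages"` copies every file.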
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# This script signs the deliverables from release-deb and release-rpm
+# with a designated GPG key.
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+APTDIR=$DOCKER_RELEASE_DIR/apt/repo
+YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+
+if [ -z "$GPG_PASSPHRASE" ]; then
+ echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
+ exit 1
+fi
+
+if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
+ echo >&2 'release-rpm or release-deb must be run before sign-repos'
+ exit 1
+fi
+
+sign_packages(){
+ # sign apt repo metadata
+ if [ -d $APTDIR ]; then
+ # create file with public key
+ gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/apt/gpg"
+
+ # sign the repo metadata
+ for F in $(find $APTDIR -name Release); do
+ gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+ --armor --sign --detach-sign \
+ --batch --yes \
+ --output "$F.gpg" "$F"
+ done
+ fi
+
+ # sign yum repo metadata
+ if [ -d $YUMDIR ]; then
+ # create file with public key
+ gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/yum/gpg"
+
+ # sign the repo metadata
+ for F in $(find $YUMDIR -name repomd.xml ); do
+ gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+ --armor --sign --detach-sign \
+ --batch --yes \
+ --output "$F.asc" "$F"
+ done
+ fi
+}
+
+sign_packages
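Review bot: Unlike release-deb and release-rpm, hack/make/sign-repos has no `set -e` after the shebang, so a failed `gpg --export` or a failed signature inside either `for F in $(find …)` loop is ignored. The script's status is that of the last `gpg` call only, so a failure on any earlier file still ends in exit 0. A release run can then publish metadata that is unsigned, or that sits beside a signature left over from an earlier run, while the job reports success; verifying clients would presumably reject it, but nothing stops the upload. Add `set -e` under `#!/bin/bash`. The directory tests and `find` arguments should also be quoted, `[ -d "$APTDIR" ]` and `find "$APTDIR" -name Release`, so a release path containing spaces is not word-split.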