Merge pull request #13680 from jfrazelle/new-apt-yum-repos

WIP: new apt yum repos for release scripts

Dockerfile

@@ -37,6 +37,7 @@ RUN apt-get update && apt-get install -y \
 	bash-completion \
 	btrfs-tools \
 	build-essential \
+	createrepo \
 	curl \
 	dpkg-sig \
 	git \

contrib/reprepro/suites.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+cd "$(dirname "$BASH_SOURCE")/../.."
+
+targets_from() {
+       git fetch -q https://github.com/docker/docker.git "$1"
+       git ls-tree -r --name-only origin/master contrib/builder/deb | grep '/Dockerfile$' | sed -r 's!^contrib/builder/deb/|-debootstrap|/Dockerfile$!!g'
+}
+
+{ targets_from master; targets_from release; } | sort -u

hack/make/release-deb

@@ -0,0 +1,68 @@
+#!/bin/bash
+set -e
+
+# This script creates the apt repos for the .deb files generated by hack/make/build-deb
+#
+# The following can then be used as apt sources:
+# 	deb http://apt.dockerproject.org/repo $distro-$release $version
+#
+# For example:
+#	deb http://apt.dockerproject.org/repo ubuntu-trusy main
+#	deb http://apt.dockerproject.org/repo ubuntu-vivid testing
+#	deb http://apt.dockerproject.org/repo debian-wheezy experimental
+#	deb http://apt.dockerproject.org/repo debian-jessie main
+#
+# ... and so on and so forth for the builds created by hack/make/build-deb
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+APTDIR=$DOCKER_RELEASE_DIR/apt/repo
+
+# setup the apt repo (if it does not exist)
+mkdir -p "$APTDIR/conf" "$APTDIR/db"
+
+# create/update distributions file
+for suite in $(exec contrib/reprepro/suites.sh); do
+	cat <<-EOF
+	Origin: Docker
+	Suite: $suite
+	Codename: $suite
+	Architectures: amd64 i386
+	Components: main testing experimental
+	Description: Docker APT Repository
+
+	EOF
+done > "$APTDIR/conf/distributions"
+
+# set the component and priority for the version being released
+component="main"
+priority=700
+
+if [[ "$VERSION" == *-rc* ]]; then
+	component="testing"
+	priority=650
+fi
+
+if [ $DOCKER_EXPERIMENTAL ] || [[ "$VERSION" == *-dev ]] || [ -n "$(git status --porcelain)" ]; then
+	component="experimental"
+	priority=600
+fi
+
+# release the debs
+for dir in contrib/builder/deb/*/; do
+	version="$(basename "$dir")"
+	codename="${version//debootstrap-}"
+
+	# add the deb for each component for the distro version with reprepro
+	DEBFILE=( "bundles/$VERSION/build-deb/$version/docker-engine"*.deb )
+
+	# if we have a $GPG_PASSPHRASE we may as well
+	# dpkg-sign before reprepro
+	if [ ! -z "$GPG_PASSPHRASE" ]; then
+		dpkg-sig -g "--passphrase $GPG_PASSPHRASE" \
+			-k releasedocker --sign builder "${DEBFILE[@]}"
+	fi
+
+	reprepro -v --keepunreferencedfiles \
+		-S docker-engine -P "$priority" -C "$component" \
+		-b "$APTDIR" includedeb "$codename" "${DEBFILE[@]}"
+done

hack/make/release-rpm

@@ -0,0 +1,74 @@
+#!/bin/bash
+set -e
+
+# This script creates the yum repos for the .rpm files generated by hack/make/build-rpm
+#
+# The following can then be used as a yum repo:
+# 	http://yum.dockerproject.org/repo/$release/$distro/$distro-version
+#
+# For example:
+# 	http://yum.dockerproject.org/repo/main/fedora/22
+# 	http://yum.dockerproject.org/repo/testing/centos/6
+# 	http://yum.dockerproject.org/repo/experimental/fedora/21
+# 	http://yum.dockerproject.org/repo/main/centos/7
+#
+# ... and so on and so forth for the builds created by hack/make/build-rpm
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+
+# manage the repos for each distribution seperately
+distros=( fedora centos oraclelinux )
+
+# get the release
+release="main"
+
+if [[ "$VERSION" == *-rc* ]]; then
+	release="testing"
+fi
+
+if [ $DOCKER_EXPERIMENTAL ] || [[ "$VERSION" == *-dev ]] || [ -n "$(git status --porcelain)" ]; then
+	release="experimental"
+fi
+
+for distro in "${distros[@]}"; do
+	# Setup the yum repo
+	REPO=$YUMDIR/$release/$distro
+
+	for dir in contrib/builder/rpm/$distro-*/; do
+		version="$(basename "$dir")"
+		suite="${version##*-}"
+
+		# if the directory does not exist, intialize the yum repo
+		if [[ ! -d $REPO/$suite/Packages ]]; then
+			mkdir -p "$REPO/$suite/Packages"
+
+			createrepo --pretty "$REPO/$suite"
+		fi
+
+		# path to rpms
+		RPMFILE=( "bundles/$VERSION/build-rpm/$version/RPMS/x86_64/docker-engine"*.rpm "bundles/$VERSION/build-rpm/$version/SRPMS/docker-engine"*.rpm )
+
+		# if we have a $GPG_PASSPHRASE we may as well
+		# sign the rpms before adding to repo
+		if [ ! -z $GPG_PASSPHRASE ]; then
+			# export our key to rpm import
+			gpg --armor --export releasedocker > /tmp/gpg
+			rpm --import /tmp/gpg
+
+			# sign the rpms
+			rpm \
+				--define '_gpg_name releasedocker' \
+				--define '_signature gpg' \
+				--define '__gpg_check_password_cmd /bin/true' \
+				--define '__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}' \
+				--resign "${RPMFILE[@]}"
+		fi
+
+		# copy the rpms to the packages folder
+		cp "$RPMFILE" "$REPO/$suite/Packages"
+
+		# update the repo
+		createrepo --pretty --update "$REPO/$suite"
+	done
+done

hack/make/sign-repos

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# This script signs the deliverables from release-deb and release-rpm
+# with a designated GPG key.
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+APTDIR=$DOCKER_RELEASE_DIR/apt/repo
+YUMDIR=$DOCKER_RELEASE_DIR/yum/repo
+
+if [ -z "$GPG_PASSPHRASE" ]; then
+	echo >&2 'you need to set GPG_PASSPHRASE in order to sign artifacts'
+	exit 1
+fi
+
+if [ ! -d $APTDIR ] && [ ! -d $YUMDIR ]; then
+	echo >&2 'release-rpm or release-deb must be run before sign-repos'
+	exit 1
+fi
+
+sign_packages(){
+	# sign apt repo metadata
+	if [ -d $APTDIR ]; then
+		# create file with public key
+		gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/apt/gpg"
+
+		# sign the repo metadata
+		for F in $(find $APTDIR -name Release); do
+			gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+				--armor --sign --detach-sign \
+				--batch --yes \
+				--output "$F.gpg" "$F"
+		done
+	fi
+
+	# sign yum repo metadata
+	if [ -d $YUMDIR ]; then
+		# create file with public key
+		gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/yum/gpg"
+
+		# sign the repo metadata
+		for F in $(find $YUMDIR -name repomd.xml ); do
+			gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \
+				--armor --sign --detach-sign \
+				--batch --yes \
+				--output "$F.asc" "$F"
+		done
+	fi
+}
+
+sign_packages