Merge pull request #47 from DrDaveD/more-fedora-comments

DrDaveD · web-flow · commit e57a862caa88 · 2025-08-15T10:15:43.000-05:00
respond to more fedora review comments
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -57,6 +57,20 @@ jobs:
           OS_VERSION: latest
         run: ./ci/docker-run
 
+  rpmbuild-fedora41:
+    name: rpmbuild-fedora41
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      # fetch tags as checkout@v2 doesn't do that by default
+      - run: git fetch --prune --unshallow --tags --force
+
+      - name: Build rpm under docker
+        env:
+          OS_TYPE: quay.io/fedora/fedora-bootc
+          OS_VERSION: 41
+        run: ./ci/docker-run
+
   rpmbuild-fedora42:
     name: rpmbuild-fedora42
     runs-on: ubuntu-latest
diff --git a/ci/docker-run b/ci/docker-run
@@ -12,7 +12,7 @@ DOCKER_CONTAINER_NAME="test_${OS_TYPE##*/}_${OS_VERSION//./_}"
 set -x
 
 # start the container running systemd
-docker run --privileged -d -it -v "$(pwd):/build/src:rw" -e OS_TYPE=$OS_TYPE \
+docker run --privileged -d -it -v "$(pwd):/build/src:rw" \
   --name "$DOCKER_CONTAINER_NAME" "$DOCKER_HUB_URI" /usr/sbin/init
 RET=$?
 # leave some time for systemd network setup and interesting logs
diff --git a/ci/rpm-build b/ci/rpm-build
@@ -3,11 +3,19 @@
 
 # install dependencies
 
-dnf -y install git gpg golang wget
-dnf install -y rpm-build
-if [[ "$OS_TYPE" = rocky* ]] || [[ "$OS_TYPE" = alma* ]]; then
-    dnf install -y epel-release
+dnf -y install git gpg golang wget rpm-build
+. /etc/os-release
+OS_VERSION="${VERSION_ID%.*}"
+if [ "$OS_VERSION" -le 9 ]; then
+  dnf install -y epel-release
+  if [ "$OS_VERSION" == 8 ]; then
     dnf install -y epel-rpm-macros
+  else
+    dnf install -y rpmautospec-rpm-macros
+  fi
+fi
+if [ "$OS_VERSION" != 8 ]; then
+  dnf install -y go-rpm-macros
 fi
 
 # switch to an unprivileged user
@@ -23,7 +31,7 @@ su testuser -c '
   tar czhf openbao-rpm-$VERSION.tar.gz --exclude ".git*" openbao-rpm-$VERSION/
   mv openbao-rpm-$VERSION.tar.gz src
   cd src
-  DISTURL="`sed -n "s/^Source1: //p" openbao.spec|sed -e "s/%{name}/openbao/g" -e "s/%{package_version}/$VERSION/g"`"
+  DISTURL="`sed -n "s/^Source0: //p" openbao.spec|sed -e "s/%{name}/openbao/g" -e "s/%{package_version}/$VERSION/g"`"
   wget "$DISTURL"
   GOVERSION="`sed -n "s/%global go_version //p" openbao.spec`"
   GOURL="`sed -n "s/^Source2: //p" openbao.spec|sed "s/%{go_version}/$GOVERSION/"`"
diff --git a/make-spec b/make-spec
@@ -32,7 +32,7 @@ while IFS='' read -r LINE; do
     if [[ "$LINE" = *"bundled provides" ]]; then
         awk '{if (index($1, "/") != 0 && ($1 != "//")) {print "Provides: bundled(golang("$1")) = "$2}}' $GOMOD | sed -e 's/-/_/g' | sort | uniq
     elif [[ "$LINE" = "License:"* ]]; then
-        DISTURL="$(sed -n "s/^Source1: //p" $PKG.spec.in|sed -e "s/%{name}/$PKG/g" -e "s/%{package_version}/$VERSION/g")"
+        DISTURL="$(sed -n "s/^Source0: //p" $PKG.spec.in|sed -e "s/%{name}/$PKG/g" -e "s/%{package_version}/$VERSION/g")"
         DISTBALL="$(basename $DISTURL)"
         DIST="$(echo $DISTBALL|sed 's/\.tar.*//')"
         if [ ! -f "$DISTBALL" ]; then
diff --git a/openbao.spec b/openbao.spec
@@ -12,13 +12,28 @@ Release: %autorelease
 Summary: A tool for securely accessing secrets
 # See LICENSE for primary license
 # See LICENSE_DEPENDENCIES.md for bundled dependencies
+# CC0-1.0 is normally not permissible for code in Fedora. Because the vendored Go package
+# github.com/zeebo/blake3 it applies to has been available in Fedora as golang-github-zeebo-blake3
+# since before the cutoff date 2022-08-01, the exception to use it also applies here.
 License: MPL-2.0 AND AFL-2.0 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND ISC AND MIT
-Source0: https://github.com/opensciencegrid/%{name}-rpm/releases/download/v%{package_version}/%{name}-rpm-%{package_version}.tar.gz
-Source1: https://github.com/openbao/%{name}/releases/download/v%{package_version}/%{name}-dist-%{package_version}.tar.xz
+Source0: https://github.com/openbao/%{name}/releases/download/v%{package_version}/%{name}-dist-%{package_version}.tar.xz
+# This includes extra files to include in the package and is used as a
+# single branch to track changes to them and a place where checks can be
+# automated using github actions.
+Source1: https://github.com/opensciencegrid/%{name}-rpm/releases/download/v%{package_version}/%{name}-rpm-%{package_version}.tar.gz
 Patch0: goversion.patch
 
 BuildRequires: golang-bin
 BuildRequires: systemd-rpm-macros
+%if 0%{?el8}
+BuildRequires: epel-rpm-macros
+%endif
+%if 0%{?el9}
+BuildRequires: rpmautospec-rpm-macros
+%endif
+%if ! 0%{?el8}
+BuildRequires: go-rpm-macros
+%endif
 URL: https://openbao.org
 
 Provides: bundled(golang(cel.dev/expr)) = v0.24.0
@@ -392,8 +407,8 @@ Provides a compatibility layer on top of OpenBao to emulate a Hashicorp
 Vault package.
 
 %prep
-%setup -q -n %{name}-rpm-%{package_version}
-%setup -q -T -b 1 -n %{name}-dist-%{package_version}
+%setup -q -T -b 1 -n %{name}-rpm-%{package_version}
+%setup -q -n %{name}-dist-%{package_version}
 %autopatch
 
 %build
@@ -402,32 +417,46 @@ Vault package.
 # this prevents it from complaining that ui assets are too old
 touch http/web_ui/index.html
 
-GO_BUILD_MODE="-buildmode pie"
-GO_BUILD_GCFLAGS=
-GO_BUILD_LDFLAGS="-X github.com/%{name}/%{name}/version.fullVersion=%{version}-%{release}"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.GitCommit="
+GO_BUILDTAGS="ui"
+GO_LDFLAGS="-X github.com/%{name}/%{name}/version.fullVersion=%{version}-%{release}"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.GitCommit="
 BUILD_DATE="$(date -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%m-%d)"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.BuildDate=${BUILD_DATE}"
-GO_BUILD_LDFLAGS+=" -B gobuildid"
-GO_BUILD_TAGS="ui"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.BuildDate=${BUILD_DATE}"
+
+%if 0%{?el8} || "%{?go_debug}" != ""
+# Define the %%gobuild macro on el8 because it is outdated and doesn't work.
+# Also redefine it if %%go_debug is set for now, until %%gobuild is updated
+# to accept setting -gcflags.
 
-# These are from the %%gobuild macro which we can't use because it doesn't
-# allow for extra tags (nor extra gcflags for debug mode).
-GO_BUILD_TAGS+=" rpm_crashtraceback libtrust_openssl"
-GO_BUILD_LDFLAGS+=" -linkmode=external -compressdwarf=false"
-GO_BUILD_LDFLAGS+=" -extldflags '%__global_ldflags'"
+GO_LDFLAGS+=" -B gobuildid"
+GO_BUILDTAGS+=" rpm_crashtraceback libtrust_openssl"
+GO_LDFLAGS+=" -linkmode=external -compressdwarf=false"
+GO_LDFLAGS+=" -extldflags '%__global_ldflags'"
 
+GO_BUILD_GCFLAGS=
 %if "%{?go_debug}" != ""
 # add debugging & testing flags
 GO_BUILD_GCFLAGS="all=-N -l"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.VersionMetadata=testonly"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.VersionMetadata=testonly"
 # openbao documentation says testonly should not be used for production builds
-GO_BUILD_TAGS+=" testonly"
+GO_BUILDTAGS+=" testonly"
 %endif
 
-# instructions from https://openbao.org/docs/contributing/packaging/#ui-release
-# The ui is pre-prepared in the source distribution tarball
-go build ${GO_BUILD_MODE} -gcflags "${GO_BUILD_GCFLAGS}" -ldflags "${GO_BUILD_LDFLAGS}" -buildvcs=false -o bin/bao -tags "${GO_BUILD_TAGS}"
+%define gobuild(o:) go build -compiler gc -buildmode pie -ldflags "${GO_LDFLAGS}" -gcflags "${GO_BUILD_GCFLAGS}" -tags "${GO_BUILDTAGS}" %{?**}
+
+%else
+# Use more modern gobuild macro, which (except for el9) defaults to not use
+# go modules.  Enable go modules because otherwise it fails to find even
+# the openbao/openbao source.
+%global gomodulesmode GO111MODULE=on
+
+%if 0%{?el9}
+# the el9 gobuild macro only accepts LDFLAGS
+LDFLAGS=${GO_LDFLAGS}
+%endif
+%endif
+
+%gobuild -o bin/bao
 
 %install
 # starts out in %%{name}-dist-%%{package_version} directory
@@ -455,10 +484,12 @@ mkdir -p %{buildroot}%{_sysusersdir}
 cp %{name}.conf %{buildroot}%{_sysusersdir}/%{name}.conf
 
 %pre
+%if 0%{?el8}
 getent group %{name} > /dev/null || groupadd -r %{name}
 getent passwd %{name} > /dev/null || \
     useradd -r -d %{_sharedstatedir}/%{name} -g %{name} \
     -s /sbin/nologin -c "%{name} secrets manager" %{name}
+%endif
 
 %post
 setcap cap_ipc_lock=+ep %{_bindir}/bao
diff --git a/openbao.spec.in b/openbao.spec.in
@@ -12,13 +12,28 @@ Release: %autorelease
 Summary: A tool for securely accessing secrets
 # See LICENSE for primary license
 # See LICENSE_DEPENDENCIES.md for bundled dependencies
+# CC0-1.0 is normally not permissible for code in Fedora. Because the vendored Go package
+# github.com/zeebo/blake3 it applies to has been available in Fedora as golang-github-zeebo-blake3
+# since before the cutoff date 2022-08-01, the exception to use it also applies here.
 License: MPL-2.0
-Source0: https://github.com/opensciencegrid/%{name}-rpm/releases/download/v%{package_version}/%{name}-rpm-%{package_version}.tar.gz
-Source1: https://github.com/openbao/%{name}/releases/download/v%{package_version}/%{name}-dist-%{package_version}.tar.xz
+Source0: https://github.com/openbao/%{name}/releases/download/v%{package_version}/%{name}-dist-%{package_version}.tar.xz
+# This includes extra files to include in the package and is used as a
+# single branch to track changes to them and a place where checks can be
+# automated using github actions.
+Source1: https://github.com/opensciencegrid/%{name}-rpm/releases/download/v%{package_version}/%{name}-rpm-%{package_version}.tar.gz
 Patch0: goversion.patch
 
 BuildRequires: golang-bin
 BuildRequires: systemd-rpm-macros
+%if 0%{?el8}
+BuildRequires: epel-rpm-macros
+%endif
+%if 0%{?el9}
+BuildRequires: rpmautospec-rpm-macros
+%endif
+%if ! 0%{?el8}
+BuildRequires: go-rpm-macros
+%endif
 URL: https://openbao.org
 
 # This line gets replaced by bundled provides
@@ -42,8 +57,8 @@ Provides a compatibility layer on top of OpenBao to emulate a Hashicorp
 Vault package.
 
 %prep
-%setup -q -n %{name}-rpm-%{package_version}
-%setup -q -T -b 1 -n %{name}-dist-%{package_version}
+%setup -q -T -b 1 -n %{name}-rpm-%{package_version}
+%setup -q -n %{name}-dist-%{package_version}
 %autopatch
 
 %build
@@ -52,32 +67,46 @@ Vault package.
 # this prevents it from complaining that ui assets are too old
 touch http/web_ui/index.html
 
-GO_BUILD_MODE="-buildmode pie"
-GO_BUILD_GCFLAGS=
-GO_BUILD_LDFLAGS="-X github.com/%{name}/%{name}/version.fullVersion=%{version}-%{release}"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.GitCommit="
+GO_BUILDTAGS="ui"
+GO_LDFLAGS="-X github.com/%{name}/%{name}/version.fullVersion=%{version}-%{release}"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.GitCommit="
 BUILD_DATE="$(date -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%m-%d)"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.BuildDate=${BUILD_DATE}"
-GO_BUILD_LDFLAGS+=" -B gobuildid"
-GO_BUILD_TAGS="ui"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.BuildDate=${BUILD_DATE}"
+
+%if 0%{?el8} || "%{?go_debug}" != ""
+# Define the %%gobuild macro on el8 because it is outdated and doesn't work.
+# Also redefine it if %%go_debug is set for now, until %%gobuild is updated
+# to accept setting -gcflags.
 
-# These are from the %%gobuild macro which we can't use because it doesn't
-# allow for extra tags (nor extra gcflags for debug mode).
-GO_BUILD_TAGS+=" rpm_crashtraceback libtrust_openssl"
-GO_BUILD_LDFLAGS+=" -linkmode=external -compressdwarf=false"
-GO_BUILD_LDFLAGS+=" -extldflags '%__global_ldflags'"
+GO_LDFLAGS+=" -B gobuildid"
+GO_BUILDTAGS+=" rpm_crashtraceback libtrust_openssl"
+GO_LDFLAGS+=" -linkmode=external -compressdwarf=false"
+GO_LDFLAGS+=" -extldflags '%__global_ldflags'"
 
+GO_BUILD_GCFLAGS=
 %if "%{?go_debug}" != ""
 # add debugging & testing flags
 GO_BUILD_GCFLAGS="all=-N -l"
-GO_BUILD_LDFLAGS+=" -X github.com/%{name}/%{name}/version.VersionMetadata=testonly"
+GO_LDFLAGS+=" -X github.com/%{name}/%{name}/version.VersionMetadata=testonly"
 # openbao documentation says testonly should not be used for production builds
-GO_BUILD_TAGS+=" testonly"
+GO_BUILDTAGS+=" testonly"
 %endif
 
-# instructions from https://openbao.org/docs/contributing/packaging/#ui-release
-# The ui is pre-prepared in the source distribution tarball
-go build ${GO_BUILD_MODE} -gcflags "${GO_BUILD_GCFLAGS}" -ldflags "${GO_BUILD_LDFLAGS}" -buildvcs=false -o bin/bao -tags "${GO_BUILD_TAGS}"
+%define gobuild(o:) go build -compiler gc -buildmode pie -ldflags "${GO_LDFLAGS}" -gcflags "${GO_BUILD_GCFLAGS}" -tags "${GO_BUILDTAGS}" %{?**}
+
+%else
+# Use more modern gobuild macro, which (except for el9) defaults to not use
+# go modules.  Enable go modules because otherwise it fails to find even
+# the openbao/openbao source.
+%global gomodulesmode GO111MODULE=on
+
+%if 0%{?el9}
+# the el9 gobuild macro only accepts LDFLAGS
+LDFLAGS=${GO_LDFLAGS}
+%endif
+%endif
+
+%gobuild -o bin/bao
 
 %install
 # starts out in %%{name}-dist-%%{package_version} directory
@@ -105,10 +134,12 @@ mkdir -p %{buildroot}%{_sysusersdir}
 cp %{name}.conf %{buildroot}%{_sysusersdir}/%{name}.conf
 
 %pre
+%if 0%{?el8}
 getent group %{name} > /dev/null || groupadd -r %{name}
 getent passwd %{name} > /dev/null || \
     useradd -r -d %{_sharedstatedir}/%{name} -g %{name} \
     -s /sbin/nologin -c "%{name} secrets manager" %{name}
+%endif
 
 %post
 setcap cap_ipc_lock=+ep %{_bindir}/bao
