Software on the gnome.org servers

As much as possible, software on the gnome.org servers should be packaged (as rpms, debs, or whatever is appropriate for the server's distribution). And as much as possible, the packaged software should be standard packages for the distribution.

Most of the gnome.org servers are currently installed with RHEL5. In addition to the basic RHEL 5 packages, we also consider packages from EPEL to be "standard" packages.

Local Packages

However, sometimes we need software that isn't in a standard package. This might be because the software just isn't packaged for the relevant distro, or it might be because the software is too old. (Currently there are random packages from different 3rd party repos installed on some of the servers with little reproducibility. The below is what we are doing moving forward.)

Warning: If we install a local package, WE WILL NOT GET AUTOMATIC SECURITY UPDATES.

Policy: no third-party binary packages. We should not configure any external repositories in the yum configuration for the server, even if they are relatively trusted. We should not download and install binary packages from 3rd party repositories, even relatively trusted ones. Any non-standard packages need to be rebuilt from source.

We have a yum repo for locally built packages at http://container-back/cobbler/repo_mirror/gnome-el5-$basearch. On machines where we are managing the local config through /Puppet, this repo is added to the machine's configuration, and you can reference the packages from the puppet configuration. On other machines, you can install packages manually out of /home/admin/pkgs. (Eventually, we want all machines to be puppet managed.)

How to build

For our RHEL machines. This assumes you know a fair bit about RPM packaging.

  • By preference, start with the latest packages from Fedora, or upgrade the package from RHEL.
  • Build on container.gnome.org for i386 and fixed.gnome.org for x86_64
  • Build in your home directory. Create a ~/.rpmmacros file as follows, then create the ~/src/redhat/{SRPMS,RPMS/{i386,x86_64},SPECS,SOURCES,BUILD} structure in your home directory

%_topdir            /home/users/otaylor/src/redhat
%packager John Doe <john@example.com>
  • Build with:

rpmbuild -ba mypackage.spec --define 'dist el5.gnome'
  • Copy the resulting SRPM and binary packages to /home/admin/pkgs/el/{<arch>,SRPMS}

  • On container.gnome.org, run 'cobbler reposync' as root to regenerate the yum repo.
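The steps above, wrapped in a POSIX shell script as an added example (this is not a script from the GNOME sysadmin team or from this page). It assumes rpmbuild is installed on the build host, uses the ~/src/redhat tree and the /home/admin/pkgs/el layout from the steps above, and takes the spec file to build as its only argument; the packager name is a placeholder. The final 'cobbler reposync' step still has to be run as root on container.gnome.org by hand.

```shell
#!/bin/sh
# Added example, not from the gnome.org wiki: build a local package and
# drop the results where the repo mirror picks them up.
set -eu

TOPDIR="${TOPDIR:-$HOME/src/redhat}"          # rpmbuild tree from the page
PKG_DIR="${PKG_DIR:-/home/admin/pkgs/el}"     # shared package directory from the page

# Create the rpmbuild tree the page describes; RPMS has per-arch subdirectories.
make_rpm_tree() {
    topdir="$1"
    for d in SRPMS RPMS/i386 RPMS/x86_64 SPECS SOURCES BUILD; do
        mkdir -p "$topdir/$d"
    done
}

# Write an .rpmmacros file pointing rpmbuild at that tree ('%%' is a literal '%').
write_rpmmacros() {
    macros="$1"; topdir="$2"; packager="$3"
    printf '%%_topdir %s\n%%packager %s\n' "$topdir" "$packager" > "$macros"
}

# Map a built package file name to its subdirectory under /home/admin/pkgs/el:
# foo-1.0-1.el5.gnome.src.rpm -> SRPMS, foo-1.0-1.el5.gnome.x86_64.rpm -> x86_64.
dest_subdir() {
    stem="${1%.rpm}"
    arch="${stem##*.}"
    if [ "$arch" = src ]; then echo SRPMS; else echo "$arch"; fi
}

# Build with the el5.gnome dist tag; the tag ends up in the Release field,
# which is how locally built packages can be told apart from RHEL/EPEL ones later.
build_spec() {
    spec="$1"
    rpmbuild -ba "$spec" --define 'dist el5.gnome'
}

# Copy every built SRPM and binary RPM into the shared package directory.
install_results() {
    topdir="$1"; pkgdir="$2"
    find "$topdir/SRPMS" "$topdir/RPMS" -name '*.rpm' | while read -r f; do
        sub=$(dest_subdir "$(basename "$f")")
        mkdir -p "$pkgdir/$sub"
        cp "$f" "$pkgdir/$sub/"
    done
}

# Usage: ./build-local.sh mypackage.spec
if [ -n "${1:-}" ]; then
    make_rpm_tree "$TOPDIR"
    # Do not clobber an existing ~/.rpmmacros; placeholder packager name.
    [ -e "$HOME/.rpmmacros" ] || write_rpmmacros "$HOME/.rpmmacros" "$TOPDIR" "John Doe <john@example.com>"
    build_spec "$1"
    install_results "$TOPDIR" "$PKG_DIR"
    echo "Now run 'cobbler reposync' as root on container.gnome.org to regenerate the yum repo."
fi
```

Keeping the dist tag on every local build is what makes the later security-tracking problem tractable: anything whose Release ends in .el5.gnome is known not to receive vendor security updates and can be listed on any host with rpm -qa.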

TODO

  • Move to building in mock. Building on a production server is bad for reproducibility. It would be good to have mock set up for x86_64 and i386 builds on a single server.
  • Version control. Would be nice to version control the spec files we use to build local packages.
  • Figure out some way to index our set of local packages against announced security vulnerabilities and flag where we need action.
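A starting point for the last item, added here as an example (not from this page or the gnome.org sysadmin tooling): because local builds use --define 'dist el5.gnome', their Release field ends in .el5.gnome, so rpm -qa output can be filtered down to exactly the packages that get no vendor security updates and joined against an advisory list by package name. The inventory lines and the advisory list below are constructed samples with placeholder advisory ids; the real inventory would come from rpm -qa on each host, and the advisory feed is something the team would still have to supply.

```shell
#!/bin/sh
# Added example, not from the gnome.org wiki: flag locally built packages
# that appear in an advisory list. Space-separated fields throughout.
set -eu

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE_INVENTORY='openssl 0.9.8e 22.el5
mypackage 1.2 3.el5.gnome
libfoo 2.0 1.el5.gnome'

# Constructed advisory list: NAME ADVISORY-ID per line (ids are placeholders).
SAMPLE_ADVISORIES='libfoo ADVISORY-PLACEHOLDER-1
openssl ADVISORY-PLACEHOLDER-2'

# Filter inventory lines (on stdin) to packages whose Release carries the
# el5.gnome dist tag, i.e. the ones built locally and not updated by RHEL/EPEL.
local_packages() {
    awk '$3 ~ /\.el5\.gnome$/ { print $1, $2, $3 }'
}

# Join the local packages against the advisory list by package name.
# Prints: NAME VERSION-RELEASE ADVISORY-ID for every match.
flag_local_advisories() {
    inventory="$1"; advisories="$2"
    printf '%s\n' "$inventory" | local_packages | awk -v adv="$advisories" '
        BEGIN {
            n = split(adv, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); ids[f[1]] = f[2] }
        }
        ($1 in ids) { print $1, $2 "-" $3, ids[$1] }'
}

# Usage on a real host (advisory list supplied by the team):
#   flag_local_advisories "$(rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n')" "$(cat advisories.txt)"
flag_local_advisories "$SAMPLE_INVENTORY" "$SAMPLE_ADVISORIES"
```

On the constructed sample only libfoo is reported: openssl is in the advisory list but is a stock RHEL package that yum will update on its own, and mypackage is local but has no advisory. Matching by name alone over-reports (a fixed version may already be installed), so the next refinement would be a version comparison against the advisory's fixed version.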

Infrastructure/Archive/Software (last edited 2020-11-04 13:57:35 by AndreaVeri)