This post is mostly to serve as a reminder to myself on how to build the subscription-manager RPMs for Oracle Linux using a clone of the upstream source repository from GitHub and the official Oracle Linux container images.

Oracle Linux 7

To verify the current release version of subscription-manager upstream, run

$ docker run --rm -it registry.access.redhat.com/ubi7/ubi repoquery --nvr subscription-manager
subscription-manager-1.24.45-1.el7_9

Run docker build -t build-rhsm:ol7 . with the following Dockerfile:

FROM oraclelinux:7-slim

RUN yum -y install oracle-epel-release-el7 oracle-nodejs-release-el7 \
    && yum -y --enablerepo=ol7_optional_latest install @buildsys-build tito rpm-build rpm-sign nodejs which expect \
    && rm -rf /var/cache/yum \
    && npm install -g yarn \
    && rpmdev-setuptree

COPY build-rhsm.sh rpm-sign.exp /
RUN chmod +x /build-rhsm.sh /rpm-sign.exp

CMD ["/build-rhsm.sh"]

Using the following build-rhsm.sh script:

#!/bin/bash

# Import GPG key and trust it
gpg --import --passphrase-file /gpg/passphrase < /gpg/key.asc
(echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets < /gpg/key.asc | awk '$1=="keyid:"{print$2;exit}')" trust

# Clone the git repo
cd /root || exit
git clone https://github.com/candlepin/subscription-manager.git

# Build the SRPM using tito
cd subscription-manager || exit
tito build --tag subscription-manager-1.24.45-1 --srpm --dist=.el7 --offline
cp /tmp/tito/*.src.rpm /root/rpmbuild/SRPMS/

# Build the binary RPMs
cd /root/rpmbuild || exit
yum-builddep -y --enablerepo=ol7_optional_latest SRPMS/subscription-manager-1.24.45-1.el7.src.rpm
rpmbuild --rebuild SRPMS/subscription-manager-1.24.45-1.el7.src.rpm

# Sign the binary RPMs
echo "%_gpg_name Avi Miller <me@dje.li>" >> /root/.rpmmacros
find /root/rpmbuild/RPMS -name '*.rpm' -exec /rpm-sign.exp {} \;

# Copy the RPMs to the output location
mkdir -p /output/oraclelinux7
cp -r /root/rpmbuild/RPMS/* /output/oraclelinux7/

And rpm-sign.exp script:

#!/usr/bin/expect -f
spawn rpmsign --addsign {*}$argv
expect -exact "Enter pass phrase: "
send -- "[read [open /gpg/passphrase r]]"
expect eof

Export and concatenate your private and public GPG keys into gpg/key.asc and put the passphrase in gpg/passphrase. Create an output/ folder as well.

Then, run a container using that image:

docker run --rm -it -v "${PWD}/gpg:/gpg" -v "${PWD}/output:/output" build-rhsm:ol7

If all goes well, output/oraclelinux7/ will contain signed binary RPMs.

Oracle Linux 8

To verify the current release version of subscription-manager upstream, run

$ docker run --rm -it registry.access.redhat.com/ubi8/ubi dnf --quiet repoquery --nvr subscription-manager
subscription-manager-1.27.16-1.el8

Run docker build -t build-rhsm:ol8 . with the following Dockerfile:

FROM oraclelinux:8-slim

RUN microdnf install dnf dnf-plugins-core \
    && echo > /etc/dnf/vars/ociregion \
    && dnf config-manager --enable ol8_codeready_builder ol8_distro_builder \
    && dnf config-manager  --setopt=tsflags=nodocs --save \
    && dnf -y module install nodejs \
    && dnf -y install oracle-epel-release-el8 \
    && dnf -y groups install "Development Tools" \
    && dnf -y install tito which \
    && dnf -y remove java-1.8.0-openjdk-headless-1.8.0.275.b01-1.el8_3.x86_64 'urw*' \
    && dnf -y clean all \
    && npm install -g yarn \
    && rpmdev-setuptree

COPY build-rhsm.sh /
RUN chmod +x /build-rhsm.sh

CMD ["/build-rhsm.sh"]

Using this build-rhsm.sh script:

#!/bin/bash

# Import and trust the GPG key
gpg --import --pinentry-mode loopback --passphrase-file /gpg/passphrase < /gpg/key.asc
(echo 5; echo y; echo save) | gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(gpg --list-packets < /gpg/key.asc | awk '$1=="keyid:"{print$2;exit}')" trust

# Clone the repo
cd /root || exit
git clone https://github.com/candlepin/subscription-manager.git

# Use tito to build the source RPM
cd /root/subscription-manager || exit
tito build --tag=subscription-manager-1.27.16-1 --srpm --dist=.el8 --offline
cp /tmp/tito/*.src.rpm /root/rpmbuild/SRPMS/

# Use rpmbuild to build and sign the binary RPMs
cd /root/rpmbuild || exit
cat << EOF >> /root/.rpmmacros

%_gpg_sign_cmd_extra_args  --batch --pinentry-mode loopback --passphrase-file /gpg/passphrase
%_gpg_name Avi Miller <me@dje.li>
EOF

dnf builddep -y SRPMS/subscription-manager-1.27.16-1.el8.src.rpm
rpmbuild --rebuild --sign SRPMS/subscription-manager-1.27.16-1.el8.src.rpm

# Copy the RPMs to the output location
mkdir -p /output/oraclelinux8
cp -r /root/rpmbuild/RPMS/* /output/oraclelinux8/

Export your private and public GPG keys to gpg/key.asc and put the passphrase in gpg/passphrase. Create an output/ folder as well.

Then, run a container using that image:

docker run --rm -it -v "${PWD}/gpg:/gpg" -v "${PWD}/output:/output" build-rhsm:ol8

If all goes well, output/oraclelinux8/ should contain the binary RPMs signed with the GPG key.
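
To confirm the result for either release, the following added example (not part of the original post) reads the header signature recorded in each built RPM and compares its key ID with the one you expect. The function names and the script name are made up for this example, and it assumes rpm is available wherever you run it.

```shell
#!/bin/sh
# Added example, not from the original post: flag built RPMs that are unsigned
# or signed by a key other than the expected one.

# classify_sigs KEYID
# Reads "rsa-sig|dsa-sig|path" lines on stdin (as emitted by check_rpm_dir) and
# prints "OK|UNSIGNED|WRONGKEY path" per package. KEYID is the 16-hex-digit
# long key ID or the full fingerprint. Returns 1 if any package is not OK.
classify_sigs() {
    cs_want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    cs_bad=0
    while IFS='|' read -r cs_rsa cs_dsa cs_path; do
        cs_sig=$cs_rsa
        [ "$cs_sig" = "(none)" ] && cs_sig=$cs_dsa
        case $cs_sig in
            "(none)"|"") cs_state=UNSIGNED ;;
            *)  # pgpsig renders as "RSA/SHA256, <date>, Key ID <16 hex digits>"
                cs_state=WRONGKEY
                cs_id=$(printf '%s' "${cs_sig##*Key ID }" | tr 'A-F' 'a-f')
                # OK only if a full 16-digit ID is a suffix of the expected key
                if [ "${#cs_id}" -eq 16 ] && [ "${cs_want%"$cs_id"}" != "$cs_want" ]; then
                    cs_state=OK
                fi ;;
        esac
        [ "$cs_state" = OK ] || cs_bad=1
        echo "$cs_state $cs_path"
    done
    return "$cs_bad"
}

# check_rpm_dir DIR KEYID: query the header signature tags of every RPM in DIR.
check_rpm_dir() {
    find "$1" -type f -name '*.rpm' | while IFS= read -r crd_f; do
        crd_sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}' \
            "$crd_f" 2>/dev/null) || crd_sig='(none)|(none)'
        printf '%s|%s\n' "$crd_sig" "$crd_f"
    done | classify_sigs "$2"
}

# Runs only when given arguments, e.g. (script name is hypothetical):
#   ./check-sigs.sh output/oraclelinux8 <long key ID of your signing key>
if [ "$#" -eq 2 ]; then
    check_rpm_dir "$1" "$2"
fi
```

This only reads the key ID stored in each package; for a cryptographic check, import the public key with rpm --import and run rpm -K on the files.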