ood_packaging 0.0.1.r2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '08137cd4ccfc377bfd70ad3ef9f10b1af265f873397323848fab54c546ae0e5e'
+  data.tar.gz: d180ca4601d18558d9d37e607fb1ac5c27406d893709bd2cd1c837565140c834
+SHA512:
+  metadata.gz: 37002fb96167b8310a3cb42bd6a3d4980ba0410d96b8eb3921e44de456a481c2f6c07f6dfda1b02da960043e12bfa0b474eac4fc2dda89021c9f0ff04610e7ed
+  data.tar.gz: e93b9c5b83b07637220354dedf9b17acdabaee8f53c2b9225ff9ac4adf7034c4b10c94ed2497a468f516a7c393094d04df6ff5b4091802648597fa4948241f4a

data/bin/ood_packaging

@@ -0,0 +1,81 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'optparse'
+libdir = File.expand_path(File.join(__dir__, '../lib'))
+$LOAD_PATH.unshift(libdir) if Dir.exist?(libdir)
+require 'ood_packaging'
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: ood_packaging [options] package'
+
+  opts.on('-w', '--work=DIR', String, 'Work directory path') do |v|
+    options[:work_dir] = v
+  end
+
+  opts.on('-o', '--output=DIR', String, 'Output directory path') do |v|
+    options[:output_dir] = v
+  end
+
+  opts.on('-d', '--dist=DIST', String, 'Distribution to build') do |v|
+    options[:dist] = v
+  end
+
+  opts.on('-V', '--version=VERSION', String, 'Version of package to build') do |v|
+    options[:version] = v
+  end
+
+  opts.on('-T', '--tar', 'Create tar archive for package') do
+    options[:tar] = true
+  end
+
+  opts.on('-t', '--tar-only', 'Only create tar archive') do
+    options[:tar_only] = true
+  end
+
+  opts.on('-G', '--gpg-name', String, 'GPG key name') do |v|
+    options[:gpg_name] = v
+  end
+
+  opts.on('-g', '--gpg-pubkey', String, 'GPG public key path') do |v|
+    options[:gpg_pubkey] = v
+  end
+
+  opts.on('-S', '--skip-gpg', 'Skip GPG signing') do
+    options[:gpg_sign] = false
+  end
+
+  opts.on('--skip-clean-output', 'Skip clean up of output directory') do
+    options[:clean_output_dir] = false
+  end
+
+  opts.on('--skip-clean-work', 'Skip clean up of work directory') do
+    options[:clean_work_dir] = false
+  end
+
+  opts.on('-s', '--skip-download', 'Skip source download') do
+    options[:skip_download] = true
+  end
+
+  opts.on('-A', '--attach', 'Attach to build box after build') do
+    options[:attach] = true
+  end
+
+  opts.on('--debug', 'Show debug output') do
+    options[:debug] = true
+  end
+
+  opts.on('-h', '--help', 'Show this help message') do
+    puts opts
+    exit
+  end
+end.parse!(ARGV)
+
+if ARGV.size != 1
+  puts 'ERROR: Must provide package path'.red
+  exit 1
+end
+options[:package] = ARGV[0]
+
+OodPackaging::Package.new(options).run!

data/lib/ood_packaging/build.rb

@@ -0,0 +1,329 @@
+# frozen_string_literal: true
+
+require 'ood_packaging/utils'
+require 'ood_packaging/string_ext'
+require 'English'
+require 'rake'
+require 'rake/file_utils'
+require 'yaml'
+
+# Class to handle builds of packages from within buildbox container
+class OodPackaging::Build
+  include OodPackaging::Utils
+  include FileUtils
+
+  attr_accessor :build_box
+
+  def initialize
+    @build_box = OodPackaging::BuildBox.new(dist: ENV['DIST'])
+  end
+
+  def config
+    @config ||= begin
+      c = packaging_config
+      c.merge!(c[build_box.dist]) if c.key?(build_box.dist)
+      c.transform_keys(&:to_sym)
+    end
+  end
+
+  def package
+    ENV['PACKAGE']
+  end
+
+  def debug?
+    ENV['DEBUG'] == 'true'
+  end
+
+  def gpg_sign?
+    ENV['GPG_SIGN'] == 'true'
+  end
+
+  def version
+    ENV['VERSION']
+  end
+
+  def rpm_version
+    version.gsub(/^v/, '').split('-', 2)[0]
+  end
+
+  def rpm_release
+    v = version.split('-', 2)
+    return '1' if v.size < 2
+
+    v[1].gsub('-', '.')
+  end
+
+  def deb_version
+    version.gsub(/^v/, '').gsub('-', '.')
+  end
+
+  def rpm_defines
+    defines = ["--define 'git_tag #{version}'"]
+    defines.concat ["--define 'package_version #{rpm_version}'"]
+    defines.concat ["--define 'package_release #{rpm_release}'"]
+    defines.concat ["--define 'scl #{config[:scl]}'"] if config[:scl]
+    defines
+  end
+
+  def cmd_suffix
+    return '' if debug?
+
+    ' 2>/dev/null 1>/dev/null'
+  end
+
+  def spec_dir
+    @spec_dir ||= if Dir.exist?('/package/rpm')
+                    '/package/rpm'
+                  elsif Dir.exist?('/package/packaging/rpm')
+                    '/package/packaging/rpm'
+                  elsif Dir.exist?('/package/packaging')
+                    '/package/packaging'
+                  else
+                    '/package'
+                  end
+  end
+
+  def deb_build_dir
+    @deb_build_dir ||= if Dir.exist?('/package/deb/build')
+                         '/package/deb/build'
+                       else
+                         '/package/build'
+                       end
+  end
+
+  def debian_dir
+    @debian_dir ||= if Dir.exist?('/package/deb/debian')
+                      '/package/deb/debian'
+                    elsif Dir.exist?('/package/packaging/deb')
+                      '/package/packaging/deb'
+                    else
+                      '/package/debian'
+                    end
+  end
+
+  def deb_work_dir
+    File.join(work_dir, deb_name)
+  end
+
+  def spec_file
+    @spec_file ||= Dir["#{spec_dir}/*.spec"][0]
+  end
+
+  def output_dir
+    File.join('/output', build_box.dist)
+  end
+
+  def work_dir
+    File.join('/work', build_box.dist)
+  end
+
+  def packaging_config
+    @packaging_config ||= begin
+      path = File.join(spec_dir, 'packaging.yaml')
+      path = File.join(debian_dir, 'packaging.yaml') if build_box.deb?
+      if File.exist?(path)
+        YAML.load_file(path)
+      else
+        {}
+      end
+    end
+  end
+
+  def deb_name
+    "#{package}-#{deb_version}"
+  end
+
+  def rpms
+    @rpms ||= Dir["#{output_dir}/*.rpm"].grep_v(/.src.rpm$/)
+  end
+
+  def run!
+    fix_env!
+    env_dump! if debug?
+    bootstrap_rpm! if build_box.rpm?
+    bootstrap_deb! if build_box.deb?
+    install_dependencies!
+    rpmbuild! if build_box.rpm?
+    debuild! if build_box.deb?
+    copy_output!
+    gpg_sign! if build_box.rpm? && gpg_sign?
+    sanity!
+  end
+
+  def fix_env!
+    ENV.delete('GEM_PATH')
+  end
+
+  def env_dump!
+    ENV.sort.to_h.each_pair do |k, v|
+      puts "#{k}=#{v}"
+    end
+  end
+
+  def bootstrap_rpm!
+    puts '== Bootstrap RPM =='.blue
+    bootstrap_gpg! if gpg_sign?
+    if podman_runtime?
+      puts "\tBootstrap /root".blue
+      sh "cp -r #{ctr_rpmmacros} #{ctr_gpg_dir} /root/"
+      sh "sed -i 's|/home/ood|/root|g' /root/.rpmmacros"
+    end
+    puts "\tBootstrap work dir".blue
+    sh "mkdir -p #{work_dir}/{RPMS,SRPMS,SOURCES,SPECS,rpmbuild/BUILD}"
+    bootstrap_copy_source!
+    bootstrap_get_source!
+  end
+
+  def bootstrap_gpg!
+    puts "\tBootstrap GPG".blue
+    sh "sed -i 's|@GPG_NAME@|#{ENV['GPG_NAME']}|g' #{ctr_rpmmacros}"
+    sh "gpg --batch --passphrase-file #{gpg_passphrase} --import #{gpg_private_key}#{cmd_suffix}"
+    sh "sudo rpm --import #{ENV['GPG_PUBKEY']}#{cmd_suffix}" if ENV['GPG_PUBKEY']
+  end
+
+  def bootstrap_copy_source!
+    puts "\tCopy sources".blue
+    if build_box.rpm?
+      sh "find #{spec_dir} -maxdepth 1 -type f -exec cp {} #{work_dir}/SOURCES/ \\;"
+      sh "find #{spec_dir} -maxdepth 1 -mindepth 1 -type d -exec cp -r {} #{work_dir}/SOURCES/ \\;"
+    elsif build_box.deb?
+      sh "cp -a #{deb_build_dir}/* #{work_dir}/"
+    end
+  end
+
+  def bootstrap_get_source!
+    if ENV['SKIP_DOWNLOAD'] == 'true'
+      puts "\tSKIP_DOWNLOAD detected, skipping download sources".blue
+      return
+    end
+    output = `spectool #{rpm_defines.join(' ')} -l -R -S #{spec_file} 2>&1 | grep 'Source0:'`.strip
+    exit_code = $CHILD_STATUS.exitstatus
+    if exit_code.zero?
+      source = File.join(work_dir, 'SOURCES', File.basename(output))
+      tar = File.join(work_dir, 'SOURCES', ENV['TAR_NAME'])
+      sh "mv #{tar} #{source}" if !File.exist?(source) && File.exist?(tar)
+    end
+    puts "\tDownloading sources defined in #{spec_file}".blue
+    sh "spectool #{rpm_defines.join(' ')} -g -R -S #{spec_file}#{cmd_suffix}"
+  end
+
+  def bootstrap_deb!
+    puts '== Bootstrap DEB =='.blue
+    unless Dir.exist?(work_dir)
+      puts "\tCreating #{work_dir}".blue
+      sh "mkdir -p #{work_dir}"
+    end
+    bootstrap_copy_source!
+    puts "\tExtract source".blue
+    Dir.chdir(work_dir) do
+      sh "tar -xf #{deb_name}.tar.gz"
+    end
+    puts "\tBootstrap debian build files".blue
+    Dir.chdir(deb_work_dir) do
+      sh "dh_make -s -y --createorig -f ../#{deb_name}.tar.gz#{cmd_suffix} || true"
+      sh "dch -b -v #{deb_version} --controlmaint 'Release #{deb_version}'#{cmd_suffix}"
+    end
+  end
+
+  def install_dependencies!
+    puts '== Install Dependencies =='.blue
+    if build_box.rpm?
+      install_rpm_dependencies!
+    elsif build_box.deb?
+      install_deb_dependencies!
+    end
+  end
+
+  def install_rpm_dependencies!
+    cmd = ['sudo']
+    cmd.concat [build_box.package_manager, 'builddep'] if build_box.dnf?
+    cmd.concat ['yum-builddep'] if build_box.package_manager == 'yum'
+    cmd.concat ['-y']
+    cmd.concat rpm_defines
+    cmd.concat ['--spec'] if build_box.dnf?
+    cmd.concat [spec_file]
+    sh "#{cmd.join(' ')}#{cmd_suffix}"
+  end
+
+  def install_deb_dependencies!
+    sh "sudo apt update -y#{cmd_suffix}"
+    tool = [
+      'DEBIAN_FRONTEND=noninteractive apt-cudf-get --solver aspcud',
+      '-o APT::Get::Assume-Yes=1 -o APT::Get::Allow-Downgrades=1',
+      '-o Debug::pkgProblemResolver=0 -o APT::Install-Recommends=0'
+    ]
+    cmd = [
+      'mk-build-deps --install --remove --root-cmd sudo',
+      "--tool='#{tool.join(' ')}'"
+    ]
+    Dir.chdir(deb_work_dir) do
+      sh "#{cmd.join(' ')}#{cmd_suffix}"
+    end
+  end
+
+  def rpmbuild!
+    puts "== RPM build spec=#{spec_file} ==".blue
+    cmd = ['rpmbuild', '-ba']
+    cmd.concat rpm_defines
+    cmd.concat [spec_file]
+    sh "#{cmd.join(' ')}#{cmd_suffix}"
+  end
+
+  def debuild!
+    puts "== DEB build package=#{deb_work_dir} ==".blue
+    prepend_path = ''
+    prepend_path = "--prepend-path=#{config[:prepend_path]}" if config[:prepend_path]
+    Dir.chdir(deb_work_dir) do
+      sh "debuild --no-lintian --preserve-env #{prepend_path}#{cmd_suffix}"
+    end
+  end
+
+  def copy_output!
+    puts '== Copy output =='.blue
+    unless Dir.exist?(output_dir)
+      puts "\tCreating #{output_dir}".blue
+      sh "mkdir -p #{output_dir}"
+    end
+    if build_box.rpm?
+      puts "\tcopy #{work_dir}/**/*.rpm -> #{output_dir}/".blue
+      sh "find #{work_dir} -type f -name '*.rpm' -exec cp {} #{output_dir}/ \\;"
+    elsif build_box.deb?
+      puts "\tcopy #{work_dir}/*.deb #{output_dir}/".blue
+      sh "cp #{work_dir}/*.deb #{output_dir}/"
+    end
+  end
+
+  def gpg_sign!
+    puts '== GPG sign RPMs =='.blue
+    rpms.each do |rpm|
+      puts "\tGPG signing #{rpm}".blue
+      cmd = []
+      # Work around differences in RHEL
+      cmd.concat ['cat /dev/null | setsid'] unless build_box.dnf?
+      cmd.concat ['rpmsign', '--addsign', rpm]
+      sh "#{cmd.join(' ')}#{cmd_suffix}"
+    end
+  end
+
+  def sanity!
+    puts '== Sanity tests =='.blue
+    failure = false
+    if build_box.rpm? && gpg_sign?
+      rpms.each do |rpm|
+        puts "\tTest GPG signing #{rpm}".blue
+        output = `rpm -K #{rpm} 2>&1`
+        exit_code = $CHILD_STATUS.exitstatus
+        puts output if debug?
+        if exit_code != 0
+          puts "\tGPG check failure: exit code #{exit_code}".red
+          failure = true
+        end
+        if output !~ /(pgp|OK)/
+          puts "\tRPM not GPG signed".red
+          failure = true
+        end
+      end
+    end
+    exit 1 if failure
+  end
+end

data/lib/ood_packaging/build_box/docker-image/Dockerfile.erb

@@ -0,0 +1,39 @@
+FROM <%= base_image %>
+MAINTAINER Trey Dockendorf <tdockendorf@osc.edu>
+ENV LANG=en_US.UTF-8
+ENV LC_CTYPE=en_US.UTF-8
+ENV USER=<%= ctr_user %>
+ENV GEM_PATH=<%= ctr_gems_dir %>:
+<% if scl? -%>
+RUN yum update -y && yum clean all && rm -rf /var/cache/yum/*
+RUN yum install -y yum-utils epel-release centos-release-scl && yum clean all && rm -rf /var/cache/yum/*
+RUN yum install -y <%= scl_ruby %>-ruby sudo which wget @buildsys-build \
+    rpm-build rpmdevtools rpm-sign scl-utils-build && \
+    yum clean all && rm -rf /var/cache/yum/*
+RUN rm -f /etc/yum.repos.d/CentOS-Vault.repo /etc/yum.repos.d/CentOS-Sources.repo
+RUN head -n 13 /etc/yum.repos.d/CentOS-SCLo-scl.repo > /etc/yum.repos.d/CentOS-SCLo.repo
+RUN head -n 13 /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo >> /etc/yum.repos.d/CentOS-SCLo.repo
+RUN rm -f /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo /etc/yum.repos.d/CentOS-SCLo-scl.repo
+<% elsif dnf? -%>
+RUN dnf update -y && dnf clean all && rm -rf /var/cache/dnf/*
+RUN dnf install -y dnf-utils epel-release langpacks-en glibc-all-langpacks && dnf clean all && rm -rf /var/cache/dnf/*
+RUN dnf config-manager --set-enabled powertools && dnf clean all && rm -rf /var/cache/dnf/*
+RUN dnf module enable -y ruby:<%= ruby_version %> nodejs:<%= nodejs_version %> && dnf clean all && rm -rf /var/cache/dnf/*
+RUN dnf install -y systemd ruby nodejs sudo which wget \
+    gcc-c++ gcc make patch \
+    rpm-build rpmdevtools rpm-sign scl-utils-build && \
+    dnf clean all && rm -rf /var/cache/dnf/*
+<% elsif deb? -%>
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt update -y && apt upgrade -y && apt clean all -y
+RUN apt update -y && apt install -y locales && locale-gen $LANG && \
+    apt clean all -y
+RUN apt update -y && apt install -y apt-transport-https ca-certificates \
+    init debhelper devscripts dh-make build-essential apt-cudf lintian equivs \
+    sudo rake wget curl ruby bundler && \
+    apt clean all -y
+RUN echo "deb https://deb.nodesource.com/node_<%= nodejs_version %>.x <%= codename %> main" > /etc/apt/sources.list.d/nodesource.list
+RUN curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nodesource.gpg
+<% end -%>
+COPY . /build
+RUN /bin/bash /build/install.sh

data/lib/ood_packaging/build_box/docker-image/RPM-GPG-KEY-ondemand

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFqB7y4BCADA2233uSAJC9EG3MM2EmmDjKCDy8Q9w3D1g48/roBUvONLveac
+sx+rCSbP9Oc6sRJdxkQwppKKxKTwP5zGUGZto3wacaw2hTVfA7xFUfgcfZn3b0Az
+fSTR2FlTnJ35THO1MkVNv/55D+qBOoEhrAGeUdB7TMGp9y+A6eHRYa0UdxY/rccY
+xvz2oQOD6BH2s7IzLNUVLOifiu9Nrk213dghKOZjYwWERrpXj/EryuLm7wpKN349
+pixk6zP4SIKj0L4HTwMqEcTCAxBKfidmUQ+JILvTRlTCItFPTcXJxqSI6jVA6Iu0
+sZlO3XolEVdeGXL0MVjHVIpNZrV7vnTUFWPrABEBAAG0L09uRGVtYW5kIFJlbGVh
+c2UgU2lnbmluZyBLZXkgPHBhY2thZ2VzQG9zYy5lZHU+iQE5BBMBAgAjBQJage8u
+AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQS3L+K5LTF1UQzgf5AQ8Q
+Fy6JhxYaa56FHALiYCKJn+YHSbI4uZE6umpnV/14lU2Timw/xwNiH2ndlnl3a8be
+NcYPYkX+7T5nWQty7YK3aIEEMeMY/I8Cb0RKaCoJwETbu9u4dKguAy19fj0h0jGC
+v0lrBHNWfv572pr+TOcdVP2CFyfHybl6MvWFshM5mUxSeMItSa8KDVaWfZiPHzQe
+YrL4ZcWvqLfBK/m8alvggg9zaOIyDKM30lbil66pY/rbveQyGW7SbpxiUh1rNsV4
+aQOAVJRQC+uJn44OeTuB9nRR5nFLA70i+MtPbQNd3QiOHxuZN7c4sLkvmQslf1HZ
+7XoiYp0GlWMoI+YVXrkBDQRage8uAQgAut5ko4fkPkBfldawTCvTxnxnoa14RVwy
+3PcKxhaPmvHzdSjqquYYktgHIIGs8/UOrsFNPdHU6x02v0psaMwL8JX6JqFypPri
+YltdXNU/NqlImzfBOkHnAhDiIEI/j34LkEpXhUCmJzeTGAu8wXS3tgx4cHgbfycg
+MjmX7QBNghDzC3S+3Kt7wG4pNRlwyFd8r46CL5Yc6+UE9oNvnHdCy3W6OwCYCgXd
+919Bsf2Lpy1jGWV3YEiFgYv+pmF0T56vD1Rz+KbIhDEzQ4f/Q0dBZpcjZzQtSJQR
+Wh5LX/8JzK0l3PrWOrVmW1GmKQ1DPIkAT2iR35ydgEbi/wuk+izeyQARAQABiQEf
+BBgBAgAJBQJage8uAhsMAAoJEEty/iuS0xdVPtUH/16Kd1xX3PSGzOFatNJvfOR5
+5oCuVqMLm4sFXdrp0Spnn2B7Dx58jL0slwtWMh6xdtD/CKH/ihnM/um3h5JT0EvE
+9XTBfXwOkKgtdxgrHVeoT8gYNaw/0/kIlPavK5QviSNA64qUdFUvtg01FeyKmZ/R
+jaRKJZUy+orHYZLo41uj7iGA5Op4gL70ydTnnYFcCb/eLOuGKci1yUzchjxY6YAa
+9/ZHhpAqcKsIqZWpzLimLTTH2E43YYVbRcyP9Csfm7qFG8m7RwjXdbquzfkMkujq
+weYYi8Av2oajeR3NLoVvCPP2R3yT1YtDCuMRP8Pe4q9gmh7WKwdr38f6/an4VSI=
+=uztj
+-----END PGP PUBLIC KEY BLOCK-----

data/lib/ood_packaging/build_box/docker-image/Rakefile

@@ -0,0 +1,3 @@
+require 'ood_packaging/tasks'
+
+task :default => 'ood_packaging:package:build'

data/lib/ood_packaging/build_box/docker-image/inituidgid.sh.erb

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Changes the '<%= ctr_user %>' user's UID and GID to the values specified
+# in $OOD_UID and $OOD_GID.
+set -e
+set -o pipefail
+if [[ "$DEBUG" == "true" ]]; then
+  set -x
+fi
+
+chown -R "$OOD_UID:$OOD_GID" <%= ctr_home %>
+groupmod -o -g "$OOD_GID" <%= ctr_user %>
+usermod -o -u "$OOD_UID" -g "$OOD_GID" <%= ctr_user %> 2>/dev/null 1>/dev/null
+
+set +e
+SCL_SOURCE="$(command -v scl_source)"
+[[ "${SCL_SOURCE}" ]] && source "${SCL_SOURCE}" enable "<%= scl_ruby %>" &> /dev/null
+set -e
+
+if [[ $# -gt 0 ]]; then
+	exec "$@"
+fi

data/lib/ood_packaging/build_box/docker-image/install.sh.erb

@@ -0,0 +1,88 @@
+#!/bin/bash
+set -e
+
+function header()
+{
+	echo
+	echo "----- $@ -----"
+}
+
+function run()
+{
+	echo "+ $@"
+	"$@"
+}
+
+export HOME=/root
+
+<% if rpm? -%>
+header "Add OnDemand build repo"
+cat > /etc/yum.repos.d/ondemand-web.repo <<EOF
+[ondemand-web]
+name=Open OnDemand Web Repo
+baseurl=https://yum.osc.edu/ondemand/build/<%= ondemand_repo_version %>/web/el\$releasever/\$basearch/
+enabled=1
+gpgcheck=0
+EOF
+run rpm --import /build/RPM-GPG-KEY-ondemand
+<% end -%>
+
+header "Creating users"
+run groupadd <%= ctr_user %>
+run useradd --home-dir <%= ctr_home %> --create-home --gid <%= ctr_user %> --password '<%= ctr_user %>' <%= ctr_user %>
+
+header "Add sudo"
+cat > /etc/sudoers.d/ood <<EOF
+Defaults:<%= ctr_user %> !requiretty, !authenticate
+%<%= ctr_user %> ALL=NOPASSWD:ALL
+EOF
+run chmod 440 /etc/sudoers.d/ood
+
+<% if rpm? -%>
+header "Setup RPM env"
+sudo -u <%= ctr_user %> -H cat > <%= ctr_rpmmacros %> <<EOF
+%_topdir /work/<%= dist %>
+<%- # Workaround to weird issue with debuginfo stripping -%>
+<% if dist == 'el7' -%>
+%_builddir %{_topdir}/rpmbuild/BUILD
+<% end -%>
+%_signature gpg
+%_gpg_path <%= ctr_gpg_dir %>
+%_gpg /usr/bin/gpg
+%_gpg_name @GPG_NAME@
+# Modified macro from /usr/lib/rpm/macros to add pinentry-mode and passphrase-file
+# pinentry-mode only needed on EL8
+%__gpg_check_password_cmd       %{__gpg} \\
+        gpg --batch --no-verbose --passphrase-file <%= gpg_passphrase %> -u "%{_gpg_name}" -so -
+%__gpg_sign_cmd %{__gpg} \\
+        gpg --no-verbose --no-armor --batch \\
+<%- if dnf? -%>
+        --pinentry-mode loopback \\
+<%- end -%>
+        --passphrase-file <%= gpg_passphrase %> \\
+        %{?_gpg_sign_cmd_extra_args:%{_gpg_sign_cmd_extra_args}} \\
+        %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \\
+	      --no-secmem-warning \\
+        -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}
+EOF
+<% end -%>
+<%- if dnf? -%>
+run install -d -m 0700 -o ood -g ood <%= ctr_gpg_dir %>
+echo "allow-loopback-pinentry" >> <%= ctr_gpg_dir %>/gpg-agent.conf
+<%- end -%>
+
+header "Install ood_packaging gem"
+<%- if scl? -%>
+run scl enable <%= scl_ruby %> -- gem install --no-doc --bindir <%= ctr_scripts_dir %> --install-dir <%= ctr_gems_dir %> /build/*.gem
+<%- else -%>
+run gem install --no-doc --bindir <%= ctr_scripts_dir %> --install-dir <%= ctr_gems_dir %> /build/*.gem
+<%- end -%>
+
+header "Copy in launch scripts"
+run mkdir -p <%= ctr_scripts_dir %>
+run install -m 0755 /build/inituidgid.sh <%= ctr_scripts_dir %>/
+run install -m 0755 /build/setuser.rb <%= ctr_scripts_dir %>/
+run install -m 0644 /build/Rakefile <%= ctr_scripts_dir %>/
+
+header "Cleaning up"
+run rm -rf /build

data/lib/ood_packaging/build_box/docker-image/setuser.rb

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'etc'
+
+username = ARGV[0]
+user = Etc.getpwnam(username)
+
+Process.initgroups(username, user.gid)
+Process::Sys.setgid(user.gid)
+Process::Sys.setuid(user.uid)
+
+ENV['USER'] = user.name
+ENV['HOME'] = user.dir
+
+exec(ARGV.drop(1).join(' '))