Improve flexibility of release scripts
| ... | ... |
@@ -15,6 +15,7 @@ set -e |
| 15 | 15 |
# ... and so on and so forth for the builds created by hack/make/build-deb |
| 16 | 16 |
|
| 17 | 17 |
: ${DOCKER_RELEASE_DIR:=$DEST}
|
| 18 |
+: ${GPG_KEYID:=releasedocker}
|
|
| 18 | 19 |
APTDIR=$DOCKER_RELEASE_DIR/apt/repo |
| 19 | 20 |
|
| 20 | 21 |
# setup the apt repo (if it does not exist) |
| ... | ... |
@@ -111,7 +112,7 @@ for dir in contrib/builder/deb/*/; do |
| 111 | 111 |
# dpkg-sign before copying the deb into the pool |
| 112 | 112 |
if [ ! -z "$GPG_PASSPHRASE" ]; then |
| 113 | 113 |
dpkg-sig -g "--passphrase $GPG_PASSPHRASE" \ |
| 114 |
- -k releasedocker --sign builder "${DEBFILE[@]}"
|
|
| 114 |
+ -k "$GPG_KEYID" --sign builder "${DEBFILE[@]}"
|
|
| 115 | 115 |
fi |
| 116 | 116 |
|
| 117 | 117 |
# add the deb for each component for the distro version into the pool |
| ... | ... |
@@ -16,6 +16,7 @@ set -e |
| 16 | 16 |
|
| 17 | 17 |
: ${DOCKER_RELEASE_DIR:=$DEST}
|
| 18 | 18 |
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo |
| 19 |
+: ${GPG_KEYID:=releasedocker}
|
|
| 19 | 20 |
|
| 20 | 21 |
# manage the repos for each distribution separately |
| 21 | 22 |
distros=( fedora centos opensuse oraclelinux ) |
| ... | ... |
@@ -53,15 +54,15 @@ for distro in "${distros[@]}"; do
|
| 53 | 53 |
# sign the rpms before adding to repo |
| 54 | 54 |
if [ ! -z $GPG_PASSPHRASE ]; then |
| 55 | 55 |
# export our key to rpm import |
| 56 |
- gpg --armor --export releasedocker > /tmp/gpg |
|
| 56 |
+ gpg --armor --export "$GPG_KEYID" > /tmp/gpg |
|
| 57 | 57 |
rpm --import /tmp/gpg |
| 58 | 58 |
|
| 59 | 59 |
# sign the rpms |
| 60 | 60 |
echo "yes" | setsid rpm \ |
| 61 |
- --define '_gpg_name releasedocker' \ |
|
| 62 |
- --define '_signature gpg' \ |
|
| 63 |
- --define '__gpg_check_password_cmd /bin/true' \ |
|
| 64 |
- --define '__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u "%{_gpg_name}" --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}' \
|
|
| 61 |
+ --define "_gpg_name $GPG_KEYID" \ |
|
| 62 |
+ --define "_signature gpg" \ |
|
| 63 |
+ --define "__gpg_check_password_cmd /bin/true" \ |
|
| 64 |
+ --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
|
|
| 65 | 65 |
--resign "${RPMFILE[@]}"
|
| 66 | 66 |
fi |
| 67 | 67 |
|
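Review bot: The rewritten export on new line 56 still writes the public key to the fixed path `/tmp/gpg`, a predictable name in a shared directory that another local user could pre-create, so the `rpm --import /tmp/gpg` on line 57 may import something other than the key just exported. Prefer a private temporary file: `keyfile=$(mktemp)` before the loop, then `gpg --armor --export "$GPG_KEYID" > "$keyfile"` and `rpm --import "$keyfile"`, removed when the script exits. The rewritten `__gpg_sign_cmd` on line 64 also keeps `$GPG_PASSPHRASE` inside the command line rpm hands to gpg, where it is visible in process listings; gpg's `--passphrase-fd`/`--passphrase-file` would keep it out of argv. The `for distro` loop this hunk sits in starts outside the hunk.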
| ... | ... |
@@ -4,6 +4,7 @@ |
| 4 | 4 |
# with a designated GPG key. |
| 5 | 5 |
|
| 6 | 6 |
: ${DOCKER_RELEASE_DIR:=$DEST}
|
| 7 |
+: ${GPG_KEYID:=releasedocker}
|
|
| 7 | 8 |
APTDIR=$DOCKER_RELEASE_DIR/apt/repo |
| 8 | 9 |
YUMDIR=$DOCKER_RELEASE_DIR/yum/repo |
| 9 | 10 |
|
| ... | ... |
@@ -21,12 +22,12 @@ sign_packages(){
|
| 21 | 21 |
# sign apt repo metadata |
| 22 | 22 |
if [ -d $APTDIR ]; then |
| 23 | 23 |
# create file with public key |
| 24 |
- gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/apt/gpg" |
|
| 24 |
+ gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/apt/gpg" |
|
| 25 | 25 |
|
| 26 | 26 |
# sign the repo metadata |
| 27 | 27 |
for F in $(find $APTDIR -name Release); do |
| 28 | 28 |
if test "$F" -nt "$F.gpg" ; then |
| 29 |
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \ |
|
| 29 |
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ |
|
| 30 | 30 |
--armor --sign --detach-sign \ |
| 31 | 31 |
--batch --yes \ |
| 32 | 32 |
--output "$F.gpg" "$F" |
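Review bot: `gpg --armor --export "$GPG_KEYID"` on new line 24 exports every key matching the selector, and the default `releasedocker` is a user-ID comment match (it is written to `Name-Comment` by the generated key in the release script), so a keyring holding more than one key with that comment would publish all of them while `-u "$GPG_KEYID"` on line 29 signs with whichever gpg resolves first. The usage text should say GPG_KEYID is best given as a full fingerprint or long key ID, and a check next to the default on line 7 such as `gpg --list-secret-keys "$GPG_KEYID" >/dev/null || { echo "GPG_KEYID $GPG_KEYID not found" >&2; exit 1; }` would fail early instead of signing with the wrong key. The same applies to the yum block in `@@ -37,12 +38,12 @@` and to release_ubuntu in `@@ -282,14 +290,14 @@`. Separately, line 29 still passes `$GPG_PASSPHRASE` as an argument, as does `dpkg-sig -g "--passphrase …"` in `@@ -111,7 +112,7 @@` and `@@ -265,7 +273,7 @@`, which exposes the secret in process listings; `--passphrase-fd 0` with the passphrase on stdin avoids that. sign_packages starts outside the hunk.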
| ... | ... |
@@ -37,12 +38,12 @@ sign_packages(){
|
| 37 | 37 |
# sign yum repo metadata |
| 38 | 38 |
if [ -d $YUMDIR ]; then |
| 39 | 39 |
# create file with public key |
| 40 |
- gpg --armor --export releasedocker > "$DOCKER_RELEASE_DIR/yum/gpg" |
|
| 40 |
+ gpg --armor --export "$GPG_KEYID" > "$DOCKER_RELEASE_DIR/yum/gpg" |
|
| 41 | 41 |
|
| 42 | 42 |
# sign the repo metadata |
| 43 | 43 |
for F in $(find $YUMDIR -name repomd.xml); do |
| 44 | 44 |
if test "$F" -nt "$F.asc" ; then |
| 45 |
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \ |
|
| 45 |
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ |
|
| 46 | 46 |
--armor --sign --detach-sign \ |
| 47 | 47 |
--batch --yes \ |
| 48 | 48 |
--output "$F.asc" "$F" |
| ... | ... |
@@ -18,12 +18,13 @@ usage() {
|
| 18 | 18 |
To run, I need: |
| 19 | 19 |
- to be in a container generated by the Dockerfile at the top of the Docker |
| 20 | 20 |
repository; |
| 21 |
-- to be provided with the name of an S3 bucket, in environment variable |
|
| 22 |
- AWS_S3_BUCKET; |
|
| 21 |
+- to be provided with the location of an S3 bucket and path, in |
|
| 22 |
+ environment variables AWS_S3_BUCKET and AWS_S3_BUCKET_PATH (default: ''); |
|
| 23 | 23 |
- to be provided with AWS credentials for this S3 bucket, in environment |
| 24 | 24 |
variables AWS_ACCESS_KEY and AWS_SECRET_KEY; |
| 25 |
-- the passphrase to unlock the GPG key which will sign the deb packages |
|
| 26 |
- (passed as environment variable GPG_PASSPHRASE); |
|
| 25 |
+- the passphrase to unlock the GPG key specified by the optional environment |
|
| 26 |
+ variable GPG_KEYID (default: releasedocker) which will sign the deb |
|
| 27 |
+ packages (passed as environment variable GPG_PASSPHRASE); |
|
| 27 | 28 |
- a generous amount of good will and nice manners. |
| 28 | 29 |
The canonical way to run me is to run the image produced by the Dockerfile: e.g.:" |
| 29 | 30 |
|
| ... | ... |
@@ -62,6 +63,8 @@ fi |
| 62 | 62 |
|
| 63 | 63 |
VERSION=$(< VERSION) |
| 64 | 64 |
BUCKET=$AWS_S3_BUCKET |
| 65 |
+BUCKET_PATH=$BUCKET |
|
| 66 |
+[[ -n "$AWS_S3_BUCKET_PATH" ]] && BUCKET_PATH+=/$AWS_S3_BUCKET_PATH |
|
| 65 | 67 |
|
| 66 | 68 |
if command -v git &> /dev/null && git rev-parse &> /dev/null; then |
| 67 | 69 |
if [ -n "$(git status --porcelain --untracked-files=no)" ]; then |
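Review bot: The join on new line 66 inserts exactly one `/` between the bucket and `AWS_S3_BUCKET_PATH`, so a value given with a leading or trailing slash (e.g. `/stable/`) yields `s3://bucket//stable//builds/…` and, via s3_url, URLs with empty path segments, which S3 treats as distinct keys. Normalise once before the join, `AWS_S3_BUCKET_PATH=${AWS_S3_BUCKET_PATH#/}` and `AWS_S3_BUCKET_PATH=${AWS_S3_BUCKET_PATH%/}` ahead of the `[[ -n … ]]` test, or reject such values where the other environment variables are validated. A one-line comment on line 65 would also help, e.g. `# bucket plus optional key prefix, used to address the release artefacts`.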
| ... | ... |
@@ -101,10 +104,15 @@ write_to_s3() {
|
| 101 | 101 |
s3_url() {
|
| 102 | 102 |
case "$BUCKET" in |
| 103 | 103 |
get.docker.com|test.docker.com|experimental.docker.com) |
| 104 |
- echo "https://$BUCKET" |
|
| 104 |
+ echo "https://$BUCKET_PATH" |
|
| 105 | 105 |
;; |
| 106 | 106 |
*) |
| 107 |
- s3cmd ws-info s3://$BUCKET | awk -v 'FS=: +' '/http:\/\/'$BUCKET'/ { gsub(/\/+$/, "", $2); print $2 }'
|
|
| 107 |
+ BASE_URL=$( s3cmd ws-info s3://$BUCKET | awk -v 'FS=: +' '/http:\/\/'$BUCKET'/ { gsub(/\/+$/, "", $2); print $2 }' )
|
|
| 108 |
+ if [[ -n "$AWS_S3_BUCKET_PATH" ]] ; then |
|
| 109 |
+ echo "$BASE_URL/$AWS_S3_BUCKET_PATH" |
|
| 110 |
+ else |
|
| 111 |
+ echo "$BASE_URL" |
|
| 112 |
+ fi |
|
| 108 | 113 |
;; |
| 109 | 114 |
esac |
| 110 | 115 |
} |
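Review bot: `BASE_URL` on new line 107 is assigned without `local`, so s3_url now leaks a global whose name reads like configuration, and lines 108–112 re-implement the prefix join this commit already does for BUCKET_PATH. `local BASE_URL` followed by `echo "$BASE_URL${AWS_S3_BUCKET_PATH:+/$AWS_S3_BUCKET_PATH}"` produces the same output in two lines. The pipeline's status is awk's, so a failing `s3cmd ws-info` leaves BASE_URL empty and the function prints just `/path`; a `[[ -n "$BASE_URL" ]]` check before echoing would surface that.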
| ... | ... |
@@ -231,7 +239,7 @@ release_build() {
|
| 231 | 231 |
;; |
| 232 | 232 |
esac |
| 233 | 233 |
|
| 234 |
- s3Dir=s3://$BUCKET/builds/$s3Os/$s3Arch |
|
| 234 |
+ s3Dir="s3://$BUCKET_PATH/builds/$s3Os/$s3Arch" |
|
| 235 | 235 |
latest= |
| 236 | 236 |
latestTgz= |
| 237 | 237 |
if [ "$latestBase" ]; then |
| ... | ... |
@@ -265,7 +273,7 @@ release_ubuntu() {
|
| 265 | 265 |
local debfiles=( "bundles/$VERSION/ubuntu/"*.deb ) |
| 266 | 266 |
|
| 267 | 267 |
# Sign our packages |
| 268 |
- dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k releasedocker --sign builder "${debfiles[@]}"
|
|
| 268 |
+ dpkg-sig -g "--passphrase $GPG_PASSPHRASE" -k "$GPG_KEYID" --sign builder "${debfiles[@]}"
|
|
| 269 | 269 |
|
| 270 | 270 |
# Setup the APT repo |
| 271 | 271 |
APTDIR=bundles/$VERSION/ubuntu/apt |
| ... | ... |
@@ -282,14 +290,14 @@ EOF |
| 282 | 282 |
|
| 283 | 283 |
# Sign |
| 284 | 284 |
for F in $(find $APTDIR -name Release); do |
| 285 |
- gpg -u releasedocker --passphrase "$GPG_PASSPHRASE" \ |
|
| 285 |
+ gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \ |
|
| 286 | 286 |
--armor --sign --detach-sign \ |
| 287 | 287 |
--output "$F.gpg" "$F" |
| 288 | 288 |
done |
| 289 | 289 |
|
| 290 | 290 |
# Upload keys |
| 291 | 291 |
s3cmd sync "$HOME/.gnupg/" "s3://$BUCKET/ubuntu/.gnupg/" |
| 292 |
- gpg --armor --export releasedocker > "bundles/$VERSION/ubuntu/gpg" |
|
| 292 |
+ gpg --armor --export "$GPG_KEYID" > "bundles/$VERSION/ubuntu/gpg" |
|
| 293 | 293 |
s3cmd --acl-public put "bundles/$VERSION/ubuntu/gpg" "s3://$BUCKET/gpg" |
| 294 | 294 |
|
| 295 | 295 |
local gpgFingerprint=36A1D7869245C8950F966E92D8576A8BA88D21E9 |
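Review bot: Lines 291 and 293 still address the key material at `s3://$BUCKET/ubuntu/.gnupg/` and `s3://$BUCKET/gpg` while the rewritten line 292 and the other hunks move artefacts under `$BUCKET_PATH`, so with a non-empty AWS_S3_BUCKET_PATH the public key is published at the bucket root rather than under the prefix that s3_url now returns. If install.sh fetches the key from `$(s3_url)/gpg` (not visible here), installs from the prefixed location would not find it; either also put it at `"s3://$BUCKET_PATH/gpg"` or document that the key is intentionally shared at the root. Line 295's hard-coded `gpgFingerprint` presumably belongs to the default key and goes stale once GPG_KEYID is overridden; deriving it, `gpgFingerprint=$(gpg --with-colons --fingerprint "$GPG_KEYID" | awk -F: '/^fpr:/ { print $10; exit }')`, keeps it in step. release_ubuntu starts outside the hunk.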
| ... | ... |
@@ -330,7 +338,7 @@ release_binaries() {
|
| 330 | 330 |
|
| 331 | 331 |
# TODO create redirect from builds/*/i686 to builds/*/i386 |
| 332 | 332 |
|
| 333 |
- cat <<EOF | write_to_s3 s3://$BUCKET/builds/index |
|
| 333 |
+ cat <<EOF | write_to_s3 s3://$BUCKET_PATH/builds/index |
|
| 334 | 334 |
# To install, run the following command as root: |
| 335 | 335 |
curl -sSL -O $(s3_url)/builds/Linux/x86_64/docker-$VERSION && chmod +x docker-$VERSION && sudo mv docker-$VERSION /usr/local/bin/docker |
| 336 | 336 |
# Then start docker in daemon mode: |
| ... | ... |
@@ -339,24 +347,24 @@ EOF |
| 339 | 339 |
|
| 340 | 340 |
# Add redirect at /builds/info for URL-backwards-compatibility |
| 341 | 341 |
rm -rf /tmp/emptyfile && touch /tmp/emptyfile |
| 342 |
- s3cmd --acl-public --add-header='x-amz-website-redirect-location:/builds/' --mime-type='text/plain' put /tmp/emptyfile "s3://$BUCKET/builds/info" |
|
| 342 |
+ s3cmd --acl-public --add-header='x-amz-website-redirect-location:/builds/' --mime-type='text/plain' put /tmp/emptyfile "s3://$BUCKET_PATH/builds/info" |
|
| 343 | 343 |
|
| 344 | 344 |
if [ -z "$NOLATEST" ]; then |
| 345 |
- echo "Advertising $VERSION on $BUCKET as most recent version" |
|
| 346 |
- echo "$VERSION" | write_to_s3 "s3://$BUCKET/latest" |
|
| 345 |
+ echo "Advertising $VERSION on $BUCKET_PATH as most recent version" |
|
| 346 |
+ echo "$VERSION" | write_to_s3 "s3://$BUCKET_PATH/latest" |
|
| 347 | 347 |
fi |
| 348 | 348 |
} |
| 349 | 349 |
|
| 350 | 350 |
# Upload the index script |
| 351 | 351 |
release_index() {
|
| 352 | 352 |
echo "Releasing index" |
| 353 |
- sed "s,url='https://get.docker.com/',url='$(s3_url)/'," hack/install.sh | write_to_s3 "s3://$BUCKET/index" |
|
| 353 |
+ sed "s,url='https://get.docker.com/',url='$(s3_url)/'," hack/install.sh | write_to_s3 "s3://$BUCKET_PATH/index" |
|
| 354 | 354 |
} |
| 355 | 355 |
|
| 356 | 356 |
release_test() {
|
| 357 | 357 |
echo "Releasing tests" |
| 358 | 358 |
if [ -e "bundles/$VERSION/test" ]; then |
| 359 |
- s3cmd --acl-public sync "bundles/$VERSION/test/" "s3://$BUCKET/test/" |
|
| 359 |
+ s3cmd --acl-public sync "bundles/$VERSION/test/" "s3://$BUCKET_PATH/test/" |
|
| 360 | 360 |
fi |
| 361 | 361 |
} |
| 362 | 362 |
|
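Review bot: The rewritten line 342 uploads the `builds/info` redirect object under `$BUCKET_PATH`, but its `x-amz-website-redirect-location:/builds/` header is still root-relative, so with a non-empty AWS_S3_BUCKET_PATH the redirect leaves the prefix and points at a `/builds/` this release no longer writes. Prefix the header the same way the object key is prefixed: `--add-header="x-amz-website-redirect-location:${AWS_S3_BUCKET_PATH:+/$AWS_S3_BUCKET_PATH}/builds/"`. release_binaries starts outside the hunk; release_index and release_test are complete within it.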
| ... | ... |
@@ -365,14 +373,14 @@ setup_gpg() {
|
| 365 | 365 |
# Make sure that we have our keys |
| 366 | 366 |
mkdir -p "$HOME/.gnupg/" |
| 367 | 367 |
s3cmd sync "s3://$BUCKET/ubuntu/.gnupg/" "$HOME/.gnupg/" || true |
| 368 |
- gpg --list-keys releasedocker >/dev/null || {
|
|
| 368 |
+ gpg --list-keys "$GPG_KEYID" >/dev/null || {
|
|
| 369 | 369 |
gpg --gen-key --batch <<EOF |
| 370 | 370 |
Key-Type: RSA |
| 371 | 371 |
Key-Length: 4096 |
| 372 | 372 |
Passphrase: $GPG_PASSPHRASE |
| 373 | 373 |
Name-Real: Docker Release Tool |
| 374 | 374 |
Name-Email: docker@docker.com |
| 375 |
-Name-Comment: releasedocker |
|
| 375 |
+Name-Comment: $GPG_KEYID |
|
| 376 | 376 |
Expire-Date: 0 |
| 377 | 377 |
%commit |
| 378 | 378 |
EOF |
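Review bot: The fallback key generation writes `$GPG_KEYID` into `Name-Comment` on new line 375, so the generated key is only found later by the `gpg --list-keys "$GPG_KEYID"` test on line 368 and the `-u "$GPG_KEYID"` signing calls when GPG_KEYID is a user-ID string; if an operator sets it to a fingerprint or key ID (which line 368 accepts), the generated key never matches and each run creates another key and then fails to sign with it. Either refuse to generate when the key is absent, `gpg --list-keys "$GPG_KEYID" >/dev/null || { echo "GPG_KEYID $GPG_KEYID not found in keyring" >&2; exit 1; }`, or record the constraint above the block: `# NOTE: a generated key is only resolvable later if GPG_KEYID is a name/comment string, not a fingerprint or key ID`. setup_gpg starts and ends outside the hunk.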