Trouble creating a release RPM from puppetlabs/puppet source repo


Matt Larson

Jun 3, 2016, 6:44:20 PM
to Puppet Users

I'm trying to create an RPM from source on a stock RHEL6-based (CentOS6) instance, but I'm seeing errors.  I also posted in https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/

The output actually gets pretty far along, but stops with this error: "install: cannot stat ext/redhat/puppet.conf: no such file or directory". If I fix that problem by manually editing the SPEC file, I just get more errors, so clearly there is no need to go down a rabbit hole since this must work for someone else, right?

I've also posted in https://ask.puppet.com/question/26388/trouble-creating-a-release-rpm-from-puppetlabspuppet-source-repo/

Ideas?

Thanks in Advance,
Matt

Dan White

Jun 3, 2016, 6:51:10 PM
to puppet...@googlegroups.com
First Silly Question: Why ?
What do you need to do that cannot be done with the RPM's from a Puppetlabs repo ?
Dan White | d_e_...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & Hobbes)

Stefan Heijmans

Jun 3, 2016, 7:51:36 PM
to Puppet Users
Have you tried using the source RPMs from here;

jcbollinger

Jun 3, 2016, 10:10:01 PM
to Puppet Users


On Friday, June 3, 2016 at 1:51:10 PM UTC-5, LinuxDan wrote:
> First Silly Question: Why ?
> What do you need to do that cannot be done with the RPM's from a Puppetlabs repo ?

If I were undertaking the exercise, it would be to avoid the AIO structure.  I may one day undertake that exercise, but until now I have instead just avoided upgrading to Puppet 4.


John

Matt Larson

Jun 8, 2016, 9:01:43 AM
to Puppet Users
Sorry for not getting back soon, Dan.

Good question.

I work for a draconian company that only allows installing FOSS after our infosec team has vetted the source code and then built from source; an impossible hand-waving exercise, I know... but it is what it is.

Matt Larson

Jun 8, 2016, 9:03:09 AM
to Puppet Users
Thanks for helping with this, Stefan!

I tried this, but where are the puppet-agent source RPMs ?

Matt Larson

Jun 8, 2016, 9:06:10 AM
to Puppet Users
I did try installing via the PC1 (AIO) repo, and it worked ok for me at home.  But like I said, can't do that at work.

What is your main concern with AIO?  I don't wanna make a bad step here.   At first, AIO sounded scary to me... like some alternative to rpm/yum (in case of rhel-based distros), but it's still the same packaging mechanism, just dedicated repos per collective release, yes?

Thanks for your input,
Matt

Stefan Heijmans

Jun 8, 2016, 10:22:23 AM
to Puppet Users
On Wednesday, June 8, 2016 at 11:03:09 AM UTC+2, Matt Larson wrote:
> I tried this, but where are the puppet-agent source RPMs ?

Rob Nelson

Jun 8, 2016, 11:05:31 AM
to Puppet Users
I believe most of the reason for concern with AIO is that it installs a separate version of ruby, openssl, and other applications and libraries on your system. These need upgrading, just like your system apps/libs, and Puppet may both expose you to different vulnerabilities, since their versions are likely different from your system's, and they may not patch in a timely fashion. If you're on something like Arch Linux, probably a very sensible concern. As you are stuck using EL6 still, it's probably more sensible to use AIO than relying on end-of-support versions of everything from the system, particularly ruby 1.8.7. IMO, your security posture can only improve by using AIO, regardless of what your infosec ninnies say :)

jcbollinger

Jun 8, 2016, 4:18:54 PM
to Puppet Users


On Wednesday, June 8, 2016 at 4:06:10 AM UTC-5, Matt Larson wrote:
> I did try installing via the PC1 (AIO) repo, and it worked ok for me at home.  But like I said, can't do that at work.
>
> What is your main concern with AIO?  I don't wanna make a bad step here.   At first, AIO sounded scary to me... like some alternative to rpm/yum (in case of rhel-based distros), but it's still the same packaging mechanism, just dedicated repos per collective release, yes?



No, AIO is quite a different beast from a separate repo per release.  It is Puppet software plus private copies of substantially all dependencies, all in a single package.  It is true that the packages in question are of the target machines' native package type, but that's not the point.  I have both philosophical and practical objections to the practice, without regard to the details of Puppet's AIO packages specifically.  Your Infosec people are going to hate it more specifically and intensely, and it is possible that you will even run into a policy that forbids (third party) AIO packages altogether.  If they undertake the required review, then expect it to take a long time, because they will need to review every component included in the AIO.


John

Eric Sorenson

Jun 9, 2016, 7:55:49 PM
to Puppet Users
Matt, I would like to understand this better and help you adopt Puppet into your environment.

This is not a rhetorical question, but it might sound like one: Do you rebuild your linux distribution from source RPMs? Because that is very similar to what the AIO Puppet agent bundle is: a mini distribution with the dependencies ending up in one artifact.

People outside Puppet can (and have) successfully rebuilt AIO, and there are also successful packaging efforts that take JUST the Puppet 4 source and build a standalone RPM from it in the manner of the puppet 3 packages:


But our recommendation is to use the all-in-one obviously; it's what's tested extensively and what ships in puppet enterprise. 

--eric

Rob Nelson

Jun 9, 2016, 7:58:55 PM
to puppet...@googlegroups.com
Eric

Sidebar question I've always had. There's the puppet gem that is commonly used for rspec-puppet. Could that gem (plus its deps, facter, hiera, etc.) suffice for some or all use cases?

Matt Larson

Jun 13, 2016, 12:45:12 PM
to Puppet Users
Eric et al,

Thanks again for your help with this!  I realize how crazy it may seem to want to rebuild from source.  My company has become so paranoid of open source software due to recent events, that the infosec team now requires us to vet (as if that's feasible) FOSS source code before bringing in.  Since starting this post, however, I was able to convince the team to bring in the PC1 repo.

As someone else has suggested to me, I will have to revisit with Vanagon and/or the src RPM in the future.   I would like to know how to build these though, so I'll revisit one day for sure.

Cheers,
Matt

jcbollinger

Jun 14, 2016, 1:05:20 PM
to Puppet Users


On Monday, June 13, 2016 at 7:45:12 AM UTC-5, Matt Larson wrote:
> Eric et al,
>
> Thanks again for your help with this!  I realize how crazy it may seem to want to rebuild from source.  My company has become so paranoid of open source software due to recent events,


At the risk of taking this a bit off-topic, which "recent events" are they that make your company hypervigilant about open-source software?

More on-topic: perhaps your company would prefer to license Puppet PE over devoting resources to vetting the open-source release.  I mean, when they pay for OS X, surely they don't perform a source-level review of the underlying BSD-licensed kernel and utilities.  Similarly with all the devices they buy that have Linux inside.  And of course, there can be no question of demanding to review the source of the many closed-source applications they use.  So if the distinguishing characteristic determining whether they want to review is whether they've spent money, then I'm confident that Puppet, Inc. would be pleased to help solve your problem by accepting money in exchange for PE.  It's a win-win!


John

Matthew Gyurgyik

Jun 14, 2016, 7:45:16 PM
to Puppet Users
I have successfully built the AIO package using the puppetlabs/puppet-agent [1] repository from source. I did this because I needed ppc64le packages which puppetlabs does not provide. This isn't the easiest process, but not terribly difficult if you are comfortable building software.

I wanted to give a presentation about this issue at puppetconf, but my proposal was rejected. Anyways, I'd be glad to share more specifics if you are interested.


[1] https://github.com/puppetlabs/puppet-agent

Andrew

Jun 17, 2016, 8:30:45 AM
to Puppet Users
Matt, take the src rpm that suits your needs.

`mkdir -p rpm/{RPMS/x86_64,RPMS/noarch,SRPMS,SPECS,SOURCES,BUILD,BUILDROOT}`
rpmbuild --rebuild puppet[whatever].srpm

hit ctrl-c before it finishes. This will leave the .spec file and the source tarball in the SPECS and SOURCES dirs respectively.

cd SPECS
edit the puppet.spec file to suit (remove ruby-rgen, add rubygems-rgen, whatever)

rpmbuild -bb puppet.spec
# watch magic happen.

fish the built rpm files out of RPMS/noarch dir

Although I think it's a kinda silly exercise from a security pov, because the security nazis don't understand the code anyway ...
I do hear what you are saying about having to go thru this exercise.

Cheers,
Andrew.
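
The spec-editing step in the post above changes what the rebuilt package depends on, which is exactly what a source review would want recorded. As an added example (not part of Andrew's post and not Puppet's own tooling), this Python helper lists the dependency tags that differ between the spec extracted from the source RPM and the edited copy. The spec fragments are constructed for illustration; only the names ruby-rgen and rubygems-rgen come from the post.

```python
import re

# Spec tags that declare package relationships (rpm treats tags case-insensitively).
DEP_TAG = re.compile(
    r"^\s*(BuildRequires|Requires(?:\([^)]*\))?|Provides|Obsoletes|Conflicts)"
    r"\s*:\s*(.+)$",
    re.IGNORECASE,
)
# One entry: a name, optionally followed by a comparison operator and a version.
DEP_ITEM = re.compile(r"([^\s,<>=]+)(?:\s*(<=|>=|=|<|>)\s*([^\s,]+))?")


def parse_deps(spec_text):
    """Return the set of (tag, name, constraint) tuples declared in a spec."""
    deps = set()
    for line in spec_text.splitlines():
        line = line.split("#", 1)[0]  # ignore comments
        match = DEP_TAG.match(line)
        if not match:
            continue
        tag = match.group(1).lower()
        for name, op, version in DEP_ITEM.findall(match.group(2)):
            deps.add((tag, name, f"{op} {version}" if op else ""))
    return deps


def diff_deps(original_spec, edited_spec):
    """Return (removed, added) as sorted lists of dependency tuples."""
    before, after = parse_deps(original_spec), parse_deps(edited_spec)
    return sorted(before - after), sorted(after - before)


# Constructed spec fragments; only ruby-rgen and rubygems-rgen come from the post.
ORIGINAL = """\
Name: puppet
BuildRequires: ruby >= 1.8.7
Requires: ruby >= 1.8.7, ruby-rgen
# Requires: not-a-real-dependency
"""
EDITED = ORIGINAL.replace("ruby-rgen", "rubygems-rgen")

if __name__ == "__main__":
    removed, added = diff_deps(ORIGINAL, EDITED)
    for sign, entries in (("-", removed), ("+", added)):
        for tag, name, constraint in entries:
            print(f"{sign} {tag}: {name} {constraint}".rstrip())
```

Run against the real pair of spec files, the output can be kept alongside the built RPM as a record of what was changed before the build.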

Eric Sorenson

Jun 22, 2016, 9:55:04 PM
to puppet...@googlegroups.com
On Thu, 9 Jun 2016, Rob Nelson wrote:

> Eric
>
> Sidebar question I've always had. There's the puppet gem that is commonly
> used for rspec-puppet. Could that gem (plus its deps, facter, hiera, etc.)
> suffice for some or all use cases?

Sure, there are definitely people who run the whole stack from gems. (There
are other people who call those people crazy, but that's a different
conversation)

This becomes weirder with Facter 3 due to the C++ components; right now the
puppet Gemfile specifies facter-2.4.4, which works fine but at some point
there may be divergence between that gem and the latest mainline C++-facter.


Eric Sorenson - eric.s...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

Andreas Zuber

Jun 23, 2016, 6:47:20 AM
to puppet...@googlegroups.com
On 06/22/2016 11:54 PM, Eric Sorenson wrote:
>
> Sure, there are definitely people who run the whole stack from gems.
> (There are other people who call those people crazy, but that's a
> different conversation)
>
> This becomes weirder with Facter 3 due to the C++ components; right
> now the puppet Gemfile specifies facter-2.4.4, which works fine but at
> some point there may be divergence between that gem and the latest
> mainline C++-facter.
>

May I ask what general idea Puppet (the company) has for those
tools in the future? In my opinion tools like rspec-puppet and friends
are really a requirement when developing modules and currently it is
very easy to use them with just a Gemfile in the module root.

Is there any plan in place to enable the module developers to keep this
convenient way which also makes it very easy to automatically test
against a whole mix of different versions of puppet and facter?

Michal Strnad

Mar 9, 2017, 11:25:02 PM
to Puppet Users
Hi Matthew,

I would really appreciate your experience with such a build. I'm currently facing the same need to build the Puppet AIO package for ppc64le SLES 12.
Therefore I would kindly ask you to share some more details about the process.

Thank you.

On Tuesday, June 14, 2016 at 21:45:16 UTC+2, Matthew Gyurgyik wrote: