From 6b252b14e57f5a510573b4fff4a5021320bf688f Mon Sep 17 00:00:00 2001
From: Nirman Narang
Date: Tue, 1 Feb 2022 14:48:56 +0000
Subject: [PATCH] Added support for Rhel 8 and SLES 15 for s390x
Added Dockerfile for rhel-8 and sles-15. Added spec files rpm/SPECS/checkpolicy.spec, rpm/SPECS/policycoreutils.spec for sles-15 support. Modified rpm/SPECS/docker-ce.spec for adding support for sles-15 with btrfs support. Modified rpm/Makefile to add support for sles-15 and rhel-8.
Signed-off-by: Nirman Narang
---
 rpm/Makefile | 34 ++++++++++++++++++++---
 rpm/SPECS/checkpolicy.spec | 30 +++++++++++++++++++++
 rpm/SPECS/docker-ce.spec | 16 ++++++++++-
 rpm/SPECS/policycoreutils.spec | 41 ++++++++++++++++++++++++++++
 rpm/SPECS/sles_dependencies.spec | 36 +++++++++++++++++++++++++
 rpm/rhel-8/Dockerfile | 35 ++++++++++++++++++++++++
 rpm/sles-15/Dockerfile | 46 ++++++++++++++++++++++++++++++++
 7 files changed, 233 insertions(+), 5 deletions(-)
 create mode 100644 rpm/SPECS/checkpolicy.spec
 create mode 100644 rpm/SPECS/policycoreutils.spec
 create mode 100644 rpm/SPECS/sles_dependencies.spec
 create mode 100644 rpm/rhel-8/Dockerfile
 create mode 100644 rpm/sles-15/Dockerfile
diff --git a/rpm/Makefile b/rpm/Makefile
index 064c9594f7..7fab33e3cb 100644
--- a/rpm/Makefile
+++ b/rpm/Makefile
@@ -10,7 +10,7 @@ ENGINE_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/docke
 SCAN_GITCOMMIT?=$(shell cd $(realpath $(CURDIR)/../src/github.com/docker/scan-cli-plugin) && git rev-parse --short HEAD)
 ifdef BUILD_IMAGE
- BUILD_IMAGE_FLAG=--build-arg $(BUILD_IMAGE)
+ BUILD_IMAGE_FLAG=--build-arg BUILD_IMAGE=$(BUILD_IMAGE)
 endif
 BUILD?=DOCKER_BUILDKIT=1 \
 docker build \
@@ -42,6 +42,14 @@ RPMBUILD_FLAGS?=-ba\
 # Additional flags may be necessary at some point
 RUN_FLAGS=
+RUN_SLES?=docker run --rm \
+ -e PLATFORM \
+ -v $(CURDIR)/rpmbuild/SOURCES:/usr/src/packages/SOURCES:ro \
+ -v $(CURDIR)/rpmbuild/$@/RPMS:/usr/src/packages/RPMS \
+ -v $(CURDIR)/rpmbuild/$@/SRPMS:/usr/src/packages/SRPMS \
+ $(RUN_FLAGS) \
+ rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)
+
 RUN?=docker run --rm \
 -e PLATFORM \
 -v $(CURDIR)/rpmbuild/SOURCES:/root/rpmbuild/SOURCES:ro \
@@ -50,15 +58,19 @@ RUN?=docker run --rm \
 $(RUN_FLAGS) \
 rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)
-FEDORA_RELEASES ?= fedora-34 fedora-33
+FEDORA_RELEASES ?= fedora-35 fedora-34 fedora-33
 CENTOS_RELEASES ?= centos-7 centos-8
 ifeq ($(ARCH),s390x)
-RHEL_RELEASES ?= rhel-7
+RHEL_RELEASES ?= rhel-7 rhel-8
+SLES_RELEASES ?= sles-15
 else
 RHEL_RELEASES ?=
+SLES_RELEASES ?=
 endif
+
 DISTROS := $(FEDORA_RELEASES) $(CENTOS_RELEASES) $(RHEL_RELEASES)
+
 BUNDLES := $(patsubst %,rpmbuild/bundles-ce-%-$(DPKG_ARCH).tar.gz,$(DISTROS))
 .PHONY: help
@@ -72,7 +84,7 @@ clean: ## remove build artifacts
 -docker builder prune -f --filter until=24h
 .PHONY: rpm
-rpm: fedora centos ## build all rpm packages
+rpm: fedora centos rhel sles ## build all rpm packages
 .PHONY: fedora
 fedora: $(FEDORA_RELEASES) ## build all fedora rpm packages
@@ -83,9 +95,15 @@ centos-8: RPMBUILD_EXTRA_FLAGS=--define '_without_btrfs 1'
 .PHONY: centos
 centos: $(CENTOS_RELEASES) ## build all centos rpm packages
+.PHONY: rhel-8
+rhel-8: RPMBUILD_EXTRA_FLAGS=--define '_without_btrfs 1'
+
 .PHONY: rhel
 rhel: $(RHEL_RELEASES) ## build all rhel rpm packages
+.PHONY: sles
+sles: $(SLES_RELEASES) ## build all sles rpm packages
+
 .PHONY: $(DISTROS)
 $(DISTROS): rpmbuild/SOURCES/engine.tgz rpmbuild/SOURCES/cli.tgz rpmbuild/SOURCES/scan-cli-plugin.tgz rpmbuild/SOURCES/plugin-installers.tgz
 @echo "== Building packages for $@ =="
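Review bot: `RUN_SLES` duplicates `RUN` except for the container-side prefix (`/usr/src/packages` in place of `/root/rpmbuild`), and keeping `SLES_RELEASES` out of `DISTROS` forces the `$(SLES_RELEASES)` rule added in the `@@ -94,6 +112,14` hunk to repeat the `$(DISTROS)` recipe line for line while leaving the SLES builds out of `BUNDLES`. Because `RUN` is recursively assigned with `?=`, a target-specific variable set on the SLES targets in the style the file already uses for `centos-8:` and `rhel-8:` is honoured when the recipe expands `$(RUN)`, which removes both copies; the sketch below assumes the `-v …/RPMS` and `-v …/SRPMS` lines of `RUN`, which fall between the hunks, mirror the `RUN_SLES` ones. `.PHONY: rhel-8` in the `@@ -83,9 +95,15` hunk is redundant on s390x, the only arch where `rhel-8` is a target, since it is then part of `$(DISTROS)`, which the context line already declares phony.
```make
RPMBUILD_TOPDIR?=/root/rpmbuild

RUN?=docker run --rm \
	-e PLATFORM \
	-v $(CURDIR)/rpmbuild/SOURCES:$(RPMBUILD_TOPDIR)/SOURCES:ro \
	-v $(CURDIR)/rpmbuild/$@/RPMS:$(RPMBUILD_TOPDIR)/RPMS \
	-v $(CURDIR)/rpmbuild/$@/SRPMS:$(RPMBUILD_TOPDIR)/SRPMS \
	$(RUN_FLAGS) \
	rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)

# … unchanged: FEDORA/CENTOS/RHEL/SLES release lists …

# The SLES image keeps rpmbuild's tree under /usr/src/packages, so remap the mounts for it only.
sles-15: RPMBUILD_TOPDIR=/usr/src/packages

DISTROS := $(FEDORA_RELEASES) $(CENTOS_RELEASES) $(RHEL_RELEASES) $(SLES_RELEASES)
# … unchanged: BUNDLES and the shared $(DISTROS) rule; RUN_SLES and the separate $(SLES_RELEASES) rule are dropped …
```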
@@ -94,6 +112,14 @@ $(DISTROS): rpmbuild/SOURCES/engine.tgz rpmbuild/SOURCES/cli.tgz rpmbuild/SOURCE
 $(RUN)
 $(CHOWN) -R $(shell id -u):$(shell id -g) "rpmbuild/$@"
+.PHONY: $(SLES_RELEASES)
+$(SLES_RELEASES): rpmbuild/SOURCES/engine.tgz rpmbuild/SOURCES/cli.tgz rpmbuild/SOURCES/scan-cli-plugin.tgz rpmbuild/SOURCES/plugin-installers.tgz
+ @echo "== Building packages for $@ =="
+ mkdir -p "rpmbuild/$@"
+ $(BUILD)
+ $(RUN_SLES)
+ $(CHOWN) -R $(shell id -u):$(shell id -g) "rpmbuild/$@"
+
 rpmbuild/SOURCES/engine.tgz:
 mkdir -p $(@D)
 docker run --rm -w /v \
diff --git a/rpm/SPECS/checkpolicy.spec b/rpm/SPECS/checkpolicy.spec
new file mode 100644
index 0000000000..b2c485b7f4
--- /dev/null
+++ b/rpm/SPECS/checkpolicy.spec
@@ -0,0 +1,30 @@
+Name: checkpolicy
+Version: 3.3.62.2
+Release: 1%{?dist}
+Group: System Environment/Base
+Summary: SELinux policy compiler
+License: GPLv2
+%description
+
+BuildRequires: wget
+BuildRequires: tar
+BuildRequires: gcc7
+BuildRequires: make
+BuildRequires: gzip
+BuildRequires: bison
+BuildRequires: libsepol-devel
+BuildRequires: flex
+
+%configure
+
+%install
+wget https://github.com/SELinuxProject/selinux/releases/download/3.3/libsepol-3.3.tar.gz
+tar -xvf libsepol-3.3.tar.gz
+cd libsepol-3.3
+make CC=gcc
+cd ..
+wget https://github.com/SELinuxProject/selinux/releases/download/3.3/checkpolicy-3.3.tar.gz
+tar -xvf checkpolicy-3.3.tar.gz
+cd checkpolicy-3.3
+make CC=gcc
+%files
diff --git a/rpm/SPECS/docker-ce.spec b/rpm/SPECS/docker-ce.spec
index 71d924a9ee..b1f8c07f7d 100644
--- a/rpm/SPECS/docker-ce.spec
+++ b/rpm/SPECS/docker-ce.spec
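Review bot: The `%install` section fetches the libsepol and checkpolicy tarballs with `wget` at build time and unpacks them with no digest or signature check, and `%files` is empty, so the checkpolicy RPM that rpm/sles-15/Dockerfile later installs with `rpm -i` ships no files; policycoreutils.spec in this patch has the same shape. The libsepol built here is neither installed nor pointed at by the checkpolicy build, so the binary links against whatever libsepol-devel the image carries (or what policycoreutils.spec installed into the container earlier), which `BuildRequires: libsepol-devel >= 3.3` would at least state. As far as I can tell rpm reads the lines after `%description` as description text rather than preamble tags, so the `BuildRequires:` lines are inert where they stand and belong above `%description`. Declaring the tarball as `Source0:`, staging it in `rpmbuild/SOURCES` (which the Makefile already mounts) with a recorded checksum, and splitting the work into `%prep`/`%build`/`%install` with `DESTDIR=%{buildroot}` takes the network out of the build and makes the package carry what it built, as sketched below.
```rpmspec
# … unchanged: Name/Version/Release/Group/Summary/License …
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/checkpolicy-3.3.tar.gz
# … unchanged: BuildRequires lines, moved here above %description …
BuildRequires: libsepol-devel >= 3.3

%description
SELinux policy compiler.

%prep
%setup -q -n checkpolicy-3.3

%build
make %{?_smp_mflags} CC=gcc

%install
make DESTDIR=%{buildroot} install

%files
%{_bindir}/checkpolicy
%{_bindir}/checkmodule
%{_mandir}/man8/*
```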
@@ -18,24 +18,38 @@ Packager: Docker
 Requires: /usr/sbin/groupadd
 Requires: docker-ce-cli
 Requires: docker-ce-rootless-extras
+%if 0%{?suse_version}
+Requires: container-selinux
+Requires: libseccomp2
+Requires: libcgroup-devel
+%else
 Requires: container-selinux >= 2:2.74
 Requires: libseccomp >= 2.3
+Requires: libcgroup
+%endif
 Requires: systemd
 Requires: iptables
-Requires: libcgroup
 Requires: containerd.io >= 1.4.1
 Requires: tar
 Requires: xz
 BuildRequires: bash
+%if 0%{?suse_version}
+BuildRequires: btrfsprogs
+%else
 %{?_with_btrfs:BuildRequires: btrfs-progs-devel}
+%endif
 BuildRequires: ca-certificates
 BuildRequires: cmake
 BuildRequires: device-mapper-devel
 BuildRequires: gcc
 BuildRequires: git
 BuildRequires: glibc-static
+%if 0%{?suse_version}
+BuildRequires: libarchive13
+%else
 BuildRequires: libarchive
+%endif
 BuildRequires: libseccomp-devel
 BuildRequires: libselinux-devel
 BuildRequires: libtool
diff --git a/rpm/SPECS/policycoreutils.spec b/rpm/SPECS/policycoreutils.spec
new file mode 100644
index 0000000000..71174d2ae8
--- /dev/null
+++ b/rpm/SPECS/policycoreutils.spec
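Review bot: The SUSE branch drops the version floors the other branch keeps — `Requires: container-selinux` and `Requires: libseccomp2` carry no `>=`, whereas the `%else` side requires `container-selinux >= 2:2.74` and `libseccomp >= 2.3` — and it names `libcgroup-devel`, a development package, as a runtime dependency of docker-ce. Unless the SUSE packages cannot satisfy a comparable floor, `Requires: libseccomp2 >= 2.3` keeps the seccomp guarantee, and the runtime `Requires` should name the package that ships the libcgroup shared library rather than its headers. `BuildRequires: btrfsprogs` under `%if 0%{?suse_version}` is the userspace tools package; the headers the btrfs graphdriver build needs on SUSE come from `libbtrfs-devel`, which sles_dependencies.spec lists but this spec does not, so the SUSE BuildRequires here do not describe the build on their own. That line is also unconditional on SUSE while the other branch gates btrfs on `_with_btrfs`; a comment such as `# btrfs is always built on SLES; other distros opt in with --with btrfs` would make the asymmetry deliberate rather than accidental.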
@@ -0,0 +1,41 @@
+Name: policycoreutils
+Version: 3.3
+Release: 1%{?dist}
+Group: System Environment/Base
+Summary: SELinux policy core utilities
+License: GPLv2
+%description
+
+%configure
+
+BuildRequires: gzip
+BuildRequires: make
+BuildRequires: gcc7
+BuildRequires: flex
+BuildRequires: libbz2-devel
+BuildRequires: libsemanage-devel
+BuildRequires: gettext
+BuildRequires: bison
+BuildRequires: wget
+BuildRequires: tar
+
+%install
+wget https://github.com/SELinuxProject/selinux/releases/download/3.3/libsepol-3.3.tar.gz
+update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 7
+tar -xvf libsepol-3.3.tar.gz
+cd libsepol-3.3
+make CC=gcc
+make install
+cd ..
+wget https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
+tar -xvf libselinux-3.3.tar.gz
+cd libselinux-3.3
+make CC=gcc
+make install
+cd ..
+wget https://github.com/SELinuxProject/selinux/releases/download/3.3/policycoreutils-3.3.tar.gz
+tar -xvf policycoreutils-3.3.tar.gz
+cd policycoreutils-3.3
+make CC=gcc
+make install
+%files
diff --git a/rpm/SPECS/sles_dependencies.spec b/rpm/SPECS/sles_dependencies.spec
new file mode 100644
index 0000000000..a072635859
--- /dev/null
+++ b/rpm/SPECS/sles_dependencies.spec
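Review bot: The three `make install` calls in `%install` pass no `DESTDIR`, so — assuming the upstream Makefiles default it to empty — libsepol, libselinux and policycoreutils are written into the build container's `/usr` rather than into `%{buildroot}`, and with an empty `%files` the RPM that comes out is empty; the packaging step is really a side effect on the image, and `update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 7` likewise rewires the container's compiler from inside a spec. If a real package is intended, use `make DESTDIR=%{buildroot} install` for each component and list the installed paths in `%files`; if only provisioning the image is intended, a plain `RUN` in rpm/sles-15/Dockerfile says so and avoids the misleading `rpm -i` of an empty package. Either way `make CC=gcc-7` removes the need for the `update-alternatives` line, and the unverified-download point raised on checkpolicy.spec applies to the three `wget` lines here as well. As in checkpolicy.spec, the `BuildRequires:` lines sit below `%description`, where rpm appears to treat them as description text.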
@@ -0,0 +1,36 @@
+Name: SLES_Dependencies
+Version: %{_version}
+License: GPLv2
+Release: 1%{?dist}
+Summary: SLES Dependencies
+
+%description
+The file lists the dependencies required for building the rpmbuild-sles-15
+
+BuildRequires: rpm-build
+BuildRequires: rpmlint
+BuildRequires: pkg-config
+BuildRequires: libsystemd0
+BuildRequires: systemd-devel
+BuildRequires: selinux-tools
+BuildRequires: wget
+BuildRequires: cmake
+BuildRequires: device-mapper-devel
+BuildRequires: git
+BuildRequires: glibc-devel-static
+BuildRequires: libseccomp-devel
+BuildRequires: libtool
+BuildRequires: libarchive-devel
+BuildRequires: btrfsprogs
+BuildRequires: libbtrfs-devel
+BuildRequires: lsb-release
+BuildRequires: gzip
+BuildRequires: make
+BuildRequires: gcc7
+BuildRequires: flex
+BuildRequires: libbz2-devel
+BuildRequires: libsemanage-devel
+BuildRequires: libsepol-devel
+BuildRequires: gettext
+BuildRequires: bison
+BuildRequires: tar
diff --git a/rpm/rhel-8/Dockerfile b/rpm/rhel-8/Dockerfile
new file mode 100644
index 0000000000..2dcb242ebf
--- /dev/null
+++ b/rpm/rhel-8/Dockerfile
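Review bot: `Version: %{_version}` refers to a macro nothing in this patch defines, and rpm/sles-15/Dockerfile parses the file with a bare `rpmspec --parse`, so the expansion depends on whatever the build image happens to define; a literal such as `Version: 0` would say plainly that the version is meaningless here. The file exists only so that Dockerfile can scrape its `BuildRequires:` lines with `grep | cut`, which the `License:`, `Summary:` and `%description` fields do not convey; a leading comment along the lines of `# Not a buildable package: rpm/sles-15/Dockerfile reads the BuildRequires: lines below to install build dependencies` would keep the next reader from trying to rpmbuild it. Because that pipeline uses `cut -d' ' -f2`, the tag and the package name must stay separated by exactly one space — an aligned or tab-separated entry would yield an empty package name for zypper — which is worth stating in the same comment.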
@@ -0,0 +1,35 @@
+ARG GO_IMAGE
+ARG DISTRO=rhel
+ARG SUITE=8
+ARG BUILD_IMAGE=dockereng/${DISTRO}:${SUITE}-s390x
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=direct
+ENV GO111MODULE=off
+ENV GOPATH=/go
+ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH 1
+ENV DOCKER_BUILDTAGS seccomp selinux exclude_graphdriver_btrfs
+ENV RUNC_BUILDTAGS seccomp selinux
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV CC=gcc
+
+RUN yum install -y rpm-build rpmlint libarchive yum-utils
+COPY SPECS /root/rpmbuild/SPECS
+
+# TODO change once we support scan-plugin on other architectures
+RUN \
+ if [ "$(uname -m)" = "x86_64" ]; then \
+ yum-builddep -y /root/rpmbuild/SPECS/*.spec; \
+ else \
+ yum-builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/docker-c*.spec; \
+ fi
+
+COPY --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]
diff --git a/rpm/sles-15/Dockerfile b/rpm/sles-15/Dockerfile
new file mode 100644
index 0000000000..30b89fd273
--- /dev/null
+++ b/rpm/sles-15/Dockerfile
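Review bot: The `x86_64` branch of the `yum-builddep` conditional is unreachable on this image, whose `BUILD_IMAGE` defaults to `dockereng/${DISTRO}:${SUITE}-s390x`, and if it were reached it would now also feed the SLES-only specs that `COPY SPECS` brings in (checkpolicy.spec, policycoreutils.spec, sles_dependencies.spec) to yum-builddep. Keeping only `RUN yum-builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/docker-c*.spec` matches what the image can do, with the TODO moved onto that line. The `_without_btrfs` define here duplicates `rhel-8: RPMBUILD_EXTRA_FLAGS=--define '_without_btrfs 1'` in rpm/Makefile and `exclude_graphdriver_btrfs` in `DOCKER_BUILDTAGS` above; a comment such as `# btrfs is disabled for rhel-8; keep in step with RPMBUILD_EXTRA_FLAGS in rpm/Makefile` on one of them would stop the three from drifting apart. `ENV PATH $PATH:…` and `ENV AUTO_GOPATH 1` use the legacy space-separated `ENV` form while the neighbouring lines use `KEY=value`; one form throughout is easier to read.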
@@ -0,0 +1,46 @@
+ARG GO_IMAGE
+ARG DISTRO=sles
+ARG SUITE=15
+ARG BUILD_IMAGE=dockereng/${DISTRO}:${SUITE}-s390x
+
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=direct
+ENV GO111MODULE=off
+ENV GOPATH=/go
+ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH 1
+ENV DOCKER_BUILDTAGS seccomp selinux
+ENV RUNC_BUILDTAGS seccomp selinux
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+ENV CC=gcc
+USER root
+
+COPY SPECS /usr/src/packages/SPECS
+COPY rpmbuild/SOURCES/ /usr/src/packages/SOURCES/
+RUN zypper -n install $(rpmspec --parse /usr/src/packages/SPECS/sles_dependencies.spec | grep BuildRequires | cut -d' ' -f2 | xargs)
+RUN rpmbuild -bb /usr/src/packages/SPECS/policycoreutils.spec
+RUN rpmbuild -bb /usr/src/packages/SPECS/checkpolicy.spec
+RUN rpm -i /usr/src/packages/RPMS/s390x/policycoreutils-3.3-1.s390x.rpm && rpm -i /usr/src/packages/RPMS/s390x/checkpolicy-3.3.62.2-1.s390x.rpm \
+&& sles_version=$(lsb_release -r | rev | cut -c1) \
+&& opensuse_repo="https://download.opensuse.org/repositories/security:SELinux/SLE_15_SP$sles_version/security:SELinux.repo" \
+&& zypper addrepo $opensuse_repo \
+&& zypper --gpg-auto-import-keys refresh && zypper install -y selinux-policy selinux-policy-devel \
+&& mkdir -p /root/rpmbuild/ && cp -r /usr/src/packages/* /root/rpmbuild/
+
+# TODO change once we support scan-plugin on other architectures
+RUN \
+ if [ "$(uname -m)" = "x86" ]; then \
+ rpmbuild /root/rpmbuild/SPECS/*.spec; \
+ else \
+ rpmbuild /usr/src/packages/SPECS/docker-c*.spec; \
+ fi
+
+COPY --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/usr/bin/rpmbuild"]
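Review bot: `zypper --gpg-auto-import-keys refresh` accepts whatever signing key the just-added `security:SELinux` OBS repository presents, so `selinux-policy` and `selinux-policy-devel` are installed on trust-on-first-use rather than verified against a key the build already knows; import the key explicitly from a pinned copy before the refresh (`rpm --import <PINNED_REPO_KEY_FILE>`, with the file's checksum recorded alongside it) and drop the auto-import flag. `sles_version=$(lsb_release -r | rev | cut -c1)` keeps only the last character of the release string, so the repository path `SLE_15_SP$sles_version` is wrong for a service pack with two digits or a base release without one; `VERSION_ID` from `/etc/os-release` holds the full `15.N` value and can be split on the dot instead. `[ "$(uname -m)" = "x86" ]` never matches (`uname -m` reports `x86_64`), so the first branch of the final conditional is dead, and both branches run `rpmbuild` with no `-b` mode flag, which as far as I can tell builds nothing — if the intent is a dependency check, say so in the TODO. The two `rpm -i` calls install the packages produced by policycoreutils.spec and checkpolicy.spec, whose `%files` sections are empty, so they add nothing to the image and the line can shrink to the repository setup.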