feat: update redis and nginx

Update redis to 6.2.1 and add openssl 1.1.1k
Update nginx to use openssl 1.1.1k

Author: jameshartig

BUILD/.gitignore

@@ -3,17 +3,15 @@
 Our rpmbuild repo for rpms we have built. You can check out all the options for
 rpms to be built in the `SPECS` folder, and build any of them by doing:
 
+```shell
+docker run --rm -it -v ${PWD}:/root/rpmbuild centos:7 /bin/bash
+# From inside docker image
+yum update -y
+yum groupinstall -y 'Development Tools'
+yum install -y rpmdevtools yum-utils centos-release-scl
+cd /root/rpmbuild
+spectool -g -C ./SOURCES SPECS/whatever.spec
+yum-builddep -y SPECS/whatever.spec
+rm -rf /tmp/rpmbuild
+rpmbuild --define "_topdir `pwd`" --define "_builddir /tmp/rpmbuild/build" --define "_buildrootdir /tmp/rpmbuild/buildroot" -ba SPECS/whatever.spec
 ```
-vagrant up
-vagrant ssh
-# From inside the vagrant box
-cd rpmbuild
-cp -Rf /vagrant/* .
-rm -rf BUILD/*
-rm -rf SOURCES/*.gz
-spectool -g -R SPECS/whatever.spec
-rpmbuild -ba SPECS/whatever.spec
-```
-
-`vagrant provision` should download all required source files and install all
-build dependencies. If any source versions change you'll have to re-run `vagrant provision`.

BUILDROOT/.gitignore

@@ -3,7 +3,8 @@ Description=Redis persistent key-value database
 After=network.target
 
 [Service]
-ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --daemonize no
+ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --daemonize no --supervised systemd
+Type=notify
 User=redis
 Group=redis
 

README.md

@@ -1,16 +1,15 @@
-#
 %define nginx_home %{_localstatedir}/cache/nginx
 %define nginx_user nginx
 %define nginx_group nginx
 
 %define main_version 1.18.0
-%define main_release 1%{?dist}.levenlabs
+%define main_release 2%{?dist}.levenlabs
 
-%define openssl_version 1.1.1g
+%define openssl_version 1.1.1k
 %define pcre_version 8.44
 %define zlib_version 1.2.11
-
 %define nginx_more_headers_version 0.33
+
 %define WITH_CC_OPT $(echo %{optflags} $(pcre-config --cflags)) -fPIC
 %define WITH_LD_OPT -Wl,-z,relro -Wl,-z,now -pie
 %define bdir %{_builddir}/%{name}-%{main_version}
@@ -51,17 +50,17 @@ nginx [engine x] is an HTTP and reverse proxy server
 
 %prep
 %setup -q
-tar xf %{SOURCE90} -C $RPM_BUILD_DIR
+tar xf %{SOURCE90} -C %{_builddir}
 
-git clone https://github.com/vozlt/nginx-module-vts $RPM_BUILD_DIR/nginx-module-vts
-cd $RPM_BUILD_DIR/nginx-module-vts && git submodule update --init
+git clone https://github.com/vozlt/nginx-module-vts %{_builddir}/nginx-module-vts
+cd %{_builddir}/nginx-module-vts && git submodule update --init
 
-git clone https://github.com/google/ngx_brotli $RPM_BUILD_DIR/ngx_brotli
-cd $RPM_BUILD_DIR/ngx_brotli && git submodule update --init
+git clone https://github.com/google/ngx_brotli %{_builddir}/ngx_brotli
+cd %{_builddir}/ngx_brotli && git submodule update --init
 
-mkdir $RPM_BUILD_DIR/openssl && tar zxf %{SOURCE100} -C $RPM_BUILD_DIR/openssl --strip-components 1
-mkdir $RPM_BUILD_DIR/pcre && tar zxf %{SOURCE101} -C $RPM_BUILD_DIR/pcre --strip-components 1
-mkdir $RPM_BUILD_DIR/zlib && tar zxf %{SOURCE102} -C $RPM_BUILD_DIR/zlib --strip-components 1
+mkdir %{_builddir}/openssl && tar zxf %{SOURCE100} -C %{_builddir}/openssl --strip-components 1
+mkdir %{_builddir}/pcre && tar zxf %{SOURCE101} -C %{_builddir}/pcre --strip-components 1
+mkdir %{_builddir}/zlib && tar zxf %{SOURCE102} -C %{_builddir}/zlib --strip-components 1
 
 %build
 ./configure \
@@ -106,71 +105,71 @@ mkdir $RPM_BUILD_DIR/zlib && tar zxf %{SOURCE102} -C $RPM_BUILD_DIR/zlib --strip
     --with-pcre-jit \
     --with-stream \
     --with-stream_ssl_module \
-    --with-openssl=$RPM_BUILD_DIR/openssl --with-openssl-opt=enable-tls1_3 \
+    --with-openssl=%{_builddir}/openssl --with-openssl-opt=enable-tls1_3 \
     --with-stream_ssl_preread_module \
-    --with-pcre=$RPM_BUILD_DIR/pcre \
+    --with-pcre=%{_builddir}/pcre \
     --with-pcre-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
-    --with-zlib=$RPM_BUILD_DIR/zlib \
+    --with-zlib=%{_builddir}/zlib \
     --with-zlib-opt='-g -Ofast -fPIC -m64 -march=native -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
-    --add-module=$RPM_BUILD_DIR/nginx-module-vts \
+    --add-module=%{_builddir}/nginx-module-vts \
     --with-cc-opt="%{WITH_CC_OPT}" \
     --with-ld-opt="%{WITH_LD_OPT}" \
-    --add-module=$RPM_BUILD_DIR/headers-more-nginx-module-%{nginx_more_headers_version} \
-    --add-module=$RPM_BUILD_DIR/ngx_brotli \
+    --add-module=%{_builddir}/headers-more-nginx-module-%{nginx_more_headers_version} \
+    --add-module=%{_builddir}/ngx_brotli \
 
 make %{?_smp_mflags}
 
 %install
-%{__rm} -rf $RPM_BUILD_ROOT
-%{__make} DESTDIR=$RPM_BUILD_ROOT install
+%{__rm} -rf %{buildroot}
+%{__make} DESTDIR=%{buildroot} install
 
-%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/nginx
-%{__mv} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/html $RPM_BUILD_ROOT%{_datadir}/nginx/
+%{__mkdir} -p %{buildroot}%{_datadir}/nginx
+%{__mv} %{buildroot}%{_sysconfdir}/nginx/html %{buildroot}%{_datadir}/nginx/
 
-%{__rm} -f $RPM_BUILD_ROOT%{_sysconfdir}/nginx/*.default
-%{__rm} -f $RPM_BUILD_ROOT%{_sysconfdir}/nginx/fastcgi.conf
+%{__rm} -f %{buildroot}%{_sysconfdir}/nginx/*.default
+%{__rm} -f %{buildroot}%{_sysconfdir}/nginx/fastcgi.conf
 
-%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/log/nginx
-%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/run/nginx
-%{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/cache/nginx
-%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/nginx/modules
-cd $RPM_BUILD_ROOT%{_sysconfdir}/nginx && \
+%{__mkdir} -p %{buildroot}%{_localstatedir}/log/nginx
+%{__mkdir} -p %{buildroot}%{_localstatedir}/run/nginx
+%{__mkdir} -p %{buildroot}%{_localstatedir}/cache/nginx
+%{__mkdir} -p %{buildroot}%{_datadir}/nginx/modules
+cd %{buildroot}%{_sysconfdir}/nginx && \
     %{__ln_s} ../..%{_libdir}/nginx/modules modules && cd -
 
-%{__mkdir} -p $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-%{main_version}
+%{__mkdir} -p %{buildroot}%{_datadir}/doc/%{name}-%{main_version}
 %{__install} -m 644 -p LICENSE \
-    $RPM_BUILD_ROOT%{_datadir}/doc/%{name}-%{main_version}/COPYRIGHT
+    %{buildroot}%{_datadir}/doc/%{name}-%{main_version}/COPYRIGHT
 
-%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/nginx/conf.d
-%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/nginx/nginx.conf
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/nginx/conf.d
+%{__rm} %{buildroot}%{_sysconfdir}/nginx/nginx.conf
 %{__install} -m 644 -p %{SOURCE4} \
-    $RPM_BUILD_ROOT%{_sysconfdir}/nginx/nginx.conf
+    %{buildroot}%{_sysconfdir}/nginx/nginx.conf
 # we don't need default.conf
 # %{__install} -m 644 -p %{SOURCE5} \
-#    $RPM_BUILD_ROOT%{_sysconfdir}/nginx/conf.d/default.conf
+#    %{buildroot}%{_sysconfdir}/nginx/conf.d/default.conf
 
-%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/sysconfig
 %{__install} -m 644 -p %{SOURCE3} \
-    $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/nginx
+    %{buildroot}%{_sysconfdir}/sysconfig/nginx
 
 %{__install} -p -D -m 0644 %{bdir}/objs/nginx.8 \
-    $RPM_BUILD_ROOT%{_mandir}/man8/nginx.8
+    %{buildroot}%{_mandir}/man8/nginx.8
 
 # install log rotation stuff
-%{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
+%{__mkdir} -p %{buildroot}%{_sysconfdir}/logrotate.d
 %{__install} -m 644 -p %{SOURCE1} \
-   $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/nginx
+   %{buildroot}%{_sysconfdir}/logrotate.d/nginx
 
 # install systemd-specific files
-%{__mkdir} -p $RPM_BUILD_ROOT%{_unitdir}
+%{__mkdir} -p %{buildroot}%{_unitdir}
 %{__install} -m644 %SOURCE8 \
-    $RPM_BUILD_ROOT%{_unitdir}/nginx.service
+    %{buildroot}%{_unitdir}/nginx.service
 
 %check
-%{__rm} -rf $RPM_BUILD_ROOT/usr/src
+%{__rm} -rf %{buildroot}/usr/src
 
 %clean
-%{__rm} -rf $RPM_BUILD_ROOT
+%{__rm} -rf %{buildroot}
 
 %files
 %defattr(-,root,root)

SOURCES/redis.service

@@ -1,52 +1,100 @@
-Packager: Joe Admin <[email protected]>
+%define openssl_version 1.1.1k
 
 Name: redis
-Version: 4.0.6
-Release: 0%{dist}
-
-Summary: levenlab's redis 3.2.3 compilation
-
+Version: 6.2.1
+Release: 1%{dist}
+Summary: A persistent key-value database
 License: BSD
+URL: http://redis.io
 
 Source: http://download.redis.io/releases/%{name}-%{version}.tar.gz
 Source1: redis.service
+Source100: https://www.openssl.org/source/openssl-%{openssl_version}.tar.gz
 
+BuildRequires: gcc
+BuildRequires: devtoolset-8-toolchain
+BuildRequires: devtoolset-8-libatomic-devel
+BuildRequires: procps-ng
 BuildRequires: tcl
-
-%define installprefix /usr
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: systemd
+BuildRequires: which
+Requires(postun): systemd
 
 %description
+redis is an advanced key-value store
 
 %prep
 %setup -q -n redis-%{version}
 
+sed -i -e 's|^dir .*$|dir %{_sharedstatedir}/redis|g' %{_builddir}/redis-%{version}/redis.conf
+
+mkdir %{_builddir}/openssl && tar zxf %{SOURCE100} -C %{_builddir}/openssl --strip-components 1 && cd %{_builddir}/openssl && ./config --prefix=%{_builddir}/redis-%{version}/deps/openssl no-shared no-threads enable-tls1_3 && make && make install_sw LIBDIR=lib
+
+sed -i 's;-lssl;%{_builddir}/redis-%{version}/deps/openssl/lib/libssl.a;g' %{_builddir}/redis-%{version}/src/Makefile
+sed -i 's;-lcrypto;%{_builddir}/redis-%{version}/deps/openssl/lib/libcrypto.a;g' %{_builddir}/redis-%{version}/src/Makefile
+
+%global make_flags LDFLAGS="%{?__global_ldflags} -I%{_builddir}/redis-%{version}/deps/openssl/lib" CFLAGS+="%{optflags} -fPIC -I%{_builddir}/redis-%{version}/deps/openssl/include" INSTALL="install -p" PREFIX=%{buildroot}%{_prefix} BUILD_TLS=yes USE_SYSTEMD=yes
+: %{make_flags}
+
+
 %build
-make
+source /opt/rh/devtoolset-8/enable
+make %{make_flags}
 
 %install
-make PREFIX=$RPM_BUILD_ROOT%{installprefix} install
+source /opt/rh/devtoolset-8/enable
+make %{make_flags} install
+
+install -d %{buildroot}%{_sysconfdir}/redis
+install -d %{buildroot}%{_unitdir}
+install -d %{buildroot}%{_libdir}/redis
+install -d %{buildroot}%{_libdir}/redis/modules
+install -d %{buildroot}%{_sharedstatedir}/redis
+install -d %{buildroot}%{_localstatedir}/run/redis
+install -d %{buildroot}%{_includedir}
+install -m 0644 redis.conf %{buildroot}%{_sysconfdir}/redis/redis.conf
+install -m 0644 sentinel.conf %{buildroot}%{_sysconfdir}/redis/sentinel.conf
+install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/redis.service
+install -m 0644 src/redismodule.h %{buildroot}%{_includedir}/redismodule.h
 
-install -d $RPM_BUILD_ROOT/etc/redis
-install -d $RPM_BUILD_ROOT/usr/lib/systemd/system
-install -d $RPM_BUILD_ROOT/var/lib/redis
-install -d $RPM_BUILD_ROOT/var/run/redis
-install -m 0644 redis.conf $RPM_BUILD_ROOT/etc/redis/redis.conf
-install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/systemd/system/redis.service
-install -m 0644 sentinel.conf $RPM_BUILD_ROOT/etc/redis/sentinel.conf
-install -m 0755 src/redis-trib.rb $RPM_BUILD_ROOT/usr/bin/redis-trib.rb
+chmod 755 %{buildroot}%{_bindir}/redis-*
+
+%check
+# https://github.com/redis/redis/issues/1417
+taskset -c 1 make %{make_flags} test
+make %{make_flags} test-sentinel
 
 %files
 %defattr(-,root,root)
-/etc/redis
-/usr/lib/systemd/system/redis.service
-/var/lib/redis
-/var/run/redis
-%{installprefix}/bin/*
+%dir %{_sysconfdir}/redis
+%config(noreplace) %{_sysconfdir}/redis/redis.conf
+%config(noreplace) %{_sysconfdir}/redis/sentinel.conf
+%{_unitdir}/redis.service
+%dir %{_libdir}/redis
+%dir %{_libdir}/redis/modules
+%dir %{_sharedstatedir}/redis
+%dir %{_localstatedir}/run/redis
+%{_bindir}/redis-*
+%{_includedir}/redismodule.h
 
 %clean
+%{__rm} -rf %{buildroot}
+
+%pre
+getent group redis >/dev/null || groupadd -r redis
+getent passwd redis >/dev/null || \
+    useradd -r -g redis -s /sbin/nologin \
+    -d %{_sharedstatedir}/redis -c "redis user" redis
+exit 0
 
 %post
-useradd -M -r -s /bin/false redis
-chown redis:redis /var/lib/redis
-chown redis:redis /var/run/redis
-systemctl daemon-reload
+chown redis:redis %{_sharedstatedir}/redis
+chown redis:redis %{_localstatedir}/run/redis
+chown redis:redis %{_libdir}/redis
+chown redis:redis %{_libdir}/redis/modules
+
+%postun
+if [ $1 -eq 2 ]; then
+    systemctl daemon-reload >/dev/null 2>&1
+fi