From 75a79e38e08ec9768cdeef1b301db615c73aa38c Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:15:15 -0500 Subject: [PATCH 1/9] Added RedHat 10 platform support Ticket: ENT-13016 Changelog: title --- build-scripts/labels.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-scripts/labels.txt b/build-scripts/labels.txt index 06fa3d72a..38a10171b 100644 --- a/build-scripts/labels.txt +++ b/build-scripts/labels.txt @@ -8,6 +8,8 @@ PACKAGES_HUB_arm_64_linux_debian_12 PACKAGES_HUB_x86_64_linux_redhat_7 PACKAGES_HUB_x86_64_linux_redhat_8 PACKAGES_HUB_x86_64_linux_redhat_9 +PACKAGES_HUB_x86_64_linux_redhat_10 +PACKAGES_HUB_arm_64_linux_redhat_10 PACKAGES_HUB_x86_64_linux_ubuntu_20 PACKAGES_HUB_x86_64_linux_ubuntu_22 @@ -23,6 +25,8 @@ PACKAGES_arm_64_linux_debian_12 PACKAGES_x86_64_linux_redhat_7 PACKAGES_x86_64_linux_redhat_8 PACKAGES_x86_64_linux_redhat_9 +PACKAGES_x86_64_linux_redhat_10 +PACKAGES_arm_64_linux_redhat_10 PACKAGES_x86_64_linux_suse_12 PACKAGES_x86_64_linux_suse_15 From 614f9dc0954258b39eb79dc5c2476f8f00013b91 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:25:57 -0500 Subject: [PATCH 2/9] Adjusted apache patch spec file for newer Patch N style Ticket: ENT-13016 Changelog: none --- deps-packaging/apache/cfbuild-apache.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index 1a743e508..f404c8972 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec @@ -8,6 +8,7 @@ Release: 1 Source0: httpd-%{apache_version}.tar.gz Source1: httpd.conf Patch0: apachectl.patch +Patch1: fixed-implicit-decl-gettid.patch License: MIT Group: Other Url: https://cfengine.com @@ -21,7 +22,8 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n httpd-%{apache_version} -%patch0 -p0 +%patch -P 0 +%patch -P 1 -p1 CPPFLAGS=-I%{buildprefix}/include From 6fc52e4db4a61a754d0450963c8b1b11ed941107 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:26:29 -0500 Subject: [PATCH 3/9] Removed not needed libtool control la files in dependencies Ticket: ENT-13016 Changelog: none --- deps-packaging/leech/cfbuild-leech.spec | 3 +-- deps-packaging/librsync/cfbuild-librsync.spec | 3 +-- deps-packaging/libyaml/cfbuild-libyaml.spec | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/deps-packaging/leech/cfbuild-leech.spec b/deps-packaging/leech/cfbuild-leech.spec index 4f1aa72dd..a437def74 100644 --- a/deps-packaging/leech/cfbuild-leech.spec +++ b/deps-packaging/leech/cfbuild-leech.spec @@ -21,7 +21,6 @@ mkdir -p %{_builddir} ./configure --prefix=%{prefix} --enable-shared --disable-static rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/libleech.a -rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/libleech.la %build @@ -31,6 +30,7 @@ make rm -rf ${RPM_BUILD_ROOT} make install DESTDIR=${RPM_BUILD_ROOT} +rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/libleech.la %clean rm -rf $RPM_BUILD_ROOT @@ -59,6 +59,5 @@ CFEngine Build Automation -- leech -- development files %{prefix}/include/*.h %dir %{prefix}/lib -%{prefix}/lib/*.la %changelog diff --git a/deps-packaging/librsync/cfbuild-librsync.spec b/deps-packaging/librsync/cfbuild-librsync.spec index e3be8bc21..534d828d9 100644 --- a/deps-packaging/librsync/cfbuild-librsync.spec +++ b/deps-packaging/librsync/cfbuild-librsync.spec @@ -53,7 +53,6 @@ touch -t 0001010102 ar-lib ./configure --prefix=%{prefix} --enable-shared --disable-static rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/librsync.a -rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/librsync.la %build @@ -63,6 +62,7 @@ make rm -rf ${RPM_BUILD_ROOT} make install DESTDIR=${RPM_BUILD_ROOT} +rm -f ${RPM_BUILD_ROOT}%{prefix}/lib/librsync.la %clean rm -rf $RPM_BUILD_ROOT @@ -91,7 +91,6 @@ CFEngine Build Automation -- librsync -- development files %{prefix}/include/*.h %dir %{prefix}/lib -%{prefix}/lib/*.la %{prefix}/lib/pkgconfig %changelog diff --git a/deps-packaging/libyaml/cfbuild-libyaml.spec b/deps-packaging/libyaml/cfbuild-libyaml.spec index b2de6669f..8ad3ebe70 100644 --- a/deps-packaging/libyaml/cfbuild-libyaml.spec +++ b/deps-packaging/libyaml/cfbuild-libyaml.spec @@ -33,6 +33,7 @@ $MAKE %install rm -rf ${RPM_BUILD_ROOT} $MAKE DESTDIR=${RPM_BUILD_ROOT} install +rm -rf ${RPM_BUILD_ROOT}%{prefix}/lib/libyaml.la %clean rm -rf $RPM_BUILD_ROOT @@ -65,7 +66,6 @@ CFEngine Build Automation -- lmdb -- development files %dir %{prefix}/lib %{prefix}/lib/pkgconfig %{prefix}/lib/*.a -%{prefix}/lib/*.la %changelog From 920d7391da65a2fbeca1472a11fa731af565227d Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 24 Oct 2025 13:27:35 -0500 Subject: [PATCH 4/9] Adjusted rpm deps and packaging to allow /var/cfengine/lib as an RPATH entry Adjusted rpm packaging to allow empty manifest lists such as debug symbols Some dependencies don't generate symbols even when BUILD_TYPE=DEBUG aka with_debugsym 0 and __strip /bin/true as options to rpmbuild. Ticket: ENT-13016 Changelog: none --- build-scripts/package | 2 ++ deps-packaging/pkg-build-rpm | 14 ++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/build-scripts/package b/build-scripts/package index 71252da14..f156b8ac7 100755 --- a/build-scripts/package +++ b/build-scripts/package @@ -225,6 +225,8 @@ rpm | lpp) # eval is needed to preserve spaces in arguments within quotes # Example: --define 'with_expansion 1' needs to be passed as two args log_debug "Building RPM package with rpmbuild" + # rhel-10 rpmbuild is more picky about /var/cfengine/lib RPATH we need + export QA_RPATHS=2 # this is a set of bit flags, we just want 0x0002 here eval rpmbuild -bb \ --define "'_topdir $BASEDIR/$PKG'" \ --define "'buildprefix $BUILDPREFIX'" \ diff --git a/deps-packaging/pkg-build-rpm b/deps-packaging/pkg-build-rpm index 2039562aa..72b4d2d6e 100755 --- a/deps-packaging/pkg-build-rpm +++ b/deps-packaging/pkg-build-rpm @@ -76,11 +76,15 @@ if [ $TARGET != native ]; then exit 42 fi +# deps packages may result in binaries without debug symbols even when debugsym=yes aka BUILD_TYPE=DEBUG +# to avoid rpmbuild errors when this occurs, allow empties +RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define '_empty_manifest_terminate_build 0'" + case "$TESTS" in no) - RPMBUILD_OPTIONS="--define 'with_testsuite 0'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 0'";; yes) - RPMBUILD_OPTIONS="--define 'with_testsuite 1'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 1'";; *) fatal "Unknown tests option: $TESTS";; esac @@ -112,6 +116,12 @@ fi # example cmd --define 'a b': # - argv[1] = --define # - argv[2] = a b + +# We have /var/cfengine/lib in RPATHS which should be OK +# We asked in https://github.com/rpm-software-management/rpm/issues/3982, and it seems allowing this is OK +# 0x0002 - contains an invalid RPATH - in our case /var/cfengine/lib is OK so allow it as an exception +# Here we only want to specify this one flag: 0x0002. Sadly these scripts run on POSIX shell (especially e.g. aix71 runs as /bin/sh which is ksh) so no bitwise operators. Add them together manually to a decimal integer. +export QA_RPATHS=2 # 0x0002 all by itself, no &(ands) eval rpmbuild -bb \ --define "'_topdir $BASEDIR/$PKGNAME'" \ --define "'version $VERSION'" \ From 15f0d5e11504e29ce38ca500f516f86e1ae06abf Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 28 Oct 2025 15:11:44 -0500 Subject: [PATCH 5/9] Adjusted CFEngine package script to allow /var/cfengine/lib RPATH in binaries Setting QA_RPATHS=$(( 0x0002 )) is our best way of working around this with newer rpmbuild versions since rhel-10. Ticket: ENT-13016 Changelog: none From 203ab33c0b691ae664680cbc629dd55b195a6359 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 28 Oct 2025 17:18:54 -0500 Subject: [PATCH 6/9] Added a smidge of Rocky Linux support here Just enough to get started with a build. No official support intended (yet). Ticket: ENT-13016 Changelog: none --- build-scripts/detect-environment | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build-scripts/detect-environment b/build-scripts/detect-environment index 81d0831a7..dff3f597c 100644 --- a/build-scripts/detect-environment +++ b/build-scripts/detect-environment @@ -129,7 +129,7 @@ detect_distribution() { # CentOS Linux release 7.6.1810 (Core) OS=centos ;; - "Red Hat Enterprise Linux "*) + "Red Hat Enterprise Linux "*|"Rocky Linux release "*) # Example output for RHEL: # Red Hat Enterprise Linux release 8.10 (Ootpa) OS=rhel From 400b3cf1478bba5282d312c738253f5c4682d9d5 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 29 Oct 2025 13:59:19 -0500 Subject: [PATCH 7/9] Added Debian 13 platform support Ticket: ENT-13164 Changelog: title --- build-scripts/labels.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/build-scripts/labels.txt b/build-scripts/labels.txt index 38a10171b..dfcff7b10 100644 --- a/build-scripts/labels.txt +++ b/build-scripts/labels.txt @@ -4,6 +4,8 @@ PACKAGES_HUB_x86_64_linux_debian_11 PACKAGES_HUB_arm_64_linux_debian_11 PACKAGES_HUB_x86_64_linux_debian_12 PACKAGES_HUB_arm_64_linux_debian_12 +PACKAGES_HUB_x86_64_linux_debian_13 +PACKAGES_HUB_arm_64_linux_debian_13 PACKAGES_HUB_x86_64_linux_redhat_7 PACKAGES_HUB_x86_64_linux_redhat_8 @@ -21,6 +23,8 @@ PACKAGES_x86_64_linux_debian_11 PACKAGES_arm_64_linux_debian_11 PACKAGES_x86_64_linux_debian_12 PACKAGES_arm_64_linux_debian_12 +PACKAGES_x86_64_linux_debian_13 +PACKAGES_arm_64_linux_debian_13 PACKAGES_x86_64_linux_redhat_7 PACKAGES_x86_64_linux_redhat_8 From a085c95d64a2df1f4849ba7aba19c6512d0fa4a7 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Sat, 1 Nov 2025 18:00:22 -0500 Subject: [PATCH 8/9] Fixed small shellcheck nit in ci/setup-cfengine-build-host.sh script Ticket: none Changelog: none --- ci/setup-cfengine-build-host.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/setup-cfengine-build-host.sh b/ci/setup-cfengine-build-host.sh index 610c26b34..36c2da242 100755 --- a/ci/setup-cfengine-build-host.sh +++ b/ci/setup-cfengine-build-host.sh @@ -30,7 +30,7 @@ elif [ -f /etc/os-release ]; then fi fi if [ "$ID" = "ubuntu" ]; then - _version=$(echo "$VERSION_ID" | cut -d. -f1) + _version="$(echo "$VERSION_ID" | cut -d. -f1)" if [ "$_version" -lt "16" ]; then echo "Platform $ID $VERSION_ID is too old." exit 9 From 4818babb340a8ae6a19d02124ac711e6a3e35edd Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Sat, 1 Nov 2025 16:59:06 -0500 Subject: [PATCH 9/9] Fixed packaging to handle cf-php-fpm sysvinit script properly for client and hub /etc/init.d/cf-php-fpm script is always installed via core but causes trouble during packaging on redhat-7 and should be removed for all client packages. Ticket: ENT-13319 Changelog: none (cherry picked from commit 9fa6875d7d39f2bd02be9d273c83313548a6d6d5) --- .../cfengine-community/cfengine-community.spec.in | 10 ++++++---- .../cfengine-nova-hub/cfengine-nova-hub.spec.in | 12 ++++++++---- packaging/cfengine-nova/cfengine-nova.spec.aix.in | 3 +++ packaging/cfengine-nova/cfengine-nova.spec.in | 3 +++ packaging/cfengine-nova/debian/rules | 3 ++- 5 files changed, 22 insertions(+), 9 deletions(-) diff --git a/packaging/cfengine-community/cfengine-community.spec.in b/packaging/cfengine-community/cfengine-community.spec.in index 55a1b2eda..293d8d2ad 100644 --- a/packaging/cfengine-community/cfengine-community.spec.in +++ b/packaging/cfengine-community/cfengine-community.spec.in @@ -63,10 +63,11 @@ rm -f $RPM_BUILD_ROOT%{prefix}/bin/curl rm -f $RPM_BUILD_ROOT%{prefix}/bin/wcurl rm -rf $RPM_BUILD_ROOT%{prefix}/ssl -# For el9+ and suse-15+ we started seeing issues from other packages not expecting init scripts -%if %{?rhel}%{!?rhel:0} >= 9 || %{?suse_version}%{!?suse_version:0} >= 1500 +# For el8+ and suse-15+ we started seeing issues from other packages not expecting init scripts +%if %{?rhel}%{!?rhel:0} >= 8 || %{?suse_version}%{!?suse_version:0} >= 1500 rm -f $RPM_BUILD_ROOT/etc/sysconfig/cfengine3 rm -f $RPM_BUILD_ROOT/etc/init.d/cfengine3 +rm -f $RPM_BUILD_ROOT/etc/init.d/cf-php-fpm rm -f $RPM_BUILD_ROOT/etc/profile.d/cfengine3.sh %endif @@ -149,12 +150,13 @@ done %endif # Globally installed configs, scripts -%if %{?rhel}%{!?rhel:0} < 9 && %{?suse_version}%{!?suse_version:0} < 1500 +%if %{?rhel}%{!?rhel:0} < 8 && %{?suse_version}%{!?suse_version:0} < 1500 %attr(644,root,root) /etc/sysconfig/cfengine3 %attr(755,root,root) /etc/profile.d/cfengine3.sh # ENT-11901 -# For el9+ and suse15+ we started seeing issues from other packages not expecting init scripts +# For el8+ and suse15+ we started seeing issues from other packages not expecting init scripts %attr(755,root,root) /etc/init.d/cfengine3 +%attr(755,root,root) /etc/init.d/cf-php-fpm %endif # Systemd units diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in index 74ace020d..0a95de657 100644 --- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in +++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in @@ -82,10 +82,12 @@ cp -a %{prefix}/* $RPM_BUILD_ROOT%{prefix} cp -a %{_basedir}/cfengine/dist/* $RPM_BUILD_ROOT # ENT-11901 -# For el9+ we started seeing issues from other packages not expecting init scripts -%if %{?rhel}%{!?rhel:0} >= 9 +# For el8+ we started seeing issues from other packages not expecting init scripts +# If sysvinit scripts other than cfengine3 are present, such as cf-php-fpm, they will fail with systemctl operations due to not supporting chkconfig. +%if %{?rhel}%{!?rhel:0} >= 8 rm -f $RPM_BUILD_ROOT/etc/sysconfig/cfengine3 rm -f $RPM_BUILD_ROOT/etc/init.d/cfengine3 +rm -f $RPM_BUILD_ROOT/etc/init.d/cf-php-fpm rm -f $RPM_BUILD_ROOT/etc/profile.d/cfengine.sh %endif # Remove useless stuff @@ -347,9 +349,11 @@ exit 0 # Initscript, other configuration %defattr(755,root,root,755) # ENT-11901 -# For el9+ we started seeing issues from other packages not expecting init scripts -%if %{?rhel}%{!?rhel:0} < 9 +# For el8+ we started seeing issues from other packages not expecting init scripts +# ENT-13319 we found that rhel-8 also exhibited this behavior so adjusted el9+ to el8+ +%if %{?rhel}%{!?rhel:0} < 8 /etc/init.d/cfengine3 +/etc/init.d/cf-php-fpm /etc/profile.d/cfengine.sh %attr(644,root,root) /etc/sysconfig/cfengine3 %endif diff --git a/packaging/cfengine-nova/cfengine-nova.spec.aix.in b/packaging/cfengine-nova/cfengine-nova.spec.aix.in index aff7e6fd0..1fae9f57d 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.aix.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.aix.in @@ -42,6 +42,9 @@ rm -f $RPM_BUILD_ROOT%{prefix}/bin/openssl rm -f $RPM_BUILD_ROOT%{prefix}/bin/curl rm -rf $RPM_BUILD_ROOT%{prefix}/ssl +# For client we never want hub-specific things +rm -f $RPM_BUILD_ROOT/init.d/cf-php-fpm + %clean rm -rf $RPM_BUILD_ROOT diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in index c6bd7fc16..94bb72cf6 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.in @@ -57,6 +57,9 @@ mkdir -p $RPM_BUILD_ROOT%{prefix} cp -a %{prefix}/* $RPM_BUILD_ROOT%{prefix} cp -a %{_basedir}/cfengine/dist/* $RPM_BUILD_ROOT +# for cfengine-nova (client) we never want cf-php-fpm service, that is only for cfengine-nova-hub +rm -f $RPM_BUILD_ROOT/etc/init.d/cf-php-fpm + # ENT-11901 # For el9+ and suse-15+ we started seeing issues from other packages not expecting init scripts %if %{?rhel}%{!?rhel:0} >= 9 || %{?suse_version}%{!?suse_version:0} >= 1500 diff --git a/packaging/cfengine-nova/debian/rules b/packaging/cfengine-nova/debian/rules index f6b777cc9..ff362457d 100755 --- a/packaging/cfengine-nova/debian/rules +++ b/packaging/cfengine-nova/debian/rules @@ -38,7 +38,8 @@ install: build rm -f $(CURDIR)/debian/tmp$(PREFIX)/bin/openssl rm -f $(CURDIR)/debian/tmp$(PREFIX)/bin/curl rm -rf $(CURDIR)/debian/tmp$(PREFIX)/ssl - +# remove hub-specific files + rm -f $(CURDIR)/debian/tmp/etc/init.d/cf-php-fpm # Debian is different