#!/usr/bin/env bash
# Copyright (c) 2021, NVIDIA CORPORATION. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
function assert_usage() {
echo "Incorrect arguments: $*"
echo "$(basename ${BASH_SOURCE[0]}) PACKAGE_REPO_ROOT [SHA]"
echo "\tPACKAGE_REPO_ROOT: The path to the libnvidia-container repository"
echo "\tSHA: The SHA / reference to release. [Default: HEAD]"
exit 1
}
set -e
SCRIPTS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )"/../scripts && pwd )"
PROJECT_ROOT="$( cd ${SCRIPTS_DIR}/.. && pwd )"
if [[ $# -lt 1 || $# -gt 2 ]]; then
assert_usage $*
fi
source "${SCRIPTS_DIR}"/utils.sh
PACKAGE_REPO_ROOT=$1
if [[ ! -d ${PACKAGE_REPO_ROOT} ]]; then
echo "The specified PACKAGE_REPO_ROOT '${PACKAGE_REPO_ROOT}' must exist"
exit 1
fi
: ${REFERENCE:="HEAD"}
if [[ $# -ge 2 ]]; then
REFERENCE=$2
fi
SHA=$(git rev-parse --short=8 ${REFERENCE})
IMAGE_NAME="ghcr.io/nvidia/container-toolkit"
IMAGE_TAG=${SHA}-packaging
: ${VERSION:="$(get_version_from_image ${IMAGE_NAME}:${IMAGE_TAG} ${SHA})"}
REPO="experimental"
if [[ ${VERSION/rc./} == ${VERSION} ]]; then
REPO="stable"
fi
PACKAGE_CACHE=release-${VERSION}-${REPO}
echo "Fetching packages with SHA '${SHA}' as tag '${VERSION}' to ${PACKAGE_CACHE}"
${SCRIPTS_DIR}/../hack/pull-packages.sh \
${IMAGE_NAME}:${IMAGE_TAG} \
${PACKAGE_CACHE}
: ${ALL_RPMS:="$(find ${PACKAGE_CACHE} -name "*.rpm" -exec basename {} \; | sort | uniq)"}
: ${ALL_DEBS:="$(find ${PACKAGE_CACHE} -name "*.deb" -exec basename {} \; | sort | uniq)"}
PACKAGE_REPO_ROOT=$(cd "${PACKAGE_REPO_ROOT}" && pwd)
echo "Updating ${REPO} repo at ${PACKAGE_REPO_ROOT}"
docker build \
-t nvidia/toolkit-deb-pkg-signer \
-f ${SCRIPTS_DIR}/Dockerfile.sign.deb \
${SCRIPTS_DIR}
docker build \
-t nvidia/toolkit-rpm-pkg-signer \
-f ${SCRIPTS_DIR}/Dockerfile.sign.rpm \
${SCRIPTS_DIR}
function sync() {
local target=$1
local src_root=$2
local dst_root=$3
local by_package_type=$4
local src_dist=${target%-*}
local dst_dist=${src_dist/amazonlinux/amzn}
local pkg_type=unknown
local arch=${target##*-}
local dst_arch=${arch}
case ${src_dist} in
amazonlinux*) pkg_type=rpm
;;
centos*) pkg_type=rpm
;;
debian*) pkg_type=deb
;;
fedora*) pkg_type=rpm
;;
opensuse-leap*) pkg_type=rpm
;;
ubuntu*) pkg_type=deb
dst_arch=${arch//ppc64le/ppc64el}
;;
*) echo "ERROR: unexpected distribution ${src_dist}"
exit 1
;;
esac
if [[ x"${by_package_type}" == x"true" ]]; then
dst_dist=${pkg_type}
fi
local src=${src_root}/${src_dist}/${arch}
local dst=${dst_root}/${dst_dist}/${dst_arch}
if [[ ! -d ${src} || -z $(ls ${src}/*.${pkg_type}) ]]; then
echo "Skipping ${src}"
return
fi
mkdir -p ${dst}
for f in $(ls ${src}/libnvidia-container*.${pkg_type} ${src}/nvidia-container-toolkit*.${pkg_type}); do
# We never release nvidia-container-toolkit-operator-extensions packages
if [[ "${f/"nvidia-container-toolkit-operator-extensions"/}" != "${f}" ]]; then
echo "Skipping ${f}"
continue
fi
df=${dst}/$(basename ${f})
df_stable=${df//"/experimental/"/"/stable/"}
if [[ -f "${df}" ]]; then
echo "${df} already exists; skipping"
elif [[ ${REPO} == "experimental" && -f ${df_stable} ]]; then
echo "${df_stable} already exists; skipping"
else
cp ${f} ${df}
fi
done
}
targets=${all[@]}
_current_branch=$(git -C ${PACKAGE_REPO_ROOT} rev-parse --abbrev-ref HEAD)
if [[ x"${_current_branch}" != x"gh-pages" ]]; then
echo "It is expected that the gh-pages branch be checked out"
exit 1
fi
: ${UPSTREAM_REMOTE:="origin"}
: ${UPSTREAM_REFERENCE:="${UPSTREAM_REMOTE}/gh-pages"}
git -C ${PACKAGE_REPO_ROOT} reset --hard ${UPSTREAM_REFERENCE}
git -C ${PACKAGE_REPO_ROOT} clean -fdx ${REPO}
for target in ${targets[@]}; do
echo "checking target=${target}"
by_package_type=
case ${target} in
ubuntu18.04-* | centos7-*)
by_package_type="true"
;;
centos8-ppc64le)
by_package_type="false"
;;
*)
echo "Skipping target ${target}"
continue
;;
esac
sync ${target} ${PACKAGE_CACHE}/packages ${PACKAGE_REPO_ROOT}/${REPO} ${by_package_type}
done
git -C ${PACKAGE_REPO_ROOT} add ${REPO}
# Experimental / release candidate release
git -C ${PACKAGE_REPO_ROOT} commit -s -F- <<EOF
Add packages for NVIDIA Container Toolkit ${VERSION} ${REPO} release
These include:
* libnvidia-container* ${LIBNVIDIA_CONTAINER_PACKAGE_VERSION}
* nvidia-container-toolkit ${NVIDIA_CONTAINER_TOOLKIT_PACKAGE_VERSION}
EOF
: ${MASTER_KEY_PATH:? Path to master key MASTER_KEY_PATH must be set}
: ${SUB_KEY_PATH:? Path to sub key SUB_KEY_PATH must be set}
: ${GPG_LOCAL_USER:? GPG_LOCAL_USER must be set}
: ${GNUPG_CONF:=$(mktemp -d -t nvidia-container-toolkit-package-XXXXXXXXXX)}
function sign() {
local pkg_type=$1
docker run -it --rm \
-e ALL_DEBS="${ALL_DEBS}" \
-e ALL_RPMS="${ALL_RPMS}" \
-e GPG_LOCAL_USER="${GPG_LOCAL_USER}" \
-e TARGETS="${targets}" \
-v ${PACKAGE_REPO_ROOT}/${REPO}:/sign-packages \
-v ${MASTER_KEY_PATH}:/keys/master.key:ro \
-v ${SUB_KEY_PATH}:/keys/sub.key:ro \
-v ${SCRIPTS_DIR}:/helpers \
-w /sign-packages \
nvidia/toolkit-${pkg_type}-pkg-signer \
bash -x -c "
export GPG_TTY=\$(tty);
gpg --import /keys/master.key;
gpg --import /keys/sub.key;
/helpers/packages-sign-all.sh;
"
}
sign deb
git -C ${PACKAGE_REPO_ROOT} add ${REPO}
git -C ${PACKAGE_REPO_ROOT} commit -s -m "fixup! Add packages for NVIDIA Container Toolkit ${VERSION} ${REPO} release"
sign rpm
git -C ${PACKAGE_REPO_ROOT} add ${REPO}
git -C ${PACKAGE_REPO_ROOT} commit -s -m "fixup! Add packages for NVIDIA Container Toolkit ${VERSION} ${REPO} release"
echo "To publish changes, go to ${PACKAGE_REPO_ROOT} and run:"
echo " git rebase -i ${UPSTREAM_REFERENCE}"