docker-ce-packaging

Adds RHEL 8 and RHEL 9 support for s390x

Open nirmannarang opened this issue 4 years ago • 5 comments

Added Dockerfile for rhel-8 and sles-15. Added spec files rpm/SPECS/checkpolicy.spec, rpm/SPECS/policycoreutils.spec for sles-15 support. Modified rpm/SPECS/docker-ce.spec for adding support for sles-15 with btrfs support. Modified rpm/Makefile to add support for sles-15 and rhel-8.

Signed-off-by: Nirman Narang [email protected]

nirmannarang, Aug 10 '21 04:08

I'm a bit lost in the woods currently on the SELinux issue for SLES on s390x. It's a bit hard for me to check all versions, because I don't have a SLES subscription/license, but AFAICS, the current situation is;

  • for containerd, there's an exception for SLES, and container-selinux is removed as dependency: https://github.com/docker/containerd-packaging/blob/8c11ccb8295aba8a65d55c7fa53b146ba103d67a/rpm/containerd.spec#L55-L59
  • for docker engine, we don't have this exception https://github.com/docker/docker-ce-packaging/blob/950efb4c0bdf714fc32cc7017df811cd2633e180/rpm/SPECS/docker-ce.spec#L21
  • to provide (the specified version of) the container-selinux package, we instruct users to enable the openSUSE repository (as the SLES repo only has an older version (?)) https://download.opensuse.org/repositories/security:/SELinux/SLE_15_SP3/noarch/

This works, because the container-selinux package is a noarch package, but it has policycoreutils and selinux-tools as dependency;

curl -O https://ftp.gwdg.de/pub/opensuse/repositories/security:/SELinux/SLE_15_SP3/noarch/container-selinux-2.164.2-16.15.noarch.rpm
rpm -qpR ./container-selinux-2.164.2-16.15.noarch.rpm
warning: ./container-selinux-2.164.2-16.15.noarch.rpm: Header V3 DSA/SHA1 Signature, key ID 93b832ee: NOKEY
/bin/sh
/bin/sh
/bin/sh
/bin/sh
/usr/bin/sed
policycoreutils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
selinux-policy >= 20210716-112.1
selinux-policy-base >= 20210716
selinux-policy-targeted >= 20210716
selinux-tools

And, while the openSUSE repository does provide packages for x86 and ppc64le, it does not support s390x; https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/

You mention:

We need policycoreutils rpm while building as well as while installing the docker-ce binaries. Since the version required is not available in repo, we have to build it from source.

  • Do you know where that version requirement is set? (the container-selinux package doesn't look to define a specific (minimum) version)
  • or is policycoreutils not available at all in the default SLES repositories (for s390x)? This page describes packages for s390x, so I think they're available, but perhaps older versions only? https://www.suse.com/support/update/announcement/2019/suse-ru-20191417-1/

I'm "comfortable" with installing a newer version of container-selinux, as provided (and maintained) by the openSUSE packagers, but less so with the entire SELinux toolset (besides the GPL Licensing issue). IIUC, this means we'll be upgrading those tools to a version that's not maintained by SUSE (who may be maintaining patches specific to the distro), and will be upgrading to a version that's not supported by them. Upgrading those tools may have more impact than just for their use for containers, and I don't know if running such versions will invalidate support contracts with SUSE (?).

At least it would probably be better to build from the openSUSE source packages (including the patches), instead of directly from upstream, that way the package would match the things we install from the opensuse repository.

Do we know why the openSUSE repository has ppc64le but not s390x ? Is it because they don't have the hardware for s390x?

thaJeztah, Sep 03 '21 11:09

Hi @thaJeztah,

The version issue is observed when we try to install selinux-policy. We need policycoreutils >= 3.2 & checkpolicy >= 3.2 for installing selinux-policy. policycoreutils is available in the default SLES repositories (for s390x), but that is of lower version.

  • Attaching the log for reference
#10 340.8 Building repository 'SELinux (SLE_15_SP2)' cache [....done]
#10 340.9 All repositories have been refreshed.
#10 341.2 Refreshing service 'container-suseconnect-zypp'.
#10 341.4 Problem retrieving the repository index file for service 'container-suseconnect-zypp':
#10 341.4 [container-suseconnect-zypp|file:/usr/lib/zypp/plugins/services/container-suseconnect-zypp]
#10 341.4 Warning: Skipping service 'container-suseconnect-zypp' because of the above error.
#10 341.4 Loading repository data...
#10 341.6 Reading installed packages...
#10 341.8 Resolving package dependencies...
#10 341.9 2 Problems:
#10 341.9 Problem: nothing provides 'policycoreutils >= 3.2' needed by the to be installed selinux-policy-20210716-110.1.noarch
#10 341.9 Problem: nothing provides 'checkpolicy >= 3.2' needed by the to be installed selinux-policy-devel-20210716-110.1.noarch
#10 341.9
#10 341.9 Problem: nothing provides 'policycoreutils >= 3.2' needed by the to be installed selinux-policy-20210716-110.1.noarch
#10 341.9  Solution 1: do not install selinux-policy-20210716-110.1.noarch
#10 341.9  Solution 2: break selinux-policy-20210716-110.1.noarch by ignoring some of its dependencies
#10 341.9
#10 341.9 Choose from above solutions by number or skip, retry or cancel [1/2/s/r/c/d/?] (c): c

I am not aware why the openSUSE repository doesn't have support for s390x.

anujajakhade, Sep 03 '21 11:09
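
An added example, not part of the original thread or the project's code: a small parser that pulls the unmet requirements out of a zypper solver log like the one quoted above, de-duplicates them, and checks them against the versions a repository offers. The function names and the "available" versions passed in are assumptions for illustration; the version comparison only handles plain dotted numbers such as 3.2.

```python
import re
from collections import defaultdict

# Constructed sample: solver lines copied from the build log quoted in the comment above.
SAMPLE_LOG = """\
#10 341.9 2 Problems:
#10 341.9 Problem: nothing provides 'policycoreutils >= 3.2' needed by the to be installed selinux-policy-20210716-110.1.noarch
#10 341.9 Problem: nothing provides 'checkpolicy >= 3.2' needed by the to be installed selinux-policy-devel-20210716-110.1.noarch
#10 341.9
#10 341.9 Problem: nothing provides 'policycoreutils >= 3.2' needed by the to be installed selinux-policy-20210716-110.1.noarch
#10 341.9  Solution 1: do not install selinux-policy-20210716-110.1.noarch
"""

UNMET = re.compile(
    r"nothing provides '(?P<name>[^\s']+)(?:\s+(?P<op>[<>=]+)\s+(?P<ver>[^\s']+))?'"
    r" needed by the to be installed (?P<needed_by>\S+)"
)

def unmet_requirements(log_text):
    """Return {(name, op, version): [packages needing it]}, de-duplicated."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = UNMET.search(line)
        if m:
            found[(m["name"], m["op"], m["ver"])].add(m["needed_by"])
    return {req: sorted(pkgs) for req, pkgs in found.items()}

def _vtuple(version):
    # Simplified: plain dotted numeric versions only. This is NOT rpm's full
    # version comparison (no epoch, release or alphabetic segments).
    return tuple(int(part) for part in version.split("."))

def satisfied(req, available):
    """True if `available` (hypothetical {name: version} map) meets the requirement."""
    name, op, ver = req
    have = available.get(name)
    if have is None:
        return False
    if op is None:
        return True
    a, b = _vtuple(have), _vtuple(ver)
    return {">=": a >= b, ">": a > b, "=": a == b, "<=": a <= b, "<": a < b}[op]

def report(log_text, available):
    """Map each unmet capability in the log to whether `available` would satisfy it."""
    return {req[0]: satisfied(req, available) for req in unmet_requirements(log_text)}
```
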

Hi @thaJeztah, I have updated the PR with the latest changes. Could you please review the same?

prabhav-thali, Apr 26 '22 16:04

Hi @thaJeztah, I have updated the PR with the latest changes, which include an updated spec file for policycoreutils-3.4, and also added a Dockerfile for RHEL 9. Could you please review?

prabhav-thali, Sep 28 '22 07:09

Hi @thaJeztah, I have made the required changes by removing the SLES changes from PR as decided. Could you please review?

prabhav-thali, Dec 06 '22 07:12