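---
# Ansible playbook: rebuild the Nginx mainline source RPM for CentOS 7 with
# OpenSSL and PCRE compiled in from upstream tarballs, using the devtoolset-6
# compiler, plus an optional ngx_pagespeed dynamic-module subpackage.
#
# Variables read from variables.yml: nginx_ver, openssl_src, pcre_version,
# rpm_release, ngx_pagespeed_version, build_ngx_pagespeed_module.
#
# Supply-chain summary for reviewers:
#   * Nginx SRPM       - signature checked with rpmkeys against nginx_signing.key
#   * OpenSSL tarball  - detached signature checked with gpgv
#   * PCRE, ngx_pagespeed, PSOL - fetched over HTTPS with NO signature or
#     checksum check (see the NOTE(review) comments on those tasks)
# A failed task stops the play, so a failed verification aborts the build
# before rpmbuild runs.
- hosts: all
  vars_files:
    - variables.yml
  vars:
    nginx_src_rpm: "nginx-{{ nginx_ver }}.el7.ngx.src.rpm"
  tasks:
    # ---------------------------------------------------------------------
    # Build host preparation
    # ---------------------------------------------------------------------
    - name: Install EPEL Yum repo
      yum:
        name: epel-release
        state: present
      become: true
      become_user: root

    - name: Install build tools from CentOS repos
      yum:
        name: "{{ item }}"
        state: present
      become: true
      become_user: root
      with_items:
        - ca-certificates
        - curl
        - libcurl
        - git
        - glib2
        - rsync
        - make
        - patch
        - bzip2
        - xz
        - tar
        - autoconf
        - automake
        - libtool
        - zlib-devel
        - glibc-devel
        - libaio-devel
        - pcre-devel
        - nss-devel
        - nss-softokn-devel
        - nss-softokn-freebl-devel
        - nspr-devel
        - libgcrypt-devel
        - libgpg-error-devel
        - libatomic_ops-devel
        - libxslt-devel
        - gd-devel
        # GeoIP-devel was listed twice in the original; one entry is enough.
        - GeoIP-devel
        - rpm-build
        - redhat-rpm-config
        - mock
        - scl-utils
        - centos-release-scl-rh
        - sudo

    - name: Install build tools from Devtoolset-6 repo
      yum:
        name: "{{ item }}"
        state: present
      become: true
      become_user: root
      with_items:
        - devtoolset-6-make
        - devtoolset-6-binutils
        - devtoolset-6-gcc
        - devtoolset-6-gcc-c++

    # ---------------------------------------------------------------------
    # Trust anchors
    # The key files are copied from the playbook's own files, so the
    # integrity of this repository is the root of trust for both checks below.
    # ---------------------------------------------------------------------
    - name: Create directory for signing keys
      file:
        dest: '~/keys'
        state: directory

    - name: Copy OpenSSL signing keys
      copy:
        src: openssl_signers.asc
        dest: '~/keys/openssl_signers.asc'

    - name: Copy Nginx signing key
      copy:
        src: nginx_signing.key
        dest: '~/keys/nginx_signing.key'

    # Imports into the build user's default GnuPG keyring, which the gpgv
    # task below reads as pubring.gpg.
    - name: Import OpenSSL signing keys
      command: gpg --import ~/keys/openssl_signers.asc

    # Imports into the system RPM keyring (hence sudo); rpmkeys -K consults it.
    - name: Import Nginx signign key
      command: sudo rpm --import ~/keys/nginx_signing.key

    # ---------------------------------------------------------------------
    # Nginx source RPM
    # ---------------------------------------------------------------------
    # The tree is wiped on every run, so the non-idempotent spec edits below
    # always start from a freshly extracted nginx.spec.
    - name: Delete recursively old rpmbuild directory
      file:
        dest: '~/rpmbuild'
        state: absent

    - name: Create new rpmbuild directory
      file:
        dest: '~/rpmbuild/BUILD'
        state: directory
        recurse: true

    # Fetched over HTTPS rather than plain HTTP; the signature check below
    # remains the actual integrity control.
    - name: Download Nginx RPM source package
      get_url:
        url: "https://nginx.org/packages/mainline/centos/7/SRPMS/{{ nginx_src_rpm }}"
        dest: '~/rpmbuild/nginx-src.rpm'

    # rpmkeys -K can exit 0 for a package that carries only digests and no
    # signature at all, so the exit status alone does not prove the SRPM was
    # signed. Require at least one "Signature, key ID" line in the verbose
    # output as well; an unknown or bad key already yields a non-zero status.
    - name: Verify Nginx RPM source package signature
      command: rpmkeys -v -K ~/rpmbuild/nginx-src.rpm
      register: nginx_srpm_check
      changed_when: false
      failed_when: >-
        nginx_srpm_check.rc != 0
        or 'Signature, key ID' not in
        (nginx_srpm_check.stdout + nginx_srpm_check.stderr)

    # Unpacks nginx.spec and the bundled sources into ~/rpmbuild.
    - name: Extract Nginx RPM source package
      shell: rpm -i ~/rpmbuild/nginx-src.rpm

    # ---------------------------------------------------------------------
    # OpenSSL (compiled in via --with-openssl)
    # ---------------------------------------------------------------------
    - name: Download OpenSSL
      get_url:
        url: "https://www.openssl.org/source/{{ openssl_src }}.tar.gz"
        dest: "~/rpmbuild/SOURCES/{{ openssl_src }}.tar.gz"

    - name: Download OpenSSL source package signature file
      get_url:
        url: "https://www.openssl.org/source/{{ openssl_src }}.tar.gz.asc"
        dest: '~/rpmbuild/openssl.tar.gz.asc'

    # gpgv exits non-zero on a bad or unverifiable signature, which fails the
    # task. NOTE(review): "--keyring pubring.gpg" has no path component, so it
    # resolves inside the GnuPG home directory and every key already present
    # in this user's keyring is accepted as a signer, not only the keys from
    # openssl_signers.asc. A dedicated keyring file holding only the OpenSSL
    # release keys would narrow that.
    - name: Verify OpenSSL source signature
      command: gpgv --keyring pubring.gpg -v ~/rpmbuild/openssl.tar.gz.asc ~/rpmbuild/SOURCES/{{ openssl_src }}.tar.gz
      changed_when: false

    # No "replace:" value is given, so each matching line is deleted.
    - name: 'Modify RPM spec: remove openssl package dependencies'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Build)?Requires: (lib)?openssl[^\n]*\n'

    # ---------------------------------------------------------------------
    # PCRE (compiled in via --with-pcre)
    # ---------------------------------------------------------------------
    # NOTE(review): unlike the Nginx SRPM and the OpenSSL tarball, this
    # archive is compiled into the package without any signature or checksum
    # check; HTTPS only authenticates the server. Pinning a digest through
    # get_url's "checksum" parameter
    # (checksum: "sha256:<PINNED_SHA256_PLACEHOLDER>") would close that gap.
    - name: Download PCRE
      get_url:
        url: "https://ftp.pcre.org/pub/pcre/pcre-{{ pcre_version }}.tar.bz2"
        dest: "~/rpmbuild/SOURCES/pcre-{{ pcre_version }}.tar.bz2"

    # No "replace:" value is given, so each matching line is deleted.
    - name: 'Modify RPM spec: remove pcre package dependencies'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Build)?Requires: (lib)?pcre[^\n]*\n'

    # Each BASE_CONFIGURE_ARGS task re-opens the closing '")' of the macro
    # definition and appends one more configure flag before it.
    - name: 'Modify RPM spec: build with static PCRE library'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --with-pcre=../pcre-{{ pcre_version }}")'
        backrefs: true

    # ---------------------------------------------------------------------
    # Toolchain and build requirements
    # ---------------------------------------------------------------------
    - name: 'Modify RPM spec: add libatomic_ops-devel as a build requirement'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(BuildRequires: zlib-devel\n)'
        replace: '\1BuildRequires: libatomic_ops-devel\n'

    # The pattern is unanchored, so the line is added after every
    # "if 0%{?rhel} == ..." conditional in the spec.
    - name: 'Modify RPM spec: add CentOS SCL release as a build requirement'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '(if 0%\{\?rhel\} == .*\n)'
        replace: '\1BuildRequires: centos-release-scl-rh\n'

    - name: 'Modify RPM spec: add devtoolset-6 as a build requirement'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '(%if 0%\{\?rhel\} == .*\n)'
        replace: '\1BuildRequires: devtoolset-6-gcc\nBuildRequires: devtoolset-6-gcc-c++\nBuildRequires: devtoolset-6-binutils\nBuildRequires: devtoolset-6-make\n'

    # Prefix every ./configure and make line so they run with the
    # devtoolset-6 environment enabled.
    - name: 'Modify RPM spec: use devtoolset-6'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '(^(?:\./configure|make) )'
        replace: 'source /opt/rh/devtoolset-6/enable && \1'

    # ---------------------------------------------------------------------
    # Configure flags
    # ---------------------------------------------------------------------
    - name: 'Modify RPM spec: enable PCRE JIT'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --with-pcre-jit")'
        backrefs: true

    - name: 'Modify RPM spec: build PCRE with PIC option'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --with-pcre-opt=\"-fPIC\"")'
        backrefs: true

    - name: 'Modify RPM spec: build with static OpenSSL library'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --with-openssl=../{{ openssl_src }}")'
        backrefs: true

    # Inserts an extra configure line between the BASE_CONFIGURE_ARGS line
    # and the --with-cc-opt line; "no-dtls" is passed to the OpenSSL build.
    - name: 'Modify RPM spec: build OpenSSL with custom options'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '(./configure %{BASE_CONFIGURE_ARGS} \\\n)( *--with-cc-opt="%{WITH_CC_OPT}" \\\n)'
        replace: '\1 --with-openssl-opt="no-dtls" \\\n\2'

    - name: 'Modify RPM spec: build with dynamic libatomic_ops'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --with-libatomic")'
        backrefs: true

    # Depends on the --with-openssl-opt line inserted above: the --build
    # string is placed immediately before it.
    - name: 'Modify RPM spec: add build identifier'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '(./configure %{BASE_CONFIGURE_ARGS} \\\n)( *--with-openssl-opt=[^\n]* \\\n)'
        replace: '\1 --build="github.com/istenrot/centos-nginx-http2: SSE2, {{ openssl_src }}, PCRE JIT, TCP Fast Open" \\\n\2'

    # NOTE(review): -DTCP_FASTOPEN=23 presumably supplies the socket option
    # number for build hosts whose headers lack it - confirm.
    - name: 'Modify RPM spec: CC options'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define WITH_CC_OPT.*)$'
        line: '\1 -mmmx -msse -msse2 -DTCP_FASTOPEN=23'
        backrefs: true

    # ---------------------------------------------------------------------
    # Package metadata
    # ---------------------------------------------------------------------
    - name: 'Modify RPM spec: update release'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^%define main_release .*\.ngx$'
        line: '%define main_release {{ rpm_release }}.el7.exove'

    - name: 'Modify RPM spec: update package vendor'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^Vendor: .*$'
        line: 'Vendor: Nginx, Inc. and Google, Inc.'

    - name: 'Modify RPM spec: update package URL'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^URL: .*$'
        line: 'URL: https://github.com/istenrot/centos-nginx-http2'

    # ---------------------------------------------------------------------
    # Register the extra sources in the spec
    # ---------------------------------------------------------------------
    # Captures the highest existing SourceN index; the added sources are
    # numbered +1 (OpenSSL), +2 (PCRE), +3 (ngx_pagespeed) and +4 (PSOL).
    # Read-only, so it never reports a change.
    - name: 'Register last number of Source lines in RPM spec file'
      shell: grep -P "^Source[0-9]+:" ~/rpmbuild/SPECS/nginx.spec | tail -n 1 | sed "s/^Source\([0-9]\+\):.*$/\1/"
      register: num_sources
      changed_when: false

    # The Source URL recorded in the SRPM uses HTTPS, matching the download.
    - name: 'Modify RPM spec: add OpenSSL sources to src rpm build'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Source\d+: [^\n]+\n)(^\n)'
        replace: '\1Source{{ num_sources.stdout | int + 1 }}: https://www.openssl.org/source/{{ openssl_src }}.tar.gz\n\2'

    - name: 'Modify RPM spec: add PCRE sources to src rpm build'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Source\d+: [^\n]+\n)(^\n)'
        replace: '\1Source{{ num_sources.stdout | int + 2 }}: https://ftp.pcre.org/pub/pcre/pcre-{{ pcre_version }}.tar.bz2\n\2'

    # Unpacks OpenSSL in %prep and runs its ./config under devtoolset-6
    # before the stock "%setup -q" for Nginx itself.
    - name: 'Modify RPM spec: modify %prep macros to extract OpenSSL tar file'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%prep\n)(%setup -q\n)'
        replace: '\1%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n\2'

    # Anchors on the exact OpenSSL %prep lines written by the previous task.
    - name: 'Modify RPM spec: modify %prep macros to extract PCRE tar file'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%prep\n%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n)'
        replace: '\1%setup -q -T -D -n pcre-{{ pcre_version }} -b {{ num_sources.stdout | int + 2 }}\n'

    # ---------------------------------------------------------------------
    # Optional ngx_pagespeed dynamic module
    # (every task is gated on build_ngx_pagespeed_module)
    # ---------------------------------------------------------------------
    # NOTE(review): neither archive below is checked against a signature or
    # a pinned digest before it is built into the module; PSOL is unpacked
    # into the module tree as a prebuilt archive. Pinning digests through
    # get_url's "checksum" parameter
    # (checksum: "sha256:<PINNED_SHA256_PLACEHOLDER>") would make a changed
    # upstream artifact fail the build instead of shipping silently.
    - name: Download ngx_pagespeed
      get_url:
        url: "https://github.com/pagespeed/ngx_pagespeed/archive/v{{ ngx_pagespeed_version }}-beta.tar.gz"
        dest: "~/rpmbuild/SOURCES/ngx_pagespeed-{{ ngx_pagespeed_version }}-beta.tar.gz"
      when: build_ngx_pagespeed_module

    - name: Download PSOL library
      get_url:
        url: "https://dl.google.com/dl/page-speed/psol/{{ ngx_pagespeed_version }}.tar.gz"
        dest: "~/rpmbuild/SOURCES/psol-{{ ngx_pagespeed_version }}.tar.gz"
      when: build_ngx_pagespeed_module

    # Appends the subpackage definition to the spec; the marker is a bare
    # newline instead of the usual BEGIN/END comment lines.
    - name: 'Modify RPM spec: add nginx-module-pagespeed as a subpackage'
      blockinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        marker: "\n"
        block: |
          %package module-pagespeed
          Summary: ngx_pagespeed dynamic module for Nginx
          Vendor: Google, Inc. and contributors
          License: ASL 2.0
          Provides: ngx_pagespeed-{{ ngx_pagespeed_version }}-beta
          Requires: nginx = %{?epoch:%{epoch}:}%{main_version}-%{main_release}
          %description module-pagespeed
          ngx_pagespeed dynamic module for Nginx.
          %files module-pagespeed
          %defattr(-,root,root)
          %attr(0755,root,root) %dir %{_libdir}/nginx
          %attr(0755,root,root) %dir %{_libdir}/nginx/modules
          %{_libdir}/nginx/modules/ngx_pagespeed.so
      when: build_ngx_pagespeed_module

    - name: 'Modify RPM spec: add ngx_pagespeed as dynamic module'
      lineinfile:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%define BASE_CONFIGURE_ARGS.*)"\)$'
        line: '\1 --add-dynamic-module=../ngx_pagespeed-{{ ngx_pagespeed_version }}-beta")'
        backrefs: true
      when: build_ngx_pagespeed_module

    - name: 'Modify RPM spec: add ngx_pagespeed sources to src rpm build'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Source\d+: [^\n]+\n)(^\n)'
        replace: '\1Source{{ num_sources.stdout | int + 3 }}: ngx_pagespeed-{{ ngx_pagespeed_version }}-beta.tar.gz\n\2'
      when: build_ngx_pagespeed_module

    - name: 'Modify RPM spec: add PSOL sources to src rpm build'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(Source\d+: [^\n]+\n)(^\n)'
        replace: '\1Source{{ num_sources.stdout | int + 4 }}: psol-{{ ngx_pagespeed_version }}.tar.gz\n\2'
      when: build_ngx_pagespeed_module

    # -b unpacks the module source; -a then unpacks PSOL inside that tree.
    - name: 'Modify RPM spec: modify %prep macros to extract ngx_pagespeed tar files'
      replace:
        dest: '~/rpmbuild/SPECS/nginx.spec'
        regexp: '^(%prep\n%setup -q -T -D -n {{ openssl_src }} -b {{ num_sources.stdout | int + 1 }}\nsource /opt/rh/devtoolset-6/enable && ./config\n)'
        replace: '\1%setup -q -T -D -n ngx_pagespeed-{{ ngx_pagespeed_version }}-beta -b {{ num_sources.stdout | int + 3 }}\n%setup -q -T -D -n ngx_pagespeed-{{ ngx_pagespeed_version }}-beta -a {{ num_sources.stdout | int + 4 }}\n'
      when: build_ngx_pagespeed_module

    # ---------------------------------------------------------------------
    # Build
    # ---------------------------------------------------------------------
    # -ba builds both the binary RPMs and a new source RPM from the edited
    # spec, with the devtoolset-6 environment enabled.
    - name: Build RPM packages
      shell: source /opt/rh/devtoolset-6/enable && rpmbuild -ba ~/rpmbuild/SPECS/nginx.spec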