{"id":19607073,"url":"https://github.com/bookingcom/rules_rpmbuild","last_synced_at":"2026-03-19T10:46:27.946Z","repository":{"id":215094628,"uuid":"738087194","full_name":"bookingcom/rules_rpmbuild","owner":"bookingcom","description":null,"archived":false,"fork":false,"pushed_at":"2024-01-24T15:56:22.000Z","size":129,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-10-09T19:39:16.607Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Starlark","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bookingcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-02T11:45:12.000Z","updated_at":"2024-05-30T12:34:42.000Z","dependencies_parsed_at":"2025-01-10T08:45:44.843Z","dependency_job_id":null,"html_url":"https://github.com/bookingcom/rules_rpmbuild","commit_stats":null,"previous_names":["bookingcom/rules_rpmbuild"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bookingcom/rules_rpmbuild","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Frules_rpmbuild","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Frules_rpmbuild/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Frules_rpmbuild/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Frules_rpmbuild/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bookingcom
","download_url":"https://codeload.github.com/bookingcom/rules_rpmbuild/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Frules_rpmbuild/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29490360,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T19:29:10.908Z","status":"ssl_error","status_checked_at":"2026-02-15T19:29:10.419Z","response_time":118,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T10:08:43.950Z","updated_at":"2026-02-15T22:04:47.363Z","avatar_url":"https://github.com/bookingcom.png","language":"Starlark","funding_links":[],"categories":[],"sub_categories":[],"readme":"# rules_rpmbuild\n\nComplete rules for rpmbuild packaging. 
These rules are inspired by the legacy mode\nof `rules_pkg` rpmbuild tooling, but with the added advantage of being able to handle\na fake container where rpmbuild gets called, allowing users of the rule to install\nextra packages required for each build file, isolating the build process from the\nhost where the build is happening.\n\n## Usage\n\nFor usage look into the `examples` directory.\n\n## Debugging\n\nSometimes a build fails and you want to debug it. Since Bazel 7, `/tmp` is by default mapped\nand isolated from the host, which is great for builds but a pain for anyone trying\nto debug what's going on. If you enable the `--noincompatible_sandbox_hermetic_tmp` flag on the\nbuild, `/tmp` doesn't get mapped and you can debug inside `/tmp/rpmbuild`.\n\nThe best approach to debug is to try to build your RPM with `--noincompatible_sandbox_hermetic_tmp`,\nwait for the build to fail, and then execute:\n\n```bash\nbazel run @rules_rpmbuild//cmd/fake-container -- /tmp/rpmbuild bash\ncd /rpmbuild\nrpmbuild --verbose -bb {spec-file}\n```\n\n{spec-file} is copied and not symlinked, so if you make changes in your host you need to\ncopy it into `/tmp/rpmbuild/rpmbuild` before running a new build.\n\n## How to use\n\nThe way these rules work is rather simple (even though it looks complex). First, we make use\nof [bazeldnf](https://github.com/rmohr/bazeldnf) to manage the RPMs we put into the\nfake container. The _bazel bzlmod_ support we need from bazeldnf hasn't been\nmerged yet, which is why your `MODULE.bazel` needs a block like:\n\n```python\nBAZELDNF_COMMIT = \"8e110d32399ab1c3db08e18f015b3e7e092a27de\"\n\nbazel_dep(name = \"bazeldnf\", version = \"0.6.0\")\narchive_override(\n    module_name = \"bazeldnf\",\n    integrity = \"sha256-x1+AOKCknpmFjGfdPJ5cR6+lhjjKX0zh5vlVn2YYHuM=\",\n    strip_prefix = \"bazeldnf-%s\" % BAZELDNF_COMMIT,\n    urls = [\n        \"https://github.com/bookingcom/bazeldnf/archive/%s.tar.gz\" % BAZELDNF_COMMIT,\n    ],\n)\n```\n\nWe're 
working with the bazeldnf team to get bazeldnf merged. Once that's merged we will\nrelease to the bazel central registry as well.\n\n_bazeldnf_ is used to create a fake container that contains rpmbuild for your distribution.\nWe provide an example one for CentOS7 in the `rpmtree` directory, together with a\npublic rpm mirror configuration under `rpm-repos`.\n\nIn order to generate your distribution `rpm-build` rpm tree you will start by creating your\nown rpm repo yaml configuration file pointing to all the repositories you need.\n\nThen you can generate the rpm tree by running:\n\n```bash\nbazel run @rules_rpmbuild//rpmbuild:bazeldnf -- fetch --repofile {config.yaml}\n\n# on CentOS7 there's a special rpm called filesystem which creates\n# a working file system, with some symlinks; this one is hard to\n# run properly so we need to strip it out\nbazel run @rules_rpmbuild//rpmbuild:bazeldnf -- rpmtree \\\n    --repofile {config.yaml} \\\n    --arch {your-target-arch} \\\n    --basesystem {your-base-system for centos-release} \\\n    --bzlmod \\\n    --lock-file {path-to-your-filesystem-lockfile} \\\n    --name {your filesystem rpmtree name} \\\n    filesystem\n\nbazel run @rules_rpmbuild//rpmbuild:bazeldnf -- rpmtree \\\n    --repofile {config.yaml} \\\n    --arch {your-target-arch} \\\n    --basesystem {your-base-system for centos-release} \\\n    --bzlmod \\\n    --lock-file {path-to-your-rpm-build-lockfile} \\\n    --name {your rpm-build rpmtree name} \\\n    rpm-build\n```\n\nThen you need to create a `BUILD.bazel` with:\n\n```python\nload(\"@{your filesystem rpmtree name}//:rpms.bzl\", _filesystem = \"RPMS\")\nload(\"@{your rpm-build rpmtree name}//:rpms.bzl\", \"RPMS\")\nload(\"@rules_rpmbuild//rpmbuild:bootstrap.bzl\", \"bootstrap\")\n\nbootstrap(\n    name = \"rpm-build\",\n    filesystem = _filesystem,\n    rpm_install_flags = [\n        # you may need a few flags to rpm --install, these are the ones we collected for CentOS7\n        
\"--excludepath=/var/spool/mail\",\n        \"--excludepath=/usr/libexec/utempter\",\n        \"--excludepath=/usr/bin/write\",\n        \"--excludepath=/usr/libexec/dbus-1/dbus-daemon-launch-helper\",\n    ],\n    rpm_rpmtree = \"@{your rpm-build rpm tree name}//:rpms\",\n    rpms = RPMS,\n    visibility = [\"//visibility:public\"],\n)\n```\n\nOnce you have `rpm-build` available, it is time to build your spec file.\n\nMost likely you require extra dependencies. For that we will create\nanother rpm tree; for example, to generate the one for `bash` we did:\n\n```bash\nbazel run @rules_rpmbuild//rpmbuild:bazeldnf -- rpmtree \\\n    --repofile ../../rpm-repos/centos7.yaml \\\n    --arch x86_64 \\\n    --basesystem centos-release \\\n    --bzlmod \\\n    --lock-file bash-rpm-deps.json \\\n    --name bash-rpm-deps \\\n    make texinfo bison ncurses-devel autoconf gettext gcc gcc-c++ coreutils\n```\n\n### Fake containers\n\nTo create a fake container without requiring a container runtime like `docker` we use\na setup based on Linux namespaces with overrides. The concept is not so hard,\nbut it's too complex to describe as part of this document. A good reference paper\n[is this one](https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces#);\nwe recommend you read it and try to grasp it.\n\nBasically we use namespaces to create a fake environment running with a regular user\nwhere inside the environment the system thinks it's running as root (with root\nmapped to the caller user), we isolate the network, and we chroot into the fake\ncontainer root. 
We also bind mount a few special files required for `rpm` and\n`rpmbuild` to work, like `/dev/urandom`, `/dev/random` and `/dev/null`.\n\nThe build is not yet 100% reproducible: you need rpm-build \u003e= 4.13, which is not\navailable for all CentOS versions. Once CentOS 7 is finally EOL we will do the\nfull change.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Frules_rpmbuild","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbookingcom%2Frules_rpmbuild","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Frules_rpmbuild/lists"}