From 0eff3a77c18179994544a2e60d4bdda57f88f0b0 Mon Sep 17 00:00:00 2001 From: Jacquin Antoine Date: Sun, 1 Mar 2026 00:12:44 +0100 Subject: [PATCH] refactor(packaging): migrate from fpm to rpmbuild for RPM packaging - Replace fpm with native rpmbuild in Dockerfile.package - Setup proper rpmbuild directory structure (BUILD, RPMS, SOURCES, SPECS) - Make spec file version dynamic via %{?build_version} macro - Improve %post script with better systemd detection and error handling - RPM now correctly uses VERSION build argument Builds RPM packages for el8, el9, and el10 distributions. Co-authored-by: Qwen-Coder --- Dockerfile.package | 139 +++++++++------------------------ packaging/rpm/ja4sentinel.spec | 22 +++--- 2 files changed, 49 insertions(+), 112 deletions(-) diff --git a/Dockerfile.package b/Dockerfile.package index 136b353..fd5afb0 100644 --- a/Dockerfile.package +++ b/Dockerfile.package @@ -46,7 +46,7 @@ RUN mkdir -p dist && \ ./cmd/ja4sentinel # ============================================================================= -# Stage 2: RPM Builder - Build RPM pour CentOS 7, Rocky 8/9/10, AlmaLinux +# Stage 2: RPM Builder - Build RPM pour Rocky 8/9/10, AlmaLinux using rpmbuild # ============================================================================= FROM rockylinux:9 AS rpm-builder 
@@ -55,122 +55,59 @@ WORKDIR /package # VERSION must be redeclared for each stage that needs it ARG VERSION=1.0.0 -# Install fpm and rpm tools (Rocky Linux 9) -# fpm does not require libpcap - only needed for building the Go binary +# Install rpm-build tools (Rocky Linux 9) RUN dnf install -y \ rpm \ rpm-build \ - ruby \ - rubygems \ gcc \ make \ - && dnf clean all \ - && gem install fpm -v 1.16.0 --no-document + && dnf clean all -# Copy binary from Go builder -COPY --from=builder /build/dist/ja4sentinel /tmp/pkgroot/usr/bin/ja4sentinel -# Copy systemd service and config directly (not from builder) -COPY packaging/systemd/ja4sentinel.service /tmp/pkgroot/usr/lib/systemd/system/ja4sentinel.service -COPY packaging/systemd/config.yml /tmp/pkgroot/etc/ja4sentinel/config.yml.default -COPY packaging/systemd/config.yml /tmp/pkgroot/usr/share/ja4sentinel/config.yml -COPY packaging/rpm/postinst /tmp/scripts/postinst -COPY packaging/rpm/prerm /tmp/scripts/prerm -COPY packaging/rpm/postrm /tmp/scripts/postrm +# Setup rpmbuild directory structure +RUN mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} -# Create directories and set permissions -RUN mkdir -p /tmp/pkgroot/var/lib/ja4sentinel && \ - mkdir -p /tmp/pkgroot/var/log/ja4sentinel && \ - mkdir -p /tmp/pkgroot/var/run/ja4sentinel && \ - chmod 755 /tmp/pkgroot/usr/bin/ja4sentinel && \ - chmod 644 /tmp/pkgroot/usr/lib/systemd/system/ja4sentinel.service && \ - chmod 640 /tmp/pkgroot/etc/ja4sentinel/config.yml.default && \ - chmod 640 /tmp/pkgroot/usr/share/ja4sentinel/config.yml && \ - chmod 750 /tmp/pkgroot/var/lib/ja4sentinel && \ - chmod 750 /tmp/pkgroot/var/log/ja4sentinel && \ - chmod 750 /tmp/pkgroot/var/run/ja4sentinel && \ - chmod 750 /tmp/pkgroot/etc/ja4sentinel && \ - chmod 755 /tmp/scripts/* +# Copy spec file +COPY packaging/rpm/ja4sentinel.spec /root/rpmbuild/SPECS/ja4sentinel.spec + +# Copy binary from Go builder and other files to SOURCES +COPY --from=builder /build/dist/ja4sentinel 
/root/rpmbuild/SOURCES/ja4sentinel +COPY packaging/systemd/ja4sentinel.service /root/rpmbuild/SOURCES/ja4sentinel.service +COPY packaging/systemd/config.yml /root/rpmbuild/SOURCES/config.yml + +# Set permissions +RUN chmod 755 /root/rpmbuild/SOURCES/ja4sentinel && \ + chmod 644 /root/rpmbuild/SOURCES/ja4sentinel.service && \ + chmod 640 /root/rpmbuild/SOURCES/config.yml # Build RPM for Rocky Linux 8 (el8) # Note: Requires libpcap at runtime -RUN mkdir -p /packages/rpm/el8 && \ - fpm -s dir -t rpm \ - -n ja4sentinel \ - -v "${VERSION}" \ - -C /tmp/pkgroot \ - --architecture "x86_64" \ - --rpm-dist el8 \ - --description "JA4 TLS fingerprinting daemon for network monitoring" \ - --url "https://github.com/your-repo/ja4sentinel" \ - --license "MIT" \ - --vendor "JA4Sentinel Team " \ - --depends "systemd" \ - --depends "libpcap" \ - --after-install /tmp/scripts/postinst \ - --before-remove /tmp/scripts/prerm \ - --after-remove /tmp/scripts/postrm \ - -p /packages/rpm/el8/ja4sentinel-${VERSION}-1.el8.x86_64.rpm \ - usr/bin/ja4sentinel \ - usr/lib/systemd/system/ja4sentinel.service \ - etc/ja4sentinel/config.yml.default \ - usr/share/ja4sentinel/config.yml \ - var/lib/ja4sentinel \ - var/log/ja4sentinel \ - var/run/ja4sentinel +RUN rpmbuild --define "_topdir /root/rpmbuild" \ + --define "dist .el8" \ + --define "build_version ${VERSION}" \ + --target x86_64 \ + -bb /root/rpmbuild/SPECS/ja4sentinel.spec && \ + mkdir -p /packages/rpm/el8 && \ + cp /root/rpmbuild/RPMS/x86_64/*.el8.x86_64.rpm /packages/rpm/el8/ # Build RPM for Rocky Linux 9 (el9) # Note: Requires libpcap at runtime -RUN mkdir -p /packages/rpm/el9 && \ - fpm -s dir -t rpm \ - -n ja4sentinel \ - -v "${VERSION}" \ - -C /tmp/pkgroot \ - --architecture "x86_64" \ - --rpm-dist el9 \ - --description "JA4 TLS fingerprinting daemon for network monitoring" \ - --url "https://github.com/your-repo/ja4sentinel" \ - --license "MIT" \ - --vendor "JA4Sentinel Team " \ - --depends "systemd" \ - --depends "libpcap" \ - 
--after-install /tmp/scripts/postinst \ - --before-remove /tmp/scripts/prerm \ - --after-remove /tmp/scripts/postrm \ - -p /packages/rpm/el9/ja4sentinel-${VERSION}-1.el9.x86_64.rpm \ - usr/bin/ja4sentinel \ - usr/lib/systemd/system/ja4sentinel.service \ - etc/ja4sentinel/config.yml.default \ - usr/share/ja4sentinel/config.yml \ - var/lib/ja4sentinel \ - var/log/ja4sentinel \ - var/run/ja4sentinel +RUN rpmbuild --define "_topdir /root/rpmbuild" \ + --define "dist .el9" \ + --define "build_version ${VERSION}" \ + --target x86_64 \ + -bb /root/rpmbuild/SPECS/ja4sentinel.spec && \ + mkdir -p /packages/rpm/el9 && \ + cp /root/rpmbuild/RPMS/x86_64/*.el9.x86_64.rpm /packages/rpm/el9/ # Build RPM for AlmaLinux 10 (el10) - compatible with Rocky Linux 10 # Note: Requires libpcap at runtime -RUN mkdir -p /packages/rpm/el10 && \ - fpm -s dir -t rpm \ - -n ja4sentinel \ - -v "${VERSION}" \ - -C /tmp/pkgroot \ - --architecture "x86_64" \ - --rpm-dist el10 \ - --description "JA4 TLS fingerprinting daemon for network monitoring" \ - --url "https://github.com/your-repo/ja4sentinel" \ - --license "MIT" \ - --vendor "JA4Sentinel Team " \ - --depends "systemd" \ - --depends "libpcap" \ - --after-install /tmp/scripts/postinst \ - --before-remove /tmp/scripts/prerm \ - --after-remove /tmp/scripts/postrm \ - -p /packages/rpm/el10/ja4sentinel-${VERSION}-1.el10.x86_64.rpm \ - usr/bin/ja4sentinel \ - usr/lib/systemd/system/ja4sentinel.service \ - etc/ja4sentinel/config.yml.default \ - usr/share/ja4sentinel/config.yml \ - var/lib/ja4sentinel \ - var/log/ja4sentinel \ - var/run/ja4sentinel +RUN rpmbuild --define "_topdir /root/rpmbuild" \ + --define "dist .el10" \ + --define "build_version ${VERSION}" \ + --target x86_64 \ + -bb /root/rpmbuild/SPECS/ja4sentinel.spec && \ + mkdir -p /packages/rpm/el10 && \ + cp /root/rpmbuild/RPMS/x86_64/*.el10.x86_64.rpm /packages/rpm/el10/ # ============================================================================= # Stage 3: Output - Image finale avec 
les packages RPM diff --git a/packaging/rpm/ja4sentinel.spec b/packaging/rpm/ja4sentinel.spec index e69a037..32887dd 100644 --- a/packaging/rpm/ja4sentinel.spec +++ b/packaging/rpm/ja4sentinel.spec @@ -1,5 +1,5 @@ Name: ja4sentinel -Version: 1.0.2 +Version: %{?build_version}%{!?build_version:1.0.0} Release: 1%{?dist} Summary: JA4 TLS fingerprinting daemon for network monitoring License: MIT @@ -62,25 +62,25 @@ exit 0 %post # Set proper ownership -chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel -chown -R ja4sentinel:ja4sentinel /var/run/ja4sentinel -chown -R ja4sentinel:ja4sentinel /var/log/ja4sentinel -chown -R ja4sentinel:ja4sentinel /etc/ja4sentinel +chown -R ja4sentinel:ja4sentinel /var/lib/ja4sentinel 2>/dev/null || true +chown -R ja4sentinel:ja4sentinel /var/run/ja4sentinel 2>/dev/null || true +chown -R ja4sentinel:ja4sentinel /var/log/ja4sentinel 2>/dev/null || true +chown -R ja4sentinel:ja4sentinel /etc/ja4sentinel 2>/dev/null || true # Set proper permissions -chmod 750 /var/lib/ja4sentinel -chmod 750 /var/log/ja4sentinel -chmod 750 /etc/ja4sentinel +chmod 750 /var/lib/ja4sentinel 2>/dev/null || true +chmod 750 /var/log/ja4sentinel 2>/dev/null || true +chmod 750 /etc/ja4sentinel 2>/dev/null || true # Install config if not exists if [ ! -f /etc/ja4sentinel/config.yml ]; then cp /usr/share/ja4sentinel/config.yml /etc/ja4sentinel/config.yml - chown ja4sentinel:ja4sentinel /etc/ja4sentinel/config.yml + chown ja4sentinel:ja4sentinel /etc/ja4sentinel/config.yml 2>/dev/null || true chmod 640 /etc/ja4sentinel/config.yml fi -# Enable and start service (systemd macro for compatibility) -if [ $1 -eq 1 ] && [ -x /bin/systemctl ]; then +# Reload systemd and enable service (only if systemd is running) +if [ -x /bin/systemctl ] && [ -d /run/systemd/system ]; then /bin/systemctl daemon-reload /bin/systemctl enable ja4sentinel.service 2>/dev/null || : /bin/systemctl start ja4sentinel.service 2>/dev/null || :
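Review bot: `--define "build_version ${VERSION}"` in the three rpmbuild RUN steps passes the VERSION build argument to rpm unchecked. rpm expands macro syntax inside a defined value and rejects a Version that contains `-`. A guard ahead of the first rpmbuild call would fail fast on a malformed value, for example `RUN case "${VERSION}" in ''|*[!0-9A-Za-z._+~^]*) echo "invalid VERSION" >&2; exit 1;; esac`. The same three steps stamp .el8, .el9 and .el10 onto one binary packaged on rockylinux:9. Whether the generated Requires can be satisfied on el8 depends on the builder stage and the spec's dependency settings, both outside this hunk.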
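Review bot: The fallback in `Version: %{?build_version}%{!?build_version:1.0.0}` is lower than the 1.0.2 this line replaces, so a build that omits the define, or uses the Dockerfile default `ARG VERSION=1.0.0`, produces a package that rpm orders before 1.0.2. If 1.0.2 was ever installed anywhere, dnf would not treat such a build as an update, and later fixes would not reach those hosts. I would keep the fallback at the last released version, `Version: %{?build_version}%{!?build_version:1.0.2}`, or drop the fallback so that an undefined build_version fails the build.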
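Review bot: The new condition `[ -x /bin/systemctl ] && [ -d /run/systemd/system ]` drops the `$1 -eq 1` first-install test, so %post now runs `systemctl enable` and `systemctl start` on every upgrade and re-enables a service an administrator had disabled. Keep the install-only guard next to the new systemd check: `if [ "$1" -eq 1 ] && [ -x /bin/systemctl ] && [ -d /run/systemd/system ]; then`. Separately, the added `2>/dev/null || true` on the chown and chmod lines hides any failure to apply the 750 modes, while `chmod 640` on config.yml is left unguarded. Declaring owner and mode with `%attr` in %files would let rpm apply and verify them instead. The `if` block opened here is closed outside the hunk.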