Sergey, thanks a lot for the review, I’ve added the checker as you suggested.

  
>Четверг, 9 апреля 2020, 17:55 +03:00 от Sergey Bronnikov <sergeyb@tarantool.org>:
> 
>Sasha, thanks for the patch!
>
>it would be useful to use 'set -uf -o pipefail' at the
>beginning of script in addition to 'set -e'.
>
>LGTM
>
>On 08:33 Thu 09 Apr , Alexander V. Tikhonov wrote:
>> Added ability to remove given in options package from S3. TO remove the
>> needed package need to set '-r=<package name with version>' option,
>> like:
>> ./tools/update_repo.sh -o=<OS> -d=<DIST> -b=<S3 repo> \
>> -r=tarantool-2.2.2.0
>> it will remove all found appropriate source and binaries packages from
>> the given S3 repository, also the meta files will be corrected there.
>>
>> Close #4839
>> ---
>>
>> Github:  https://github.com/tarantool/tarantool/tree/avtikhon/gh-4839-s3-script-full-ci
>> Issue:  https://github.com/tarantool/tarantool/issues/4839
>>
>> tools/update_repo.sh | 389 ++++++++++++++++++++++++++++++++++---------
>> 1 file changed, 309 insertions(+), 80 deletions(-)
>>
>> diff --git a/tools/update_repo.sh b/tools/update_repo.sh
>> index df94cd1ee..9459c2997 100755
>> --- a/tools/update_repo.sh
>> +++ b/tools/update_repo.sh
>> @@ -8,6 +8,7 @@ ws_prefix=/tmp/tarantool_repo_s3
>>
>> alloss='ubuntu debian el fedora'
>> product=tarantool
>> +remove=
>> force=
>> skip_errors=
>> # the path with binaries either repository
>> @@ -62,6 +63,9 @@ Usage for store package binaries from the given path:
>> Usage for mirroring Debian|Ubuntu OS repositories:
>> $0 -o=<OS name> -d=<OS distribuition> -b=<S3 bucket> [-p=<product>] <path to packages binaries>
>>
>> +Usage for removing specific package from S3 repository:
>> + $0 -o=<OS name> -d=<OS distribuition> -b=<S3 bucket> [-p=<product>] -r <package version> <path to packages binaries>
>> +
>> Arguments:
>> <path>
>> Path points to the directory with deb/prm packages to be used.
>> @@ -101,6 +105,24 @@ EOF
>> - for RPM packages:
>> # prepare local path with needed "tarantool-queue-*" packages only
>> ./$0 -b=s3://<target repository> -o=fedora -d=30 <local path>
>> + -r|--remove
>> + Remove package specified by version from S3 repository. It will remove
>> + all found appropriate source and binaries packages from the given S3
>> + repository, also the meta files will be corrected there.
>> + Example of usage on 'tarantool-2.2.2.0' version:
>> + ./tools/update_repo.sh -o=<OS> -d=<DIST> -b=<S3 repo> \\
>> + -r=tarantool-2.2.2.0
>> + It will search and try to remove packages:
>> + - for DEB repositories:
>> + tarantool-2.2.2.0-1_all.deb
>> + tarantool-2.2.2.0-1_amd64.deb
>> + tarantool-2.2.2.0-1.dsc
>> + tarantool-2.2.2.0-1.debian.tar.xz
>> + tarantool-2.2.2.0.orig.tar.xz
>> + - for RPM repositories:
>> + x86_64/tarantool-2.2.2.0-1.*.x86_64.rpm
>> + x86_64/tarantool-2.2.2.0-1.*.noarch.rpm
>> + SRPMS/tarantool-2.2.2.0--1.*.src.rpm
>> -f|--force
>> Force updating the remote package with the local one despite the checksum difference
>> -s|--skip_errors
>> @@ -134,6 +156,10 @@ case $i in
>> product="${i#*=}"
>> shift # past argument=value
>> ;;
>> + -r=*|--remove=*)
>> + remove="${i#*=}"
>> + shift # past argument=value
>> + ;;
>> -f|--force)
>> force=1
>> ;;
>> @@ -146,12 +172,15 @@ case $i in
>> ;;
>> *)
>> repo="${i#*=}"
>> - pushd $repo >/dev/null ; repo=$PWD ; popd >/dev/null
>> shift # past argument=value
>> ;;
>> esac
>> done
>>
>> +if [ "$remove" == "" ]; then
>> + pushd $repo >/dev/null ; repo=$PWD ; popd >/dev/null
>> +fi
>> +
>> # check that all needed options were set and correct
>> if [ "$bucket" == "" ]; then
>> echo "ERROR: need to set -b|--bucket bucket option, check usage"
>> @@ -195,7 +224,7 @@ function update_deb_packfile {
>>
>> # WORKAROUND: unknown why, but reprepro doesn`t save the Sources file,
>> # let`s recreate it manualy from it's zipped version
>> - [ ! -f $psources ] || gunzip -c $psources.gz >$psources
>> + gunzip -c $psources.gz >$psources
>>
>> # WORKAROUND: unknown why, but reprepro creates paths w/o distribution in
>> # it and no solution using configuration setup neither options
>> @@ -226,6 +255,8 @@ function update_deb_metadata {
>> touch $packpath.saved
>> fi
>>
>> + [ "$remove" == "" ] || cp $packpath.saved $packpath
>> +
>> if [ "$packtype" == "dsc" ]; then
>> # check if the DSC hash already exists in old Sources file from S3
>> # find the hash from the new Sources file
>> @@ -328,6 +359,135 @@ function update_deb_metadata {
>> cat $packpath >>$packpath.saved
>> }
>>
>> +function update_deb_dists {
>> + # 2(binaries). update Packages file archives
>> + for packpath in dists/$loop_dist/$component/binary-* ; do
>> + pushd $packpath
>> + if [ -f Packages ]; then
>> + sed -i '/./,$!d' Packages
>> + bzip2 -c Packages >Packages.bz2
>> + gzip -c Packages >Packages.gz
>> + fi
>> + popd
>> + done
>> +
>> + # 2(sources). update Sources file archives
>> + pushd dists/$loop_dist/$component/source
>> + if [ -f Sources ]; then
>> + sed -i '/./,$!d' Sources
>> + bzip2 -c Sources >Sources.bz2
>> + gzip -c Sources >Sources.gz
>> + fi
>> + popd
>> +
>> + # 3. update checksums entries of the Packages* files in *Release files
>> + # NOTE: it is stable structure of the *Release files when the checksum
>> + # entries in it in the following way:
>> + # MD5Sum:
>> + # <checksum> <size> <file orig>
>> + # <checksum> <size> <file debian>
>> + # SHA1:
>> + # <checksum> <size> <file orig>
>> + # <checksum> <size> <file debian>
>> + # SHA256:
>> + # <checksum> <size> <file orig>
>> + # <checksum> <size> <file debian>
>> + # The script bellow puts 'md5' value at the 1st found file entry,
>> + # 'sha1' - at the 2nd and 'sha256' at the 3rd
>> + pushd dists/$loop_dist
>> + for file in $(grep " $component/" Release | awk '{print $3}' | sort -u) ; do
>> + [ -f $file ] || continue
>> + sz=$(stat -c "%s" $file)
>> + md5=$(md5sum $file | awk '{print $1}')
>> + sha1=$(sha1sum $file | awk '{print $1}')
>> + sha256=$(sha256sum $file | awk '{print $1}')
>> + awk 'BEGIN{c = 0} ; {
>> + if ($3 == p) {
>> + c = c + 1
>> + if (c == 1) {print " " md " " s " " p}
>> + if (c == 2) {print " " sh1 " " s " " p}
>> + if (c == 3) {print " " sh2 " " s " " p}
>> + } else {print $0}
>> + }' p="$file" s="$sz" md="$md5" sh1="$sha1" sh2="$sha256" \
>> + Release >Release.new
>> + mv Release.new Release
>> + done
>> + # resign the selfsigned InRelease file
>> + $rm_file InRelease
>> + gpg --clearsign -o InRelease Release
>> + # resign the Release file
>> + $rm_file Release.gpg
>> + gpg -u $GPG_SIGN_KEY -abs -o Release.gpg Release
>> + popd
>> +
>> + # 4. sync the latest distribution path changes to S3
>> + $aws_sync_public dists/$loop_dist "$bucket_path/dists/$loop_dist"
>> +}
>> +
>> +function remove_deb {
>> + pushd $ws
>> +
>> + # get Release file
>> + relpath=dists/$option_dist
>> + $mk_dir $relpath
>> + $aws cp $bucket_path/$relpath/Release $relpath/
>> +
>> + # get Packages files
>> + for bindirs in $($aws ls $bucket_path/dists/$option_dist/$component/ \
>> + | awk '{print $2}' | grep -v 'source/' | sed 's#/##g') ; do
>> + packpath=$relpath/$component/$bindirs
>> + $mk_dir $packpath
>> + pushd $packpath
>> + $aws cp $bucket_path/$packpath/Packages .
>> +
>> + hashes_old=$(grep -e "^Filename: " -e "^SHA256: " Packages | \
>> + grep -A1 "$remove" | grep "^SHA256: " | awk '{print $2}')
>> + # NOTE: for the single file name may exists more than one
>> + # entry in damaged file, to fix it all found entries
>> + # of this file need to be removed
>> + # find and remove all package blocks for the bad hashes
>> + for hash_rm in $hashes_old ; do
>> + echo "Removing from Packages file old hash: $hash_rm"
>> + sed -i '1s/^/\n/' Packages
>> + pcregrep -Mi -v "(?s)Package: (\N+\n)+(?=SHA256: ${hash_rm}).*?^__BODY_HTML_PLACEHOLDER__quot; \
>> + Packages >Packages.new
>> + mv Packages.new Packages
>> + done
>> + popd
>> + done
>> +
>> + # get Sources file
>> + packpath=$relpath/$component/source
>> + $mk_dir $packpath
>> + pushd $packpath
>> + $aws cp $bucket_path/$packpath/Sources .
>> +
>> + hashes_old=$(grep '^Checksums-Sha256:' -A3 Sources | \
>> + grep " .* .* $remove" | awk '{print $1}')
>> + # NOTE: for the single file name may exists more than one
>> + # entry in damaged file, to fix it all found entries
>> + # of this file need to be removed
>> + # find and remove all package blocks for the bad hashes
>> + for hash_rm in $hashes_old ; do
>> + echo "Removing from Sources file old hash: $hash_rm"
>> + sed -i '1s/^/\n/' Sources
>> + pcregrep -Mi -v "(?s)Package: (\N+\n)+(?=^ ${hash_rm}).*?^__BODY_HTML_PLACEHOLDER__quot; \
>> + Sources >Sources.new
>> + mv Sources.new Sources
>> + done
>> + popd
>> +
>> + # call DEB dists path updater
>> + loop_dist=$option_dist
>> + update_deb_dists
>> +
>> + # remove all found file by the given pattern in options
>> + for suffix in '-1_all.deb' '-1_amd64.deb' '-1.dsc' '-1.debian.tar.xz' '.orig.tar.xz' ; do
>> + $aws ls "$bucket_path/$poolpath/${remove}$suffix" || continue
>> + $aws rm "$bucket_path/$poolpath/${remove}$suffix"
>> + done
>> +}
>> +
>> # The 'pack_deb' function especialy created for DEB packages. It works
>> # with DEB packing OS like Ubuntu, Debian. It is based on globally known
>> # tool 'reprepro' from:
>> @@ -339,18 +499,7 @@ function update_deb_metadata {
>> #  https://www.tarantool.io/en/download/os-installation/debian/
>> #  https://www.tarantool.io/en/download/os-installation/ubuntu/
>> function pack_deb {
>> - # we need to push packages into 'main' repository only
>> - component=main
>> -
>> - # debian has special directory 'pool' for packages
>> - debdir=pool
>> -
>> - # set the subpath with binaries based on literal character of the product name
>> - proddir=$(echo $product | head -c 1)
>> -
>> # copy single distribution with binaries packages
>> - repopath=$ws/pool/${option_dist}/$component/$proddir/$product
>> - $mk_dir ${repopath}
>> file_found=0
>> for file in $repo/*.deb $repo/*.dsc $repo/*.tar.*z ; do
>> [ -f $file ] || continue
>> @@ -450,68 +599,8 @@ EOF
>> mv $sources.saved $sources
>> fi
>>
>> - # 2(binaries). update Packages file archives
>> - for packpath in dists/$loop_dist/$component/binary-* ; do
>> - pushd $packpath
>> - if [ -f Packages ]; then
>> - sed -i '/./,$!d' Packages
>> - bzip2 -c Packages >Packages.bz2
>> - gzip -c Packages >Packages.gz
>> - fi
>> - popd
>> - done
>> -
>> - # 2(sources). update Sources file archives
>> - pushd dists/$loop_dist/$component/source
>> - if [ -f Sources ]; then
>> - sed -i '/./,$!d' Sources
>> - bzip2 -c Sources >Sources.bz2
>> - gzip -c Sources >Sources.gz
>> - fi
>> - popd
>> -
>> - # 3. update checksums entries of the Packages* files in *Release files
>> - # NOTE: it is stable structure of the *Release files when the checksum
>> - # entries in it in the following way:
>> - # MD5Sum:
>> - # <checksum> <size> <file orig>
>> - # <checksum> <size> <file debian>
>> - # SHA1:
>> - # <checksum> <size> <file orig>
>> - # <checksum> <size> <file debian>
>> - # SHA256:
>> - # <checksum> <size> <file orig>
>> - # <checksum> <size> <file debian>
>> - # The script bellow puts 'md5' value at the 1st found file entry,
>> - # 'sha1' - at the 2nd and 'sha256' at the 3rd
>> - pushd dists/$loop_dist
>> - for file in $(grep " $component/" Release | awk '{print $3}' | sort -u) ; do
>> - [ -f $file ] || continue
>> - sz=$(stat -c "%s" $file)
>> - md5=$(md5sum $file | awk '{print $1}')
>> - sha1=$(sha1sum $file | awk '{print $1}')
>> - sha256=$(sha256sum $file | awk '{print $1}')
>> - awk 'BEGIN{c = 0} ; {
>> - if ($3 == p) {
>> - c = c + 1
>> - if (c == 1) {print " " md " " s " " p}
>> - if (c == 2) {print " " sh1 " " s " " p}
>> - if (c == 3) {print " " sh2 " " s " " p}
>> - } else {print $0}
>> - }' p="$file" s="$sz" md="$md5" sh1="$sha1" sh2="$sha256" \
>> - Release >Release.new
>> - mv Release.new Release
>> - done
>> - # resign the selfsigned InRelease file
>> - $rm_file InRelease
>> - gpg --clearsign -o InRelease Release
>> - # resign the Release file
>> - $rm_file Release.gpg
>> - gpg -u $GPG_SIGN_KEY -abs -o Release.gpg Release
>> - popd
>> -
>> - # 4. sync the latest distribution path changes to S3
>> - $aws_sync_public dists/$loop_dist "$bucket_path/dists/$loop_dist"
>> + # call DEB dists path updater
>> + update_deb_dists
>> done
>> }
>>
>> @@ -525,6 +614,7 @@ EOF
>> # at the Tarantool web site:
>> #  https://www.tarantool.io/en/download/os-installation/rhel-centos/
>> #  https://www.tarantool.io/en/download/os-installation/fedora/
>> +
>> function pack_rpm {
>> pack_subdir=$1
>> pack_patterns=$2
>> @@ -631,12 +721,12 @@ function pack_rpm {
>> packs_rm=$(($packs_rm+1))
>> done
>> # reduce number of packages in metafile counter
>> - gunzip ${metafile}.xml.gz
>> + gunzip -f ${metafile}.xml.gz
>> packs=$(($(grep " packages=" ${metafile}.xml | \
>> sed 's#.* packages="\([0-9]*\)".*#\1#g')-${packs_rm}))
>> sed "s# packages=\"[0-9]*\"# packages=\"${packs}\"#g" \
>> -i ${metafile}.xml
>> - gzip ${metafile}.xml
>> + gzip -f ${metafile}.xml
>> done
>> fi
>> done
>> @@ -711,10 +801,141 @@ EOF
>> $aws_sync_public repodata "$bucket_path/$repopath/repodata"
>> }
>>
>> +function remove_rpm {
>> + pack_subdir=$1
>> + pack_patterns=$2
>> +
>> + pushd $ws
>> +
>> + # set the paths
>> + repopath=$option_dist/$pack_subdir
>> + rpmpath=Packages
>> + packpath=$repopath/$rpmpath
>> +
>> + # prepare local repository with packages
>> + $mk_dir $packpath
>> + cd $repopath
>> +
>> + # copy the current metadata files from S3
>> + mkdir repodata
>> + pushd repodata
>> + for file in $($aws ls $bucket_path/$repopath/repodata/ | awk '{print $NF}') ; do
>> + $aws ls $bucket_path/$repopath/repodata/$file || continue
>> + $aws cp $bucket_path/$repopath/repodata/$file $file
>> + [[ ! $file =~ .*.gz ]] || gunzip $file
>> + done
>> +
>> + updated_rpms=0
>> + # loop by the new hashes from the new meta file
>> + for hash in $(grep "<package pkgid=" other.xml | awk -F'"' '{print $2}') ; do
>> + updated_rpm=0
>> + file_exists=''
>> + name=$(grep "<package pkgid=\"$hash\"" other.xml | awk -F'"' '{print $4}')
>> + file=$(grep -e "<checksum type=" -e "<location href=" primary.xml | \
>> + grep "$hash" -A1 | grep "<location href=" | \
>> + awk -F'"' '{print $2}')
>> + for pack_pattern in $pack_patterns ; do
>> + [[ $file =~ Packages/$remove$pack_pattern ]] || continue
>> +
>> + # check if the file already exists in S3
>> + ! $aws ls "$bucket_path/$repopath/$file" || \
>> + $aws rm "$bucket_path/$repopath/$file"
>> +
>> + # search the new hash in the old meta file from S3
>> + grep "pkgid=\"$hash\"" filelists.xml | grep "name=\"$name\"" || continue
>> + updated_rpms=1
>> + hashes_old=$(grep -e "<checksum type=" -e "<location href=" primary.xml | \
>> + grep -B1 "$file" | grep "<checksum type=" | \
>> + awk -F'>' '{print $2}' | sed 's#<.*##g')
>> + # NOTE: for the single file name may exists more than one
>> + # entry in damaged file, to fix it all found entries
>> + # of this file need to be removed
>> + for metafile in other filelists primary ; do
>> + up_lines=''
>> + if [ "$metafile" == "primary" ]; then
>> + up_full_lines='(\N+\n)*'
>> + fi
>> + packs_rm=0
>> + # find and remove all <package> tags for the bad hashes
>> + for hash_rm in $hashes_old ; do
>> + echo "Removing from ${metafile}.xml file old hash: $hash_rm"
>> + sed -i '1s/^/\n/' ${metafile}.xml
>> + pcregrep -Mi -v "(?s)<package ${up_full_lines}\N+(?=${hash_rm}).*?package>" \
>> + ${metafile}.xml >${metafile}_new.xml
>> + mv ${metafile}_new.xml ${metafile}.xml
>> + packs_rm=$(($packs_rm+1))
>> + done
>> + # reduce number of packages in metafile counter
>> + packs=$(($(grep " packages=" ${metafile}.xml | \
>> + sed 's#.* packages="\([0-9]*\)".*#\1#g')-${packs_rm}))
>> + sed "s# packages=\"[0-9]*\"# packages=\"${packs}\"#g" \
>> + -i ${metafile}.xml
>> + done
>> + done
>> + done
>> +
>> + # check if any RPM files were newly registered
>> + [ "$updated_rpms" == "0" ] && \
>> + return || echo "Updating dists"
>> +
>> + # merge metadata files
>> + mv repomd.xml repomd_saved.xml
>> + head -n 2 repomd_saved.xml >repomd.xml
>> + for file in filelists.xml other.xml primary.xml ; do
>> + # get the new data
>> + chsnew=$(sha256sum $file | awk '{print $1}')
>> + sz=$(stat --printf="%s" $file)
>> + gzip $file
>> + chsgznew=$(sha256sum $file.gz | awk '{print $1}')
>> + szgz=$(stat --printf="%s" $file.gz)
>> + timestamp=$(date +%s -r $file.gz)
>> +
>> + # add info to repomd.xml file
>> + name=$(echo $file | sed 's#\.xml$##g')
>> + cat <<EOF >>repomd.xml
>> +<data type="$name">
>> + <checksum type="sha256">$chsgznew</checksum>
>> + <open-checksum type="sha256">$chsnew</open-checksum>
>> + <location href="repodata/$file.gz"/>
>> + <timestamp>$timestamp</timestamp>
>> + <size>$szgz</size>
>> + <open-size>$sz</open-size>
>> +</data>"
>> +EOF
>> + done
>> + tail -n 1 repomd_saved.xml >>repomd.xml
>> + rm -f repomd_saved.xml repomd.xml.asc
>> + popd
>> + gpg --detach-sign --armor repodata/repomd.xml
>> +
>> + # update the metadata at the S3
>> + $aws_sync_public repodata "$bucket_path/$repopath/repodata"
>> +}
>> +
>> if [ "$os" == "ubuntu" -o "$os" == "debian" ]; then
>> # prepare the workspace
>> prepare_ws ${os}
>> - pack_deb
>> +
>> + # we need to push packages into 'main' repository only
>> + component=main
>> +
>> + # debian has special directory 'pool' for packages
>> + debdir=pool
>> +
>> + # set the subpath with binaries based on literal character of the product name
>> + proddir=$(echo $product | head -c 1)
>> +
>> + # copy single distribution with binaries packages
>> + poolpath=pool/${option_dist}/$component/$proddir/$product
>> + repopath=$ws/$poolpath
>> + $mk_dir ${repopath}
>> +
>> + if [ "$remove" != "" ]; then
>> + remove_deb
>> + else
>> + pack_deb
>> + fi
>> +
>> # unlock the publishing
>> $rm_file $ws_lockfile
>> popd
>> @@ -726,14 +947,22 @@ elif [ "$os" == "el" -o "$os" == "fedora" ]; then
>>
>> # prepare the workspace
>> prepare_ws ${os}_${option_dist}
>> - pack_rpm x86_64 "*.x86_64.rpm *.noarch.rpm"
>> + if [ "$remove" != "" ]; then
>> + remove_rpm x86_64 "-1.*.x86_64.rpm -1.*.noarch.rpm"
>> + else
>> + pack_rpm x86_64 "*.x86_64.rpm *.noarch.rpm"
>> + fi
>> # unlock the publishing
>> $rm_file $ws_lockfile
>> popd
>>
>> # prepare the workspace
>> prepare_ws ${os}_${option_dist}
>> - pack_rpm SRPMS "*.src.rpm"
>> + if [ "$remove" != "" ]; then
>> + remove_rpm SRPMS "-1.*.src.rpm"
>> + else
>> + pack_rpm SRPMS "*.src.rpm"
>> + fi
>> # unlock the publishing
>> $rm_file $ws_lockfile
>> popd
>> --
>> 2.17.1
>>
>--
>sergeyb@ 
 
 
--
Alexander Tikhonov