feat: add debian "deployment"

Add "debian" deployment that generates a .deb package that can be
installed on Debian and Ubuntu systems.

Signed-off-by: Sergei Trofimov <[email protected]>

Makefile

@@ -67,6 +67,7 @@ Available targets:
 	bootstrap:     install required dependencies (only works on Arch, Ubuntu,
 	               and MacOSX using homebrew)
 	native-deploy: create and start the native deployment
+	deb:           create .deb package for installation on Debian or Ubuntu
 endef
 export __MAKEFILE_HELP
 
@@ -110,6 +111,7 @@ endif
 .PHONY: really-clean
 really-clean:
 	make -C integration-tests really-clean
+	make -C deployments/debian really-clean
 	make -C deployments/docker really-clean
 	make -C deployments/native really-clean
 
@@ -168,6 +170,14 @@ ifeq ($(filter native-deploy,$(MAKECMDGOALS)),native-deploy)
 __NO_RECURSE = true
 endif
 
+.PHONY: deb
+deb:
+	make -C deployments/debian deb
+
+ifeq ($(filter deb,$(MAKECMDGOALS)),deb)
+__NO_RECURSE = true
+endif
+
 ifndef __NO_RECURSE
 include mk/subdir.mk
 endif

deployments/debian/Makefile

@@ -0,0 +1,17 @@
+# Copyright 2024 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+.DEFAULT_TARGET: deb
+
+SHELL = /bin/bash
+
+THIS_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+
+PACKAGE_DEST ?= /tmp
+
+.PHONY: deb
+deb:
+	$(THIS_DIR)/deployment.sh create-deb $(PACKAGE_DEST)
+
+.PHONY: really-clean
+really-clean:
+	rm -rf $(PACKAGE_DEST)/veraison-deb-package

deployments/debian/README.md

@@ -0,0 +1,39 @@
+This directory contains scripts and other resources for creating .deb packages
+for installation on Debian or Ubuntu systems. This involves first creating a
+native deployment, and then packaging it up using `dpkg`.
+
+## Dependencies
+
+In addition to [dependencies for the native 
+deployment](../native/README.md#dependencies), `dpkg` must be installed. If you
+are on a Debian or Ubuntu system, `dpkg` will already be present as it the
+package manager for your system. If you are on Arch, you can install it via
+
+```sh
+# on Arch
+pacman -S dpkg
+```
+
+If you are on another system, you will need to find how to install `dpkg` on
+your own (first check that it is not the package manager for the system, then
+search the system's standard packages; if all else fails -- duckduckgo/brave is
+your friend).
+
+## Building the package
+
+The location where the package will be built is specified with `PACKAGE_DEST`
+environment variable. It will default to `/tmp` if not set. To build the
+package simply do
+
+```sh
+make deb
+```
+
+This will create
+`${PACKAGE_DEST}/veraison_deb_package/veraison_VERSION_ARCH.deb`, where `VERSION`
+is the Veraison version as reported by the
+[`get-veraison-version`](../scripts/get-veraison-version) script, and `ARCH` is
+the architecture of your system as reported by `dpkg --print-architecture`.
+
+Alongside the package, there will be a subdirectory with the same name but
+without the .deb suffix that contains the "sources" used to build the package.

deployments/debian/debian/control.template

@@ -0,0 +1,6 @@
+Package: veraison
+Version: ${_VERAISON_VERSION}
+Maintainer: Veraison Project <[email protected]>
+Architecture: amd64
+Homepage: https://github.com/veraison
+Description: Attestation verification services

deployments/debian/debian/postinst

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+if [ "$1" = "configure" ]; then
+	[ -z "$VERAISON_USER" ] && VERAISON_USER=veraison
+	[ -z "$VERAISON_GROUP" ] && VERAISON_GROUP=veraison
+
+	if [ ! "$(getent group "$VERAISON_GROUP")" ]; then
+		groupadd --system "$VERAISON_GROUP"
+	else
+		echo "Group $VERAISON_GROUP already exists."
+	fi
+
+	if [ ! "$(getent passwd setrofim)" ]; then
+		useradd --system --gid "$VERAISON_GROUP" --no-create-home \
+			--shell /bin/false "$VERAISON_USER"
+	else
+		echo "User $VERAISON_USER already exists."
+	fi
+
+	chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/logs
+	chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/signing
+	chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/certs
+	chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/stores
+
+	/opt/veraison/bin/veraison -s start-services
+fi

deployments/debian/debian/prerm

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+if [ "$1" = "remove" ]; then
+	[ -z "$VERAISON_USER" ] && VERAISON_USER=veraison
+	[ -z "$VERAISON_GROUP" ] && VERAISON_GROUP=veraison
+
+	/opt/veraison/bin/veraison -s stop-services
+	/opt/veraison/bin/veraison -s disable-services
+
+	rm -rf /opt/veraison/logs/*
+
+	userdel "$VERAISON_USER"
+
+	if [ "$(getent group "$VERAISON_GROUP")" ]; then
+		groupdel "$VERAISON_GROUP"
+	fi
+fi

deployments/debian/deployment.cfg

@@ -0,0 +1,28 @@
+##############################################################################
+# Veraison Deployment Configuration
+#
+# Note: this uses Bash syntax, however there is no need to export variables
+#       here, as this file will be sourced with set -a
+##############################################################################
+# shellcheck disable=SC2034
+
+# The ports on which services will be listening.
+VTS_PORT=${VTS_PORT:-50051}
+PROVISIONING_PORT=${PROVISIONING_PORT:-8888}
+VERIFICATION_PORT=${VERIFICATION_PORT:-8080}
+MANAGEMENT_PORT=${MANAGEMENT_PORT:-8088}
+
+# The host the services will be running on.
+VERAISON_HOST=${VERAISON_HOST:-localhost}
+
+# The user Veraison services will be run as by system systemd.
+# (note: this will not be used when starting via start-tmux, start-term, or
+# user systemd. In those cases, the services will aways run as $USER.)
+VERAISON_USER=${VERAISON_USER:-veraison}
+
+# Location of certs to be used by veraison services; there must be a cert and
+# corresponding key for each service (e.g. vts.crt and vts.key for
+# vts-service), and a rootCA.crt that was used to sign the service certs.
+VERAISON_CERTS=${VERAISON_CERTS:-}
+
+# vim: set ft=bash:

deployments/debian/deployment.sh

@@ -0,0 +1,136 @@
+#!/bin/bash
+set -eo pipefail
+
+_error='\e[0;31mERROR\e[0m'
+_this_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+_deb_src=${_this_dir}/debian
+_repo_root=$(realpath "${_this_dir}/../..")
+_version=$("${_repo_root}/scripts/get-veraison-version")
+
+
+function bootstrap() {
+	"${_repo_root}/deployments/native/deployment.sh" bootstrap
+
+	case $( uname -s ) in
+		Linux)
+			# shellcheck disable=SC2002
+			local distrib_id
+			distrib_id=$(head -n 1 </etc/lsb-release 2>/dev/null | \
+				     cut -f2 -d= | tr -d \")
+
+			case $distrib_id in
+			Arch) sudo pacman -Syy dpkg ;;
+			Ubuntu) ;;
+			*)
+				echo -e "$_error: Boostrapping is currently only supported for Arch and Ubuntu."
+				exit
+				;;
+			esac
+			;;
+		Darwin)
+			if ! type brew > /dev/null; then
+				echo -e "$_error: homebrew (https://brew.sh) must be installed."
+				exit 1
+			fi
+			brew install dpkg
+			;;
+		*)
+			echo -e "$_error: Boostrapping is currently only supported for Arch, Ubuntu, and MacOSX (via homebrew)."
+			exit
+			;;
+	esac
+}
+
+function create_deb() {
+	_check_installed dpkg
+	_check_installed envsubst
+
+	local work_dir=${1:-/tmp}
+	local arch; arch="$(dpkg --print-architecture)"
+	local pkg_dir=${work_dir}/veraison_${_version}_${arch}
+
+	set -a
+	source "${_this_dir}/deployment.cfg"
+	set +a
+
+	export VERAISON_ROOT=/opt/veraison
+	export DEPLOYMENT_DEST=${pkg_dir}${VERAISON_ROOT}
+	export VTS_HOST=$VERAISON_HOST
+	export PROVISIONING_HOST=$VERAISON_HOST
+	export VERIFICATION_HOST=$VERAISON_HOST
+	export MANAGEMENT_HOST=$VERAISON_HOST
+
+	rm -rf "${pkg_dir}"
+	"${_repo_root}/deployments/native/deployment.sh" quick-init-all
+
+	mkdir -p "${pkg_dir}/DEBIAN"
+	cp "${_deb_src}"/{postinst,prerm} "${pkg_dir}/DEBIAN/"
+	chmod 0775 "${pkg_dir}"/DEBIAN/{postinst,prerm}
+	export _VERAISON_VERSION=${_version}
+	envsubst < "${_deb_src}/control.template" > "${pkg_dir}/DEBIAN/control"
+
+	dpkg --build "${pkg_dir}"
+
+	echo "done."
+}
+
+function help() {
+	set +e
+	local usage
+	read -r -d '' usage <<-EOF
+	Usage: deployment.sh [OPTIONS...] COMMAND [ARGS...]
+
+	This script allows packaging a Veraison deployment as .deb package suitable
+	for installation on Debian and derivatives (such as Ubuntu). 
+
+	OPTIONS:
+
+	Please note tht opitons MUST be specified before the command and arguments.
+
+	  -h show this message and exist
+
+	COMMANDS:
+
+	help
+	    Show this message and exit. The same as -h option.
+
+        bootstrap
+            Set up the enviroment for creating the deployment, installing any
+            necessary dependencies.
+
+	create-deb [DIR]
+	    Create a Debian package under DIR. If DIR is not specified, /tmp will be
+            used. Upon successful completion, it will contain the .deb package and a 
+            subdirectory with the sources used to created the package. This command 
+            relies on the "native" deployment to creates the package sources.
+	EOF
+	set -e
+
+	echo "$usage"
+}
+
+function _check_installed() {
+	local what=$1
+
+	if [[ "$(type -p "$what")" == "" ]]; then
+		echo -e "$_error: $what executable must be installed to use this command."
+		exit 1
+	fi
+}
+
+while getopts "h" opt; do
+	case "$opt" in
+		h) help; exit 0;;
+		*) break;;
+	esac
+done
+
+_command=$1; shift
+_command=$(echo "$_command" | tr -- _ -)
+case $_command in 
+	help) help;;
+        bootstrap) bootstrap;;
+	create-deb) create_deb "$1";;
+	*) echo -e "$_error: unexpected command: \"$_command\"";;
+esac
+# vim: set noet sts=8 sw=8: