From 0ae05e1865edc2b6ef4f2dd622b81ed794e1b2a6 Mon Sep 17 00:00:00 2001 From: Sergei Trofimov Date: Fri, 13 Sep 2024 15:13:18 +0100 Subject: [PATCH] feat: add debian "deployment" Add "debian" deployment that generates a .deb package that can be installed on Debian and Ubuntu systems. Signed-off-by: Sergei Trofimov --- Makefile | 10 ++ deployments/debian/Makefile | 17 +++ deployments/debian/README.md | 39 ++++++ deployments/debian/debian/control.template | 6 + deployments/debian/debian/postinst | 26 ++++ deployments/debian/debian/prerm | 17 +++ deployments/debian/deployment.cfg | 28 +++++ deployments/debian/deployment.sh | 136 +++++++++++++++++++++ 8 files changed, 279 insertions(+) create mode 100644 deployments/debian/Makefile create mode 100644 deployments/debian/README.md create mode 100644 deployments/debian/debian/control.template create mode 100644 deployments/debian/debian/postinst create mode 100644 deployments/debian/debian/prerm create mode 100644 deployments/debian/deployment.cfg create mode 100755 deployments/debian/deployment.sh diff --git a/Makefile b/Makefile index a72fd56a..aca3fa89 100644 --- a/Makefile +++ b/Makefile @@ -67,6 +67,7 @@ Available targets: bootstrap: install required dependencies (only works on Arch, Ubuntu, and MacOSX using homebrew) native-deploy: create and start the native deployment + deb: create .deb package for installation on Debian or Ubuntu endef export __MAKEFILE_HELP @@ -110,6 +111,7 @@ endif .PHONY: really-clean really-clean: make -C integration-tests really-clean + make -C deployments/debian really-clean make -C deployments/docker really-clean make -C deployments/native really-clean @@ -168,6 +170,14 @@ ifeq ($(filter native-deploy,$(MAKECMDGOALS)),native-deploy) __NO_RECURSE = true endif +.PHONY: deb +deb: + make -C deployments/debian deb + +ifeq ($(filter deb,$(MAKECMDGOALS)),deb) +__NO_RECURSE = true +endif + ifndef __NO_RECURSE include mk/subdir.mk endif 
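Review bot: The new `deb` recipe and the added really-clean line invoke `make -C deployments/debian …` literally rather than `$(MAKE) -C deployments/debian …`, so the sub-make is not recognised as recursive: it does not join the parent's jobserver under `-j` and is skipped entirely under `make -n`. The pre-existing docker/native lines do the same, so this is an existing pattern rather than a regression of this commit, but the new lines are the natural place to start fixing it. Changing the recipe to `$(MAKE) -C deployments/debian deb` (and likewise the really-clean line) is a one-word change per line.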
diff --git a/deployments/debian/Makefile b/deployments/debian/Makefile
new file mode 100644
index 00000000..d2406a91
--- /dev/null
+++ b/deployments/debian/Makefile
@@ -0,0 +1,17 @@
+# Copyright 2024 Contributors to the Veraison project.
+# SPDX-License-Identifier: Apache-2.0
+.DEFAULT_TARGET: deb
+
+SHELL = /bin/bash
+
+THIS_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+
+PACKAGE_DEST ?= /tmp
+
+.PHONY: deb
+deb:
+ $(THIS_DIR)/deployment.sh create-deb $(PACKAGE_DEST)
+
+.PHONY: really-clean
+really-clean:
+ rm -rf $(PACKAGE_DEST)/veraison-deb-package
diff --git a/deployments/debian/README.md b/deployments/debian/README.md
new file mode 100644
index 00000000..19d3f81f
--- /dev/null
+++ b/deployments/debian/README.md
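Review bot: `really-clean` removes `$(PACKAGE_DEST)/veraison-deb-package`, but nothing creates that path: `create_deb` in deployment.sh writes `${work_dir}/veraison_${_version}_${arch}` and the matching `.deb` directly under PACKAGE_DEST, and the README calls the directory `veraison_deb_package` — three spellings for one location, and as written the clean rule is a no-op. Either have deployment.sh place its output under a single `veraison-deb-package` subdirectory so this rule actually cleans it, or change the rule to remove what is really produced. Separately, `.DEFAULT_TARGET` is not a GNU make special target — the variable is `.DEFAULT_GOAL := deb`; the current line appears to work only because targets beginning with `.` are skipped when make picks the first target in the file as its default goal.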
@@ -0,0 +1,39 @@
+This directory contains scripts and other resources for creating .deb packages
+for installation on Debian or Ubuntu systems. This involves first creating a
+native deployment, and then packaging it up using `dpkg`.
+
+## Dependencies
+
+In addition to [dependencies for the native
+deployment](../native/README.md#dependencies), `dpkg` must be installed. If you
+are on a Debian or Ubuntu system, `dpkg` will already be present as it the
+package manager for your system. If you are on Arch, you can install it via
+
+```sh
+# on Arch
+pacman -S dpkg
+```
+
+If you are on another system, you will need to find how to install `dpkg` on
+your own (first check that it is not the package manager for the system, then
+search the system's standard packages; if all else fails -- duckduckgo/brave is
+your friend).
+
+## Building the package
+
+The location where the package will be built is specified with `PACKAGE_DEST`
+environment variable. It will default to `/tmp` if not set. To build the
+package simply do
+
+```sh
+make deb
+```
+
+This will create
+`${PACKAGE_DEST}/veraison_deb_package/veraison_VERSION_ARCH.deb`, where `VERSION`
+is the Veraison version as reported by the
+[`get-veraison-version`](../scripts/get-veraison-version) script, and `ARCH` is
+the architecture of your system as reported by `dpkg --print-architecture`.
+
+Alongside the package, there will be a subdirectory with the same name but
+without the .deb suffix that contains the "sources" used to build the package.
diff --git a/deployments/debian/debian/control.template b/deployments/debian/debian/control.template
new file mode 100644
index 00000000..ce0fa444
--- /dev/null
+++ b/deployments/debian/debian/control.template
@@ -0,0 +1,6 @@
+Package: veraison
+Version: ${_VERAISON_VERSION}
+Maintainer: Veraison Project
+Architecture: amd64
+Homepage: https://github.com/veraison
+Description: Attestation verification services
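Review bot: `Architecture: amd64` is hard-coded, while `create_deb` in deployment.sh names the package directory with `$(dpkg --print-architecture)`, so a build on an arm64 host produces `veraison_<version>_arm64.deb` whose control file claims amd64 and which dpkg will refuse to install on the very host that built it. Since the template is already passed through envsubst, make it `Architecture: ${_VERAISON_ARCH}` and add `export _VERAISON_ARCH=${arch}` beside the existing `export _VERAISON_VERSION=${_version}` in create_deb. `Maintainer:` should also use the `Name <email>` form that Debian policy requires for that field.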
diff --git a/deployments/debian/debian/postinst b/deployments/debian/debian/postinst
new file mode 100644
index 00000000..83c5bba0
--- /dev/null
+++ b/deployments/debian/debian/postinst
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+if [ "$1" = "configure" ]; then
+ [ -z "$VERAISON_USER" ] && VERAISON_USER=veraison
+ [ -z "$VERAISON_GROUP" ] && VERAISON_GROUP=veraison
+
+ if [ ! "$(getent group "$VERAISON_GROUP")" ]; then
+ groupadd --system "$VERAISON_GROUP"
+ else
+ echo "Group $VERAISON_GROUP already exists."
+ fi
+
+ if [ ! "$(getent passwd setrofim)" ]; then
+ useradd --system --gid "$VERAISON_GROUP" --no-create-home \
+ --shell /bin/false "$VERAISON_USER"
+ else
+ echo "User $VERAISON_USER already exists."
+ fi
+
+ chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/logs
+ chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/signing
+ chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/certs
+ chown -R "$VERAISON_USER":"$VERAISON_GROUP" /opt/veraison/stores
+
+ /opt/veraison/bin/veraison -s start-services
+fi
diff --git a/deployments/debian/debian/prerm b/deployments/debian/debian/prerm
new file mode 100644
index 00000000..bd5100c3
--- /dev/null
+++ b/deployments/debian/debian/prerm
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+if [ "$1" = "remove" ]; then
+ [ -z "$VERAISON_USER" ] && VERAISON_USER=veraison
+ [ -z "$VERAISON_GROUP" ] && VERAISON_GROUP=veraison
+
+ /opt/veraison/bin/veraison -s stop-services
+ /opt/veraison/bin/veraison -s disable-services
+
+ rm -rf /opt/veraison/logs/*
+
+ userdel "$VERAISON_USER"
+
+ if [ "$(getent group "$VERAISON_GROUP")" ]; then
+ groupdel "$VERAISON_GROUP"
+ fi
+fi
diff --git a/deployments/debian/deployment.cfg b/deployments/debian/deployment.cfg
new file mode 100644
index 00000000..e8a4ed93
--- /dev/null
+++ b/deployments/debian/deployment.cfg
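Review bot: The user-existence check `if [ ! "$(getent passwd setrofim)" ]; then` tests a hard-coded account name instead of the configured one, so on a host where that account exists the veraison user is never created and the following chown and service start fail, while on every other host useradd is re-run on each reinstall and errors out; it should read `if [ ! "$(getent passwd "$VERAISON_USER")" ]; then`. The script also has no `set -e`, so a failed groupadd, useradd or chown does not abort the configure step and dpkg records the package as correctly installed; Debian maintainer scripts are expected to start with `set -e`. Note too that the account name is taken from the environment of whoever runs dpkg, whereas the user the services are configured to run as comes, presumably via the native deployment, from deployment.cfg's VERAISON_USER at build time — if the two differ, the ownership set here will not match the account the units expect.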
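Review bot: `userdel "$VERAISON_USER"` runs on a plain `remove`, while the package's files under /opt/veraison stay on disk until purge; they are then owned by a numeric UID that a later useradd can recycle, handing an unrelated new account ownership of the signing and certs directories that postinst chowned. Debian practice is to leave system accounts in place, or to delete them only in postrm on `purge` after the files are gone; the same applies to `rm -rf /opt/veraison/logs/*`, which destroys logs on a simple remove rather than on purge. As in postinst, the account name comes from the caller's environment, so a stray `VERAISON_USER` in the administrator's shell makes userdel act on a different account; the name should not be read from the environment in a maintainer script. The script also lacks `set -e`, so a failed stop-services does not prevent the account and group removal that follows.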
@@ -0,0 +1,28 @@
+##############################################################################
+# Veraison Deployment Configuration
+#
+# Note: this uses Bash syntax, however there is no need to export variables
+# here, as this file will be sourced with set -a
+##############################################################################
+# shellcheck disable=SC2034
+
+# The ports on which services will be listening.
+VTS_PORT=${VTS_PORT:-50051}
+PROVISIONING_PORT=${PROVISIONING_PORT:-8888}
+VERIFICATION_PORT=${VERIFICATION_PORT:-8080}
+MANAGEMENT_PORT=${MANAGEMENT_PORT:-8088}
+
+# The host the services will be running on.
+VERAISON_HOST=${VERAISON_HOST:-localhost}
+
+# The user Veraison services will be run as by system systemd.
+# (note: this will not be used when starting via start-tmux, start-term, or
+# user systemd. In those cases, the services will aways run as $USER.)
+VERAISON_USER=${VERAISON_USER:-veraison}
+
+# Location of certs to be used by veraison services; there must be a cert and
+# corresponding key for each service (e.g. vts.crt and vts.key for
+# vts-service), and a rootCA.crt that was used to sign the service certs.
+VERAISON_CERTS=${VERAISON_CERTS:-}
+
+# vim: set ft=bash:
diff --git a/deployments/debian/deployment.sh b/deployments/debian/deployment.sh
new file mode 100755
index 00000000..c1aa3860
--- /dev/null
+++ b/deployments/debian/deployment.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+set -eo pipefail
+
+_error='\e[0;31mERROR\e[0m'
+_this_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+_deb_src=${_this_dir}/debian
+_repo_root=$(realpath "${_this_dir}/../..")
+_version=$("${_repo_root}/scripts/get-veraison-version")
+
+
+function bootstrap() {
+ "${_repo_root}/deployments/native/deployment.sh" bootstrap
+
+ case $( uname -s ) in
+ Linux)
+ # shellcheck disable=SC2002
+ local distrib_id
+ distrib_id=$(head -n 1 /dev/null | \
+ cut -f2 -d= | tr -d \")
+
+ case $distrib_id in
+ Arch) sudo pacman -Syy dpkg ;;
+ Ubuntu) ;;
+ *)
+ echo -e "$_error: Boostrapping is currently only supported for Arch and Ubuntu."
+ exit
+ ;;
+ esac
+ ;;
+ Darwin)
+ if ! type brew > /dev/null; then
+ echo -e "$_error: homebrew (https://brew.sh) must be installed."
+ exit 1
+ fi
+ brew install dpkg
+ ;;
+ *)
+ echo -e "$_error: Boostrapping is currently only supported for Arch, Ubuntu, and MacOSX (via homebrew)."
+ exit
+ ;;
+ esac
+}
+
+function create_deb() {
+ _check_installed dpkg
+ _check_installed envsubst
+
+ local work_dir=${1:-/tmp}
+ local arch; arch="$(dpkg --print-architecture)"
+ local pkg_dir=${work_dir}/veraison_${_version}_${arch}
+
+ set -a
+ source "${_this_dir}/deployment.cfg"
+ set +a
+
+ export VERAISON_ROOT=/opt/veraison
+ export DEPLOYMENT_DEST=${pkg_dir}${VERAISON_ROOT}
+ export VTS_HOST=$VERAISON_HOST
+ export PROVISIONING_HOST=$VERAISON_HOST
+ export VERIFICATION_HOST=$VERAISON_HOST
+ export MANAGEMENT_HOST=$VERAISON_HOST
+
+ rm -rf "${pkg_dir}"
+ "${_repo_root}/deployments/native/deployment.sh" quick-init-all
+
+ mkdir -p "${pkg_dir}/DEBIAN"
+ cp "${_deb_src}"/{postinst,prerm} "${pkg_dir}/DEBIAN/"
+ chmod 0775 "${pkg_dir}"/DEBIAN/{postinst,prerm}
+ export _VERAISON_VERSION=${_version}
+ envsubst < "${_deb_src}/control.template" > "${pkg_dir}/DEBIAN/control"
+
+ dpkg --build "${pkg_dir}"
+
+ echo "done."
+}
+
+function help() {
+ set +e
+ local usage
+ read -r -d '' usage <<-EOF
+ Usage: deployment.sh [OPTIONS...] COMMAND [ARGS...]
+
+ This script allows packaging a Veraison deployment as .deb package suitable
+ for installation on Debian and derivatives (such as Ubuntu).
+
+ OPTIONS:
+
+ Please note tht opitons MUST be specified before the command and arguments.
+
+ -h show this message and exist
+
+ COMMANDS:
+
+ help
+ Show this message and exit. The same as -h option.
+
+ bootstrap
+ Set up the enviroment for creating the deployment, installing any
+ necessary dependencies.
+
+ create-deb [DIR]
+ Create a Debian package under DIR. If DIR is not specified, /tmp will be
+ used. Upon successful completion, it will contain the .deb package and a
+ subdirectory with the sources used to created the package. This command
+ relies on the "native" deployment to creates the package sources.
+ EOF
+ set -e
+
+ echo "$usage"
+}
+
+function _check_installed() {
+ local what=$1
+
+ if [[ "$(type -p "$what")" == "" ]]; then
+ echo -e "$_error: $what executable must be installed to use this command."
+ exit 1
+ fi
+}
+
+while getopts "h" opt; do
+ case "$opt" in
+ h) help; exit 0;;
+ *) break;;
+ esac
+done
+
+_command=$1; shift
+_command=$(echo "$_command" | tr -- _ -)
+case $_command in
+ help) help;;
+ bootstrap) bootstrap;;
+ create-deb) create_deb "$1";;
+ *) echo -e "$_error: unexpected command: \"$_command\"";;
+esac
+# vim: set noet sts=8 sw=8:
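Review bot: Several error paths in the new script exit with status 0: the two bare `exit` calls that follow the unsupported-platform messages in `bootstrap`, and the `*)` arm of the final `case`, which prints the unexpected-command error and then falls off the end of the script, so `make deb` and CI callers see success where nothing was built. Make them `exit 1`, as the Darwin branch already does, and add `exit 1` after the `echo` in the `*)` arm. As printed here, `distrib_id=$(head -n 1 /dev/null | …)` reads from `/dev/null`, so `distrib_id` is always empty and the Linux branch can only ever reach the unsupported case; if that is not a rendering artefact of this page, the intended release file (presumably the one whose `KEY="value"` lines the `cut -f2 -d= | tr -d \"` is parsing) is missing. `_command=$1; shift` under `set -e` also aborts silently when no command is given, so `shift || { help; exit 1; }` would be friendlier. The help text has a few typos worth fixing while here (`tht opitons`, `exist`, `enviroment`, `to created`, `to creates`).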