-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
debian: Cleanup build process using more debhelper features #223
debian: Cleanup build process using more debhelper features #223
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #223 +/- ##
==========================================
- Coverage 87.07% 87.01% -0.07%
==========================================
Files 64 64
Lines 4891 4891
==========================================
- Hits 4259 4256 -3
- Misses 440 442 +2
- Partials 192 193 +1 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn’t look at the content of the diff itself, only read the description. There are 2 things we shouldn’t do IMHO:
Remove generated files from the debian tarball.
I know this is the common thing in the go ecosystem, but ideally debian package sources should contain no generated code
This is a big no no. We tested with generated code, our all CI is relying on generator code and the go ecosystem and potential dependencies are relying on those generated code. We are not going to compile code with a different version of protoc and grpc bindings than what we validated before releasing in the package.
This is already what we do in other packages we maintain and what other debian packages like kubernetes are doing. Follow the language paradigm and on what upstream put their quality seal on, don’t ship code that were not acknowledge and qualified by them.
This is the same reason we are using vendored dependencies.
Add authd-example-broker binary package providing the example broker and related configurations (systemd service, dbus config...)
I don’t think we shouild ship it.This is really an example source code which doesn’t track state and options. This can open security issues and we don’t want to be responsible for this. Please let’s not ship that binary and keep it as it is, example code (and not even a reference implementation)
Well, I can revert that part, it's not a the main point of the PR, but I indeed wanted to be sure that thing can be generated at build time. Also, while I do understand that we trust such code upstream, at distro level that's not the best thing to do IMHO, a that's not the policy in debian (even though that's accepted when it's hard to do otherwise). Reason why However, I'll drop the changes related to this, but I still feel that it's not the best for having builds that are reproducible in the same environment (e.g. we do test things upstream now, but once we update our CI, then it's hard to know how things are generated at a specific point of the project history, when we target a specific ubuntu release). |
Ah, regarding the example broker... How do you think we could handle that otherwise? Ideally we want it having available for autopkgtests, IMHO, having a separate binary can't be a security issue as really if you can make it load through So per se I feel it's just a test tool that once enabled in specific environments will make integration testing easier that is quite common (for example, even the fingerprint daemon comes with test devices enabled by default, but unless you've the power to setup some env variables on the process, then there's no way to give you access to those). |
Maybe we should revisit the approach and having it as a real separate binary that could be built into CI and is subprocessed. That way, this will be more an end to end test using the whole stack, including the config file discovery and external dbus communication. |
Yeah, that's fine for upstream, but my point is more for autopkgtests, where I'd like to install the various components as in distro and test the outcome. I don't think there's another option than this, or running the daemon in a special mode... |
I mean, in the autopkgtests, we build the example broker separately and prepare the "config" on disk with our packaged authd. Then, we run the integration tests with this setup. |
Yeah, that seems a viable option. |
What about for manual-testing? I would at least like to have a ppa where we have this setup so that once we've to verify some cases, we have the broker setup ready for (indeed it's not hard to just run manually authd, but it would not imply testing a next-to-real setup). |
That one is a valid argument. I suggest then that if we ship the additional binary package, then, I suggest that we don’t ship a configuration file nor the systemd service to start it. Instead, we have a command to "set it up" in the CLI, which installs the config file. That will force to run the example broker manually. This one will create the file, and on teardown, will remove it. That way, it’s not autostarted and we are sure running it was intentional. Then, in our manual (and even automated/autokgtests setup), then, we have first to run it explciitely. What do you think? |
1d050c5
to
b5edc1b
Compare
That's good, but why not just relying on systemd for that? I think we can trust it :) So, we ship the service as masked by default, in this way there's no way to start it, unless you explicitly systemctl start it. We need to modify a bit the daemon to not list it either in such case but it's an easy change. |
BTW... I've dropped the generation changes from this branch, and also the example broker for now, but given this discussion I see if re-adding them 😋 |
Let’s split the concerns and see in a separate PR for the second binary package. I still think we shouldn’t have it as a service as we will never want it to autostart (or maybe for some integration tests with reboot, but we need to discuss this first). Btw, please add the GOTOOLCHAIN exported variable with its comments to |
Ok fair enough!
I did only that on tests, because it's already on by default in dh-golang. |
Excellent, if this is in noble! I tried it few months ago and it wasn’t! |
It's on 1.60 so it should have been there also in mantic.. 🤔 |
It was definitively broken, should we give it a try? |
b5edc1b
to
64d013b
Compare
It works so far here... I actually would like to have the workflow for this setup too, but while my old pr #130 code still works fine, we can't build using the common ones yet. Btw... Branch rebased, removing the extra stuff... And I'll open another PR for that. In theory I could split this even in 3 (one with fixes for the generation phase), but I'd say to keep it as it is :) |
Try to set the toolchain stenza to 1.22.3 for instance and see if the package builds. |
I feel it's more a problem of |
Just please try it :) And no, this was not an issue when building, but in CI, using mantic at the time. |
Tested, it does fail:
Full logs_163.zip attached of this action running on https://github.com/3v1n0/authd/commits/f561080c3793af902f1fc983bcbbade5adc79b1f And note that the builder had full internet access during the source build. |
see, so for some reason, the dh-cargo thingy doesn’t work. Try now to export the variable as we do in wsl-pro-service |
So that running `go generate ./...` will also recreate this file
This works for now as /sbin is linked to /usr/sbin but let's set it correctly
If building with `DEB_BUILD_OPTIONS=nocheck`, we don't need to run dbus-daemon at all, so mark it as such.
8f4cf16
to
27b8048
Compare
Install can be used as an advanced "mv" that makes directories too, so do it so that we don't have to repeat the file names on target.
27b8048
to
6f51dbe
Compare
This is something we were forcing at package build level only but it's better to do it all the times
We should not depend on developers environment when building a pacakge so use a temporary CARGO_HOME, unless a different one is specified
This is what dh-cargo does by default, so follow it
The latter was the legacy name
Installing outside /usr is something that debian is deprecating
It allows more fine-grained control on what goes in the install path and avoids missing files
It handles upgrades and removal properly, keeping track of the service state.
It makes things easier to catch and at the same time we can enforce more things such as disable internet access and force using local go toolchain
authd is not a program that is meant to be ran by user, so there's no point for it being in PATH, as it's systemd running it. So move it where most daemons stay these daysystemd, debian: Install authd in /usr/libexec authd is not a program that is meant to be ran by user, so there's no point for it being in PATH, as it's systemd running it. So move it where most daemons stay these days
This is something that also dh-golang does but for some reason it's not picked up during build and so we may fail if bumping the toolchain
c00f7ef
to
87985bd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Denis for reviewing my comments and Marco for fixing! :)
refactor quite a bit the
debian/*
code so that we are less dependent on our scripts, but instead we use debian tooling more.In particular:
dh-cargo
tools more, reducing duplication/usr/libexec
instead of/usr/sbin
(there's no need for them to be in$PATH
)Closes: #218
UDENG-2342