From e7f3971649208ac97c137e0834d311cfb7e15fbc Mon Sep 17 00:00:00 2001 From: xenago Date: Thu, 30 May 2024 23:18:40 -0400 Subject: [PATCH] Add conf-files statement to Cargo.toml to preserve configuration on upgrades for deb package; switch to SPDX license definition; add RPM build; add build.sh for local containerized builds; add support for glibc 2.17; add support for Ubuntu/RHEL update README; bump version to 1.1.0 --- .github/workflows/ci.yaml | 34 ++++++++++++++++---- Cargo.lock | 22 ++++++------- Cargo.toml | 21 +++++++++--- LICENSE | 2 +- README.md | 68 +++++++++++++++++++++++++++++++-------- build.sh | 29 +++++++++++++++++ changelog/CHANGELOG.txt | 16 ++++++++- 7 files changed, 153 insertions(+), 39 deletions(-) create mode 100644 build.sh diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 15d0238..fed2681 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,8 +10,13 @@ jobs: build_release: name: build and release runs-on: ubuntu-20.04 # Build on Debian-based distro + container: quay.io/pypa/manylinux2014_x86_64 # Use a container with glibc 2.17 steps: - - name: Checkout + + - name: Show GLIBC # Confirm glibc version + run: ldd --version + + - name: Checkout # Clone repository uses: actions/checkout@v2 with: fetch-depth: 0 
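Review bot: The new `container: quay.io/pypa/manylinux2014_x86_64` line names the build image without a tag or digest, so each release is compiled inside whatever image that name resolves to on the day of the build. The output is an NSS module used for group/passwd/shadow lookups, so the build environment deserves a fixed identity, for example `container: quay.io/pypa/manylinux2014_x86_64@sha256:<digest-placeholder>`. The same applies to `uses: actions-rs/toolchain@v1`, added in the next hunk of this file, which follows a movable tag; a full commit SHA with the version in a trailing comment is the usual form. The `steps:` list continues outside this hunk.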
@@ -21,22 +26,37 @@ jobs: export VERSION=${{github.ref_name}} sed -i "s/0.0.0/$VERSION/g" Cargo.toml - - name: Cargo build + - name: Install stable toolchain # Install Rust + uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: stable + override: true + + - name: Cargo build # Release build run: | cargo build --release --verbose ls -lah target/release - - name: Cargo deb + - name: Cargo deb # deb package run: | cargo install --version 1.44.1 cargo-deb cargo deb --verbose ls -lah target/debian - - name: Release + - name: Cargo rpm # RPM package + run: | + cargo install --version 0.14.0 cargo-generate-rpm + strip -s target/release/libnss_shim.so + cargo generate-rpm --payload-compress none + ls -lah target/generate-rpm + + - name: Release # Publish GitHub release uses: softprops/action-gh-release@v1 - if: startsWith(github.ref, 'refs/tags/') # Presumably redundant due to the [0-9] filter, but kept for safety + if: startsWith(github.ref, 'refs/tags/') # Presumably redundant due to the `on: push: tags:` filter, but kept for safety with: - body_path: ${{github.workspace}}/changelog/CHANGELOG.txt # Get the release notes from the changelog file - fail_on_unmatched_files: true + body_path: ${{github.workspace}}/changelog/CHANGELOG.txt # Add the release notes from the changelog file + fail_on_unmatched_files: true # Ensure all packages built, to avoid publishing an incomplete release files: | target/debian/*.deb + target/generate-rpm/*.rpm diff --git a/Cargo.lock b/Cargo.lock index 60c00a7..8f98f11 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -16,9 +16,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.152" +version = "0.2.155" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7" +checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c" [[package]] name = "libnss" 
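Review bot: `cargo install --version 0.14.0 cargo-generate-rpm` in the new `Cargo rpm` step fixes the tool's version but not its dependency tree, which is resolved fresh at install time unless `--locked` is passed. Suggested: `cargo install --locked --version 0.14.0 cargo-generate-rpm`, with the same flag on the existing `cargo-deb` line and on the two matching lines in `build.sh`. Since the `Release` step publishes `target/debian/*.deb` and `target/generate-rpm/*.rpm` directly, a checksum file uploaded alongside them would let users verify downloads. Nothing visible in this hunk generates one.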
@@ -38,7 +38,7 @@ dependencies = [ "lazy_static", "libc", "libnss", - "paste 1.0.14", + "paste 1.0.15", "serde", "serde_json", "shlex", @@ -56,9 +56,9 @@ dependencies = [ [[package]] name = "paste" -version = "1.0.14" +version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c" +checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" [[package]] name = "paste-impl" @@ -101,18 +101,18 @@ checksum = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695" [[package]] name = "serde" -version = "1.0.195" +version = "1.0.203" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "63261df402c67811e9ac6def069e4786148c4563f4b50fd4bf30aa370d626b02" +checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.195" +version = "1.0.203" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "46fe8f8603d81ba86327b23a2e9cdf49e1255fb94a4c5f297f6ee0547178ea2c" +checksum = "500cbc0ebeb6f46627f50f3f5811ccf6bf00643be300b4c3eabc0ef55dc5b5ba" dependencies = [ "proc-macro2", "quote", @@ -121,9 +121,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.111" +version = "1.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "176e46fa42316f18edd598015a5166857fc835ec732f5215eac6b7bdbf0a84f4" +checksum = "455182ea6142b14f93f4bc5320a2b31c1f266b66a4a5c858b013302a5d8cbfc3" dependencies = [ "itoa", "ryu", diff --git a/Cargo.toml b/Cargo.toml index 47459ab..a106c3e 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -5,7 +5,7 @@ authors = ["Noah Kruiper"] edition = "2021" description = "NSS module shim to use custom sources for group/passwd/shadow lookups" readme = "README.md" -license-file = "LICENSE" +license = "GPL-3.0-or-later" repository = "https://github.com/xenago/libnss_shim" # Reduce size when building for release @@ -16,11 +16,11 @@ codegen-units = 1 # use a single thread [dependencies] lazy_static = "1.4.0" -libc = "0.2.152" +libc = "0.2.155" libnss = "0.4" -paste = "1.0.14" -serde = { version = "1.0.195", features = ["derive"] } -serde_json = "1.0.111" +paste = "1.0.15" +serde = { version = "1.0.203", features = ["derive"] } +serde_json = "1.0.117" shlex = "1.3.0" [lib] @@ -37,4 +37,15 @@ assets = [ ["default_config/config.json", "etc/libnss_shim/config.json", "640"], ["README.md", "usr/share/doc/libnss_shim/README", "644"], ] +conf-files = ["etc/libnss_shim/config.json"] maintainer-scripts = "debian" + +[package.metadata.generate-rpm] +summary = "A plugin for the Name Service Switch (NSS) framework that parses the output of commands to resolve queries." +assets = [ + { source = "target/release/libnss_shim.so", dest = "/lib64/libnss_shim.so.2", mode = "644", config = false, doc = false, user = "root", group = "root" }, + { source = "default_config/config.json", dest = "/etc/libnss_shim/config.json", mode = "640", config = true, doc = false, user = "root", group = "root" }, + { source = "README.md", dest = "/usr/share/doc/libnss_shim/README", mode = "644", config = false, doc = true, user = "root", group = "root" }, +] +post_install_script = "debian/postinst" +post_uninstall_script = "debian/postrm" diff --git a/LICENSE b/LICENSE index 6bc573f..88c386d 100644 --- a/LICENSE +++ b/LICENSE 
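Review bot: In the new `[package.metadata.generate-rpm]` table, the `/etc/libnss_shim/config.json` asset uses `config = true`, which under RPM semantics lets an upgrade replace an administrator-edited file (the old copy is kept as `.rpmsave`). The RPM therefore does not get the preservation that `conf-files` gives the deb. Because this file decides which commands run for NSS lookups, consider `config = "noreplace"` if the pinned cargo-generate-rpm version accepts it. Separately, `post_install_script = "debian/postinst"` and `post_uninstall_script = "debian/postrm"` reuse Debian maintainer scripts, but RPM passes an instance count in `$1` rather than `configure`/`remove`/`purge`, and on upgrade it runs the old package's post-uninstall after the new package's post-install. Those scripts are not visible in this patch, so please confirm that `debian/postrm` does not undo the post-install setup during an RPM upgrade.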
@@ -678,7 +678,7 @@ Public License instead of this License. But first, please read The following notice applies to all files in the package, unless a different copyright notice is defined within: libnss_shim -Copyright (c) 2023 Noah Kruiper +Copyright (c) 2024 Noah Kruiper This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/README.md b/README.md index 28282e2..1c4cecd 100755 --- a/README.md +++ b/README.md 
@@ -31,28 +31,45 @@ can print to `stdout` in a supported format to be used with NSS. ### Compatibility notes -- Tested on Debian-based GNU/Linux distributions +- Tested on: + - CentOS 7 + - AlmaLinux 8 + - AlmaLinux 9 + - Debian 11 + - Debian 12 + - Ubuntu 20.04 + - Ubuntu 22.04 + - Ubuntu 24.04 - Builds for `amd64` architecture -- If `.deb` packages are not supported on the desired target platform, `libnss_shim` might be usable if the `assets` as - described in `Cargo.toml` are installed prior to running the `debian/postinst` script, but this has not been tested +- Packaged in `.deb` and `.rpm` formats +- If available packages do not work on a target platform, `libnss_shim` might be usable if the `assets` are installed + as described in `Cargo.toml` prior to running the `debian/postinst` script, but this has not been tested extensively. - To request support for a different configuration, please create a GitHub Issue ### Installation steps 1. Prepare the commands/software that will be triggered by `libnss_shim` (see the Commands section for details). -2. Download the latest release produced by GitHub Actions: +2. Download the latest release produced by GitHub Actions. + + **deb:** + ``` + wget https://github.com/xenago/libnss_shim/releases/download/1.1.0/libnss_shim_1.1.0_amd64.deb ``` - wget https://github.com/xenago/libnss_shim/releases/download/1.0.5/libnss_shim_1.0.5_amd64.deb + **RPM:** ``` + wget https://github.com/xenago/libnss_shim/releases/download/1.1.0/libnss_shim-1.1.0-1.x86_64.rpm + ``` + +3. Install it directly `dpkg` or `rpm`. -3. Install it directly with `dpkg` or through `apt`: + **deb:** ``` - sudo dpkg -i libnss_shim_1.0.5_amd64.deb + sudo dpkg -i libnss_shim_1.1.0_amd64.deb ``` - or + **RPM:** ``` - sudo apt install ./libnss_shim_1.0.5_amd64.deb + sudo rpm -i ./libnss_shim-1.1.0-1.x86_64.rpm ``` 4. Configure the shim by importing a custom `config.json`: 
@@ -328,11 +345,34 @@ testing purposes. Environment variables are generally private, whereas commands/ Commands are not passed through a shell for execution. Although it is possible to run software like `bash` with `libnss_shim`, using a shell is not recommended as this comes with additional risks such as command injection. +## Development + +When building locally, using [`act`](https://github.com/nektos/act) can be helpful to run `.github/ci.yaml` directly. +Depending on your configuration, some tweaks may be required to enable it to build successfully. + +I generally find it easiest to run `build.sh` inside a temporary container: + +1. Ensure `Docker` is installed and available +2. Ensure `libnss_shim` is cloned: + + git clone https://github.com/xenago/libnss_shim.git + +3. Run the build script inside a temporary container, setting `LIBNSS_SHIM_VERSION` and the cloned repo path as desired: + + sudo docker run -e "LIBNSS_SHIM_VERSION=0.0.0" -v /path/to/cloned/libnss_shim:/libnss_shim --rm quay.io/pypa/manylinux2014_x86_64:latest bash /libnss_shim/build.sh + +4. The build script will output packages in the following subdirectories of the cloned repo: + + * `target/debian/*.deb` + * `target/generate-rpm/*.rpm` + ## Useful resources -- NSS Modules Interface +- *Building Rust binaries in CI that work with older GLIBC* + - Jakub Beránek, AKA Kobzol's [blog](https://kobzol.github.io/rust/ci/2021/05/07/building-rust-binaries-in-ci-that-work-with-older-glibc.html) +- *NSS Modules Interface* - The GNU C [library](https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html) -- Actions in the NSS configuration +- *Actions in the NSS configuration* - The GNU C [library](https://www.gnu.org/software/libc/manual/html_node/Actions-in-the-NSS-configuration.html) - Rust bindings for `libnss` - The `libnss` [crate](https://crates.io/crates/libnss) 
@@ -342,11 +382,11 @@ with `libnss_shim`, using a shell is not recommended as this comes with addition - The `nss-wiregarden` [crate](https://crates.io/crates/libnss-wiregarden) - Example of parsing `passwd` and `group` formats with Rust - The `parsswd` [crate](https://crates.io/crates/parsswd) -- Testing NSS modules in glibc +- *Testing NSS modules in glibc* - Geoffrey Thomas's [blog](https://ldpreload.com/blog/testing-glibc-nsswitch) -- NSS - Debathena (useful description of NSS and how it fits into their architecture) +- *NSS - Debathena* (useful description of NSS and how it fits into their architecture) - MIT Debathena [wiki](https://debathena.mit.edu/trac/wiki/NSS) -- Debathena hacks (links to more NSS-related code for their project) +- *Debathena hacks* (links to more NSS-related code for their project) - MIT Debathena [website](https://debathena.mit.edu/hacks) - Debathena NSS module source example - MIT Debathena [repository](https://debathena.mit.edu/packages/debathena/libnss-afspag/libnss-afspag-1.0/) diff --git a/build.sh b/build.sh new file mode 100644 index 0000000..2c92d34 --- /dev/null +++ b/build.sh @@ -0,0 +1,29 @@ +#!/bin/sh +set -e + +cd /libnss_shim + +echo "BUILD: Setting version to $LIBNSS_SHIM_VERSION" +sed -i "s/0.0.0/$LIBNSS_SHIM_VERSION/g" Cargo.toml + +echo "BUILD: Installing Rust" +curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +. "$HOME/.cargo/env" + +echo "BUILD: Building for release" +cargo build --release --verbose +echo "BUILD: built for release" +ls -lah target/release + +echo "BUILD: Packaging deb" +cargo install --version 1.44.1 cargo-deb +cargo deb --verbose +echo "BUILD: deb packaged" +ls -lah target/debian + +echo "BUILD: Packaging RPM" +cargo install --version 0.14.0 cargo-generate-rpm +strip -s target/release/libnss_shim.so +cargo generate-rpm --payload-compress none +echo "BUILD: RPM packaged" +ls -lah target/generate-rpm 
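Review bot: In the new `build.sh`, `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y` runs a downloaded installer with no integrity check and installs whichever stable toolchain is current, so two local builds of the same commit can differ. Passing a fixed toolchain, e.g. `sh -s -- -y --profile minimal --default-toolchain <version-placeholder>`, keeps local builds comparable to each other. The script also has `set -e` but not `set -u`, so if `LIBNSS_SHIM_VERSION` is unset the `sed` line rewrites `0.0.0` to an empty string. A guard such as `: "${LIBNSS_SHIM_VERSION:?set LIBNSS_SHIM_VERSION}"` before the `sed` fails early with a clear message.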
diff --git a/changelog/CHANGELOG.txt b/changelog/CHANGELOG.txt index 8b13789..5f01a64 100644 --- a/changelog/CHANGELOG.txt +++ b/changelog/CHANGELOG.txt @@ -1 +1,15 @@ - +- Support EL distros with RPM package +- Define `conf-files` for deb package to preserve `config.json` on upgrades +- Switch build container to `quay.io/pypa/manylinux2014_x86_64` to support `glibc` version `2.17` +- Test `glibc 2.17` RPM build on CentOS 7, AlmaLinux 8, and AlmaLinux 9 +- Test `glibc 2.17` deb build on Debian 10, 11, and 12 +- Test `glibc 2.17` deb build on Ubuntu 20.04, 22.04, and 24.04 +- Define `conf-files` for deb package to preserve `config.json` on deb package upgrades +- Bump `libc` to `0.2.155` +- Bump `paste` to `1.0.15` +- Bump `serde` to `1.0.203` +- Bump `serde_json` to `1.0.117` +- Add local build script `build.sh` +- Add local build instructions to README.md +- Use SPDX format for license +- Update copyright year