token2/snapd
0
0
Fork 0
mirror of https://github.com/token2/snapd.git synced 2026-03-13 11:15:47 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
snapd/packaging/debian-sid/rules
Maciej Borzecki f6530b9f21 packaging/debian-sid: remove secboot related files from boot 
Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-06-10 08:38:49 +02:00

291 lines
13 KiB
Makefile
Executable File
Raw Permalink Blame History

#!/usr/bin/make -f
# -*- makefile -*-
#
# These rules should work for any debian-ish distro that uses systemd
# as init. That does _not_ include Ubuntu 14.04 ("trusty"); look for
# its own special rule file.
#
# Please keep the diff between that and this relatively small, even if
# it means having suboptimal code; these need to be kept in sync by
# sentient bags of meat.
#export DH_VERBOSE=1
export DH_OPTIONS
export DH_GOPKG := github.com/snapcore/snapd
#export DEB_BUILD_OPTIONS=nocheck
export DH_GOLANG_EXCLUDES=tests
# skip Go generate, all source code should have been committed
export DH_GOLANG_GO_GENERATE=0
export PATH:=${PATH}:${CURDIR}
# GOCACHE is needed by go-1.13+
export GOCACHE:=/tmp/go-build
include /etc/os-release
# On 18.04 the released version of apt (1.6.1) has a bug that causes
# problem on "apt purge snapd". To ensure this won't happen add the
# right dependency on 18.04.
ifeq (${VERSION_ID},"18.04")
SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
endif
# Same as above for 18.10 just a different version.
ifeq (${VERSION_ID},"18.10")
SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
endif
# this is overridden in the ubuntu/14.04 release branch
SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"
# The go tool does not fully support vendoring with gccgo, but we can
# work around that by constructing the appropriate -I flag by hand.
GCCGO := $(shell go tool dist env > /dev/null 2>&1 && echo no || echo yes)
# Disable -buildmode=pie mode on i386 as can panics in spectacular
# ways (LP: #1711052).
# See also https://forum.snapcraft.io/t/artful-i386-panics/
# Note while the panic is only on artful, that's because artful
# detects it; the issue potentially there on older things.
BUILDFLAGS:=-pkgdir=$(CURDIR)/_build/std
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),i386)
BUILDFLAGS+= -buildmode=pie
endif
GCCGOFLAGS=
ifeq ($(GCCGO),yes)
GOARCH := $(shell go env GOARCH)
GOOS := $(shell go env GOOS)
BUILDFLAGS:=
GCCGOFLAGS=-gccgoflags="-I $(CURDIR)/_build/pkg/gccgo_$(GOOS)_$(GOARCH)/$(DH_GOPKG)/vendor"
export DH_GOLANG_GO_GENERATE=0
# workaround for https://github.com/golang/go/issues/23721
export GOMAXPROCS=2
endif
# check if we need to include the testkeys in the binary
# TAGS are the go build tags for all binaries, SNAP_TAGS are for snap
# build only.
TAGS=nosecboot
SNAP_TAGS=nosecboot nomanagers
ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
TAGS+= withtestkeys
SNAP_TAGS+= withtestkeys
endif
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
BUILT_USING_PACKAGES=
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# DPKG_EXPORT_BUILDFLAGS = 1
# include /usr/share/dpkg/buildflags.mk
# Currently, we enable confinement for Ubuntu only, not for derivatives,
# because derivatives may have different kernels that don't support all the
# required confinement features and we don't to mislead anyone about the
# security of the system. Discuss a proper approach to this for downstreams
# if and when they approach us.
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
# On Ubuntu 16.04 we need to produce a build that can be used on wide
# variety of systems. As such we prefer static linking over dynamic linking
# for stability, predicability and easy of deployment. We need to link some
# things dynamically though: udev has no stable IPC protocol between
# libudev and udevd so we need to link with it dynamically.
VENDOR_ARGS=--enable-nvidia-multiarch --enable-static-libcap --enable-static-libapparmor --enable-static-libseccomp --with-host-arch-triplet=$(DEB_HOST_MULTIARCH)
ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),amd64)
VENDOR_ARGS+= --with-host-arch-32bit-triplet=$(shell dpkg-architecture -f -ai386 -qDEB_HOST_MULTIARCH)
endif
BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev
else
ifeq ($(shell dpkg-vendor --query Vendor),Debian)
VENDOR_ARGS=--enable-nvidia-multiarch
BUILT_USING_PACKAGES=libcap-dev
else
VENDOR_ARGS=--disable-apparmor
endif
endif
BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES))
%:
dh $@ --buildsystem=golang --with=golang --fail-missing --with systemd --builddirectory=_build
override_dh_fixperms:
dh_fixperms -Xusr/lib/snapd/snap-confine
# The .real profile is a workaround for a bug in dpkg LP: #1673247 that causes
# ubiquity to crash. It allows us to "move" the snap-confine profile from
# snap-confine into snapd in a way that works with old dpkg that is in the live
# CD image.
#
# Because both the usual and the .real profile describe the same binary the
# .real profile takes priority (as it is loaded later).
override_dh_installdeb:
dh_apparmor --profile-name=usr.lib.snapd.snap-confine.real -psnapd
dh_installdeb
override_dh_clean:
dh_clean
$(MAKE) -C data clean
# XXX: hacky
$(MAKE) -C cmd distclean || true
override_dh_auto_build:
# usually done via `go generate` but that is not supported on powerpc
GO_GENERATE_BUILDDIR=_build/src/$(DH_GOPKG) GO111MODULE=off GOPATH=$$(pwd)/_build ./mkversion.sh
# Build golang bits
mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
cp -a bootloader/assets/data _build/src/$(DH_GOPKG)/bootloader/assets
# exclude certain parts that won't be used by debian
find _build/src/$(DH_GOPKG)/cmd/snap-bootstrap -name "*.go" | xargs rm -f
find _build/src/$(DH_GOPKG)/cmd/snap-fde-keymgr -name "*.go" | xargs rm -f
find _build/src/$(DH_GOPKG)/gadget/install -name "*.go" | grep -vE '(params\.go|install_dummy\.go|kernel\.go)'| xargs rm -f
# XXX: once dh-golang understands go build tags this would not be needed
find _build/src/$(DH_GOPKG)/secboot/ -name "*.go" | grep -E '(.*_sb(_test)?\.go|.*_tpm(_test)?\.go|secboot_hooks.go|keymgr/)' | xargs rm -f
find _build/src/$(DH_GOPKG)/boot/ -name "*.go" | grep -E '(.*_sb(_test)?\.go)' | xargs rm -f
# and build, we cannot use modules as packaging on Debian requires us to use
# dependencies from the distro, and this would require further updates to the
# go.mod file
GO111MODULE=off dh_auto_build -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS)
(cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. go build $(BUILDFLAGS) $(GCCGOFLAGS) -tags "$(SNAP_TAGS)" $(DH_GOPKG)/cmd/snap)
# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
# Generate static snap-exec, snapctl and snap-update-ns - it somehow includes CGO so
# we must force a static build here. We need a static snap-{exec,update-ns}
# inside the core snap because not all bases will have a libc
(cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. CGO_ENABLED=0 go build -tags "$(TAGS)" $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-exec)
(cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. CGO_ENABLED=0 go build -tags "$(TAGS)" $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snapctl)
(cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. go build -tags "$(TAGS)" --ldflags '-extldflags "-static"' $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-update-ns)
# ensure we generated a static build
$(shell if ldd _build/bin/snap-exec; then false "need static build"; fi)
$(shell if ldd _build/bin/snap-update-ns; then false "need static build"; fi)
$(shell if ldd _build/bin/snapctl; then false "need static build"; fi)
endif
# ensure snap-seccomp is build with a static libseccomp on Ubuntu
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
sed -i "s|#cgo LDFLAGS:|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
(cd _build/bin && GOPATH=$$(pwd)/.. CGO_LDFLAGS_ALLOW="/.*/libseccomp.a" go build -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-seccomp)
# ensure that libseccomp is not dynamically linked
ldd _build/bin/snap-seccomp
test "$$(ldd _build/bin/snap-seccomp | grep libseccomp)" = ""
# revert again so that the subsequent tests work
sed -i "s|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|#cgo LDFLAGS:|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
endif
endif
# Build C bits, sadly manually
cd cmd && ( autoreconf -i -f )
cd cmd && ( ./configure --prefix=/usr --libexecdir=/usr/lib/snapd $(VENDOR_ARGS))
$(MAKE) -C cmd all
# Generate the real systemd/dbus/env config files
$(MAKE) -C data all
override_dh_auto_test:
GO111MODULE=off dh_auto_test -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/...
# a tested default (production) build should have no test keys
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
# check that only the main trusted account-keys are included
[ $$(strings _build/bin/snapd|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 2 ]
strings _build/bin/snapd|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
strings _build/bin/snapd|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
# same for snap-repair
[ $$(strings _build/bin/snap-repair|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 3 ]
# common with snapd
strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
# repair-root
strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: nttW6NfBXI_E-00u38W-KH6eiksfQNXuI7IiumoV49_zkbhM0sYTzSnFlwZC-W4t$$"
endif
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
# run the snap-confine tests
$(MAKE) -C cmd check
endif
override_dh_install-indep:
# we do not need this in the package, its just needed during build
rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
# toolbelt is not shippable
rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
# we do not like /usr/bin/snappy anymore
rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
# chrorder generator
rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
# bootloader assets generator
rm -f ${CURDIR}/debian/tmp/usr/bin/genasset
# asserts/info
rm -f ${CURDIR}/debian/tmp/usr/bin/info
# docs generator
rm -f ${CURDIR}/debian/tmp/usr/bin/docs
dh_install
override_dh_install-arch:
# we do not need this in the package, its just needed during build
rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
# toolbelt is not shippable
rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
# we do not like /usr/bin/snappy anymore
rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
# i18n stuff
mkdir -p debian/snapd/usr/share
if [ -d share/locale ]; then \
cp -R share/locale debian/snapd/usr/share; \
fi
# chrorder generator
rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
# bootloader assets generator
rm -f ${CURDIR}/debian/tmp/usr/bin/genasset
# asserts/info
rm -f ${CURDIR}/debian/tmp/usr/bin/info
# docs generator
rm -f ${CURDIR}/debian/tmp/usr/bin/docs
# Install snapd's systemd units / upstart jobs, done
# here instead of debian/snapd.install because the
# ubuntu/14.04 release branch adds/changes bits here
$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
# We called this apps-bin-path.sh instead of snapd.sh, and
# it's a conf file so we're stuck with it
mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
$(MAKE) -C cmd install DESTDIR=$(CURDIR)/debian/tmp
# Rename the apparmor profile, see dh_apparmor call above for an explanation.
mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real
# Ouside of core we don't need to install the following files:
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.autoimport.service
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.core-fixup.service
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.failure.service
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.service
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.timer
rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.system-shutdown.service
rm $(CURDIR)/debian/snapd/usr/lib/snapd/snapd.run-from-snap
dh_install
override_dh_auto_install: snap.8
dh_auto_install -O--buildsystem=golang
snap.8:
# fix reproducible builds as reported by:
# https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/snapd.html
# once golang-go-flags is fixed we can remove the "sed" expression
$(CURDIR)/_build/bin/snap help --man | sed '1 s/^.*/.TH snap 8 "$(shell date --reference=debian/changelog +"%d %B %Y")"/' > $@
override_dh_auto_clean:
dh_auto_clean -O--buildsystem=golang
rm -vf snap.8
override_dh_gencontrol:
dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
Reference in New Issue View Git Blame Copy Permalink