Packaging the configs into RPM #174
Awesome! Can you add a test plan for this?
So I got this working with a slight tweak .. step 6 I had to run
I'd like to improve the automation story here, and publish the docker image to quay as part of this ticket.
Means you did it from another directory, I guess :)
Blocked by #172; should be rebased on top of master after #172 is merged. Doing so will account for:
- fixing CI flake8 errors
- ensuring the new updater logic is present in the package
We also need docs on the build process, and ideally a script or Makefile target to keep the process on the rails for maintenance going forward.
That reminds me, like all the other places, I am going to exclude
#172 has been merged, so ready for rebase and improvements here.
Sure, works for me. It should be runnable locally as well as in CI, same as the flake8 checks. Then should be fine. Open a ticket with a dev-env tag, that'll be an easy one to knock out soon.
I am testing the rpm on And it works :D
@kushaldas Those 6 steps you've listed in the testing instructions should be scripted, and referenced in the top-level Makefile. Otherwise, after merge, we'll have to dig out this PR in order to reproduce the build. cc @heartsucker
For now @msheiny tested out the steps; that will also require pushing a container image and other steps.
I can tackle either in this PR or another ticket? Preference?
@msheiny go ahead and add the Dockerfile config to https://github.com/freedomofpress/containers, then we can add the scripting steps here to pull from that once it's pushed
Okay! @conorsch can you clarify who
@msheiny Good call; please add the steps directly to this PR, then I can use those scripts to test the RPM build!
@conorsch ping for re-review
After building the rpms several times, I always get different hashes for the .rpms. Am I missing something locally to make the build completely reproducible?
I also get the same behavior while doing `python3 setup.py sdist`: the tarball created has a different hash.
Given the contents of the package, is it something that is doable in this case?
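The reproducibility question above (different hashes from repeated `python3 setup.py sdist` and rpmbuild runs) is illustrated by the following added example; it is not code from this PR or from the securedrop-workstation project. It assumes the usual sources of nondeterminism in a tarball: on-disk mtimes, the builder's uid/gid and account names, umask-dependent modes, and the timestamp in the gzip header. It builds a small constructed source tree from two "checkouts" made a day apart, shows that a plain `w:gz` archive hashes differently each time, and shows that normalizing those fields (a fixed `SOURCE_DATE_EPOCH`, uid/gid 0, sorted members, zeroed gzip header) makes the bytes identical. The archive root name `securedrop-workstation-0.0.1` and the epoch value are hypothetical. The RPM header additionally records build time and build host, which this example does not cover.

```python
"""Why two sdist tarballs of the same tree hash differently, and how to fix it.
Added example, not project code. Constructed sample tree; epoch and names assumed."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Assumed fixed build timestamp; a real build would read the SOURCE_DATE_EPOCH env var.
SOURCE_DATE_EPOCH = 1_500_000_000
ARC_ROOT = "securedrop-workstation-0.0.1"  # hypothetical sdist top-level directory name


def make_tree(root: Path) -> None:
    """Constructed sample source tree standing in for a git checkout."""
    (root / "setup.py").write_text("from setuptools import setup\nsetup(name='securedrop-workstation')\n")
    (root / "dom0").mkdir()
    (root / "dom0" / "sd-proxy.top").write_text("base:\n  dom0:\n    - sd-proxy\n")
    (root / "dom0" / "sd-proxy.sls").write_text("sd-proxy:\n  qvm.present\n")


def naive_tarball(root: Path) -> bytes:
    """What a plain 'w:gz' archive records: on-disk mtimes, uid/gid and account
    names of the builder, plus a gzip header stamped with the current time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(root, arcname=ARC_ROOT)
    return buf.getvalue()


def reproducible_tarball(root: Path, epoch: int = SOURCE_DATE_EPOCH) -> bytes:
    """Same tree, with every nondeterministic field normalized."""
    def normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
        info.mtime = epoch                            # clamp timestamps to the build epoch
        info.uid = info.gid = 0                       # drop the builder's numeric ids
        info.uname = info.gname = ""                  # and their account names
        info.mode = 0o755 if info.isdir() else 0o644  # ignore umask differences
        return info

    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.add(root, arcname=ARC_ROOT, recursive=False, filter=normalize)
        # Add members in sorted order so the archive does not depend on readdir order.
        for path in sorted(root.rglob("*")):
            arcname = str(Path(ARC_ROOT) / path.relative_to(root))
            tar.add(path, arcname=arcname, recursive=False, filter=normalize)

    out = io.BytesIO()
    # The gzip header carries its own mtime and original-filename fields; zero both.
    with gzip.GzipFile(filename="", mode="wb", fileobj=out, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def member_names(data: bytes) -> list:
    """Read the archive back, to confirm the normalized output is still a valid tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds() -> dict:
    """Build the same tree from two checkouts made a day apart and hash both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        trees = []
        for i, checkout_time in enumerate((1_600_000_000, 1_600_086_400)):
            root = Path(tmp) / f"checkout{i}"
            root.mkdir()
            make_tree(root)
            for path in [root, *root.rglob("*")]:
                os.utime(path, (checkout_time, checkout_time))
            trees.append(root)
        return {
            "naive": [sha256(naive_tarball(t)) for t in trees],
            "reproducible": [sha256(reproducible_tarball(t)) for t in trees],
            "members": member_names(reproducible_tarball(trees[0])),
        }


if __name__ == "__main__":
    result = compare_builds()
    print("naive       :", result["naive"])        # two different digests
    print("reproducible:", result["reproducible"])  # the same digest twice
```

The same normalization is what `SOURCE_DATE_EPOCH` support in setuptools and `rpmbuild` is meant to apply; checking the tarball's member mtimes with `tar tvzf` is the quickest way to see which fields are still leaking.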
scripts/rpmbuilder.Dockerfile
@@ -0,0 +1,13 @@ | |||
ARG RPM_VER | |||
FROM quay.io/freedomofpress/rpmbuilder:${RPM_VER} |
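Review bot: `FROM quay.io/freedomofpress/rpmbuilder:${RPM_VER}` selects the base image by a mutable tag, so the registry (or anyone who can push to it) can change what the build runs on without any change in this repo; the request below to pin the image hash is the right fix. Reference the image by digest, e.g. `FROM quay.io/freedomofpress/rpmbuilder@sha256:<digest>`, keeping `ARG RPM_VER` only if the version string is still wanted for labelling, and record where the digest is expected to live (the later commit message in this PR says it was moved into the build script) so the pin is updated deliberately rather than silently.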
Could we also pin the hash of the image?
👍
Ready for review! I've rewritten the test plan, to reflect the current state of the changes as presented. The RPM built by this process is not currently hosted for direct installation, but merge of this PR will unblock that follow-up work. Would appreciate re-review by @kushaldas, as well as fresh eyes from @emkll and perhaps @rmol.
Made many edits, requesting review from another team member
Will review it this week. |
Now one can use `python3 setup.py sdist` to create a tarball
Also updates the .gitignore file for adding spec files. Before publishing the actual RPM, we will have to fix #173
Also adds Makefile to the final package
This probably could use some tests :)
Very preliminary and needs tests.
For securiteh.
The RPM dom0 package work was left unmerged for several months, so it lagged behind master branch changes, including the conversion of sd-journalist -> sd-proxy. Fixes a few small issues:
* Python 3.5.4 showed a unicode error on README
* Example JSON config file wasn't named correctly
Rather than sprinkle in numerous volume mounts into the build container, let's mount the entire git repo, and copy artifacts within the container to locations as necessary.
By default, new Saltstack .top files (the config files that map tasks to target hosts/VMs) will be skipped. We must explicitly enable them for the salt runs via qubesctl to include the logic shipped in the package. Let's port the find/enable logic from the Makefile and place that in the RPM spec, under the `%post` macro, which is the equivalent of a `postinst` script in a Debian package.
The catch-all name "securedrop-workstation" can refer to many different things, including the entirety of the workstation setup. The RPM package containing the VM config logic for setting up the various application components is specific to dom0 (in Qubes parlance), so we'll include dom0 in the package name, to be consistent with e.g. `qubes-gpg-split-dom0`.
Disables networking on the container image. We're using Fedora-25, which is EOL, and the build process doesn't require network, so let's disable it. Also moves the pinned container hash into the build script, since it didn't need to be in the Makefile.
Updates the Makefile targets to enable testing of the manually installed dom0 RPM package for salt configs. Previously, the `make all` action would clobber salt files with the contents of the locally cloned git dir. Now, the `prep-salt` action is a bit more conservative: it will only copy in the secrets (which are not handled by the RPM), and ignore the salt dirs if the target dir already exist. If `make clean` is run before `make all`, then local files will be copied over. Also updated the `make clean` logic to purge scripts and uninstall the dom0 config RPM if it's present.
find /srv/salt -maxdepth 1 -type f -iname '*.top' \ | ||
| xargs -n1 basename \ | ||
| sed -e 's/\.top$$//g' \ | ||
| xargs qubesctl top.enable > /dev/null |
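Review bot: `sed -e 's/\.top$$//g'` uses Makefile escaping (`$$` becomes `$` when make runs the recipe), but the commit message says this logic is being ported out of the Makefile into the spec's `%post`. In a spec scriptlet nothing un-escapes `$$`: inside single quotes the shell passes it through, and sed then treats the first `$` as a literal character and only the second as the end anchor, so `.top` is never stripped and `qubesctl top.enable` receives `name.top` instead of `name`. Please confirm which file this hunk lands in and, if it is the spec, use a single `$` as in the manual run in the reply below (`sed -e 's/\.top$//g'`), or replace the `basename | sed` pair with `basename -s .top`. The `> /dev/null` keeps stderr, so a failing `top.enable` will still surface in the install transaction; consider also whether the scriptlet should exit non-zero in that case.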
@conorsch Won't this step take too much time?
@kushaldas Try running it:
[user@dom0 securedrop-workstation]$ time { sudo find /srv/salt -maxdepth 1 -type f -iname '*.top' \
> | xargs -n1 basename \
> | sed -e 's/\.top$//g' \
> | xargs sudo qubesctl top.enable ; }
On my machine, it takes about 4s:
real 0m4.380s
user 0m1.651s
sys 0m2.443s
Even if it takes much longer, we must mark those top files as "enabled," otherwise they'll be disregarded by qubesctl actions for enforcing configurations.
Finally, this is approved from my side. But, as I created the original PR, Github will not allow me to approve my own PR. @conorsch or @redshiftzero or @emkll please approve this one in the UI.
🦄 👍
@kushaldas and I collaborated on this PR, and we're both satisfied with the work. Approving formally to unblock merge.
Fixes #171.

We can now create a source tarball using the `python3 setup.py sdist` command, and then use the given spec file to build an RPM.

How to test?

1. `sd-dev` (or other dev AppVM): run `make dom0-rpm` to create the RPM package.
2. `make clone` to fetch the latest dir, including the freshly built RPM.
3. `make clean` to remove any prior dev env state.
4. `sudo dnf install ./rpm-build/RPMS/noarch/securedrop-workstation-0.0.1-1.fc25.noarch.rpm`
5. `make all`. `echo $?` should show `0`.
6. `make test` and confirm no errors.