Merge pull request #5465 from freedomofpress/focal_package_build

Adds package builds for Focal
freedomofpress · Sep 3, 2020 · 6013c5e · 6013c5e
2 parents da6aed8 + c4d69c9
commit 6013c5e
Show file tree

Hide file tree

Showing 21 changed files with 101 additions and 662 deletions.
diff --git a/Makefile b/Makefile
@@ -318,23 +318,28 @@ update-user-guides:  ## Run the page layout tests to regenerate screenshots.
 ###########
 
 .PHONY: build-debs
-build-debs: ## Build and test SecureDrop Debian packages.
-	@echo "Building SecureDrop Debian packages..."
+build-debs: ## Build and test SecureDrop Debian packages (for Xenial)
+	@echo "Building SecureDrop Debian packages for Xenial..."
 	@$(SDROOT)/devops/scripts/build-debs.sh
 	@echo
 
 .PHONY: build-debs-notest
-build-debs-notest: ## Build SecureDrop Debian packages without running tests.
-	@echo "Building SecureDrop Debian packages; skipping tests..."
+build-debs-notest: ## Build SecureDrop Debian packages (for Xenial) without running tests.
+	@echo "Building SecureDrop Debian packages for Xenial; skipping tests..."
 	@$(SDROOT)/devops/scripts/build-debs.sh notest
 	@echo
 
 .PHONY: build-debs-focal
-build-debs-focal: ## Build and test SecureDrop Debian packages.
-	@echo "Building SecureDrop Debian packages..."
-	@$(SDROOT)/devops/scripts/build-debs.sh notest focal
+build-debs-focal: ## Build and test SecureDrop Debian packages (for Focal)
+	@echo "Building SecureDrop Debian packages for Focal..."
+	@$(SDROOT)/devops/scripts/build-debs.sh test focal
 	@echo
 
+.PHONY: build-debs-notest-focal
+build-debs-notest-focal: ## Build SecureDrop Debian packages (for Focal) without running tests.
+	@echo "Building SecureDrop Debian packages for Focal; skipping tests..."
+	@$(SDROOT)/devops/scripts/build-debs.sh notest focal
+	@echo
 
 
 ########################

diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-ossec-deb-pkg/defaults/main.yml
@@ -1,5 +1,7 @@
 ---
-build_ossec_deb_pkg_dependencies: ['libevent1-dev','libpcre2-dev']
+build_ossec_deb_pkg_dependencies:
+  - "libpcre2-dev"
+  - "{{ 'libevent-dev' if securedrop_build_focal_support else 'libevent1-dev' }}"
 
 ossec_server_hostname: ossec-server
 ossec_version: 3.6.0
@@ -23,3 +25,8 @@ ossec_build_rsync_ansible_hack_opt:
   - "--rsync-path='sudo rsync'"
 
 ossec_source_checksum: sha256:653828a19137b8a7e98af65e873318f7bb48137fe1e61b80577e13c316e04708
+
+# Default is xenial.
+securedrop_build_focal_support: False
+securedrop_package_dist: "{{ 'focal' if securedrop_build_focal_support else 'xenial' }}"
+
diff --git a/...les/securedrop-ossec-agent/DEBIAN/control → ...s/build-ossec-deb-pkg/files/control-focal b/...les/securedrop-ossec-agent/DEBIAN/control → ...s/build-ossec-deb-pkg/files/control-focal
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/templates/agent_control.j2 b/install_files/ansible-base/roles/build-ossec-deb-pkg/templates/agent_control.j2
@@ -6,6 +6,10 @@ Homepage: http://ossec.net
 Package: ossec-agent
 Version: {{ ossec_version }}
 Architecture: amd64
+{% if securedrop_build_focal_support %}
+Depends: libc6,libssl1.1,expect,inotify-tools,adduser
+{% else %}
 Depends: libc6,libssl1.0.0,expect,inotify-tools,adduser
+{% endif %}
 Conflicts: ossec-server
 Description: Installs the generic ossec agent
diff --git a/install_files/ansible-base/roles/build-ossec-deb-pkg/templates/server_control.j2 b/install_files/ansible-base/roles/build-ossec-deb-pkg/templates/server_control.j2
@@ -6,6 +6,10 @@ Homepage: http://ossec.net
 Package: ossec-server
 Version: {{ ossec_version }}
 Architecture: amd64
+{% if securedrop_build_focal_support %}
+Depends: libc6 (>=2.7),libssl1.1,adduser,expect,inotify-tools
+{% else %}
 Depends: libc6,libssl1.0.0,adduser,expect,libc6 (>= 2.7),inotify-tools
+{% endif %}
 Conflicts: ossec-agent
 Description: Installs generic OSSEC server
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml
@@ -8,11 +8,6 @@ securedrop_code_filtered: "{{ securedrop_app_code_prep_dir }}/var/www/securedrop
 
 securedrop_pip_requirements: "{{ securedrop_code_filtered }}/requirements/python3/securedrop-app-code-requirements.txt"
 
-# SecureDrop virtualenv location
-securedrop_venv: "/opt/venvs/securedrop-app-code"
-securedrop_venv_bin: "{{ securedrop_venv }}/bin"
-securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
-
 # SecureDrop code installation directory
 securedrop_code: /var/www/securedrop
 
@@ -45,4 +40,16 @@ securedrop_app_rsync_opts:
 
 securedrop_local_build: "../../build"
 
-securedrop_package_dist: xenial
+# Default is xenial.
+securedrop_build_focal_support: False
+securedrop_package_dist: "{{ 'focal' if securedrop_build_focal_support else 'xenial' }}"
+
+# SecureDrop virtualenv location
+securedrop_venv: "/opt/venvs/securedrop-app-code"
+securedrop_venv_bin: "{{ securedrop_venv }}/bin"
+securedrop_python_version: "{{ '3.8' if securedrop_build_focal_support else '3.5' }}"
+securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python{{ securedrop_python_version }}/site-packages"
+
+securedrop_app_focal_files:
+  - src: securedrop-app-code.triggers-focal
+    dest: "{{ securedrop_app_code_prep_dir }}/debian/securedrop-app-code.triggers"
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
@@ -0,0 +1,5 @@
+securedrop-app-code (1.6.0~rc1+focal) focal; urgency=medium
+
+  * 
+
+ -- SecureDrop Team <[email protected]>  Thu, 18 Jun 2020 21:58:23 +0000
diff --git a/...ble-base/roles/build-securedrop-app-code-deb-pkg/files/securedrop-app-code.triggers-focal b/...ble-base/roles/build-securedrop-app-code-deb-pkg/files/securedrop-app-code.triggers-focal
@@ -0,0 +1,7 @@
+# Register interest in Python interpreter changes; and
+# don't make the Python package dependent on the virtualenv package
+# processing (noawait)
+interest-noawait /usr/bin/python3.8
+
+# Also provide a symbolic trigger for all dh-virtualenv packages
+interest dh-virtualenv-interpreter-update
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2
@@ -70,6 +70,7 @@
   /etc/magic r,
   /etc/mime.types r,
   /etc/python3.5/sitecustomize.py r,
+  /etc/python3.8/sitecustomize.py r,
   /etc/services r,
   /etc/timezone r,
   /lib/x86_64-linux-gnu/libbz2.so.* mr,
@@ -87,6 +88,7 @@
   /run/apache2/wsgi.*.sock rw,
   /run/lock/apache2/rewrite-map.* rw,
   /run/lock/apache2/ssl-cache.* rwk,
+  /run/systemd/userdb/io.systemd.DynamicUser r,
   /run/shm rw,
   /sbin/ldconfig rix,
   /sbin/ldconfig.real rix,
@@ -107,6 +109,9 @@
   /opt/venvs/securedrop-app-code/bin/python3 r,
   /opt/venvs/securedrop-app-code/lib/python3.5/ r,
   /opt/venvs/securedrop-app-code/lib/python3.5/** rm,
+  /opt/venvs/securedrop-app-code/lib/python3.8/ r,
+  /opt/venvs/securedrop-app-code/lib/python3.8/** rm,
+  /opt/venvs/securedrop-app-code/pyvenv.cfg r,
   /var/lib/securedrop/ r,
   /var/lib/securedrop/db.sqlite kw,
   /var/lib/securedrop/db.sqlite rwk,

diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -57,6 +57,18 @@
     src: "changelog-{{ securedrop_package_dist }}"
     dest: "{{ securedrop_app_code_prep_dir }}/debian/changelog"
 
+- name: Replace the files required for focal package
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  with_items: "{{ securedrop_app_focal_files }}"
+  when: securedrop_build_focal_support
+
+- name: Create the control file based on distribution
+  template:
+    src: "control.j2"
+    dest: "{{ securedrop_app_code_prep_dir }}/debian/control"
+
 - name: Create lib/systemd/services directory in prep directory
   file:
     state: directory
@@ -107,7 +119,7 @@
   environment:
     DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
     DH_UPGRADE_SETUPTOOLS: "46.0.0"
-    DH_VIRTUALENV_ARGUMENTS: "--python=/usr/bin/python3.5 --setuptools"
+    DH_VIRTUALENV_ARGUMENTS: "{{  '--python=/usr/bin/python3.8 --setuptools  46.0.0' if securedrop_build_focal_support else '--python=/usr/bin/python3.5 --setuptools' }}"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
 
 - name: Find newly built Debian package

diff --git a/..._files/securedrop-app-code/debian/control → ...rop-app-code-deb-pkg/templates/control.j2 b/..._files/securedrop-app-code/debian/control → ...rop-app-code-deb-pkg/templates/control.j2
@@ -5,11 +5,14 @@ Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv
 Standards-Version: 3.9.8
-X-Python3-Version: >= 3.5
 
 Package: securedrop-app-code
 Architecture: amd64
 Conflicts: libapache2-mod-wsgi,supervisor
 Replaces: libapache2-mod-wsgi,supervisor
+{% if securedrop_build_focal_support %}
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
+{% else %}
 Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3
+{% endif %}
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control.j2 b/install_files/securedrop-ossec-agent/DEBIAN/control.j2
@@ -0,0 +1,18 @@
+Source: ossec.net
+Section: web
+Priority: optional
+Maintainer: SecureDrop Team <securedrop@freedom.press>
+Homepage: https://securedrop.org
+Package: securedrop-ossec-agent
+Version: 3.6.0+1.6.0~rc1
+Architecture: amd64
+{% if securedrop_build_focal_support %}
+Depends: libevent-2.1.7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
+{% else %}
+Depends: libevent-1.4-2,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
+{% endif %}
+Replaces: ossec-agent
+Conflicts: securedrop-ossec-server
+Description: Installs the securedrop pre-configured OSSEC agent
+  This package installs an OSSEC agent pre-configured for the
+  SecureDrop app server.
diff --git a/...es/securedrop-ossec-server/DEBIAN/control → ...securedrop-ossec-server/DEBIAN/control.j2 b/...es/securedrop-ossec-server/DEBIAN/control → ...securedrop-ossec-server/DEBIAN/control.j2
@@ -6,7 +6,11 @@ Homepage: https://securedrop.org
 Package: securedrop-ossec-server
 Version: 3.6.0+1.6.0~rc1
 Architecture: amd64
+{% if securedrop_build_focal_support %}
+Depends: libevent-2.1.7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
+{% else %}
 Depends: libevent-1.4-2,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
+{% endif %}
 Replaces: ossec-server
 Conflicts: securedrop-ossec-agent
 Description: Installs the pre-packaged OSSEC server

diff --git a/molecule/builder-focal/molecule.yml b/molecule/builder-focal/molecule.yml
@@ -74,6 +74,8 @@ verifier:
     n: auto
   env:
     SECUREDROP_TARGET_PLATFORM: focal
-  directory: tests/
+    SECUREDROP_PYTHON_VERSION: "3.8"
+  # Reuse the same test suite for all packages
+  directory: ../builder-xenial/tests/
   lint:
     name: flake8
diff --git a/molecule/builder-focal/tests/conftest.py b/molecule/builder-focal/tests/conftest.py
diff --git a/molecule/builder-focal/tests/test_build_dependencies.py b/molecule/builder-focal/tests/test_build_dependencies.py
diff --git a/molecule/builder-focal/tests/test_legacy_paths.py b/molecule/builder-focal/tests/test_legacy_paths.py