Adds package builds for Focal #5465
Conversation
eloquence
changed the title
kushaldas
force-pushed
the
focal_package_build
branch
from
1f458c9 to
1b4f03b
Compare
There was a problem hiding this comment.
First pass on visual review, requesting some cleanup between the various build directories. Much of the work here is intentionally copy/pasted from the xenial dirs, and I appreciate the your caution in avoiding breaking xenial-specific logic, @kushaldas. See in-line for opportunities to consolidate, or if not, at least document explicitly what's different and why it's different under focal.
Although I should have suggested it in #5444, the "make build-debs-focal" target is skipping all tests, even though the tests are present (but failing). We should either fix the packaging tests to get them passing, or else update the makefile target to include the "notest" string for clarity.
| override_dh_virtualenv: | ||
| dh_virtualenv \ | ||
| --python=/usr/bin/python3.8 \ | ||
| --extra-pip-arg "--verbose" \ |
There was a problem hiding this comment.
The only changes I can find in the rules file between xenial & focal are:
- python3.5 vs. python3.8
- xenial contains
--setuptools, whereas focal does not
Ideally we'd have this file templated so the rest is the same, but for now, can you add a comment explaining why setuptools is required for xenial but not for focal?
There was a problem hiding this comment.
I will add the setuptools, that was a mistake. Also, I will try to make it a template.
There was a problem hiding this comment.
I did and then remembered why i don't need it. By default it will install latest setuptools and with --setuptools flag we can now specify a specific version.
There was a problem hiding this comment.
By default it will install
Does "it" refer to the dh-virtualenv package? Even if the --setuptools flag is truly not required for the build process—and I agree, it doesn't appear to be—we still have an entire file duplicated except for this one flag, so a comment should be added to explain why it's not necessary.
| Homepage: https://securedrop.org | ||
| Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv | ||
| Standards-Version: 3.9.8 | ||
| X-Python3-Version: >= 3.8 |
There was a problem hiding this comment.
Is the X-Python3-Version field actually required? A quick glance at the dh-virtualenv source indicates it's not really used anywhere.
| Architecture: amd64 | ||
| Conflicts: libapache2-mod-wsgi,supervisor | ||
| Replaces: libapache2-mod-wsgi,supervisor | ||
| Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3 |
There was a problem hiding this comment.
The "Depends" line differs only in 3.5 -> 3.8 for the python packages. Can we not use the same name "python3" for both? I realize you'd have to touch xenial files to make this work. What do you think would be easiest to maintain for the remainder of the LTS window?
There was a problem hiding this comment.
LTS releases are not supposed to upgrade Python version. That is why I wanted to go this (easy) way.
install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal
Outdated
Show resolved
Hide resolved
| Conflicts: securedrop-ossec-server | ||
| Description: Installs the securedrop pre-configured OSSEC agent | ||
| This package installs an OSSEC agent pre-configured for the | ||
| SecureDrop app server. |
There was a problem hiding this comment.
Solid approach to multi-distro support. 👍 However, elsewhere in the diff I see that install_files/securedrop-ossec-agent/DEBIAN/control → ...s/build-ossec-deb-pkg/files/control-focal. Given thecontrol.j2introduction here, it apepars thatbuild-ossec-deb-pkg/files/control-focal` is no longer necessary, and should be removed.
There was a problem hiding this comment.
@conorsch These are two different packages :) ossec-agent and securedrop-ossec-agent.
|
|
||
| -- SecureDrop Team <[email protected]> Tue, 12 May 2020 18:37:42 +0000 | ||
|
|
||
| securedrop-app-code (1.2.2+xenial) xenial; urgency=medium |
There was a problem hiding this comment.
Focal changelog should not include historical xenial versions. Remove those, and start with the current/latest version for the focal history. (We did the same when moving from trusty to xenial.)
kushaldas
force-pushed
the
focal_package_build
branch
from
771ac3c to
aaf9dcc
Compare
|
It would run a higher risk of breaking the existing Xenial packaging, of course, but would it be possible (or worth the effort) to isolate all the release-specific differences (package dependency lists, paths, whatever) into variable files, and have those included at a single point, instead of sprinkling the "if focal" throughout? |
There was a problem hiding this comment.
Thanks @kushaldas , I agree with what others have said here, and I am pleased to report the packages are now built successfully 🎉
As mentioned by a previous reviewer in #5465 (review), this will not run the testinfra tests for packages, which can be useful to guard against regressions when doing packaging logic changes. When running the focal builder with tests (build-debs.sh test focal), I am observing 22 failing tests.
We should address as part of this PR, or file a follow-up ticket (and track it in the epic). I would lean towards addressing the tests here to both ease review and prevent future regressions.
install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2-focal
Outdated
Show resolved
Hide resolved
kushaldas
force-pushed
the
focal_package_build
branch
from
aaf9dcc to
1b28043
Compare
I am not sure, also the plan was to keep as minimal change as possible for this PR. |
| @@ -1,5 +1,5 @@ | |||
| --- | |||
| build_ossec_deb_pkg_dependencies: ['libevent1-dev','libpcre2-dev'] | |||
| build_ossec_deb_pkg_dependencies: ['libevent-dev','libpcre2-dev'] | |||
There was a problem hiding this comment.
Why is this dependency changed?
There was a problem hiding this comment.
+1, if we don't have to change this dependency, let's not. @kushaldas can you check whether the libevent1-dev is sufficient for both platforms? If not, can you provide documentation that libevent-dev is correct for both?
There was a problem hiding this comment.
This has to updated based on Focal or Xenial.
install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2
Outdated
Show resolved
Hide resolved
kushaldas
force-pushed
the
focal_package_build
branch
from
1b28043 to
57fca68
Compare
| Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, haveged, libapache2-mod-xsendfile, libpython3.5, paxctld, python3 (>= 3.5), python3 (<< 3.6), redis-server, securedrop-config, securedrop-keyring, sqlite3 | ||
| {% endif %} |
There was a problem hiding this comment.
Much improved! As discussed today in tech meeting, can we further consolidate the dependencies for libpython3.8 -> libpython3 for both platforms? Maybe that's not possible, but if it is, it'd greatly simplify the logic in play.
There was a problem hiding this comment.
It seems this can not be done.
# apt install libpython3
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libpython3
| @@ -6,7 +6,11 @@ Homepage: https://securedrop.org | |||
| Package: securedrop-ossec-server | |||
| Version: 3.6.0+1.6.0~rc1 | |||
| Architecture: amd64 | |||
| {% if securedrop_build_focal_support %} | |||
| Depends: libevent-2.1.7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config | |||
| {% else %} | |||
| Depends: libevent-1.4-2,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config | |||
There was a problem hiding this comment.
As above, perhaps we can standardize on a single libevent metapackage that would work well. Can you check whether that's possible and add if so?
There was a problem hiding this comment.
# apt install libevent
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package libevent
This is also not possible due to package naming.
|
Only very small changes remain, mostly cleaning up package names and preferring cross-distribution metapackage names where possible. It may not be possible everywhere, but let's reduce the number of times we're forced to say if/else in the build logic.
I took the liberty of re-enabling the tests, since recent changes by @kushaldas resulted in all of them passing for me locally. I noticed an apparently-unrelated test flake on the staging (xenial) job in CI, so bounced. After a few more package renames if possible, I think this is good to merge—then the next big item will be creating the staging env to use these new packages. |
kushaldas
force-pushed
the
focal_package_build
branch
from
e018a87 to
8a4d184
Compare
|
I plan to re-review this tomorrow, although it'd be grand to get #5477 in first, so we can be sure there are no regressions with the Xenial build logic. |
This is dependent on #5458
With different dependencies for Xenial and Focal
securedrop-app-code control file is now a template. We don't need --setuptools in rules file as by default virtualenv will install the latest setuptools. Also clean changelog for Focal. We are using single usr.sbin.apache2 for both distribution. Updates the tests var as we rebased against develop.
The testinfra suite for packages is fully passing for focal packages, but the test suite was being skipped. Updated the package build targets to be a bit more explicit about platforms.
libevent1-dev and libevent are two different package, libevent1 is being used in Xenial and libevent (which is the version 2) is being used in Focal.
The latest virtualenv in Focal needs `--setuptools version` in the command line, where as the old verison on Xenial will work with just `--setuptools`. This commit also uses the same build system from Xenial in Focal for building the securedrop-app-code package.
kushaldas
force-pushed
the
focal_package_build
branch
from
8a4d184 to
dd872db
Compare
The test suite for validating deb packages was duplicated between Xenial & Focal. That's going to run a risk of tests only being updated in a single location, as was done in #5477. We have the ability to customize behavior of the tests via env vars, so let's keep the same test suite for now.
There was a problem hiding this comment.
Looks great! The separation between distros is well done here. I suspect we may want to use platform-specific vars in the Ansible logic as continue to drive toward full Focal support, but that's best addressed as part of #5468 anyway.
I made one more change, de-duplicating the packaging tests between Xenial & Focal, to include the new tests we added in #5477. Both packaging targets and all the corresponding tests are passing for me locally, will merge once CI passes.
Status
Ready for review
Description of Changes
Fixes #5449
This PR contains the changes required for
securedrop-app-codeandossecpackagesto be built on Ubuntu Focal. This requires #5458 to be merged first, so that I can rebase.
Testing
make build-debs-focalshould create all the related packages for Focalmake build-debsbuilds packages for Xenial.Deployment
Any special considerations for deployment? Consider both:
Checklist
If you made changes to the server application code:
make lint) and tests (make test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locallyIf you added or updated a code dependency:
Choose one of the following: