packaging: Add kanidmd deb package, update documentation (#3506)

* packaging: Use cargo-deb multiarch support This allows building all platforms from one definition, assuming the --multiarch=foreign flag is used. * packaging: Use correct path naming for unixd service files While cargo-deb works around the mistake, better to name them as per the rules: https://github.com/kornelski/cargo-deb/blob/main/systemd.md#systemd-unit-file-naming * docs: Update book chapter on Debian packaging * packaging: Shift Debian builds to a separate build profile * packaging: Add deb for kanidmd
2025-04-17 15:55:40 +02:00 · 2025-03-18 04:10:42 +02:00 · 2025-03-18 04:10:42 +02:00 · 1e91f244a2
parent 23bb656c6b
commit 1e91f244a2
11 changed files with 153 additions and 69 deletions
--- a/book/src/packaging/debian_ubuntu_packaging.md
+++ b/book/src/packaging/debian_ubuntu_packaging.md
@ -5,57 +5,45 @@
 - Debian packaging is complex enough that it lives in a separate repository:
 [kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation).
 - While official packages are available at https://kanidm.github.io/kanidm_ppa/ these instructions will guide you
-through replicating the same process locally, using [cross](https://github.com/cross-rs/cross) & Docker to isolate the build process
-from your normal computer and allow building packages for multiple architectures.
+through replicating the same process locally, using Docker to isolate the build process from your normal computer.
+- Due to the complexity of crosscompilation, we no longer support it and recommend building natively,
+i.e. on the platform you're targeting.
 - While the examples below will use `aarch64-unknown-linux-gnu` aka `arm64`,
 the same process works for `x86_64-unknown-linux-gnu` aka `amd64` as well.

 1. Start in the root directory of the main [kanidm/kanidm](https://github.com/kanidm/kanidm) repository.
-1. Install cross:
-   ```shell
-   cargo install cross
-   ```
 1. Pull in the separate deb packaging submodule:
   ```shell
   git submodule update platform/debian/kanidm_ppa_automation
   ```
-1. Launch your desired crossbuild target. Do note the script assumes you use rustup!
-   ```shell
-   # See valid targets:
-   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh
-   # Launch a target:
-   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-aarch64-unknown-linux-gnu
-   # You can also specify multiple targets within the same distribution:
-   platform/debian/kanidm_ppa_automation/scripts/crossbuild.sh debian-12-{aarch64,x86_64}-unknown-linux-gnu
-   ```
-1. Go get a drink of your choice while the build completes.
 1. Create a sacrificial deb builder container to avoid changing your own system:
   ```shell
-   docker run --rm -it -e CI=true \
+   docker run --rm -it -e VERBOSE=true -e CI=true \
       --mount "type=bind,src=$PWD,target=/src" \
       --workdir /src \
       rust:bookworm
   ```
 1. In the container install dependencies with:
   ```shell
-   # The parameter given is which additional target debian architecture to enable (amd64, arm64, etc.)
-   # If your native platform is amd64, running with arm64 is enough to cover both archs.
-   platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh arm64
+   platform/debian/kanidm_ppa_automation/scripts/install_ci_build_dependencies.sh
   ```
-1. In the container launch the deb build:
+1. Launch your desired target build:
+   ```shell
+   platform/debian/kanidm_ppa_automation/scripts/build_native.sh aarch64-unknown-linux-gnu
+   ```
+1. Go get a drink of your choice while the build completes.
+1. Launch the deb build:
   ```shell
   platform/debian/kanidm_ppa_automation/scripts/build_debs.sh aarch64-unknown-linux-gnu
-   # Again, multiple targets also work:
-   platform/debian/kanidm_ppa_automation/scripts/build_debs.sh {aarch64,x86_64}-unknown-linux-gnu
   ```
 1. You can now exit the container, the package paths displayed at the end under `target` will
   persist.

 ## Adding or amending a deb package
-The rough overview of steps is:
+The rough overview of steps is as follows, see further down for details.
 1. Add cargo-deb specific metadata to the rust package and any static assets. Submit your changes as
   a PR.
-2. Add build instructions to the separate packaging repo. Submit your changes as a PR.
+2. Add build steps to the separate packaging repo. Submit your changes as a PR.
 3. Go back to the main repo to update the packaging submodule reference to aid running manual dev
   builds of the new package.

@ -72,8 +60,8 @@ an example, see `unix_integration/resolver/Cargo.toml`
 ### Configuration in the kanidm_ppa_automation repo
 - The repo is: [kanidm/kanidm_ppa_automation](https://github.com/kanidm/kanidm_ppa_automation)
 - Changes are needed if a new binary and/or package is added, or if build time dependencies change.
- Amend `scripts/crossbuild.sh` build rules to include new binaries or packages with shared
-libraries. Search for the lines starting with `cross build`.
+- Amend `scripts/build_native.sh` build rules to include new binaries or packages with shared
+libraries.
 - Add any new build time system dependencies to `scripts/install_ci_build_dependencies.sh`, be aware
  of any difference in package names between Debian & Ubuntu.
 - Add any new packages to `scripts/build_debs.sh`, search for the line starting with `for package in`.
--- a/libs/profiles/release_debian.toml
+++ b/libs/profiles/release_debian.toml
@ -0,0 +1,14 @@
+# The main difference from the release_linux profile is using
+# per-package shared directories for a clearer separation and 
+# thus more consistent install & sysadmin experience.
+
+# Don't set the value for autodetect
+# cpu_flags = "none"
+server_admin_bind_path = "/var/run/kanidmd/sock"
+server_ui_pkg_path = "/usr/share/kanidmd/static"
+server_config_path = "/etc/kanidmd/server.toml"
+client_config_path = "/etc/kanidm/config"
+# TODO: unixd should migrate to it's own config dir as part of the sparkled migration.
+# No point in doing two back to back migrations.
+resolver_config_path = "/etc/kanidm/unixd"
+resolver_unix_shell_path = "/bin/bash"
--- a/server/daemon/Cargo.toml
+++ b/server/daemon/Cargo.toml
@ -57,6 +57,31 @@ clap = { workspace = true, features = ["derive"] }
 clap_complete = { workspace = true }
 kanidm_build_profiles = { workspace = true }

+## Debian packaging
+[package.metadata.deb]
+name = "kanidmd"
+maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
+# Can't use $auto depends because the name of libssl3 varies by distro and version
+depends = [
+	"libc6",
+	"tpm-udev",
+	"libssl3 | libssl3t64",
+]
+section = "network"
+priority = "optional"
+changelog = "../../target/debian/changelog"  # Generated by platform/debian/build_debs.sh
+assets = [
+    [ "target/release/kanidmd", "usr/bin/", "755" ],
+  	[ "debian/group.conf", "usr/lib/sysusers.d/kandimd.conf", "644" ],
+    [ "debian/server.toml", "etc/kanidmd/server.toml", "640" ],
+    [ "../../examples/server.toml", "usr/share/kanidmd/", "444" ],
+    [ "../core/static/**/*", "usr/share/kanidmd/static", "444" ],
+]
+maintainer-scripts = "debian/"
+systemd-units = [
+	{ unit-name = "kanidmd", enable = false},  # Cannot start without manual config
+]
+

 [package.metadata.cargo-machete]
 ignored = ["clap_complete", "kanidm_build_profiles"]
--- a/server/daemon/debian/group.conf
+++ b/server/daemon/debian/group.conf
@ -0,0 +1,2 @@
+# This is a sysusers.d format config, please refer to man sysusers.d(5)
+g kanidmd -
--- a/server/daemon/debian/daemon.kanidmd.service
+++ b/server/daemon/debian/daemon.kanidmd.service
@ -10,13 +10,15 @@ Before=radiusd.service
 [Service]
 Type=notify
 DynamicUser=yes
-StateDirectory=kanidm
+User=kanidmd_dyn
+Group=kanidmd
+StateDirectory=kanidmd
 StateDirectoryMode=0750
 CacheDirectory=kanidmd
 CacheDirectoryMode=0750
 RuntimeDirectory=kanidmd
 RuntimeDirectoryMode=0755
-ExecStart=/usr/sbin/kanidmd server -c /etc/kanidm/server.toml
+ExecStart=/usr/bin/kanidmd server

 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
--- a/server/daemon/debian/postinst
+++ b/server/daemon/debian/postinst
@ -0,0 +1,38 @@
+#!/bin/sh
+# postinst script for kanidmd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+
+case "$1" in
+    configure)
+        echo "Creating the kanidmd group for config & cert ownership..."
+        systemd-sysusers
+        echo "Fixing ownership of server configuration ..."
+        chown :kanidmd /etc/kanidmd/server.toml*
+
+        echo "============================="
+        echo "Thanks for installing Kanidm!"
+        echo "============================="
+        echo "Please ensure you modify the configuration file at /etc/kanidmd/server.toml"
+        echo "Only then: systemctl enable kanidmd.service"
+        echo "Full examples are in /usr/share/kanidmd/"
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- a/server/daemon/debian/server.toml
+++ b/server/daemon/debian/server.toml
@ -0,0 +1,51 @@
+# Kanidm server minimal configuration - /etc/kanidm/server.toml
+# For a full example and documentation, see /usr/share/kanidmd/server.toml
+# or `example/server.toml` in the source repository
+
+# NOTE: You must configure at least domain & origin below to allow the server to start!
+
+#   The webserver bind address. Requires TLS certificates.
+#   If the port is set to 443 you may require the
+#   NET_BIND_SERVICE capability.
+#   Defaults to "127.0.0.1:8443"
+bindaddress = "127.0.0.1:8443"
+
+#   The path to the kanidm database.
+#   The provided example uses systemd dynamic user pathing for security
+db_path = "/var/lib/private/kanidmd/kanidm.db"
+
+#   TLS chain and key in pem format. Both must be present.
+#   If the server receives a SIGHUP, these files will be
+#   re-read and reloaded if their content is valid.
+#   These should be owned by root:kanidmd to give the service access.
+tls_chain = "/etc/kanidmd/chain.pem"
+tls_key = "/etc/kanidmd/key.pem"
+
+log_level = "info"
+
+#   The DNS domain name of the server. This is used in a
+#   number of security-critical contexts
+#   such as webauthn, so it *must* match your DNS
+#
+#   ⚠️  WARNING ⚠️
+#
+#   Changing this value after first use WILL break many types of
+#   registered credentials for accounts including but not limited
+#   to: webauthn, oauth tokens, and more.
+#   If you change this value you *must* run
+#   `kanidmd domain rename` immediately after.
+# NOTE: You must set this value!
+#domain = "idm.example.com"
+#
+#   The origin for webauthn. This is the url to the server,
+#   with the port included if it is non-standard (any port
+#   except 443). This must match or be a descendent of the
+#   domain name you configure above. If these two items are
+#   not consistent, the server WILL refuse to start!
+#   origin = "https://idm.example.com"
+# NOTE: You must set this value!
+#origin = "https://idm.example.com:8443"
+
+[online_backup]
+path = "/var/lib/private/kanidmd/backups/"
+schedule = "00 22 * * *"
--- a/unix_integration/nss_kanidm/Cargo.toml
+++ b/unix_integration/nss_kanidm/Cargo.toml
@ -27,8 +27,6 @@ lazy_static = { workspace = true }
 cc = "^1.2.10"

 ## Debian packaging
-# The base metadata does **not** work to build a functioning package!
-# A target specific variant must be used to get the right multiarch path.
 [package.metadata.deb]
 name = "libnss-kanidm"
 maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
@ -36,27 +34,13 @@ depends = ""
 section = "network"
 priority = "optional"
 assets = [
-    # Empty on purpose
-]
-
-[package.metadata.deb.variants.aarch64-unknown-linux-gnu]
-merge-assets.append = [
    [
        "target/release/libnss_kanidm.so",
-        "usr/lib/aarch64-linux-gnu/libnss_kanidm.so.2",
+        # This is not the final path as cargo-deb needs to be run with --multiarch=foreign
+        "usr/lib/libnss_kanidm.so.2",
        "644",
    ],
 ]

-[package.metadata.deb.variants.x86_64-unknown-linux-gnu]
-merge-assets.append = [
-    [
-        "target/release/libnss_kanidm.so",
-        "usr/lib/x86_64-linux-gnu/libnss_kanidm.so.2",
-        "644",
-    ],
-]
-
-
 [package.metadata.cargo-machete]
 ignored = ["cc", "lazy_static"]
--- a/unix_integration/pam_kanidm/Cargo.toml
+++ b/unix_integration/pam_kanidm/Cargo.toml
@ -27,8 +27,6 @@ time = { workspace = true }
 pkg-config = { workspace = true }

 ## Debian packaging
-# The base metadata does **not** work to build a functioning package!
-# A target specific variant must be used to get the right multiarch path.
 [package.metadata.deb]
 name = "libpam-kanidm"
 maintainer = "James Hodgkinson <james@terminaloutcomes.com>"
@ -37,28 +35,10 @@ section = "network"
 priority = "optional"
 maintainer-scripts = "debian/"
 assets = [
-    # Empty on purpose
-]
-
-[package.metadata.deb.variants.aarch64-unknown-linux-gnu]
-merge-assets.append = [
    [
        "target/release/libpam_kanidm.so",
-        "usr/lib/aarch64-linux-gnu/security/pam_kanidm.so",
-        "644",
-    ],
-    [
-        "debian/kanidm.pam",
-        "usr/share/pam-configs/kanidm",
-        "644",
-    ],
-]
-
-[package.metadata.deb.variants.x86_64-unknown-linux-gnu]
-merge-assets.append = [
-    [
-        "target/release/libpam_kanidm.so",
-        "usr/lib/x86_64-linux-gnu/security/pam_kanidm.so",
+        # This is not the final path as cargo-deb needs to be run with --multiarch=foreign
+        "usr/lib/security/pam_kanidm.so",
        "644",
    ],
    [
--- a/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd-tasks.service
+++ b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd-tasks.service
--- a/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
+++ b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service