diff --git a/.github/workflows/debian_package_kanidm.yml b/.github/workflows/debian_package_kanidm.yml
index 161dd1e94..cc427a3a3 100644
--- a/.github/workflows/debian_package_kanidm.yml
+++ b/.github/workflows/debian_package_kanidm.yml
@@ -11,40 +11,69 @@ concurrency: cancel-in-progress: true jobs: build-deb-package: - runs-on: ubuntu-20.04 + name: Build deb packages + strategy: + matrix: + image: + - ubuntu:22.04 + - ubuntu:20.04 + - ubuntu:18.04 + - debian:11 + - debian:10 + runs-on: ubuntu-latest + container: + image: ${{ matrix.image }} + env: + DEBIAN_FRONTEND: noninteractive steps: - name: Checkout uses: actions/checkout@v3 - + - name: Update package manager + run: apt-get update + - name: Install dependencies + run: | + apt-get install -y \ + lsb-release \ + libpam0g-dev \ + libudev-dev \ + libssl-dev \ + libsqlite3-dev \ + pkg-config \ + make \ + curl \ + sudo - name: Install Rust uses: actions-rs/toolchain@v1 with: toolchain: stable override: true default: true - - name: Update package manager - run: sudo apt-get update - - name: Install dependencies - run: | - sudo apt-get install -y \ - libpam0g-dev \ - libudev-dev \ - libssl-dev \ - libsqlite3-dev \ - pkg-config \ - make - - uses: jetli/wasm-pack-action@v0.4.0 - with: - # Optional version of wasm-pack to install(eg. 'v0.9.1', 'latest') - version: 'latest' - name: "Doing the package build" run: | make -f platform/debian/Makefile debs/all + - name: Upload debs + uses: actions/upload-artifact@v3 + with: + name: ubuntu-packages + path: | + target/*.deb + upload-to-releases: + name: Upload to releases + needs: build-deb-package + runs-on: ubuntu-latest + steps: + - name: Download previously built debs + uses: actions/download-artifact@v3 + with: + name: ubuntu-packages + - name: List packages + run: | + ls - uses: "marvinpinto/action-automatic-releases@latest" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" automatic_release_tag: "latest" prerelease: true - title: "Ubuntu Packages (20.04)" - files: target/*.deb + title: "Ubuntu Packages" + files: "*.deb" if: ${{ github.ref == 'refs/heads/master' }} diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index db3ba72ae..a94287866 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md 
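Review bot: The new `upload-to-releases` job publishes a release with `secrets.GITHUB_TOKEN` but declares no `permissions:` block, so the token carries whatever the repository default grants; scope it on that job with `permissions:` followed by `contents: write` beneath it, so the matrix build job can stay read-only (the workflow header with any top-level `permissions:` is outside the hunk, so a default may already exist). All five matrix legs upload to the same artifact name `ubuntu-packages`, which only avoids one leg overwriting another because the per-distribution filenames from the new `override_dh_builddeb` rules keep the `.deb` names distinct; a comment on the `Upload debs` step saying so would stop someone from reverting that override in isolation. The release `title: "Ubuntu Packages"` is now inaccurate since `debian:11` and `debian:10` are in the matrix.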
@@ -22,6 +22,7 @@ - Florian Klink (flokli) - Kaleb Olson (kalebo) - Jan Christoph Ebersbach (jceb) +- Yuxuan Lu (leoleoasd) ## Acknowledgements diff --git a/examples/systemd/kanidm-unixd.service b/examples/systemd/kanidm-unixd.service index 229d427ea..eeafab3f4 100644 --- a/examples/systemd/kanidm-unixd.service +++ b/examples/systemd/kanidm-unixd.service @@ -1,5 +1,5 @@ # You should not need to edit this file. Instead, use a drop-in file by running: -# systemctl edit kanidm-unixd-tasks.service +# systemctl edit kanidm-unixd.service [Unit] Description=Kanidm Local Client Resolver diff --git a/examples/systemd/kanidmd.service b/examples/systemd/kanidmd.service index f65b2890b..5c56594f7 100644 --- a/examples/systemd/kanidmd.service +++ b/examples/systemd/kanidmd.service @@ -1,5 +1,5 @@ # You should not need to edit this file. Instead, use a drop-in file by running: -# systemctl edit kanidm-unixd-tasks.service +# systemctl edit kanidmd.service [Unit] Description=Kanidm, the IDM for rustaceans diff --git a/kanidm_book/src/packaging_debs.md b/kanidm_book/src/packaging_debs.md index 3ef50e46c..f762d439c 100644 --- a/kanidm_book/src/packaging_debs.md +++ b/kanidm_book/src/packaging_debs.md @@ -16,10 +16,8 @@ debs/kanidm: build a .deb for the Kanidm CLI debs/kanidmd: build a .deb for the Kanidm daemon -debs/kanidm-ssh: - build a .deb for the Kanidm SSH tools debs/kanidm-unixd: - build a .deb for the Kanidm UNIX tools (PAM/NSS, unixd and related tools) + build a .deb for the Kanidm UNIX tools (PAM/NSS, unixd and related tools) and SSH tools debs/all: build all the debs ``` diff --git a/platform/debian/Makefile b/platform/debian/Makefile index 1b67ac383..e2fedeb7e 100644 --- a/platform/debian/Makefile +++ b/platform/debian/Makefile 
@@ -7,23 +7,18 @@ help: .PHONY: debs/kanidm debs/kanidm: ## Build the Kanidm CLI package - make sure you set the environment variable KANIDM_BUILD_PROFILE debs/kanidm: - ./platform/debian/build_kanidm.sh kanidm + bash ./platform/debian/build_kanidm.sh kanidm .PHONY: debs/kanidmd debs/kanidmd: ## Build the Kanidmd package - make sure you set the environment variable KANIDM_BUILD_PROFILE debs/kanidmd: - ./platform/debian/build_kanidm.sh kanidmd - -.PHONY: debs/kanidm-ssh -debs/kanidm-ssh: ## Bbuild the Kanidm SSH package - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/kanidm-ssh: - ./platform/debian/build_kanidm.sh kanidm-ssh + bash ./platform/debian/build_kanidm.sh kanidmd .PHONY: debs/kanidm-unixd debs/kanidm-unixd: ## Build the Kanidm UNIX tools package (PAM/NSS, unixd and related tools) - make sure you set the environment variable KANIDM_BUILD_PROFILE debs/kanidm-unixd: - ./platform/debian/build_kanidm.sh kanidm-unixd + bash ./platform/debian/build_kanidm.sh kanidm-unixd .PHONY: debs/all debs/all: ## Build all the .deb packages - make sure you set the environment variable KANIDM_BUILD_PROFILE -debs/all: debs/kanidmd debs/kanidm debs/kanidm-ssh debs/kanidm-unixd +debs/all: debs/kanidmd debs/kanidm debs/kanidm-unixd diff --git a/platform/debian/kanidm-ssh/control b/platform/debian/kanidm-ssh/control deleted file mode 100644 index 062b1d52d..000000000 --- a/platform/debian/kanidm-ssh/control +++ /dev/null @@ -1,14 +0,0 @@ -Source: kanidm-ssh -Section: admin -Priority: optional -Maintainer: James Hodgkinson -Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, libsqlite3-dev, pkg-config, cargo, make -Standards-Version: 4.6.0 -Homepage: https://kanidm.com -Vcs-Git: https://github.com/kanidm/kanidm/ -Rules-Requires-Root: no - -Package: kanidm-ssh -Architecture: any -Depends: -Description: Kanidm Unix Tools 
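Review bot: The `##` help line for `debs/kanidm-unixd` still describes only the PAM/NSS/unixd tools, while this commit folds the SSH tools into that package (the `debs/kanidm-ssh` target is removed here and `kanidm_book/src/packaging_debs.md` is updated to say so); change it to `debs/kanidm-unixd: ## Build the Kanidm UNIX tools package (PAM/NSS, unixd, SSH and related tools) - make sure you set the environment variable KANIDM_BUILD_PROFILE`. Prefixing `bash ./platform/debian/build_kanidm.sh` removes the dependence on the script's executable bit but also bypasses its shebang; a one-line comment above the targets noting why `bash` is forced would help the next reader.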
diff --git a/platform/debian/kanidm-ssh/postinst b/platform/debian/kanidm-ssh/postinst deleted file mode 100644 index ce3c124cb..000000000 --- a/platform/debian/kanidm-ssh/postinst +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh -# postinst script for kanidm-ssh -# -# see: dh_installdeb(1) - -set -e - - -case "$1" in - configure) - if [ ! -f /etc/kanidm/config ]; then - echo "=============================" - echo "Thanks for installing Kanidm!" - echo "=============================" - echo "Please ensure you create a configuration file at /etc/kanidm/config" - echo "An example is in /usr/share/kanidm-ssh/" - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/platform/debian/kanidm-ssh/rules b/platform/debian/kanidm-ssh/rules deleted file mode 100755 index 977f2aabb..000000000 --- a/platform/debian/kanidm-ssh/rules +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) - -# be REALLY noisy -export DH_VERBOSE=1 -export DH_OPTIONS=-v - -export DEB_BUILD_OPTIONS=noautodbgsym -PACKAGE=kanidm-ssh -PKGDIR=debian/${PACKAGE} -BINDIR=${PKGDIR}/usr/sbin/ -SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} - -%: - dh $@ - -override_dh_auto_clean: - -override_dh_autoreconf: - -override_dh_auto_build: - KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE} - -override_dh_auto_test: -override_dh_shlibdeps: -override_dh_strip: - -override_dh_auto_install: - mkdir -p ${BINDIR} - install \ - -g root -o root \ - target/release/kanidm_ssh_authorizedkeys \ - ${BINDIR} - install \ - -g root -o root \ - target/release/kanidm_ssh_authorizedkeys_direct \ - ${BINDIR} - -override_dh_installexamples: - mkdir -p ${SHARED_DIR} - install -D \ - -g root -o root \ - examples/kanidm \ - ${SHARED_DIR}/ 
diff --git a/platform/debian/pam-config-kanidm b/platform/debian/kanidm-unixd/kanidm-unixd.pam similarity index 100% rename from platform/debian/pam-config-kanidm rename to platform/debian/kanidm-unixd/kanidm-unixd.pam diff --git a/platform/debian/kanidm-unixd/postinst b/platform/debian/kanidm-unixd/postinst index d78b483ae..d8fb8b9a9 100644 --- a/platform/debian/kanidm-unixd/postinst +++ b/platform/debian/kanidm-unixd/postinst @@ -14,6 +14,8 @@ case "$1" in echo "=============================" echo "Please ensure you create configuration files at /etc/kanidm/unixd and /etc/kanidm/config" echo "Examples are in /usr/share/kanidm-unixd/" + echo "To configure pam module, please run pam-auth-update and select Kanidm" + echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html" fi ;; diff --git a/platform/debian/kanidm-unixd/rules b/platform/debian/kanidm-unixd/rules index 22bd97758..62d77b427 100755 --- a/platform/debian/kanidm-unixd/rules +++ b/platform/debian/kanidm-unixd/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f # See debhelper(7) (uncomment to enable) - +include /usr/share/dpkg/architecture.mk # be REALLY noisy export DH_VERBOSE=1 export DH_OPTIONS=-v @@ -9,7 +9,12 @@ export DEB_BUILD_OPTIONS=noautodbgsym PACKAGE=kanidm-unixd PKGDIR=debian/${PACKAGE} BINDIR=${PKGDIR}/usr/sbin/ +LIBDIR=${PKGDIR}/lib/${DEB_HOST_MULTIARCH} SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} +DISTRIBUTOR_ID=$(shell lsb_release -is) +DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) +DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) +DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version) %: dh $@ --with systemd 
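Review bot: `DISTRIBUTOR_ID=$(shell lsb_release -is)`, `DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)` and `DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version)` in `platform/debian/kanidm-unixd/rules` expand silently to empty strings when the tool is missing or fails, which later produces a package name like `kanidm-unixd__<version>_<cpu>.deb` instead of a build failure; the workflow installs `lsb-release`, but a local build need not have it. Guard the assignments, e.g. `ifeq ($(DISTRIBUTOR_ID),)` / `$(error lsb_release -is returned nothing; is lsb-release installed?)` / `endif`. The same block is added verbatim to `platform/debian/kanidm/rules` and `platform/debian/kanidmd/rules`, so a single included fragment would keep the three in step.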
@@ -19,7 +24,7 @@ override_dh_auto_clean: override_dh_autoreconf: override_dh_auto_build: - KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE} + KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE} release/kanidm-ssh override_dh_auto_test: override_dh_shlibdeps: @@ -28,24 +33,33 @@ override_dh_strip: # Do the systemd things override_dh_installinit: install -g root -o root \ - examples/systemd/${PACKAGE}.service \ + platform/debian/systemd/${PACKAGE}.service \ debian/ dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service dh_installinit -p${PACKAGE} --no-start --noscripts dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade install -g root -o root \ - examples/systemd/${PACKAGE}-tasks.service \ + platform/debian/systemd/${PACKAGE}-tasks.service \ debian/ dh_systemd_enable -p${PACKAGE} --name=${PACKAGE}-tasks ${PACKAGE}-tasks.service - dh_installinit -p${PACKAGE} --no-start --noscripts - dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade + dh_installinit -p${PACKAGE} --name=${PACKAGE}-tasks --no-start --noscripts + dh_systemd_start -p${PACKAGE} --name=${PACKAGE}-tasks --no-restart-on-upgrade override_dh_systemd_start: echo "Not running dh_systemd_start" override_dh_auto_install: mkdir -p ${BINDIR} + mkdir -p ${LIBDIR}/security + install \ + -g root -o root \ + target/release/kanidm_ssh_authorizedkeys \ + ${BINDIR} + install \ + -g root -o root \ + target/release/kanidm_ssh_authorizedkeys_direct \ + ${BINDIR} install \ -g root -o root \ target/release/kanidm_unixd \ @@ -66,6 +80,15 @@ override_dh_auto_install: -g root -o root \ target/release/kanidm_cache_invalidate \ ${BINDIR} + install \ + -g root -o root \ + target/release/libpam_kanidm.so \ + ${LIBDIR}/security/pam_kanidm.so + install \ + -g root -o root \ + target/release/libnss_kanidm.so \ + ${LIBDIR}/libnss_kanidm.so.2 + override_dh_installexamples: 
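Review bot: `override_dh_auto_install` now ships `pam_kanidm.so` and `libnss_kanidm.so.2`, but none of the visible hunks install the pam-auth-update profile (`platform/debian/kanidm-unixd/kanidm-unixd.pam`, renamed in this commit) into `/usr/share/pam-configs/`, even though the new postinst text tells the admin to run `pam-auth-update` and select Kanidm; unless that happens outside this hunk, add `install -D -g root -o root -m 644 platform/debian/kanidm-unixd/kanidm-unixd.pam ${PKGDIR}/usr/share/pam-configs/kanidm-unixd`. The two shared objects are installed without `-m`, so they get install(1)'s default 0755 rather than the 0644 customary for libraries. With `override_dh_shlibdeps:` left empty (visible as context in the first hunk), the NSS and PAM modules get no computed library dependencies in `Depends:`, which deserves a comment now that the package ships shared objects.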
@@ -76,5 +99,8 @@ override_dh_installexamples: ${SHARED_DIR}/ install -D \ -g root -o root \ - examples/config \ + examples/unixd \ ${SHARED_DIR}/ + +override_dh_builddeb: + dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb diff --git a/platform/debian/kanidm/rules b/platform/debian/kanidm/rules index 002b45b1a..ee0c3f6b7 100755 --- a/platform/debian/kanidm/rules +++ b/platform/debian/kanidm/rules @@ -1,6 +1,7 @@ #!/usr/bin/make -f # See debhelper(7) (uncomment to enable) +include /usr/share/dpkg/architecture.mk # be REALLY noisy export DH_VERBOSE=1 export DH_OPTIONS=-v @@ -10,6 +11,10 @@ PACKAGE=kanidm PKGDIR=debian/${PACKAGE} BINDIR=${PKGDIR}/usr/bin/ SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} +DISTRIBUTOR_ID=$(shell lsb_release -is) +DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) +DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) +DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version) %: dh $@ @@ -42,3 +47,6 @@ override_dh_installexamples: --mode 644 \ examples/config \ ${SHARED_DIR}/kanidm + +override_dh_builddeb: + dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb diff --git a/platform/debian/kanidmd/rules b/platform/debian/kanidmd/rules index d16eabf49..1ae0fae79 100755 --- a/platform/debian/kanidmd/rules +++ b/platform/debian/kanidmd/rules @@ -1,6 +1,7 @@ #!/usr/bin/make -f # See debhelper(7) (uncomment to enable) +include /usr/share/dpkg/architecture.mk # be REALLY noisy export DH_VERBOSE=1 export DH_OPTIONS=-v @@ -12,6 +13,10 @@ PACKAGE=kanidmd PKGDIR=debian/${PACKAGE} BINDIR=${PKGDIR}/usr/sbin/ SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE} +DISTRIBUTOR_ID=$(shell lsb_release -is) +DISTRIBUTOR_RELEASE=$(shell lsb_release -rs) +DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE) +DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version) %: dh $@ --with systemd 
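Review bot: The `--filename` in the new `override_dh_builddeb` ends in `DEB_HOST_GNU_CPU` (e.g. `x86_64`), whereas Debian tooling names packages by `DEB_HOST_ARCH` (e.g. `amd64`); both come from the `architecture.mk` included at the top of the file, so `dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_ARCH}.deb` would match what `dpkg-name` and repository tools expect. Putting the distributor between name and version also departs from the `name_version_arch.deb` convention, which is fine for GitHub release assets but worth a comment above the override so nobody feeds these into an apt repository unchanged. The identical override is added to `platform/debian/kanidm/rules` and `platform/debian/kanidmd/rules`.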
@@ -35,7 +40,7 @@ override_dh_strip: # Do the systemd things override_dh_installinit: install -g root -o root \ - examples/systemd/${PACKAGE}.service \ + platform/debian/systemd/${PACKAGE}.service \ debian/ dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service dh_installinit -p${PACKAGE} --no-start --noscripts @@ -64,3 +69,6 @@ override_dh_installexamples: --mode=644 \ examples/server.toml \ ${SHARED_DIR}/ + +override_dh_builddeb: + dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb diff --git a/platform/debian/simple_pkg.sh b/platform/debian/simple_pkg.sh index 27c16d648..acf54ed20 100755 --- a/platform/debian/simple_pkg.sh +++ b/platform/debian/simple_pkg.sh @@ -13,7 +13,7 @@ rm -rf "$pkgdir" mkdir -p "$pkgdir" # build the project -make release/kanidm release/kanidm-unixd +make release/kanidm release/kanidm-unixd release/kanidm-ssh # enable the following block to include deployment specific configuration files if [ 1 -eq 0 ]; then @@ -36,7 +36,7 @@ EOF fi # This is for allowing login via PAM. It needs to be enabled using `pam-auth-update` -install -Dm644 platform/debian/pam-config-kanidm "${pkgdir}/usr/share/pam-configs/kanidm" +install -Dm644 platform/debian/kanidm-unixd/kanidm-unixd.pam "${pkgdir}/usr/share/pam-configs/kanidm-unixd" # Install kanidm cli install -Dm755 target/release/kanidm "${pkgdir}/usr/local/sbin/kanidm" diff --git a/platform/debian/systemd/kanidm-unixd-tasks.service b/platform/debian/systemd/kanidm-unixd-tasks.service new file mode 100644 index 000000000..352d9ebf5 --- /dev/null +++ b/platform/debian/systemd/kanidm-unixd-tasks.service 
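Review bot: Installing the profile as `/usr/share/pam-configs/kanidm-unixd` where earlier builds used `/usr/share/pam-configs/kanidm` means a host carrying the old file keeps both, and `pam-auth-update` would then offer two Kanidm entries; if the output of `simple_pkg.sh` is ever applied over a previous install, remove the old path, or at least extend the comment above the `install -Dm644` line to record the rename. The surrounding script body is outside the hunk, so I cannot tell whether an upgrade path exists.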
@@ -0,0 +1,31 @@ +# You should not need to edit this file. Instead, use a drop-in file: +# systemctl edit kanidm-unixd-tasks.service + +[Unit] +Description=Kanidm Local Tasks +After=chronyd.service ntpd.service network-online.target kanidm-unixd.service + +[Service] +User=root +Type=simple +ExecStart=/usr/sbin/kanidm_unixd_tasks + +ReadWritePaths=/home /var/run/kanidm-unixd + +CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateNetwork=true +PrivateTmp=true +ProtectClock=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RestrictAddressFamilies=AF_UNIX + +[Install] +WantedBy=multi-user.target diff --git a/platform/debian/systemd/kanidm-unixd.service b/platform/debian/systemd/kanidm-unixd.service new file mode 100644 index 000000000..76ce71f9c --- /dev/null +++ b/platform/debian/systemd/kanidm-unixd.service @@ -0,0 +1,18 @@ +# You should not need to edit this file. Instead, use a drop-in file by running: +# systemctl edit kanidm-unixd.service + +[Unit] +Description=Kanidm Local Client Resolver +After=chronyd.service ntpd.service network-online.target + +[Service] +DynamicUser=yes +Type=simple +ExecStart=/usr/sbin/kanidm_unixd + +CacheDirectory=kanidm-unixd +RuntimeDirectory=kanidm-unixd +UMask=0027 + +[Install] +WantedBy=multi-user.target diff --git a/platform/debian/systemd/kanidmd.service b/platform/debian/systemd/kanidmd.service new file mode 100644 index 000000000..c212b85ec --- /dev/null +++ b/platform/debian/systemd/kanidmd.service 
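Review bot: `kanidm-unixd-tasks.service` runs as root with a bounded capability set and `ProtectSystem=strict`, which is the right shape, but a task runner that only manages home directories can drop a little more: `RestrictNamespaces=true`, `RestrictRealtime=true` and `SystemCallArchitectures=native` cost nothing if the binary needs none of them. `ReadWritePaths=/home /var/run/kanidm-unixd` spells the legacy path; `/run/kanidm-unixd` matches the `RuntimeDirectory=kanidm-unixd` declared in the sibling `kanidm-unixd.service`. The unit names `kanidm-unixd.service` only in `After=`, so it can start without the resolver it presumably connects to; add `Wants=kanidm-unixd.service` if that coupling is intended. These units duplicate `examples/systemd/*.service`, which this commit also edits, so a header comment stating which copy is authoritative would prevent drift.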
@@ -0,0 +1,20 @@ +# You should not need to edit this file. Instead, use a drop-in file by running: +# systemctl edit kanidmd.service + +[Unit] +Description=Kanidm, the IDM for rustaceans +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple + +ExecStart=/usr/sbin/kanidmd server --config=/etc/kanidm/server.toml +Restart=on-failure +RestartSec=15s +WorkingDirectory=/var/lib/kanidm +DynamicUser=yes +StateDirectory=kanidm + +[Install] +WantedBy=multi-user.target
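Review bot: With `DynamicUser=yes` kanidmd runs under a UID allocated at start, so `/etc/kanidm/server.toml` and any key material it references must be readable by that transient user, and the unit offers no stable group to grant that; either ship the configuration group-readable by a packaged group named in `SupplementaryGroups=`, or document the required permissions in a comment next to `ExecStart=`. Beyond what `DynamicUser=` implies the service has no hardening, in contrast to the unixd-tasks unit in this commit; `PrivateDevices=true`, `ProtectKernelTunables=true` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` are a reasonable baseline for a network daemon if the server needs nothing else. A comment explaining why this unit sets `Restart=on-failure` while `kanidm-unixd.service` does not would also help.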