Fix debian build path (#1331)

* Update CONTRIBUTORS
* Fix debian & ubuntu packaging
* Use standard way to install pam config
* Fix simple_pkg.sh & add pam nss instructions
* Merge ssh with unixd; update CI to build for multiple os versions; upload packages to artifacts

.github/workflows/debian_package_kanidm.yml

@@ -11,40 +11,69 @@ concurrency:
   cancel-in-progress: true
 jobs:
   build-deb-package:
-    runs-on: ubuntu-20.04
+    name: Build deb packages
+    strategy:
+      matrix:
+        image:
+         - ubuntu:22.04
+         - ubuntu:20.04
+         - ubuntu:18.04
+         - debian:11
+         - debian:10
+    runs-on: ubuntu-latest
+    container: 
+      image: ${{ matrix.image }}
+      env:
+        DEBIAN_FRONTEND: noninteractive
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-
+      - name: Update package manager
+        run: apt-get update
+      - name: Install dependencies
+        run: |
+          apt-get install -y \
+            lsb-release \
+            libpam0g-dev \
+            libudev-dev \
+            libssl-dev \
+            libsqlite3-dev \
+            pkg-config \
+            make \
+            curl \
+            sudo
       - name: Install Rust
         uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
           override: true
           default: true
-      - name: Update package manager
-        run: sudo apt-get update
-      - name: Install dependencies
-        run: |
-          sudo apt-get install -y \
-            libpam0g-dev \
-            libudev-dev \
-            libssl-dev \
-            libsqlite3-dev \
-            pkg-config \
-            make
-      - uses: jetli/wasm-pack-action@v0.4.0
-        with:
-          # Optional version of wasm-pack to install(eg. 'v0.9.1', 'latest')
-          version: 'latest'
       - name: "Doing the package build"
         run: |
           make -f platform/debian/Makefile debs/all
+      - name: Upload debs
+        uses: actions/upload-artifact@v3
+        with:
+          name: ubuntu-packages
+          path: |
+            target/*.deb
+  upload-to-releases:
+    name: Upload to releases
+    needs: build-deb-package
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download previously built debs
+        uses: actions/download-artifact@v3
+        with:
+          name: ubuntu-packages
+      - name: List packages
+        run: |
+          ls
       - uses: "marvinpinto/action-automatic-releases@latest"
         with:
           repo_token: "${{ secrets.GITHUB_TOKEN }}"
           automatic_release_tag: "latest"
           prerelease: true
-          title: "Ubuntu Packages (20.04)"
-          files: target/*.deb
+          title: "Ubuntu Packages"
+          files: "*.deb"
         if: ${{ github.ref == 'refs/heads/master' }}

CONTRIBUTORS.md

@@ -22,6 +22,7 @@
 - Florian Klink (flokli)
 - Kaleb Olson (kalebo)
 - Jan Christoph Ebersbach (jceb)
+- Yuxuan Lu (leoleoasd)
 
 ## Acknowledgements
 

examples/systemd/kanidm-unixd.service

@@ -1,5 +1,5 @@
 # You should not need to edit this file. Instead, use a drop-in file by running:
-#   systemctl edit kanidm-unixd-tasks.service
+#   systemctl edit kanidm-unixd.service
 
 [Unit]
 Description=Kanidm Local Client Resolver

examples/systemd/kanidmd.service

@@ -1,5 +1,5 @@
 # You should not need to edit this file. Instead, use a drop-in file by running:
-#   systemctl edit kanidm-unixd-tasks.service
+#   systemctl edit kanidmd.service
 
 [Unit]
 Description=Kanidm, the IDM for rustaceans

kanidm_book/src/packaging_debs.md

@@ -16,10 +16,8 @@ debs/kanidm:
 	 build a .deb for the Kanidm CLI
 debs/kanidmd:
 	 build a .deb for the Kanidm daemon
-debs/kanidm-ssh:
-	 build a .deb for the Kanidm SSH tools
 debs/kanidm-unixd:
-	 build a .deb for the Kanidm UNIX tools (PAM/NSS, unixd and related tools)
+	 build a .deb for the Kanidm UNIX tools (PAM/NSS, unixd and related tools) and SSH tools
 debs/all:
 	 build all the debs
 ```

platform/debian/Makefile

@@ -7,23 +7,18 @@ help:
 .PHONY: debs/kanidm
 debs/kanidm: ## Build the Kanidm CLI package - make sure you set the environment variable KANIDM_BUILD_PROFILE
 debs/kanidm:
-	./platform/debian/build_kanidm.sh kanidm
+	bash ./platform/debian/build_kanidm.sh kanidm
 
 .PHONY: debs/kanidmd
 debs/kanidmd: ## Build the Kanidmd package - make sure you set the environment variable KANIDM_BUILD_PROFILE
 debs/kanidmd:
-	./platform/debian/build_kanidm.sh kanidmd
-
-.PHONY: debs/kanidm-ssh
-debs/kanidm-ssh: ## Bbuild the Kanidm SSH package - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/kanidm-ssh:
-	./platform/debian/build_kanidm.sh kanidm-ssh
+	bash ./platform/debian/build_kanidm.sh kanidmd
 
 .PHONY: debs/kanidm-unixd
 debs/kanidm-unixd: ## Build the Kanidm UNIX tools package (PAM/NSS, unixd and related tools) - make sure you set the environment variable KANIDM_BUILD_PROFILE
 debs/kanidm-unixd:
-	./platform/debian/build_kanidm.sh kanidm-unixd
+	bash ./platform/debian/build_kanidm.sh kanidm-unixd
 
 .PHONY: debs/all
 debs/all: ## Build all the .deb packages - make sure you set the environment variable KANIDM_BUILD_PROFILE
-debs/all: debs/kanidmd debs/kanidm debs/kanidm-ssh debs/kanidm-unixd
+debs/all: debs/kanidmd debs/kanidm debs/kanidm-unixd

platform/debian/kanidm-ssh/control

@@ -1,14 +0,0 @@
-Source: kanidm-ssh
-Section: admin
-Priority: optional
-Maintainer: James Hodgkinson <james@terminaloutcomes.com>
-Build-Depends: debhelper (>=10), libpam0g-dev, libudev-dev, libssl-dev, libsqlite3-dev, pkg-config, cargo, make
-Standards-Version: 4.6.0
-Homepage: https://kanidm.com
-Vcs-Git: https://github.com/kanidm/kanidm/
-Rules-Requires-Root: no
-
-Package: kanidm-ssh
-Architecture: any
-Depends:
-Description: Kanidm Unix Tools

platform/debian/kanidm-ssh/postinst

@@ -1,34 +0,0 @@
-#!/bin/sh
-# postinst script for kanidm-ssh
-#
-# see: dh_installdeb(1)
-
-set -e
-
-
-case "$1" in
-    configure)
-        if [ ! -f /etc/kanidm/config ]; then
-            echo "============================="
-            echo "Thanks for installing Kanidm!"
-            echo "============================="
-            echo "Please ensure you create a configuration file at /etc/kanidm/config"
-            echo "An example is in /usr/share/kanidm-ssh/"
-        fi
-    ;;
-
-    abort-upgrade|abort-remove|abort-deconfigure)
-    ;;
-
-    *)
-        echo "postinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0

platform/debian/kanidm-ssh/rules

@@ -1,44 +0,0 @@
-#!/usr/bin/make -f
-# See debhelper(7) (uncomment to enable)
-
-# be REALLY noisy
-export DH_VERBOSE=1
-export DH_OPTIONS=-v
-
-export DEB_BUILD_OPTIONS=noautodbgsym
-PACKAGE=kanidm-ssh
-PKGDIR=debian/${PACKAGE}
-BINDIR=${PKGDIR}/usr/sbin/
-SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
-
-%:
-	dh $@
-
-override_dh_auto_clean:
-
-override_dh_autoreconf:
-
-override_dh_auto_build:
-	KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE}
-
-override_dh_auto_test:
-override_dh_shlibdeps:
-override_dh_strip:
-
-override_dh_auto_install:
-	mkdir -p ${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm_ssh_authorizedkeys \
-		${BINDIR}
-	install \
-		-g root -o root \
-		target/release/kanidm_ssh_authorizedkeys_direct \
-		${BINDIR}
-
-override_dh_installexamples:
-	mkdir -p ${SHARED_DIR}
-	install -D \
-		-g root -o root \
-		examples/kanidm \
-		${SHARED_DIR}/

platform/debian/kanidm-unixd/postinst

@@ -14,6 +14,8 @@ case "$1" in
             echo "============================="
             echo "Please ensure you create configuration files at /etc/kanidm/unixd and /etc/kanidm/config"
             echo "Examples are in /usr/share/kanidm-unixd/"
+            echo "To configure pam module, please run pam-auth-update and select Kanidm"
+            echo "To configure nsswitch, please follow instructions in https://kanidm.github.io/kanidm/master/integrations/pam_and_nsswitch.html"
         fi
     ;;
 

platform/debian/kanidm-unixd/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 # See debhelper(7) (uncomment to enable)
-
+include /usr/share/dpkg/architecture.mk
 # be REALLY noisy
 export DH_VERBOSE=1
 export DH_OPTIONS=-v
@@ -9,7 +9,12 @@ export DEB_BUILD_OPTIONS=noautodbgsym
 PACKAGE=kanidm-unixd
 PKGDIR=debian/${PACKAGE}
 BINDIR=${PKGDIR}/usr/sbin/
+LIBDIR=${PKGDIR}/lib/${DEB_HOST_MULTIARCH}
 SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
+DISTRIBUTOR_ID=$(shell lsb_release -is)
+DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
+DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
+DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version)
 
 %:
 	dh $@ --with systemd
@@ -19,7 +24,7 @@ override_dh_auto_clean:
 override_dh_autoreconf:
 
 override_dh_auto_build:
-	KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE}
+	KANIDM_BUILD_PROFILE=release_suse_generic dh_auto_build -- release/${PACKAGE} release/kanidm-ssh
 
 override_dh_auto_test:
 override_dh_shlibdeps:
@@ -28,24 +33,33 @@ override_dh_strip:
 # Do the systemd things
 override_dh_installinit:
 	install -g root -o root \
-		examples/systemd/${PACKAGE}.service \
+		platform/debian/systemd/${PACKAGE}.service \
 		debian/
 	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service
 	dh_installinit -p${PACKAGE} --no-start --noscripts
 	dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade
 
 	install -g root -o root \
-		examples/systemd/${PACKAGE}-tasks.service \
+		platform/debian/systemd/${PACKAGE}-tasks.service \
 		debian/
 	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE}-tasks ${PACKAGE}-tasks.service
-	dh_installinit -p${PACKAGE} --no-start --noscripts
-	dh_systemd_start -p${PACKAGE} --no-restart-on-upgrade
+	dh_installinit -p${PACKAGE} --name=${PACKAGE}-tasks --no-start --noscripts
+	dh_systemd_start -p${PACKAGE} --name=${PACKAGE}-tasks --no-restart-on-upgrade
 
 override_dh_systemd_start:
 	echo "Not running dh_systemd_start"
 
 override_dh_auto_install:
 	mkdir -p ${BINDIR}
+	mkdir -p ${LIBDIR}/security
+	install \
+		-g root -o root \
+		target/release/kanidm_ssh_authorizedkeys \
+		${BINDIR}
+	install \
+		-g root -o root \
+		target/release/kanidm_ssh_authorizedkeys_direct \
+		${BINDIR}
 	install \
 		-g root -o root \
 		target/release/kanidm_unixd \
@@ -66,6 +80,15 @@ override_dh_auto_install:
 		-g root -o root \
 		target/release/kanidm_cache_invalidate \
 		${BINDIR}
+	install \
+		-g root -o root \
+		target/release/libpam_kanidm.so \
+		${LIBDIR}/security/pam_kanidm.so
+	install \
+		-g root -o root \
+		target/release/libnss_kanidm.so \
+		${LIBDIR}/libnss_kanidm.so.2
+
 
 
 override_dh_installexamples:
@@ -76,5 +99,8 @@ override_dh_installexamples:
 		${SHARED_DIR}/
 	install -D \
 		-g root -o root \
-		examples/config \
+		examples/unixd \
 		${SHARED_DIR}/
+
+override_dh_builddeb:
+	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/kanidm/rules

@@ -1,6 +1,7 @@
 #!/usr/bin/make -f
 # See debhelper(7) (uncomment to enable)
 
+include /usr/share/dpkg/architecture.mk
 # be REALLY noisy
 export DH_VERBOSE=1
 export DH_OPTIONS=-v
@@ -10,6 +11,10 @@ PACKAGE=kanidm
 PKGDIR=debian/${PACKAGE}
 BINDIR=${PKGDIR}/usr/bin/
 SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
+DISTRIBUTOR_ID=$(shell lsb_release -is)
+DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
+DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
+DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version)
 
 %:
 	dh $@
@@ -42,3 +47,6 @@ override_dh_installexamples:
 		--mode 644 \
 		examples/config \
 		${SHARED_DIR}/kanidm
+
+override_dh_builddeb:
+	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/kanidmd/rules

@@ -1,6 +1,7 @@
 #!/usr/bin/make -f
 # See debhelper(7) (uncomment to enable)
 
+include /usr/share/dpkg/architecture.mk
 # be REALLY noisy
 export DH_VERBOSE=1
 export DH_OPTIONS=-v
@@ -12,6 +13,10 @@ PACKAGE=kanidmd
 PKGDIR=debian/${PACKAGE}
 BINDIR=${PKGDIR}/usr/sbin/
 SHARED_DIR=${PKGDIR}/usr/share/${PACKAGE}
+DISTRIBUTOR_ID=$(shell lsb_release -is)
+DISTRIBUTOR_RELEASE=$(shell lsb_release -rs)
+DISTRIBUTOR=$(DISTRIBUTOR_ID)_$(DISTRIBUTOR_RELEASE)
+DEB_VERSION_FULL=$(shell dpkg-parsechangelog --show-field Version)
 
 %:
 	dh $@ --with systemd
@@ -35,7 +40,7 @@ override_dh_strip:
 # Do the systemd things
 override_dh_installinit:
 	install -g root -o root \
-		examples/systemd/${PACKAGE}.service \
+		platform/debian/systemd/${PACKAGE}.service \
 		debian/
 	dh_systemd_enable -p${PACKAGE} --name=${PACKAGE} ${PACKAGE}.service
 	dh_installinit -p${PACKAGE} --no-start --noscripts
@@ -64,3 +69,6 @@ override_dh_installexamples:
 		--mode=644 \
 		examples/server.toml \
 		${SHARED_DIR}/
+
+override_dh_builddeb:
+	dh_builddeb --filename ${PACKAGE}_${DISTRIBUTOR}_${DEB_VERSION_FULL}_${DEB_HOST_GNU_CPU}.deb

platform/debian/simple_pkg.sh

@@ -13,7 +13,7 @@ rm -rf "$pkgdir"
 mkdir -p "$pkgdir"
 
 # build the project
-make release/kanidm release/kanidm-unixd
+make release/kanidm release/kanidm-unixd release/kanidm-ssh
 
 # enable the following block to include deployment specific configuration files
 if [ 1 -eq 0 ]; then
@@ -36,7 +36,7 @@ EOF
 fi 
 
 # This is for allowing login via PAM. It needs to be enabled using `pam-auth-update`
-install -Dm644  platform/debian/pam-config-kanidm "${pkgdir}/usr/share/pam-configs/kanidm"
+install -Dm644  platform/debian/kanidm-unixd/kanidm-unixd.pam "${pkgdir}/usr/share/pam-configs/kanidm-unixd"
 
 # Install kanidm cli
 install -Dm755 target/release/kanidm "${pkgdir}/usr/local/sbin/kanidm"

platform/debian/systemd/kanidm-unixd-tasks.service

@@ -0,0 +1,31 @@
+# You should not need to edit this file. Instead, use a drop-in file:
+#   systemctl edit kanidm-unixd-tasks.service
+
+[Unit]
+Description=Kanidm Local Tasks
+After=chronyd.service ntpd.service network-online.target kanidm-unixd.service
+
+[Service]
+User=root
+Type=simple
+ExecStart=/usr/sbin/kanidm_unixd_tasks
+
+ReadWritePaths=/home /var/run/kanidm-unixd
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+
+[Install]
+WantedBy=multi-user.target

platform/debian/systemd/kanidm-unixd.service

@@ -0,0 +1,18 @@
+# You should not need to edit this file. Instead, use a drop-in file by running:
+#   systemctl edit kanidm-unixd.service
+
+[Unit]
+Description=Kanidm Local Client Resolver
+After=chronyd.service ntpd.service network-online.target
+
+[Service]
+DynamicUser=yes
+Type=simple
+ExecStart=/usr/sbin/kanidm_unixd
+
+CacheDirectory=kanidm-unixd
+RuntimeDirectory=kanidm-unixd
+UMask=0027
+
+[Install]
+WantedBy=multi-user.target

platform/debian/systemd/kanidmd.service

@@ -0,0 +1,20 @@
+# You should not need to edit this file. Instead, use a drop-in file by running:
+#   systemctl edit kanidmd.service
+
+[Unit]
+Description=Kanidm, the IDM for rustaceans
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+
+ExecStart=/usr/sbin/kanidmd server --config=/etc/kanidm/server.toml
+Restart=on-failure
+RestartSec=15s
+WorkingDirectory=/var/lib/kanidm
+DynamicUser=yes
+StateDirectory=kanidm
+
+[Install]
+WantedBy=multi-user.target