#!/usr/bin/make -f
# -*- makefile -*-
#
# These rules should work for any debian-ish distro that uses systemd
# as init. That does _not_ include Ubuntu 14.04 ("trusty"); look for
# its own special rule file.
#
# Please keep the diff between that and this relatively small, even if
# it means having suboptimal code; these need to be kept in sync by
# sentient bags of meat.
#export DH_VERBOSE=1
export DH_OPTIONS
export DH_GOPKG := github.com/snapcore/snapd
#export DEB_BUILD_OPTIONS=nocheck
export DH_GOLANG_EXCLUDES=tests
export DH_GOLANG_GO_GENERATE=1
export PATH:=${PATH}:${CURDIR}
# make sure that correct go version is found on trusty
export PATH:=/usr/lib/go-1.6/bin:${PATH}
include /etc/os-release
# On 18.04 the released version of apt (1.6.1) has a bug that causes
# problem on "apt purge snapd". To ensure this won't happen add the
# right dependency on 18.04.
ifeq (${VERSION_ID},"18.04")
SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)"
endif
# Same as above for 18.10 just a different version.
ifeq (${VERSION_ID},"18.10")
SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
endif
# this is overridden in the ubuntu/14.04 release branch
SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"
# The go tool does not fully support vendoring with gccgo, but we can
# work around that by constructing the appropriate -I flag by hand.
GCCGO := $(shell go tool dist env > /dev/null 2>&1 && echo no || echo yes)
# Disable -buildmode=pie mode on i386 as it can panic in spectacular
# ways (LP: #1711052).
# See also https://forum.snapcraft.io/t/artful-i386-panics/
# Note while the panic is only on artful, that's because artful
# detects it; the issue is potentially there on older things.
BUILDFLAGS:=-pkgdir=$(CURDIR)/_build/std
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),i386)
BUILDFLAGS+= -buildmode=pie
endif
GCCGOFLAGS=
ifeq ($(GCCGO),yes)
GOARCH := $(shell go env GOARCH)
GOOS := $(shell go env GOOS)
BUILDFLAGS:=
GCCGOFLAGS=-gccgoflags="-I $(CURDIR)/_build/pkg/gccgo_$(GOOS)_$(GOARCH)/$(DH_GOPKG)/vendor"
export DH_GOLANG_GO_GENERATE=0
# workaround for https://github.com/golang/go/issues/23721
export GOMAXPROCS=2
endif
# check if we need to include the testkeys in the binary
TAGS=
ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
TAGS=-tags withtestkeys
endif
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
BUILT_USING_PACKAGES=
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# DPKG_EXPORT_BUILDFLAGS = 1
# include /usr/share/dpkg/buildflags.mk
# Currently, we enable confinement for Ubuntu only, not for derivatives,
# because derivatives may have different kernels that don't support all the
# required confinement features and we don't want to mislead anyone about the
# security of the system. Discuss a proper approach to this for downstreams
# if and when they approach us.
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
# On Ubuntu 16.04 we need to produce a build that can be used on wide
# variety of systems. As such we prefer static linking over dynamic linking
# for stability, predictability and ease of deployment. We need to link some
# things dynamically though: udev has no stable IPC protocol between
# libudev and udevd so we need to link with it dynamically.
VENDOR_ARGS=--enable-nvidia-multiarch --enable-static-libcap --enable-static-libapparmor --enable-static-libseccomp --with-host-arch-triplet=$(DEB_HOST_MULTIARCH)
ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),amd64)
VENDOR_ARGS+= --with-host-arch-32bit-triplet=$(shell dpkg-architecture -f -ai386 -qDEB_HOST_MULTIARCH)
endif
BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev
else
ifeq ($(shell dpkg-vendor --query Vendor),Debian)
VENDOR_ARGS=--enable-nvidia-multiarch
BUILT_USING_PACKAGES=libcap-dev
else
VENDOR_ARGS=--disable-apparmor
endif
endif
BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES))

%:
	dh $@ --buildsystem=golang --with=golang --fail-missing --with systemd --builddirectory=_build

override_dh_fixperms:
	dh_fixperms -Xusr/lib/snapd/snap-confine

# The .real profile is a workaround for a bug in dpkg LP: #1673247 that causes
# ubiquity to crash. It allows us to "move" the snap-confine profile from
# snap-confine into snapd in a way that works with old dpkg that is in the live
# CD image.
#
# Because both the usual and the .real profile describe the same binary the
# .real profile takes priority (as it is loaded later).
override_dh_installdeb:
	dh_apparmor --profile-name=usr.lib.snapd.snap-confine.real -psnapd
	dh_installdeb

override_dh_clean:
ifneq (,$(TEST_GITHUB_AUTOPKGTEST))
	# this will be set by the GITHUB webhook to trigger an autopkgtest
	# we only need to run "govendor sync" here and then it's ready
	(export GOPATH="/tmp/go"; \
	  mkdir -p /tmp/go/src/github.com/snapcore/; \
	  cp -ar . /tmp/go/src/github.com/snapcore/snapd; \
	  go get -u github.com/kardianos/govendor; \
	  (cd /tmp/go/src/github.com/snapcore/snapd ; /tmp/go/bin/govendor sync); \
	  cp -ar /tmp/go/src/github.com/snapcore/snapd/vendor/ .; \
	)
endif
	dh_clean
	$(MAKE) -C data clean
	# XXX: hacky
	$(MAKE) -C cmd distclean || true

override_dh_auto_build:
	# usually done via `go generate` but that is not supported on powerpc
	./mkversion.sh
	# Build golang bits
	mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
	dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
	# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
	# Generate static snap-exec and snap-update-ns - it somehow includes CGO so
	# we must force a static build here. We need a static snap-{exec,update-ns}
	# inside the core snap because not all bases will have a libc
	(cd _build/bin && GOPATH=$$(pwd)/.. CGO_ENABLED=0 go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-exec)
	(cd _build/bin && GOPATH=$$(pwd)/.. go build --ldflags '-extldflags "-static"' $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-update-ns)
	# ensure we generated a static build; these run as recipe commands
	# (not inside $(shell ...), which discards the exit status) so that
	# a dynamically linked binary fails the build
	if ldd _build/bin/snap-exec; then false "need static build"; fi
	if ldd _build/bin/snap-update-ns; then false "need static build"; fi
endif
	# ensure snap-seccomp is built with a static libseccomp on Ubuntu
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
	# (static linking on powerpc with cgo is broken)
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
	sed -i "s|#cgo LDFLAGS:|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
	(cd _build/bin && GOPATH=$$(pwd)/.. CGO_LDFLAGS_ALLOW="/.*/libseccomp.a" go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-seccomp)
	# ensure that libseccomp is not dynamically linked
	ldd _build/bin/snap-seccomp
	test "$$(ldd _build/bin/snap-seccomp | grep libseccomp)" = ""
	# revert again so that the subsequent tests work
	sed -i "s|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|#cgo LDFLAGS:|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
endif
endif
	# Build C bits, sadly manually
	cd cmd && ( autoreconf -i -f )
	cd cmd && ( ./configure --prefix=/usr --libexecdir=/usr/lib/snapd $(VENDOR_ARGS))
	$(MAKE) -C cmd all
	# Generate the real systemd/dbus/env config files
	$(MAKE) -C data all

override_dh_auto_test:
	dh_auto_test -- $(GCCGOFLAGS)
# a tested default (production) build should have no test keys
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# check that only the main trusted account-keys are included
	[ $$(strings _build/bin/snapd|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 2 ]
	strings _build/bin/snapd|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
	strings _build/bin/snapd|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
	# same for snap-repair
	[ $$(strings _build/bin/snap-repair|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 3 ]
	# common with snapd
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
	# repair-root
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: nttW6NfBXI_E-00u38W-KH6eiksfQNXuI7IiumoV49_zkbhM0sYTzSnFlwZC-W4t$$"
endif
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# run the snap-confine tests
	$(MAKE) -C cmd check
endif

override_dh_install-indep:
	# we do not need this in the package, it's just needed during build
	rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
	# toolbelt is not shippable
	rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
	# we do not like /usr/bin/snappy anymore
	rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
	# chrorder generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
	dh_install

override_dh_install-arch:
	# we do not need this in the package, it's just needed during build
	rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
	# toolbelt is not shippable
	rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
	# we do not like /usr/bin/snappy anymore
	rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
	# i18n stuff
	mkdir -p debian/snapd/usr/share
	if [ -d share/locale ]; then \
		cp -R share/locale debian/snapd/usr/share; \
	fi
	# chrorder generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
	# Install snapd's systemd units / upstart jobs, done
	# here instead of debian/snapd.install because the
	# ubuntu/14.04 release branch adds/changes bits here
	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
	# We called this apps-bin-path.sh instead of snapd.sh, and
	# it's a conf file so we're stuck with it
	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh
	$(MAKE) -C cmd install DESTDIR=$(CURDIR)/debian/tmp
	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real
	# On Ubuntu and Debian we don't need to install the apparmor helper service.
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.apparmor.service
	rm $(CURDIR)/debian/tmp/usr/lib/snapd/snapd-apparmor
	# Outside of core we don't need to install the following files:
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.autoimport.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.core-fixup.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.failure.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.service
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.timer
	rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.system-shutdown.service
	rm $(CURDIR)/debian/snapd/usr/lib/snapd/snapd.run-from-snap
	dh_install

override_dh_auto_install: snap.8
	dh_auto_install -O--buildsystem=golang

snap.8:
	$(CURDIR)/_build/bin/snap help --man > $@

override_dh_auto_clean:
	dh_auto_clean -O--buildsystem=golang
	rm -vf snap.8

override_dh_gencontrol:
	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"
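
# Added example, not part of the snapd packaging: the trusted-key check from
# override_dh_auto_test generalised into a set comparison that names any unexpected
# or missing key id. Function names and the make_sample helper are hypothetical.

```shell
#!/bin/sh
# Print every distinct "public-key-sha3-384" id embedded in FILE, one per line.
# grep -a reads the binary as text, so no separate strings(1) pass is needed.
embedded_key_ids() {
    LC_ALL=C grep -a -o -E 'public-key-sha3-384: [a-zA-Z0-9_-]{64}' "$1" \
        | sed 's/^public-key-sha3-384: //' | LC_ALL=C sort -u
}

# check_embedded_keys FILE ID...
# Succeeds only if the set of key ids found in FILE equals the given ids.
check_embedded_keys() {
    file=$1; shift
    expected=$(printf '%s\n' "$@" | LC_ALL=C sort -u)
    found=$(embedded_key_ids "$file")
    rc=0
    for id in $found; do
        # -e is required: real key ids may begin with "-"
        printf '%s\n' "$expected" | grep -qxF -e "$id" ||
            { echo "unexpected key in $file: $id" >&2; rc=1; }
    done
    for id in $expected; do
        printf '%s\n' "$found" | grep -qxF -e "$id" ||
            { echo "missing key in $file: $id" >&2; rc=1; }
    done
    return $rc
}

# Write a constructed stand-in for a binary: NUL-padded junk around one
# key-id line per ID. The ids used with it are made up, not real snapd keys.
make_sample() {
    out=$1; shift
    : > "$out"
    for id in "$@"; do
        printf '\000\001junk\000public-key-sha3-384: %s\n\000' "$id" >> "$out"
    done
}
```

# Usage in a recipe would be: check_embedded_keys _build/bin/snapd <id> <id>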