#!/usr/bin/make -f # -*- makefile -*- # # These rules should work for any debian-ish distro that uses systemd # as init. That does _not_ include Ubuntu 14.04 ("trusty"); look for # its own special rule file. # # Please keep the diff between that and this relatively small, even if # it means having suboptimal code; these need to be kept in sync by # sentient bags of meat. #export DH_VERBOSE=1 export DH_OPTIONS export DH_GOPKG := github.com/snapcore/snapd #export DEB_BUILD_OPTIONS=nocheck export DH_GOLANG_EXCLUDES=tests # skip Go generate, all source code should have been committed export DH_GOLANG_GO_GENERATE=0 export PATH:=${PATH}:${CURDIR} # GOCACHE is needed by go-1.13+ export GOCACHE:=/tmp/go-build include /etc/os-release # On 18.04 the released version of apt (1.6.1) has a bug that causes # problem on "apt purge snapd". To ensure this won't happen add the # right dependency on 18.04. ifeq (${VERSION_ID},"18.04") SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.6.3)" endif # Same as above for 18.10 just a different version. ifeq (${VERSION_ID},"18.10") SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)" endif # this is overridden in the ubuntu/14.04 release branch SYSTEMD_UNITS_DESTDIR="$(shell pkg-config --variable=systemdsystemunitdir systemd)" # The go tool does not fully support vendoring with gccgo, but we can # work around that by constructing the appropriate -I flag by hand. GCCGO := $(shell go tool dist env > /dev/null 2>&1 && echo no || echo yes) # Disable -buildmode=pie mode on i386 as can panics in spectacular # ways (LP: #1711052). # See also https://forum.snapcraft.io/t/artful-i386-panics/ # Note while the panic is only on artful, that's because artful # detects it; the issue potentially there on older things. BUILDFLAGS:=-pkgdir=$(CURDIR)/_build/std ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),i386) BUILDFLAGS+= -buildmode=pie endif GCCGOFLAGS= ifeq ($(GCCGO),yes) GOARCH := $(shell go env GOARCH) GOOS := $(shell go env GOOS) BUILDFLAGS:= GCCGOFLAGS=-gccgoflags="-I $(CURDIR)/_build/pkg/gccgo_$(GOOS)_$(GOARCH)/$(DH_GOPKG)/vendor" export DH_GOLANG_GO_GENERATE=0 # workaround for https://github.com/golang/go/issues/23721 export GOMAXPROCS=2 endif # check if we need to include the testkeys in the binary # TAGS are the go build tags for all binaries, SNAP_TAGS are for snap # build only. TAGS=nosecboot SNAP_TAGS=nosecboot nomanagers ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS))) TAGS+= withtestkeys SNAP_TAGS+= withtestkeys endif DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) BUILT_USING_PACKAGES= # export DEB_BUILD_MAINT_OPTIONS = hardening=+all # DPKG_EXPORT_BUILDFLAGS = 1 # include /usr/share/dpkg/buildflags.mk # Currently, we enable confinement for Ubuntu only, not for derivatives, # because derivatives may have different kernels that don't support all the # required confinement features and we don't to mislead anyone about the # security of the system. Discuss a proper approach to this for downstreams # if and when they approach us. ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu) # On Ubuntu 16.04 we need to produce a build that can be used on wide # variety of systems. As such we prefer static linking over dynamic linking # for stability, predicability and easy of deployment. We need to link some # things dynamically though: udev has no stable IPC protocol between # libudev and udevd so we need to link with it dynamically. VENDOR_ARGS=--enable-nvidia-multiarch --enable-static-libcap --enable-static-libapparmor --enable-static-libseccomp --with-host-arch-triplet=$(DEB_HOST_MULTIARCH) ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),amd64) VENDOR_ARGS+= --with-host-arch-32bit-triplet=$(shell dpkg-architecture -f -ai386 -qDEB_HOST_MULTIARCH) endif BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev else ifeq ($(shell dpkg-vendor --query Vendor),Debian) VENDOR_ARGS=--enable-nvidia-multiarch BUILT_USING_PACKAGES=libcap-dev else VENDOR_ARGS=--disable-apparmor endif endif BUILT_USING=$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES)) %: dh $@ --buildsystem=golang --with=golang --builddirectory=_build override_dh_fixperms: dh_fixperms -Xusr/lib/snapd/snap-confine # The .real profile is a workaround for a bug in dpkg LP: #1673247 that causes # ubiquity to crash. It allows us to "move" the snap-confine profile from # snap-confine into snapd in a way that works with old dpkg that is in the live # CD image. # # Because both the usual and the .real profile describe the same binary the # .real profile takes priority (as it is loaded later). override_dh_installdeb: dh_apparmor --profile-name=usr.lib.snapd.snap-confine.real -psnapd dh_installdeb override_dh_clean: dh_clean $(MAKE) -C data clean # XXX: hacky $(MAKE) -C cmd distclean || true override_dh_auto_build: # usually done via `go generate` but that is not supported on powerpc GO_GENERATE_BUILDDIR=_build/src/$(DH_GOPKG) GO111MODULE=off GOPATH=$$(pwd)/_build ./mkversion.sh # Build golang bits mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/ cp -a bootloader/assets/data _build/src/$(DH_GOPKG)/bootloader/assets # exclude certain parts that won't be used by debian find _build/src/$(DH_GOPKG)/cmd/snap-bootstrap -name "*.go" | xargs rm -f find _build/src/$(DH_GOPKG)/cmd/snap-fde-keymgr -name "*.go" | xargs rm -f find _build/src/$(DH_GOPKG)/gadget/install -name "*.go" | grep -vE '(params\.go|install_dummy\.go|kernel\.go)'| xargs rm -f # XXX: once dh-golang understands go build tags this would not be needed find _build/src/$(DH_GOPKG)/secboot/ -name "*.go" | grep -E '(.*_sb(_test)?\.go|.*_tpm(_test)?\.go|secboot_hooks.go|keymgr/)' | xargs rm -f find _build/src/$(DH_GOPKG)/boot/ -name "*.go" | grep -E '(.*_sb(_test)?\.go)' | xargs rm -f # and build, we cannot use modules as packaging on Debian requires us to use # dependencies from the distro, and this would require further updates to the # go.mod file GO111MODULE=off dh_auto_build -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS) (cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. go build $(BUILDFLAGS) $(GCCGOFLAGS) -tags "$(SNAP_TAGS)" $(DH_GOPKG)/cmd/snap) # (static linking on powerpc with cgo is broken) ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc) # Generate static snap-exec, snapctl and snap-update-ns - it somehow includes CGO so # we must force a static build here. We need a static snap-{exec,update-ns} # inside the core snap because not all bases will have a libc (cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. CGO_ENABLED=0 go build -tags "$(TAGS)" $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-exec) (cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. CGO_ENABLED=0 go build -tags "$(TAGS)" $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snapctl) (cd _build/bin && GO111MODULE=off GOPATH=$$(pwd)/.. go build -tags "$(TAGS)" --ldflags '-extldflags "-static"' $(GCCGOFLAGS) -pkgdir=$$(pwd)/std $(DH_GOPKG)/cmd/snap-update-ns) # ensure we generated a static build $(shell if ldd _build/bin/snap-exec; then false "need static build"; fi) $(shell if ldd _build/bin/snap-update-ns; then false "need static build"; fi) $(shell if ldd _build/bin/snapctl; then false "need static build"; fi) endif # ensure snap-seccomp is build with a static libseccomp on Ubuntu ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu) # (static linking on powerpc with cgo is broken) ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc) sed -i "s|#cgo LDFLAGS:|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go (cd _build/bin && GOPATH=$$(pwd)/.. CGO_LDFLAGS_ALLOW="/.*/libseccomp.a" go build -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-seccomp) # ensure that libseccomp is not dynamically linked ldd _build/bin/snap-seccomp test "$$(ldd _build/bin/snap-seccomp | grep libseccomp)" = "" # revert again so that the subsequent tests work sed -i "s|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|#cgo LDFLAGS:|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go endif endif # Build C bits, sadly manually cd cmd && ( autoreconf -i -f ) cd cmd && ( ./configure --prefix=/usr --libexecdir=/usr/lib/snapd $(VENDOR_ARGS)) $(MAKE) -C cmd all # Generate the real systemd/dbus/env config files $(MAKE) -C data all override_dh_auto_test: LANG=C.utf-8 SNAPD_SKIP_SLOW_TESTS=true GO111MODULE=off dh_auto_test -- $(BUILDFLAGS) -tags "$(TAGS)" $(GCCGOFLAGS) $(DH_GOPKG)/... # a tested default (production) build should have no test keys ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) # check that only the main trusted account-keys are included [ $$(strings _build/bin/snapd|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 2 ] strings _build/bin/snapd|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$" strings _build/bin/snapd|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$" # same for snap-repair [ $$(strings _build/bin/snap-repair|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 3 ] # common with snapd strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$" strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$" # repair-root strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: nttW6NfBXI_E-00u38W-KH6eiksfQNXuI7IiumoV49_zkbhM0sYTzSnFlwZC-W4t$$" endif ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) # run the snap-confine tests $(MAKE) -C cmd check endif override_dh_install-indep: # we do not need this in the package, its just needed during build rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go # toolbelt is not shippable rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt # we do not like /usr/bin/snappy anymore rm -f ${CURDIR}/debian/tmp/usr/bin/snappy # chrorder generator rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder # bootloader assets generator rm -f ${CURDIR}/debian/tmp/usr/bin/genasset # asserts/info rm -f ${CURDIR}/debian/tmp/usr/bin/info # docs generator rm -f ${CURDIR}/debian/tmp/usr/bin/docs dh_install override_dh_install-arch: # we do not need this in the package, its just needed during build rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go # toolbelt is not shippable rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt # we do not like /usr/bin/snappy anymore rm -f ${CURDIR}/debian/tmp/usr/bin/snappy # i18n stuff mkdir -p debian/snapd/usr/share if [ -d share/locale ]; then \ cp -R share/locale debian/snapd/usr/share; \ fi # chrorder generator rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder # bootloader assets generator rm -f ${CURDIR}/debian/tmp/usr/bin/genasset # asserts/info rm -f ${CURDIR}/debian/tmp/usr/bin/info # docs generator rm -f ${CURDIR}/debian/tmp/usr/bin/docs # Install snapd's systemd units / upstart jobs, done # here instead of debian/snapd.install because the # ubuntu/14.04 release branch adds/changes bits here $(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \ SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR) # We called this apps-bin-path.sh instead of snapd.sh, and # it's a conf file so we're stuck with it mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh $(MAKE) -C cmd install DESTDIR=$(CURDIR)/debian/tmp # Rename the apparmor profile, see dh_apparmor call above for an explanation. mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real # Ouside of core we don't need to install the following files: rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.autoimport.service rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.core-fixup.service rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.failure.service rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.service rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.snap-repair.timer rm $(CURDIR)/debian/snapd/$(SYSTEMD_UNITS_DESTDIR)/snapd.system-shutdown.service rm $(CURDIR)/debian/snapd/usr/lib/snapd/snapd.run-from-snap dh_install override_dh_auto_install: snap.8 dh_auto_install -O--buildsystem=golang snap.8: TZ=UTC $(CURDIR)/_build/bin/snap help --man > $@ override_dh_auto_clean: dh_auto_clean -O--buildsystem=golang rm -vf snap.8 override_dh_gencontrol: dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)"