debian: run as a daemon, ask informed consent #162
Should it perhaps be called |
Thank you very much for your excellent work in making a Debian package! I am super happy that we can soon proceed with a new package 🥳!
I have a bunch of requests for changes, which are mainly focused around updating the package to the way in which ooniprobe 3.1.0 works.
In the meanwhile, I'll spin up a Vagrant box and test more thoroughly.
🎸
[Unit]
Description=OONI CLI Probe
Documentation=man:ooniprobe-cli
#Documentation=file:///usr/share/doc/ooniprobe-cli/html/index.html
WorkingDirectory=/var/lib/ooniprobe

# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Could this be the empty set of capabilities? (AFAIK we don't bind any privileged port)
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/log/ooniprobe
ReadWriteDirectories=-/var/lib/ooniprobe
ReadWriteDirectories=-/var/run
My systemd-fu is such that I don't understand the - here. The manual to which I have access reads:
Paths in ReadOnlyDirectories= and InaccessibleDirectories= may be prefixed with "-", in which case they will be ignored when they do not exist. Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
I'm clearly missing some knowledge here, please help :-).
If those directories are missing for any reason, the systemd unit file will not break. E.g. /var/log/ooniprobe is not being created and that's ok.
What confuses me is that the manual page that I linked to explicitly states that this behaviour is only occurring for ReadOnlyDirectories and InaccessibleDirectories, but above it's used for ReadWriteDirectories. It seems the Debian manual page for that topic says that also ReadWriteDirectories can be used along with the - modifier.
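A small lint for the two sandboxing directives discussed in this thread, added here as an example (it is not code from the PR or from ooni): it reports whether CapabilityBoundingSet= drops every capability and, for each ReadWriteDirectories=/ReadWritePaths= entry, whether a missing path is tolerated thanks to the - prefix or would make the service fail to start. The unit files it checks are constructed samples and the function names are made up; the directive semantics are those of systemd.exec(5).

```shell
#!/bin/sh
# unit_sandbox_report FILE: prints one finding per line and returns 1 when
# the unit keeps capabilities or names a required path that is missing.
# (Hypothetical helper written for this example.)
unit_sandbox_report() {
    unit="$1"; rc=0
    # An empty CapabilityBoundingSet= drops every capability; any listed
    # name (e.g. CAP_NET_BIND_SERVICE) stays in the bounding set.
    caps=$(sed -n 's/^CapabilityBoundingSet=//p' "$unit" | tr -s ' \t' '\n' | sed '/^$/d')
    if ! grep -q '^CapabilityBoundingSet=' "$unit"; then
        echo "WARN: no CapabilityBoundingSet=, bounding set not restricted"; rc=1
    elif [ -n "$caps" ]; then
        echo "WARN: capabilities retained: $(echo "$caps" | tr '\n' ' ')"; rc=1
    else
        echo "OK: CapabilityBoundingSet= is empty, all capabilities dropped"
    fi
    # ReadWriteDirectories= is the older name of ReadWritePaths=. A leading
    # "-" tells systemd to ignore the entry when the path does not exist;
    # without it a missing path makes the service fail to start.
    entries=$(sed -n -e 's/^ReadWriteDirectories=//p' -e 's/^ReadWritePaths=//p' "$unit")
    for entry in $entries; do
        case "$entry" in
            -*) path="${entry#-}"; optional=yes ;;
            *)  path="$entry";     optional=no  ;;
        esac
        if [ -e "$path" ]; then
            echo "OK: $path exists (optional=$optional)"
        elif [ "$optional" = yes ]; then
            echo "INFO: $path missing, ignored because of the - prefix"
        else
            echo "FAIL: $path missing and required, service would fail to start"; rc=1
        fi
    done
    return $rc
}

# Constructed sample units (not the PR's unit file); writes them to a
# temporary directory and prints that directory.
make_sample_units() {
    dir=$(mktemp -d)
    printf '[Service]\nCapabilityBoundingSet=\nReadWriteDirectories=-%s/missing-constructed\nReadWriteDirectories=/tmp\n' "$dir" > "$dir/hardened.service"
    printf '[Service]\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE\nReadWriteDirectories=%s/missing-constructed\n' "$dir" > "$dir/loose.service"
    echo "$dir"
}

samples=$(make_sample_units)
for f in "$samples/hardened.service" "$samples/loose.service"; do
    echo "== $f"
    unit_sandbox_report "$f" || echo "   (unit needs attention)"
done
```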
Co-authored-by: Simone Basso <bassosimone@gmail.com>
Otherwise there's no way for us to test :^).
Thanks again @FedericoCeratto! I am going to merge when all the CIs are green. There are future improvements we can work on, including maybe finding a way to unify the stable and the testing builds file, whose diff is currently very limited. This diff being so limited, though, gives me confidence that the stable build is okay. For the records this is the diff:
% diff -u .github/workflows/linux-debian-packages{,-release}.yml
--- .github/workflows/linux-debian-packages.yml 2020-12-15 12:23:21.000000000 +0100
+++ .github/workflows/linux-debian-packages-release.yml 2020-12-15 12:21:54.000000000 +0100
@@ -1,10 +1,10 @@
-# Build a Debian package and publish on a test/internal archive
+# Build a Debian package only when a relase tag is applied
+# and publish it on the public/release archive
name: linux-debian-packages
on:
- pull_request:
push:
- branches:
- - master
+ tags:
+ - '*'
jobs:
build:
runs-on: "ubuntu-20.04"
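Review bot: the new trigger "tags: - '*'" starts a public release for any tag pushed to the repository, not only version tags; consider restricting it to the pattern the project's release tags follow (for example 'v*') so an unrelated tag cannot publish to the release archive. Also, "relase" in the new header comment should read "release".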
@@ -18,11 +18,10 @@
- run: find . -name ooniprobe -type f -executable
- run: sudo apt-get update -q
- run: sudo apt-get build-dep -y --no-install-recommends .
- # Use <probe version>~<github build number> as package version
+ # Use probe version as package version
- run: |
- VER=$(./CLI/linux/amd64/ooniprobe version)
- DVER="${VER}~${GITHUB_RUN_NUMBER}"
- dch -v $DVER "test version"
+ DVER=$(./CLI/linux/amd64/ooniprobe version)
+ dch -v $DVER "New release"
dpkg-buildpackage -us -uc -b
find ../ -name "*.deb" -type f
DEB="../ooniprobe-cli_${DVER}_amd64.deb"
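Review bot: DVER is taken from the output of the built binary and is never compared with the tag that triggered the workflow, so a tag whose version differs from the one embedded in the binary would still be published under the binary's version; consider failing the job when "$(./CLI/linux/amd64/ooniprobe version)" does not match the tag in GITHUB_REF, and quote the variable in the dch call ("dch -v "$DVER" "New release"") so an unexpected value cannot be split into extra arguments.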
@@ -35,4 +34,4 @@
BT_APIUSER: federicoceratto
BT_ORG: ooni
BT_PKGNAME: ooniprobe
- BT_REPO: ooniprobe-debian-test
+ BT_REPO: ooniprobe-debian |
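Review bot: BT_APIUSER stays a personal account (federicoceratto) for the public release repository as well, so the ability to publish to ooniprobe-debian is tied to one person's Bintray credentials; consider an organization-level user with its API key kept as a repository secret, and a comment in the workflow stating who can rotate it.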
* Set verbose mode, depend on adduser
* Run as daemon
* Generate manpage
* Implement informed consent
* Set version
* Switch format to native
* Set environment
* Update packaging
* Create test and release pipelines
* Update debian/ooniprobe-cli.service Co-authored-by: Simone Basso <bassosimone@gmail.com>
* Update debian/ooniprobe-cli.service Co-authored-by: Simone Basso <bassosimone@gmail.com>
* Update debian/ooniprobe.conf.disabled Co-authored-by: Simone Basso <bassosimone@gmail.com>
* fix(linux-debian-packages): build also on pull requests. Otherwise there's no way for us to test :^).
* fix(debian/control): ubuntu 20.04 has debhelper 12. See https://packages.ubuntu.com/focal/debhelper
* fix(debian/control): debhelper-compat relations don't work the way I thought
* Update debian/ooniprobe-cli.timer Co-authored-by: Simone Basso <bassosimone@gmail.com>
The PR also adds 2 different GH Action pipelines, one for tagged/public releases and one for PRs, using 2 different bintray archives.