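#!/usr/bin/make -f
# -*- makefile -*-
#
# These rules should work for any debian-ish distro that uses systemd
# as init. That does _not_ include Ubuntu 14.04 ("trusty"); look for
# its own special rule file.
#
# Please keep the diff between that and this relatively small, even if
# it means having suboptimal code; these need to be kept in sync by
# sentient bags of meat.

#export DH_VERBOSE=1
export DH_OPTIONS
export DH_GOPKG := github.com/snapcore/snapd
#export DEB_BUILD_OPTIONS=nocheck
export DH_GOLANG_EXCLUDES=tests
export DH_GOLANG_GO_GENERATE=1

# CURDIR is appended (not prepended), so system tools still win over
# anything of the same name in the source tree.
export PATH:=${PATH}:${CURDIR}
# make sure that correct go version is found on trusty
export PATH:=/usr/lib/go-1.10/bin:${PATH}

# /etc/os-release is read as makefile syntax, so VERSION_ID keeps the
# double quotes it has in that file; the comparisons below include them.
include /etc/os-release

# On 18.04 the released version of apt (1.6.1) has a bug that causes
# problem on "apt purge snapd". To ensure this won't happen add the
# right dependency on 18.04.
ifeq (${VERSION_ID},"18.04")
  SUBSTVARS = -Vsnapd:Breaks="systemd (<< 237-3ubuntu10.24), apt (<< 1.6.3)"
endif
# Same as above for 18.10 just a different version.
ifeq (${VERSION_ID},"18.10")
  SUBSTVARS = -Vsnapd:Breaks="apt (<< 1.7.0~alpha2)"
endif

# this is overridden in the ubuntu/14.04 release branch
SYSTEMD_UNITS_DESTDIR="lib/systemd/system/"

# The go tool does not fully support vendoring with gccgo, but we can
# work around that by constructing the appropriate -I flag by hand.
GCCGO := $(shell go tool dist env > /dev/null 2>&1 && echo no || echo yes)

BUILDFLAGS:=-pkgdir=$(CURDIR)/_build/std
# Disable -buildmode=pie mode on all our 32bit platforms
# (i386 and armhf). For i386 because of LP: #1711052 and for
# armhf because of LP: #1822738
ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH_BITS),64)
  BUILDFLAGS+= -buildmode=pie
endif

GCCGOFLAGS=
ifeq ($(GCCGO),yes)
  GOARCH := $(shell go env GOARCH)
  GOOS := $(shell go env GOOS)
  BUILDFLAGS:=
  GCCGOFLAGS=-gccgoflags="-I $(CURDIR)/_build/pkg/gccgo_$(GOOS)_$(GOARCH)/$(DH_GOPKG)/vendor"
  export DH_GOLANG_GO_GENERATE=0
  # workaround for https://github.com/golang/go/issues/23721
  export GOMAXPROCS=2
endif

# build with "tpm" support on ubuntu by default
# TAGS are the go build tags for all binaries, SNAP_TAGS are for snap and
# snap-bootstrap build only.
TAGS=
SNAP_TAGS=
# check if we need to include the testkeys in the binary
ifneq (,$(filter testkeys,$(DEB_BUILD_OPTIONS)))
  # if enabled also enable bootloader assets testing
  TAGS=-tags "withtestkeys withbootassetstesting"
  SNAP_TAGS=-tags "nomanagers withtestkeys"
else
  SNAP_TAGS=-tags nomanagers
endif

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

BUILT_USING_PACKAGES=
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# DPKG_EXPORT_BUILDFLAGS = 1
# include /usr/share/dpkg/buildflags.mk

# Currently, we enable confinement for Ubuntu only, not for derivatives,
# because derivatives may have different kernels that don't support all the
# required confinement features and we don't want to mislead anyone about the
# security of the system. Discuss a proper approach to this for downstreams
# if and when they approach us.
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
  # On Ubuntu 16.04 we need to produce a build that can be used on wide
  # variety of systems. As such we prefer static linking over dynamic linking
  # for stability, predictability and ease of deployment. We need to link some
  # things dynamically though: udev has no stable IPC protocol between
  # libudev and udevd so we need to link with it dynamically.
  VENDOR_ARGS=--enable-nvidia-multiarch --enable-static-libcap --enable-static-libapparmor --with-host-arch-triplet=$(DEB_HOST_MULTIARCH)
ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),amd64)
  VENDOR_ARGS+= --with-host-arch-32bit-triplet=$(shell dpkg-architecture -f -ai386 -qDEB_HOST_MULTIARCH)
endif
  BUILT_USING_PACKAGES=libcap-dev libapparmor-dev libseccomp-dev
else
ifeq ($(shell dpkg-vendor --query Vendor),Debian)
  BUILT_USING_PACKAGES=libcap-dev
else
  VENDOR_ARGS=--disable-apparmor
endif
endif
# Built-Using lists the source packages of the statically linked libraries.
# dpkg-query -W with no package name lists every package it knows about, so
# the query is skipped when BUILT_USING_PACKAGES is empty (the derivative
# branch above) instead of recording the whole package database.
BUILT_USING=$(if $(strip $(BUILT_USING_PACKAGES)),$(shell dpkg-query -f '$${source:Package} (= $${source:Version}), ' -W $(BUILT_USING_PACKAGES)))

# Catch-all: every debhelper target goes through dh, except on powerpc
# where only a README-carrying package is produced.
%:
ifneq ($(shell dpkg-architecture -qDEB_HOST_ARCH),powerpc)
	dh $@ --buildsystem=golang --with=golang --fail-missing --with systemd --builddirectory=_build
else
	# "powerpc" is not supported unfortunately, do nothing here
	# See https://github.com/tianon/debian-runc/compare/70957b315f82170dc2ab7085d39c23835c0fa996...xenial for a more elaborate version of this idea.
	# Note that snapd never really worked on powerpc (we never had a core
	# snap there) so we don't need to show anything to the user
	if [ "$@" = "clean" ]; then \
		rm -rf debian/snapd; \
	fi; \
	if [ "$@" = "binary" ] || [ "$@" = "binary-arch" ]; then \
		install -m755 -d debian/snapd/usr/share/doc/snapd/; \
		cp debian/README.powerpc debian/snapd/usr/share/doc/snapd/; \
		dh_installdeb; \
		dh_gencontrol; \
		dh_builddeb; \
	fi;
endif

# snap-confine is excluded from permission normalisation.
# NOTE(review): presumably this keeps the mode that "make -C cmd install"
# gave the binary (it is a privileged helper) - confirm against cmd/.
override_dh_fixperms:
	dh_fixperms -Xusr/lib/snapd/snap-confine


# The .real profile is a workaround for a bug in dpkg LP: #1673247 that causes
# ubiquity to crash. It allows us to "move" the snap-confine profile from
# snap-confine into snapd in a way that works with old dpkg that is in the live
# CD image.
#
# Because both the usual and the .real profile describe the same binary the
# .real profile takes priority (as it is loaded later).
#
# We need to run dh_apparmor *before* dh_systemd_enable to ensure the postinst
# snippets are added in the right order (first the new apparmor profile
# is loaded, then we restart the service).
override_dh_systemd_enable:
	dh_apparmor --profile-name=usr.lib.snapd.snap-confine.real -psnapd
	dh_systemd_enable

override_dh_clean:
ifneq (,$(TEST_GITHUB_AUTOPKGTEST))
	# this will be set by the GITHUB webhook to trigger a autopkgtest
	# we only need to run "govendor sync" here and then its ready
	#
	# NOTE(review): this path uses a fixed GOPATH under /tmp and fetches
	# govendor with "go get -u", i.e. whatever the upstream branch holds at
	# build time. Both are tolerable only on a throwaway, single-user test
	# host; the steps are joined with ";" so a failed fetch does not stop
	# the sequence either. Consider a private temp dir and a pinned tool.
	(export GOPATH="/tmp/go"; \
	  mkdir -p /tmp/go/src/github.com/snapcore/; \
	  cp -ar . /tmp/go/src/github.com/snapcore/snapd; \
	  go get -u github.com/kardianos/govendor; \
	  (cd /tmp/go/src/github.com/snapcore/snapd ; /tmp/go/bin/govendor sync); \
	  cp -ar /tmp/go/src/github.com/snapcore/snapd/vendor/ .; \
	)
endif
	dh_clean
	$(MAKE) -C data clean
	# XXX: hacky
	$(MAKE) -C cmd distclean || true
	# XXX: hacky^2
	(cd vendor/github.com/snapcore/squashfuse/src && rm -f snapfuse && make distclean || true )

override_dh_auto_build:
	# usually done via `go generate` but that is not supported on powerpc
	./mkversion.sh
	# Build golang bits
	mkdir -p _build/src/$(DH_GOPKG)/cmd/snap/test-data
	cp -a cmd/snap/test-data/*.gpg _build/src/$(DH_GOPKG)/cmd/snap/test-data/
	cp -a bootloader/assets/data _build/src/$(DH_GOPKG)/bootloader/assets

	# this is the main go build
	SNAPD_VANILLA_GO=$$(which go) PATH="$$(pwd)/packaging/build-tools/:$$PATH" dh_auto_build -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)

	# NOTE(review): GOCACHE points at a fixed name in world-writable /tmp for
	# all the go build calls below; on a shared build host a directory under
	# the build tree would avoid reusing a cache another user could prepare.
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build go build $(BUILDFLAGS) $(GCCGOFLAGS) $(SNAP_TAGS) $(DH_GOPKG)/cmd/snap)
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build go build $(BUILDFLAGS) $(GCCGOFLAGS) $(SNAP_TAGS) $(DH_GOPKG)/cmd/snap-bootstrap)

	# Generate static snap-exec, snapctl and snap-update-ns - it somehow includes CGO so
	# we must force a static build here. We need a static snap-{exec,update-ns}/snapctl
	# inside the core snap because not all bases will have a libc
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build CGO_ENABLED=0 go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-exec)
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build CGO_ENABLED=0 go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snapctl)
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build go build --ldflags '-extldflags "-static"' $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-update-ns)

	# ensure we generated a static build
	# This has to be a real recipe line: the exit status of a make shell
	# function call is discarded, and make evaluates such a call while
	# expanding the recipe rather than after the go build lines have run,
	# so a check written that way can never fail the build.
	# ldd exits non-zero for a static binary; exit 0 means dynamic linking.
	# NOTE(review): with GCCGO=yes the result may link libgo dynamically;
	# confirm the check is wanted on those architectures.
	for b in snap-exec snap-update-ns snapctl; do \
		if ldd _build/bin/$$b; then \
			echo "need static build: $$b" >&2; \
			exit 1; \
		fi; \
	done

	# ensure snap-seccomp is build with a static libseccomp on Ubuntu
ifeq ($(shell dpkg-vendor --query Vendor),Ubuntu)
	sed -i "s|#cgo LDFLAGS:|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
	(cd _build/bin && GOPATH=$$(pwd)/.. GO111MODULE=off GOCACHE=/tmp/go-build CGO_LDFLAGS_ALLOW="/.*/libseccomp.a" go build $(GCCGOFLAGS) $(DH_GOPKG)/cmd/snap-seccomp)
	# ensure that libseccomp is not dynamically linked
	ldd _build/bin/snap-seccomp
	test "$$(ldd _build/bin/snap-seccomp | grep libseccomp)" = ""
	# revert again so that the subsequent tests work
	sed -i "s|#cgo LDFLAGS: /usr/lib/$(shell dpkg-architecture -qDEB_TARGET_MULTIARCH)/libseccomp.a|#cgo LDFLAGS:|" _build/src/$(DH_GOPKG)/cmd/snap-seccomp/main.go
endif

	# Build C bits, sadly manually
	cd cmd && ( autoreconf -i -f )
	cd cmd && ( ./configure --prefix=/usr --libexecdir=/usr/lib/snapd $(VENDOR_ARGS))
	$(MAKE) -C cmd all

	# Generate the real systemd/dbus/env config files
	$(MAKE) -C data all

	# build squashfuse and rename to snapfuse
	(cd vendor/github.com/snapcore/squashfuse/src && mkdir -p autom4te.cache && ./autogen.sh --disable-demo && ./configure --disable-demo && make && mv squashfuse_ll snapfuse)

override_dh_auto_test:
	dh_auto_test -- $(BUILDFLAGS) $(TAGS) $(GCCGOFLAGS)
# a tested default (production) build should have no test keys
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# check that only the main trusted account-keys are included
	# Each iteration ends in "|| exit 1": a for loop returns the status of
	# its last iteration only, so without it an unexpected key count in
	# snapd or snap-bootstrap would be masked by a passing snap-preseed.
	for b in _build/bin/snapd _build/bin/snap-bootstrap _build/bin/snap-preseed; do \
		[ $$(strings $$b |grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 2 ] && \
		strings $$b |grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$" && \
		strings $$b |grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$" || exit 1; \
	done;
	# same for snap-repair
	[ $$(strings _build/bin/snap-repair|grep -c -E "public-key-sha3-384: [a-zA-Z0-9_-]{64}") -eq 3 ]
	# common with snapd
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: -CvQKAwRQ5h3Ffn10FILJoEZUXOv6km9FwA80-Rcj-f-6jadQ89VRswHNiEB9Lxk$$"
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: d-JcZF9nD9eBw7bwMnH61x-bklnQOhQud1Is6o_cn2wTj8EYDi9musrIT9z2MdAa$$"
	# repair-root
	strings _build/bin/snap-repair|grep -c "^public-key-sha3-384: nttW6NfBXI_E-00u38W-KH6eiksfQNXuI7IiumoV49_zkbhM0sYTzSnFlwZC-W4t$$"
endif
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
	# run the snap-confine tests
	$(MAKE) -C cmd check
endif

override_dh_install:
	# we do not need this in the package, its just needed during build
	rm -rf ${CURDIR}/debian/tmp/usr/bin/xgettext-go
	# toolbelt is not shippable
	rm -f ${CURDIR}/debian/tmp/usr/bin/toolbelt
	# we do not like /usr/bin/snappy anymore
	rm -f ${CURDIR}/debian/tmp/usr/bin/snappy
	# i18n stuff
	mkdir -p debian/snapd/usr/share
	if [ -d share/locale ]; then \
		cp -R share/locale debian/snapd/usr/share; \
	fi
	# chrorder generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/chrorder
	# bootloader assets generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/genasset
	# docs generator
	rm -f ${CURDIR}/debian/tmp/usr/bin/docs

	# Install snapd's systemd units / upstart jobs, done
	# here instead of debian/snapd.install because the
	# ubuntu/14.04 release branch adds/changes bits here
	$(MAKE) -C data install DESTDIR=$(CURDIR)/debian/snapd/ \
		SYSTEMDSYSTEMUNITDIR=$(SYSTEMD_UNITS_DESTDIR)
	# We called this apps-bin-path.sh instead of snapd.sh, and
	# it's a conf file so we're stuck with it
	mv debian/snapd/etc/profile.d/snapd.sh debian/snapd/etc/profile.d/apps-bin-path.sh

	$(MAKE) -C cmd install DESTDIR=$(CURDIR)/debian/tmp

	# Rename the apparmor profile, see dh_apparmor call above for an explanation.
	mv $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine $(CURDIR)/debian/tmp/etc/apparmor.d/usr.lib.snapd.snap-confine.real

	dh_install

override_dh_auto_install: snap.8
	dh_auto_install -O--buildsystem=golang

snap.8:
	# fix reproducible builds as reported by:
	#   https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/snapd.html
	# once golang-go-flags is fixed we can remove the "sed" expression
	$(CURDIR)/_build/bin/snap help --man | sed '1 s/^.*/.TH snap 8 "$(shell date --reference=debian/changelog +"%d %B %Y")"/' > $@

override_dh_auto_clean:
	dh_auto_clean -O--buildsystem=golang
	rm -vf snap.8

# Records the statically linked library sources and any release-specific
# Breaks computed at the top of this file in the binary package control data.
override_dh_gencontrol:
	dh_gencontrol -- -VBuilt-Using="$(BUILT_USING)" $(SUBSTVARS)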