Checkpoint

svn path=/branches/tk377/; revision=4959
author: Rob Austein <sra@hactrn.net> 2013-01-08 20:03:01 +0000
committer: Rob Austein <sra@hactrn.net> 2013-01-08 20:03:01 +0000
commit: 5bfaa95b9c6a076bbe16966bb77c4dd42ddc5039 (patch)
tree: 6e39f420ae7e34b6292a7cc823cd116ea714f3b7 /buildtools/build-freebsd-rp-port.py
parent: c224ba7a2f2e662ec3e6d7e22a62ee0cfb3c549f (diff)
1 files changed, 191 insertions, 12 deletions
diff --git a/buildtools/build-freebsd-rp-port.py b/buildtools/build-freebsd-rp-port.py
index 140c67ae..e63ff52a 100644
--- a/buildtools/build-freebsd-rp-port.py
+++ b/buildtools/build-freebsd-rp-port.py
@@ -60,18 +60,15 @@ except:
 if trunk != "trunk" or not vers.isdigit():
   sys.exit("Unexpected tarball URL name format")
 
-mkdir_maybe(base)
-
-# Just want relying party tools, and have to whack rcynic jail
-# location to something acceptable to FreeBSD package system.
+base += "-rp"
 
-configure_args = "--disable-ca-tools --with-rcynic-jail=/usr/local/var/rcynic"
+mkdir_maybe(base)
 
 with open(os.path.join(base, "Makefile"), "w") as f:
   print "Writing", f.name
 
   f.write('''\
-PORTNAME=	%(portname)s-rp
+PORTNAME=	%(portname)s
 PORTVERSION=	0.%(snapshot)s
 CATEGORIES=	net
 MASTER_SITES=	%(master_sites)s
@@ -94,15 +91,22 @@ BUILD_DEPENDS+= makedepend>0:${PORTSDIR}/devel/makedepend
 # For rcynic-html
 RUN_DEPENDS+=   rrdtool>0:${PORTSDIR}/databases/rrdtool
 
-CONIGURE_ARGS=  %(configure_args)s
+# Just want relying party tools, and have to whack rcynic jail
+# location to something acceptable to FreeBSD package system.
+
+CONIGURE_ARGS=  --disable-ca-tools --with-rcynic-jail=/usr/local/var/rcynic
+
+# This is not necessary at the moment because "make install" does
+# all the same things.  This is here as a reminder in case that changes.
+#
+#post-install:; PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL.
 
 .include <bsd.port.mk>
 ''' % { "portname"      : base,
         "snapshot"      : vers,
         "tarname"       : name,
         "master_sites"  : os.path.dirname(url) + "/",
-        "distfiles"     : os.path.basename(url),
-        "configure_args": configure_args })
+        "distfiles"     : os.path.basename(url) })
 
 with open(os.path.join(base, "pkg-descr"), "w") as f:
   print "Writing", f.name
@@ -123,7 +127,7 @@ subprocess.check_call(("make", "makesum", "DISTDIR=" + os.getcwd()), cwd = base)
 
 print "Extracting list of trust anchors"
 
-trust_anchors = ["var/rcynic/etc/trust-anchors/%s" % os.path.basename(fn)
+trust_anchors = [os.path.basename(fn)
                  for fn in subprocess.check_output(("tar", "tf", os.path.basename(url))).splitlines()
                  if "/rcynic/sample-trust-anchors/" in fn and fn.endswith(".tal")]
 
@@ -142,17 +146,192 @@ etc/rc.d/rcynic
 var/rcynic/bin/rcynic
 var/rcynic/bin/rcynic-html
 var/rcynic/bin/rsync
+@unexec if cmp -s %D/var/rcynic/etc/rcynic.conf.sample %D/var/rcynic/etc/rcynic.conf; then rm -f %D/var/rcynic/etc/rcynic.conf; fi
+var/rcynic/etc/rcynic.conf.sample
+@exec if [ ! -f  %D/var/rcynic/etc/rcynic.conf ] ; then cp -p %D/%F %D/var/rcynic/etc/rcynic.conf; fi
 ''')
 
-  for trust_anchor in trust_anchors:
-    f.write("%s\n" % trust_anchor)
+  for trust_anchor in sorted(trust_anchors):
+    f.write("var/rcynic/etc/trust-anchors/%s\n" % trust_anchor)
 
   f.write('''\
+@exec mkdir -p %D/var/rcynic/var
 @dirrm var/rcynic/var
 @dirrm var/rcynic/etc/trust-anchors
 @dirrm var/rcynic/etc
+@exec mkdir -p %D/var/rcynic/dev
 @dirrm var/rcynic/dev
+@exec mkdir -p %D/var/rcynic/data
 @dirrm var/rcynic/data
 @dirrm var/rcynic/bin
 @dirrm var/rcynic
 ''')
+
+# 90% of this is $top/rcynic/installation-scripts/freebsd/install.sh.
+# Somehow or another this duplication needs to go away, but priority
+# for today is a working package.
+
+with open(os.path.join(base, "pkg-install"), "w") as f:
+
+  print "Writing", f.name
+
+  f.write('''\
+#!/bin/sh -
+
+/bin/test "X$2" = 'XPRE-INSTALL' && exit 0
+
+: ${jaildir="${DESTDIR}/usr/local/var/rcynic"}
+: ${jailuser="rcynic"}
+: ${jailgroup="rcynic"}
+: ${setupcron="NO"}
+
+echo "Setting up \"${jaildir}\" as a chroot jail for rcynic."
+
+if /usr/sbin/pw groupshow "${jailgroup}" 2>/dev/null; then
+    echo "You already have a group \"${jailgroup}\", so I will use it."
+elif /usr/sbin/pw groupadd ${jailgroup}; then
+    echo "Added group \"${jailgroup}\"."
+else
+    echo "Adding group \"${jailgroup}\" failed..."
+    echo "Please create it, then try again."
+    exit 1
+fi
+
+if /usr/sbin/pw usershow "${jailuser}" 2>/dev/null; then
+    echo "You already have a user \"${jailuser}\", so I will use it."
+elif /usr/sbin/pw useradd ${jailuser} -g ${jailgroup} -h - -d /nonexistant -s /usr/sbin/nologin -c "RPKI validation system"; then
+    echo "Added user \"${jailuser}\"."
+else
+    echo "Adding user \"${jailuser}\" failed..."
+    echo "Please create it, then try again."
+    exit 1
+fi
+
+if ! /bin/test -d "${jaildir}"; then
+    /bin/mkdir "${jaildir}"
+fi
+
+if /usr/bin/install -m 555 -o root -g wheel -p rc.d.rcynic ${DESTDIR}/usr/local/etc/rc.d/rcynic; then
+    echo "Installed rc.d.rcynic as ${DESTDIR}/usr/local/etc/rc.d/rcynic"
+else
+    echo "Installing ${DESTDIR}/usr/local/etc/rc.d/rcynic failed"
+    exit 1
+fi
+
+echo "Running /usr/local/etc/rc.d/rcynic to set up directories"
+
+if ! rcynic_jaildir="$jaildir" rcynic_user="$jailuser" rcynic_group="$jailgroup" /bin/sh /usr/local/etc/rc.d/rcynic start; then
+    echo "Directory setup failed"
+    exit 1
+fi
+
+if /usr/bin/install -m 444 -o root -g wheel -p ../sample-rcynic.conf "${jaildir}/etc/rcynic.conf.sample"; then
+    echo "Installed minimal ${jaildir}/etc/rcynic.conf.sample, adding SAMPLE trust anchors"
+    for i in ../../sample-trust-anchors/*.tal; do
+	j="$jaildir/etc/trust-anchors/${i##*/}"
+	/bin/test -r "$i" || continue
+	/bin/test -r "$j" && continue
+	echo "Installing $i as $j"
+	/usr/bin/install -m 444 -o root -g wheel -p "$i" "$j"
+    done
+    j=1
+    for i in $jaildir/etc/trust-anchors/*.tal; do
+	echo >>"${jaildir}/etc/rcynic.conf.sample" "trust-anchor-locator.$j	= /etc/trust-anchors/${i##*/}"
+	j=$((j+1))
+    done
+else
+    echo "Installing minimal ${jaildir}/etc/rcynic.conf.sample failed"
+    exit 1
+fi
+
+if /bin/test -r "$jaildir/etc/rcynic.conf"; then
+    echo "You already have config file \"${jaildir}/etc/rcynic.conf\", so I will use it."
+elif /bin/cp -p "$jaildir/etc/rcynic.conf.sample" "$jaildir/etc/rcynic.conf"
+    echo "Installed minimal ${jaildir}/etc/rcynic.conf"
+else
+    echo "Installing minimal ${jaildir}/etc/rcynic.conf failed"
+    exit 1
+fi
+
+echo "Installing rcynic as ${jaildir}/bin/rcynic"
+
+/usr/bin/install -m 555 -o root -g wheel -p ../../rcynic "${jaildir}/bin/rcynic"
+
+if /bin/test ! -x "$jaildir/bin/rsync" -a ! -x ../../static-rsync/rsync; then
+    echo "Building static rsync for jail, this may take a little while"
+    (cd ../../static-rsync && exec make)
+fi
+
+if /bin/test -x "$jaildir/bin/rsync"; then
+    echo "You already have an executable \"$jaildir/bin/rsync\", so I will use it"
+elif /usr/bin/install -m 555 -o root -g wheel -p ../../static-rsync/rsync "${jaildir}/bin/rsync"; then
+    echo "Installed static rsync as \"${jaildir}/bin/rsync\""
+else
+    echo "Installing static rsync failed"
+    exit 1
+fi
+
+if /usr/bin/install -m 555 -o root -g wheel -p ../../rcynic-html "${jaildir}/bin/rcynic-html"; then
+    echo "Installed rcynic.py as \"${jaildir}/bin/rcynic-html\""
+else
+    echo "Installing rcynic-html failed"
+    exit 1
+fi
+
+# "'"
+
+echo "Setting up root's crontab to run jailed rcynic"
+
+case "$setupcron" in
+YES|yes)
+    /usr/bin/crontab -l -u root 2>/dev/null |
+    /usr/bin/awk -v "jailuser=$jailuser" -v "jailgroup=$jailgroup" -v "jaildir=$jaildir" '
+	BEGIN {
+	    cmd = "exec /usr/sbin/chroot -u " jailuser " -g " jailgroup " " jaildir;
+	    cmd = cmd " /bin/rcynic -c /etc/rcynic.conf";
+	}
+	$0 !~ cmd {
+	    print;
+	}
+	END {
+	    "/usr/bin/hexdump -n 2 -e \"\\\"%u\\\\\\n\\\"\" /dev/random" | getline;
+	    printf "%u * * * *\t%s\n", $1 % 60, cmd;
+	}' |
+    /usr/bin/crontab -u root -
+    /bin/cat <<EOF
+
+	crontab is set up to run rcynic hourly, at a randomly selected
+	minute (to spread load on the rsync servers).  Please do NOT
+	adjust this to run on the hour.  In particular please do NOT
+	adjust this to run at midnight UTC.
+EOF
+    ;;
+
+*)
+    /bin/cat <<EOF
+
+	You'll need to add a crontab entry running the following command as root:
+
+	    /usr/sbin/chroot -u $jailuser -g $jailgroup $jaildir /bin/rcynic -c /etc/rcynic.conf
+
+	Please try to pick a random time for this, don't just run it on the hour,
+	or at local midnight, or, worst of all, at midnight UTC.
+
+EOF
+    ;;
+
+esac
+''')
+
+with open(os.path.join(base, "pkg-message"), "w") as f:
+
+  print "Writing", f.name
+
+  f.write('''\
+You may need to customize /usr/local/var/rcynic/etc/rcynic.conf.
+If you did not install your own trust anchors, a default set of SAMPLE
+trust anchors may have been installed for you, but you, the relying
+party, are the only one who can decide whether you trust those
+anchors.  rcynic will not do anything useful without good trust
+anchors.
+''')
author	Rob Austein <sra@hactrn.net>	2013-01-08 20:03:01 +0000
committer	Rob Austein <sra@hactrn.net>	2013-01-08 20:03:01 +0000
commit	5bfaa95b9c6a076bbe16966bb77c4dd42ddc5039 (patch)
tree	6e39f420ae7e34b6292a7cc823cd116ea714f3b7 /buildtools/build-freebsd-rp-port.py
parent	c224ba7a2f2e662ec3e6d7e22a62ee0cfb3c549f (diff)