From b6a80cc175ba8e43852ff73674479dd472fca666 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 11 Aug 2017 15:08:16 +0200 Subject: [PATCH] Update spec file - add python2-custodia-ipa with custodia.ipa plugins - ship /etc/custodia/ipa.conf - check RPMs with rpmlint - remove check for python-etcd on PPC, 0.4.5-5 no longer depends on etcd - use %tmpfiles_create macro to create /var/run/custodia in %post hook - simplify conflict with freeipa-server w/o Python 3 fix - drop workaround for Fedora 25 Signed-off-by: Christian Heimes --- Makefile | 6 ++- contrib/rpmlint | 32 +++++++++++ custodia.spec | 120 +++++++++++++++++++++++------------------ docs/source/readme.rst | 15 ++++++ 4 files changed, 121 insertions(+), 52 deletions(-) create mode 100644 contrib/rpmlint diff --git a/Makefile b/Makefile index b7875e4..6b5d441 100644 --- a/Makefile +++ b/Makefile @@ -123,7 +123,9 @@ releasecheck: clean tox -r $(MAKE) packages $(MAKE) rpm + $(MAKE) rpmlint $(MAKE) dockerbuild + @echo "Release check passed" run: egg_info $(PYTHON) $(CURDIR)/bin/custodia $(CONF) @@ -143,7 +145,7 @@ rpmroot: rpmfiles: rpmroot packages mv dist/custodia-$(VERSION).tar.gz* $(RPMBUILD)/SOURCES - cp contrib/config/custodia/custodia.conf $(RPMBUILD)/SOURCES/ + cp contrib/config/custodia/{custodia,ipa}.conf $(RPMBUILD)/SOURCES/ cp contrib/config/systemd/system/custodia@.service $(RPMBUILD)/SOURCES/ cp contrib/config/systemd/system/custodia@.socket $(RPMBUILD)/SOURCES/ cp contrib/config/tmpfiles.d/custodia.conf $(RPMBUILD)/SOURCES/custodia.tmpfiles.conf @@ -155,6 +157,8 @@ rpm: clean rpmfiles egg_info -ba custodia.spec echo "$(RPMBUILD)/RPMS" +rpmlint: + rpmlint -f contrib/rpmlint $(RPMBUILD)/RPMS .PHONY: dockerbuild dockerdemo dockerdemoinit dockershell dockerreleasebuild dockerbuild: diff --git a/contrib/rpmlint b/contrib/rpmlint new file mode 100644 index 0000000..d23d171 --- /dev/null +++ b/contrib/rpmlint 
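Review bot: The new `cp contrib/config/custodia/{custodia,ipa}.conf $(RPMBUILD)/SOURCES/` line in the rpmfiles recipe relies on brace expansion, which POSIX sh (Make's default SHELL) does not perform, so the recipe fails with a missing-file error unless this Makefile sets `SHELL := bash` further up, outside the hunk. Listing both files explicitly keeps it portable: `cp contrib/config/custodia/custodia.conf contrib/config/custodia/ipa.conf $(RPMBUILD)/SOURCES/`. The rest of the rpmfiles recipe is visible in the hunk; its prerequisites `rpmroot packages` are in the hunk header.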
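Review bot: The new `rpmlint:` target is a command, not a file, but it is not declared phony; the `.PHONY:` line just below it only covers the docker targets, so a stray file named `rpmlint` in the tree would make `make rpmlint` (and therefore `releasecheck`) silently skip the check. Add `.PHONY: rpmlint` above the rule, or append it to whichever `.PHONY` line covers `rpm`, which is outside the hunk. Since the result depends on the RPMs under `$(RPMBUILD)/RPMS` and the target deliberately has no prerequisites, a comment such as `# lint the freshly built RPMs; run after 'make rpm' (releasecheck does this)` would tell readers why.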
@@ -0,0 +1,32 @@
+addFilter('spelling-error.*etcdstore')
+
+addFilter('non-readable /etc/custodia/custodia.conf')
+addFilter('non-readable /etc/custodia/ipa.conf')
+addFilter('non-standard-dir-perm /etc/custodia')
+addFilter('non-standard-uid /etc/custodia')
+addFilter('non-standard-gid /etc/custodia')
+addFilter('non-standard-dir-perm /var/lib/custodia')
+addFilter('non-standard-uid /var/lib/custodia')
+addFilter('non-standard-gid /var/lib/custodia')
+addFilter('non-standard-dir-perm /var/log/custodia')
+addFilter('non-standard-uid /var/log/custodia')
+addFilter('non-standard-gid /var/log/custodia')
+addFilter('non-standard-uid /var/run/custodia')
+addFilter('non-standard-gid /var/run/custodia')
+
+# provided by dependencies
+addFilter('dangling-relative-symlink /usr/bin/custodia-cli')
+addFilter('dangling-relative-symlink /usr/sbin/custodia')
+
+# https://github.com/latchset/custodia/issues/228
+addFilter('no-manual-page-for-binary custodia-cli')
+addFilter('no-manual-page-for-binary custodia-cli-2')
+addFilter('no-manual-page-for-binary custodia-cli-3')
+addFilter('no-manual-page-for-binary custodia-2')
+addFilter('no-manual-page-for-binary custodia-3')
+
+# systemd_postun is defined as '%{nil}'
+addFilter('empty-%postun')
+
+# upstream specfile has no changelog
+addFilter('no-changelogname-tag')
diff --git a/custodia.spec b/custodia.spec
index d1751c7..3b3b422 100644
--- a/custodia.spec
+++ b/custodia.spec
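Review bot: The first block of filters (non-readable / non-standard-dir-perm / non-standard-uid / non-standard-gid) carries no comment saying why the warnings are acceptable, unlike the later blocks; a line such as `# /etc/custodia, /var/lib/custodia and /var/log/custodia are deliberately 0700 custodia:custodia and the configs 0600, see %files in custodia.spec` would document that the restrictive ownership is intentional rather than an oversight. The two `/var/run/custodia` filters look dead after this commit, since the custodia.spec hunk drops the `%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia` entry and the directory is now created by tmpfiles; if rpmlint no longer reports them, drop the filters so the file does not mask a future regression. Filtering by exact path keeps each suppression narrow, which is the right shape for a lint allowlist.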
@@ -1,25 +1,12 @@ -%if 0%{?fedora} -%global with_python3 1 -%endif - %{!?version: %define version 0.6.dev1} -# Workaround for python-etcd issue on PPC64. Although it's a noarch package -# it depends on etcd for testing. Go does not support PPC64 yet. -%ifarch ppc64 -%global with_etcd 0 -%else -%global with_etcd 1 +%if 0%{?fedora} +%global with_python3 1 %endif # FreeIPA up to 4.4.4 are not compatible with custodia because the custodia # script now runs under Python 3. FreeIPA 4.4.5 and 4.4.4-2 on F26 are fixed. -# ipa_conflict is used with '<' version comparison. -%if 0%{?fedora} >= 26 -%global ipa_conflict 4.4.4-2 -%else -%global ipa_conflict 4.4.5 -%endif +%global ipa_version 4.4.4-2 Name: custodia Version: %{version} @@ -33,6 +20,7 @@ Source2: custodia.conf Source3: custodia@.service Source4: custodia@.socket Source5: custodia.tmpfiles.conf +Source6: ipa.conf BuildArch: noarch @@ -44,12 +32,12 @@ BuildRequires: python2-setuptools >= 18 BuildRequires: python2-coverage BuildRequires: python2-tox >= 2.3.1 BuildRequires: python2-pytest -%if %{?with_etcd} +BuildRequires: python2-mock BuildRequires: python2-python-etcd -%endif BuildRequires: python2-docutils BuildRequires: python2-configparser BuildRequires: python2-systemd +BuildRequires: python2-ipaclient >= %{ipa_version} %if 0%{?with_python3} BuildRequires: python%{python3_pkgversion}-devel 
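Review bot: The comment kept above the new `%global ipa_version 4.4.4-2` still describes the old two-branch logic ("FreeIPA 4.4.5 and 4.4.4-2 on F26 are fixed"), but the macro is now a single value used both for `Conflicts: freeipa-server <` and for the `BuildRequires: ... ipaclient >=` lines, so a reader cannot tell whether 4.4.4-2 is meant to cover builds outside Fedora 26 too. Rewrite it to state the current assumption, e.g. `# custodia runs under Python 3 and needs the FreeIPA fix shipped as 4.4.4-2 on Fedora 26; older Fedora releases are no longer supported by this spec.` followed by `# ipa_version is used for Conflicts (<) and BuildRequires (>=).` If this spec is still expected to build where the fix ships only as 4.4.5, the removed branch should come back instead.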
@@ -59,27 +47,19 @@ BuildRequires: python%{python3_pkgversion}-setuptools > 18 BuildRequires: python%{python3_pkgversion}-coverage BuildRequires: python%{python3_pkgversion}-tox >= 2.3.1 BuildRequires: python%{python3_pkgversion}-pytest -%if %{?with_etcd} +BuildRequires: python%{python3_pkgversion}-mock BuildRequires: python%{python3_pkgversion}-python-etcd -%endif BuildRequires: python%{python3_pkgversion}-docutils BuildRequires: python%{python3_pkgversion}-systemd -%endif +BuildRequires: python%{python3_pkgversion}-ipaclient >= %{ipa_version} +%endif # with_python3 -%if 0%{?with_python3} Requires: python%{python3_pkgversion}-custodia = %{version}-%{release} -%else -Requires: python2-custodia = %{version}-%{release} -%endif - +Conflicts: freeipa-server < %{ipa_version} Requires(preun): systemd-units Requires(postun): systemd-units Requires(post): systemd-units -Conflicts: freeipa-server-common < %{ipa_conflict} -Conflicts: ipa-server-common < %{ipa_conflict} - - %global overview \ Custodia is a Secrets Service Provider, it stores or proxies access to \ keys, password, and secret material in general. Custodia is built to \ @@ -101,18 +81,17 @@ A service to manage, retrieve and store secrets for other processes Summary: Sub-package with python2 custodia modules %{?python_provide:%python_provide python2-%{name}} Requires: python2-configparser -Requires: python2-jwcrypto > 0.4.2 +Requires: python2-jwcrypto >= 0.4.2 Requires: python2-requests Requires: python2-setuptools Requires: python2-systemd -Conflicts: python2-ipalib < %{ipa_conflict} + %description -n python2-custodia Sub-package with python custodia modules %{overview} -%if %{?with_etcd} %package -n python2-custodia-extra Summary: Sub-package with python2 custodia extra modules Requires: python2-python-etcd 
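Review bot: `Requires: python%{python3_pkgversion}-custodia = %{version}-%{release}` is now unconditional, but that subpackage is only defined under `%if 0%{?with_python3}` (set only on Fedora in the first hunk), so a build with with_python3 unset produces a `custodia` package that cannot be installed — and the `%install` section in a later hunk still carries an `%else` branch that symlinks custodia-2 for exactly that case. Either keep the conditional or drop the python2-only install path so the two sections agree; the conditional is the smaller change. Separately, `Conflicts: freeipa-server < %{ipa_version}` replaces both `freeipa-server-common` and `ipa-server-common`, so the conflict no longer fires for the `ipa-server` naming used on EL-based distributions, if those are still a target.
```spec
%if 0%{?with_python3}
Requires: python%{python3_pkgversion}-custodia = %{version}-%{release}
%else
Requires: python2-custodia = %{version}-%{release}
%endif
Conflicts: freeipa-server < %{ipa_version}
```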
@@ -123,7 +102,17 @@ Sub-package with python2 custodia extra modules (etcdstore) %{overview} -%endif # with_etcd +%package -n python2-custodia-ipa +Summary: Sub-package with python2 custodia.ipa modules +%{?python_provide:%python_provide python2-custodia-ipa} +Requires: python2-setuptools +Requires: python2-custodia = %{version}-%{release} +Requires: python2-ipaclient >= %{ipa_version} + +%description -n python2-custodia-ipa +custodia.ipa is a storage plugin for Custodia. It provides integration +with FreeIPA's vault facility. Secrets are encrypted and stored in +Dogtag's Key Recovery Agent. %if 0%{?with_python3} %package -n python%{python3_pkgversion}-custodia @@ -133,14 +122,12 @@ Requires: python%{python3_pkgversion}-jwcrypto >= 0.4.2 Requires: python%{python3_pkgversion}-requests Requires: python%{python3_pkgversion}-setuptools Requires: python%{python3_pkgversion}-systemd -Conflicts: python%{python3_pkgversion}-ipalib < %{ipa_conflict} %description -n python%{python3_pkgversion}-custodia Sub-package with python custodia modules %{overview} -%if %{?with_etcd} %package -n python%{python3_pkgversion}-custodia-extra Summary: Sub-package with python3 custodia extra modules Requires: python%{python3_pkgversion}-python-etcd 
@@ -151,7 +138,20 @@ Sub-package with python3 custodia extra modules (etcdstore) %{overview} -%endif # with_etcd +%if 0%{?with_ipa_python3} +%package -n python%{python3_pkgversion}-custodia-ipa +Summary: Sub-package with python3 custodia.ipa modules +%{?python_provide:%python_provide python%{python3_pkgversion}-custodia-ipa} +Requires: python%{python3_pkgversion}-setuptools +Requires: python%{python3_pkgversion}-custodia = %{version}-%{release} +Requires: python%{python3_pkgversion}-ipaclient >= %{ipa_version} + +%description -n python%{python3_pkgversion}-custodia-ipa +custodia.ipa is a storage plugin for Custodia. It provides integration +with FreeIPA's vault facility. Secrets are encrypted and stored in +Dogtag's Key Recovery Agent. + +%endif # wit_ipa_python3 %endif # with_python3 @@ -169,7 +169,7 @@ Sub-package with python3 custodia extra modules (etcdstore) %check # don't download packages export PIP_INDEX_URL=http://host.invalid./ -# Don't try to download dnspython3. The package is provided by python%{python3_pkgversion}-dns +# Don't try to download dnspython3. The package is provided by python3-dns export PIP_NO_DEPS=yes # Ignore all install packages to enforce installation of sdist. Otherwise tox # may pick up this package from global site-packages instead of source dist. 
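Review bot: `%if 0%{?with_ipa_python3}` guards the new python3 custodia-ipa subpackage, but no hunk in this commit defines `with_ipa_python3`, so unless it is passed in via `--define` the block is always off and that is not visible to a reader of the spec; the closing `%endif` comment also has a typo (`# wit_ipa_python3`). Add an explicit knob next to `with_python3` at the top of the file, `%global with_ipa_python3 0` with a comment like `# python3 custodia.ipa is disabled: FreeIPA's Python 3 support is not yet stable (see docs/source/readme.rst)`, and fix the comment to `%endif # with_ipa_python3`. The same macro guards the `rm -rf` in `%install` and a `%files` block later in the patch, so one definition covers all three.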
@@ -191,12 +191,10 @@ mkdir -p %{buildroot}/%{_unitdir} mkdir -p %{buildroot}/%{_tmpfilesdir} mkdir -p %{buildroot}/%{_localstatedir}/lib/custodia mkdir -p %{buildroot}/%{_localstatedir}/log/custodia -mkdir -p %{buildroot}/%{_localstatedir}/run/custodia %py2_install -mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia -cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-2 -cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2 +mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia-2 +mv %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-2 install -m 644 -t "%{buildroot}/%{_mandir}/man7" man/custodia.7 install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia" README API.md install -m 644 -t "%{buildroot}/%{_defaultdocdir}/custodia/examples" custodia.conf 
@@ -204,14 +202,24 @@ install -m 600 %{SOURCE2} %{buildroot}%{_sysconfdir}/custodia install -m 644 %{SOURCE3} %{buildroot}%{_unitdir} install -m 644 %{SOURCE4} %{buildroot}%{_unitdir} install -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/custodia.conf +install -m 600 %{SOURCE6} %{buildroot}%{_sysconfdir}/custodia %if 0%{?with_python3} # overrides /usr/bin/custodia-cli and /usr/sbin/custodia with Python 3 shebang %py3_install -mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia -cp %{buildroot}/%{_sbindir}/custodia %{buildroot}/%{_sbindir}/custodia-3 -cp %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3 -%endif + +%if ! 0%{?with_ipa_python3} +rm -rf %{buildroot}%{python3_sitelib}/custodia/ipa +%endif # with_ipa_python3 + +mv %{buildroot}/%{_bindir}/custodia %{buildroot}/%{_sbindir}/custodia-3 +mv %{buildroot}/%{_bindir}/custodia-cli %{buildroot}/%{_bindir}/custodia-cli-3 +ln -sr %{buildroot}/%{_sbindir}/custodia-3 %{buildroot}/%{_sbindir}/custodia +ln -sr %{buildroot}/%{_bindir}/custodia-cli-3 %{buildroot}/%{_bindir}/custodia-cli +%else +ln -sr %{buildroot}/%{_sbindir}/custodia-2 %{buildroot}/%{_sbindir}/custodia +ln -sr %{buildroot}/%{_bindir}/custodia-cli-2 %{buildroot}/%{_bindir}/custodia-cli +%endif # with_python3 %pre @@ -225,6 +233,7 @@ exit 0 %post %systemd_post custodia@\*.socket %systemd_post custodia@\*.service +%tmpfiles_create custodia.conf %preun 
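Review bot: When `with_ipa_python3` is off, the new `rm -rf %{buildroot}%{python3_sitelib}/custodia/ipa` deletes the directory, yet the `%files -n python%{python3_pkgversion}-custodia` section in a later hunk unconditionally lists `%exclude %{python3_sitelib}/custodia/ipa`; verify that rpmbuild accepts an `%exclude` for a path that no longer exists, otherwise wrap that exclude in the same `%if 0%{?with_ipa_python3}`. Installing ipa.conf with `install -m 600 %{SOURCE6}` matches custodia.conf, which keeps both handler configs consistently unreadable to other local users. A short comment above the `rm -rf`, e.g. `# py3_install always installs custodia/ipa; drop it unless the python3 custodia-ipa subpackage is enabled`, would explain why install and packaging disagree.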
@@ -246,15 +255,16 @@ exit 0 %{_bindir}/custodia-cli %dir %attr(0700,custodia,custodia) %{_sysconfdir}/custodia %config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/custodia.conf +%config(noreplace) %attr(600,custodia,custodia) %{_sysconfdir}/custodia/ipa.conf %attr(644,root,root) %{_unitdir}/custodia@.socket %attr(644,root,root) %{_unitdir}/custodia@.service %dir %attr(0700,custodia,custodia) %{_localstatedir}/lib/custodia %dir %attr(0700,custodia,custodia) %{_localstatedir}/log/custodia -%dir %attr(0755,custodia,custodia) %{_localstatedir}/run/custodia %{_tmpfilesdir}/custodia.conf %files -n python2-custodia %license LICENSE +%exclude %{python2_sitelib}/custodia/ipa %exclude %{python2_sitelib}/custodia/store/etcdstore.py* %{python2_sitelib}/%{name} %{python2_sitelib}/%{name}-%{version}-py%{python2_version}.egg-info @@ -262,15 +272,18 @@ exit 0 %{_sbindir}/custodia-2 %{_bindir}/custodia-cli-2 -%if %{?with_etcd} %files -n python2-custodia-extra %license LICENSE %{python2_sitelib}/custodia/store/etcdstore.py* -%endif # with_etcd + +%files -n python2-custodia-ipa +%license LICENSE +%{python2_sitelib}/custodia/ipa %if 0%{?with_python3} %files -n python%{python3_pkgversion}-custodia %license LICENSE +%exclude %{python3_sitelib}/custodia/ipa %exclude %{python3_sitelib}/custodia/store/etcdstore.py %exclude %{python3_sitelib}/custodia/store/__pycache__/etcdstore.* %{python3_sitelib}/%{name} @@ -279,10 +292,15 @@ exit 0 %{_sbindir}/custodia-3 %{_bindir}/custodia-cli-3 -%if %{?with_etcd} %files -n python%{python3_pkgversion}-custodia-extra %license LICENSE %{python3_sitelib}/custodia/store/etcdstore.py %{python3_sitelib}/custodia/store/__pycache__/etcdstore.* -%endif # with_etcd + +%if 0%{?with_ipa_python3} +%files -n python2-custodia-ipa +%license LICENSE +%{python3_sitelib}/custodia/ipa +%endif # with_ipa_python3 + %endif # with_python3 diff --git a/docs/source/readme.rst b/docs/source/readme.rst index 2b65573..bd516b0 100644 
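Review bot: Inside `%if 0%{?with_ipa_python3}` the new section reads `%files -n python2-custodia-ipa` but lists `%{python3_sitelib}/custodia/ipa`, so when the knob is enabled the python3 plugin files are attributed to the python2 subpackage (which already has its own `%files` in the previous hunk) and `python%{python3_pkgversion}-custodia-ipa`, declared in the `%package` hunk, ends up with no `%files` at all. It should be `%files -n python%{python3_pkgversion}-custodia-ipa`. This is latent today because nothing in the patch defines `with_ipa_python3`, which is why the build does not catch it.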
--- a/docs/source/readme.rst +++ b/docs/source/readme.rst @@ -209,6 +209,21 @@ Create ``/etc/custodia/ipa.conf`` handler = Secrets store = cert +Create ``/etc/systemd/system/custodia@ipa.service.d/override.conf`` + +On Fedora 26 and newer, the Custodia service file defaults to Python 3. +Although FreeIPA 4.5 has support for Python 3, it's not stable yet. +Therefore it is necessary to run the ``custodia.ipa`` plugins with +Python 2.7. You can either use ``systemctl edit custodia@py2.service`` +to create an override or copy the file manually. Don't forget to run +``systemctl daemon-reload`` in the latter case. + +:: + + [Service] + ExecStart= + ExecStart=/usr/sbin/custodia-2 --instance=%i /etc/custodia/%i.conf + Run Custodia server ::