Restructure RPM for subpackages (#1025)

Restructure the RPM build into separate CLI and GUI installations

This does a few things:
- builds separate GUI and CLI RPMs
- separates the runtime dependency graph, greatly reducing the footprint
for the CLI
- updates the container builds to use mock
- adds workflow for Fedora 42, because it's that time of the year

The tdb tool is distributed as the initial CLI binary. It may be further
refactored in function, name, and possibly location.

Tested in Koji on Rawhide and EPEL 9.

Closes #1024

Author: jw3

.github/rpm-matrix.json

@@ -1,11 +1,20 @@
 {
   "props": [
+    {
+      "platform": "fedora",
+      "dist": "fc42",
+      "spec": "fapolicy-analyzer.spec",
+      "image": "registry.fedoraproject.org/fedora:42",
+      "chroot": "fedora-rawhide-x86_64",
+      "version": "42",
+      "prerelease": true
+    },
     {
       "platform": "fedora",
       "dist": "fc41",
       "spec": "fapolicy-analyzer.spec",
       "image": "registry.fedoraproject.org/fedora:41",
-      "chroot": "fedora-rawhide-x86_64",
+      "chroot": "fedora-41-x86_64",
       "version": "41",
       "prerelease": true
     },

.github/workflows/rpm.yml

@@ -109,8 +109,6 @@ jobs:
 
       - name: Adjust spec
         run: |
-          # disable dev-tools crate
-          sed -i '/tools/d' Cargo.toml
           # generate build deps with cargo2rpm
           cargo2rpm -p Cargo.toml buildrequires | while read line; do
             grep -n "BuildRequires:" fapolicy-analyzer.spec | head -n1 | cut -d: -f1 | xargs -I{} sed -i "{}iBuildRequires: $line" fapolicy-analyzer.spec

.github/workflows/tools.yml

@@ -44,7 +44,6 @@ jobs:
         run: |
           mkdir /tmp/tools
           mv target/release/tdb /tmp/tools/tdb
-          mv target/release/rulec /tmp/tools/rulec
           mv target/release/faprofiler /tmp/tools/faprofiler
 
       - name: Archive Tools

Cargo.lock

@@ -1,25 +1,40 @@
-ARG image=registry.fedoraproject.org/fedora:39
-FROM $image AS build-stage
+ARG image=registry.fedoraproject.org/fedora:latest
+FROM $image AS fedorabuild
+ARG version
+ARG spec=fapolicy-analyzer.spec
 
-RUN dnf install -y rpm-build rpmdevtools dnf-plugins-core python3-pip nano
+# rpmbuild tools could be installed in the el stage
+# but caching them here ends up saving time on rebuilds
+RUN dnf install -y mock rpm-build rpmdevtools
 
 RUN useradd -u 10001 -g 0 -d /home/default default
 
 USER 10001
 RUN mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
 WORKDIR /tmp/rpmbuild
 
-COPY --chown=10001:0 fapolicy-analyzer.spec SPECS/
+COPY --chown=10001:0 $spec SPECS/fapolicy-analyzer.spec
 
 USER root
 RUN dnf -y builddep SPECS/fapolicy-analyzer.spec
 
 USER 10001
 
-COPY --chown=10001:0 fapolicy-analyzer.tar.gz SOURCES/
-COPY --chown=10001:0 vendor-docs.tar.gz       SOURCES/
-COPY --chown=10001:0 scripts/srpm/build.sh    ./build.sh
+COPY --chown=10001:0 fapolicy-analyzer-$version.tar.gz SOURCES/
+COPY --chown=10001:0 vendor-docs-$version.tar.gz       SOURCES/
+COPY --chown=10001:0 scripts/srpm/build.sh             .
 
-RUN spectool -g -C /tmp/rpmbuild/SOURCES/ SPECS/fapolicy-analyzer.spec
+USER root
 
 ENTRYPOINT ["/tmp/rpmbuild/build.sh"]
+
+FROM fedorabuild as elbuild
+ARG version
+
+USER 10001
+
+RUN spectool --list-files SPECS/fapolicy-analyzer.spec | grep pythonhosted | cut -d' ' -f2 | xargs -I{} curl -sLO --output-dir SOURCES {}
+
+COPY --chown=10001:0 vendor-rs-$version.tar.gz         SOURCES/
+
+USER root

Containerfile

@@ -23,6 +23,8 @@ GRN=\033[0;32m
 RED=\033[0;31m
 NC=\033[0m # No Color
 
+VERSION ?= $(shell sed -n 's/^Version: *//p' fapolicy-analyzer.spec)
+
 # List the common developer targets
 list:
 	@echo
@@ -139,17 +141,17 @@ build-info:
 
 # Generate Fedora rawhide rpms
 fc-rpm:
-	@echo -e "${GRN}--- Fedora RPM generation...${NC}"
-	make -f .copr/Makefile vendor OS_ID=fedora
-	podman build -t fapolicy-analyzer:39 -f Containerfile .
-	podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:39 /v
+	@echo -e "${GRN}--- Fedora RPM generation v${VERSION}...${NC}"
+	make -f .copr/Makefile vendor OS_ID=fedora VERSION=${VERSION}
+	podman build -t fapolicy-analyzer:build --target fedorabuild --build-arg version=${VERSION} -f Containerfile .
+	podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build fedora-39-x86_64 /v
 
 # Generate RHEL 9 rpms
 el9-rpm:
-	@echo -e "${GRN}--- el9 RPM generation...${NC}"
-	make -f .copr/Makefile vendor OS_ID=rhel DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec
-	podman build -t fapolicy-analyzer:el9 -f scripts/srpm/Containerfile.el9 .
-	podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:el9 /v
+	@echo -e "${GRN}--- el9 RPM generation v${VERSION}...${NC}"
+	make -f .copr/Makefile vendor vendor-rs OS_ID=rhel VERSION=${VERSION} DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec
+	podman build -t fapolicy-analyzer:build --target elbuild --build-arg version=${VERSION} --build-arg spec=scripts/srpm/fapolicy-analyzer.el9.spec -f Containerfile .
+	podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build rocky+epel-9-x86_64 /v
 
 # Update embedded help documentation
 help-docs:

Makefile

@@ -9,10 +9,6 @@ edition = "2021"
 name = "tdb"
 path = "src/trust_db_util.rs"
 
-[[bin]]
-name = "rulec"
-path = "src/rule_check.rs"
-
 [[bin]]
 name = "faprofiler"
 path = "src/fapolicy_profiler.rs"
@@ -23,7 +19,6 @@ lmdb = "0.8"
 nom = "7.1"
 rayon = "1.5"
 thiserror = "1.0"
-ariadne = "0.1"
 log = "0.4"
 
 fapolicy-analyzer = { path = "../analyzer" }

crates/tools/Cargo.toml

@@ -1,4 +1,6 @@
 %bcond_without check
+%bcond_without cli
+%bcond_without gui
 
 Summary:       File Access Policy Analyzer
 Name:          fapolicy-analyzer
@@ -41,6 +43,22 @@ BuildRequires: audit-libs-devel
 BuildRequires: cargo-rpm-macros
 BuildRequires: python3dist(setuptools-rust)
 
+Requires:      %{name}-cli
+Requires:      %{name}-gui
+
+%description
+Tools to assist with the configuration and management of fapolicyd.
+
+
+%package cli
+Summary:       File Access Policy Analyzer CLI
+
+%description cli
+CLI Tools to assist with the configuration and management of fapolicyd.
+
+%package gui
+Summary:       File Access Policy Analyzer GUI
+
 Requires:      python3
 Requires:      python3-gobject
 Requires:      python3-events
@@ -67,15 +85,22 @@ Requires:      webkit2gtk4.1
 %global module_version  %{lua: v = string.gsub(rpm.expand("%{?version}"), "~dev", ".dev"); \
                                v = string.gsub(v, "~rc",  "rc"); print(v) }
 
-%description
-Tools to assist with the configuration and management of fapolicyd.
+%description gui
+GUI Tools to assist with the configuration and management of fapolicyd.
 
 %prep
 %autosetup -n %{name}
 %cargo_prep
 
-# disable dev-tools crate
+%if %{without cli}
+# disable tools crate
 sed -i '/tools/d' Cargo.toml
+%endif
+
+%if %{without gui}
+# disable pyo3 crate
+sed -i '/pyo3/d' Cargo.toml
+%endif
 
 # extract our doc sourcs
 tar xvzf %{SOURCE1}
@@ -96,6 +121,12 @@ echo "audit" > FEATURES
 %cargo_generate_buildrequires -a
 
 %build
+
+%if %{with cli}
+cargo build --bin tdb --release
+%endif
+
+%if %{with gui}
 # ensure standard Rust compiler flags are set
 export RUSTFLAGS="%{build_rustflags}"
 
@@ -105,8 +136,15 @@ export RUSTFLAGS="%{build_rustflags}"
 
 %{cargo_license_summary}
 %{cargo_license} > LICENSE.dependencies
+%endif
 
 %install
+
+%if %{with cli}
+install -D target/release/tdb %{buildroot}/%{_sbindir}/%{name}-trust
+%endif
+
+%if %{with gui}
 %{py3_install_wheel %{module}-%{module_version}*%{_target_cpu}.whl}
 %{python3} help install --dest %{buildroot}/%{_datadir}/help
 install -D bin/%{name} %{buildroot}/%{_sbindir}/%{name}
@@ -115,14 +153,17 @@ install -D data/config.toml -t %{buildroot}%{_sysconfdir}/%{name}/
 desktop-file-install data/%{name}.desktop
 find locale -name %{name}.mo -exec cp --parents -rv {} %{buildroot}/%{_datadir} \;
 %find_lang %{name} --with-gnome
+%endif
 
 %check
+%if %{with gui}
 desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop
+%endif
 
-%files -n %{name} -f %{name}.lang
-%doc scripts/srpm/README
-%license LICENSE
-%license LICENSE.dependencies
+%files cli
+%attr(755,root,root) %{_sbindir}/%{name}-trust
+
+%files gui
 %{python3_sitearch}/%{module}
 %{python3_sitearch}/%{module}-%{module_version}*
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -131,6 +172,11 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/%{name}/config.toml
 %ghost %attr(640,root,root) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}/%{name}.log
 
+%files -f %{name}.lang
+%doc scripts/srpm/README
+%license LICENSE
+%license LICENSE.dependencies
+
 %changelog
 * Sun Jul 28 2024 John Wass <[email protected]> 1.4.0-1
 - New release

fapolicy-analyzer.spec

@@ -0,0 +1 @@
+Subpackaged RPM build to support separate CLI and GUI installations.

news/1025.packaging.md

@@ -18,18 +18,13 @@
 spec_file="fapolicy-analyzer.spec"
 rpmbuild_dir=/tmp/rpmbuild
 
-if [[ "$ONLINE" -eq 1 ]]; then
-  cd ${rpmbuild_dir}/SOURCES
-  spectool -g "../SPECS/$spec_file"
-  cd ${rpmbuild_dir}/SPECS
-  dnf builddep "$spec_file" -y
-fi
-
-cd ${rpmbuild_dir}/SPECS
-rpmbuild -ba "$spec_file" -D "_topdir ${rpmbuild_dir}"
+echo "[build.sh] mock $1"
+mock -r "$1" --init
+mock -r "$1" --resultdir ${rpmbuild_dir} --buildsrpm --sources ${rpmbuild_dir}/SOURCES/ --spec ${rpmbuild_dir}/SPECS/${spec_file}
+mock -r "$1" --resultdir ${rpmbuild_dir} --rebuild ${rpmbuild_dir}/*.src.rpm
 
-if [[ ! -z "$1" ]]; then
-  echo "[build.sh] exporting *rpms to ${1}"
-  cp -v ${rpmbuild_dir}/RPMS/**/*.rpm ${1}
-  cp -v ${rpmbuild_dir}/SRPMS/*.rpm   ${1}
+if [[ -n "$2" ]]; then
+  echo "[build.sh] exporting rpms to ${2}"
+  cp -v ${rpmbuild_dir}/*.rpm ${2}
+  cp -v ${rpmbuild_dir}/*.rpm ${2}
 fi