Add conf-files statement to Cargo.toml to preserve configuration on upgrades for deb package; switch to SPDX license definition; add RPM build; add build.sh for local containerized builds; add support for glibc 2.17; add support for Ubuntu/RHEL update README; bump version to 1.1.0

xenago · xenago · commit e7f397164920 · 2024-05-30T23:18:40.000-04:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -10,8 +10,13 @@ jobs:
   build_release:
     name: build and release
     runs-on: ubuntu-20.04  # Build on Debian-based distro
+    container: quay.io/pypa/manylinux2014_x86_64  # Use a container with glibc 2.17
     steps:
-      - name: Checkout
+
+      - name: Show GLIBC  # Confirm glibc version
+        run: ldd --version
+
+      - name: Checkout  # Clone repository
         uses: actions/checkout@v2
         with:
           fetch-depth: 0
@@ -21,22 +26,37 @@ jobs:
           export VERSION=${{github.ref_name}}
           sed -i "s/0.0.0/$VERSION/g" Cargo.toml
 
-      - name: Cargo build
+      - name: Install stable toolchain  # Install Rust
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+
+      - name: Cargo build  # Release build
         run: |
           cargo build --release --verbose
           ls -lah target/release
 
-      - name: Cargo deb
+      - name: Cargo deb  # deb package
         run: |
           cargo install --version 1.44.1 cargo-deb
           cargo deb --verbose
           ls -lah target/debian
 
-      - name: Release
+      - name: Cargo rpm  # RPM package
+        run: |
+          cargo install --version 0.14.0 cargo-generate-rpm
+          strip -s target/release/libnss_shim.so
+          cargo generate-rpm --payload-compress none
+          ls -lah target/generate-rpm
+
+      - name: Release  # Publish GitHub release
         uses: softprops/action-gh-release@v1
-        if: startsWith(github.ref, 'refs/tags/')  # Presumably redundant due to the [0-9] filter, but kept for safety
+        if: startsWith(github.ref, 'refs/tags/')  # Presumably redundant due to the `on: push: tags:` filter, but kept for safety
         with:
-          body_path: ${{github.workspace}}/changelog/CHANGELOG.txt  # Get the release notes from the changelog file
-          fail_on_unmatched_files: true
+          body_path: ${{github.workspace}}/changelog/CHANGELOG.txt  # Add the release notes from the changelog file
+          fail_on_unmatched_files: true  # Ensure all packages built, to avoid publishing an incomplete release
           files: |
             target/debian/*.deb
+            target/generate-rpm/*.rpm
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -5,7 +5,7 @@ authors = ["Noah Kruiper"]
 edition = "2021"
 description = "NSS module shim to use custom sources for group/passwd/shadow lookups"
 readme = "README.md"
-license-file = "LICENSE"
+license = "GPL-3.0-or-later"
 repository = "https://github.com/xenago/libnss_shim"
 
 # Reduce size when building for release
@@ -16,11 +16,11 @@ codegen-units = 1  # use a single thread
 
 [dependencies]
 lazy_static = "1.4.0"
-libc = "0.2.152"
+libc = "0.2.155"
 libnss = "0.4"
-paste = "1.0.14"
-serde = { version = "1.0.195", features = ["derive"] }
-serde_json = "1.0.111"
+paste = "1.0.15"
+serde = { version = "1.0.203", features = ["derive"] }
+serde_json = "1.0.117"
 shlex = "1.3.0"
 
 [lib]
@@ -37,4 +37,15 @@ assets = [
     ["default_config/config.json", "etc/libnss_shim/config.json", "640"],
     ["README.md", "usr/share/doc/libnss_shim/README", "644"],
 ]
+conf-files = ["etc/libnss_shim/config.json"]
 maintainer-scripts = "debian"
+
+[package.metadata.generate-rpm]
+summary = "A plugin for the Name Service Switch (NSS) framework that parses the output of commands to resolve queries."
+assets = [
+    { source = "target/release/libnss_shim.so", dest = "/lib64/libnss_shim.so.2", mode = "644", config = false, doc = false, user = "root", group = "root" },
+    { source = "default_config/config.json", dest = "/etc/libnss_shim/config.json", mode = "640", config = true, doc = false, user = "root", group = "root" },
+    { source = "README.md", dest = "/usr/share/doc/libnss_shim/README", mode = "644", config = false, doc = true, user = "root", group = "root" },
+]
+post_install_script = "debian/postinst"
+post_uninstall_script = "debian/postrm"
diff --git a/LICENSE b/LICENSE
@@ -678,7 +678,7 @@ Public License instead of this License.  But first, please read
 The following notice applies to all files in the package, unless a different copyright notice is defined within:
 
 libnss_shim
-Copyright (c) 2023 Noah Kruiper
+Copyright (c) 2024 Noah Kruiper
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/README.md b/README.md
@@ -31,28 +31,45 @@ can print to `stdout` in a supported format to be used with NSS.
 
 ### Compatibility notes
 
-- Tested on Debian-based GNU/Linux distributions
+- Tested on:
+    - CentOS 7
+    - AlmaLinux 8
+    - AlmaLinux 9
+    - Debian 11
+    - Debian 12
+    - Ubuntu 20.04
+    - Ubuntu 22.04
+    - Ubuntu 24.04
 - Builds for `amd64` architecture
-- If `.deb` packages are not supported on the desired target platform, `libnss_shim` might be usable if the `assets` as
-  described in `Cargo.toml` are installed prior to running the `debian/postinst`  script, but this has not been tested
+- Packaged in `.deb` and `.rpm` formats
+- If available packages do not work on a target platform, `libnss_shim` might be usable if the `assets` are installed
+  as described in `Cargo.toml` prior to running the `debian/postinst` script, but this has not been tested extensively.
 - To request support for a different configuration, please create a GitHub Issue
 
 ### Installation steps
 
 1. Prepare the commands/software that will be triggered by `libnss_shim` (see the Commands section for details).
 
-2. Download the latest release produced by GitHub Actions:
+2. Download the latest release produced by GitHub Actions.
+
+   **deb:**
+    ```
+    wget https://github.com/xenago/libnss_shim/releases/download/1.1.0/libnss_shim_1.1.0_amd64.deb
     ```
-    wget https://github.com/xenago/libnss_shim/releases/download/1.0.5/libnss_shim_1.0.5_amd64.deb
+   **RPM:**
     ```
+    wget https://github.com/xenago/libnss_shim/releases/download/1.1.0/libnss_shim-1.1.0-1.x86_64.rpm
+    ```
+
+3. Install it directly `dpkg` or `rpm`.
 
-3. Install it directly with `dpkg` or through `apt`:
+   **deb:**
     ```
-    sudo dpkg -i libnss_shim_1.0.5_amd64.deb
+    sudo dpkg -i libnss_shim_1.1.0_amd64.deb
     ```
-   or
+   **RPM:**
     ```
-    sudo apt install ./libnss_shim_1.0.5_amd64.deb
+    sudo rpm -i ./libnss_shim-1.1.0-1.x86_64.rpm
     ```
 
 4. Configure the shim by importing a custom `config.json`:
@@ -328,11 +345,34 @@ testing purposes. Environment variables are generally private, whereas commands/
 Commands are not passed through a shell for execution. Although it is possible to run software like `bash`
 with `libnss_shim`, using a shell is not recommended as this comes with additional risks such as command injection.
 
+## Development
+
+When building locally, using [`act`](https://github.com/nektos/act) can be helpful to run `.github/ci.yaml` directly.
+Depending on your configuration, some tweaks may be required to enable it to build successfully.
+
+I generally find it easiest to run `build.sh` inside a temporary container:
+
+1. Ensure `Docker` is installed and available
+2. Ensure `libnss_shim` is cloned:
+
+       git clone https://github.com/xenago/libnss_shim.git
+
+3. Run the build script inside a temporary container, setting `LIBNSS_SHIM_VERSION` and the cloned repo path as desired:
+
+       sudo docker run -e "LIBNSS_SHIM_VERSION=0.0.0" -v /path/to/cloned/libnss_shim:/libnss_shim --rm quay.io/pypa/manylinux2014_x86_64:latest bash /libnss_shim/build.sh
+
+4. The build script will output packages in the following subdirectories of the cloned repo:
+
+   * `target/debian/*.deb` 
+   * `target/generate-rpm/*.rpm`
+
 ## Useful resources
 
-- NSS Modules Interface
+- *Building Rust binaries in CI that work with older GLIBC*
+  - Jakub Beránek, AKA Kobzol's [blog](https://kobzol.github.io/rust/ci/2021/05/07/building-rust-binaries-in-ci-that-work-with-older-glibc.html)
+- *NSS Modules Interface*
     - The GNU C [library](https://www.gnu.org/software/libc/manual/html_node/NSS-Modules-Interface.html)
-- Actions in the NSS configuration
+- *Actions in the NSS configuration*
     - The GNU C [library](https://www.gnu.org/software/libc/manual/html_node/Actions-in-the-NSS-configuration.html)
 - Rust bindings for `libnss`
     - The `libnss` [crate](https://crates.io/crates/libnss)
@@ -342,11 +382,11 @@ with `libnss_shim`, using a shell is not recommended as this comes with addition
     - The `nss-wiregarden` [crate](https://crates.io/crates/libnss-wiregarden)
 - Example of parsing `passwd` and `group` formats with Rust
     - The `parsswd` [crate](https://crates.io/crates/parsswd)
-- Testing NSS modules in glibc
+- *Testing NSS modules in glibc*
     - Geoffrey Thomas's [blog](https://ldpreload.com/blog/testing-glibc-nsswitch)
-- NSS - Debathena (useful description of NSS and how it fits into their architecture)
+- *NSS - Debathena* (useful description of NSS and how it fits into their architecture)
     - MIT Debathena [wiki](https://debathena.mit.edu/trac/wiki/NSS)
-- Debathena hacks (links to more NSS-related code for their project)
+- *Debathena hacks* (links to more NSS-related code for their project)
     - MIT Debathena [website](https://debathena.mit.edu/hacks)
 - Debathena NSS module source example
     - MIT Debathena [repository](https://debathena.mit.edu/packages/debathena/libnss-afspag/libnss-afspag-1.0/)
diff --git a/build.sh b/build.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+cd /libnss_shim
+
+echo "BUILD: Setting version to $LIBNSS_SHIM_VERSION"
+sed -i "s/0.0.0/$LIBNSS_SHIM_VERSION/g" Cargo.toml
+
+echo "BUILD: Installing Rust"
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+. "$HOME/.cargo/env"
+
+echo "BUILD: Building for release"
+cargo build --release --verbose
+echo "BUILD: built for release"
+ls -lah target/release
+
+echo "BUILD: Packaging deb"
+cargo install --version 1.44.1 cargo-deb
+cargo deb --verbose
+echo "BUILD: deb packaged"
+ls -lah target/debian
+
+echo "BUILD: Packaging RPM"
+cargo install --version 0.14.0 cargo-generate-rpm
+strip -s target/release/libnss_shim.so
+cargo generate-rpm --payload-compress none
+echo "BUILD: RPM packaged"
+ls -lah target/generate-rpm
diff --git a/changelog/CHANGELOG.txt b/changelog/CHANGELOG.txt
@@ -1 +1,15 @@
-
+- Support EL distros with RPM package
+- Define `conf-files` for deb package to preserve `config.json` on upgrades
+- Switch build container to `quay.io/pypa/manylinux2014_x86_64` to support `glibc` version `2.17`
+- Test `glibc 2.17` RPM build on CentOS 7, AlmaLinux 8, and AlmaLinux 9
+- Test `glibc 2.17` deb build on Debian 10, 11, and 12
+- Test `glibc 2.17` deb build on Ubuntu 20.04, 22.04, and 24.04
+- Define `conf-files` for deb package to preserve `config.json` on deb package upgrades
+- Bump `libc` to `0.2.155`
+- Bump `paste` to `1.0.15`
+- Bump `serde` to `1.0.203`
+- Bump `serde_json` to `1.0.117`
+- Add local build script `build.sh`
+- Add local build instructions to README.md
+- Use SPDX format for license
+- Update copyright year
