debian: run as a daemon, ask informed consent (#162)

* Set verbose mode, depend on adduser * Run as daemon * Generate manpage * Implement informed consent * Set version * Switch format to native * Set environment * Update packaging * Create test and release pipelines * Update debian/ooniprobe-cli.service Co-authored-by: Simone Basso <bassosimone@gmail.com> * Update debian/ooniprobe-cli.service Co-authored-by: Simone Basso <bassosimone@gmail.com> * Update debian/ooniprobe.conf.disabled Co-authored-by: Simone Basso <bassosimone@gmail.com> * fix(linux-debian-packages): build also on pull requests Otherwise there's no way for us to test :^). * fix(debian/control): ubuntu 20.04 has debhelper 12 See https://packages.ubuntu.com/focal/debhelper * fix(debian/control): debhelper-compat relations doesn't work the way I thought * Update debian/ooniprobe-cli.timer Co-authored-by: Simone Basso <bassosimone@gmail.com>
2020-12-15 12:05:13 +00:00 · 2020-12-15 12:05:13 +00:00 · 8df91ecb1b
commit 8df91ecb1b
parent 862e27efcd
15 changed files with 192 additions and 13 deletions
--- a/.github/workflows/linux-debian-packages-release.yml
+++ b/.github/workflows/linux-debian-packages-release.yml
@ -0,0 +1,37 @@
+# Build a Debian package only when a relase tag is applied
+# and publish it on the public/release archive
+name: linux-debian-packages
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  build:
+    runs-on: "ubuntu-20.04"
+    steps:
+      - uses: actions/setup-go@v1
+        with:
+          go-version: "1.14"
+      - uses: actions/checkout@v2
+      - run: ./build.sh linux
+      # - run: ./smoketest.sh ./CLI/linux/amd64/ooniprobe
+      - run: find . -name ooniprobe -type f -executable
+      - run: sudo apt-get update -q
+      - run: sudo apt-get build-dep -y --no-install-recommends .
+      # Use probe version as package version
+      - run: |
+          DVER=$(./CLI/linux/amd64/ooniprobe version)
+          dch -v $DVER "New release"
+          dpkg-buildpackage -us -uc -b
+          find ../ -name "*.deb" -type f
+          DEB="../ooniprobe-cli_${DVER}_amd64.deb"
+          BT_FNAME="ooniprobe-cli_${DVER}_amd64.deb"
+          curl --upload-file "${DEB}" -u "${BT_APIUSER}:${BT_APIKEY}" \
+            "https://api.bintray.com/content/${BT_ORG}/${BT_REPO}/${BT_PKGNAME}/${DVER}/${BT_FNAME};deb_distribution=${DEBDIST};deb_component=main;deb_architecture=amd64;publish=1"
+        env:
+          DEBDIST: unstable
+          BT_APIKEY: ${{ secrets.BT_APIKEY }}
+          BT_APIUSER: federicoceratto
+          BT_ORG: ooni
+          BT_PKGNAME: ooniprobe
+          BT_REPO: ooniprobe-debian
--- a/.github/workflows/linux-debian-packages.yml
+++ b/.github/workflows/linux-debian-packages.yml
@ -1,6 +1,7 @@
 # Build a Debian package and publish on a test/internal archive
 name: linux-debian-packages
 on:
+  pull_request:
  push:
    branches:
      - master
@ -13,9 +14,11 @@ jobs:
          go-version: "1.14"
      - uses: actions/checkout@v2
      - run: ./build.sh linux
+      # - run: ./smoketest.sh ./CLI/linux/amd64/ooniprobe
      - run: find . -name ooniprobe -type f -executable
      - run: sudo apt-get update -q
      - run: sudo apt-get build-dep -y --no-install-recommends .
+      # Use <probe version>~<github build number> as package version
      - run: |
          VER=$(./CLI/linux/amd64/ooniprobe version)
          DVER="${VER}~${GITHUB_RUN_NUMBER}"
@ -32,4 +35,4 @@ jobs:
          BT_APIUSER: federicoceratto
          BT_ORG: ooni
          BT_PKGNAME: ooniprobe
-          BT_REPO: ooniprobe-debian
+          BT_REPO: ooniprobe-debian-test
--- a/debian/TODO
+++ b/debian/TODO
@ -1,8 +1,4 @@
-
-pull python script
 create bintray repo
-detect tags
+detect tags in github CI
 /etc conf file
- timer
- sandbox
 shared unix group
--- a/debian/changelog
+++ b/debian/changelog
@ -1,5 +1,5 @@
-ooniprobe-cli (0.0.0) UNRELEASED; urgency=medium
+ooniprobe-cli (3.0.9) UNRELEASED; urgency=medium

  * Test release

- -- Federico Ceratto <federico@openobservatory.org>  Thu, 12 Nov 2020 16:26:14 +0000
+ -- Federico Ceratto <federico@openobservatory.org>  Fri, 04 Dec 2020 19:43:15 +0000
--- a/debian/compat
+++ b/debian/compat
@ -1 +0,0 @@
-11
--- a/debian/config
+++ b/debian/config
@ -0,0 +1,13 @@
+#! /bin/sh
+#
+# Load debconf module and ask informed consent
+#
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+db_input high ooniprobe-cli/ask-consent || true
+db_go
+
+exit 0
--- a/debian/control
+++ b/debian/control
@ -2,7 +2,10 @@ Source: ooniprobe-cli
 Maintainer: Federico Ceratto <federico@openobservatory.org>
 Section: devel
 Priority: optional
-Build-Depends: dpkg-dev, debhelper, devscripts
+Build-Depends:
+ debhelper-compat (= 12),
+ devscripts,
+ dpkg-dev,
 Standards-Version: 4.5.0
 Vcs-Browser: https://github.com/ooni/probe-cli
 Vcs-Git: https://github.com/ooni/probe-cli.git
@ -12,6 +15,9 @@ XS-Go-Import-Path: github.com/ooni/probe-cli

 Package: ooniprobe-cli
 Architecture: any
-Depends: ${misc:Depends}, ${shlibs:Depends}
+Pre-Depends: debconf (>= 1.0.0)
+Depends: ${misc:Depends}, ${shlibs:Depends},
+ adduser,
+ debconf
 Built-Using: ${misc:Built-Using}
 Description: OONI Probe CLI
--- a/debian/ooniprobe-cli.install
+++ b/debian/ooniprobe-cli.install
@ -1 +1,2 @@
 ./CLI/linux/amd64/ooniprobe usr/bin
+debian/ooniprobe.conf.disabled /etc/ooniprobe
--- a/debian/ooniprobe-cli.postinst
+++ b/debian/ooniprobe-cli.postinst
@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+if [ "$1" = "configure" ]; then
+    if ! getent passwd ooniprobe >/dev/null; then
+        adduser --quiet --system --group --home /var/lib/ooniprobe ooniprobe
+    fi
+fi
+
+# Extract the answer
+db_get ooniprobe-cli/ask-consent || true
+consent="$RET"
+CF=/etc/ooniprobe/ooniprobe.conf
+
+[ "$consent" = true ]  && [ -f ${CF}.disabled ] && mv ${CF}.disabled ${CF}
+[ "$consent" = false ] && [ -f ${CF} ]          && mv ${CF} ${CF}.disabled
+
+#DEBHELPER#
+
+exit 0
--- a/debian/ooniprobe-cli.service
+++ b/debian/ooniprobe-cli.service
@ -0,0 +1,51 @@
+[Unit]
+Description=OONI Probe CLI
+Documentation=man:ooniprobe-cli
+#Documentation=file:///usr/share/doc/ooniprobe-cli/html/index.html
+Documentation=https://ooni.org/
+After=network.target tor.target
+Wants=network-online.target
+ConditionPathExists=/etc/ooniprobe/ooniprobe.conf
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/ooniprobe --config=/etc/ooniprobe/ooniprobe.conf run unattended
+TimeoutStopSec=5
+KillMode=mixed
+
+Environment="OONI_HOME=/var/lib/ooniprobe"
+User=ooniprobe
+PermissionsStartOnly=true
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+WorkingDirectory=/var/lib/ooniprobe
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc
+ReadWriteDirectories=-/var/log/ooniprobe
+ReadWriteDirectories=-/var/lib/ooniprobe
+ReadWriteDirectories=-/var/run
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target
--- a/debian/ooniprobe-cli.templates
+++ b/debian/ooniprobe-cli.templates
@ -0,0 +1,17 @@
+Template: ooniprobe-cli/ask-consent
+Type: boolean
+Default: false
+Description: Do you consent to OONI Probe data collection?
+ OONI Probe collects evidence of internet censorship and measures
+ network performance.
+ .
+ WARNING:
+ .
+ - OONI Probe will likely test objectionable sites and services
+ .
+ - Anyone monitoring your internet activity (such as a government
+ or Internet provider) may be able to tell that you are using OONI Probe
+ .
+ - The network data you collect will be published automatically
+ .
+ To learn more, see https://ooni.org/about/risks/
--- a/debian/ooniprobe-cli.timer
+++ b/debian/ooniprobe-cli.timer
@ -0,0 +1,11 @@
+[Unit]
+Description=OONI Probe CLI
+Requires=ooniprobe-cli.service
+
+[Timer]
+Unit=ooniprobe-cli.service
+OnCalendar=daily
+RandomizedDelaySec=24h
+
+[Install]
+WantedBy=timers.target
--- a/debian/ooniprobe.conf.disabled
+++ b/debian/ooniprobe.conf.disabled
@ -0,0 +1,15 @@
+{
+  "_": "",
+  "_version": 1,
+  "_informed_consent": true,
+  "sharing": {
+    "upload_results": true
+  },
+  "nettests": {
+    "websites_url_limit": 0,
+    "websites_enabled_category_codes": null
+  },
+  "advanced": {
+    "send_crash_reports": true
+  }
+}
--- a/debian/rules
+++ b/debian/rules
@ -1,10 +1,17 @@
 #!/usr/bin/make -f

+export DH_VERBOSE=1
+
 %:
 	dh $@

+override_dh_auto_clean:
+	rm -f debian/ooniprobe.1
+	dh_auto_clean
+
 override_dh_auto_build:
-	true
+	# The ooniprobe binary is provided
+	./CLI/linux/amd64/ooniprobe --help-man > debian/ooniprobe.1

 override_dh_dwz:
 	true
--- a/debian/source/format
+++ b/debian/source/format
@ -1 +1 @@
-3.0 (quilt)
+3.0 (native)