Debian packaging

Debian packaging…because you’re worth it

Why “Debian” packaging? Debian packaging:

● dpkg for package creation/installation● apt for package downloading and dependency handling● aptitude as a higher-level version of apt● arguably the best package management system in Linux

All Debian-derivative distros use this!

Ubuntu, Lubuntu, Kubuntu, Edubuntu, Xubuntu, Knoppix, Raspbian, Mint, LXLE, Elementary OS, Kali Linux, SteamOS, Tails, Gparted Live, Elive, Proxmox, Grml….

Come on and type-a-long!- Debian/Ubuntu box?- local env in VM/Vagrant?

in any case:apt-get install git fakeroot lintian tree

What does a Debian package look like?Let’s download one.

[name]_[version-distroversion]_[architecture].deb

What does a Debian package contain?Let’s check the contents

…

…

It’s a compressed group of files.And they are pre-cooked! (installation path, owner, permissions)

But that’s NOT everything in the package...

I wanna look closer!Let’s unpack it

I wanna look closer!Let’s unpack it

Control files:

● Package metadata● Maintainer’s scripts

I wanna look closer!Let’s unpack it

Data files:

● Actual content● We already know what this is (remember “dpkg -c” ? Two slides earlier?)

I wanna look closer!Let’s unpack it

Format version:

● Contains which version of the Debian package format this package is using(it only contains “2.0”)

● You’ll probably never see something else. No need to worry about this.

control.tar.gz

control.tar.gz The main metadata file. All info about the package is here.

Package: fail2banVersion: 0.9.1-1Architecture: allMaintainer: Ubuntu Developers <[email protected]>Original-Maintainer: Yaroslav Halchenko <[email protected]>Installed-Size: 1075Depends: python3, python3:any (>= 3.3.2-2~), init-system-helpers (>= 1.18~), lsb-base (>= 2.0-7)Recommends: iptables, whois, python3-pyinotifySuggests: mailx, system-log-daemon, python3-systemdSection: netPriority: optionalHomepage: http://www.fail2ban.orgDescription: ban hosts that cause multiple authentication errors Fail2ban monitors log files (e.g. /var/log/auth.log, /var/log/apache/access.log) and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Fail2ban allows easy specification of different actions to be taken such as to ban an IP using iptables or hostsdeny rules, or simply to send a notification email.

control.tar.gz md5 checksums. Automatically created.

56ce6f9298838bcc3a9f0ba3e67c2917 lib/systemd/system/fail2ban.service3a318374fa0cb6e07a292b7cdc97f50d usr/bin/fail2ban-client72d77e966ca17f474de6daef24f83760 usr/bin/fail2ban-regex0c2a078af6af4bc3fc4ad30e427bee3e usr/bin/fail2ban-server86c43074af44dccc268750fa7b6f8b05 usr/bin/fail2ban-testcases2b87fac05ca20d8c82b2dc8039b7e84d usr/lib/python3/dist-packages/fail2ban-0.9.1.egg-info063c94472e76bee8522af76c7bb83043 usr/lib/python3/dist-packages/fail2ban/__init__.py1462fa8f21229ca8ce838cad186607d8 usr/lib/python3/dist-packages/fail2ban/client/__init__.py43c78526e2c53e278c222bfa0203ebca usr/lib/python3/dist-packages/fail2ban/client/actionreader.py5d3747e822e520751afda04b331670d9 usr/lib/python3/dist-packages/fail2ban/client/beautifier.pyced2218bc0120e247db682e838c1ad57 usr/lib/python3/dist-packages/fail2ban/client/configparserinc.py0ad1ac6cc7d6ccbc7f8fb509d01d6e1e usr/lib/python3/dist-packages/fail2ban/client/configreader.pyb25882f7c058745aaba76c7336cd7dad usr/lib/python3/dist-packages/fail2ban/client/configurator.pyf0fd3691740ec8bc93a74d65e324c35c usr/lib/python3/dist-packages/fail2ban/client/csocket.py

control.tar.gz Maintainer scripts. Executed when installing or removing the package.

● preinst:- executed before installation starts - maybe clear prev installation leftovers?

● postinst:- executed as last step of installation- e.g. change ownership/perms, start service

● prerm:- first step in package removal - e.g. stop service

● postrm: - last step in package removal- e.g. remove logs

control.tar.gz List of configuration files.Usually anything that resides in /etc

Special rules for these files:If changed, DO NOT OVERWRITE during package upgrade.(nobody wants to lose custom configuration after upgrade)

.../etc/fail2ban/action.d/sendmail-common.conf/etc/fail2ban/action.d/xarf-login-attack.conf/etc/fail2ban/action.d/iptables.conf/etc/fail2ban/action.d/sendmail-whois-lines.conf/etc/fail2ban/action.d/sendmail-whois-ipjailmatches.conf/etc/fail2ban/action.d/sendmail-whois-ipmatches.conf/etc/fail2ban/action.d/ipfw.conf/etc/fail2ban/action.d/apf.conf/etc/fail2ban/action.d/badips.conf/etc/fail2ban/action.d/mail-buffered.conf/etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf/etc/fail2ban/action.d/iptables-multiport-log.conf/etc/fail2ban/action.d/sendmail-buffered.conf/etc/fail2ban/action.d/osx-afctl.conf/etc/fail2ban/action.d/dummy.conf...

data.tar.gz

data.tar.gz Files to be installed.Full path is included.Just ignore the . at the beginning of each file.

Also, permissions!

$ ls -lat etc/fail2ban/*.conf-rw-r--r-- 1 dtsomp dtsomp 2104 okt 28 2014 etc/fail2ban/fail2ban.conf-rw-r--r-- 1 dtsomp dtsomp 16866 okt 28 2014 etc/fail2ban/jail.conf

What about the owner?

“fakeroot” assigns root as owner during the creation of the package.Or, we don’t care at all and just fix it via postinst ;)

Enough theory.

Let’s build something.

1. git it!Clone the packaging tutorial repo

DEBIAN/ control filesDOC/ documentation (man page, licence, etc) ROOT/ the directory structure with the actual filestarget/ will contain the final package

Why not put DOC/* under ROOT, like Debian asks you to?- Too lazy to find and update files every time. Script copies them over for me.

2. Prepare installation filesCreate dir and place the file

Don’t forget the permissions!0755 for executables, 0644 for others

Is it a configuration file?Needs to be added in conffiles

3. Metadata and maintainer scriptsDo you need to update the package information?YES! At least change the name of the package!

Make sure the maintainer’s scripts are up-to-date.It’s mandatory to have postinst and prerm scripts, even if they don’t do anything

Optional steps:

You know what is cool? Changelogs!

Any changes in copyright or the manual page?

4. Build time?

Wait, wait, wait.What does this script do?

All the boring bits:- preflight checks- creates dir structure- copies doc, metadata and content (ROOT) to the correct places in the structure- fixes permissions- compresses files (yes, some need to be compressed)- creates the actual package

The actual build command (once everything is in place):

fakeroot makes root owner of all files in the package, no sudo needed:

5. Build it already!

Congratulations!It’s a package!

Or is it?

6. Basic conformity check

…

Zero? Woohoo! No Errors!Warnings are OK. But you need to fix Errors.Now install it!

Did everything went according to plan? :)

ConclusionsWe built a Debian package!

Is it a *proper* package? No.(unsigned, bad changelog format, etc)

Is it a *good enough* package?Hell yeah!

Reference checklist (copied from http://www.tldp.org)

Prerequisite files:1. one or more binary executable or shell script files2. a man page for each executable file3. a 'control' file4. a 'copyright' file5. a 'changelog' and 'changelog.Debian' file

Setup temporary 'debian' directories: 1. create 'debian/usr/bin' directory (or wherever you plan to place your executable files)2. create 'debian/usr/share/man/man1' (or whatever section your man page belongs into)3. create 'debian/DEBIAN' directory4. create 'debian/usr/share/doc/<package_name>'5. make sure all sub directories of 'debian' have file permission 0755

Copy files into temporary 'debian' tree: 1. copy executable file into 'debian/usr/bin' directory (or wherever you plan to place your executable files)2. copy man page file into 'debian/usr/share/man/man1' directory3. copy 'control' file into 'debian/DEBIAN' directory4. copy 'copyright', 'changelog', and 'changelog.Debian' files into 'debian/usr/share/doc/<package_name>'5. gzip man page, 'copyright', 'changelog', and 'changelog.Debian' files with option '--best' inside the temporary 'debian' tree

Build and check binary Debian package: 1. invoke 'dpkg-deb --build' using 'fakeroot' on the 'debian' directory2. rename resulting 'debian.deb' file to its final package name including version and architecture information3. check resulting .deb package file for Debian policy compliance using 'lintian'

Reference cheatsheet●●●●

●●

EOM