debian: converge packaging between authentic2 and -multitenant packages (#42305)

* remove db-config usage
* renanme authentic2-ctl to authentic2-manage
* add systemd service file for authentic2 standalone package
* add a force-reload synonym for restart (to comply with lintian)
* remove creation of /var/run/$NAME in .postinst and .dirs
* usr %p template variable to name RuntimeDirectory in systemd service
file
* add a /var/lib/authentic2/locale directory to authentic2.dirs
* use a WORKERS variable set to 4 in authentic2.init
* remove -R flag to chown when setting user rights on
/var/lib/authentic2 (to comply with lintian)
* add handling of configuration files in /etc/authentic2/settings.d/
* use pybuild instead of python_distutils in rules
* fix check on DEFAULT_FROM_EMAIL
* rename user from authentic to authentic2

debian/authentic2-ctl

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-export AUTHENTIC2_SETTINGS_FILE=/usr/share/authentic2/debian_config.py
-
-if [ "$(whoami)" != "authentic" ]; then
-    if which sudo >/dev/null; then
-      if sudo -v -u authentic; then
-        sudo -u authentic authentic2-ctl "$@"
-        exit $?
-      fi
-      echo "You must run this script with authentic user"
-      exit 1
-    fi
-fi
-
-if [ -f /etc/default/authentic2 ]; then
-    . /etc/default/authentic2
-fi
-
-if [ -f /etc/authentic2/db.conf ]; then
-    . /etc/authentic2/db.conf
-fi
-if [ -f /etc/authentic2/authentic.conf ]; then
-    . /etc/authentic2/authentic.conf
-fi
-
-/usr/lib/authentic2/manage.py "$@"

debian/authentic2-manage

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+NAME="authentic2"
+MANAGE="/usr/lib/authentic2/manage.py"
+USER=authentic2
+
+export AUTHENTIC2_SETTINGS_FILE=/usr/lib/authentic2/debian_config.py
+
+if [ "$(whoami)" != "$USER" ]; then
+    if which sudo >/dev/null; then
+      if sudo -v -u "$USER"; then
+        sudo -u "$USER" authentic2-manage "$@"
+        exit $?
+      fi
+      echo "You must run this script with $USER user"
+      exit 1
+    fi
+fi
+
+if [ -f /etc/default/authentic2 ]; then
+    . /etc/default/authentic2
+fi
+
+if [ -f /etc/authentic2/db.conf ]; then
+    . /etc/authentic2/db.conf
+fi
+if [ -f /etc/authentic2/authentic.conf ]; then
+    . /etc/authentic2/authentic.conf
+fi
+
+python ${MANAGE} "$@"

debian/authentic2-multitenant.dirs

@@ -6,5 +6,4 @@ var/lib/authentic2-multitenant/static
 var/lib/authentic2-multitenant/collectstatic
 var/lib/authentic2-multitenant/locale
 var/lib/authentic2-multitenant/templates
-var/run/authentic2-multitenant
 var/log/authentic2-multitenant

debian/authentic2-multitenant.init

@@ -163,7 +163,7 @@ case "$1" in
 	do_migrate && do_collectstatic
 	log_end_msg $?
 	;;
-  restart)
+  restart|force-reload)
 	#
 	# If the "reload" option is implemented then remove the
 	# 'force-reload' alias

debian/authentic2-multitenant.postinst

@@ -36,7 +36,6 @@ case "$1" in
         fi
         chown $AUTHENTIC_USER:$AUTHENTIC_GROUP $AUTHENTIC_HOME/tenants \
             /var/lib/$NAME/collectstatic \
-            /var/run/$NAME \
             /var/log/$NAME
         /etc/init.d/$NAME update
         ;;

debian/authentic2-multitenant.service

@@ -21,7 +21,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStartSec=0
 PrivateTmp=true
 Restart=on-failure
-RuntimeDirectory=authentic2-multitenant
+RuntimeDirectory=%p
 
 [Install]
 WantedBy=multi-user.target

debian/authentic2.config

@@ -1,14 +0,0 @@
-#!/bin/sh
-# config maintainer script for foo-pgsql
-
-set -e
-
-# source debconf stuff
-. /usr/share/debconf/confmodule
-# source dbconfig-common shell library, and call the hook function
-if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then
-    . /usr/share/dbconfig-common/dpkg/config.pgsql 
-    dbc_go authentic2 $@
-fi
-
-#DEBHELPER#

debian/authentic2.cron.d

@@ -1,7 +1,7 @@
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
 
-0 * * * * authentic authentic2-ctl clearsessions
-5 * * * * authentic authentic2-ctl cleanupauthentic
-10 * * * * authentic authentic2-ctl sync-ldap-users
+0 * * * * authentic2 authentic2-manage clearsessions
+5 * * * * authentic2 authentic2-manage cleanupauthentic
+10 * * * * authentic2 authentic2-manage sync-ldap-users
 

debian/authentic2.dirs

@@ -1,8 +1,9 @@
 etc/authentic2
-usr/share/dbconfig-common/scripts/authentic2/install
+etc/authentic2/settings.d
+usr/lib/authentic2
 var/lib/authentic2/media
 var/lib/authentic2/static
 var/lib/authentic2/collectstatic
+var/lib/authentic2/locale
 var/lib/authentic2/templates
-var/run/authentic2
 var/log/authentic2

debian/authentic2.init

@@ -22,12 +22,14 @@ CACHE_DIR=/var/cache/$NAME
 LOG_DIR=/var/log/$NAME
 PIDFILE=$PID_DIR/$NAME.pid
 SCRIPTNAME=/etc/init.d/$NAME
-MANAGE_SCRIPT=/usr/bin/$NAME-ctl
 BIND=unix:$PID_DIR/$NAME.sock
-AUTHENTIC2_SETTINGS_FILE=/usr/share/$NAME/debian_config.py
+WORKERS=4
 
-USER=authentic
-GROUP=authentic
+export AUTHENTIC2_SETTINGS_FILE=/usr/share/$NAME/debian_config.py
+MANAGE_SCRIPT=/usr/bin/$NAME-manage
+
+USER=authentic2
+GROUP=authentic2
 
 # Exit if the package is not installed
 [ -x $DAEMON ] || exit 0
@@ -41,19 +43,11 @@ DAEMON_ARGS="--pid $PIDFILE \
 --access-logfile $LOG_DIR/gunicorn-access.log \
 --log-file $LOG_DIR/gunicorn-error.log \
 --bind=$BIND \
---workers=10 \
+--workers=$WORKERS \
 --worker-class=sync \
 --timeout=60 \
 authentic2.wsgi:application"
 
-# Load config
-if [ -f /etc/authentic2/db.conf ]; then
-	. /etc/authentic2/db.conf
-fi
-if [ -f /etc/authentic2/authentic.conf ]; then
-	. /etc/authentic2/authentic.conf
-fi
-
 # Load the VERBOSE setting and other rcS variables
 . /lib/init/vars.sh
 
@@ -71,6 +65,21 @@ if [ ! -d $CACHE_DIR ]; then
     install -d -m 755 -o $USER -g $GROUP $CACHE_DIR
 fi
 
+# Load old authentic configuration
+if [ -f /etc/authentic2/db.conf ]; then
+	. /etc/authentic2/db.conf
+fi
+if [ -f /etc/authentic2/authentic.conf ]; then
+	. /etc/authentic2/authentic.conf
+fi
+
+# Function collecting static files
+do_collectstatic() {
+    log_action_msg "Collect static files.."
+    su $USER -s /bin/sh -p -c "$MANAGE_SCRIPT collectstatic -l --noinput"
+    log_action_msg ".. done"
+}
+
 #
 # Function that starts the daemon/service
 #
@@ -129,22 +138,10 @@ do_reload() {
 
 do_migrate() {
     log_action_msg "Applying new migrations .."
-    VERSION=`dpkg-query --show --showformat '${Version}' python-django`
-    if dpkg --compare-versions $VERSION lt 1.7; then
-      su $USER -p -c "$MANAGE_SCRIPT syncdb --migrate --noinput"
-    else
-      su $USER -p -c "$MANAGE_SCRIPT migrate --noinput"
-    fi
+    su $USER -p -c "$MANAGE_SCRIPT migrate --noinput"
     log_action_msg ".. done"
 }
 
-do_collectstatic() {
-    log_action_msg "Collecting static files .."
-    su $USER -p -c "$MANAGE_SCRIPT collectstatic -l --noinput"
-    log_action_msg ".. done"
-}
-
-
 case "$1" in
   start)
     log_daemon_msg "Starting $DESC " "$NAME"
@@ -177,7 +174,7 @@ case "$1" in
 	do_migrate && do_collectstatic
 	log_end_msg $?
 	;;
-  restart)
+  restart|force-reload)
 	log_daemon_msg "Restarting $DESC" "$NAME"
 	do_stop
 	case "$?" in

debian/authentic2.install

@@ -1,5 +1,4 @@
 debian/conf/authentic.conf            /etc/authentic2
-debian/conf/nginx-example.conf        /etc/authentic2
-debian/sql/db.conf                    /usr/share/authentic2/templates
-debian/authentic2-ctl                 /usr/bin
-debian/debian_config.py               /usr/share/authentic2
+debian/authentic2-manage              /usr/bin
+debian/conf/nginx-example.conf        /usr/share/authentic2
+debian/debian_config.py               /usr/lib/authentic2

debian/authentic2.postinst

@@ -6,8 +6,10 @@
 set -e
 
 NAME=authentic2
-AUTHENTIC_USER=authentic
-AUTHENTIC_GROUP=authentic
+OLD_AUTHENTIC_USER=authentic
+OLD_AUTHENTIC_GROUP=authentic
+AUTHENTIC_USER=authentic2
+AUTHENTIC_GROUP=authentic2
 AUTHENTIC_HOME=/var/lib/authentic2
 AUTHENTIC_SECRET_KEY="$AUTHENTIC_HOME/secret_key"
 
@@ -17,17 +19,30 @@ AUTHENTIC_SECRET_KEY="$AUTHENTIC_HOME/secret_key"
 case "$1" in
     configure)
         if ! getent group $AUTHENTIC_GROUP > /dev/null 2>&1; then
-            echo -n "Adding group $AUTHENTIC_GROUP.." >&2
-            addgroup --quiet --system $AUTHENTIC_GROUP
-            echo "..done" >&2
+            if getent group $OLD_AUTHENTIC_GROUP >/dev/null 2>&1; then
+                echo -n "Renaming group $OLD_AUTHENTIC_GROUP to $AUTHENTIC_GROUP.." >&2
+                groupmod -n $AUTHENTIC_GROUP $OLD_AUTHENTIC_GROUP
+                echo "..done" >&2
+            else
+                echo -n "Adding group $AUTHENTIC_GROUP.." >&2
+                addgroup --quiet --system $AUTHENTIC_GROUP
+                echo "..done" >&2
+            fi
         fi
         if ! getent passwd $AUTHENTIC_USER > /dev/null 2>&1; then
-            echo -n "Adding user $AUTHENTIC_USER.." >&2
-            adduser --quiet --system --gecos "Authentic2 daemon" \
-                    --ingroup $AUTHENTIC_GROUP \
-                    --no-create-home --home $AUTHENTIC_HOME \
-                    $AUTHENTIC_USER
-            echo "..done" >&2
+            if getent passwd $OLD_AUTHENTIC_USER >/dev/null 2>&1; then
+                echo -n "Renaming user $OLD_AUTHENTIC_USER to $AUTHENTIC_USER.." >&2
+                usermod -l $AUTHENTIC_USER $OLD_AUTHENTIC_USER
+                echo "..done" >&2
+            else
+                echo -n "Adding user $AUTHENTIC_USER.." >&2
+                adduser --quiet --system --gecos "Authentic2 daemon" \
+                        --ingroup $AUTHENTIC_GROUP \
+                        --no-create-home --home $AUTHENTIC_HOME \
+                        $AUTHENTIC_USER
+                echo "..done" >&2
+                echo "If you currently use a local postgres database with UNIX security, please rename the postgresql user."
+            fi
         fi
 
         if [ ! -f $AUTHENTIC_SECRET_KEY ]; then
@@ -35,12 +50,14 @@ case "$1" in
                 echo -n "Converting storage of the secret key.." >&2
                 . /etc/$NAME/secret
                 echo -n "$SECRET_KEY" >"$AUTHENTIC_SECRET_KEY"
+                chown $AUTHENTIC_USER:$AUTHENTIC_GROUP $AUTHENTIC_SECRET_KEY
                 rm /etc/$NAME/secret
                 echo "..done" >&2
             else
                 echo -n "Generating a secret key.." >&2
                 echo -n "`</dev/urandom tr -dc [:alnum:]-_\!\%\^:\; | head -c70`" > "$AUTHENTIC_SECRET_KEY"
                 chmod 0600 $AUTHENTIC_SECRET_KEY
+                chown $AUTHENTIC_USER:$AUTHENTIC_GROUP $AUTHENTIC_SECRET_KEY
                 echo "..done" >&2
             fi
         fi
@@ -65,19 +82,6 @@ case "$1" in
                 /etc/authentic2/authentic.conf >&2
         fi
 
-        chown -R $AUTHENTIC_USER:$AUTHENTIC_GROUP /var/lib/authentic2/
-
-        # source dbconfig-common shell library, and call the hook function
-        if [ -f /usr/share/dbconfig-common/dpkg/postinst.pgsql ]; then
-            . /usr/share/dbconfig-common/dpkg/postinst.pgsql 
-            dbc_generate_include="template:/etc/authentic2/db.conf"
-            dbc_generate_include_args="-o template_infile=/usr/share/authentic2/templates/db.conf -U"
-            dbc_generate_include_owner="root:authentic"
-            dbc_generate_include_perms="640"
-            dbc_pgsql_createdb_encoding="UTF8"
-            dbc_go authentic2 $@
-        fi
-
         if [ ! -f /etc/authentic2/cert.pem -a ! -f /etc/authentic2/key.pem ]; then
             echo -n "Generating key material..." >&2
             openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out /etc/authentic2/key.pem >&2
@@ -86,6 +90,16 @@ case "$1" in
             chmod 640 /etc/authentic2/cert.pem /etc/authentic2/key.pem
             echo "..done" >&2
         fi
+
+        chown $AUTHENTIC_USER:$AUTHENTIC_GROUP \
+            $AUTHENTIC_HOME \
+            $AUTHENTIC_HOME/static \
+            $AUTHENTIC_HOME/collectstatic \
+            $AUTHENTIC_HOME/locale \
+            $AUTHENTIC_HOME/media \
+            $AUTHENTIC_HOME/templates \
+            /var/log/$NAME \
+
         /etc/init.d/$NAME update
         ;;
 

debian/authentic2.postrm

@@ -6,7 +6,8 @@
 set -e
 
 case "$1" in purge)
-    deluser --quiet --system authentic > /dev/null || true
+    deluser --quiet --system authentic2 >/dev/null || true
+    delgroup --quiet --system authentic2 >/dev/null || true
     rm -f /etc/authentic2/secret
     rm -rf /var/lib/authentic2/static/*
     # source debconf stuff

debian/authentic2.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Authentic 2
+After=network.target postgresql.service
+Wants=postgresql.service
+
+[Service]
+Environment=AUTHENTIC2_SETTINGS_FILE=/usr/lib/%p/debian_config.py
+Environment=LANG=C.UTF-8
+User=authentic2
+Group=authentic2
+ExecStartPre=/usr/bin/authentic2-manage migrate --noinput
+ExecStartPre=/usr/bin/authentic2-manage collectstatic --noinput
+ExecStart=python2 -m gunicorn.app.wsgiapp \
+          --bind unix:/run/%p/%p.sock \
+          --worker-class=sync \
+          --workers 5 \
+          --timeout=60 \
+          --name %p \
+          authentic2.wsgi:application
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStartSec=0
+PrivateTmp=true
+Restart=on-failure
+RuntimeDirectory=%p
+
+[Install]
+WantedBy=multi-user.target

debian/compat

@@ -1 +1 @@
-9
+10

debian/control

@@ -1,12 +1,11 @@
 Source: authentic2
 Section: python
 Priority: optional
-Maintainer: Jerome Schneider <jschneider@entrouvert.com>
+Maintainer: Benjamin Dauvergne <bdauvergne@entrouvert.com>
 Build-Depends-Indep: python-all-dev (>= 2.6)
-Build-Depends: debhelper (>= 9.0), python-setuptools, python-django (>= 1.5), dh-python, dh-systemd
-Standards-Version: 3.8.3
-Homepage: http://authentic.labs.libre-entreprise.org
-X-Python-Version: >= 2.7
+Build-Depends: debhelper (>= 9.0), python-setuptools, python-django (>= 1:1.11), dh-python, dh-systemd
+Standards-Version: 3.9.6
+Homepage: http://dev.entrouvert.org/projects/authentic/
 
 Package: python-authentic2
 Architecture: all

debian/debian_config.py

@@ -1,7 +1,9 @@
+import glob
 import os
 import warnings
 from authentic2 import logger
 
+ETC_DIR = '/etc/authentic2/'
 
 # Add the XForwardedForMiddleware
 MIDDLEWARE = ('authentic2.middleware.XForwardedForMiddleware',) + MIDDLEWARE
@@ -118,7 +120,6 @@ LOGGING = {
 
 # Old settings method
 def extract_settings_from_environ():
-    import os
     import json
     from django.core.exceptions import ImproperlyConfigured
     global MANAGERS, DATABASES, SENTRY_TRANSPORT, SENTRY_DSN, INSTALLED_APPS, \
@@ -296,6 +297,9 @@ if os.path.exists(CONFIG_FILE):
     with open(CONFIG_FILE) as fd:
         exec(fd.read())
 
-# Warn if DEFAULT_FROM_EMAIL is the default value
-if DEFAULT_FROM_EMAIL == 'webmaster@localhost':
+for filename in sorted(glob.glob(os.path.join(ETC_DIR, 'settings.d', '*.py'))):
+    exec(open(filename).read())
+
+# Warn if DEFAULT_FROM_EMAIL is absent
+if not locals().get('DEFAULT_FROM_EMAIL'):
     warnings.warn('DEFAULT_FROM_EMAIL must be customized')

debian/python-authentic2.install

@@ -1 +0,0 @@
-usr/lib/

debian/rules

@@ -1,12 +1,11 @@
 #!/usr/bin/make -f
 
-authentic2=$(CURDIR)/debian/authentic2
-pythonauthentic2=$(CURDIR)/debian/python-authentic2
+export PYBUILD_NAME=authentic2
+export PYBUILD_DISABLE=test
 
 %:
-	dh $@ --with python2,systemd
+	dh $@ --with python2,systemd --buildsystem=pybuild
 
 override_dh_install:
 	dh_install
-	mv $(CURDIR)/debian/tmp/usr/bin/authentic2-ctl $(pythonauthentic2)/usr/lib/authentic2/manage.py
-
+	mv $(CURDIR)/debian/python-authentic2/usr/bin/authentic2-ctl $(CURDIR)/debian/python-authentic2/usr/lib/authentic2/manage.py

debian/sql/db.conf

@@ -1,5 +0,0 @@
-export DATABASE_ENGINE='django.db.backends.postgresql_psycopg2'
-export DATABASE_NAME='_DBC_DBNAME_'
-export DATABASE_USER='_DBC_DBUSER_'
-export DATABASE_PASSWORD='_DBC_DBPASS_'
-export DATABASE_HOST='localhost'

rules

@@ -1,9 +0,0 @@
-#!/usr/bin/make -f
-
-# This file was automatically generated by stdeb 0.6.0+git at
-# Fri, 14 Jun 2013 17:33:52 +0200
-
-%:
-	dh $@ --with python2 --buildsystem=python_distutils
-
-