Packaging: Add conf files to deb/rpm packages (#6330)

Author: cognifloyd

CHANGELOG.rst

@@ -80,7 +80,7 @@ Added
   #6118 #6141 #6133 #6120 #6181 #6183 #6200 #6237 #6229 #6240 #6241 #6244 #6251 #6253
   #6254 #6258 #6259 #6260 #6269 #6275 #6279 #6278 #6282 #6283 #6273 #6287 #6306 #6307
   #6311 #6314 #6315 #6317 #6319 #6312 #6320 #6321 #6323 #6324 #6325 #6326 #6327 #6328
-  #6329
+  #6329 #6330
   Contributed by @cognifloyd
 * Build of ST2 EL9 packages #6153
   Contributed by @amanda11

conf/BUILD

@@ -57,3 +57,55 @@ file(
     name="st2_package_conf",
     source="st2.package.conf",
 )
+
+shell_command(
+    name="htpasswd",
+    description="An empty htpasswd file for st2-auth-backend-flat-file",
+    command="touch htpasswd",
+    tools=["touch"],
+    output_files=["htpasswd"],
+)
+
+shell_command(
+    name="packaged_st2_conf",
+    execution_dependencies=[":st2_package_conf"],
+    # virtualenv_opts is no longer needed for most OSes. We used to do this only for EL 8.
+    command="""crudini --verbose --set st2.package.conf actionrunner virtualenv_opts ''""",
+    runnable_dependencies=["//:crudini"],
+    output_files=["st2.package.conf"],
+)
+
+nfpm_content_files(
+    name="packaged_conf_files",
+    dependencies=[
+        ":packaged_st2_conf",
+        ":logrotate",
+        ":nginx_sample_config",
+        ":htpasswd",
+    ],
+    files=[
+        ("st2.package.conf", "/etc/st2/st2.conf"),
+        ("logrotate.conf", "/etc/logrotate.d/st2"),
+        ("nginx/st2.conf", "/usr/share/doc/st2/conf/nginx/st2.conf"),
+        ("htpasswd", "/etc/st2/htpasswd"),
+    ],
+    content_type="config|noreplace",
+    file_owner="root",
+    file_group="root",
+    file_mode="rw-r--r--",
+    overrides={
+        "/etc/st2/st2.conf": dict(
+            # st2.conf typically contains secrets, so it is not world readable.
+            file_mode="rw-r-----",  # NOTE: Packaging used to install this world readable.
+            # TODO: Maybe set file_group=ST2_SVC_USER if a non-root process needs access.
+        ),
+        "/etc/st2/htpasswd": dict(
+            file_owner=ST2_SVC_USER,
+            file_group=ST2_SVC_USER,
+            file_mode="rw-------",
+        ),
+        "/usr/share/doc/st2/conf/nginx/st2.conf": dict(
+            content_type="",
+        ),
+    },
+)

packaging/BUILD

@@ -45,6 +45,7 @@ nfpm_deb_package(
         "./deb/scripts",
         "./deb/systemd:services",
         "./common/systemd:generators",
+        "./common:conf_files",
         "./common:dirs",
         "./common:symlinks",
         *_st2_venv_deps(),
@@ -80,6 +81,7 @@ nfpm_rpm_package(
         "./rpm/scripts",
         "./rpm/systemd:services",
         "./common/systemd:generators",
+        "./common:conf_files",
         "./common:dirs",
         "./common:symlinks",
         *_st2_venv_deps(),

packaging/common/BUILD

@@ -1,8 +1,6 @@
 nfpm_content_dirs(
     name="root_dirs",
     dirs=[
-        # "/etc/bash_completion.d",
-        # "/etc/logrotate.d",
         "/etc/st2",
         "/opt/stackstorm",
         "/opt/stackstorm/st2",
@@ -71,3 +69,16 @@ nfpm_content_symlinks(
     file_owner="root",
     file_group="root",
 )
+
+target(
+    name="conf_files",
+    dependencies=[
+        "//conf:packaged_conf_files",
+        "//st2actions/conf:packaged_conf_files",
+        "//st2api/conf:packaged_conf_files",
+        "//st2auth/conf:packaged_conf_files",
+        "//st2client/conf:packaged_bash_completion",
+        "//st2reactor/conf:packaged_conf_files",
+        "//st2stream/conf:packaged_conf_files",
+    ],
+)

pants-plugins/macros.py

@@ -226,3 +226,32 @@ def st2_logging_conf_resources(**kwargs):
     deps = list(deps) + list(_st2common_logging_deps)
     kwargs["dependencies"] = tuple(deps)
     resources(**kwargs)  # noqa: F821
+
+
+def st2_logging_conf_for_nfpm(**kwargs):
+    deps = kwargs.pop("dependencies") or []
+
+    shell_command(  # noqa: F821
+        name="package_logging_conf",
+        execution_dependencies=deps,
+        # Using "-E" and specifying the ".bak" suffix makes this portable
+        command="""
+        sed -E -i.bak "/args[[:space:]]*=[[:space:]]*/s:logs/:/var/log/st2/:g" logging.*conf;
+        for conf_file in logging.*conf syslog.*conf; do
+            crudini --verbose --set "${conf_file}" logger_root level INFO;
+        done
+        """,
+        runnable_dependencies=["//:crudini"],
+        tools=["sed"],
+        output_files=["*.conf"],
+    )
+
+    nfpm_content_files(  # noqa: F821
+        name="packaged_conf_files",
+        dependencies=[":package_logging_conf"],
+        file_owner="root",
+        file_group="root",
+        file_mode="rw-r--r--",
+        content_type="config|noreplace",
+        **kwargs,
+    )

st2actions/conf/BUILD

@@ -21,3 +21,20 @@ st2_logging_conf_files(
     name="logging_syslog",
     sources=["syslog*.conf"],
 )
+
+st2_logging_conf_for_nfpm(
+    dependencies=[
+        ":logging",
+        ":logging_syslog",
+    ],
+    files=[
+        ("logging.conf", "/etc/st2/logging.actionrunner.conf"),
+        ("syslog.conf", "/etc/st2/syslog.actionrunner.conf"),
+        ("logging.notifier.conf", "/etc/st2/logging.notifier.conf"),
+        ("syslog.notifier.conf", "/etc/st2/syslog.notifier.conf"),
+        ("logging.scheduler.conf", "/etc/st2/logging.scheduler.conf"),
+        ("syslog.scheduler.conf", "/etc/st2/syslog.scheduler.conf"),
+        ("logging.workflowengine.conf", "/etc/st2/logging.workflowengine.conf"),
+        ("syslog.workflowengine.conf", "/etc/st2/syslog.workflowengine.conf"),
+    ],
+)

st2api/conf/BUILD

@@ -19,3 +19,16 @@ st2_logging_conf_file(
     name="logging_syslog",
     source="syslog.conf",
 )
+
+st2_logging_conf_for_nfpm(
+    dependencies=[
+        ":logging",
+        ":logging_gunicorn",
+        ":logging_syslog",
+    ],
+    files=[
+        ("logging.conf", "/etc/st2/logging.api.conf"),
+        ("logging.gunicorn.conf", "/etc/st2/logging.api.gunicorn.conf"),
+        ("syslog.conf", "/etc/st2/syslog.api.conf"),
+    ],
+)

st2auth/conf/BUILD

@@ -29,3 +29,16 @@ st2_logging_conf_file(
     name="logging_syslog",
     source="syslog.conf",
 )
+
+st2_logging_conf_for_nfpm(
+    dependencies=[
+        ":logging",
+        ":logging_gunicorn",
+        ":logging_syslog",
+    ],
+    files=[
+        ("logging.conf", "/etc/st2/logging.auth.conf"),
+        ("logging.gunicorn.conf", "/etc/st2/logging.auth.gunicorn.conf"),
+        ("syslog.conf", "/etc/st2/syslog.auth.conf"),
+    ],
+)

st2client/conf/BUILD

@@ -1 +1,12 @@
 shell_sources()
+
+nfpm_content_file(
+    name="packaged_bash_completion",
+    dependencies=["./st2.complete.sh"],
+    src="st2.complete.sh",
+    dst="/etc/bash_completion.d/st2",
+    content_type="config",
+    file_owner="root",
+    file_group="root",
+    file_mode="rwxr-xr-x",
+)

st2reactor/conf/BUILD

@@ -13,3 +13,20 @@ st2_logging_conf_files(
     name="logging_syslog",
     sources=["syslog*.conf"],
 )
+
+st2_logging_conf_for_nfpm(
+    dependencies=[
+        ":logging",
+        ":logging_syslog",
+    ],
+    files=[
+        ("logging.garbagecollector.conf", "/etc/st2/logging.garbagecollector.conf"),
+        ("syslog.garbagecollector.conf", "/etc/st2/syslog.garbagecollector.conf"),
+        ("logging.rulesengine.conf", "/etc/st2/logging.rulesengine.conf"),
+        ("syslog.rulesengine.conf", "/etc/st2/syslog.rulesengine.conf"),
+        ("logging.sensorcontainer.conf", "/etc/st2/logging.sensorcontainer.conf"),
+        ("syslog.sensorcontainer.conf", "/etc/st2/syslog.sensorcontainer.conf"),
+        ("logging.timersengine.conf", "/etc/st2/logging.timersengine.conf"),
+        ("syslog.timersengine.conf", "/etc/st2/syslog.timersengine.conf"),
+    ],
+)