diff options
Diffstat (limited to 'debian/PACKAGING')
-rw-r--r-- | debian/PACKAGING | 459 |
1 files changed, 459 insertions, 0 deletions
diff --git a/debian/PACKAGING b/debian/PACKAGING new file mode 100644 index 0000000..6eec260 --- /dev/null +++ b/debian/PACKAGING @@ -0,0 +1,459 @@ +Apache 2 Packaging Guidelines +============================= + +This document describes handling and behavior of reverse dependencies which +would like to interact with the Apache 2 HTTP server + +Contents +======== + + 1. Overview + + 2. Packaging Modules + 2.1 '.load' and '.conf' files + 2.2 Maintainer scripts + + 3. Packaging Sites and Configurations for Web Applications + 3.1 Web application module dependencies + 3.2 Package dependencies + + 4. Maintainer Scripts + 4.1 Enabling Configurations + 4.2 Switching MPMs + + 5. Tools + 5.1 a2query + 5.2 apache2-maintscript-helper + 5.3 dh_apache2 + + 6. Version + 6.1 Changes + + +1 Overview +========== + +The Apache 2 web server package in Debian supports two types of reverse +dependencies: modules and web applications. They need to be treated differently +as their requirements are different. We have special requirements for how to +declare dependencies against Apache 2 web server packages depending on the type +of package. Refer to the appropriate parts for extensive information. + +Furthermore, there are several helper tools available to assist with common +tasks. These are outlined in their respective sub sections as well. You should +use these tools to get maintainer scripts and dependencies right. + +This document adopts the normative wording of the Debian Policy Manual ยง1.1[1]. +The words "must", "should", and "may", and the adjectives "required", +"recommended", and "optional", are used to distinguish the significance of the +various guidelines in this policy document. + +[1] http://www.debian.org/doc/debian-policy/ch-scope.html#s1.1 + +2 Packaging Modules +=================== + +Modules are packages which are installing third party extensions to the Apache 2 +web server which can be loaded at runtime to extend the functionality of the +core server. Please be aware that such compiled modules make use of a stable +Application Binary Interface (ABI) and therefore need a recompile if the web +server changes. Hence be careful how you declare dependencies against the web +server. You need to make sure it does not break upon upgrades. + +A module package providing an Apache module must obey these policies to make +sure it can be upgraded without breakage of local sites. To achieve this, a +package must build-depend on apache2-dev. That package provides the 'apxs' +compile helper which makes sure the module to be compiled is compatible with the +Apache 2 web server and the C headers the server is providing as a public +interface. If an updated package is not buildable with Apache 2.2 anymore, the +apache2-dev build-dependency should be versioned ">> 2.4~", because older +versions of apache2-threaded-dev did provide apache2-dev. + +A module package that uses openssl specific interfaces in mod_ssl, either by +using the mod_ssl_openssl.h header, or by using mod_ssl-internal private +interfaces (don't do that!), must build-depend on apache2-ssl-dev to ensure +that the correct version of the openssl headers are used. In this case, +dh_apache2 will also create a dependency on a apache2-api-YYYYMMDD-opensslM.M +virtual package. + +The resulting binary package should be called libapache2-mod-<modulename> and +MUST NOT depend on apache2 or apache2-bin. Instead a module package must depend +on our virtual package providing the module magic number which denotes the ABI +compatibility version number. The virtual package is called apache2-api-YYYYMMDD +and is guaranteed to be stable through all binary updates of 2.4.x. The +dh_apache2 helper assists in getting the dependencies right. + +2.1 '.load' and '.conf' files +----------------------------- + +The module must install a 'module.load' file to /etc/apache2/modules-available, +where 'module' is the name of the installed module minus the "mod_" prefix. The +'.load' file must contain an appropriate "LoadModule" directive only. +Additionally maintainers may use a magic line in '.load' files to declare +module dependencies and conflicts which need to be resolved to load a module for +a local site. This is useful if a module depends on other modules to be +loaded, or to conflict with other modules if they can't be loaded at the same +time. a2enmod and a2dismod will parse any "magic comment lines" with the format +"# Depends: module [module [...]]" and "# Conflicts: module [module [...]]"; +for example to load mod_foo: + +In 'foo.load': + + # Depends: bar + # Conflicts: baz + LoadModule foo_module /usr/lib/modules/mod_foo.so + + +Additionally, if required, a 'foo.conf' configuration file to configure the +module may be installed along with the 'load' file, following the same naming +scheme. This is useful if the module in question requires some initial +configuration to be useful. No magic comments are recognized in '.conf' files. +Otherwise they have the same functionality and requirements as configuration +files (see section 3 below). You should use only directives provided by default +by our web server configuration or which are provided by your module itelf in a +supplied '.conf' file. + +In some rare cases it can't be avoided that a module depends on an another +module being loaded already before its own loading process can succeed. The +module load order is guaranteed to be sorted alphabetically, which could lead to +problems if the new module to be loaded sorts later. In most cases such +pre-load dependencies can be avoided upstream - consider filing a bug. If there +is no way out of this problem, you may want to add a conditional Include in your +own module file. + +Suppose mod_foo relies on mod_bar to be loaded first. You may want to write a +module 'load' file like this: + + # Depends: bar + <IfModule !mod_bar.c> + Include mods-enabled/bar.load + </IfModule> + + LoadModule foo_module /usr/lib/modules/mod_foo.so + +Please note that the bar.load file must also contain a matching "<IfModule +!mod_bar.c>" guard as it would be loaded twice otherwise. Use this method +extremely sparingly and in agreement with related package maintainers only. +Note that such a module '.load' file must still contain a "Depends:" magic line +to make sure that the a2enmod/a2dismod dependency resolver works correctly. + +2.2 Maintainer scripts +---------------------- + +Maintainer scripts should not invoke a2enmod directly. Instead, the +apache2-maintscript-helper should be used. Please be aware that the helper is +not guaranteed to be installed on the target system. There are certain setups +which do not require Debian specific configurations, so modules must not do +anything in maintainer scripts which makes use of Debian-specific enhancements +like apache2-maintscript-helper, a2enmod, or a2query unconditionally. It is +recommended to invoke it like this: + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + apache2_invoke enmod foo + fi + +The dh_apache2 helper can be used to install module configuration and load +files. Additionally it generates appropriate maintainer scripts. The +apache2-maintscript-helper provides a few functions for common tasks. See their +respective reference documentations below. + +If maintainer scripts use a2enmod/a2dismod manually, they must invoke them with +the "-m" (maintainer mode) switch. + +3 Packaging Sites and Configurations for Web Applications +========================================================= + +Web applications are different from modules in that they do not have a hard +dependency on the web server. Typically they require a running web server, +but they do not need to worry about binary compatibility of modules. We accept +that there are other web servers besides Apache; thus we discourage package +maintainers of web applications from depending unconditionally on Apache. That +said, we provide several helpers to assist web application packagers to invoke +configuration snippets to enable a web application in the Apache 2 web server. + +We differentiate between two sub-types: sites and general configuration. Sites +are installed to /etc/apache2/sites-available and configure a particular +virtual host. Special care must be taken when installing a site configuration +to make sure it does not interfere with site-local configuration used by the +administrator. Typically there are only a few use cases where a Debian +package should include a virtual host configuration. + +The general configuration snippets are installed to /etc/apache2/conf-available +instead. Package maintainers are advised to avoid "local-" prefixes to +installed conffiles, and ideally use "packagename.conf" to avoid name clashes. +This type of configuration must be used when installing a global (i.e. virtual +host independent) configuration. Usually these configuration snippets will be +included in the global server context via the conf-enabled directory. However, +it is planned to allow the administrator to only enable the configuration +snippets in a selected set of virtual hosts. + +Typically a "packagename.conf" should enable a global alias pointing to your web +application along with a script-dependendent per-script configuration; for +example: + + Alias /packagename /usr/share/packagename + + <Directory /usr/share/packagename> + ... + </Directory> + +Please be careful about the directives you are using. Some might be provided by +modules which are not enabled by default. By default you can unconditionally use +directives from these modules: mod_access_compat, mod_alias, mod_auth_basic, +mod_authn_file, mod_authz_host, mod_authz_user, mod_autoindex, mod_deflate, +mod_dir, mod_env, mod_filter, mod_logio, mod_mime, mod_negotiation, +mod_setenvif, mod_unixd, mod_version, mod_watchdog. Check the module +documentation for the modules providing directives you are using. + +Note that not all directives are really required. If your <Directory> +configuration can be enhanced by mod_rewrite rules, but does not necessarily +need to use them, you could do something like: + + <Directory /usr/share/packagename> + ... + <IfModule mod_rewrite.c> + RewriteEngine on + RewriteRule ... + </IfModule> + </Directory> + +(Note that some common uses of mod_rewrite for web applications can be replaced +by the relatively new FallbackResource directive.) + +3.1 Web application module dependencies +--------------------------------------- + +There are use cases where a configuration really needs a certain module to be +enabled. This is tricky to achieve for web applications as dependencies could +lead to complex dependency chains which could break unrelated web applications +installed alongside your package. Thus, we do not resolve module dependencies +for web applications automatically, but they may be expressed (see 'load' files +in section 2.1), and a2enconf will warn the site administrator about modules +which need to enabled. Moreover, modules can be arbitrarily enabled and +disabled by local administrators, so a web application must make sure not to +break the web server's start-up if a required module is not available. + +The syntax for config snippets to express dependencies is identical to the +syntax in modules' '.load' files. Within your package.conf file you still need +to protect non-default directives with <IfModule> clauses as there is no +guarantee that the modules are actually enabled. It is acceptable if your +configuration file turns into a no-op as long as it does not break the server +start-up. + +For both types of configuration (configurations and sites), dh_apache2 can be +used to assist packagers. + +3.2 Package dependencies +------------------------ + +Web applications must only depend on (or recommend) the apache2 package. Web +applications must not depend on or recommend the packages apache2-bin or +apache2-data. Generally, web server dependencies should be declared in the form: + + Depends: apache2 | <alternative web servers you support> | httpd-cgi + +Using dh_apache2 assists you to do so, although dh_apache2 declares a weaker +Recommends relation only. While a consolidated and consistent behavior among web +applications would be desirable, from Apache's point of view, both alternatives +are acceptable. If your web application depends on a particular web server module +you need to depend on that, too. For example, PHP applications might need to +formulate dependency lines in the form: + + Depends: libapache2-mod-php5 | php5-cgi | php5-fpm + Recommends: apache2 | <alternative web servers you support> | httpd-cgi + +A with modules, web applications may enable their configuration files in +maintainer scripts. Use of dh_apache2 is recommended to achieve this. Generally, +special care should be taken not to use Apache2 Debian helper scripts like +a2query and a2enmod unconditionally. You can use the apache2-maintscript-helper +tools provided by the apache2 package for common tasks this way: + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + apache2_invoke enconf foo + fi + +Refer to the reference documentation below to learn how to use +apache2-maintscript-helper. Do not enable or disable modules in web +application maintainer scripts; instead protect your configuration with +<IfModule> clauses if you require non-standard modules. + +4 Maintainer Scripts +==================== + +Though already discussed briefly in previous sections, here follow some +clarifications regarding the invocation of wrapper scripts in maintainer scripts +of modules and web applications. + +4.1 Enabling Configurations +--------------------------- + +Both modules and web applications should use the apache2-maintscript-helper in +general. The helper will obey local policies to decide when to enable a piece of +configuration, to reload the web server, and so on. Moreover, it will remember +whether a module was activated by the site administrator or a maintainer script. +Thus, it is particularly important you do not use "a2enmod" and so on directly +(though a2query is acceptable). + +This is a summary of how the apache2-maintscript-helper should be invoked in +maintainer scripts: + +Modules: + Unless a maintainer or debconf script verified that no configuration was + to be installed at all, e.g. for scripts supporting several web servers, + modules should unconditionally call apache2_invoke in their "postinst + configure" sections. It will obey site-local policies in future and will + make sure that disabled modules are not enabled again during upgrades of + a module package. + + Modules need to be disabled on removal (and purge anyway), as otherwise + their configuration will be broken (as LoadModule would fail because of + the missing shared object file). Thus, modules need to call + "apache2_invoke dismod" on both removal and purge. It's apache2_invoke's + job to deal with upgrades and it will remember modules it removed during + removal and will reenable them during re-install. + +Web Applications: + Web Applications derive the same behavior as modules if the web + application can be run with a sensible out-of-box configuration; don't + enable it otherwise. Likewise, web application should also be disabled + on removal (and on purge anyway), because important files may be missing + (and that's the point of package removal, anyway). + +4.2 Switching MPMs +------------------ + +Only modules are allowed to switch the enabled MPM. Web applications must not +switch the enabled MPM in their maintainer scripts. To actually switch the MPM, +packagers can use a2query to find out whether it is necessary, and if so, can +switch it by using the corresponding helper function provided in +apache2-maintscript-helper. Do not try to switch the MPM yourself - the helper +function takes special care not to leave the site in a state without an enabled +MPM, which is a fatal error. + + +The helper call may fail. Your maintainer script must cope with this +possibility. It is not recommended to make your maintainer script fail if the +MPM could not be changed. Instead emit a warning. You can use the apache2_msg +function from apache2-maintscript-helper which will also log to syslog. If you +are using debconf anyway you may want to consider using that - but continue +operation. However, make sure you only enable the module in question if the MPM +was changed successfully. See below for an example snippet: + + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + + # mod_foo requires the prefork MPM + if [ $(a2query -M) != 'prefork' ] ; then + if apache2_switch_mpm prefork ; then + apache2_invoke enmod foo + else + apache2_msg err "Could not switch to prefork, not enabling mod_foo" + fi + else + apache2_invoke enmod foo + fi + + fi + + +5. Tools +======== + +This is an overview of tools supplied with the Apache2 package which can assist +in building web application and module packages. + +5.1 apache2-maintscript-helper +------------------------------ + +The apache2-maintscript-helper is a collection of functions which can be +sourced in maintainer scripts to do required tasks in a simple and +standardized way. It is NOT a script; it is a library (insofar as shell +functions can be libraries). This is to avoid users calling these functions. +They are not meant to be used by users. The helper is installed within the +apache2 binary package. Thus you MUST NOT use any function of it +unconditionally, as for both modules and web applications there are use cases +when this package is not added as a dependency. Thus, use it in a protected +conditional like this only: + + if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then + . /usr/share/apache2/apache2-maintscript-helper + <call apache2-maintscript-helper specific functions> + fi + +The helper provides functions to enable and disable configuration files, +restart the web server, switch the MPM in use and similar. Refer to the source +code for detailed interface documentation. When available, please use the +apache2-maintscript-helper instead of calling helper scripts directly, as these +functions are careful to invoke and use the appropriate helper. Later versions +may be configurable to allow the administrator to influence which actions are +performed. + +Always check the return code of the called function to find out whether +something went wrong: + + if ! apache2_invoke enmod modulename ; then + echo "Whoops! Something went wrong" + fi + +5.2 dh_apache2 +-------------- + +dh_apache2 is a debhelper which can be used to install modules, module +configuration, site configuration, and global configuration snippets. It assists +you to set appropriate dependencies and maintainer scripts. Refer to +dh_apache2(1) for full usage guidelines. + +5.2 a2enmod +----------- + +a2enmod and its special invocations a2enconf, a2ensite, a2dismod, a2dissite and +a2disconf can be used to enable all types of Apache 2 configuration files. When +invoking these helpers in maintainer scripts, you should carefully check their +error return codes. These scripts must always be used with the -q (quiet) and -m +(maintainer mode) switches in maintainer scripts. Preferably, you should not +interface with this scripts directly; instead it is recommended to use +apache2-maintscript-helper. For detailed usage refer to their respective man +pages. + +5.3 a2query +---------- + +a2query is a query tool to retrieve runtime status information about the Apache +2 web server instance. You can use this tool to get information about loaded +modules, the MPM used on the installation site, the module magic number and +other useful information. Use this script instead of accessing configuration +files in /etc/apache2 directly as it tries its best to return useful information +even on incomplete or broken configurations. + +For example, you can use a2query to retrieve the MPM enabled on the local site +and make actions dependent on the result like this: + + [ -x /usr/sbin/a2query ] || exit $? + CUR_MPM=$(a2query -M) || exit $? + case "$CUR_MPM" in + worker) + ;; + ... + esac + +Refer to the a2query(1) man page for the full documentation. Please note that +the apache2-maintscript-helper can be used to interface with this task as well. + +6 Version +========= + +Document version: 1.0 + +Starting with Apache2 2.4.2-2 this document is versioned. Any change which affects +packaging is denoted by an increased major nummer; clarifications, spelling fixes +and minor edits are denoted by minor numbers. In future, a changelog will appear +here as well. + +6.1 Changes +----------- + +1.0: + * first version of this document which is versioned. |