-rw-r--r-- | debian/TODO.Debian | 4 | ||||
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/control | 27 | ||||
-rw-r--r-- | debian/copyright | 18 | ||||
-rw-r--r-- | debian/netdata.conf | 16 | ||||
-rw-r--r-- | debian/netdata.dirs | 4 | ||||
-rw-r--r-- | debian/netdata.docs | 1 | ||||
-rw-r--r-- | debian/netdata.install | 1 | ||||
-rw-r--r-- | debian/netdata.lintian-overrides | 15 | ||||
-rw-r--r-- | debian/netdata.logrotate | 15 | ||||
-rw-r--r-- | debian/netdata.postinst.in | 42 | ||||
-rw-r--r-- | debian/netdata.postrm | 36 | ||||
-rw-r--r-- | debian/netdata.service | 57 | ||||
-rwxr-xr-x | debian/rules | 93 | ||||
-rw-r--r-- | debian/source/format | 1 | ||||
-rw-r--r-- | debian/watch | 4 |
17 files changed, 340 insertions, 0 deletions
diff --git a/debian/TODO.Debian b/debian/TODO.Debian
new file mode 100644
index 00000000..d2bc95ec
--- /dev/null
+++ b/debian/TODO.Debian
@@ -0,0 +1,4 @@
+* De-vendorize JS libraries
+* Restrict security permissions in netdata.service
+* Do cleanup when apt-get purge is run
+ * delete user, /var/cache/netdata, /var/log/netdata
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 00000000..241e41c1
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+netdata (1.0.0-1) UNRELEASED; urgency=low
+
+ * Initial release (Closes: #819661)
+
+ -- Federico Ceratto <federico@debian.org> Wed, 30 Mar 2016 22:41:35 +0100
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..c865d697
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,27 @@
+Source: netdata
+Section: net
+Priority: optional
+Maintainer: Lennart Weller <lhw@ring0.de>
+Uploaders: James Cowgill <jcowgill@debian.org>, Federico Ceratto <federico@debian.org>
+Build-Depends: debhelper (>= 9),
+ dh-autoreconf,
+ dh-systemd (>= 1.5),
+ dpkg-dev (>= 1.13.19),
+ zlib1g-dev
+Standards-Version: 3.9.6
+Homepage: https://github.com/firehol/netdata
+Vcs-Git: https://anonscm.debian.org/collab-maint/netdata.git
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/netdata.git
+
+Package: netdata
+Architecture: any
+Depends: adduser,
+ libcap2-bin (>= 1:2.0),
+ lsb-base (>= 3.1-23.2),
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: real-time charts for system monitoring
+ Netdata is a daemon that collects data in realtime (per second)
+ and presents a web site to view and analyze them. The presentation
+ is also real-time and full of interactive charts that precisely
+ render all collected values.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000..0418242b
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,18 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: netdata
+Upstream-Contact: Costa Tsaousis <costa@tsaousis.gr>
+Source: https://github.com/firehol/netdata
+
+Files: *
+Copyright: 2014-2016, Costa Tsaousis
+License: GPL-3+
+
+Files: debian/*
+Copyright: 2016 Matthew Newton <mcn4@leicester.ac.uk>
+Copyright: 2016 Lennart Weller <lhw@ring0.de>
+Copyright: 2016 Federico Ceratto <federico@debian.org>
+License: GPL-3+
+
+License: GPL-3+
+ On Debian systems, the complete text of the GNU General Public
+ License version 3 can be found in /usr/share/common-licenses/GPL-3.
diff --git a/debian/netdata.conf b/debian/netdata.conf
new file mode 100644
index 00000000..a963d80b
--- /dev/null
+++ b/debian/netdata.conf
@@ -0,0 +1,16 @@
+# NetData Configuration
+
+# The current full configuration can be retrieved from the running
+# server at the URL
+#
+# http://localhost:19999/netdata.conf
+#
+# for example:
+#
+# wget -O /etc/netdata/netdata.conf http://localhost:19999/netdata.conf
+#
+
+[global]
+ run as user = netdata
+ web files owner = root
+ web files group = netdata
diff --git a/debian/netdata.dirs b/debian/netdata.dirs
new file mode 100644
index 00000000..0dfa7901
--- /dev/null
+++ b/debian/netdata.dirs
@@ -0,0 +1,4 @@
+etc/netdata
+var/cache/netdata
+var/log/netdata
+var/run
diff --git a/debian/netdata.docs b/debian/netdata.docs
new file mode 100644
index 00000000..b43bf86b
--- /dev/null
+++ b/debian/netdata.docs
@@ -0,0 +1 @@
+README.md
diff --git a/debian/netdata.install b/debian/netdata.install
new file mode 100644
index 00000000..45d42b63
--- /dev/null
+++ b/debian/netdata.install
@@ -0,0 +1 @@
+debian/netdata.conf /etc/netdata/
diff --git a/debian/netdata.lintian-overrides b/debian/netdata.lintian-overrides
new file mode 100644
index 00000000..a50a1753
--- /dev/null
+++ b/debian/netdata.lintian-overrides
@@ -0,0 +1,15 @@
+# See Debian policy 10.9. apps.plugin has extra capabilities, so don't let
+# normal users run it.
+netdata: non-standard-executable-perm usr/lib/*/netdata/plugins.d/apps.plugin 0754 != 0755
+
+
+# FontAwesome is at least in the fonts-font-awesome package, but this is
+# not available in wheezy. glyphicons-halflings-regular isn't currently in
+# a Debian package. Therefore don't complain about shipping them with netdata
+# for the time being.
+netdata: duplicate-font-file usr/share/netdata/fonts/*
+netdata: font-in-non-font-package usr/share/netdata/fonts/*
+
+# Files here are marked as conffiles so that local updates to the html files
+# isn't clobbered on upgrade.
+netdata: non-etc-file-marked-as-conffile var/lib/netdata/www/*
diff --git a/debian/netdata.logrotate b/debian/netdata.logrotate
new file mode 100644
index 00000000..707eba3f
--- /dev/null
+++ b/debian/netdata.logrotate
@@ -0,0 +1,15 @@
+/var/log/netdata/*log {
+ compress
+ create 0640 netdata adm
+ daily
+ delaycompress
+ missingok
+ notifempty
+ rotate 14
+ sharedscripts
+ postrotate
+ if service netdata status > /dev/null ; then \
+ service netdata restart > /dev/null; \
+ fi;
+}
+
diff --git a/debian/netdata.postinst.in b/debian/netdata.postinst.in
new file mode 100644
index 00000000..36a03c0b
--- /dev/null
+++ b/debian/netdata.postinst.in
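Review bot: The `postrotate` block in debian/netdata.logrotate is never closed: the stanza goes from `fi;` straight to `}`, and logrotate needs an `endscript` line to terminate a script block, so add `endscript` after `fi;`. Separately, the postinst hands /var/log/netdata to the netdata user, which means logrotate (running as root) creates and renames files inside a directory the daemon account controls. Consider adding `su netdata adm` to the stanza so rotation happens with that account's rights rather than root's.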
@@ -0,0 +1,42 @@
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ if ! getent group netdata >/dev/null; then
+ addgroup --quiet --system netdata
+ fi
+
+ if ! getent passwd netdata >/dev/null; then
+ adduser --quiet --system --ingroup netdata --home /var/lib/netdata --no-create-home netdata
+ fi
+
+ if ! dpkg-statoverride --list /var/lib/netdata >/dev/null 2>&1; then
+ dpkg-statoverride --update --add root netdata 0755 /var/lib/netdata
+ fi
+
+ if ! dpkg-statoverride --list /var/lib/netdata/www >/dev/null 2>&1; then
+ dpkg-statoverride --update --add root netdata 0755 /var/lib/netdata/www
+ fi
+
+ if ! dpkg-statoverride --list /var/cache/netdata >/dev/null 2>&1; then
+ dpkg-statoverride --update --add netdata netdata 0755 /var/cache/netdata
+ fi
+
+ fi
+
+ chown -R root:netdata /usr/share/netdata/*
+ chown -R root:netdata /usr/lib/@DEB_HOST_MULTIARCH@/netdata/plugins.d
+ setcap cap_dac_read_search,cap_sys_ptrace+ep /usr/lib/@DEB_HOST_MULTIARCH@/netdata/plugins.d/apps.plugin
+ chown netdata:adm /var/log/netdata
+ chmod 02750 /var/log/netdata
+
+#PERMS#
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/netdata.postrm b/debian/netdata.postrm
new file mode 100644
index 00000000..c6ddc7e1
--- /dev/null
+++ b/debian/netdata.postrm
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ remove)
+ ;;
+
+ purge)
+ for dir_name in /var/cache/netdata /var/lib/netdata /var/lib/netdata/www; do
+ if dpkg-statoverride --list | grep -qw "$dir_name"; then
+ dpkg-statoverride --remove "$dir_name"
+ fi
+ done
+
+ if getent passwd netdata >/dev/null; then
+ if [ -x /usr/sbin/deluser ]; then
+ deluser --quiet --system netdata || echo "Unable to remove netdata user"
+ fi
+ fi
+
+ if getent group netdata >/dev/null; then
+ if [ -x /usr/sbin/delgroup ]; then
+ delgroup --quiet --system netdata || echo "Unable to remove netdata group"
+ fi
+ fi
+
+ ;;
+
+ *)
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
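Review bot: The `setcap cap_dac_read_search,cap_sys_ptrace+ep …/apps.plugin` line in debian/netdata.postinst.in has no comment saying who ends up holding those capabilities, and it runs unguarded under `set -e`. Together with the `chown -R root:netdata` above it and the 0754 mode set in debian/rules, every member of group netdata can execute a binary that bypasses read permission checks and may ptrace other processes; a comment such as `# apps.plugin: file caps are usable by group netdata only (root:netdata 0754)` would make that boundary explicit. If the target filesystem cannot store file capabilities, `setcap` presumably exits non-zero and leaves the package half-configured, so an explicit message on failure would help the administrator.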
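Review bot: In the `purge` branch of debian/netdata.postrm the test `dpkg-statoverride --list | grep -qw "$dir_name"` is a loose match: `/var/lib/netdata` also matches the `/var/lib/netdata/www` entry, or any other override whose path contains it. `dpkg-statoverride --remove` can then be called for a path that has no override of its own, which would abort the purge under `set -e`. Use the exact-path query the postinst already uses, `if dpkg-statoverride --list "$dir_name" >/dev/null 2>&1; then`. The branch also leaves /var/cache/netdata and /var/log/netdata in place, which TODO.Debian lists as outstanding.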
diff --git a/debian/netdata.service b/debian/netdata.service
new file mode 100644
index 00000000..59ca5754
--- /dev/null
+++ b/debian/netdata.service
@@ -0,0 +1,57 @@
+# netdata systemd target
+
+[Unit]
+Description=netdata - Real-time performance monitoring
+Documentation=man:netdata
+Documentation=file:///usr/share/doc/netdata/html/index.html
+Documentation=https://github.com/firehol/netdata
+After=network.target httpd.service squid.service nfs-server.service mysqld.service named.service postfix.service
+Wants=network-online.target
+ConditionPathExists=/etc/netdata/netdata.conf
+
+[Service]
+Type=forking
+#PIDFile=/run/netdata.pid
+PIDFile=/var/run/netdata/netdata.pid
+Environment="netdata_LOG_LOCATION=/var/log/netdata/log"
+ExecStart=/usr/sbin/netdata
+ExecReload=/usr/sbin/netdata reload
+#ExecStop=/bin/kill -SIGTERM $MAINPID
+ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry=TERM/5/KILL/5 --pidfile /run/netdata.pid
+TimeoutStopSec=30
+KillMode=mixed
+
+EnvironmentFile=-/etc/default/%p
+User=netdata
+PermissionsStartOnly=true
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+
+WorkingDirectory=/tmp
+User=root
+Group=root
+
+# Hardening
+# AppArmorProfile=system_netdata
+# CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FOWNER
+NoNewPrivileges=yes
+#PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+# TODO: restrict ReadOnlyDirectories
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc
+ReadWriteDirectories=-/run
+ReadWriteDirectories=-/var/log/netdata
+ReadWriteDirectories=-/var
+ReadWriteDirectories=-/var/cache
+ReadWriteDirectories=-/var/cache/netdata
+ReadWriteDirectories=-/var/run
+
+[Install]
+WantedBy=multi-user.target
+
+
+
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000..dcc92dbb
--- /dev/null
+++ b/debian/rules
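Review bot: The `[Service]` section of debian/netdata.service sets `User=netdata` and, a few lines later, `User=root` and `Group=root`; for a single-valued setting the last assignment wins, so the unit starts the daemon as root and the earlier line only misleads. Keep one of the two and state in a comment which account the daemon is meant to start as (netdata.conf already carries `run as user = netdata`). `NoNewPrivileges=yes` also looks at odds with the postinst, which grants apps.plugin file capabilities via `setcap`: with no_new_privs set, exec does not honour file capabilities, so this combination should be tested. Two smaller inconsistencies are `PIDFile=/var/run/netdata/netdata.pid` against `--pidfile /run/netdata.pid` in `ExecStop`, and `ReadWriteDirectories=-/var`, which makes all of /var writable again after `ReadOnlyDirectories=/`.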
@@ -0,0 +1,93 @@
+#!/usr/bin/make -f
+
+# Find the arch we are building for, as this determines
+# the location of plugins in /usr/lib
+DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
+TOP = $(CURDIR)/debian/netdata
+
+export DH_VERBOSE = 1
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+export DEB_CFLAGS_MAINT_APPEND = -Wall -O3
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+ # For jessie and beyond
+ #
+ dh $@ --with autoreconf,systemd
+
+ # For wheezy or other non-systemd distributions use the following. You
+ # should also see contrib/README.md which gives details of updates to
+ # make to debian/control.
+ #
+ #dh $@ --with autoreconf
+
+override_dh_auto_configure:
+ dh_auto_configure -- --with-math --with-webdir=/var/lib/netdata/www
+
+debian/%.postinst: debian/%.postinst.in
+ sed 's/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' $< > $@
+
+override_dh_install: debian/netdata.postinst
+ dh_install
+
+ # Remove unneeded .keep files
+ #
+ find "$(TOP)" -name .keep -exec rm '{}' ';'
+
+ # Move files that local user shouldn't be editing to /usr/share/netdata
+ #
+ mkdir -p "$(TOP)/usr/share/netdata"
+ for D in $$(find "$(TOP)/var/lib/netdata/www/" -maxdepth 1 -type d -printf '%f '); do \
+ echo Relocating $$D; \
+ mv "$(TOP)/var/lib/netdata/www/$$D" "$(TOP)/usr/share/netdata/$$D"; \
+ ln -s "/usr/share/netdata/$$D" "$(TOP)/var/lib/netdata/www/$$D"; \
+ done
+
+ # Update postinst to set correct group for www files on installation.
+ # Should probably be dpkg-statoverride really, but that gets *really*
+ # messy. We also set all web files in /var as conffiles so an upgrade
+ # doesn't splat them.
+ #
+ for D in $$(find "$(TOP)/var/lib/netdata/www/" -maxdepth 1 -type f -printf '%f '); do \
+ echo Updating postinst for $$D; \
+ sed -i "s/^#PERMS#/chgrp netdata \/var\/lib\/netdata\/www\/$$D\n#PERMS#/g" \
+ $(CURDIR)/debian/netdata.postinst; \
+ echo "/var/lib/netdata/www/$$D" >> $(CURDIR)/debian/netdata.conffiles; \
+ done
+ sed -i "/^#PERMS#/d" $(CURDIR)/debian/netdata.postinst
+
+override_dh_installdocs:
+ dh_installdocs
+
+ # Docs should not be under /usr/lib
+ #
+ mv $(TOP)/usr/lib/$(DEB_HOST_MULTIARCH)/netdata/plugins.d/README.md \
+ $(TOP)/usr/share/doc/netdata/README.plugins.md
+ mv $(TOP)/usr/lib/$(DEB_HOST_MULTIARCH)/netdata/charts.d/README.md \
+ $(TOP)/usr/share/doc/netdata/README.charts.md
+
+ # This doc is currently empty, so no point installing it.
+ #
+ rm $(TOP)/usr/lib/$(DEB_HOST_MULTIARCH)/netdata/node.d/README.md
+
+override_dh_fixperms:
+ dh_fixperms
+
+ # apps.plugin should only be runnable by the netdata user. It will be
+ # given extra capabilities in the postinst script.
+ #
+ chmod 0754 $(TOP)/usr/lib/$(DEB_HOST_MULTIARCH)/netdata/plugins.d/apps.plugin
+
+override_dh_installlogrotate:
+ dh_installlogrotate
+
+override_dh_clean:
+ dh_clean
+
+ # Tidy up copied/generated files
+ rm -f $(CURDIR)/debian/netdata.postinst
+ rm -f $(CURDIR)/debian/netdata.conffiles
+
+override_dh_installchangelogs:
+ dh_installchangelogs ChangeLog
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 00000000..163aaf8d
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 00000000..a9075e89
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=3
+
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/netdata-$1\.tar\.gz/ \
+ https://github.com/firehol/netdata/tags .*/v?(\d\S*)\.tar\.gz |
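Review bot: In `override_dh_install` of debian/rules, the second `for D in $$(find …)` loop pastes each file name under var/lib/netdata/www into a sed replacement and, through it, into the root-run postinst as an unquoted `chgrp netdata /var/lib/netdata/www/$D`. A name containing whitespace, `&`, `/` or shell metacharacters would break the sed expression or end up as shell syntax in a maintainer script, and the unquoted `$$(find …)` word-splits such names before that. Emit the path quoted and reject unexpected names at build time, for example with `case "$$D" in *[!A-Za-z0-9._-]*) exit 1;; esac` as the first statement of the loop body. The `>>` append to debian/netdata.conffiles is also not idempotent: re-running the target without `dh_clean` duplicates entries.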