oohelperd packaging and CI (ooni#374)

Closes ooni/backend#499

Co-authored-by: Simone Basso <bassosimone@gmail.com>

.github/workflows/oohelperd.yml

@@ -0,0 +1,42 @@
+# oohelperd builds oohelperd for Linux
+name: oohelperd
+on:
+  push:
+    branches:
+      - "release/**"
+
+jobs:
+  build_amd64:
+    runs-on: "ubuntu-20.04"
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v1
+        with:
+          go-version: "1.16.4"
+
+      - name: build oohelperd binary
+        run: GOOS=linux GOARCH=amd64 go build -v ./internal/cmd/oohelperd
+
+      - run: find . -type f -name oohelperd
+
+      - name: install deps
+        run: |
+          sudo apt-get -q update
+          sudo apt-get install -yq --no-install-recommends curl devscripts \
+            dpkg-dev debhelper git python3 python3-requests python3-gnupg s3cmd
+
+      - name: build deb package
+        run: |
+          cd ./internal/cmd/oohelperd
+          dpkg-buildpackage -us -uc -b
+
+      - name: upload package
+        run: |
+          curl -fsSLO https://raw.githubusercontent.com/ooni/sysadmin/master/tools/debops-ci
+          chmod +x debops-ci
+          find . -name '*.deb'
+          ./debops-ci --show-commands upload --bucket-name ooni-internal-deb --arch "amd64" internal/cmd/*.deb
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          DEB_GPG_KEY: ${{ secrets.DEB_GPG_KEY }}

internal/cmd/oohelperd/debian/changelog

@@ -0,0 +1,5 @@
+oohelperd (0.0.1) unstable; urgency=medium
+
+  * Test release
+
+ -- Federico Ceratto <federico@openobservatory.org>  Tue, 16 Feb 2021 12:39:41 +0000

internal/cmd/oohelperd/debian/compat

@@ -0,0 +1 @@
+11

internal/cmd/oohelperd/debian/control

@@ -0,0 +1,22 @@
+Source: oohelperd
+Maintainer: Federico Ceratto <federico@openobservatory.org>
+Section: devel
+Priority: optional
+Build-Depends:
+ devscripts,
+ dpkg-dev,
+Standards-Version: 4.5.0
+Vcs-Browser: https://github.com/ooni/probe-cli
+Vcs-Git: https://github.com/ooni/probe-cli.git
+Homepage: https://github.com/ooni/probe-cli
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/ooni/probe-cli
+
+Package: oohelperd
+Architecture: any
+Pre-Depends: debconf (>= 1.0.0)
+Depends: ${misc:Depends}, ${shlibs:Depends},
+ adduser,
+ debconf
+Built-Using: ${misc:Built-Using}
+Description: OONI test helper

internal/cmd/oohelperd/debian/copyright

@@ -0,0 +1,40 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/ooni/probe-cli
+Upstream-Name: oohelperd
+
+Files: *
+Copyright: 2018 Open Observatory of Network Interference (OONI)
+License: BSD-3-clause
+
+Files: debian/*
+Copyright: 2020 Federico Ceratto <federico@openobservatory.org>
+License: BSD-3-clause
+Comment: Debian packaging is licensed under the same terms as upstream
+
+License: BSD-3-clause
+ Copyright 2018 Open Observatory of Network Interference (OONI), The Tor Project
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+ .
+ 1. Redistributions of source code must retain the above copyright notice, this
+    list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+    this list of conditions and the following disclaimer in the documentation
+    and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the copyright holder nor the names of its contributors
+    may be used to endorse or promote products derived from this software
+    without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

internal/cmd/oohelperd/debian/oohelperd.install

@@ -0,0 +1 @@
+oohelperd /usr/bin

internal/cmd/oohelperd/debian/oohelperd.postinst

@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+if [ "$1" = "configure" ]; then
+    if ! getent passwd oohelperd >/dev/null; then
+        adduser --quiet --system --group --home /var/lib/oohelperd oohelperd
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0

internal/cmd/oohelperd/debian/oohelperd.service

@@ -0,0 +1,50 @@
+[Unit]
+Description=OONI Test heper
+Documentation=https://ooni.org/
+After=network.target tor.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/oohelperd
+TimeoutStopSec=5
+KillMode=mixed
+
+User=oohelperd
+PermissionsStartOnly=true
+Restart=on-abnormal
+RestartSec=2s
+LimitNOFILE=65536
+WorkingDirectory=/var/lib/oohelperd
+RuntimeDirectory=oohelperd
+StateDirectory=oohelperd
+LogsDirectory=oohelperd
+ConfigurationDirectory=oohelperd
+
+# Sandboxing
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LockPersonality=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/proc
+ReadWriteDirectories=-/var/lib/oohelperd
+ReadWriteDirectories=-/var/run
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

internal/cmd/oohelperd/debian/rules

@@ -0,0 +1,19 @@
+#!/usr/bin/make -f
+
+export DH_VERBOSE=1
+
+%:
+	dh $@
+
+override_dh_auto_clean:
+	dh_auto_clean
+
+override_dh_auto_build:
+	# The oohelperd binary is provided
+	cp ../../../oohelperd .
+
+override_dh_dwz:
+	true
+
+override_dh_auto_install:
+	dh_auto_install -- --no-source

internal/cmd/oohelperd/debian/source/format

@@ -0,0 +1 @@
+3.0 (native)