10.3.2. Creating Configuration Packages
Now that we have touched on PXE booting and discussed configuration management with SaltStack as well as package forking, it is time to wrap these processes up into a practical example and extend the scenario by creating a custom configuration package to deploy a custom configuration to multiple machines semi-automatically.
In this example, you will create a custom package that sets up and utilizes your own package repository and GnuPG signing key, distributes a SaltStack configuration, pushes a custom background, and provides default desktop settings in a unified way to all your Kali installations.
This may seem like a daunting task (especially if you glance through the Debian New Maintainer Guide[1]) but fortunately for us, a configuration package is mainly a sophisticated file archive and turning it into a package is rather easy.
Looking into a Sample Package
If you want to look into a real package that is basically a configuration package, consider the kali-defaults package. It is not as simple as the sample in this section but it has all the relevant characteristics and even uses some advanced techniques (like dpkg-divert) to replace files already provided by other packages.
[1] https://www.debian.org/doc/manuals/maint-guide/
The offsec-defaults package will contain a few files:
• /etc/apt/sources.list.d/offsec.list: a sources.list entry for APT, enabling the company’s internal package repository
• /etc/apt/trusted.gpg.d/offsec.gpg: the GnuPG key used to sign the company’s internal package repository
• /etc/salt/minion.d/offsec.conf: a SaltStack configuration file to indicate where to find the Salt master
• /usr/share/images/offsec/background.png: a nice background image with the Offensive Security logo
• /usr/share/glib-2.0/schemas/90_offsec-defaults.gschema.override: a file providing alternate default settings for the GNOME desktop
First, create an offsec-defaults-1.0 directory and put all the files in that directory. Then run dh_make --native (from the dh-make package) to add Debian packaging instructions, which will be stored in a debian sub-directory:
$ mkdir offsec-defaults-1.0; cd offsec-defaults-1.0
$ dh_make --native
Type of package: (single, indep, library, python)
[s/i/l/p]? i

Email-Address       : [email protected]
License             : gpl3
Package Name        : offsec-defaults
Maintainer Name     : Raphaël Hertzog
Version             : 1.0
Package Type        : indep
Date                : Thu, 16 Jun 2016 18:04:21 +0200
Are the details correct? [Y/n/q] y
Currently there is not top level Makefile. This may require additional tuning
Done. Please edit the files in the debian/ subdirectory now.
First, you are prompted for a package type. In the example, we selected indep, which indicates that this source package will generate a single binary package that can be shared across all architectures (Architecture: all). single acts as a counterpart, and produces a single binary package that is dependent on the target architecture (Architecture: any). In this case, indep is more relevant, since the package only contains text files and no binary programs, so that it can be used similarly on computers of all architectures. The library type is useful for shared libraries, since they need to follow strict packaging rules. In a similar fashion, python should be restricted to Python modules.
Maintainer’s Name and Email Address
Most of the programs involved in package maintenance will look for your name and email address in the DEBFULLNAME and DEBEMAIL or EMAIL environment variables. Defining them, once and for all, prevents re-typing them multiple times. If your usual shell is Bash, it is a simple matter of adding the following two lines in your ~/.bashrc file. For example:
export EMAIL="[email protected]"
export DEBFULLNAME="Raphael Hertzog"
The dh_make command created a debian subdirectory containing many files. Some are required, in particular rules, control, changelog, and copyright. Files with the .ex extension are example files that can be used by modifying them and removing the extension. When they are not needed, we recommend removing them. The compat file should be kept, since it is required for the correct functioning of the debhelper suite of programs (all beginning with the dh_ prefix) used at various stages of the package build process.
The copyright file must contain information about the authors of the documents included in the package, and the related license. If the default license selected by dh_make does not suit you, then you must edit this file. Here is the modified version of the copyright file:
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: offsec-defaults

Files: *
Copyright: 2016 Offensive Security
License: GPL-3.0+

License: GPL-3.0+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <https://www.gnu.org/licenses/>.
 .
 On Debian systems, the complete text of the GNU General
 Public License version 3 can be found in "/usr/share/common-licenses/GPL-3".
The default changelog file is generally appropriate; replacing the “Initial release” with a more verbose explanation should be enough:
offsec-defaults (1.0) unstable; urgency=medium

  * Add salt minion's configuration file.
  * Add an APT's sources.list entry and an APT's trusted GPG key.
  * Override the gsettings schema defining the background picture.

 -- Raphaël Hertzog <[email protected]>  Thu, 16 Jun 2016 18:04:21 +0200
In the example, we will make changes to the control file. We will change the Section field to misc and remove the Homepage, Vcs-Git, and Vcs-Browser fields. Lastly, we will fill in the Description field:
Source: offsec-defaults
Section: misc
Priority: optional
Maintainer: Raphaël Hertzog <[email protected]>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.8

Package: offsec-defaults
Architecture: all
Depends: ${misc:Depends}
Description: Default settings for Offensive Security
 This package contains multiple files to configure computers owned by Offensive Security.
 .
 It notably modifies:
  - APT's configuration
  - salt-minion's configuration
  - the default desktop settings
The rules file usually contains a set of rules used to configure, build, and install the software in a dedicated subdirectory (named after the generated binary package). The contents of this subdirectory are then archived within the Debian package as if it were the root of the filesystem. In this case, files will be installed in the debian/offsec-defaults/ subdirectory. For example, to end up with a package installing /etc/apt/sources.list.d/offsec.list, install the file in debian/offsec-defaults/etc/apt/sources.list.d/offsec.list. The rules file is used as a Makefile, with a few standard targets (including clean and binary, used respectively to clean the source directory and generate the binary package).
What is a Makefile file?
You may have noticed the message concerning the missing Makefile at the end of the dh_make output and the mention of its similarity to the rules file. A Makefile is a script file used by the make program; it describes rules for how to build a set of files from each other in a tree of dependencies. For instance, a program can be built from a set of source files. The Makefile file describes these rules in the following format:
target: source1 source2 ...
	command1
	command2
The interpretation of such a rule is as follows: if one of the source* files is more recent than the target file, then the target needs to be generated, using command1 and command2. Note that the command lines must start with a tab character; also note that when a command line starts with a dash character (-), failure of the command does not interrupt the whole process.
Although this file is the heart of the process, it contains only the bare minimum for running a standard set of commands provided by the debhelper tool. Such is the case for files generated by dh_make. To install most of your files, we recommend configuring the behavior of the dh_install command by creating the following debian/offsec-defaults.install file:
apt/offsec.list etc/apt/sources.list.d/
apt/offsec.gpg etc/apt/trusted.gpg.d/
salt/offsec.conf etc/salt/minion.d/
images/background.png usr/share/images/offsec/
You could also use this to install the gsettings override file, but debhelper provides a dedicated tool for this (dh_installgsettings) so you can rely on it. First, put your settings in debian/offsec-defaults.gsettings-override:
[org.gnome.desktop.background]
picture-options='zoom'
picture-uri='file:///usr/share/images/offsec/background.png'
Next, override the dh_installgsettings call in debian/rules to increase the priority to the level expected for an organization override (which is 90 according to the manual page):
#!/usr/bin/make -f

%:
	dh $@

override_dh_installgsettings:
	dh_installgsettings --priority=90
At this point, the source package is ready. All that is left to do is to generate the binary package with the same method used previously for rebuilding packages: run the dpkg-buildpackage -us -uc command from within the offsec-defaults-1.0 directory:
$ dpkg-buildpackage -us -uc
dpkg-buildpackage: info: source package offsec-defaults
dpkg-buildpackage: info: source version 1.0
dpkg-buildpackage: info: source distribution unstable
dpkg-buildpackage: info: source changed by Raphaël Hertzog <[email protected]>
dpkg-buildpackage: info: host architecture amd64
 dpkg-source --before-build offsec-defaults-1.0
 fakeroot debian/rules clean
dh clean
   dh_testdir
   dh_auto_clean
   dh_clean
 dpkg-source -b offsec-defaults-1.0
dpkg-source: info: using source format '3.0 (native)'
dpkg-source: info: building offsec-defaults in offsec-defaults_1.0.tar.xz
dpkg-source: info: building offsec-defaults in offsec-defaults_1.0.dsc
 debian/rules build
dh build
   dh_testdir
   dh_update_autotools_config
   dh_auto_configure
   dh_auto_build
   dh_auto_test
 fakeroot debian/rules binary
dh binary
   dh_testroot
   dh_prep
   dh_auto_install
   dh_install
   dh_installdocs
   dh_installchangelogs
   debian/rules override_dh_installgsettings
make[1]: Entering directory '/home/rhertzog/kali/kali-book/samples/offsec-defaults-1.0'
dh_installgsettings --priority=90
make[1]: Leaving directory '/home/rhertzog/kali/kali-book/samples/offsec-defaults-1.0'
   dh_perl
   dh_link
   dh_strip_nondeterminism
   dh_compress
   dh_fixperms
   dh_installdeb
   dh_gencontrol
   dh_md5sums
   dh_builddeb
dpkg-deb: building package 'offsec-defaults' in '../offsec-defaults_1.0_all.deb'.
 dpkg-genchanges >../offsec-defaults_1.0_amd64.changes
dpkg-genchanges: info: including full source code in upload
 dpkg-source --after-build offsec-defaults-1.0
dpkg-buildpackage: info: full upload; Debian-native package (full source is included)
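Because this package installs an APT repository entry and its trusted key on every machine, it is worth checking what the built .deb actually contains before publishing it. The following shell function is an added example, not part of the original text: it audits a dpkg-deb -c listing against the file locations listed in this section. The usr/share/doc/offsec-defaults/ entry and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the listing printed by `dpkg-deb -c` for this package.
# ALLOWED holds the install locations named in this section; the last entry
# (the package's own doc directory) is an assumption. A trailing "/" means
# "anything below this directory".
ALLOWED="./etc/apt/sources.list.d/offsec.list \
./etc/apt/trusted.gpg.d/offsec.gpg \
./etc/salt/minion.d/offsec.conf \
./usr/share/images/offsec/background.png \
./usr/share/glib-2.0/schemas/90_offsec-defaults.gschema.override \
./usr/share/doc/offsec-defaults/"

# Reads a listing on stdin, prints one line per finding, returns 1 if any.
audit_listing() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, allow, " ") }
    NF >= 6 {
        mode = $1; owner = $2; path = $6
        if (owner != "root/root") { print "not root-owned: " path; bad = 1 }
        if (mode ~ /[sS]/) { print "setuid/setgid: " path; bad = 1 }
        # Position 6 is group write, position 9 is world write.
        if (mode !~ /^l/ && (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w")) {
            print "group/world-writable: " path; bad = 1
        }
        if (mode ~ /^d/) next   # directories are not matched against ALLOWED
        ok = 0
        for (i = 1; i <= n; i++)
            if (path == allow[i] || (allow[i] ~ /\/$/ && index(path, allow[i]) == 1))
                ok = 1
        if (!ok) { print "unexpected file: " path; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample listing in `dpkg-deb -c` format (not real build output).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x root/root         0 2016-06-16 18:04 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root       120 2016-06-16 18:04 ./etc/apt/sources.list.d/offsec.list
-rw-r--r-- root/root      1184 2016-06-16 18:04 ./etc/apt/trusted.gpg.d/offsec.gpg
-rw-r--r-- root/root        24 2016-06-16 18:04 ./etc/salt/minion.d/offsec.conf
-rw-r--r-- root/root       310 2016-06-16 18:04 ./usr/share/doc/offsec-defaults/changelog.gz
EOF
}

# Usage: dpkg-deb -c ../offsec-defaults_1.0_all.deb | audit_listing
```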