macOS packaging for beats #6344
Conversation
<string>--path.config</string> | ||
<string>/etc/{{.beat_name}}</string> | ||
<string>--path.data</string> | ||
<string>{{.install_path}}/{{.beat_vendor}}/{{.beat_name}}</string> |
Would it be OK to set path.data to /var/lib/{{.beat_name}}, similar to Linux?
-path.data /var/lib/{{.beat_name}} \ |
Done
-srcfolder dmg \ | ||
-ov \ | ||
"$DMG_NAME" | ||
|
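Review bot: nothing in this hunk signs or verifies the image once `hdiutil create ... -ov "$DMG_NAME"` has written it, so an unsigned image would be shipped silently; after the create step add `codesign -s <identity> "$DMG_NAME"` followed by `codesign --verify --verbose "$DMG_NAME"` so a missing or broken signature fails the build. Note also that `-ov` overwrites an existing output file without warning, which is fine for CI but worth a comment for anyone running the script by hand.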
Should we sign the dmg too? (e.g. codesign -s <identity> <disk-image>)
Sure. I didn't know signing DMGs was a thing.
Pending tasks:
This looks really good!
What do you think about creating an
Is there anything I can help with? I'm thinking the next step should be to get this building as part of https://beats-ci.elastic.co/job/elastic+beats+master+package/. We can get the key information stored into Vault then load it from there. This should make us a bit more prepared to integrate with the Release Manager.
My plan was to add an Uninstall button to each beat in the Preference Pane.
Yes, that is already in progress. The certificates are deployed to the macOS images and the password is in Vault, now I'm waiting for infra to make the password and certificate path available to the build job via env vars (I added a link to the issue above).
jenkins, test it
jenkins, package it
@@ -17,3 +17,6 @@ docker run --rm -v ${BUILD_DIR}:/build \ | |||
tudorg/fpm /build/run-$runid.sh | |||
|
|||
rm ${BUILD_DIR}/settings-$runid.yml ${BUILD_DIR}/run-$runid.sh | |||
|
|||
echo 'Running macOS packager' | |||
${BASEDIR}/pkg/build.sh |
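Review bot: `${BASEDIR}/pkg/build.sh` is invoked unconditionally at the end of the hunk, so `make package` on a non-Darwin host will fail after the Docker-based fpm packaging above it has already succeeded. Either guard it, e.g. `if [ "$(uname -s)" = "Darwin" ]; then "${BASEDIR}/pkg/build.sh"; fi`, or move it to a separate make target so the Linux packages can still be produced on any machine with Docker; quoting `"${BASEDIR}"` also avoids word splitting if the build directory path contains spaces.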
I think there should be a conditional preventing this from erroring out if we aren't on Darwin. Or it might be better to separate this into its own build target such that you can run make packages on any machine with Docker and can run make macos-dmgs (naming TBD) afterwards to build the DMGs (and it only works on macOS).
jenkins, test it
dev-tools/osx-deploy
def main(): | ||
parser = argparse.ArgumentParser( | ||
description="Builds OSX packages for Beats") | ||
args = parser.parse_args() |
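Review bot: `args = parser.parse_args()` is assigned but no option is registered on the parser, so `args` is empty and unused, and the script cannot control the `-SNAPSHOT` suffix the way `dev-tools/deploy` does. If the intent is to mirror that script, add `parser.add_argument("--no-snapshot", action="store_true", help="Don't append -SNAPSHOT to the version.")` and read `args.no_snapshot` where the package version string is composed; otherwise drop the unused `args` assignment.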
Probably this should have the same option as dev-tools/deploy?
Lines 9 to 10 in 96b5aee
parser.add_argument("--no-snapshot", action="store_true", | |
help="Don't append -SNAPSHOT to the version.") |
LGTM. I think you should probably squash this one down yourself first in order to cleanup the commit message.
LGTM. Can you please squash.
Wrong PR
I built (unsigned) and installed BeatsPrefPane.pkg locally. It all went well. I'll test again after having some Beat packages installed too.
dd234de to 633ddae
This adds a new make target, `osx-package`, that will build a PKG installer for each beat supported in macOS. Also features a DMG file wrapping the installer and uninstaller. Installer and binaries need to be signed. Valid Apple-issued certificates and their associated keys need to be available in an unlocked keychain:
- `Developer ID application` certificate, for code-signing.
- `Developer ID installer` certificate, for signing .pkg installers.
The installer package includes the Beats preference pane and installs it along with the Beat.
Now `dev-tools/osx-deploy` builds two sets of packages per Beat:
- beatname-oss-version.{pkg,dmg} packages without X-Pack content.
- beatname-version.{pkg,dmg} packages with X-Pack content.
The main Makefile target has been renamed to `osx-package-all` to match the existing `package-all` target. From inside a Beat it is possible to use the targets `osx-package-oss` and `osx-package-elastic` to build only one set of packages.
When Docker is run on Mac under VirtualBox, volumes in Docker don't have the expected uid=0,gid=0 permissions, but those that Docker is using inside its VM (uid=1000(docker) gid=50(staff)). This caused files in the TAR archives to have wrong permissions, triggering a packaging test error later on.
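The commit message above describes archives that came out of the Docker build owned by uid 1000/gid 50 instead of root, which a later packaging test rejected. The script below is an added example, not code from the Beats repository: it builds a constructed sample tar.gz with one correctly owned member and one carrying the VirtualBox docker user's ownership, reports the offending members the way a packaging test would, and shows a normalisation step that rewrites ownership to root:root before the archive is handed on. The member names and contents are constructed for the example.

```python
"""Check, and optionally normalise, file ownership inside a tar.gz archive.

Added example (not part of Beats): detects archive members whose uid/gid
differ from the expected 0/0, the symptom described for Docker volumes on
a VirtualBox-backed host, and rewrites them so the archive is reproducible
regardless of the uid the build container happened to use.
"""
import io
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: one member owned by root and one owned by the
    uid=1000(docker)/gid=50(staff) user seen inside the VirtualBox VM."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uid, gid in (("beat/beat.yml", 0, 0),
                               ("beat/beat", 1000, 50)):
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.uid, info.gid = uid, gid
            info.uname = "docker" if uid else "root"
            info.gname = "staff" if gid else "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_bad_owners(archive: bytes, uid: int = 0, gid: int = 0) -> list:
    """Return (name, uid, gid) for every member not owned by uid:gid.
    An empty list means the archive passes the ownership check."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.uid != uid or member.gid != gid:
                bad.append((member.name, member.uid, member.gid))
    return bad


def normalize_owners(archive: bytes, uid: int = 0, gid: int = 0,
                     owner: str = "root") -> bytes:
    """Rewrite every member to uid:gid and owner:owner, keeping contents,
    modes and member order unchanged. A build step can run this before the
    packaging tests instead of depending on the Docker host's volume uid."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            member.uid, member.gid = uid, gid
            member.uname, member.gname = owner, owner
            payload = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, payload)
    return out.getvalue()


def member_content(archive: bytes, name: str) -> bytes:
    """Read one regular file out of the archive (used to confirm that
    normalisation did not alter payloads)."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.extractfile(name).read()


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, u, g in find_bad_owners(archive):
        print(f"{name}: owned by {u}:{g}, expected 0:0")
    fixed = normalize_owners(archive)
    print("after normalisation, bad owners:", find_bad_owners(fixed))
```

Running the script on the sample reports `beat/beat` as owned by 1000:50 and an empty list after normalisation; pointing `find_bad_owners` at a real archive's bytes gives the same check the packaging test performs, without unpacking anything to disk.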
Ready to rebase and merge
@adriansr With KEYCHAIN (and KEYCHAIN_PASS) not being used, can they be removed from the Jenkins job configuration? It looks like Ansible installs the keychain-db file to Jenkins, but does not add it to the keychain search list or unlock it. Was that done manually or am I missing something? It looks like Ansible could be made to do the following and this would put the worker in a ready state. WDYT?
The problem that prompted me to get rid of KEYCHAIN is that, in macOS 10.12 and later, there is no reliable way of handling keychains from launchd services, due to issues with session isolation. The only reliable way to perform the code-signing from Jenkins is to copy the certificates into the System keychain. So we will need Ansible to do something like this https://apple.stackexchange.com/questions/80623/import-certificates-into-the-system-keychain-via-the-command-line
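The commit message earlier lists the two identities the build needs (a `Developer ID Application` certificate for code-signing and a `Developer ID Installer` certificate for the .pkg), and the comment above explains why, for a launchd-driven Jenkins job, those must live in the System keychain. A pre-flight check that fails the job early when either identity is not visible to `security` is a cheap safeguard; the script below is an added example, not Beats code. It parses the output of the standard macOS command `security find-identity -v`; on macOS it runs that command (without naming a keychain, so the search list that launchd sees is consulted, which is the assumption the comment above motivates), and on any other platform it falls back to a constructed sample output whose fingerprints and team ID are placeholders.

```python
"""Pre-flight check that both Developer ID identities are available.

Added example, not part of the Beats build: before running codesign or
productsign, confirm that the keychain search list exposes a
"Developer ID Application" and a "Developer ID Installer" identity.
Assumption: the output format of `security find-identity -v` is
`  N) <40-hex SHA-1> "<identity name>"` per identity, followed by a
`N valid identities found` summary line.
"""
import re
import subprocess
import sys

REQUIRED = ("Developer ID Application", "Developer ID Installer")

# Constructed sample of `security find-identity -v` output. The SHA-1
# fingerprints and the team ID are placeholders, not real identities.
SAMPLE_OUTPUT = """\
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (TEAMID0000)"
  2) 0000000000000000000000000000000000000002 "Developer ID Installer: Example Corp (TEAMID0000)"
     2 valid identities found
"""

IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"\s*$', re.M)


def parse_identities(output: str) -> dict:
    """Map identity name -> SHA-1 fingerprint from find-identity output."""
    return {name: sha1 for sha1, name in IDENTITY_RE.findall(output)}


def missing_identities(output: str, required=REQUIRED) -> list:
    """Return the required identity kinds that are absent. Identity names
    have the form "<kind>: <organisation> (<team id>)", so match on the
    kind prefix rather than the whole string."""
    names = parse_identities(output)
    return [kind for kind in required
            if not any(name.startswith(kind + ":") for name in names)]


def list_valid_identities() -> str:
    """On macOS query the keychain search list; elsewhere use the sample.
    No keychain argument is given on purpose: a launchd job only sees the
    search list (in practice the System keychain), so that is what should
    be checked."""
    if sys.platform != "darwin":
        return SAMPLE_OUTPUT
    return subprocess.run(["security", "find-identity", "-v"],
                          check=True, capture_output=True, text=True).stdout


def main() -> int:
    missing = missing_identities(list_valid_identities())
    if missing:
        print("signing identities missing:", ", ".join(missing))
        return 1
    print("all required signing identities present")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into the job before the packaging step, a non-zero exit here fails the build with a clear message instead of a later codesign error, and because the check never reads KEYCHAIN or KEYCHAIN_PASS it works unchanged once those variables are dropped from the job configuration.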
Added via #7481.
Added support to create signed PKG installers, bundled in a DMG file with a rudimentary uninstaller in it.
Currently disconnected from the packaging flow, must be run by hand after `make package`.
Will be run by `dev-tools/deploy` given the environment variables `KEYCHAIN` and `KEYCHAIN_PASS` point to a keychain file with the code-signing certificates and its password, respectively.