feat(roles/duplicity): support Debian/Ubuntu and remove the build toolchain#282
Open
markuslf wants to merge 1 commit into
Open
feat(roles/duplicity): support Debian/Ubuntu and remove the build toolchain#282markuslf wants to merge 1 commit into
markuslf wants to merge 1 commit into
Conversation
…lchain Security win: backup hosts no longer get a C compiler. duplicity's Swift backend pulled the deprecated, source-only netifaces (via the unused pyrax stack), which forced gcc and the Python -devel headers onto every backup host. Pinning a modern oslo.* stack drops netifaces, so the role now installs no build toolchain at all - a significant reduction of the attack surface on production machines. * python_venv: add an optional per-venv pip_constraints key (writes a constraints file and passes pip --constraint), plus meta/argument_specs.yml. * duplicity: pin a modern oslo.* stack via pip_constraints. This also fixes the collections.Mapping crash on Python 3.10+, so the manual oslo.config workaround is gone. package_requirements is now interpreter-only (no gcc, no -devel, no librsync-devel). * duplicity: add Debian 12/13 and Ubuntu 22.04/24.04/26.04 support, proven on all of them plus RHEL 8/9/10 via containers. Install gnupg from the role. * duplicity: add meta/argument_specs.yml, load platform vars under the always tag, drop a duplicate gpg --import task, set owner/group on all templates, and align the tags with the LFOps vocabulary (duplicity:script folded into duplicity:configure, new duplicity:dump for the backup schedule). * Mark Debian and Ubuntu proven for duplicity in COMPATIBILITY.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security win: no build toolchain on backup hosts
Until now the
duplicityrole installedgccplus the Python-develheaders on every backup host. The cause sat deep in the dependency tree: duplicity unconditionally depends onpyrax(its Rackspace backend, which we never use), and that old stack pulled innetifaces- a package that is deprecated and unmaintained (last release 2021), ships no wheels for current Python, and therefore had to be compiled from source on the target.Pinning a modern
oslo.*stack (which no longer depends onnetifaces) through a pip constraints file removesnetifacesfrom the tree entirely. The role now installs no compiler and no development headers;package_requirementsis reduced to the Python interpreter only. Taking the build toolchain off production backup machines is a significant reduction of the attack surface.Verified across all supported distros that
gccis absent andnetifacesis not installed, while Swift backups still work.What else is in here
duplicitynow runs on Debian 12/13 and Ubuntu 22.04/24.04/26.04 in addition to RHEL 8/9/10. All ten distros were validated in containers (manylinux wheel install,gpgpresent, Swift code path reached). Marked proven (x) inCOMPATIBILITY.md.oslo.*pin fixes the long-standingcollections.Mappingcrash (AttributeErrorinoslo_config), so the manualoslo.config>=9workaround documented in the README is no longer needed.librsync-develdropped. duplicity 3.1.0 ships manylinux wheels that bundle its_librsyncextension, so that build dependency is obsolete.gpg.New generic feature in
python_venvTo wire the constraints cleanly,
python_venvgained an optional per-venvpip_constraintskey: it writes a constraints file into the venv and passespip --constraint. Backward compatible (no change without the key). This is reusable by any venv-based role that needs to pin a transitive dependency without listing it as a direct package.CONTRIBUTING /
exampleconformanceWhile in the role, aligned it with the guidelines and the
examplerole:meta/argument_specs.ymlto bothduplicityandpython_venv(validates inputs at role entry; required GPG keys,choicesfor backend/loglevel).alwaystag.gpg --importtask; setowner/groupon all template tasks.duplicity:script(the script deploys underduplicity:configure), addedduplicity:dumpfor the backup schedule.Testing
gcc, nonetifaces,duplicity --version, and the Swift code path reaching a real auth/network error (not the import crash).python_venvrole run against a Rocky 8 container via thecontainers.podmanconnection: constraints file deployed,gccnot installed,netifacesavoided,duplicityrunnable via the exposed-binary symlink.argument_specsvalidated withansible-playbook(required-var, type, andchoicesenforcement; Swift and SFTP paths both pass).yamllintclean on all changed files.🤖 Generated with Claude Code