From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-ebpf 03/16] debian: add packaging and boot-time oneshot unit
Date: Tue, 9 Jun 2026 15:25:09 +0200
Message-ID: <20260609132522.235917-4-h.laimer@proxmox.com>
In-Reply-To: <20260609132522.235917-1-h.laimer@proxmox.com>
Package the agent and ship a systemd unit that runs `apply` once at boot,
bringing BPF state in line with the SDN running-config.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
Makefile | 66 +++++++++++++++++++++++++++++++++++++
debian/changelog | 5 +++
debian/control | 34 +++++++++++++++++++
debian/copyright | 18 ++++++++++
debian/proxmox-ebpf.install | 1 +
debian/proxmox-ebpf.postrm | 11 +++++++
debian/proxmox-ebpf.prerm | 12 +++++++
debian/proxmox-ebpf.service | 15 +++++++++
debian/rules | 33 +++++++++++++++++++
debian/source/format | 1 +
10 files changed, 196 insertions(+)
create mode 100644 Makefile
create mode 100644 debian/changelog
create mode 100644 debian/control
create mode 100644 debian/copyright
create mode 100644 debian/proxmox-ebpf.install
create mode 100755 debian/proxmox-ebpf.postrm
create mode 100755 debian/proxmox-ebpf.prerm
create mode 100644 debian/proxmox-ebpf.service
create mode 100755 debian/rules
create mode 100644 debian/source/format
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..bf3d7e7
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,66 @@
+include /usr/share/dpkg/architecture.mk
+include /usr/share/dpkg/pkg-info.mk
+
+PACKAGE := proxmox-ebpf
+BUILDDIR ?= $(PACKAGE)-$(DEB_VERSION_UPSTREAM)
+CARGO ?= cargo
+
+ifeq ($(BUILD_MODE), release)
+CARGO_BUILD_ARGS += --release
+endif
+
+DEB=$(PACKAGE)_$(DEB_VERSION)_$(DEB_HOST_ARCH).deb
+DBG_DEB=$(PACKAGE)-dbgsym_$(DEB_VERSION)_$(DEB_HOST_ARCH).deb
+DSC=$(PACKAGE)_$(DEB_VERSION).dsc
+
+all: cargo-build
+
+.PHONY: cargo-build
+cargo-build:
+ $(CARGO) build $(CARGO_BUILD_ARGS)
+
+.PHONY: test
+test:
+ $(CARGO) test $(CARGO_BUILD_ARGS)
+
+.PHONY: check
+check: test
+
+$(BUILDDIR): src include debian Cargo.toml build.rs
+ rm -rf $(BUILDDIR) $(BUILDDIR).tmp
+ mkdir $(BUILDDIR).tmp
+ cp -a -t $(BUILDDIR).tmp $^ Makefile
+ mv $(BUILDDIR).tmp $(BUILDDIR)
+
+.PHONY: deb
+deb: $(DEB)
+$(DEB) $(DBG_DEB) &: $(BUILDDIR)
+ cd $(BUILDDIR); dpkg-buildpackage -b -us -uc
+ lintian $(DEB)
+
+.PHONY: dsc
+dsc:
+ $(MAKE) clean
+ $(MAKE) $(DSC)
+ lintian $(DSC)
+
+$(DSC): $(BUILDDIR)
+ cd $(BUILDDIR); dpkg-buildpackage -S -us -uc -d
+
+sbuild: $(DSC)
+ sbuild $(DSC)
+
+.PHONY: upload
+upload: UPLOAD_DIST ?= $(DEB_DISTRIBUTION)
+upload: $(DEB) $(DBG_DEB)
+ tar -cf - $(DEB) $(DBG_DEB) | ssh -X repoman@repo.proxmox.com upload --product pve --dist $(UPLOAD_DIST)
+
+.PHONY: dinstall
+dinstall:
+ $(MAKE) deb
+ sudo -k dpkg -i $(DEB)
+
+clean:
+ $(CARGO) clean
+ rm -rf ./$(BUILDDIR)
+ rm -f -- *.deb *.dsc *.tar.?z *.buildinfo *.build *.changes
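Review bot: the `upload` recipe invokes `ssh -X`, which requests X11 forwarding for a session that only receives a tar stream on stdin; dropping `-X` avoids offering the developer's X display to the repository host. Separately, `clean` and `sbuild` are not declared `.PHONY` like the other command targets, so a file with either name in the tree would stop the recipe from running.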
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..310d2cd
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+proxmox-ebpf (0.1.0) trixie; urgency=medium
+
+ * initial packaging.
+
+ -- Proxmox Support Team <support@proxmox.com> Mon, 18 May 2026 11:00:00 +0200
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..680da4f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,34 @@
+Source: proxmox-ebpf
+Section: admin
+Priority: optional
+Build-Depends: debhelper-compat (= 13),
+ clang,
+ llvm,
+ libbpf-dev,
+ linux-libc-dev,
+ cargo:native,
+ rustc:native,
+ libstd-rust-dev,
+ librust-anyhow-1+default-dev,
+ librust-aya-0.13+default-dev,
+ librust-log-0.4+default-dev,
+ librust-pico-args-0.5+default-dev,
+ librust-proxmox-log-1+default-dev,
+ librust-proxmox-ve-config-0.10+default-dev,
+ librust-nix-0.29+default-dev,
+ librust-nix-0.29+hostname-dev,
+ librust-nix-0.29+net-dev,
+ librust-serde-json-1+default-dev,
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.6.2
+Homepage: https://www.proxmox.com
+Rules-Requires-Root: no
+
+Package: proxmox-ebpf
+Architecture: any
+Depends: pve-cluster (>= 9.0.1),
+ libpve-network-perl,
+ ${shlibs:Depends},
+ ${misc:Depends},
+Description: eBPF-based microsegmentation agent for Proxmox VE
+ Filters traffic between guests by identity.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..01138fa
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,18 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+
+Files:
+ *
+Copyright: 2026 Proxmox Server Solutions GmbH <support@proxmox.com>
+License: AGPL-3.0-or-later
+ This program is free software: you can redistribute it and/or modify it under
+ the terms of the GNU Affero General Public License as published by the Free
+ Software Foundation, either version 3 of the License, or (at your option) any
+ later version.
+ .
+ This program is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU Affero General Public License along
+ with this program. If not, see <https://www.gnu.org/licenses/>.
diff --git a/debian/proxmox-ebpf.install b/debian/proxmox-ebpf.install
new file mode 100644
index 0000000..7fbce7e
--- /dev/null
+++ b/debian/proxmox-ebpf.install
@@ -0,0 +1 @@
+target/x86_64-unknown-linux-gnu/release/proxmox-ebpf usr/libexec/proxmox
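Review bot: the source path hard-codes the `x86_64-unknown-linux-gnu` target directory, while debian/control declares `Architecture: any`, so a build on any other architecture would find no file at this path and fail at install time. Either restrict the package to `amd64` in debian/control or derive the directory from `DEB_HOST_RUST_TYPE`, which debian/rules already exports.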
diff --git a/debian/proxmox-ebpf.postrm b/debian/proxmox-ebpf.postrm
new file mode 100755
index 0000000..2a7d9a5
--- /dev/null
+++ b/debian/proxmox-ebpf.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove|purge)
+ rm -rf /sys/fs/bpf/proxmox-ebpf /sys/fs/bpf/proxmox-ebpf-test || true
+ rm -rf /run/proxmox-ebpf || true
+ ;;
+esac
+
+#DEBHELPER#
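Review bot: the `remove|purge` branch deletes `/sys/fs/bpf/proxmox-ebpf-test`, a path nothing else in this patch creates or mentions. If it is a leftover from tests or development, the maintainer script should not be cleaning it, and if the agent can pin there in production, a comment should say so. The `|| true` after each `rm -rf` is also redundant for missing paths, since `-f` already ignores them, and it hides the case where pinned objects could not be removed.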
diff --git a/debian/proxmox-ebpf.prerm b/debian/proxmox-ebpf.prerm
new file mode 100755
index 0000000..cce50f0
--- /dev/null
+++ b/debian/proxmox-ebpf.prerm
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove)
+ if [ -x /usr/libexec/proxmox/proxmox-ebpf ]; then
+ /usr/libexec/proxmox/proxmox-ebpf clear || true
+ fi
+ ;;
+esac
+
+#DEBHELPER#
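Review bot: in the `remove` branch a failing `clear` is discarded by `|| true`, so removal proceeds with no indication that BPF state may still be in place. Keeping removal non-fatal is reasonable, but print a warning to stderr on failure so the administrator knows to check. A short comment on why `clear` is skipped for `upgrade` and `deconfigure` would also help, assuming the intent is to keep filtering active across upgrades.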
diff --git a/debian/proxmox-ebpf.service b/debian/proxmox-ebpf.service
new file mode 100644
index 0000000..b78259e
--- /dev/null
+++ b/debian/proxmox-ebpf.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Proxmox VE eBPF microsegmentation boot reconcile
+Wants=pve-cluster.service network-online.target
+After=pve-cluster.service network-online.target pve-sdn-commit.service
+Before=pve-guests.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/proxmox/proxmox-ebpf apply
+RuntimeDirectory=proxmox-ebpf
+RuntimeDirectoryPreserve=yes
+
+[Install]
+WantedBy=multi-user.target
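Review bot: `Before=pve-guests.service` only orders the two units, so if `ExecStart=/usr/libexec/proxmox/proxmox-ebpf apply` fails at boot, guests still start, and they do so without BPF state having been brought in line with the SDN running-config. If that fail-open behaviour is intended, state it in the commit message or in a comment in the unit; if not, the requirement has to be expressed on the pve-guests side or handled by the agent. Also, with `RemainAfterExit=yes` and no `ExecStop=`, `systemctl stop` marks the unit inactive without touching BPF state, which is worth documenting.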
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..db2a8c9
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,33 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+DH_VERBOSE = 1
+
+include /usr/share/dpkg/pkg-info.mk
+include /usr/share/rustc/architecture.mk
+
+export BUILD_MODE=release
+
+export CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
+export DEB_HOST_RUST_TYPE DEB_HOST_GNU_TYPE
+
+export CARGO=/usr/share/cargo/bin/cargo
+export CARGO_HOME = $(CURDIR)/debian/cargo_home
+
+export DEB_CARGO_CRATE=proxmox-ebpf_$(DEB_VERSION_UPSTREAM)
+export DEB_CARGO_PACKAGE=proxmox-ebpf
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ @perl -ne 'if (/^version\s*=\s*"(\d+(?:\.\d+)+)"/) { my $$v_cargo = $$1; my $$v_deb = "$(DEB_VERSION_UPSTREAM)"; \
+ die "ERROR: d/changelog <-> Cargo.toml version mismatch: $$v_cargo != $$v_deb\n" if $$v_cargo ne $$v_deb; exit(0); }' Cargo.toml
+ $(CARGO) prepare-debian $(CURDIR)/debian/cargo_registry --link-from-system
+ dh_auto_configure
+
+override_dh_missing:
+ dh_missing --fail-missing
+
+override_dh_installsystemd:
+ dh_installsystemd proxmox-ebpf.service
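Review bot: the version check in `override_dh_auto_configure` only dies when a line matching `version = "<digits.digits>"` is found and differs; if no line matches (for example a version with a suffix after the digits), perl reaches end of input and exits 0, so the mismatch guard passes silently. Add an explicit failure for the no-match case. Minor: the comment above `DH_VERBOSE = 1` still says "uncomment to enable" although the variable is already set.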
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
--
2.47.3
Thread overview: 17+ messages
2026-06-09 13:25 [RFC cluster/docs/ifupdown2/manager/network/proxmox{-ebpf,-ve-rs,-perl-rs} 00/16] sdn: add microsegmentation support Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ebpf 01/16] agent: add userspace coordinator and stateless policy subsystem Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-ebpf 02/16] bpf: add bridge subsystem Hannes Laimer
2026-06-09 13:25 ` Hannes Laimer [this message]
2026-06-09 13:25 ` [PATCH proxmox-ve-rs 04/16] ve-config: sdn: add microseg config types Hannes Laimer
2026-06-09 13:25 ` [PATCH proxmox-perl-rs 05/16] sdn: add microseg config binding Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-cluster 06/16] cfs: add 'sdn/microseg.cfg' to observed files Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 07/16] sdn: microseg: add config and API Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 08/16] sdn: zones: trigger microseg apply on tap_plug Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 09/16] sdn: zones: add vxlan-gbp option to vxlan and evpn zones Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-network 10/16] evpn: disable vxlan-learning on create if GBP is enabled Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-manager 11/16] ui: sdn: add microsegmentation Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-manager 12/16] network: apply microseg state on reload Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-manager 13/16] ui: sdn: zones: add vxlan-gbp checkbox to vxlan and evpn Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-docs 14/16] sdn: add microsegmentation section Hannes Laimer
2026-06-09 13:25 ` [PATCH pve-docs 15/16] sdn: add VXLAN-GBP flag to evpn/vxlan zone sections Hannes Laimer
2026-06-09 13:25 ` [PATCH ifupdown2 16/16] d/patches: add support for VXLAN-GBP flag Hannes Laimer