PAR::Tutorial - Cross-Platform Packaging and Deployment with PAR

This is a tutorial on PAR, first appeared at the 7th Perl Conference. The HTML version of this tutorial is available online as <http://aut.dyndns.org/par-tutorial/>.

 % sshnuke.pl 10.2.2.2 -rootpw="Z1ON0101"
 Perl v5.6.1 required--this is only v5.6.0, stopped at sshnuke.pl line 1.
 BEGIN failed--compilation aborted at sshnuke.pl line 1.

* How do we know which modules are needed?

* Possibly overwriting existing modules; not cross-platform at all

* Do what JAR (Java Archive) does for Perl

* Aggregates modules, scripts and other files into a Zip file

* Easy to generate, update and extract

* Version consistency: solves forward-compatibility problems

* PAR files can be packed into self-contained scripts

* Automatically scans perl script for dependencies

* Bundles all necessary 3rd-party modules with it

* Requires only core Perl to run on the target machine

 % pp -o sshnuke.exe sshnuke.pl # stand-alone executable!

* PAR files are just Zip files with modules in it

* Any Zip tools can generate them:

 % zip foo.par Hello.pm World.pm        # pack two modules
 % zip -r bar.par lib/          # grab all modules in lib/

* To load modules from PAR files:

 use PAR;
 use lib "foo.par";             # the .par part is optional
 use Hello;

* This also works:

 use PAR "/home/mylibs/*.par";  # put all of them into @INC
 use Hello;

 % par.pl foo.par               # looks for 'main.pl' by default
 % par.pl foo.par test.pl       # runs script/test.pl in foo.par

 % parl foo.par                 # no perl or PAR.pm needed!
 % parl foo.par test.pl         # ditto

* The PAR loader can prepend itself to a PAR file:

 % par.pl -b -O./foo.pl foo.par # self-contained script

 % parl -B -O./foo.exe foo.par  # self-contained binary

 % scandeps.pl sshnuke.pl
 # Legend: [C]ore [X]ternal [S]ubmodule [?]NotOnCPAN
 'Crypt::SSLeay'       => '0', #  X   #
 'Net::HTTP'           => '0', #      #
 'Crypt::SSLeay::X509' => '0', # S    # Crypt::SSLeay
 'Net::HTTP::Methods'  => '0', # S    # Net::HTTP
 'Compress::Zlib'      => '0', #  X   # Net::HTTP::Methods

* Scan an one-liner, list all involved files:

 % scandeps.pl -V -e "use Dynaloader;"
 ...
 # auto/DynaLoader/dl_findfile.al [autoload]
 # auto/DynaLoader/extralibs.ld [autoload]
 # auto/File/Glob/Glob.bs [data]
 # auto/File/Glob/Glob.so [shared]
 ...

* Combines scanning, zipping and loader-embedding:

 % pp -o out.exe src.pl         # self-contained .exe
 % out.exe                      # runs anywhere on the same OS

* Bundle additional modules:

 % pp -o out.exe -M CGI src.pl  # pack CGI + its dependencies, too

* Pack one-liners:

 % pp -o out.exe -e 'print "Hi!"'   # turns one-liner into executable

* Generate PAR files instead of executables:

 % pp -p src.pl                 # makes 'source.par'
 % pp -B -p src.pl              # include core modules

 % pp --gui --verbose --output=out.exe src.pl

* Small initial overhead; no runtime overhead

* Dependencies are POD-stripped before packing

* Loads modules directly into memory on demand

* Shared libraries (DLLs) are extracted with File::Temp

* Works on Perl 5.6.0 or above

* Tested on Win32 (VC++ and MinGW), FreeBSD, NetBSD, Linux, MacOSX, Cygwin, AIX, Solaris, HP-UX, Tru64...

* A common question:

 > I have used pp to make several standalone applications which work
 > great, the only problem is that for each executable that I make, I am
 > assuming the parl.exe is somehow bundled into the resulting exe.

* The obvious workaround:

 You can ship parl.exe by itself, along with .par files built
 by "pp -p", and run those PAR files by associating them to parl.exe.

 % pp --output=a.out a.pl b.pl  # two scripts in one!
 % ln a.out b.out               # symlink also works
 % ./a.out                      # runs a.pl
 % ./b.out                      # runs b.pl

* Of course, there is no cross-platform binary format

* Pure-perl PAR packages are cross-platform by default

* However, XS modules are specific to Perl version and platform

* Multiple versions of a XS module can co-exist in a PAR file

 C:\> pp --multiarch --output=out.par src.pl
 ...copy src.pl and out.par to a Finix machine...
 % pp --multiarch --output=out.par src.pl

* Now it works on both platforms:

 % parl out.par                 # runs src.pl
 % perl -MPAR=out.par -e '...'  # uses modules inside out.par

* Modules can reside in several directories:

 /                      # casual packaging only
 /lib/                  # standard location
 /arch/                 # for creating from blib/ 
 /i386-freebsd/         # i.e. $Config{archname}
 /5.8.0/                # i.e. Perl version number
 /5.8.0/i386-freebsd/   # combination of the two above

* Scripts are stored in one of the two locations:

 /                      # casual packaging only
 /script/               # standard location

* Shared libraries may be architecture- or perl-version-specific:

 /shlib/(5.8.0/)?(i386-freebsd/)?

* PAR files may recursively contain other PAR files:

 /par/(5.8.0/)?(i386-freebsd/)?

* MANIFEST

* Index of all files inside PAR

* META.yml

* Dependency, license, runtime options

* SIGNATURE

* OpenPGP-signed digital signature

* This is not meant to be a flame

* All three maintainers have contributed to PAR directly; I'm grateful

* perlcc

* Guaranteed to not work is more like it

* PerlApp / Perl2exe

* Expensive: Need to pay for each upgrade

* Non-portable: Only available for limited platforms

* Proprietary: Cannot extend its features or fix bugs

* Obfuscated: Vendor and black-hats can see your code, but you can't

* Inflexible: Does not work with existing Perl installations

 jar:file:///home/autrijus/foo.par!/MANIFEST

* Open it in a Gecko browser (e.g. Netscape 6+) with Javascript enabled:

* No needed to unzip anything; just click on files to view them

* Static, machine-readable distribution metadata

 build_requires: {}
 conflicts: {}
 dist_name: out.par
 distribution_type: par
 dynamic_config: 0
 generated_by: 'Perl Packager version 0.03'
 license: unknown
 par:
   clean: 0
   signature: ''
   verbatim: 0
   version: 0.68

* OpenPGP clear-signed manifest with SHA1 digests

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 SHA1 8a014cd6d0f6775552a01d1e6354a69eb6826046 AUTHORS
 ...
 -----BEGIN PGP SIGNATURE-----
 ...
 -----END PGP SIGNATURE-----

 % pp -s -o foo.par bar.pl      # make and sign foo.par from bar.pl
 % cpansign -s foo.par  # sign this PAR file
 % cpansign -v foo.par  # verify this PAR file

* Framework for self-contained Web applications

* Works with mod_perl 1.x or 2.x

* Apache configuration, static files, Perl modules...

* Supports Static, Registry and PerlRun handlers

* Can also load all PARs under a directory

 Alias /myapp/cgi-perl/ ##PARFILE##/
 <Location /myapp/cgi-perl>
     Options +ExecCGI
     SetHandler perl-script
     PerlHandler Apache::PAR::Registry
 </Location>

 # use the "web.conf" from the previous slide
 % pp -p -o hondah.par -e 'print "Hon Dah!\n"' \
      --add web.conf
 % chmod a+x hondah.par

 <IfDefine MODPERL2>
 PerlModule Apache2
 </IfDefine>
 PerlAddVar PARInclude /home/autrijus/hondah.par
 PerlModule Apache::PAR

* Test it out:

 % GET http://localhost/myapp/cgi-perl/main.pl
 Hon Dah!

* Instant one-liner web application that works!

* With LWP installed, your can use remote PAR files:

 use PAR;
 use lib 'http://aut.dyndns.org/par/DBI-latest.par';
 use DBI;    # always up to date!

* Download only if modified

* Safe for offline use after the first time

* Makes large-scale deployment a breeze

* Upgrades from a central location

* No installers needed

* Also known as source-hiding techniques

* It is not encryption

* Offered by PerlApp, Perl2Exe, Stunnix...

* Usually easy to defeat

* Bundled examples: Bleach, PodStrip and PatchContent

* Or even _product activation_ over the internet

* Alternatively, just keep core logic in your server and use RPC

* To get the host archive from a packed program:

 my $zip = PAR::par_handle($0); # an Archive::Zip object
 my $content = $zip->contents('MANIFEST');

 my $content = PAR::read_file('MANIFEST');

 use PAR '/home/mylibs/*.par';
 while (my ($filename, $zip) = each %PAR::LibCache) {
     print "[$filename - MANIFEST]\n";
     print $zip->contents('MANIFEST');
 }

* GUI toolkits often need to link with shared libraries:

 # search for libncurses under library paths and pack it
 % pp -l ncurses curses_app.pl  # same for Tk, Wx, Gtk, Qt...

 # pack 'src.pl' into a console-less 'out.exe' (Win32 only)
 % pp --gui -o out.exe src.pl

* Tk problems mostly fixed by now, but other toolkits may still break

* Installing XS extensions from CPAN was difficult

* Some platforms do not come with a compiler (Win32, MacOSX...)

* Some headers or libraries may be missing

* PAR.pm itself used to suffer from both problems

 # same old Makefile.PL, with a few changes
 use inc::Module::Install;      # was "use ExtUtils::MakeMaker;"
 WriteMakefile( ... );          # same as the original
 check_nmake();                 # make sure the user have nmake
 par_base('AUTRIJUS');          # your CPAN ID or a URL
 fetch_par() unless can_cc();   # use precompiled PAR only if necessary

* Users will not notice anything, except now it works

* Win32 and other icon-savvy platforms

* PE Header manipulation in Perl volunteers wanted!

* Linux and other libc-based platforms

* Older versions with an earlier libc won't work with new ones

* Solaris and other zlib-lacking platforms (but not Win32)

* Any platform with limited bandwidth or disk space

* Use UPX to minimize the executable size

* Additional resources

* List archive: <http://nntp.x.perl.org/group/perl.par>

* PAR::Intro: <http://search.cpan.org/dist/PAR/lib/PAR/Intro.pod>

* Apache::PAR: <http://search.cpan.org/dist/Apache-PAR/>

* Module::Install: <http://search.cpan.org/dist/Module-Install/>

* Any questions?

* Here begins the scary part

* Grues, Dragons and Jabberwocks abound...

* You are going to learn weird things about Perl internals

* PAR invokes four areas of Perl arcana:

* On-the-fly source filtering

* Making self-bootstrapping binary executables

* The first two only works on 5.6 or later

* PAR currently needs 5.6, but a 5.005 port is possible

* On 1999-07-19, Ken Fox submitted a patch to P5P

* It's accepted to come in Perl 5.6, but undocumented until 5.8

 push @INC, sub {
     my ($coderef, $filename) = @_;  # $coderef is \&my_sub
     open my $fh, "wget ftp://example.com/$filename |";
     return $fh;        # using remote modules, indeed!
 };

* Perl 5.8 let you open a file handle to a string, so we just use that:

        open my $fh, '<', \($zip->memberNamed($filename)->contents);
        return $fh;

* But Perl 5.6 does not have that, and I don't want to use temp files...

* ... Undocumented features to the rescue!

* The first is still the file handle

* The second is a code reference for line-by-line source filtering!

 # Force all modules used to use strict and warnings
 open my $fh, "<", $filename or return;
 my @lines = ("use strict; use warnings;\n", "#line 1 \"$full\"\n");
 return ($fh, sub {
     return 0 unless @lines;    
     push @lines, $_; $_ = shift @lines; return length $_;
 });

* But we don't really have a filehandle for anything

* Another undocumented feature saves the day!

* We can actually omit the first return value altogether:

 # Return all contents line-by-line from the file inside PAR
 my @lines = split(
     /(?<=\n)/,
     $zip->memberNamed($filename)->contents
 );
 return (sub {
     $_ = shift(@lines);
     return length $_;
 });

* XS modules have dynamically loaded libraries

* They cannot be loaded as part of a zip file, so we extract them out

* Must intercept DynaLoader's library-finding process

* So we install pre-hooks around both functions

* The file will be automatically cleaned up when the program ends

* The par script ($0) itself

* May be in plain-text or native executable format

* Any number of embedded files

* Typically used to bootstrap PAR's various dependencies

* Length of filename in pack('N') format and the filename (auto/.../)

* File length in pack('N') and the file's content (not compressed)

* One PAR file

* Ending section

* A pack('N') number of the total length of FILE and PAR sections

* All we can expect is a working perl interpreter

* The self-contained script *must not* use any modules at all

* But to process PAR files, we need XS modules like Compress::Zlib

* Answer: bundle all modules + libraries used by PAR.pm

* Load modules to memory, and write object files to disk

* Minimizing the amount of temporary files

* First, try to load PerlIO::scalar and File::Temp

* Set up an END hook to unlink all temp files up to this point

* Load other bundled files, and look in the compressed PAR section

* Any questions, please?

<http://www.autrijus.org/par-tutorial/>

<http://www.autrijus.org/par-intro/> (English version)

<http://www.autrijus.org/par-intro.zh/> (Chinese version)

PAR, pp, par.pl, parl

ex::lib::zip, Acme::use::strict::with::pride

App::Packer, Apache::PAR, CPANPLUS, Module::Install

Autrijus Tang <autrijus@autrijus.org>

<http://par.perl.org/> is the official PAR website. You can write to the mailing list at <par@perl.org>, or send an empty mail to <par-subscribe@perl.org> to participate in the discussion.

Please submit bug reports to <bug-par@rt.cpan.org>.

Copyright 2003, 2004, 2005 by Autrijus Tang <autrijus@autrijus.org>.

This document is free documentation; you can redistribute it and/or modify it under the same terms as Perl itself.

See <http://www.perl.com/perl/misc/Artistic.html>