Setting Up A Build Server
Note: Every effort should be made to ensure that we use stock versions of the build tools wherever possible. Where we can't, ensure that detailed build instructions, as well as a list of patches we apply, are available. As of October 2012, we use stock versions of sbuild and schroot.
- The build server should ideally be an Ubuntu LTS (as of Oct 2012, Precise). Ops prefers Ubuntu to Debian testing/unstable/experimental because they already maintain Ubuntu LTS servers (the dialups). It should have free space in an LVM volume group (ideally named "builder", but configurable in most cases). The build chroots consume 4GB each, and there are 2 architectures for each distro we support. As of Oct 2012, a 50G LVM is sufficient, but this may change in the future.
- Install debathena-login, as well as debathena-debian-dev.
- If you install debathena manually (please don't), ensure that you add the apt key, either via the debathena-archive-keyring package, or with apt-key add /afs/sipb.mit.edu/project/debathena/apt/debathena-archive-keyring.asc. If you're very paranoid, you can run apt-key export on the old build server and then apt-key add on the new one.
- Install the packages listed in scripts/build-server/packages. debathena-debian-dev should have taken care of most of these.
- If we're still using a unioning filesystem, ensure that the necessary kernel modules are available. See above about using stock versions wherever possible. As of Oct 2012, the filesystems we use (overlayfs) and those we used in the past (aufs) are part of the stock kernel.
- Append to /etc/approx/approx.conf the contents of scripts/build-server/approx.conf.tail. Restart approx (as of precise, approx is run from inetd).
- Apply scripts/build-server/mount-defaults.patch to /etc/schroot/mount-defaults. If for some reason that patch fails to apply, note that it simply adds /afs as a bind mount:
/afs /afs none rw,bind 0 0
- Apply scripts/build-server/pam-schroot.patch to /etc/pam.d/schroot. This patch does not include common-session and instead adds a basic pam_unix session module. This prevents PAM from mucking with Kerberos and AFS.
- For each supported DIST (see scripts/debian-versions.sh) run:
scripts/build-server/make-chroot DIST i386
scripts/build-server/make-chroot DIST amd64
Example: scripts/build-server/make-chroot intrepid i386
Configuring the builder account
- Create a local account for builder with:
adduser --uid 1047 --disabled-password builder
N.B. In the old days, the UID was relevant for AFS and matching Hesiod. With OpenAFS 1.6, it is likely no longer relevant, but double-checking never hurt.
- Make the home directory mode 700.
- Install a daemon keytab for the host (e.g. daemon/linux-build-10.mit.edu) in the home directory, named keytab. Ensure that this principal also has a PTS id in both the sipb and athena cells, and add it to the list debathena-build-server-acl.
- Install a copy of the secret repository-signing key (for debathena@…) in the home directory's keyring with something like:
builder@old-build-server:~$ kinit builder
builder@old-build-server:~$ gpg --export-secret-keys email@example.com | \
    ssh -l builder new-build-server gpg --import
You may transfer the key securely via another method, but ensure that the key is not left lying around anywhere. (Even a correctly-ACL'd directory in AFS is not ideal.)
- Create a file named .sbuildrc in builder's homedir containing:
$mailto = undef;
$log_dir = '/tmp/sbuild-logs';
$maintainer_name = 'Debathena Project <firstname.lastname@example.org>';
$force_orig_source = 1;
$sbuild_mode = 'user';
# Pass all DEBATHENA-specific variables to external commands
# (e.g. chroot-sources)
# N.B. This replaces the default value, it does not union them.
# So ensure that this has the defaults as noted in sbuild.conf
$environment_filter = ['^DEBATHENA_',
                       '^KRB5CCNAME_',
                       '^PATH$',
                       '^DEB(IAN|SIGN)?_[A-Z_]+$',
                       '^(C(PP|XX)?|LD|F)FLAGS(_APPEND)?$',
                       '^USER(NAME)?$',
                       '^LOGNAME$',
                       '^HOME$',
                       '^TERM$',
                       '^SHELL$'];
# Ensure file evaluates as true in Perl
1;
- Create a file named .ssh/config in builder's homedir containing:
Host svn.mit.edu
  User debuildsvn
- Add builder to the sbuild group in /etc/group.
- Create a file named .devscripts in builder's homedir containing:
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-sa -us -uc -i -I.svn"
- In builder's homedir, append to .bashrc:
add debathena
export PATH=$PATH:~/bin
export DEBATHENA_APT=/mit/debathena/apt
- Copy ~/bin from the old build server.
- Run sbuild-update --keygen to generate the key for signing the temporary repo used during the build process. This requires entropy, and the rng-tools package is helpful for generating the necessary entropy, seeing as how you probably don't have access to the machine's keyboard or mouse.
- Copy scripts/build-server/autodebathenify to builder's homedir. Create a file named autodebathenify.config in builder's homedir containing:
email@example.com
scripts_dir=/mit/debathena/bin
build_dir=/mit/debathena/packages/third
packages="lprng openafs"
export DEBATHENA_APT=/mit/debathena/apt
- Copy scripts/build-server/autodebathenify.cron to builder's homedir and install it with "crontab autodebathenify.cron". You should probably test autodebathenify by hand to ensure it works.
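The account steps above (home directory mode 700, the keytab, sbuild group membership, and not leaving the exported signing key lying around) can be checked after setup with a small audit script. This is an added example, not part of the Debathena scripts; the function names are hypothetical, GNU stat is assumed, and the owner-only keytab mode is this example's assumption.

```shell
#!/bin/sh
# Added example: audit the builder account against the steps on this page.
# Assumes GNU stat (Ubuntu). The owner-only keytab mode is this example's
# assumption; the page itself only requires the home directory to be 700.

mode_of() { stat -c '%a' "$1"; }   # octal permission bits of a path

# Succeed if user $1 is a listed member of group $2 in group file $3.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# Succeed if file $1 looks like an exported OpenPGP secret key: the ASCII
# armor header, or a leading secret-key packet byte (tag 5: 0x94-0x97, 0xc5).
looks_like_secret_key() {
    head -c 64 "$1" | grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' && return 0
    case "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" in
        94|95|96|97|c5) return 0 ;;
    esac
    return 1
}

# List files under home $1, outside its .gnupg keyring, that look like key exports.
stray_secret_keys() {
    find "$1" -path "$1/.gnupg" -prune -o -type f -print | while IFS= read -r f; do
        if looks_like_secret_key "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print one finding per line for home $1, user $2, group file $3; no output if clean.
audit_builder_home() {
    home=$1 user=$2 grpfile=$3
    [ "$(mode_of "$home")" = 700 ] || echo "home: mode $(mode_of "$home"), expected 700"
    if [ ! -f "$home/keytab" ]; then
        echo "keytab: missing"
    else
        case "$(mode_of "$home/keytab")" in
            400|600) ;;
            *) echo "keytab: mode $(mode_of "$home/keytab"), expected owner-only" ;;
        esac
    fi
    in_group "$user" sbuild "$grpfile" || echo "group: $user not listed in sbuild"
    stray_secret_keys "$home" | sed 's/^/stray-key: /'
}

# Usage on the build server: audit_builder_home ~builder builder /etc/group
```

The first-byte test is a heuristic, so a stray-key finding means "inspect this file", not "this is certainly a key".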
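Because $environment_filter in the .sbuildrc step replaces sbuild's default list rather than extending it, it is worth testing which variable names the list actually lets through before relying on it. The script below is an added example, not from the Debathena scripts: the patterns are copied from this page, the sample environment is constructed, and it assumes sbuild keeps a variable when its name matches any one pattern (grep -E stands in for Perl's regex engine).

```shell
#!/bin/sh
# Added example: test variable names against the $environment_filter above.
# Patterns are copied verbatim from the .sbuildrc on this page. Assumption:
# sbuild keeps a variable when its NAME matches any one pattern.

FILTER='^DEBATHENA_
^KRB5CCNAME_
^PATH$
^DEB(IAN|SIGN)?_[A-Z_]+$
^(C(PP|XX)?|LD|F)FLAGS(_APPEND)?$
^USER(NAME)?$
^LOGNAME$
^HOME$
^TERM$
^SHELL$'

# Succeed if variable name $1 matches at least one pattern (one ERE per line).
passes_filter() { printf '%s\n' "$1" | grep -Eq -e "$FILTER"; }

# Read NAME=value lines on stdin; print "keep NAME" or "drop NAME" for each.
classify_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        if passes_filter "$name"; then echo "keep $name"; else echo "drop $name"; fi
    done
}

# Constructed sample environment (values are placeholders, not real paths).
sample_env() {
    cat <<'EOF'
DEBATHENA_APT=/mit/debathena/apt
DEB_BUILD_OPTIONS=nocheck
LDFLAGS=-Wl,-z,relro
LD_PRELOAD=/tmp/x.so
SSH_AUTH_SOCK=/tmp/ssh-agent.sock
GPG_AGENT_INFO=/tmp/gpg-agent:1:1
KRB5CCNAME=/tmp/krb5cc_1047
EOF
}

sample_env | classify_env
```

With the list as written on this page, agent sockets and LD_PRELOAD are dropped, and the `^KRB5CCNAME_` pattern matches only names that continue with an underscore, so a variable named exactly KRB5CCNAME is dropped as well.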
NOT CURRENTLY USED
Copy scripts/build-server/autolivebuilder to builder's homedir. Create a file called autolivebuilder.config in builder's homedir containing:
firstname.lastname@example.org
release_version='9.04'
release='jaunty'
arch='i386'
mirror='mirrors.mit.edu'
gpg_opts=("-u" "0D8A9E8F")
live_dir=/net/sipb-isilon-sc.mit.edu/ifs/mirror/sipb/debathena/livecd