BuildEnvironment

Revision 3 as of 2010-05-19 18:11:26


In an effort to recreate a build environment that closely mimics the Launchpad buildds, the Ubuntu Security team has defined the following steps. This is in many ways an extension of SbuildLVMHowto. This is also documented in LINK HERE.

Sbuild/Aufs with ddebs (Lucid)

In Lucid, mk-sbuild now uses 'union-type=aufs' with schroot by default. Also, mk-sbuild passes --variant=buildd to debootstrap so you don't have to. Due to performance issues with ext4 in Ubuntu 10.04 LTS, it is recommended that you use ext3 for your builds.

Creating the schroots

  1. Install sbuild and schroot:

    $ sudo apt-get install sbuild schroot
  2. Make sure you are in the 'sbuild' group:

    $ sudo adduser <username> sbuild
  3. If /var doesn't have enough space, create a big partition for your chroots:

    $ sudo mkfs.ext3 /dev/sdXN
    $ sudo mkdir /srv/devel
    $ ls -l /dev/disk/by-uuid/|grep sdXN   # find the UUID for the disk
    lrwxrwxrwx 1 root root 10 2010-04-22 12:14 d9300709-7b77-4fcc-8d95-77cecdef9e51 -> ../../sdXN

    Add the partition to /etc/fstab (by UUID):

    UUID=d9300709-7b77-4fcc-8d95-77cecdef9e51 /srv/devel ext3 defaults,relatime 0 0

    Mount it:

    $ sudo mount /srv/devel
    $ df -h|grep devel
    /dev/sdXN             166G  188M  157G   1% /srv/devel

    Create the schroot directory:

    $ sudo mkdir /srv/devel/schroot
  4. Create ~/.mk-sbuild.sources.ubuntu (you can also use simply .mk-sbuild.sources, and .mk-sbuild.sources.debian), substituting a local mirror, a nearby mirror or the official archive for '<mirror>'. E.g.:

    deb http://<mirror>/ubuntu RELEASE main restricted universe multiverse
    deb-src http://<mirror>/ubuntu RELEASE main restricted universe multiverse
    deb http://<mirror>/ubuntu RELEASE-updates main restricted universe multiverse
    deb-src http://<mirror>/ubuntu RELEASE-updates main restricted universe multiverse
    deb http://<mirror>/ubuntu RELEASE-security main restricted universe multiverse
    deb-src http://<mirror>/ubuntu RELEASE-security main restricted universe multiverse
  5. Set up for extracting the ddebs:
    • Append to /etc/schroot/mount-defaults:

      /home/<username>/scratch             /scratch             none    rw,bind     0   0
    • Create /etc/schroot/script-get-ddebs:

      # Do whatever the default script would do
      . /etc/schroot/script-defaults
      
      # Clean up during 00check
      if [ "x$0" = "x/etc/schroot/setup.d/00check" ]; then
          if [ "$1" = "setup-stop" ]; then
              # Pull out .ddebs
              mv /var/cache/buildtmp/schroot/union/overlay/"$SESSION_ID"/build/*/*.ddeb /scratch/ddebs/ 2>/dev/null || true
          fi
      fi
      # end script
    • Create the following directory:

      $ mkdir ~/scratch/ddebs
  6. Create ~/.mk-sbuild.rc:

    # mk-sbuild tunables -- SOURCE_CHROOTS_TGZ used with 'file' and SOURCE_CHROOTS_DIR with 'directory'
    SOURCE_CHROOTS_DIR="/srv/devel/schroot"         # default: /var/lib/schroot/chroots
    SCHROOT_CONF_SUFFIX="script-config=script-get-ddebs
    source-root-users=root,sbuild,admin
    source-root-groups=root,sbuild,admin"
    SKIP_UPDATES="1"

    This tells schroot that the chroots are in "/srv/devel/schroot", and appends the contents of SCHROOT_CONF_SUFFIX to the configuration of the chroot in /etc/schroot/schroot.conf. Using 'SCHROOT_CONF_SUFFIX="script-config=script-get-ddebs"' means that /etc/schroot/script-get-ddebs gets called to configure the chroot. This script sources '/etc/schroot/script-defaults' so it behaves normally, then pulls the ddebs out and puts them into the bind mounted /scratch directory in the chroot (i.e. into ~/scratch).
  7. Finally, create the schroots (see man mk-sbuild for details):

    for i in dapper hardy intrepid jaunty karmic lucid ; do
        mk-sbuild $i --arch=amd64 --skip-updates --debootstrap-mirror=http://debmirror/ubuntu --distro=ubuntu
        mk-sbuild $i --arch=i386 --skip-updates --debootstrap-mirror=http://debmirror/ubuntu --distro=ubuntu
    done
    
    for i in etch lenny squeeze sid ; do
        mk-sbuild $i --skip-updates --distro=debian
    done

    For ARM (see ARM/RootfsFromScratch for more details):

    $ mk-sbuild --arch armel lucid
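
Once the schroots exist, it is worth confirming that every stanza in schroot.conf actually received the SCHROOT_CONF_SUFFIX settings from step 6, and seeing who holds root in the source chroots. The following is an added example, not part of the original page or of mk-sbuild; the function names and the sample stanzas are constructed, and it inspects only the keys named above:

```shell
#!/bin/sh
# Added example: audit a schroot.conf for the settings this page appends via
# SCHROOT_CONF_SUFFIX. Only keys named on the page are inspected.

# Print one line per chroot stanza; return 1 if any stanza lacks the ddeb hook.
audit_schroot_conf() {
    awk '
    function report() {
        if (name == "") return
        if (hook != "script-get-ddebs") bad++
        printf "%s hook=%s root-users=%s root-groups=%s\n", name,
            (hook == "script-get-ddebs" ? "ok" : "missing"),
            (users == "" ? "-" : users), (groups == "" ? "-" : groups)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^\[.*\]$/ {                                  # new stanza header
        report()
        name = substr($0, 2, length($0) - 2)
        hook = users = groups = ""
        next
    }
    {
        i = index($0, "="); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "script-config")      hook = val
        if (key == "source-root-users")  users = val
        if (key == "source-root-groups") groups = val
    }
    END { report(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the second stanza was created without SCHROOT_CONF_SUFFIX.
sample_conf() {
    cat <<'EOF'
[lucid-amd64]
union-type=aufs
script-config=script-get-ddebs
source-root-users=root,sbuild,admin
source-root-groups=root,sbuild,admin

# constructed stanza lacking the suffix
[hardy-i386]
union-type=aufs
EOF
}

# Stand-alone use: sh audit.sh /etc/schroot/schroot.conf
if [ -n "${1:-}" ]; then audit_schroot_conf "$1"; fi
```

A stanza reported as hook=missing will build normally but its ddebs will not be moved to ~/scratch/ddebs when the session ends.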

Deleting a schroot

Edit /etc/schroot/schroot.conf to remove the stanza for the chroot, then do:

$ sudo rm -rf /srv/devel/schroot/lucid-amd64

Using the schroot

Using a schroot is similar to the chroot command but you specify the chroot and user you want to use rather than the directory.

$ schroot -c lucid-amd64 -u root
(lucid-amd64)root@foo:/home/user# apt-get install ...
(lucid-amd64)root@foo:/home/user# su user
(lucid-amd64)user@foo$ exit
exit
(lucid-amd64)root@foo:/home/user# exit
logout
$

Chroot to the other architectures with:

$ schroot -c lucid-i386 -u root
$ schroot -c lucid-armel -u root

Or without root with:

$ schroot -c lucid-amd64

Or building via sbuild directly:

$ sbuild -d lucid package_1.2.3-4.dsc