Table of Contents

Setup an package building environment for Debian/Ubuntu

These are personal notes on how I setup package build environments. When done, I intend to writeup a blog post about it.

Install a Debian or Ubuntu Machine

This step may be a bare-metal, or virtual machine, such as bare http://www.linux-kvm.org/, libvirt, VirtualBox or VMWare.

First, install a minimal system. For Ubuntu, I recommend using the Server CD, and install only the SSH Task. This installer is very similar to the Debian installation media, as both use the software |http://wiki.debian.org/DebianInstaller. This installer comes with extensive documentation here: http://www.debian.org/releases/testing/amd64/

For both, Debian and Ubuntu, I recommend installing in “expert mode”, which can be selected at the boot prompt.

Installing LXC

Ubuntu (I guess the same is true for debian) offers convenient means to create Debian and Ubuntu based LXC containers. Inside the container the network, filesystem, and processes are isolated, but disk space, disk i/o and cpu time is shared. It is also very lightweight as no extra kernel is involved. For details, see https://help.ubuntu.com/lts/serverguide/lxc.html.

I recommend running the root filesystem on btrfs, lxc-create will automatically detect this and create subvolumes as appropriate.

Steps to create a container suitable for package building:

SUITE=wheezy lxc-create -t debian-build
ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf

Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code “breaking out” of the container. Unfortunately, some of those measures break schroot. To fix this there are two options:

  1. Run the container in with the unconfined profile
  2. Create and use the following profile:
# /etc/apparmor.d/lxc/lxc-schroot
#
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-schroot flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>
  
  mount fstype=cgroup -> /sys/fs/cgroup/**,

  mount options in (ro,rw,bind,nosuid,noexec,remount) /**/ -> /var/lib/schroot/**/,
  mount fstype=proc,
  mount fstype=sysfs,
}

Unfortunately, this is not enough. The default lxc configuration limits the use of mknod, so further tweaks to the lxc container configuration are necessary. Here is my configuration for reference:

# Template used to create this container: debian                                                                                                                         
# Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208                                                                                             

lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.ipv4 = 10.0.3.200

lxc.rootfs = /var/lib/lxc/debian-build/rootfs
lxc.tty = 4
lxc.pts = 1024
lxc.utsname = debian-build

# When using LXC with apparmor, uncomment the next line to run unconfined:                                                                                               
#lxc.aa_profile = unconfined                                                                                                                                             

lxc.aa_profile = lxc-container-schroot

lxc.cgroup.devices.deny = a
# /dev/null and zero                                                                                                                                                     
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles                                                                                                                                                               
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random                                                                                                                                                        
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc                                                                                                                                                                    
lxc.cgroup.devices.allow = c 254:0 rwm

# found on http://wiki.progress-linux.org/software/lxc/                                                                                                                  
# Allow to mknod all devices (but not using them)                                                                                                                        
lxc.cgroup.devices.allow                = c *:* m
lxc.cgroup.devices.allow                = b *:* m

# mounts point                                                                                                                                                           
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults  0 0

Preparing the environment

Install packages that are relevant for packaging. Note that I prefer ''sbuild'' over pbuilder for two reasons: First, this is the software that runs on the official buildds in both Debian and Ubuntu. Second, the packaged version extensively uses schroot for chroot management, which makes it very easy to setup and maintain separate build environments (such as squeeze + squeeze-backports or quantal + some-extra-ppa).

The following command gets you started:

sudo apt-get install packaging-dev pbuilder- sbuild ubuntu-dev-tools

The ubuntu-dev-tools package is available in all relevant versions of Ubuntu, and in Debian since debian/wheezy

Setup the build chroot and keeping it up-to-date

This step needs to be repeated for every build environment you want to use:

mk-sbuild --eatmydata unstable

Replace unstable with the distribution you want to base this on. On Intel 64bit installations, this will create unstable-amd64 as schroot managed “chroot”. Adjust to your environment as necessary.

Note that in this setup, your user needs to be in the group sbuild. The mk-sbuild tool takes care about that, that is, it adds your user to the group via adduser, and asks you to relogin.

Now enter the chroot and edit the package sources in /etc/apt/sources.list and /etc/apt/sources.list.d/*.list:

sudo schroot -c source:unstable-amd64 -u root
sensible-editor /etc/apt/sources.list

To install the latest update in that environment, use:

sudo schroot-update -ud unstable-amd64

This runs unattendedly and could also be run via cron.

Building a package

To build a package, use:

sbuild -A -d unstable hello.dsc