These are personal notes on how I setup package build environments. When done, I intend to writeup a blog post about it.
This step may be a bare-metal, or virtual machine, such as bare http://www.linux-kvm.org/, libvirt, VirtualBox or VMWare.
First, install a minimal system. For Ubuntu, I recommend using the Server CD, and install only the SSH Task. This installer is very similar to the Debian installation media, as both use the software |http://wiki.debian.org/DebianInstaller. This installer comes with extensive documentation here: http://www.debian.org/releases/testing/amd64/
For both, Debian and Ubuntu, I recommend installing in “expert mode”, which can be selected at the boot prompt.
Ubuntu (I guess the same is true for debian) offers convenient means to create Debian and Ubuntu based LXC containers. Inside the container the network, filesystem, and processes are isolated, but disk space, disk i/o and cpu time is shared. It is also very lightweight as no extra kernel is involved. For details, see https://help.ubuntu.com/lts/serverguide/lxc.html.
I recommend running the root filesystem on btrfs
, lxc-create will automatically detect this and create subvolumes as appropriate.
Steps to create a container suitable for package building:
SUITE=wheezy lxc-create -t debian-build ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf
Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code “breaking out” of the container. Unfortunately, some of those measures break schroot. To fix this there are two options:
# /etc/apparmor.d/lxc/lxc-schroot # # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-schroot flags=(attach_disconnected,mediate_deleted) { #include <abstractions/lxc/container-base> #include <abstractions/lxc/start-container> mount fstype=cgroup -> /sys/fs/cgroup/**, mount options in (ro,rw,bind,nosuid,noexec,remount) /**/ -> /var/lib/schroot/**/, mount fstype=proc, mount fstype=sysfs, }
Unfortunately, this is not enough. The default lxc configuration limits the use of mknod
, so further tweaks to the lxc container configuration are necessary. Here is my configuration for reference:
# Template used to create this container: debian # Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208 lxc.network.type = veth lxc.network.link = lxcbr0 lxc.network.flags = up lxc.network.ipv4 = 10.0.3.200 lxc.rootfs = /var/lib/lxc/debian-build/rootfs lxc.tty = 4 lxc.pts = 1024 lxc.utsname = debian-build # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined lxc.aa_profile = lxc-container-schroot lxc.cgroup.devices.deny = a # /dev/null and zero lxc.cgroup.devices.allow = c 1:3 rwm lxc.cgroup.devices.allow = c 1:5 rwm # consoles lxc.cgroup.devices.allow = c 5:1 rwm lxc.cgroup.devices.allow = c 5:0 rwm lxc.cgroup.devices.allow = c 4:0 rwm lxc.cgroup.devices.allow = c 4:1 rwm # /dev/{,u}random lxc.cgroup.devices.allow = c 1:9 rwm lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc lxc.cgroup.devices.allow = c 254:0 rwm # found on http://wiki.progress-linux.org/software/lxc/ # Allow to mknod all devices (but not using them) lxc.cgroup.devices.allow = c *:* m lxc.cgroup.devices.allow = b *:* m # mounts point lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = sysfs sys sysfs defaults 0 0
Install packages that are relevant for packaging. Note that I prefer ''sbuild'' over pbuilder
for two reasons: First, this is the software that runs on the official buildds in both Debian and Ubuntu. Second, the packaged version extensively uses schroot
for chroot management, which makes it very easy to setup and maintain separate build environments (such as squeeze + squeeze-backports
or quantal + some-extra-ppa
).
The following command gets you started:
sudo apt-get install packaging-dev pbuilder- sbuild ubuntu-dev-tools
The ubuntu-dev-tools
package is available in all relevant versions of Ubuntu, and in Debian since debian/wheezy
This step needs to be repeated for every build environment you want to use:
mk-sbuild --eatmydata unstable
Replace unstable
with the distribution you want to base this on. On Intel 64bit installations, this will create unstable-amd64
as schroot
managed “chroot”. Adjust to your environment as necessary.
Note that in this setup, your user needs to be in the group sbuild
. The mk-sbuild tool takes care about that, that is, it adds your user to the group via adduser, and asks you to relogin.
Now enter the chroot and edit the package sources in /etc/apt/sources.list
and /etc/apt/sources.list.d/*.list
:
sudo schroot -c source:unstable-amd64 -u root sensible-editor /etc/apt/sources.list
To install the latest update in that environment, use:
sudo schroot-update -ud unstable-amd64
This runs unattendedly and could also be run via cron.
To build a package, use:
sbuild -A -d unstable hello.dsc