projects:package-building [2013/04/14 09:02] siretart | projects:package-building [2013/07/14 08:31] (current) – notes on my lxc setup, siretart
Line 10: Line 10:
  
 For both, Debian and Ubuntu, I recommend installing in "expert mode", which can be selected at the boot prompt.
 +
 +==== Installing LXC ====
 +
 +Ubuntu (I guess the same is true for debian) offers convenient means to create Debian and Ubuntu based LXC containers. Inside the container the network, filesystem, and processes are isolated, but disk space, disk i/o and cpu time is shared. It is also very lightweight as no extra kernel is involved. For details, see https://help.ubuntu.com/lts/serverguide/lxc.html.
 +
 +I recommend running the root filesystem on ''btrfs'', lxc-create will automatically detect this and create subvolumes as appropriate.
 +
 +Steps to create a container suitable for package building:
 +
 +  SUITE=wheezy lxc-create -t debian-build
 +  ln -s /var/lib/lxc/debian-build/config /etc/lxc/auto/debian-build.conf
 +
 +Ubuntu confines the container with app-armor in order to limit the capability and permissions of processes inside the container, and thus, to limit the security risks of untrusted code "breaking out" of the container. Unfortunately, some of those measures break schroot. To fix this there are two options:
 +
 +  - Run the container in with the unconfined profile
 +  - Create and use the following profile:
 +
 +<code>
 +# /etc/apparmor.d/lxc/lxc-schroot
 +#
 +# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
 +# will source all profiles under /etc/apparmor.d/lxc
 +
 +profile lxc-container-schroot flags=(attach_disconnected,mediate_deleted) {
 +  #include <abstractions/lxc/container-base>
 +  #include <abstractions/lxc/start-container>
 +  
 +  mount fstype=cgroup -> /sys/fs/cgroup/**,
 +
 +  mount options in (ro,rw,bind,nosuid,noexec,remount) /**/ -> /var/lib/schroot/**/,
 +  mount fstype=proc,
 +  mount fstype=sysfs,
 +}
 +</code>
 +
 +Unfortunately, this is not enough. The default lxc configuration limits the use of ''mknod'', so further tweaks to the lxc container configuration are necessary. Here is my configuration for reference:
 +
 +<code>
 +# Template used to create this container: debian                                                                                                                         
 +# Template script checksum (SHA-1): 33e3fc0cb7e2809453c36e81fe0fe4aa5542c208                                                                                             
 +
 +lxc.network.type = veth
 +lxc.network.link = lxcbr0
 +lxc.network.flags = up
 +lxc.network.ipv4 = 10.0.3.200
 +
 +lxc.rootfs = /var/lib/lxc/debian-build/rootfs
 +lxc.tty = 4
 +lxc.pts = 1024
 +lxc.utsname = debian-build
 +
 +# When using LXC with apparmor, uncomment the next line to run unconfined:                                                                                               
 +#lxc.aa_profile = unconfined                                                                                                                                             
 +
 +lxc.aa_profile = lxc-container-schroot
 +
 +lxc.cgroup.devices.deny = a
 +# /dev/null and zero                                                                                                                                                     
 +lxc.cgroup.devices.allow = c 1:3 rwm
 +lxc.cgroup.devices.allow = c 1:5 rwm
 +# consoles                                                                                                                                                               
 +lxc.cgroup.devices.allow = c 5:1 rwm
 +lxc.cgroup.devices.allow = c 5:0 rwm
 +lxc.cgroup.devices.allow = c 4:0 rwm
 +lxc.cgroup.devices.allow = c 4:1 rwm
 +# /dev/{,u}random                                                                                                                                                        
 +lxc.cgroup.devices.allow = c 1:9 rwm
 +lxc.cgroup.devices.allow = c 1:8 rwm
 +lxc.cgroup.devices.allow = c 136:* rwm
 +lxc.cgroup.devices.allow = c 5:2 rwm
 +# rtc                                                                                                                                                                    
 +lxc.cgroup.devices.allow = c 254:0 rwm
 +
 +# found on http://wiki.progress-linux.org/software/lxc/                                                                                                                  
 +# Allow to mknod all devices (but not using them)                                                                                                                        
 +lxc.cgroup.devices.allow                = c *:* m
 +lxc.cgroup.devices.allow                = b *:* m
 +
 +# mounts point                                                                                                                                                           
 +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 +lxc.mount.entry = sysfs sys sysfs defaults  0 0
 +</code>
 +   
 +
  
 ==== Preparing the environment ====
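Review bot: the two options for getting schroot to work are presented as equivalent, but option 1 gives up exactly the confinement the preceding paragraph motivates (limiting what untrusted build code can do if it breaks out), and the text never says which option the configuration below actually uses; since that config sets `lxc.aa_profile = lxc-container-schroot`, state that option 2 is the one in use and that `lxc.aa_profile = unconfined` is a trade-off to be reserved for containers that only build trusted sources. In the profile itself, `mount fstype=proc,` and `mount fstype=sysfs,` carry no destination and are therefore broader than the bind-mount rule just above them, which is scoped to `/var/lib/schroot/**/`; if schroot only needs proc and sysfs under its session directories, `mount fstype=proc -> /var/lib/schroot/**/,` (and likewise for sysfs) keeps the three rules consistent. The comment on the `c *:* m` / `b *:* m` lines is accurate (the `m` access only permits mknod, not reading or writing the device), and the `lxc.cgroup.devices.deny = a` line before it is what keeps that safe, so it is worth saying explicitly that those two lines must stay after the deny. Minor: "Run the container in with the unconfined profile" should drop "in".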
Line 28: Line 112:
  
 Replace ''unstable'' with the distribution you want to base this on. On Intel 64bit installations, this will create ''unstable-amd64'' as ''schroot'' managed "chroot". Adjust to your environment as necessary.
 +
 +Note that in this setup, your user needs to be in the group ''sbuild''. The [[man>mk-sbuild]] tool takes care about that, that is, it adds your user to the group via [[man>adduser]], and asks you to relogin.
 +
 +Now enter the chroot and edit the package sources in ''/etc/apt/sources.list'' and ''/etc/apt/sources.list.d/*.list'':
 +
 +  sudo schroot -c source:unstable-amd64 -u root
 +  sensible-editor /etc/apt/sources.list
  
 To install the latest update in that environment, use:
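Review bot: the command enters `source:unstable-amd64`, but the text does not say why the `source:` prefix matters; changes made in the source chroot persist and are inherited by every session started from it afterwards, whereas the same edit made in a plain `unstable-amd64` session is thrown away when that session ends, so one sentence after "Now enter the chroot ..." would stop readers from editing the wrong chroot. The note on the `sbuild` group should also mention that membership is what lets a user enter these chroots and run builds in them, so it should be granted as deliberately as any other privileged group rather than treated as a formality of mk-sbuild.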
Line 40: Line 131:
  
   sbuild -A -d unstable hello.dsc
- 
projects/package-building.1365930155.txt.gz · Last modified: 2013/04/14 09:02 by siretart