Differences between revisions 15 and 17 (spanning 2 versions)
Revision 15 as of 2021-04-14 09:19:10
Size: 4903
Editor: GuillemJover
Comment: Use OpenPGP instead of GPG when referring to keys or the standard
Revision 17 as of 2022-05-20 03:04:42
Size: 4939
Editor: PaulWise
Comment: cleanup
Line 1: Line 1:
## page was renamed from PortsDocs/BuilddSetup
Line 27: Line 28:
  . For a buildd: `apt-get install buildd git curl moreutils sudo devscripts debian-ports-archive-keyring`   . For a buildd: `apt install buildd git curl moreutils sudo devscripts debian-ports-archive-keyring`
Line 29: Line 30:
  . For a porterbox: `apt-get install debootstrap schroot git curl moreutils sudo devscripts locales-all libpam-pwdfile`   . For a porterbox: `apt install debootstrap schroot git curl moreutils sudo devscripts locales-all libpam-pwdfile`
Line 53: Line 54:
 3. For a porterbox, run `apt-get update` and `apt-get install userdir-ldap` (has to be done after setup-porterbox is run, as that will add the db.debian.org sources.list entry and keys).  3. For a porterbox, run `apt update` and `apt install userdir-ldap` (has to be done after setup-porterbox is run, as that will add the db.debian.org sources.list entry and keys).
Line 82: Line 83:
= How to update buildd ggp keys = = How to update buildd OpenPGP keys =

This page documents how to use the debian-ports buildd/porterbox setup scripts.

Patch Scripts

  1. If your architecture ($arch) and/or host ($host) are not yet supported, fork https://salsa.debian.org/debian-ports-team/dsa-puppet (though this guide will continue to use that URL)

  2. Add $arch to the ports case entry in modules/schroot/files/schroot-setup.d/99porterbox-extra-sources (line 43 at time of writing)

  3. Add $arch to the two case statements in modules/schroot/files/setup-all-dchroots (and set $extra and/or $extra_buildd if needed based on the host)

  4. Set $admin_mail for $arch in the case statement in scripts/setup-common

  5. Configure the setup scripts themselves.
    • For a buildd, add an entry configuring the host's details in scripts/setup-buildd, and add $host to the "$hostname is not a porterbox" case entry in scripts/setup-porterbox

    • For a porterbox, add an entry configuring the host's details in scripts/setup-porterbox, and add $host to the "$hostname is not a buildd" case entry in scripts/setup-buildd

  6. Please submit the patches back to debian-ports!

Use Scripts

Note: for a buildd, you must have already created the buildd user(s), SSH key and OpenPGP key; see BuilddSetup for how to do this (but ignore some of it).

  1. Install required system packages:
    • For a buildd: apt install buildd git curl moreutils sudo devscripts debian-ports-archive-keyring

    • For a porterbox: apt install debootstrap schroot git curl moreutils sudo devscripts locales-all libpam-pwdfile

    • (curl is not needed if you intend to disable the monitoring feature)
  2. Clone https://salsa.debian.org/debian-ports-team/dsa-puppet.git as root (this guide assumes it is cloned to /opt/dsa-puppet)

  3. Run /opt/dsa-puppet/scripts/setup-buildd or setup-porterbox. This will install two crontabs:

    1. /etc/cron.d/dsa-puppet:

      • Pulls the repository and re-runs the setup script every hour on the hour, so you can make changes by just pushing to your fork
      • If the monitoring feature is enabled, runs notify-monitor every 5 minutes.

    2. Depends on the setup type:
      • (For buildds) /etc/cron.d/buildd, which will run buildd-watcher and buildd-uploader, and recreate the chroot(s) at 21:31 on Sunday and Wednesday.

      • (For porterboxes) /etc/cron.d/puppet-update-dchroots, which will recreate the chroot(s) at 15:00 on Sunday.

      • Both will also check every 5 minutes for ~root/SETUP-DCHROOTS-PLEASE; if it exists, it is removed, and the chroot(s) are recreated.

      • Since this is all done by cron, times are in the system timezone. (Why those times? That's what the real dsa-puppet does.)
  4. For a porterbox, run apt update and apt install userdir-ldap (has to be done after setup-porterbox is run, as that will add the db.debian.org sources.list entry and keys).

  5. For a porterbox, make sure hostname -f gives the correct FQDN and that debian.org is in the domain search path (as ud-replicate needs db to resolve to db.debian.org), then request an LDAP entry for the machine from DSA by submitting an RT ticket. See below for an example entry.

Example LDAP entry

dn: host=sakharov,ou=hosts,dc=debian,dc=org
host: sakharov
hostname: sakharov.debian.net
objectClass: top
objectClass: debianServer
description: sparc64 porterbox
distribution: Debian GNU/Linux
access: public (non-DSA-machine)
architecture: sparc64
machine: SPARC T5
purpose: porterbox
exportOptions: NOPASSWD
exportOptions: NOMARKERS
ipHostNumber: 195.170.63.225
admin: foo@example.com
sponsor: Foo Bar
rebootPolicy: porterbox
sshRSAHostKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9k5W469fzttqc6iL6opofHSJm6uSxMoNg8gEPMnv/lH8NElusEUVrtPb5RfRYPQCTMzJTbY6ekkz4q3M5+C/TvEr2+1yrggF/NWHsyI3vRsoyV9EMC7Z7kh9QA0MlctarXzxSMTj+Z+uReuo+65b4OW/jOicxkPwd1JRQap0F3dcm4Nzb7i5ypgAlLsVtXCCaO6VnfVuQrdlRtEPPZ0Yv9clVgpVAPn3mw634GWTDsYY0bLG2fPYny8QqnCO/2SP9uru8aMV0NB7MuyOTknbpD456Rkp9MkSlMyyeEmZQW3HRWCn20H1ytUvefsXKHl5tdsZF8WbKA6+AjoAH3taF root@sakharov
sshRSAHostKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANmAFlhmyBlFMnnRQJq6cD6CTIfNVBw2E9cXDINxJzE root@sakharov
allowedGroups: Debian
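
A pre-flight check for step 5, as an added example that is not part of this page or of the dsa-puppet scripts: it confirms the FQDN and the debian.org search path, refuses any key file containing private key material, and prints the sshRSAHostKey lines for the RT ticket. All function names, the resolv.conf-style input and the demo key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of dsa-puppet; all function names are hypothetical.

# Succeeds if $1 has the shape of a fully qualified name (label.label...).
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if resolv.conf-style file $1 has domain $2 on a search/domain line.
search_path_has() {
    awk -v want="$2" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit !found }' "$1"
}

# Prints one "sshRSAHostKey:" line per public host key found in directory $1.
host_key_attrs() {
    for f in "$1"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "refusing $f: private key material" >&2
            return 1
        fi
        awk 'NF >= 2 && $1 ~ /^(ssh|ecdsa)-/ { print "sshRSAHostKey: " $0 }' "$f"
    done
}

# $1 = output of `hostname -f`, $2 = resolver config, $3 = sshd key directory
porterbox_preflight() {
    is_fqdn "$1" || { echo "not an FQDN: '$1'" >&2; return 1; }
    search_path_has "$2" debian.org ||
        { echo "debian.org is not in the search path of $2" >&2; return 1; }
    host_key_attrs "$3"
}

# Constructed demo input so the block runs offline; on a real host use:
#   porterbox_preflight "$(hostname -f)" /etc/resolv.conf /etc/ssh
demo=$(mktemp -d)
printf 'nameserver 192.0.2.53\nsearch debian.net debian.org\n' > "$demo/resolv.conf"
printf 'ssh-ed25519 AAAAC3ConstructedSampleKey root@sakharov\n' > "$demo/ssh_host_ed25519_key.pub"
porterbox_preflight sakharov.debian.net "$demo/resolv.conf" "$demo"
rm -rf "$demo"
```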

How to update buildd OpenPGP keys

1. Run /usr/local/sbin/gpg-new-buildd-key (as root). It creates a new key and installs it in the keyring of each of the buildd users on the machine.

2. Log in as the "buildd" user, run gpg -k to list all keys, then export the relevant key with

  • gpg --export XXXXXXXXXX > /tmp/mymachine.key

3. Send the key file to Aurelien Jarno in an email signed with your private email key.

4. After Aurelien has installed the key, modify the scripts/setup-buildd script, push those changes and restart the buildd daemon so that it picks up the new OpenPGP key.
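
A check to run on the exported file between steps 2 and 3, as an added example that is not part of this page or of the dsa-puppet scripts: it reads a gpg colon-format listing and prints the primary key's full fingerprint only if the file holds exactly one public key, no secret key records, and the key is not expired, revoked or invalid. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; check_export_listing is a hypothetical helper name.
# Input on stdin: a colon-format listing of the exported file, e.g. from
#   gpg --show-keys --with-colons /tmp/mymachine.key | check_export_listing
# Output: the 40-hex-digit primary fingerprint, to quote in the signed email.
check_export_listing() {
    awk -F: '
        # Field 2 of a pub record is its validity (e=expired, r=revoked, i=invalid).
        $1 == "pub"                { pubs++; validity = $2; want_fpr = 1; next }
        # sec/ssb records mean secret key packets are in the file.
        $1 == "sec" || $1 == "ssb" { secret++ }
        # Only the fpr record right after pub is the primary fingerprint.
        $1 == "fpr" && want_fpr    { fpr = $10; want_fpr = 0 }
        $1 == "sub"                { want_fpr = 0 }
        END {
            if (secret > 0) {
                print "secret key material present" > "/dev/stderr"; exit 2
            }
            if (pubs != 1) {
                print "expected 1 primary key, found " (pubs + 0) > "/dev/stderr"; exit 3
            }
            if (validity ~ /^[eri]$/) {
                print "key is expired, revoked or invalid" > "/dev/stderr"; exit 4
            }
            if (fpr == "") {
                print "no fingerprint record" > "/dev/stderr"; exit 5
            }
            print fpr
        }'
}

# Constructed sample listing (not a real key) so the block runs without gpg.
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1650000000:::-:::scSC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1650000000::0000::buildd autobuilder <buildd@example.org>:
sub:-:4096:1:1111222233334444:1650000000::::::e:
fpr:::::::::9999888877776666555544443333222211110000:'

printf '%s\n' "$SAMPLE_LISTING" | check_export_listing
```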