Introducing sbuild-launchpad-chroot

Stéphane Graber stgraber at ubuntu.com
Mon Oct 21 22:45:55 UTC 2013


That's pretty much my plan, find a way to get schroot to interface with
LXC (or just unshare the netns directly). Need something a bit more
clever than just blocking access completely though since you still want
to grab the build-depends, but passing a socket to a small proxy would
be a way, creating a veth pair would be another (and using iptables to
block non-archive traffic).

On Tue, Oct 22, 2013 at 11:33:19AM +1300, Robert Collins wrote:
> Cool. Using lxc rather than a chroot will let you cut internet off hard :)
> 
> -Rob
> 
> On 22 October 2013 03:31, Stéphane Graber <stgraber at ubuntu.com> wrote:
> > Hey everyone,
> >
> > With trusty now open, I uploaded a tool I've been using for a few months now.
> >
> > It's called sbuild-launchpad-chroot and pretty much does exactly what
> > the name says.
> >
> > The package contains 3 things:
> >  - 1 tool to create/update/delete sbuild chroots
> >  - 1 schroot hook to update the chroot at the beginning of a build
> >  - 1 schroot hook to generate the right sources.list for the build
> >
> > That last hook was written by Andy Whitcroft and some of you may already
> > be using it.
> >
> > With the package installed, you can then do:
> >  sudo sbuild-launchpad-chroot create -n trusty-amd64-sbuild -s trusty -a amd64
> >
> > This will define a new chroot in schroot called trusty-amd64-sbuild, set
> > some extra launchpad.* options for the series and architecture on
> > Launchpad, download the current Launchpad chroot and also set up the
> > following aliases:
> >  - trusty-security-amd64-sbuild
> >  - trusty-security+main-amd64-sbuild
> >  - trusty-security+restricted-amd64-sbuild
> >  - trusty-security+universe-amd64-sbuild
> >  - trusty-security+multiverse-amd64-sbuild
> >  - trusty-updates-amd64-sbuild
> >  - trusty-updates+main-amd64-sbuild
> >  - trusty-updates+restricted-amd64-sbuild
> >  - trusty-updates+universe-amd64-sbuild
> >  - trusty-updates+multiverse-amd64-sbuild
> >  - trusty-proposed-amd64-sbuild
> >  - trusty-proposed+main-amd64-sbuild
> >  - trusty-proposed+restricted-amd64-sbuild
> >  - trusty-proposed+universe-amd64-sbuild
> >  - trusty-proposed+multiverse-amd64-sbuild
> >
> > Once done, you can then trigger a build with something like:
> >  sbuild --dist=trusty --arch=amd64 -c trusty-proposed+restricted-amd64-sbuild <dsc>
> >
> > This will print the following:
> >  I: 01launchpad-chroot: [trusty-amd64-sbuild] Processing config
> >  I: 01launchpad-chroot: [trusty-amd64-sbuild] Already up to date.
> >  I: 90apt-sources: setting apt pockets to 'release security updates proposed' in sources.list
> >  I: 90apt-sources: setting apt components to 'main restricted' in sources.list
> >
> > Confirming that the hook has checked the chroot currently matches with
> > what Launchpad uses and telling you that the sources.list in the build
> > environment contains all the pockets (but backports) and the main and
> > restricted components.
> >
> >
> > In theory the only noticeable difference between a build environment
> > created by sbuild-launchpad-chroot and the real thing is that you'll
> > have internet connectivity from inside the chroot (but I'm working on
> > also emulating that part of the LP build environment) and that you'll be
> > running with a newer version of sbuild than what's used on the real
> > buildds.
> >
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> >
> 
> 
> 
> -- 
> Robert Collins <rbtcollins at hp.com>
> Distinguished Technologist
> HP Converged Cloud

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
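
The veth-pair-plus-iptables option mentioned at the top of this message, as an added example that is not part of the original thread or of sbuild-launchpad-chroot. The namespace name, interface names, addresses and the archive IP are all assumptions (the IP is a documentation placeholder), and the script only prints its commands unless told otherwise.

```shell
#!/bin/sh
# Added example; every name and address here is an assumption, not from the thread.
NS=sbuild-net             # hypothetical namespace name
ARCHIVE_IP=192.0.2.10     # placeholder (TEST-NET-1): replace with your mirror's address
HOST_IF=veth-sb0          # host end of the veth pair
NS_IF=veth-sb1            # end moved into the namespace
HOST_ADDR=10.200.0.1
NS_ADDR=10.200.0.2

# Dry run by default: each command is printed, not executed.
# To apply for real, run as root with RUN set to the empty string.
RUN=${RUN-echo}

setup_netns() {
    $RUN ip netns add "$NS"
    $RUN ip link add "$HOST_IF" type veth peer name "$NS_IF"
    $RUN ip link set "$NS_IF" netns "$NS"
    $RUN ip addr add "$HOST_ADDR/30" dev "$HOST_IF"
    $RUN ip link set "$HOST_IF" up
    $RUN ip netns exec "$NS" ip addr add "$NS_ADDR/30" dev "$NS_IF"
    $RUN ip netns exec "$NS" ip link set "$NS_IF" up
    $RUN ip netns exec "$NS" ip link set lo up
    $RUN ip netns exec "$NS" ip route add default via "$HOST_ADDR"
}

filter_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Allow HTTP to the archive and its replies; rule order matters, DROP goes last.
    $RUN iptables -A FORWARD -i "$HOST_IF" -d "$ARCHIVE_IP" -p tcp --dport 80 -j ACCEPT
    $RUN iptables -A FORWARD -o "$HOST_IF" -s "$ARCHIVE_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$HOST_IF" -j DROP
    # Keep the namespace away from services on the host itself.
    $RUN iptables -A INPUT -i "$HOST_IF" -j DROP
    $RUN iptables -t nat -A POSTROUTING -s "$NS_ADDR" -d "$ARCHIVE_IP" -j MASQUERADE
    # DNS is dropped too, so the chroot needs the mirror in /etc/hosts
    # or an IP address in sources.list.
}

plan() { setup_netns; filter_rules; }

plan
```

A build would then be started inside the namespace with `ip netns exec`, which is also an assumption about how this could be wired up rather than something schroot did at the time of the thread.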