On Monday, November 25, 2024 4:57:50 PM MST Soren Stoutner wrote:
> On Saturday, November 23, 2024 2:20:45 PM MST Philipp Kern wrote:
> > The news are collected on https://wiki.debian.org/DeveloperNews
> > Please contribute short news about your work/plans/subproject.
> >
> > In this issue:
> > + Debian buildds are using sbuild with unshare now
> > + sbuild chroot manager for unshare backend users
> > + Building packages with make --shuffle
> > + debian.org: Support for Security Key-backed SSH keys
> >
> > Debian buildds are using sbuild with unshare now
> > ------------------------------------------------
> >
> > The wanna-build team switched all buildds to the sbuild unshare backend
> > for trixie/sid/experimental plus *-backports. This means that official
> > Debian builds now run as non-root user and rely on user namespaces
> > instead of schroot. In addition this blocks any network access during
> > the build as per Debian policy 4.9.
> >
> > Prior to the switch Santiago Vila did test rebuilds of all packages and
> > bugs have been filed:
> >
> > https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=unshare;users=debian-wb-team@lists.debian.org
> >
> > Help is welcome to fix the remaining bugs.
> >
> > We recommend all developers to use sbuild with unshare as well.
> > Notes on how to set it up as well as hints for custom usage are collected
> > on the Wiki:
> >
> > https://wiki.debian.org/sbuild
>
> I am not able to get the example unshare .sbuildrc to work with piuparts.
>
> 0m0.0s DEBUG: Unpacking /home/soren/.cache/sbuild/unstable-amd64.tar.xz into /tmp/tmplbhnn26l
> 0m0.0s DEBUG: Starting command: ['tar', '-C', '/tmp/tmplbhnn26l', '--auto-compress', '-xf', '/home/soren/.cache/sbuild/unstable-amd64.tar.xz']
> 0m0.5s DUMP:
> tar: ./dev/console: Cannot mknod: Operation not permitted
> tar: ./dev/full: Cannot mknod: Operation not permitted
> tar: ./dev/null: Cannot mknod: Operation not permitted
> tar: ./dev/ptmx: Cannot mknod: Operation not permitted
> tar: ./dev/random: Cannot mknod: Operation not permitted
> tar: ./dev/tty: Cannot mknod: Operation not permitted
> tar: ./dev/urandom: Cannot mknod: Operation not permitted
> tar: ./dev/zero: Cannot mknod: Operation not permitted
> tar: Exiting with failure status due to previous errors
>
> Does anyone have any pointers as to the root of the problem?

I suppose I should note that I have made a few modifications to the example file
because it wasn’t behaving as expected. Specifically, I disabled the
mmdebstrap auto create because otherwise it was ignoring the tarball I had
created in the previous steps (including the apt-cacher-ng setting) and
creating a new tarball pulling straight from the internet at each build, at
each run of lintian, and at each run of piuparts. I also had to specify the
distribution or things didn’t work when building against a changelog that
is targeting UNRELEASED.

Piuparts is fine if I let it generate its own tarball on each run. But it
doesn’t like using the tarball previously created.

# Set the chroot mode to be unshare.
$chroot_mode = 'unshare';

# Exit to a shell on command failures.
$external_commands = { "build-failed-commands" => [ [ '%SBUILD_SHELL' ] ] };

# Specify the distribution, -d
$distribution = 'unstable';

# Use an existing tarball instead of creating one each time.
$unshare_mmdebstrap_auto_create = 0;

## run lintian after every build (in the same chroot as the build): use --no-run-lintian to override
$run_lintian = 1;
# pass any lintian options
$lintian_opts=['--info', '--display-info', '--verbose', '--fail-on','error,warning'];

## run autopkgtest after every build (in a new, clean, chroot): use --no-run-autopkgtest to override
$run_autopkgtest = 1;
# use 'unshare' for autopkgtests
$autopkgtest_root_args = [''];
$autopkgtest_opts = ['--apt-upgrade', '--', 'unshare', '--release', '%r', '--arch', '%a' ];

## run piuparts after every build (in a new, clean, chroot): use --no-run-piuparts to override
# this does not work in bookworm
$run_piuparts = 1;
$piuparts_root_args = ['PATH=/usr/sbin:/usr/bin', 'unshare', '--pid', '--fork', '--mount-proc', '--map-root-user', '--map-auto'];
$piuparts_opts = ["--basetgz=$HOME/.cache/sbuild/%r-%a.tar.xz", '--no-eatmydata', '--fake-essential-packages=systemd-sysv', '--distribution=%r'];

--
Soren Stoutner
soren@debian.org
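
Added example (not part of the message above, and not code from sbuild or piuparts): every tar error in the quoted log is a failed mknod on a device node under ./dev. The Python below lists the device-node members of a chroot tarball, which are the entries tar has to create with mknod(2); the function names and the in-memory sample tarball are constructed for illustration.

```python
import io
import tarfile

# Tar member types that tar materialises with mknod(2) on extraction.
# Creating such nodes needs CAP_MKNOD in the initial user namespace.
DEVICE_TYPES = {tarfile.CHRTYPE: "char", tarfile.BLKTYPE: "block"}


def device_members(tar_bytes):
    """Return (name, kind, major, minor) for every device node in a tarball."""
    found = []
    # Mode "r:*" lets tarfile detect the compression (xz, gz, none) itself.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            kind = DEVICE_TYPES.get(member.type)
            if kind:
                found.append((member.name, kind, member.devmajor, member.devminor))
    return found


def build_sample_tarball():
    """Constructed sample: a tiny chroot-like .tar.xz, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        # A regular file, which any user can extract.
        data = b"trixie/sid\n"
        info = tarfile.TarInfo("./etc/debian_version")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        # Character devices like those named in the log (standard Linux numbers).
        for name, major, minor in (("null", 1, 3), ("zero", 1, 5), ("urandom", 1, 9)):
            dev = tarfile.TarInfo(f"./dev/{name}")
            dev.type = tarfile.CHRTYPE
            dev.mode = 0o666
            dev.devmajor, dev.devminor = major, minor
            tar.addfile(dev)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind, major, minor in device_members(build_sample_tarball()):
        print(f"{name}: {kind} device {major},{minor}")
```

To inspect a real tarball, pass the bytes of the file to device_members(); an empty result means the archive contains no entries that need mknod.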