-rw-r--r-- | continuous_integration/debian_bookworm_setup.mdwn | 249 | ||||
-rw-r--r-- | continuous_integration/debian_buster_setup.mdwn | 2 | ||||
-rw-r--r-- | virtual_host_server.mdwn | 98 |
3 files changed, 347 insertions, 2 deletions
diff --git a/continuous_integration/debian_bookworm_setup.mdwn b/continuous_integration/debian_bookworm_setup.mdwn
new file mode 100644
index 0000000..36cc145
--- /dev/null
+++ b/continuous_integration/debian_bookworm_setup.mdwn
@@ -0,0 +1,249 @@
+[[!meta title="Continuous Integration Debian Bookworm Setup"]]
+[[!meta author="Kyllikki"]]
+[[!meta date="2024-05-01T12:46:14Z"]]
+
+
+[[!toc]]
+
+## Debian 12 (Bookworm) OS install
+
+### amd64 VDS install
+
+[[Virtual server setup|virtual_host_server]]
+
+Install minimal system direct from `https://deb.debian.org/debian/dists/bookworm/main/installer-amd64/` ensure virtual server is booting from UEFI using a modern chipset (Q35)
+
+Debian Installer Config options:
+
+- In the "role" selection select "ssh server" and "system utilities" only.
+- The whole disc default partitioning is fine
+- The base user the install insists on creating should be the netsurf user.
+
+
+Once installed:
+
+- edit /etc/default/grub
+
+ GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+
+as root update grub
+
+ update-grub2
+
+### arm64 VDS install
+
+[[ARM64 virtual server setup|virtual_host_server_arm64]]
+
+Once installed:
+
+- create netsurf user
+- install sudo package and add netsurf user to sudo group
+- edit /etc/inittab comment pty 3 through 6 and uncomment serial T0
+- enable backports
+
+`echo "deb `[`http://http.debian.net/debian`](http://http.debian.net/debian)` buster-backports main" > /etc/apt/sources.list.d/backports.list`
+`apt-get update`
+
+
+## Packaged CI worker install
+
+Do a base OS install
+
+The recommended hostname for CI workers is "nsciworker17" this allows us
+to clearly identify CI worker nodes. Note historically we have used
+"cislave1" which has been objected to by several users. See
+[[changing hostname|https://wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+On master jenkins use "manage nodes" to create new node. Ensure "remote
+fs root" is set to /var/lib/jenkins add variable JENKINS\_HOME set to
+/var/lib/jenkins
+
+Note: replace arm64 with architecture name as required (armhf etc.)
+
+As superuser:
+
+create jenkins user
+
+ adduser --system --group --home /var/lib/jenkins/ --disabled-login jenkins
+
+Install https transport
+
+ apt-get install apt-transport-https
+
+Add CI server repo to slave apt sources
+
+ echo "deb [allow-insecure=yes] https://ci.netsurf-browser.org/debian/ bookworm/amd64/" >> /etc/apt/sources.list.d/netsurf-browser.list
+
+update repos
+
+ apt-get update
+
+install ci worker package. accept the large package list and the
+ unsigned package install for ns-ci-slave
+
+ apt-get install ns-ci-worker
+
+edit /etc/default/ns-ci-worker to set the correct url and secret parameters
+
+ensure /opt is setup correctly to allow toolchains to be built on the node
+
+ mkdir -p /opt/netsurf
+ chown jenkins:jenkins /opt/netsurf
+
+become jenkins user
+
+ su -s/bin/bash - jenkins
+
+create ssh keypair (accept defaults - no password)
+
+ ssh-keygen -t rsa -C "netsurf@nsciworker12.netsurf-browser.org"
+
+copy .ssh/id\_rsa.pub from worker to jenkins master node and append
+ to /home/netsurf/.ssh/authorized\_keys
+
+ scp /home/jenkins/.ssh/id_rsa.pub netsurf@ci.netsurf-browser.org:nsciworker12_id_rsa.pub
+
+exit jenkins user shell
+
+start CI worker daemon
+
+ systemctl start ns-ci-worker.service
+
+
+
+## Pbuilder setup
+
+This allows a worker to build Debian packages. The worker should be
+installed as a normal CI worker node and then:
+
+as superuser on node:
+
+ # apt-get install pbuilder
+ # addgroup pbuilder
+ # addgroup jenkins pbuilder
+
+create /etc/sudoers.d/pbuilder
+
+ jenkins ALL = NOPASSWD:/usr/sbin/pbuilder
+
+`visudo` and alter Defaults
+
+ Defaults env_reset,env_keep="DIST ARCH"
+
+replace `/etc/pbuilderrc`
+
+ # this is your configuration file for pbuilder.
+ # the file in /usr/share/pbuilder/pbuilderrc is the default template.
+ # /etc/pbuilderrc is the one meant for overwriting defaults in
+ # the default template
+ #
+ # read pbuilderrc.5 document for notes on specific options.
+
+ # List of Debian suites.
+ DEBIAN_SUITES=("sid", "buster", "jessie", "wheezy", "squeeze")
+
+ # List of Ubuntu suites.
+ UBUNTU_SUITES=("vivid" "utopic" "trusty" "saucy" "raring" "quantal" "precise" "oneiric" "natty" "lucid" "hardy")
+
+ # Mirrors to use. Update these to your preferred mirror.
+ DEBIAN_MIRROR="ftp.uk.debian.org"
+ UBUNTU_MIRROR="mirrors.kernel.org"
+
+ # set a default distribution if none is used.
+ : ${DIST:="$(lsb_release --short --codename)"}
+
+ # set the architecture to the host architecture if none set.
+ : ${ARCH:="$(dpkg --print-architecture)"}
+
+ NAME="$DIST"
+ if [ -n "${ARCH}" ]; then
+ NAME="$NAME-$ARCH"
+ DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")
+ fi
+ BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"
+ DISTRIBUTION="$DIST"
+ BUILDRESULT="/var/cache/pbuilder/$NAME/result/"
+ APTCACHE="/var/cache/pbuilder/$NAME/aptcache/"
+ BUILDPLACE="/var/cache/pbuilder/build/"
+
+ if $(echo ${DEBIAN_SUITES[@]} | grep -q $DIST); then
+ # Debian configuration
+ MIRRORSITE="http://$DEBIAN_MIRROR/debian/"
+ COMPONENTS="main contrib non-free"
+ if $(echo "$STABLE_CODENAME stable" | grep -q $DIST); then
+ OTHERMIRROR="$OTHERMIRROR | deb $MIRRORSITE $STABLE_BACKPORTS_SUITE $COMPONENTS"
+ fi
+ elif $(echo ${UBUNTU_SUITES[@]} | grep -q $DIST); then
+ # Ubuntu configuration
+ MIRRORSITE="http://$UBUNTU_MIRROR/ubuntu/"
+ COMPONENTS="main restricted universe multiverse"
+ else
+ echo "Unknown distribution: $DIST"
+ exit 1
+ fi
+
+The architecture is assumed to be the native one from
+
+ dpkg --print-architecture
+
+This can be set by passing ARCH to pbuilder (useful for i386 maybe?)
+
+for each distribution this node will build for:
+
+create pbuilder result directory and set ownership permissions
+
+ # mkdir -p /var/cache/pbuilder/buster-armhf/result
+ # chown root:pbuilder /var/cache/pbuilder/buster-armhf/result
+ # chmod g+w /var/cache/pbuilder/buster-armhf/result
+
+become jenkins user
+
+ su -s/bin/bash - jenkins
+
+create pbuilder base for distribution
+
+ sudo DIST=buster pbuilder create
+
+if desired additional packages and config can be made to the base with
+
+`sudo DIST=buster pbuilder login --save-after-login`
+
+## distcc worker node
+
+Do a basic OS install but \*not\* a CI worker setup.
+
+A recommended hostname for distcc worker is something like "cicpu0" this
+allows us to use systems as processing node for other purposes than just
+distcc in future. See debians
+[[changing hostname|https://wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+The Netsurf repository has necessary updated packages in it and can be
+accessed by doing the following:
+
+Add CI server repo to worker apt sources
+
+ echo "deb https://ci.netsurf-browser.org/builds/debian/ buster/amd64/" >> /etc/apt/sources.list
+
+update repos
+
+ apt-get update
+
+use apt to install these packages:
+
+ build-essential
+ gcc
+ clang
+ distcc
+
+edit /etc/default/distcc
+
+ STARTDISTCC="true"
+ ALLOWEDNETS="192.168.211.0/24"
+ LISTEN="0.0.0.0"
+ JOBS="8"
+
+start the service
+
+ service distcc start
+
+ensure the client has hosts set to use the new worker
diff --git a/continuous_integration/debian_buster_setup.mdwn b/continuous_integration/debian_buster_setup.mdwn
index b216b14..e4a4d8d 100644
--- a/continuous_integration/debian_buster_setup.mdwn
+++ b/continuous_integration/debian_buster_setup.mdwn
@@ -5,7 +5,7 @@ [[!toc]]
-## Debian 9 (Buster) OS install
+## Debian 10 (Buster) OS install
 ### amd64 VDS install from media
diff --git a/virtual_host_server.mdwn b/virtual_host_server.mdwn
index 4fccfc5..59579ba 100644
--- a/virtual_host_server.mdwn
+++ b/virtual_host_server.mdwn
@@ -8,7 +8,12 @@ virtual host services for the NetSurf project is currently named phoenix. Access is \*only\* via the NetSurf VPN. For VPN access contact vince@netsurf-browser.org Developers can also use their ssh key access to ci.netsurf-browser.org and on from there
-phoenix IP address is currently 192.168.211.50 if the DNS is unavailable
+if the DNS is unavailable IP address are:
+
+ phoenix 192.168.211.50
+ phoenixii 192.168.211.51
+ phoenixiii 192.168.211.52
+ phoenixiv 192.168.211.53
 Creating a new VPS
 ------------------
@@ -89,3 +94,94 @@ You can either use virsh on phoenix to directly admin consoles or alternatively use virt-admin over the VPN which is by far the easier option.
+Setup
+-----
+
+Phoenix is currently in its fourth iteration (phoenixiv) which is a
+supermicro 1u dual socket E5-2680v2 with 64G of DDR3 memory.
+
+### Network
+
+network configuration is a l2tp tunnel over a wireguard point to point link.
+
+to setup a new wireguard link:
+
+on ci.netsurf-browser.org:
+
+might need to update dnsmasq interfaces
+
+ # cd /etc/wireguard/
+ # umask 077; wg genkey | tee phoenixiv.key | wg pubkey > phoenixiv.pub
+ # echo "" >>wg0.conf
+ # echo "# phoenixiv peer" >> wg0.conf
+ # echo "[Peer]" >> wg0.conf
+ # echo "PublicKey = $(cat phoenixiv.pub)" >> wg0.conf
+ # echo "AllowedIPs = 172.16.100.4/32 >> wg0.conf
+
+edit `/etc/network/interfaces.d/wg0` to add `post-up` and `pre-down` entries for the additional l2tp link
+
+edit `firewall.sh` to add l2tp ingress port e.g. 5002
+
+on the remote system:
+
+install wireguard and bridge-utils
+
+`/etc/network/interfaces.d/br0` create a bridge on br0 which the l2tp link is inserted into when it comes up
+
+ auto br0
+ iface br0 inet static
+ bridge_ports tap_netsurf
+ address 192.168.211.53
+ netmask 255.255.255.0
+ network 192.168.211.0
+ broadcast 192.168.211.255
+ bridge_fd 9
+ bridge_hello 2
+ bridge_maxage 12
+ bridge_stp off
+
+
+`/etc/network/interfaces.d/wg0` creates the wireguard link
+
+ auto wg0
+ iface wg0 inet static
+ address 172.16.100.4/24
+
+ pre-up ip link add $IFACE type wireguard
+
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+
+ post-up ip l2tp add tunnel tunnel_id 8000 peer_tunnel_id 7000 encap udp local 172.16.100.4 remote 172.16.100.1 udp_sport 6002 udp_dport 5002
+ post-up ip l2tp add session tunnel_id 8000 session_id 6000 peer_session_id 5000 name l2tpphoenixiv
+ post-up ip link set l2tpphoenixiv up mtu 1500
+ post-up brctl addif br0 l2tpphoenixiv
+
+ pre-down brctl delif br0 l2tpphoenixiv
+ pre-down ip l2tp del tunnel tunnel_id 8000
+
+ post-down ip link del $IFACE
+
+
+`/etc/wireguard/wg0.conf` configures the remote client
+
+ [Interface]
+
+ PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
+
+ [Peer]
+
+ PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
+
+ AllowedIPs = 172.16.100.0/24
+
+ # endpoint is ip address as dns not available here
+ # ci.netsurf-browser.org = 93.93.129.191
+ Endpoint = 93.93.129.191:51820
+ PersistentKeepalive = 20
+
+
+### virtualisation
+
+ # apt install --no-install-recommends qemu-system libvirt-clients libvirt-daemon-system ovmf
+ # adduser vince libvirt
+
|