Difference between pages "Funtoo:Keychain" and "Funtoo:Metro"

From Funtoo
 
 
Line 1: Line 1:
{{Article
{{#layout:doc}}{{#widget:AddThis}}[[Metro]] is the build system for Funtoo Linux and [[Gentoo Linux]] stages. It automates the bootstrapping process.
|Subtitle=Official Project Page
 
|Summary=Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. Download and learn how to use Keychain on your Linux, Unix or MacOS system.
This tutorial will take you through installing, setting up and running [[Metro]].
|Keywords=keychain,ssh,rsa,dsa,gpg,linux,gentoo,macos,download,source code
 
|Author=Drobbins
These other Metro documents are also available:
 
{{#ask: [[Category:Metro]]
|format=ul
}}
}}
<tt>Keychain</tt> helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to <tt>ssh-agent</tt> and <tt>ssh-add</tt>, but allows you to easily have one long running <tt>ssh-agent</tt> process per system, rather than the norm of one <tt>ssh-agent</tt> per login session.


This dramatically reduces the number of times you need to enter your passphrase. With <tt>keychain</tt>, you only need to enter a passphrase once every time your local machine is rebooted. <tt>Keychain</tt> also makes it easy for remote cron jobs to securely "hook in" to a long-running <tt>ssh-agent</tt> process, allowing your scripts to take advantage of key-based logins.
= Preface =
 
== How Metro Works ==


Those who are new to OpenSSH and the use of public/private keys for authentication may want to check out the following articles by Daniel Robbins, which will provide a gentle introduction to the concepts used by Keychain:
Metro is the Funtoo Linux automated build system, and is used to build Funtoo Linux stage tarballs.
* [[OpenSSH Key Management, Part 1]]
* [[OpenSSH Key Management, Part 2]]
* [[OpenSSH Key Management, Part 3]]


== Download and Resources ==
[[Metro]] cannot create a stage tarball out of thin air. To build a new stage tarball, [[Metro]] must use an existing, older stage tarball called a "seed" stage. This seed stage typically is used as the ''build environment'' for creating the stage we want.


The latest release of keychain is version <tt>2.7.2_beta1</tt>, and was released on July 7, 2014. The current version of keychain supports <tt>gpg-agent</tt> as well as <tt>ssh-agent</tt>.
[[Metro]] can use two kinds of seed stages. Traditionally, [[Metro]] has used a stage3 as a seed stage. This stage3 is then used to build a new stage1, which in turn is used to build a new stage2, and then a new stage3. This is generally the most reliable way to build [[Gentoo Linux]] or Funtoo Linux, so it's the recommended approach.
{{fancyimportant|'''After switching metro builds to Funtoo profile, Gentoo stages are no longer provided'''!}}


Keychain is compatible with many operating systems, including <tt>AIX</tt>, <tt>*BSD</tt>, <tt>Cygwin</tt>, <tt>MacOS X</tt>, <tt>Linux</tt>, <tt>HP/UX</tt>, <tt>Tru64 UNIX</tt>, <tt>IRIX</tt>, <tt>Solaris</tt> and <tt>GNU Hurd</tt>.
== Seeds and Build Isolation ==


=== Download ===
Another important concept to mention here is something called ''build isolation''. Because [[Metro]] creates an isolated build environment, and the build environment is explicitly defined using existing, tangible entities -- a seed stage and a portage snapshot -- you will get consistent, repeatable results. In other words, the same seed stage, portage snapshot and build instructions will generate an essentially identical result, even if you perform the build a month later on someone else's workstation.


* ''Release Archive''
== Local Build ==
** [http://www.funtoo.org/distfiles/keychain/keychain-2.7.2_beta1.tar.bz2 keychain 2.7.2_beta1]
** [http://www.funtoo.org/distfiles/keychain/keychain-2.7.1.tar.bz2 keychain 2.7.1]


* ''Apple MacOS X Packages''
Say you wanted to build a new <tt>pentium4</tt> stage3 tarball. The recommended method of doing this would be to grab an existing <tt>pentium4</tt> stage3 tarball to use as your seed stage. [[Metro]] will be told to use this existing <tt>pentium4</tt> stage3 to build a new stage1 for the same <tt>pentium4</tt>. For this process, the generic <tt>pentium4</tt> stage3 would provide the ''build environment'' for creating our new stage1. Then, the new stage1 would serve as the build environment for creating the new <tt>pentium4</tt> stage2. And the new <tt>pentium4</tt> stage2 would serve as the build environment for creating the new <tt>pentium4</tt> stage3.
** [http://www.funtoo.org/distfiles/keychain/keychain-2.7.1-macosx.tar.gz keychain 2.7.1 MacOS X package]


Keychain development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [https://bugs.funtoo.org Funtoo Linux bug tracker] and [irc://irc.freenode.net/funtoo #funtoo irc channel] for keychain support questions as well as bug reports.
In the [[Metro]] terminology this is called a '''local build''', which means a stage3 of a given architecture is used to seed a brand new build of the same architecture. Incidentally this will be the first exercise we are going to perform in this tutorial.


=== Project History ===
A week later, you may want to build a brand new <tt>pentium4</tt> stage3 tarball. Rather than starting from the original <tt>pentium4</tt> stage3 again, you'd probably configure [[Metro]] to use the most-recently-built <tt>pentium4</tt> stage3 as the seed. [[Metro]] has built-in functionality to make this easy, allowing it to easily find and track the most recent stage3 seed available.


Daniel Robbins originally wrote <tt>keychain</tt> 1.0 through 2.0.3. 1.0 was written around June 2001, and 2.0.3 was released in late August, 2002.
== Remote Build ==


After 2.0.3, <tt>keychain</tt> was maintained by various Gentoo developers, including Seth Chandler, Mike Frysinger and Robin H. Johnson, through July 3, 2003.
[[Metro]] can also perform a '''remote build''', where a stage3 of a different, but binary compatible, architecture is used as a seed to build a different architecture stage3. Consequently, the second exercise we are going to perform in this tutorial will be to build a <tt>core2 32bit</tt> stage3 tarball from the <tt>pentium4</tt> stage3 tarball we have just built.


On April 21, 2004, Aron Griffis committed a major rewrite of <tt>keychain</tt> which was released as 2.2.0. Aron continued to actively maintain and improve <tt>keychain</tt> through October 2006 and the <tt>keychain</tt> 2.6.8 release. He also made a few commits after that date, up through mid-July, 2007. At this point, <tt>keychain</tt> had reached a point of maturity.
TODO: add caveats about what archs can be seeded and what can be not (maybe a table?)


In mid-July, 2009, Daniel Robbins migrated Aron's mercurial repository to git and set up a new project page on funtoo.org, and made a few bug fix commits to the git repo that had been collecting in [http://bugs.gentoo.org bugs.gentoo.org]. Daniel continues to maintain <tt>keychain</tt> and supporting documentation on funtoo.org, and plans to make regular maintenance releases of <tt>keychain</tt> as needed.
== Tailored Build ==


== Quick Setup ==
Last, it's also worth noting that in both <tt>local</tt> and <tt>remote builds</tt>, [[Metro]] can be configured to add and/or remove individual packages to the final tarball.
Let's say you can't live without <tt>app-misc/screen</tt>: at the end of this tutorial, we will show how to have your tailored stage3 include it.


=== Linux ===
== Installing Metro ==
 
'''The recommended and supported method''' is to use the Git repository of [[Metro]]. 
 
Ensure that {{Package|dev-vcs/git}} and {{Package|dev-python/boto}} (optional; required for EC2 support) are installed on your system:


To install under Gentoo or Funtoo Linux, type
<console>
<console>
###i## emerge keychain
# ##i##emerge dev-vcs/git
# ##i##emerge dev-python/boto
</console>
</console>


For other Linux distributions, use your distribution's package manager, or download and install using the source tarball above. Then generate RSA/DSA keys if necessary. The quick install docs assume you have a DSA key pair named <tt>id_dsa</tt> and <tt>id_dsa.pub</tt> in your <tt>~/.ssh/</tt> directory. Add the following to your <tt>~/.bash_profile</tt>:
Next, clone the master git repository as follows:
 
<console>
# ##i##cd /root
# ##i##git clone git://github.com/funtoo/metro.git
# ##i##cp /root/metro/metro.conf ~/.metro
</console>
 
You will now have a directory called <tt>/root/metro</tt> that contains all the [[Metro]] source code.
 
Metro is now installed. It's time to customize it for your local system.
 
= Configuring Metro =
 
{{Note|Metro is not currently able to build Gentoo stages. See {{Bug|FL-901}}.}}
 
[[User:Drobbins|Daniel Robbins]] maintains [[Metro]], so it comes pre-configured to successfully build Funtoo Linux releases. Before reading further, you might want to customize some basic settings like the number of concurrent jobs to fit your hardware's capabilities or the directory to use for produced stage archives. This is accomplished by editing <tt>~/.metro</tt>, which is [[Metro]]'s master configuration file.
 
Please note that <code>path/install</code> must point to where metro was installed. Point <code>path/distfiles</code> to where your distfiles reside. Also set <code>path/mirror/owner</code> and <code>path/mirror/group</code> to the owner and group of all the files that will be written to the build repository directory, which by default (as per the configuration file) is at <code>/home/mirror/funtoo</code>. The cache directory normally resides inside the temp directory -- this can be modified as desired. The cache directory can end up holding many cached .tbz2 packages, and eat up a lot of storage. You may want to place the temp directory on faster storage, for faster compile times, and place the cache directory on slower, but more plentiful storage.
 
{{file|name=.metro|desc=Metro configuration|body=
# Main metro configuration file - these settings need to be tailored to your install:
 
[section path]
install: /root/metro
tmp: /var/tmp/metro
cache: $[path/tmp]/cache
distfiles: /var/src/distfiles
work: $[path/tmp]/work/$[target/build]/$[target/name]
 
[section path/mirror]
 
: /home/mirror/funtoo
owner: root
group: repomgr
dirmode: 775
 
[section portage]
 
MAKEOPTS: auto
 
[section emerge]


{{file|name=~/.bash_profile|body=
options: --jobs=4 --load-average=4 --keep-going=n
eval `keychain --eval --agents ssh id_rsa`
 
# This line should not be modified:
[collect $[path/install]/etc/master.conf]
}}
}}


If you want to take advantage of GPG functionality, ensure that GNU Privacy Guard is installed and omit the <tt>--agents ssh</tt> option above.
== Arch and Subarch ==
 
In the following example we are creating a pentium4 stage 3 compiled for x86-32bit binary compatibility. Pentium4 is a subarch of the x86-32bit architecture. Once you have metro installed you can find a full list of subarches in your <tt>/root/metro/subarch</tt> directory; each subarch has the file extension <tt>.spec</tt>.
Example:
<console>
###i## ls /root/metro/subarch
# ls subarch/
amd64-bulldozer-pure64.spec  armv7a.spec          core-avx-i.spec        i686.spec        pentium.spec
amd64-bulldozer.spec        armv7a_hardfp.spec  core2_32.spec          k6-2.spec        pentium2.spec
amd64-k10-pure64.spec        athlon-4.spec        core2_64-pure64.spec    k6-3.spec        pentium3.spec
amd64-k10.spec              athlon-mp.spec      core2_64.spec          k6.spec          pentium4.spec
amd64-k8+sse3.spec          athlon-tbird.spec    corei7-pure64.spec      native_32.spec    pentiumpro.spec
amd64-k8+sse3_32.spec        athlon-xp.spec      corei7.spec            native_64.spec    prescott.spec
amd64-k8-pure64.spec        athlon.spec          generic_32.spec        niagara.spec      ultrasparc.spec
amd64-k8.spec                atom_32.spec        generic_64-pure64.spec  niagara2.spec    ultrasparc3.spec
amd64-k8_32.spec            atom_64-pure64.spec  generic_64.spec        nocona.spec      xen-pentium4+sse3.spec
armv5te.spec                atom_64.spec        generic_sparcv9.spec    opteron_64.spec  xen-pentium4+sse3_64.spec
armv6j.spec                  btver1.spec          geode.spec              pentium-m.spec
armv6j_hardfp.spec          btver1_64.spec      i486.spec              pentium-mmx.spec
</console>


=== Apple MacOS X ===
= First stages build (local build) =


To install under MacOS X, install the MacOS X package for keychain. Assuming you have an <tt>id_dsa</tt> and <tt>id_dsa.pub</tt> key pair in your <tt>~/.ssh/</tt> directory, add the following to your <tt>~/.bash_profile</tt>:
To get this all started, we need to bootstrap the process by downloading an initial seed stage3 to use for building and place it in its proper location in <tt>/home/mirror/funtoo</tt>, so that [[Metro]] can find it. We will also need to create some special "control" files in <tt>/home/mirror/funtoo</tt>, which will allow [[Metro]] to understand how it is supposed to proceed.


{{file|name=~/.bash_profile|body=
== Step 1: Set up pentium4 repository (local build) ==
eval `keychain --eval --agents ssh --inherit any id_dsa`
 
}}
Assuming we're following the basic steps outlined in the previous section, and building an unstable funtoo (<tt>funtoo-current</tt>) build for the <tt>pentium4</tt>, using a generic <tt>pentium4</tt> stage3 as a seed stage, then here is the first set of steps we'd perform:
 
<console>
# ##i##install -d /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
# ##i##install -d /home/mirror/funtoo/funtoo-current/snapshots
# ##i##cd /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
# ##i##install -d 2011-12-13
# ##i##cd 2011-12-13
# ##i##wget -c http://ftp.osuosl.org/pub/funtoo/funtoo-current/x86-32bit/pentium4/2011-12-13/stage3-pentium4-funtoo-current-2011-12-13.tar.xz
# ##i##cd ..
# ##i##install -d .control/version
# ##i##echo "2011-12-13" > .control/version/stage3
# ##i##install -d .control/strategy
# ##i##echo local >  .control/strategy/build
# ##i##echo stage3 > .control/strategy/seed
</console>
 
OK, let's review the steps above. First, we create the directory <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4</tt>, which is where Metro will expect to find unstable <tt>funtoo-current</tt> pentium4 builds -- it is configured to look here by default. Then we create a specially-named directory to house our seed x86 stage3. Again, by default, Metro expects the directory to be named this way. We enter this directory, and download our seed x86 stage3 from funtoo.org. Note that the <tt>2010-12-24</tt> version stamp matches. Make sure that your directory name matches the stage3 name too. Everything has been set up to match Metro's default filesystem layout.
 
Next, we go back to the <tt>/home/mirror/metro/funtoo-current/x86-32bit/pentium4</tt> directory, and inside it, we create a <tt>.control</tt> directory. This directory and its subdirectories contain special files that Metro references to determine certain aspects of its behavior. The <tt>.control/version/stage3</tt> file is used by Metro to track the most recently-built stage3 for this particular build and subarch. Metro will automatically update this file with a new version stamp after it successfully builds a new stage3. But because Metro didn't actually ''build'' this stage3, we need to set up the <tt>.control/version/stage3</tt> file manually. This will allow Metro to find our downloaded stage3 when we set up our pentium4 build to use it as a seed. Also note that Metro will create a similar <tt>.control/version/stage1</tt> file after it successfully builds a pentium4 funtoo-current stage1.
 
We also set up <tt>.control/strategy/build</tt> and <tt>.control/strategy/seed</tt> files with values of <tt>local</tt> and <tt>stage3</tt> respectively. These files define the building strategy Metro will use when we build pentium4 funtoo-current stages. With a build strategy of <tt>local</tt>, Metro will source its seed stage from funtoo-current pentium4, the current directory. And with a seed strategy of <tt>stage3</tt>, Metro will use a stage3 as a seed, and use this seed to build a new stage1, stage2 and stage3.
 
== Step 2: Building the pentium4 stages ==
 
Incidentally, if all you wanted to do at this point was to build a new pentium4 funtoo-current stage1/2/3 (plus openvz and vserver templates), you would begin the process by typing:
 
<console>
# ##i##cd /root/metro
# ##i##scripts/ezbuild.sh funtoo-current pentium4
</console>
 
If you have a slow machine, it could take several hours to complete because several "heavy" components like gcc or glibc have to be recompiled in each stage. Once a stage has been successfully completed, it is placed in the <tt>"${METRO_MIRROR}/funtoo-current/x32-bit/pentium4/YYYY-MM-DD"</tt> subdirectory, where <tt>YYYY-MM-DD</tt> is today's date at the time the <tt>ezbuild.sh</tt> script was started or the date you put on the <tt>ezbuild.sh</tt> command line.
 
= Building for another binary compatible architecture (remote build) =
 
As written above, [[Metro]] is able to perform a '''remote build''', building a stage3 for a different architecture from a binary compatible seed stage3 (e.g. using a pentium4 stage3 to seed an <tt>Intel Core2 32bits</tt> stage3).
 
In the Metro terminology this is called a '''remote build''' (a stage 3 of a different, but binary compatible, architecture is used as a seed).
What's not compatible? You can't use a <tt>Sparc</tt> architecture to generate an <tt>x86</tt> or <tt>ARM</tt> based stage and vice-versa. If you use a 32bit stage then you don't want to seed a 64bit build from it. Be sure that you are using a stage from the same architecture that you are trying to seed. Check [http://ftp.osuosl.org/pub/funtoo/funtoo-current/ Funtoo-current FTP Mirror] for a stage that is from the same architecture that you will be building.
 
{{Note|Often, one build (ie. funtoo-current) can be used as a seed for another build such as funtoo-stable. However, hardened builds require hardened stages as seeds in order for the build to complete successfully.}}
 
== Step 1: Set up Core_2 32bit repository ==
 
In this example, we're going to use this pentium4 funtoo-current stage3 to seed a new Core_2 32bit funtoo-current build. To get that done, we need to set up the pentium4 build directory as follows:
 
<console>
# ##i## cd /home/mirror/funtoo/funtoo-current/x86-32bit
# ##i##install -d core2_32
# ##i##cd core2_32
# ##i##install -d .control/strategy
# ##i##echo remote > .control/strategy/build
# ##i##echo stage3 > .control/strategy/seed
# ##i##install -d .control/remote
# ##i##echo funtoo-current > .control/remote/build
# ##i##echo x86-32bit > .control/remote/arch_desc
# ##i##echo pentium4 > .control/remote/subarch
</console>
 
The steps we follow are similar to those we performed for a ''local build'' to set up our pentium4 directory for local build. However, note the differences. We didn't download a stage, because we are going to use the pentium4 stage to build a new Core_2 32bit stage. We also didn't create the <tt>.control/version/stage{1,3}</tt> files because Metro will create them for us after it successfully builds a new stage1 and stage3. We are still using a <tt>stage3</tt> seed strategy, but we've set the build strategy to <tt>remote</tt>, which means that we're going to use a seed stage that's not from this particular subdirectory. Where are we going to get it from? The <tt>.control/remote</tt> directory contains this information, and lets Metro know that it should look for its seed stage3 in the <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4</tt> directory. Which one will it grab? You guessed it -- the most recently built ''stage3'' (since our seed strategy was set to <tt>stage3</tt>) that has the version stamp of <tt>2010-12-24</tt>, as recorded in <tt>/home/mirror/funtoo-current/x86-32bit/pentium4/.control/version/stage</tt>. Now you can see how all those control files come together to direct Metro to do the right thing.
 
{{Note|<code>arch_desc</code> should be set to one of: <code>x86-32bit</code>, <code>x86-64bit</code> or <code>pure64</code> for PC-compatible systems. You must use a 32-bit build as a seed for other 32-bit builds, and a 64-bit build as a seed for other 64-bit builds.}}
 
== Step 2: Building the Core_2 32bit stages ==
 
Now, you could start building your new Core_2 32bit stage1/2/3 (plus openvz and vserver templates) by typing the following:
 
<console>
# ##i##/root/metro/scripts/ezbuild.sh funtoo-current core2_32
</console>
 
In that case, the produced stages are placed in the <tt>/home/mirror/funtoo/funtoo-current/x32-bit/core2_32/YYYY-MM-DD</tt> subdirectory.
 
== Step 3: The Next Build ==
 
At this point, you now have a new Core_2 32bit stage3, built using a "remote" pentium4 stage3. Once the first remote build completes successfully, metro will automatically change <code>.control/strategy/build</code> to be <code>local</code> instead of <code>remote</code>, so it will use the most recently-built Core_2 32bit stage3 as a seed for any new Core_2 32bit builds from now on.
 
= Build your own tailored stage3 =
 
Metro can be easily configured for building custom stage3 by including additional packages. Edit the following configuration file <tt>/root/metro/etc/builds/funtoo-current/build.conf</tt>:
{{file|name=funtoo-current/build.conf|body=
[collect ../../fslayouts/funtoo/layout.conf]
 
[section release]
 
author: Daniel Robbins <drobbins@funtoo.org>
 
[section target]
 
compression: xz


{{Fancynote|The <tt>--inherit any</tt> option above causes keychain to inherit any ssh key passphrases stored in your Apple MacOS Keychain. If you would prefer for this to not happen, then this option can be omitted.}}
[section portage]


=== Fish Shell ===
FEATURES:
SYNC: $[snapshot/source/remote]
USE:


When using the fish shell, the simplest way to call keychain is to source instead of using eval:
[section profile]


{{file|body=
format: new
if status --is-interactive
path: gentoo:funtoo/1.0/linux-gnu
  keychain --eval --quiet -Q id_rsa | source
arch: $[:path]/arch/$[target/arch_desc]
end
build: $[:path]/build/current
}}
flavor: $[:path]/flavor/core
mix-ins:


Alternatively if you wish to still use eval (which really is just a wrapper around piping to source, although it does some job control manipulation that isn't relevant here) you would use
[section version]


{{file|body=
python: 2.7
if status --is-interactive
  set -l IFS # this temporarily clears IFS, which disables the newline-splitting
  eval (keychain --eval --quiet -Q id_rsa)
end
}}


Thanks to Kevin Ballard for this information (See {{Bug|FL-2006}}).
[section emerge]


== Background ==


You're probably familiar with <tt>ssh</tt>, which has become a secure replacement for the venerable <tt>telnet</tt> and <tt>rsh</tt> commands.
[section snapshot]


Typically, when one uses <tt>ssh</tt> to connect to a remote system, one supplies a secret passphrase to <tt>ssh</tt>, which is then passed in encrypted form over the network to the remote server. This passphrase is used by the remote <tt>sshd</tt> server to determine if you should be granted access to the system.
type: live
compression: xz


However, OpenSSH and nearly all other SSH clients and servers have the ability to perform another type of authentication, called asymmetric public key authentication, using the RSA or DSA authentication algorithms. They are very useful, but can also be complicated to use. <tt>keychain</tt> has been designed to make it easy to take advantage of the benefits of RSA and DSA authentication.
[section snapshot/source]


== Generating a Key Pair ==
type: git
branch: funtoo.org
# branch to have checked out for tarball:
branch/tar: origin/master
name: ports-2012
remote: git://github.com/funtoo/ports-2012.git
options: pull


To use RSA and DSA authentication, first you use a program called <tt>ssh-keygen</tt> (included with OpenSSH) to generate a ''key pair'' -- two small files. One of the files is the ''public key''. The other small file contains the ''private key''. <tt>ssh-keygen</tt> will ask you for a passphrase, and this passphrase will be used to encrypt your private key. You will need to supply this passphrase to use your private key. If you wanted to generate a DSA key pair, you would do this:
[section metro]


<console># ##i##ssh-keygen -t dsa
options:
Generating public/private dsa key pair.</console>
options/stage: cache/package
You would then be prompted for a location to store your key pair. If you do not have one currently stored in <tt>~/.ssh</tt>, it is fine to accept the default location:
target: gentoo


<console>Enter file in which to save the key (/root/.ssh/id_dsa): </console>
[section baselayout]
Then, you are prompted for a passphrase. This passphrase is used to encrypt the ''private key'' on disk, so even if it is stolen, it will be difficult for someone else to use it to successfully authenticate as you with any accounts that have been configured to recognize your public key.


Note that conversely, if you '''do not''' provide a passphrase for your private key file, then your private key file '''will not''' be encrypted. This means that if someone steals your private key file, ''they will have the full ability to authenticate with any remote accounts that are set up with your public key.''
services: sshd


Below, I have supplied a passphrase so that my private key file will be encrypted on disk:
[section multi]


<console>Enter passphrase (empty for no passphrase): ##i#########
snapshot: snapshot
Enter same passphrase again: ##i#########
Your identification has been saved in /var/tmp/id_dsa.
Your public key has been saved in /var/tmp/id_dsa.pub.
The key fingerprint is:
5c:13:ff:46:7d:b3:bf:0e:37:1e:5e:8c:7b:a3:88:f4 root@devbox-ve
The key's randomart image is:
+--[ DSA 1024]----+
|          .      |
|          o  . |
|          o . ..o|
|      . . . o  +|
|        S    o. |
|            . o.|
|        .  ..++|
|        . o . =o*|
|        . E .+*.|
+-----------------+</console>


== Setting up Authentication ==
[section files]


Here's how you use these files to authenticate with a remote server. On the remote server, you would append the contents of your ''public key'' to the <tt>~/.ssh/authorized_keys</tt> file, if such a file exists. If it doesn't exist, you can simply create a new <tt>authorized_keys</tt> file in the remote account's <tt>~/.ssh</tt> directory that contains the contents of your local <tt>id_dsa.pub</tt> file.
motd/trailer: [


Then, if you weren't going to use <tt>keychain</tt>, you'd perform the following steps. On your local client, you would start a program called <tt>ssh-agent</tt>, which runs in the background. Then you would use a program called <tt>ssh-add</tt> to tell <tt>ssh-agent</tt> about your secret private key. Then, if you've set up your environment properly, the next time you run <tt>ssh</tt>, it will find <tt>ssh-agent</tt> running, grab the private key that you added to <tt>ssh-agent</tt> using <tt>ssh-add</tt>, and use this key to authenticate with the remote server.
>>> Send suggestions, improvements, bug reports relating to...


Again, the steps in the previous paragraph are what you'd do if <tt>keychain</tt> wasn't around to help. If you are using <tt>keychain</tt>, and I hope you are, you would simply add the following line to your <tt>~/.bash_profile</tt> or, if a regular user, to <tt>~/.bashrc</tt>:
>>> This release:                  $[release/author]
>>> Funtoo Linux (general):        Funtoo Linux (http://www.funtoo.org)
>>> Gentoo Linux (general):        Gentoo Linux (http://www.gentoo.org)
]


{{file|name=~/.bash_profile|body=
[collect ../../multi-targets/$[multi/mode:zap]]
eval `keychain --eval id_dsa`
}}
}}


The next time you log in or source your <tt>~/.bash_profile</tt> or if you use <tt>~/.bashrc</tt>, <tt>keychain</tt> will start, start <tt>ssh-agent</tt> for you if it has not yet been started, use <tt>ssh-add</tt> to add your <tt>id_dsa</tt> private key file to <tt>ssh-agent</tt>, and set up your shell environment so that <tt>ssh</tt> will be able to find <tt>ssh-agent</tt>. If <tt>ssh-agent</tt> is already running, <tt>keychain</tt> will ensure that your <tt>id_dsa</tt> private key has been added to <tt>ssh-agent</tt> and then set up your environment so that <tt>ssh</tt> can find the already-running <tt>ssh-agent</tt>. It will look something like this:
= Building Gentoo stages =
 
Metro can also build Gentoo stages. After switching to the Funtoo profile (see http://www.funtoo.org/Funtoo_Profiles), metro requires additional steps for this. We have an open bug for this -- it is simply due to the fact that we focus on ensuring Funtoo Linux builds and building Gentoo is a lower priority. Historical note: Funtoo Linux originally started as a fork of Gentoo Linux so that metro could reliably build Gentoo stages.
 
= Advanced Features =
 
Metro also includes a number of advanced features that can be used to automate builds and set up distributed build servers. These features require you to {{c|emerge sqlalchemy}}, as SQLite is used as a dependency.
 
== Repository Management ==
 
Metro includes a script in the {{c|scripts}} directory called {{c|buildrepo}}. Buildrepo serves as the heart of Metro's advanced repository management features.
 
=== Initial Setup ===
 
To use {{c|buildrepo}}, you will first need to create a {{f|.buildbot}} configuration file. Here is the file I use on my AMD Jaguar build server:


Note that when <tt>keychain</tt> runs for the first time after your local system has booted, you will be prompted for a passphrase for your private key file if it is encrypted. But here's the nice thing about using <tt>keychain</tt> -- even if you are using an encrypted private key file, you will only need to enter your passphrase when your system first boots (or in the case of a server, when you first log in.) After that, <tt>ssh-agent</tt> is already running and has your decrypted private key cached in memory. So if you open a new shell, you will see something like this:
{{file|name=/root/.buildbot|lang=python|body=
builds = (
"funtoo-current",
"funtoo-current-hardened",
"funtoo-stable",
)


This means that you can now <tt>ssh</tt> to your heart's content, without supplying a passphrase.
arches = (
"x86-64bit",
"pure64"
)


You can also execute batch <tt>cron</tt> jobs and scripts that need to use <tt>ssh</tt> or <tt>scp</tt>, and they can take advantage of passwordless RSA/DSA authentication as well. To do this, you would add the following line to the top of a bash script:
subarches = (
"amd64-jaguar",
"amd64-jaguar-pure64",
)


{{file|name=example-script.sh|body=
def map_build(build, subarch, full, full_date):
eval `keychain --noask --eval id_dsa` || exit 1
    # arguments refer to last build...
    if full == True:
        buildtype =  ( "freshen", )
    else:
        buildtype =  ("full", )
    return buildtype
}}
}}


The extra <tt>--noask</tt> option tells <tt>keychain</tt> that it should not prompt for a passphrase if one is needed. Since it is not running interactively, it is better for the script to fail if the decrypted private key isn't cached in memory via <tt>ssh-agent</tt>.
This file is actually a python source file that defines the tuples {{c|builds}}, {{c|arches}} and {{c|subarches}}. These variables tell {{c|buildrepo}} which builds, arches and subarches it should manage. A {{c|map_build()}} function is also defined which {{c|buildbot}} uses to determine what kind of build to perform. The arguments passed to the function are based on the last successful build. The function can read these arguments and return a string to define the type of the next build. In the above example, the {{c|map_build()}} function will cause the next build after a freshen build to be a full build, and the next build after a full build to be a freshen build, so that the build will alternate between full and freshen.


== Keychain Options ==
== Automated Builds ==


=== Specifying Agents ===
Once the {{c|.buildbot}} file has been created, the {{c|buildrepo}} and {{c|buildbot.sh}} tools are ready to use. Here's how they work. These tools are designed to keep your repository ({{c|path/mirror}} in {{f|/root/.metro}} up-to-date by inspecting your repository and looking for stages that are out-of-date.


In the images above, you will note that <tt>keychain</tt> starts <tt>ssh-agent</tt>, but also starts <tt>gpg-agent</tt>. Modern versions of <tt>keychain</tt> also support caching decrypted GPG keys via use of <tt>gpg-agent</tt>, and will start <tt>gpg-agent</tt> by default if it is available on your system. To avoid this behavior and only start <tt>ssh-agent</tt>, modify your <tt>~/.bash_profile</tt> as follows:
To list the next build that will be performed, do this -- this is from my ARM build server:


{{file|name=~/.bash_profile|body=
{{console|body=
eval `keychain --agents ssh --eval id_dsa` || exit 1
# ##i##./buildrepo nextbuild
build=funtoo-current
arch_desc=arm-32bit
subarch=armv7a_hardfp
fulldate=2015-02-08
nextdate=2015-02-20
failcount=0
target=full
extras=''
}}
}}


The additional <tt>--agents ssh</tt> option tells <tt>keychain</tt> just to manage <tt>ssh-agent</tt>, and ignore <tt>gpg-agent</tt> even if it is available.
If no output is displayed, then all your builds are up-to-date.


=== Clearing Keys ===
To actually run the next build, run {{c|buildbot.sh}}:


Sometimes, it might be necessary to flush all cached keys in memory. To do this, type:
{{console|body=
# ##i##./buildbot.sh
}}


<console># ##i##keychain --clear</console>
If you're thinking that {{c|buildbot.sh}} would be a good candidate for a cron job, you've got the right idea!
Any agent(s) will continue to run.


=== Improving Security ===
=== List Builds ===


To improve the security of <tt>keychain</tt>, some people add the <tt>--clear</tt> option to their <tt>~/.bash_profile</tt> <tt>keychain</tt> invocation. The rationale behind this is that any user logging in should be assumed to be an intruder until proven otherwise. This means that you will need to re-enter any passphrases when you log in, but cron jobs will still be able to run when you log out.
To get a quick look at our repository, let's run the {{c|buildrepo fails}} command:


=== Stopping Agents ===
{{console|body=
# ##i##./buildrepo fails
  0  2015-02-18 /home/mirror/funtoo/funtoo-current/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-current/pure64/amd64-jaguar-pure64
  0  2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/pure64/amd64-jaguar-pure64
  0  2015-02-18 /home/mirror/funtoo/funtoo-stable/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-stable/pure64/amd64-jaguar-pure64
}}


If you want to stop all agents, which will also of course cause your keys/identities to be flushed from memory, you can do this as follows:
On my AMD Jaguar build server, on Feb 20, 2015, this lists all the builds that {{c|buildrepo}} has been configured to manage. The first number on each line is a '''failcount''', which is the number of consecutive times that the build has failed. A zero value indicates that everything's okay. The failcount is an important feature of the advanced repository management features. Here are a number of behaviors that are implemented based on failcount:


<console># ##i##keychain -k all</console>
* If {{c|buildbot.sh}} tries to build a stage and the build fails, the failcount is incremented.
If you have other agents running under your user account, you can also tell <tt>keychain</tt> to just stop only the agents that <tt>keychain</tt> started:
* If the build succeeds for a particular build, the failcount is reset to zero.
* Builds with the lowest failcount are prioritized by {{buildrepo}} to build next, to steer towards builds that are more likely to complete successfully.
* Once the failcount reaches 3 for a particular build, it is removed from the build rotation.


<console># ##i##keychain -k mine</console>
=== Resetting Failcount ===


=== GPG ===
If a build has issues, the failcount for a build will reach 3, at which point it will be pulled out of build rotation. To clear failcount, so that these builds are attempted again -- possibly fixed by new updates to the Portage tree -- use {{c|buildrepo zap}}:


Keychain can ask you for your GPG passphrase if you provide it the GPG key ID. To find it out:
{{console|body=
<console>
# /root/metro/scripts/buildrepo zap
$##i## gpg -k
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv7a_hardfp/.control/.failcount...
pub  2048R/DEADBEEF 2012-08-16
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv6j_hardfp/.control/.failcount...
uid                  Name (Comment) <email@host.tld>
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv5te/.control/.failcount...
sub  2048R/86D2FAC6 2012-08-16
}}
</console>


Note the '''DEADBEEF''' above is the ID. Then, in your login script, do your usual
== Repository Maintenance ==


<console>
A couple of repository maintenance tools are provided:
$##i## keychain --dir ~/.ssh/.keychain ~/.ssh/id_rsa DEADBEEF
$##i## source ~/.ssh/.keychain/$HOST-sh
$##i## source ~/.ssh/.keychain/$HOST-sh-gpg
</console>


=== Learning More ===
* {{c|buildrepo digestgen}} will generate hash files for the archives in your repository, and clean up stale hashes.
* {{c|buildrepo index.xml}} will create an index.xml file at the root of your repository, listing all builds available.
* {{c|buildrepo clean}} will output a shell script that will remove old stages. No more than the three most recent stage builds for each build/arch/subarch are kept.


The instructions above will work on any system that uses <tt>bash</tt> as its default shell, such as most Linux systems and Mac OS X.
== Distributed Repositories ==


To learn more about the many things that <tt>keychain</tt> can do, including alternate shell support, consult the keychain man page, or type <tt>keychain --help | less</tt> for a full list of command options.
In many situation, you will have a number of build servers, and each will build a subset of your master repository, and then upload builds to the master repository. This is an area of Metro that is being actively developed. For now, automated upload functionality is not enabled, but is expected to be implemented in the relatively near future. However, it is possible to have your master repository differentiate between subarches that are built locally, and thus should be part of that system's {{c|buildbot}} build rotation, and those that are stored locally and built remotely. These builds should be cleaned when {{c|buildrepo clean}} is run, but should not enter the local build rotation. To set this up, modify {{f|/root/.buildbot}} and use the {{c|subarches}} and {{c|all_subarches}} variables:


I also recommend you read my original series of articles about [http://www.openssh.com OpenSSH] that I wrote for IBM developerWorks, called <tt>OpenSSH Key Management</tt>. Please note that <tt>keychain</tt> 1.0 was released along with Part 2 of this article, which was written in 2001. <tt>keychain</tt> has changed quite a bit since then. In other words, read these articles for the conceptual and [http://www.openssh.com OpenSSH] information, but consult the <tt>keychain</tt> man page for command-line options and usage instructions :)
{{file|name=/root/.metro|desc=Excerpt of .metro config for master repository|body=
# subarches we are building locally:


* [http://www.ibm.com/developerworks/library/l-keyc.html Common Threads: OpenSSH key management, Part 1] - Understanding RSA/DSA Authentication
subarches = (
* [http://www.ibm.com/developerworks/library/l-keyc2/ Common Threads: OpenSSH key management, Part 2] - Introducing <tt>ssh-agent</tt> and <tt>keychain</tt>
        "pentium4",
* [http://www.ibm.com/developerworks/library/l-keyc3/ Common Threads: OpenSSH key management, Part 3] - Agent forwarding and <tt>keychain</tt> improvements
        "athlon-xp",
 
        "corei7",
As mentioned at the top of the page, <tt>keychain</tt> development sources can be found in the [http://www.github.com/funtoo/keychain keychain git repository]. Please use the [http://groups.google.com/group/funtoo-dev funtoo-dev mailing list] and [irc://irc.freenode.net/funtoo #funtoo irc channel] for keychain support questions as well as bug reports.
        "corei7-pure64",
        "generic_32",
        "i686",
        "amd64-k8",
        "amd64-k8-pure64",
        "core2_64",
        "core2_64-pure64",
        "generic_64",
        "generic_64-pure64",
)
 
# Things we need to clean, even if we may not be building:
 
all_subarches = subarches + (
        "atom_32",
        "atom_64",
        "atom_64-pure64",
        "amd64-k10",
        "amd64-k10-pure64",
        "amd64-bulldozer",
        "amd64-bulldozer-pure64",
        "amd64-steamroller",
        "amd64-steamroller-pure64",
        "amd64-piledriver",
        "amd64-piledriver-pure64",
        "amd64-jaguar",
        "amd64-jaguar-pure64",
        "intel64-haswell",
        "intel64-haswell-pure64",
        "intel64-ivybridge-pure64",
        "intel64-ivybridge",
        "armv7a_hardfp",
        "armv6j_hardfp",
        "armv5te"
)
}}


[[Category:HOWTO]]
[[Category:HOWTO]]
[[Category:Projects]]
[[Category:Metro]]
[[Category:First Steps]]
__TOC__
[[Category:Articles]]
{{ArticleFooter}}
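Review bot: The "Distributed Repositories" text tells the reader to modify /root/.buildbot, but the file box that follows is declared as name=/root/.metro with the description "Excerpt of .metro config for master repository". The page describes subarches and all_subarches as .buildbot variables, so the box name and description should say /root/.buildbot. Two markup slips in the same text: the failcount list uses {{buildrepo}} where every other mention uses {{c|buildrepo}}, and the parenthesis opened before {{c|path/mirror}} in the "Automated Builds" paragraph is never closed. The map_build() description also says the function returns a string while the code shown returns a one-element tuple; the prose should match the code.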

Revision as of 17:21, March 19, 2015

Metro is the build system for Funtoo Linux and Gentoo Linux stages. It automates the bootstrapping process.

This tutorial will take you through installing, setting up and running Metro.


Preface

How Metro Works

Metro is the Funtoo Linux automated build system, and is used to build Funtoo Linux stage tarballs.

Metro cannot create a stage tarball out of thin air. To build a new stage tarball, Metro must use an existing, older stage tarball called a "seed" stage. This seed stage typically is used as the build environment for creating the stage we want.

Metro can use two kinds of seed stages. Traditionally, Metro has used a stage3 as a seed stage. This stage3 is then used to build a new stage1, which in turn is used to build a new stage2, and then a new stage3. This is generally the most reliable way to build Gentoo Linux or Funtoo Linux, so it's the recommended approach.

   Important

After switching metro builds to Funtoo profile, Gentoo stages are no longer provided!

Seeds and Build Isolation

Another important concept to mention here is something called build isolation. Because Metro creates an isolated build environment, and the build environment is explicitly defined using existing, tangible entities -- a seed stage and a portage snapshot -- you will get consistent, repeatable results. In other words, the same seed stage, portage snapshot and build instructions will generate an essentially identical result, even if you perform the build a month later on someone else's workstation.

Local Build

Say you wanted to build a new pentium4 stage3 tarball. The recommended method of doing this would be to grab an existing pentium4 stage3 tarball to use as your seed stage. Metro will be told to use this existing pentium4 stage3 to build a new stage1 for the same pentium4. For this process, the generic pentium4 stage3 would provide the build environment for creating our new stage1. Then, the new stage1 would serve as the build environment for creating the new pentium4 stage2. And the new pentium4 stage2 would serve as the build environment for creating the new pentium4 stage3.

In the Metro terminology this is called a local build, which means a stage3 of a given architecture is used to seed a brand new build of the same architecture. Incidentally this will be the first exercise we are going to perform in this tutorial.

A week later, you may want to build a brand new pentium4 stage3 tarball. Rather than starting from the original pentium4 stage3 again, you'd probably configure Metro to use the most-recently-built pentium4 stage3 as the seed. Metro has built-in functionality to make this easy, allowing it to easily find and track the most recent stage3 seed available.

Remote Build

Metro can also perform a remote build, where a stage3 of a different, but binary compatible, architecture is used as a seed to build a different architecture stage3. Consequently, the second exercise we are going to perform in this tutorial will be to build a core2 32bit stage3 tarball from the pentium4 stage3 tarball we have just built.

TODO: add caveats about what archs can be seeded and what can be not (maybe a table?)

Tailored Build

Last, it's also worth noting that in both local and remote builds, Metro can be configured to add and/or remove individual packages to the final tarball. Let's say you can't live without app-misc/screen: at the end of this tutorial, we will show how to have your tailored stage3 include it.

Installing Metro

The recommended and supported method is to use the Git repository of Metro.

Ensure that dev-vcs/git and dev-python/boto (optional; required for EC2 support) are installed on your system:

root # emerge dev-vcs/git
root # emerge dev-python/boto

Next, clone the master git repository as follows:

root # cd /root
root # git clone git://github.com/funtoo/metro.git
root # cp /root/metro/metro.conf ~/.metro

You will now have a directory called /root/metro that contains all the Metro source code.

Metro is now installed. It's time to customize it for your local system.

Configuring Metro

   Note

Metro is not currently able to build Gentoo stages. See FL-901.

Daniel Robbins maintains Metro, so it comes pre-configured to successfully build Funtoo Linux releases. Before reading further, you might want to customize some basic settings like the number of concurrent jobs to fit your hardware's capabilities or the directory to use for produced stage archives. This is accomplished by editing ~/.metro which is Metro's master configuration file.

Please note that path/install must point to where metro was installed. Point path/distfiles to where your distfiles reside. Also set path/mirror/owner and path/mirror/group to the owner and group of all the files that will be written to the build repository directory, which by default (as per the configuration file) is at /home/mirror/funtoo. The cache directory normally resides inside the temp directory -- this can be modified as desired. The cache directory can end up holding many cached .tbz2 packages, and eat up a lot of storage. You may want to place the temp directory on faster storage, for faster compile times, and place the cache directory on slower, but more plentiful storage.

   .metro - Metro configuration
# Main metro configuration file - these settings need to be tailored to your install:

[section path]
install: /root/metro
tmp: /var/tmp/metro
cache: $[path/tmp]/cache
distfiles: /var/src/distfiles
work: $[path/tmp]/work/$[target/build]/$[target/name]

[section path/mirror]

: /home/mirror/funtoo
owner: root
group: repomgr
dirmode: 775

[section portage]

MAKEOPTS: auto 

[section emerge]

options: --jobs=4 --load-average=4 --keep-going=n

# This line should not be modified:
[collect $[path/install]/etc/master.conf]

Arch and Subarch

In the following example we are creating a pentium4 stage 3 compiled for x86-32bit binary compatibility. Pentium4 is a subarch of the x86-32bit architecture. Once you have metro installed you may find a full list of each subarch in your /root/metro/subarch directory; each subarch will have the file extension .spec. Example:

root # ls /root/metro/subarch
root # ls subarch/
amd64-bulldozer-pure64.spec  armv7a.spec          core-avx-i.spec         i686.spec         pentium.spec
amd64-bulldozer.spec         armv7a_hardfp.spec   core2_32.spec           k6-2.spec         pentium2.spec
amd64-k10-pure64.spec        athlon-4.spec        core2_64-pure64.spec    k6-3.spec         pentium3.spec
amd64-k10.spec               athlon-mp.spec       core2_64.spec           k6.spec           pentium4.spec
amd64-k8+sse3.spec           athlon-tbird.spec    corei7-pure64.spec      native_32.spec    pentiumpro.spec
amd64-k8+sse3_32.spec        athlon-xp.spec       corei7.spec             native_64.spec    prescott.spec
amd64-k8-pure64.spec         athlon.spec          generic_32.spec         niagara.spec      ultrasparc.spec
amd64-k8.spec                atom_32.spec         generic_64-pure64.spec  niagara2.spec     ultrasparc3.spec
amd64-k8_32.spec             atom_64-pure64.spec  generic_64.spec         nocona.spec       xen-pentium4+sse3.spec
armv5te.spec                 atom_64.spec         generic_sparcv9.spec    opteron_64.spec   xen-pentium4+sse3_64.spec
armv6j.spec                  btver1.spec          geode.spec              pentium-m.spec
armv6j_hardfp.spec           btver1_64.spec       i486.spec               pentium-mmx.spec

First stages build (local build)

To get this all started, we need to bootstrap the process by downloading an initial seed stage3 to use for building and place it in its proper location in /home/mirror/funtoo, so that Metro can find it. We will also need to create some special "control" files in /home/mirror/funtoo, which will allow Metro to understand how it is supposed to proceed.

Step 1: Set up pentium4 repository (local build)

Assuming we're following the basic steps outlined in the previous section, and building an unstable funtoo (funtoo-current) build for the pentium4, using a generic pentium4 stage3 as a seed stage, then here is the first set of steps we'd perform:

root # install -d /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
root # install -d /home/mirror/funtoo/funtoo-current/snapshots
root # cd /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
root # install -d 2011-12-13
root # cd 2011-12-13
root # wget -c http://ftp.osuosl.org/pub/funtoo/funtoo-current/x86-32bit/pentium4/2011-12-13/stage3-pentium4-funtoo-current-2011-12-13.tar.xz
root # cd ..
root # install -d .control/version
root # echo "2011-12-13" > .control/version/stage3
root # install -d .control/strategy
root # echo local >  .control/strategy/build
root # echo stage3 > .control/strategy/seed

OK, let's review the steps above. First, we create the directory /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4, which is where Metro will expect to find unstable funtoo-current pentium4 builds -- it is configured to look here by default. Then we create a specially-named directory to house our seed x86 stage3. Again, by default, Metro expects the directory to be named this way. We enter this directory, and download our seed x86 stage3 from funtoo.org. Note that the 2010-12-24 version stamp matches. Make sure that your directory name matches the stage3 name too. Everything has been set up to match Metro's default filesystem layout.

Next, we go back to the /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4 directory, and inside it, we create a .control directory. This directory and its subdirectories contain special files that Metro references to determine certain aspects of its behavior. The .control/version/stage3 file is used by Metro to track the most recently-built stage3 for this particular build and subarch. Metro will automatically update this file with a new version stamp after it successfully builds a new stage3. But because Metro didn't actually build this stage3, we need to set up the .control/version/stage3 file manually. This will allow Metro to find our downloaded stage3 when we set up our pentium4 build to use it as a seed. Also note that Metro will create a similar .control/version/stage1 file after it successfully builds a pentium4 funtoo-current stage1.

We also set up .control/strategy/build and .control/strategy/seed files with values of local and stage3 respectively. These files define the building strategy Metro will use when we build pentium4 funtoo-current stages. With a build strategy of local, Metro will source its seed stage from funtoo-current pentium4, the current directory. And with a seed strategy of stage3, Metro will use a stage3 as a seed, and use this seed to build a new stage1, stage2 and stage3.

Step 2: Building the pentium4 stages

Incidentally, if all you wanted to do at this point was to build a new pentium4 funtoo-current stage1/2/3 (plus openvz and vserver templates), you would begin the process by typing:

root # cd /root/metro
root # scripts/ezbuild.sh funtoo-current pentium4

If you have a slow machine, it could take several hours to complete because several "heavy" components like gcc or glibc have to be recompiled in each stage. Once a stage has been successfully completed, it is placed in the "${METRO_MIRROR}/funtoo-current/x86-32bit/pentium4/YYYY-MM-DD" subdirectory, where YYYY-MM-DD is today's date at the time the ezbuild.sh script was started or the date you put on the ezbuild.sh command line.

Building for another binary compatible architecture (remote build)

As written above, Metro is able to perform a remote build, building a stage3 for a different architecture from a binary compatible seed stage3 (e.g. using a pentium4 stage3 to seed an Intel Core2 32bit stage3).

In the Metro terminology this is called a remote build (a stage 3 of a different, but binary compatible, architecture is used as a seed). What's not compatible? You can't use a Sparc architecture to generate an x86 or ARM based stage and vice-versa. If you use a 32bit stage then you don't want to seed a 64bit build from it. Be sure that you are using a stage from the same architecture that you are trying to seed. Check Funtoo-current FTP Mirror for a stage that is from the same Architecture that you will be building.

   Note

Often, one build (ie. funtoo-current) can be used as a seed for another build such as funtoo-stable. However, hardened builds require hardened stages as seeds in order for the build to complete successfully.

Step 1: Set up Core_2 32bit repository

In this example, we're going to use this pentium4 funtoo-current stage3 to seed a new Core_2 32bit funtoo-current build. To get that done, we need to set up the pentium4 build directory as follows:

root #  cd /home/mirror/funtoo/funtoo-current/x86-32bit
root # install -d core2_32
root # cd core2_32
root # install -d .control/strategy
root # echo remote > .control/strategy/build
root # echo stage3 > .control/strategy/seed
root # install -d .control/remote
root # echo funtoo-current > .control/remote/build
root # echo x86-32bit > .control/remote/arch_desc
root # echo pentium4 > .control/remote/subarch

The steps we follow are similar to those we performed for a local build to set up our pentium4 directory for local build. However, note the differences. We didn't download a stage, because we are going to use the pentium4 stage to build a new Core_2 32bit stage. We also didn't create the .control/version/stage{1,3} files because Metro will create them for us after it successfully builds a new stage1 and stage3. We are still using a stage3 seed strategy, but we've set the build strategy to remote, which means that we're going to use a seed stage that's not from this particular subdirectory. Where are we going to get it from? The .control/remote directory contains this information, and lets Metro know that it should look for its seed stage3 in the /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4 directory. Which one will it grab? You guessed it -- the most recently built stage3 (since our seed strategy was set to stage3) that has the version stamp of 2010-12-24, as recorded in /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4/.control/version/stage3. Now you can see how all those control files come together to direct Metro to do the right thing.

   Note

arch_desc should be set to one of: x86-32bit, x86-64bit or pure64 for PC-compatible systems. You must use a 32-bit build as a seed for other 32-bit builds, and a 64-bit build as a seed for other 64-bit builds.
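
The control-file lookup described in the two setup steps above can be written out as a short resolver that also rejects values a build server should not trust. This is an added example, not Metro's own code: the function names, the safe-name pattern and the 32/64-bit table are assumptions, and the tarball name follows the stage3-pentium4-funtoo-current-2011-12-13.tar.xz pattern from the download step.

```python
import re
import tempfile
from pathlib import Path

# Control values become path components, so restrict them to a safe alphabet
# (assumption: no legitimate value starts with "." or contains "/").
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_+.-]*")
DATE_STAMP = re.compile(r"\d{4}-\d{2}-\d{2}")
# arch_desc values the page lists for PC-compatible systems, mapped to word size.
ARCH_BITS = {"x86-32bit": 32, "x86-64bit": 64, "pure64": 64}


class ControlError(Exception):
    """Raised when a .control file is missing or holds an unexpected value."""


def read_control(target_dir, relpath, pattern=SAFE_NAME):
    """Return the validated one-line value of <target_dir>/.control/<relpath>."""
    path = Path(target_dir) / ".control" / relpath
    try:
        value = path.read_text().strip()
    except FileNotFoundError:
        raise ControlError(f"missing control file: {path}") from None
    if not pattern.fullmatch(value):
        raise ControlError(f"unexpected value {value!r} in {path}")
    return value


def resolve_seed(mirror, build, arch_desc, subarch):
    """Return the seed stage3 tarball that the control files point to."""
    mirror = Path(mirror)
    target_dir = mirror / build / arch_desc / subarch
    strategy = read_control(target_dir, "strategy/build")
    seed_kind = read_control(target_dir, "strategy/seed")
    if seed_kind != "stage3":
        raise ControlError(f"this sketch only handles stage3 seeds, got {seed_kind!r}")

    if strategy == "local":
        # Local build: the seed comes from this build's own directory.
        src_build, src_arch, src_subarch = build, arch_desc, subarch
    elif strategy == "remote":
        # Remote build: .control/remote names the directory that holds the seed.
        src_build = read_control(target_dir, "remote/build")
        src_arch = read_control(target_dir, "remote/arch_desc")
        src_subarch = read_control(target_dir, "remote/subarch")
        # 32-bit seeds for 32-bit builds, 64-bit seeds for 64-bit builds.
        if (src_arch in ARCH_BITS and arch_desc in ARCH_BITS
                and ARCH_BITS[src_arch] != ARCH_BITS[arch_desc]):
            raise ControlError(f"a {src_arch} seed cannot seed a {arch_desc} build")
    else:
        raise ControlError(f"unknown build strategy {strategy!r}")

    src_dir = mirror / src_build / src_arch / src_subarch
    version = read_control(src_dir, "version/stage3", DATE_STAMP)
    seed = src_dir / version / f"stage3-{src_subarch}-{src_build}-{version}.tar.xz"
    if not seed.is_file():
        raise ControlError(f"seed tarball not found: {seed}")
    return seed


def build_demo_mirror(root):
    """Recreate the tutorial's layout under root (constructed data, empty tarball)."""
    x86 = Path(root) / "funtoo-current" / "x86-32bit"
    files = {
        "pentium4/.control/version/stage3": "2011-12-13\n",
        "pentium4/.control/strategy/build": "local\n",
        "pentium4/.control/strategy/seed": "stage3\n",
        "pentium4/2011-12-13/stage3-pentium4-funtoo-current-2011-12-13.tar.xz": "",
        "core2_32/.control/strategy/build": "remote\n",
        "core2_32/.control/strategy/seed": "stage3\n",
        "core2_32/.control/remote/build": "funtoo-current\n",
        "core2_32/.control/remote/arch_desc": "x86-32bit\n",
        "core2_32/.control/remote/subarch": "pentium4\n",
    }
    for rel, text in files.items():
        path = x86 / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = build_demo_mirror(tmp)
        for name in ("pentium4", "core2_32"):
            print(name, "->", resolve_seed(demo, "funtoo-current", "x86-32bit", name))
```

Both the local pentium4 directory and the remote core2_32 directory resolve to the same pentium4 tarball, which is the behaviour the control files are meant to produce.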

Step 2: Building the Core_2 32bit stages

Now, you could start building your new Core_2 32bit stage1/2/3 (plus openvz and vserver templates) by typing the following:

root # /root/metro/scripts/ezbuild.sh funtoo-current core2_32

In that case, the produced stages are placed in the /home/mirror/funtoo/funtoo-current/x86-32bit/core2_32/YYYY-MM-DD subdirectory.

Step 3: The Next Build

At this point, you now have a new Core_2 32bit stage3, built using a "remote" pentium4 stage3. Once the first remote build completes successfully, metro will automatically change .control/strategy/build to be local instead of remote, so it will use the most recently-built Core_2 32bit stage3 as a seed for any new Core_2 32bit builds from now on.

Build your own tailored stage3

Metro can be easily configured to build a custom stage3 that includes additional packages. Edit the following configuration file /root/metro/etc/builds/funtoo-current/build.conf:

   funtoo-current/build.conf
[collect ../../fslayouts/funtoo/layout.conf]

[section release]

author: Daniel Robbins <drobbins@funtoo.org>

[section target]

compression: xz

[section portage]

FEATURES: 
SYNC: $[snapshot/source/remote]
USE:

[section profile]

format: new
path: gentoo:funtoo/1.0/linux-gnu
arch: $[:path]/arch/$[target/arch_desc]
build: $[:path]/build/current
flavor: $[:path]/flavor/core
mix-ins:

[section version]

python: 2.7

[section emerge]


[section snapshot]

type: live
compression: xz

[section snapshot/source]

type: git
branch: funtoo.org
# branch to have checked out for tarball:
branch/tar: origin/master
name: ports-2012 
remote: git://github.com/funtoo/ports-2012.git
options: pull

[section metro]

options: 
options/stage: cache/package
target: gentoo

[section baselayout]

services: sshd

[section multi]

snapshot: snapshot

[section files]

motd/trailer: [

 >>> Send suggestions, improvements, bug reports relating to...

 >>> This release:                  $[release/author]
 >>> Funtoo Linux (general):        Funtoo Linux (http://www.funtoo.org)
 >>> Gentoo Linux (general):        Gentoo Linux (http://www.gentoo.org)
]

[collect ../../multi-targets/$[multi/mode:zap]]

Building Gentoo stages

Metro can also build Gentoo stages. After switching to the Funtoo profile (see http://www.funtoo.org/Funtoo_Profiles), Metro requires additional steps for this. We have an open bug for this -- it is simply due to the fact that we focus on ensuring Funtoo Linux builds and building Gentoo is a lower priority. Historical note: Funtoo Linux originally started as a fork of Gentoo Linux so that metro could reliably build Gentoo stages.

Advanced Features

Metro also includes a number of advanced features that can be used to automate builds and set up distributed build servers. These features require you to emerge sqlalchemy, as SQLite is used as a dependency.

Repository Management

Metro includes a script in the scripts directory called buildrepo. Buildrepo serves as the heart of Metro's advanced repository management features.

Initial Setup

To use buildrepo, you will first need to create a .buildbot configuration file. Here is the file I use on my AMD Jaguar build server:

   /root/.buildbot (python source code)
builds = (
	"funtoo-current",
	"funtoo-current-hardened",
	"funtoo-stable",
)

arches = (
	"x86-64bit",
	"pure64"
)

subarches = (
	"amd64-jaguar",
	"amd64-jaguar-pure64",
)

def map_build(build, subarch, full, full_date):
	# arguments refer to last build...
	if full == True:
		buildtype =  ( "freshen", )
	else:
		buildtype =  ("full", )
	return buildtype

This file is actually a python source file that defines the tuples builds, arches and subarches. These variables tell buildrepo which builds, arches and subarches it should manage. A map_build() function is also defined which buildbot uses to determine what kind of build to perform. The arguments passed to the function are based on the last successful build. The function can read these arguments and return a string to define the type of the next build. In the above example, the map_build() function will cause the next build after a freshen build to be a full build, and the next build after a full build to be a freshen build, so that the build will alternate between full and freshen.

Automated Builds

Once the .buildbot file has been created, the buildrepo and buildbot.sh tools are ready to use. Here's how they work. These tools are designed to keep your repository (path/mirror in /root/.metro) up-to-date by inspecting your repository and looking for stages that are out-of-date.

To list the next build that will be performed, do this -- this is from my ARM build server:

root # ./buildrepo nextbuild
build=funtoo-current
arch_desc=arm-32bit
subarch=armv7a_hardfp
fulldate=2015-02-08
nextdate=2015-02-20
failcount=0
target=full
extras=''

If no output is displayed, then all your builds are up-to-date.

To actually run the next build, run buildbot.sh:

root # ./buildbot.sh

If you're thinking that buildbot.sh would be a good candidate for a cron job, you've got the right idea!

List Builds

To get a quick look at our repository, let's run the buildrepo fails command:

root # ./buildrepo fails
   0   2015-02-18 /home/mirror/funtoo/funtoo-current/x86-64bit/amd64-jaguar
   0   2015-02-18 /home/mirror/funtoo/funtoo-current/pure64/amd64-jaguar-pure64
   0   2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/x86-64bit/amd64-jaguar
   0   2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/pure64/amd64-jaguar-pure64
   0   2015-02-18 /home/mirror/funtoo/funtoo-stable/x86-64bit/amd64-jaguar
   0   2015-02-18 /home/mirror/funtoo/funtoo-stable/pure64/amd64-jaguar-pure64

On my AMD Jaguar build server, on Feb 20, 2015, this lists all the builds that buildrepo has been configured to manage. The first number on each line is a failcount, which is the number of consecutive times that the build has failed. A zero value indicates that everything's okay. The failcount is an important feature of the advanced repository management features. Here are a number of behaviors that are implemented based on failcount:

  • If buildbot.sh tries to build a stage and the build fails, the failcount is incremented.
  • If the build succeeds for a particular build, the failcount is reset to zero.
  • Builds with the lowest failcount are prioritized by buildrepo to build next, to steer towards builds that are more likely to complete successfully.
  • Once the failcount reaches 3 for a particular build, it is removed from the build rotation.
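
The failcount rules listed above, applied to buildrepo fails output so that a cron job can report builds that have dropped out of rotation. This is an added example and not part of Metro: the parser follows the three-column output shown on this page, the sample lines are constructed, and the function names and the tie-break (input order) are assumptions.

```python
import re
from dataclasses import dataclass, replace

MAX_FAILS = 3  # per the page: at failcount 3 a build leaves the rotation

# One line of `buildrepo fails` output: failcount, date stamp, repository path.
LINE = re.compile(r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2})\s+(/\S+)\s*$")


@dataclass(frozen=True)
class Build:
    failcount: int
    date: str   # date column exactly as printed
    path: str


def parse_fails(output):
    """Parse `buildrepo fails` output; raise ValueError on an unrecognised line."""
    builds = []
    for lineno, line in enumerate(output.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        builds.append(Build(int(match.group(1)), match.group(2), match.group(3)))
    return builds


def rotation(builds):
    """Builds still in rotation, lowest failcount first (ties keep input order)."""
    active = [b for b in builds if b.failcount < MAX_FAILS]
    return sorted(active, key=lambda b: b.failcount)


def stalled(builds):
    """Builds pulled from rotation; these wait for a `buildrepo zap`."""
    return [b for b in builds if b.failcount >= MAX_FAILS]


def record_result(build, succeeded):
    """State after one build attempt: reset on success, increment on failure."""
    return replace(build, failcount=0 if succeeded else build.failcount + 1)


# Constructed sample in the format shown on this page (failcounts and dates varied).
SAMPLE = """\
  0  2015-02-18 /home/mirror/funtoo/funtoo-current/x86-64bit/amd64-jaguar
  2  2015-02-11 /home/mirror/funtoo/funtoo-current-hardened/x86-64bit/amd64-jaguar
  3  2015-02-02 /home/mirror/funtoo/funtoo-stable/pure64/amd64-jaguar-pure64
  1  2015-02-15 /home/mirror/funtoo/funtoo-stable/x86-64bit/amd64-jaguar
"""

if __name__ == "__main__":
    parsed = parse_fails(SAMPLE)
    for b in rotation(parsed):
        print("in rotation:", b.failcount, b.path)
    for b in stalled(parsed):
        print("STALLED:", b.failcount, b.path)
```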

Resetting Failcount

If a build has issues, the failcount for a build will reach 3, at which point it will be pulled out of build rotation. To clear failcount, so that these builds are attempted again -- possibly fixed by new updates to the Portage tree -- use buildrepo zap:

root # /root/metro/scripts/buildrepo zap
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv7a_hardfp/.control/.failcount...
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv6j_hardfp/.control/.failcount...
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv5te/.control/.failcount...

Repository Maintenance

A couple of repository maintenance tools are provided:

  • buildrepo digestgen will generate hash files for the archives in your repository, and clean up stale hashes.
  • buildrepo index.xml will create an index.xml file at the root of your repository, listing all builds available.
  • buildrepo clean will output a shell script that will remove old stages. No more than the three most recent stage builds for each build/arch/subarch are kept.

Distributed Repositories

In many situations, you will have a number of build servers, and each will build a subset of your master repository, and then upload builds to the master repository. This is an area of Metro that is being actively developed. For now, automated upload functionality is not enabled, but is expected to be implemented in the relatively near future. However, it is possible to have your master repository differentiate between subarches that are built locally, and thus should be part of that system's buildbot build rotation, and those that are stored locally and built remotely. These builds should be cleaned when buildrepo clean is run, but should not enter the local build rotation. To set this up, modify /root/.buildbot and use the subarches and all_subarches variables:

   /root/.metro - Excerpt of .metro config for master repository
# subarches we are building locally:

subarches = ( 
        "pentium4",
        "athlon-xp",
        "corei7",
        "corei7-pure64",
        "generic_32", 
        "i686", 
        "amd64-k8",
        "amd64-k8-pure64",
        "core2_64",
        "core2_64-pure64",
        "generic_64",
        "generic_64-pure64",
) 
  
# Things we need to clean, even if we may not be building:
  
all_subarches = subarches + (
        "atom_32",
        "atom_64",
        "atom_64-pure64",
        "amd64-k10",
        "amd64-k10-pure64",
        "amd64-bulldozer",
        "amd64-bulldozer-pure64",
        "amd64-steamroller",
        "amd64-steamroller-pure64",
        "amd64-piledriver",
        "amd64-piledriver-pure64",
        "amd64-jaguar",
        "amd64-jaguar-pure64",
        "intel64-haswell",
        "intel64-haswell-pure64",
        "intel64-ivybridge-pure64",
        "intel64-ivybridge",
        "armv7a_hardfp",
        "armv6j_hardfp",
        "armv5te"
)