Difference between pages "Package:Nftables" and "Funtoo:Metro"

From Funtoo
{{Ebuild
|Summary=Linux kernel (3.13+) firewall, NAT and packet mangling tools
|CatPkg=net-firewall/nftables
|Repository=Gentoo Portage Tree
}}

{{#layout:doc}}[[Metro]] is the build system for Funtoo Linux and [[Gentoo Linux]] stages. It automates the bootstrapping process.

This tutorial will take you through installing, setting up and running [[Metro]].

These other Metro documents are also available:

{{#ask: [[Category:Metro]]
|format=ul
}}
=== What is nftables? ===
'''nftables''' is the successor to [[iptables]]. It replaces the existing iptables, ip6tables, arptables and ebtables frameworks. It consists of the nf_tables subsystem in the Linux kernel and a new userspace utility called nft. nftables also provides a compatibility layer for the ip(6)tables framework.


==Introduction==
As with the iptables framework, nftables is built upon rules which specify the actions to take. Rules are attached to chains. A chain holds a collection of rules and, if it is a base chain, is registered with one of the netfilter hooks. Chains are stored inside tables, and each table belongs to one address family (for example ip, ip6 or inet). One of the main differences from iptables is that there are no predefined tables and chains any more: the whole ruleset is defined by the administrator.

= Preface =
 
== How Metro Works ==  
 
Metro is the Funtoo Linux automated build system, and is used to build Funtoo Linux stage tarballs.
 
[[Metro]] cannot create a stage tarball out of thin air. To build a new stage tarball, [[Metro]] must use an existing, older stage tarball called a "seed" stage. This seed stage typically is used as the ''build environment'' for creating the stage we want.
 
[[Metro]] can use two kinds of seed stages. Traditionally, [[Metro]] has used a stage3 as a seed stage. This stage3 is then used to build a new stage1, which in turn is used to build a new stage2, and then a new stage3. This is generally the most reliable way to build [[Gentoo Linux]] or Funtoo Linux, so it's the recommended approach.
{{fancyimportant|'''After switching metro builds to Funtoo profile, Gentoo stages are no longer provided'''!}}


===Tables===
A table is nothing more than a container for your chains. With nftables there are no predefined tables (filter, raw, mangle...) any more. You are free to recreate the iptables-like structure, but any layout will do.
Currently there are 5 different families of tables:
* '''ip''': Used for IPv4 related chains;
* '''ip6''': Used for IPv6 related chains;
* '''arp''': Used for ARP related chains;
* '''bridge''': Used for bridging related chains;
* '''inet''': Mixed IPv4/IPv6 chains (kernel 3.14 and up).

It is not hard to recognize the old tables framework in these families. The only new one is the inet family, which is used for both IPv4 and IPv6 traffic. It makes firewalling dual-stack hosts easier by keeping the IPv4 and IPv6 rules in one place, so the two families cannot silently drift apart.

== Seeds and Build Isolation ==

Another important concept to mention here is something called ''build isolation''. Because [[Metro]] creates an isolated build environment, and the build environment is explicitly defined using existing, tangible entities -- a seed stage and a portage snapshot -- you will get consistent, repeatable results. In other words, the same seed stage, portage snapshot and build instructions will generate an essentially identical result, even if you perform the build a month later on someone else's workstation.


===Chains===
Chains are used to group rules together. As with tables, nftables does not have any predefined chains. Chains come in two kinds: base and non-base. A base chain is registered with one of the netfilter hooks and has a hook, a type and a priority. Non-base chains are not attached to a hook and see no traffic by default; they are only reached through jump or goto, and can be used to arrange a ruleset as a tree of chains.
There are currently three types of chains:
* '''filter''': for filtering packets
* '''route''': for rerouting packets (the route is re-evaluated after the chain if the packet was modified)
* '''nat''': for performing Network Address Translation. Only the first packet of a connection traverses this chain, so it must not be used for filtering.
The hooks that can be used are:
* '''prerouting''': before the routing decision; all packets entering the machine hit this hook
* '''input''': all packets destined for the local system hit this hook
* '''forward''': packets not for the local system, those that need to be forwarded, hit this hook
* '''output''': packets that originate from the local system pass this hook
* '''postrouting''': after the routing decision; all packets leaving the machine hit this hook
{{Note|The ARP address family only supports the input and output hooks}}
{{Note|The bridge address family only seems to support the input, forward and output hooks}}

====Priorities====
The priority orders base chains that are registered on the same hook: lower values run first. The value is a signed integer, so a chain at a negative priority runs before a chain at priority 0, the usual value for a filter chain. Hooks the kernel registers internally use fixed priorities (connection tracking at -200 and destination NAT at -100, for example), so a chain that relies on ct state information must use a priority above -200.

== Local Build ==

Say you wanted to build a new <tt>pentium4</tt> stage3 tarball. The recommended method of doing this would be to grab an existing <tt>pentium4</tt> stage3 tarball to use as your seed stage. [[Metro]] will be told to use this existing <tt>pentium4</tt> stage3 to build a new stage1 for the same <tt>pentium4</tt>. For this process, the generic <tt>pentium4</tt> stage3 would provide the ''build environment'' for creating our new stage1. Then, the new stage1 would serve as the build environment for creating the new <tt>pentium4</tt> stage2. And the new <tt>pentium4</tt> stage2 would serve as the build environment for creating the new <tt>pentium4</tt> stage3.

In the [[Metro]] terminology this is called a '''local build''', which means a stage3 of a given architecture is used to seed a brand new build of the same architecture. Incidentally, this will be the first exercise we are going to perform in this tutorial.

A week later, you may want to build a brand new <tt>pentium4</tt> stage3 tarball. Rather than starting from the original <tt>pentium4</tt> stage3 again, you'd probably configure [[Metro]] to use the most-recently-built <tt>pentium4</tt> stage3 as the seed. [[Metro]] has built-in functionality to make this easy, allowing it to easily find and track the most recent stage3 seed available.


== Remote Build ==

[[Metro]] can also perform a '''remote build''', where a stage3 of a different but binary compatible architecture is used as a seed to build a stage3 for another architecture. Consequently, the second exercise we are going to perform in this tutorial will be to build a <tt>core2 32bit</tt> stage3 tarball from the <tt>pentium4</tt> stage3 tarball we have just built.

===Rules===
Rules specify which action has to be taken for which packets. Rules are attached to chains. Each rule has an expression to match packets against and one or more statements that are executed when it matches. The main differences from iptables are that a rule may carry several statements and that counters are off by default: if you want packet and byte counters for a rule, you must add the counter statement explicitly.
Each rule has a unique handle number by which it can be addressed.
The following matches are available:
* '''ip''': IP protocol
* '''ip6''': IPv6 protocol
* '''tcp''': TCP protocol
* '''udp''': UDP protocol
* '''udplite''': UDP-lite protocol
* '''sctp''': SCTP protocol
* '''dccp''': DCCP protocol
* '''ah''': Authentication headers
* '''esp''': Encapsulating security payload headers
* '''ipcomp''': IPcomp headers
* '''icmp''': ICMP protocol
* '''icmpv6''': ICMPv6 protocol
* '''ct''': Connection tracking
* '''meta''': meta properties such as interfaces

====Matches====
{|class=wikitable
! Match
! Arguments
! Description/Example
|-
| rowspan="11" | '''ip'''
| version
| Ip Header version
|-
| hdrlength
| IP header length
|-
| tos
|Type of Service
|-
| length
| Total packet length
|-
| id
| IP ID
|-
| frag-off
| Fragmentation offset
|-
| ttl
| Time to live
|-
| protocol
| Upper layer protocol
|-
| checksum
| IP header checksum
|-
| saddr
| Source address
|-
| daddr
| Destination address
|-
| rowspan="8" | '''ip6'''
| version
| IP header version
|-
| priority
| Priority (traffic class field)
|-
| flowlabel
| Flow label
|-
| length
| Payload length
|-
| nexthdr
| Next header type (Upper layer protocol number)
|-
| hoplimit
| Hop limit
|-
|saddr
| Source Address
|-
|daddr
| Destination Address
|-
| rowspan="9" | '''tcp'''
| sport
| Source port
|-
| dport
| Destination port
|-
| sequence
| Sequence number
|-
| ackseq
| Acknowledgement number
|-
| doff
| Data offset
|-
| flags
| TCP flags
|-
| window
| Window
|-
| checksum
| Checksum
|-
| urgptr
| Urgent pointer
|-
| rowspan="4" | '''udp'''
| sport
| Source port
|-
| dport
| Destination port
|-
| length
| Total packet length
|-
| checksum
| Checksum
|-
| rowspan="4" | '''udplite'''
| sport
| Source port
|-
| dport
| Destination port
|-
| cscov
| Checksum coverage
|-
| checksum
| Checksum
|-
| rowspan="4" |'''sctp'''
| sport
| Source port
|-
| dport
| Destination port
|-
|vtag
|Verification tag
|-
| checksum
| Checksum
|-
| rowspan="2" |'''dccp'''
| sport
| Source port
|-
| dport
| Destination port
|-
| rowspan="4" |'''ah'''
| nexthdr
| Next header protocol (Upper layer protocol)
|-
| hdrlength
| AH header length
|-
| spi
| Security Parameter Index
|-
| sequence
| Sequence Number
|-
| rowspan="2" | '''esp'''
| spi
| Security Parameter Index
|-
| sequence
| Sequence Number
|-
| rowspan="3" | '''ipcomp'''
| nexthdr
| Next header protocol (Upper layer protocol)
|-
| flags
| Flags
|-
| cpi
| Compression Parameter Index
|-
| '''icmp'''
| type
| ICMP packet type
|-
| '''icmpv6'''
| type
| ICMPv6 packet type
|-
|rowspan="12"|'''ct'''
|state
|State of the connection
|-
|direction
|Direction of the packet relative to the connection
|-
|status
|Status of the connection
|-
|mark
|Connection mark
|-
|expiration
|Connection expiration time
|-
|helper
|Helper associated with the connection
|-
|l3proto
|Layer 3 protocol of the connection
|-
|saddr
|Source address of the connection for the given direction
|-
|daddr
|Destination address of the connection for the given direction
|-
|protocol
|Layer 4 protocol of the connection for the given direction
|-
|proto-src
|Layer 4 protocol source for the given direction
|-
|proto-dst
|Layer 4 protocol destination for the given direction
|-
| rowspan="13" | '''meta'''
| length
| Length of the packet in bytes: ''meta length > 1000''
|-
| protocol
| ethertype protocol: ''meta protocol vlan''
|-
| priority
| TC packet priority
|-
| mark
| Packet mark
|-
| iif
| Input interface index
|-
| iifname
| Input interface name
|-
| iiftype
| Input interface type
|-
| oif
| Output interface index
|-
| oifname
| Output interface name
|-
| oiftype
| Output interface hardware type
|-
| skuid
| UID associated with originating socket
|-
| skgid
| GID associated with originating socket
|-
| rtclassid
| Routing realm
|-
|}
====Statements====
Statements represent the actions performed when a rule matches. They come in two kinds: terminal statements, which unconditionally end the evaluation of the current rule (and usually of the ruleset), and non-terminal statements such as counter, log or limit, which either conditionally or never end it. A rule may carry any number of non-terminal statements, but at most one terminal (verdict) statement, and it must come last.
The verdict statements are:
* '''accept''': Accept the packet and stop the ruleset evaluation.
* '''drop''': Drop the packet and stop the ruleset evaluation.
* '''reject''': Reject the packet and stop the ruleset evaluation; an ICMP error (or a TCP reset) is sent back to the sender.
* '''queue''': Queue the packet to userspace and stop the ruleset evaluation.
* '''continue''': Continue ruleset evaluation with the next rule. This is the default behaviour when a rule issues no verdict.
* '''return''': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to the chain's policy, which defaults to accept.
* '''jump <chain>''': Continue at the first rule of <chain>. Evaluation returns to the rule after the jump once <chain> is exhausted or a return statement is issued.
* '''goto <chain>''': Similar to jump, but evaluation does not return: after <chain> it continues in the last chain that was entered with jump, not the one containing the goto statement.


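To show how tables, base and non-base chains, matches and statements fit together, here is an added example that is not part of the original page: a complete dual-stack host firewall written in nft's own script syntax, wrapped in shell functions that write it to a file, check it with <tt>nft -c</tt> and load it in one transaction. The SSH and web ports, the chain names and the output path are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): a complete dual-stack host
# firewall in nft's native script syntax, showing a table, a base chain with
# hook/type/priority and policy, a non-base chain reached by jump, and
# non-terminal statements (counter, limit, log) before a single verdict.
# The SSH port, the service ports and the output path are assumptions.

# write_ruleset FILE: write the ruleset script to FILE.
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset

# One inet table covers IPv4 and IPv6, so both families get the same rules.
table inet filter {
    # Non-base chain: no hook, only reached via jump/goto from another chain.
    chain ssh_guard {
        # limit is non-terminal; accept is the single verdict and comes last.
        tcp dport 22 ct state new limit rate 10/minute accept
        # Above the limit: count, log and drop.
        tcp dport 22 ct state new counter log prefix "ssh-flood " drop
    }

    # Base chain: hook, type and priority make it see traffic; the policy
    # applies to packets that reach the end of the chain without a verdict.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid counter drop

        # ICMP is needed for path MTU discovery, ICMPv6 for neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # jump comes back here after ssh_guard unless it issued a verdict.
        tcp dport 22 jump ssh_guard

        tcp dport { 80, 443 } counter accept
        # Explicit reject for the rest; icmpx picks the right family's error.
        counter reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset FILE: syntax-check with "nft -c" (needs nft and root).
# Returns 0 with a notice when the check cannot run, so the script stays
# usable on a build host without nftables.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available or not root; skipping syntax check of $1" >&2
    fi
}

# load_ruleset FILE: one transaction, so either all rules apply or none do.
load_ruleset() {
    nft -f "$1"
}

# Usage: sh firewall.sh --run   (as root, after reviewing the generated file)
if [ "${1:-}" = "--run" ]; then
    out=${RULESET_FILE:-/root/firewall.nft}
    write_ruleset "$out"
    check_ruleset "$out" && load_ruleset "$out"
fi
```

Because the file starts with <tt>flush ruleset</tt> and <tt>nft -f</tt> applies the whole file as one transaction, the host is never left with a half-loaded ruleset: a syntax error anywhere in the file leaves the previous rules in place.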
== Installing nftables ==
=== Kernel ===
These kernel options must be set:

<pre>
[*] Networking support  --->
    Networking options  --->
        [*] Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
                <M> Netfilter nf_tables support
                <M>   Netfilter nf_tables IPv6 exthdr module
                <M>   Netfilter nf_tables meta module
                <M>   Netfilter nf_tables conntrack module
                <M>   Netfilter nf_tables rbtree set module
                <M>   Netfilter nf_tables hash set module
                <M>  Netfilter nf_tables counter module
                <M>  Netfilter nf_tables log module
                <M>  Netfilter nf_tables limit module
                <M>  Netfilter nf_tables nat module
                <M>  Netfilter x_tables over nf_tables module
            IP: Netfilter Configuration  --->
                <M> IPv4 nf_tables support
                <M>  nf_tables IPv4 reject support
                <M>  IPv4 nf_tables route chain support
                <M>  IPv4 nf_tables nat chain support
            IPv6: Netfilter Configuration  --->
                <M> IPv6 nf_tables support
                <M>  IPv6 nf_tables route chain support
                <M>  IPv6 nf_tables nat chain support
            <M>  Ethernet Bridge nf_tables support
</pre>

=== Emerging ===
To install nftables, run the following command:
<console>
###i## emerge net-firewall/nftables
</console>

TODO: add caveats about what archs can be seeded and what can not (maybe a table?)

== Tailored Build ==

Last, it's also worth noting that in both <tt>local</tt> and <tt>remote</tt> builds, [[Metro]] can be configured to add and/or remove individual packages in the final tarball.

Let's say you can't live without <tt>app-misc/screen</tt>; at the end of this tutorial we will show how to have your tailored stage3 include it.

== Installing Metro ==

'''The recommended and supported method''' is to use the Git repository of [[Metro]].

Ensure that {{Package|dev-vcs/git}} and {{Package|dev-python/boto}} (optional; required for EC2 support) are installed on your system:
<console>
# ##i##emerge dev-vcs/git
# ##i##emerge dev-python/boto
</console>


Next, clone the master git repository as follows:


<console>
# ##i##cd /root
# ##i##git clone git://github.com/funtoo/metro.git
# ##i##cp /root/metro/metro.conf ~/.metro
</console>

{{Note|The <tt>git://</tt> transport is neither encrypted nor authenticated, so anyone on the network path can alter what you clone. Where the hosting service offers it, clone over <tt>https://</tt> instead, and review the checkout before running anything from it as root.}}

== OpenRC configuration ==
Don't forget to add the nftables service to the default runlevel:
<console>
###i## rc-update add nftables default
</console>


You cannot use iptables and nft to perform NAT at the same time, so make sure that the <tt>iptable_nat</tt> module is unloaded:
<console>
###i## rmmod iptable_nat
</console>

You will now have a directory called <tt>/root/metro</tt> that contains all the [[Metro]] source code.

Metro is now installed. It's time to customize it for your local system.

= Configuring Metro =

{{Note|Metro is not currently able to build Gentoo stages. See {{Bug|FL-901}}.}}

[[User:Drobbins|Daniel Robbins]] maintains [[Metro]], so it comes pre-configured to successfully build Funtoo Linux releases. Before reading further, you might want to customize some basic settings like the number of concurrent jobs to fit your hardware's capabilities or the directory to use for produced stage archives. This is accomplished by editing <tt>~/.metro</tt>, which is [[Metro]]'s master configuration file.

Please note that <code>path/install</code> must point to where metro was installed. Point <code>path/distfiles</code> to where your distfiles reside. Also set <code>path/mirror/owner</code> and <code>path/mirror/group</code> to the owner and group of all the files that will be written to the build repository directory, which by default (as per the configuration file) is at <code>/home/mirror/funtoo</code>. The cache directory normally resides inside the temp directory -- this can be modified as desired. The cache directory can end up holding many cached .tbz2 packages, and eat up a lot of storage. You may want to place the temp directory on faster storage, for faster compile times, and place the cache directory on slower, but more plentiful storage.

{{file|name=.metro|desc=Metro configuration|body=
# Main metro configuration file - these settings need to be tailored to your install:

[section path]
install: /root/metro
tmp: /var/tmp/metro
cache: $[path/tmp]/cache
distfiles: /var/src/distfiles
work: $[path/tmp]/work/$[target/build]/$[target/name]

[section path/mirror]

: /home/mirror/funtoo
owner: root
group: repomgr
dirmode: 775

[section portage]

MAKEOPTS: auto

[section emerge]

options: --jobs=4 --load-average=4 --keep-going=n

# This line should not be modified:
[collect $[path/install]/etc/master.conf]
}}

== Arch and Subarch ==

In the following example we are creating a pentium4 stage3 compiled for x86-32bit binary compatibility. Pentium4 is a subarch of the x86-32bit architecture. Once you have metro installed you can find the full list of subarches in your <tt>/root/metro/subarch</tt> directory; each subarch has a file with the extension .spec.
Example:
<console>
# ##i##ls /root/metro/subarch
amd64-bulldozer-pure64.spec  armv7a.spec          core-avx-i.spec        i686.spec        pentium.spec
amd64-bulldozer.spec        armv7a_hardfp.spec  core2_32.spec          k6-2.spec        pentium2.spec
amd64-k10-pure64.spec        athlon-4.spec        core2_64-pure64.spec    k6-3.spec        pentium3.spec
amd64-k10.spec              athlon-mp.spec      core2_64.spec          k6.spec          pentium4.spec
amd64-k8+sse3.spec          athlon-tbird.spec    corei7-pure64.spec      native_32.spec    pentiumpro.spec
amd64-k8+sse3_32.spec        athlon-xp.spec      corei7.spec            native_64.spec    prescott.spec
amd64-k8-pure64.spec        athlon.spec          generic_32.spec        niagara.spec      ultrasparc.spec
amd64-k8.spec                atom_32.spec        generic_64-pure64.spec  niagara2.spec    ultrasparc3.spec
amd64-k8_32.spec            atom_64-pure64.spec  generic_64.spec        nocona.spec      xen-pentium4+sse3.spec
armv5te.spec                atom_64.spec        generic_sparcv9.spec    opteron_64.spec  xen-pentium4+sse3_64.spec
armv6j.spec                  btver1.spec          geode.spec              pentium-m.spec
armv6j_hardfp.spec          btver1_64.spec      i486.spec              pentium-mmx.spec
</console>


Start nftables:
<console>
###i## /etc/init.d/nftables start
</console>

= First stages build (local build) =

To get this all started, we need to bootstrap the process by downloading an initial seed stage3 to use for building and place it in its proper location in <tt>/home/mirror/funtoo</tt>, so that [[Metro]] can find it. We will also need to create some special "control" files in <tt>/home/mirror/funtoo</tt>, which will allow [[Metro]] to understand how it is supposed to proceed.

== Step 1: Set up pentium4 repository (local build) ==

Assuming we're following the basic steps outlined in the previous section, and building an unstable funtoo (<tt>funtoo-current</tt>) build for the <tt>pentium4</tt>, using a generic <tt>pentium4</tt> stage3 as a seed stage, here is the first set of steps we'd perform:

<console>
# ##i##install -d /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
# ##i##install -d /home/mirror/funtoo/funtoo-current/snapshots
# ##i##cd /home/mirror/funtoo/funtoo-current/x86-32bit/pentium4
# ##i##install -d 2011-12-13
# ##i##cd 2011-12-13
# ##i##wget -c http://ftp.osuosl.org/pub/funtoo/funtoo-current/x86-32bit/pentium4/2011-12-13/stage3-pentium4-funtoo-current-2011-12-13.tar.xz
# ##i##cd ..
# ##i##install -d .control/version
# ##i##echo "2011-12-13" > .control/version/stage3
# ##i##install -d .control/strategy
# ##i##echo local >  .control/strategy/build
# ##i##echo stage3 > .control/strategy/seed
</console>


OK, let's review the steps above. First, we create the directory <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4</tt>, which is where Metro will expect to find unstable <tt>funtoo-current</tt> pentium4 builds -- it is configured to look here by default. Then we create a specially-named directory to house our seed x86 stage3. Again, by default, Metro expects the directory to be named this way. We enter this directory, and download our seed x86 stage3 from funtoo.org. Note that the <tt>2011-12-13</tt> version stamp of the directory matches the one in the stage3 file name. Make sure that your directory name matches the stage3 name too. Everything has been set up to match Metro's default filesystem layout.

{{Note|The seed is fetched over plain HTTP and nothing in the steps above verifies it. Every stage built later inherits whatever the seed contains, so compare the tarball against a digest or signature obtained from a trusted source before using it as a seed.}}

Next, we go back to the <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4</tt> directory, and inside it, we create a <tt>.control</tt> directory. This directory and its subdirectories contain special files that Metro references to determine certain aspects of its behavior. The <tt>.control/version/stage3</tt> file is used by Metro to track the most recently-built stage3 for this particular build and subarch. Metro will automatically update this file with a new version stamp after it successfully builds a new stage3. But because Metro didn't actually ''build'' this stage3, we need to set up the <tt>.control/version/stage3</tt> file manually. This will allow Metro to find our downloaded stage3 when we set up our pentium4 build to use it as a seed. Also note that Metro will create a similar <tt>.control/version/stage1</tt> file after it successfully builds a pentium4 funtoo-current stage1.
We also set up <tt>.control/strategy/build</tt> and <tt>.control/strategy/seed</tt> files with values of <tt>local</tt> and <tt>stage3</tt> respectively. These files define the building strategy Metro will use when we build pentium4 funtoo-current stages. With a build strategy of <tt>local</tt>, Metro will source its seed stage from funtoo-current pentium4, the current directory. And with a seed strategy of <tt>stage3</tt>, Metro will use a stage3 as a seed, and use this seed to build a new stage1, stage2 and stage3.
== Step 2: Building the pentium4 stages ==
Incidentally, if all you wanted to do at this point was to build a new pentium4 funtoo-current stage1/2/3 (plus openvz and vserver templates), you would begin the process by typing:


<console>
# ##i##cd /root/metro
# ##i##scripts/ezbuild.sh funtoo-current pentium4
</console>

== Using nftables ==
All nftables commands are issued with the nft utility from {{Package|net-firewall/nftables}}.
===Tables===
====Creating tables====
The following command adds a table called filter for the ip (IPv4) family:
<console>
###i## nft add table ip filter
</console>
Likewise a table for arp can be created with:
<console>
###i## nft add table arp filter
</console>
{{Note|The name "filter" used here is completely arbitrary. It could have any name.}}

If you have a slow machine, it could take several hours to complete because several "heavy" components like gcc or glibc have to be recompiled in each stage. Once a stage has been successfully completed, it is placed in the <tt>"${METRO_MIRROR}/funtoo-current/x86-32bit/pentium4/YYYY-MM-DD"</tt> subdirectory, where <tt>YYYY-MM-DD</tt> is today's date at the time the <tt>ezbuild.sh</tt> script was started, or the date you put on the <tt>ezbuild.sh</tt> command line.

= Building for another binary compatible architecture (remote build) =

As written above, [[Metro]] is able to perform a '''remote build''': building a stage3 for a different architecture from a binary compatible seed stage3 (e.g. using a pentium4 stage3 to seed an <tt>Intel Core2 32bit</tt> stage3). In Metro terminology, a remote build is one where a stage3 of a different, but binary compatible, architecture is used as a seed.

What's not compatible? You can't use a <tt>Sparc</tt> architecture to generate an <tt>x86</tt> or <tt>ARM</tt> based stage and vice-versa. If you use a 32bit stage then you don't want to seed a 64bit build from it. Be sure that you are using a stage from the same architecture that you are trying to seed. Check the [http://ftp.osuosl.org/pub/funtoo/funtoo-current/ Funtoo-current FTP Mirror] for a stage that is from the same architecture that you will be building.

{{Note|Often, one build (ie. funtoo-current) can be used as a seed for another build such as funtoo-stable. However, hardened builds require hardened stages as seeds in order for the build to complete successfully.}}

== Step 1: Set up Core_2 32bit repository ==

In this example, we're going to use this pentium4 funtoo-current stage3 to seed a new Core_2 32bit funtoo-current build. To get that done, we need to set up the core2_32 build directory as follows:

<console>
# ##i##cd /home/mirror/funtoo/funtoo-current/x86-32bit
# ##i##install -d core2_32
# ##i##cd core2_32
# ##i##install -d .control/strategy
# ##i##echo remote > .control/strategy/build
# ##i##echo stage3 > .control/strategy/seed
# ##i##install -d .control/remote
# ##i##echo funtoo-current > .control/remote/build
# ##i##echo x86-32bit > .control/remote/arch_desc
# ##i##echo pentium4 > .control/remote/subarch
</console>
 
The steps we follow are similar to those we performed for a ''local build'' when setting up our pentium4 directory. However, note the differences. We didn't download a stage, because we are going to use the pentium4 stage to build a new Core_2 32bit stage. We also didn't create the <tt>.control/version/stage{1,3}</tt> files because Metro will create them for us after it successfully builds a new stage1 and stage3. We are still using a <tt>stage3</tt> seed strategy, but we've set the build strategy to <tt>remote</tt>, which means that we're going to use a seed stage that's not from this particular subdirectory. Where are we going to get it from? The <tt>.control/remote</tt> directory contains this information, and lets Metro know that it should look for its seed stage3 in the <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4</tt> directory. Which one will it grab? You guessed it -- the most recently built ''stage3'' (since our seed strategy was set to <tt>stage3</tt>), that is, the one with the version stamp recorded in <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/pentium4/.control/version/stage3</tt> (<tt>2011-12-13</tt> in our example). Now you can see how all those control files come together to direct Metro to do the right thing.

{{Note|<code>arch_desc</code> should be set to one of: <code>x86-32bit</code>, <code>x86-64bit</code> or <code>pure64</code> for PC-compatible systems. You must use a 32-bit build as a seed for other 32-bit builds, and a 64-bit build as a seed for other 64-bit builds.}}

== Step 2: Building the Core_2 32bit stages ==

Now, you could start building your new Core_2 32bit stage1/2/3 (plus openvz and vserver templates) by typing the following:

<console>
# ##i##/root/metro/scripts/ezbuild.sh funtoo-current core2_32
</console>

====Listing tables====
The following command lists all tables for the ip (IPv4) family:
<console>
###i## nft list tables ip
</console>
<pre>
table filter
</pre>
The contents of the table filter can be listed with:
<console>
###i## nft list table ip filter
</console>
<pre>
table ip filter {
        chain input {
                type filter hook input priority 0;
                ct state established,related accept
                iifname "lo" accept
                ip protocol icmp accept
                drop
        }
}
</pre>
With the -a flag, nft also shows the handle of each rule. Handles are how individual rules are addressed for operations such as deletion:
<console>
###i## nft -a list table ip filter
</console>
<pre>
table ip filter {
        chain input {
                type filter hook input priority 0;
                ct state established,related accept # handle 2
                iifname "lo" accept # handle 3
                ip protocol icmp accept # handle 4
                drop # handle 5
        }
}
</pre>


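As an added example that is not part of the original page, here is how to turn a listing like the one above into a deletion that targets exactly one rule by its handle, instead of re-typing the rule and hoping it matches. Handles are assigned by the kernel and differ from host to host, so they have to be read back rather than hard-coded. The functions <tt>rule_handle</tt> and <tt>delete_rule</tt> and the sample listing are constructed for this example; the listing mirrors the output shown above.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): look up a rule's handle in the
# output of "nft -a" and delete that exact rule. Handles are kernel-assigned
# and differ between hosts, so they must be read back, never hard-coded.

# rule_handle RULE: read "nft -a list chain ..." output on stdin and print the
# handle of the first rule whose text equals RULE. Returns 1 if none matches.
# RULE must be written the way nft prints it (e.g. "tcp dport http", not 80).
rule_handle() {
    awk -v want="$1" '
        # Rule lines end in "# handle <n>"; strip the indentation and the
        # handle comment, then compare the remaining rule text exactly.
        /# handle [0-9]+$/ {
            n = $NF
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*# handle [0-9]+$/, "", line)
            if (line == want) { print n; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# delete_rule FAMILY TABLE CHAIN RULE: resolve the handle, then delete by it.
delete_rule() {
    family=$1; table=$2; chain=$3; rule=$4
    h=$(nft -a list chain "$family" "$table" "$chain" | rule_handle "$rule") || {
        echo "no such rule in $family $table $chain: $rule" >&2
        return 1
    }
    nft delete rule "$family" "$table" "$chain" handle "$h"
}

# Constructed sample of "nft -a list chain ip filter input", matching the
# listing shown on this page; used so the lookup can be exercised without nft.
SAMPLE_LISTING='table ip filter {
        chain input {
                type filter hook input priority 0;
                ct state established,related accept # handle 2
                iifname "lo" accept # handle 3
                ip protocol icmp accept # handle 4
                drop # handle 5
        }
}'

# demo: resolve the handle of the ICMP rule in the sample listing (prints 4).
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | rule_handle 'ip protocol icmp accept'
}
```

On a live host, <tt>delete_rule ip filter input 'ip protocol icmp accept'</tt> runs the two nft commands for you; the exact-match comparison means a typo in the rule text fails loudly instead of deleting a neighbouring rule.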
====Deleting tables====
The following command deletes the table called filter for the ip (IPv4) family, together with every chain and rule in it:
<console>
###i## nft delete table ip filter
</console>

In that case, the produced stages are placed in the <tt>/home/mirror/funtoo/funtoo-current/x86-32bit/core2_32/YYYY-MM-DD</tt> subdirectory.

== Step 3: The Next Build ==
At this point, you now have a new Core_2 32bit stage3, built using a "remote" pentium4 stage3. Once the first remote build completes successfully, metro will automatically change <code>.control/strategy/build</code> to be <code>local</code> instead of <code>remote</code>, so it will use the most recently-built Core_2 32bit stage3 as a seed for any new Core_2 32bit builds from now on.
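To show how the control files of the local and remote setups fit together, here is an added example that is not part of Metro and not code from the Funtoo page: the directory layout and <tt>.control</tt> files from both Step 1 sections, as shell functions, plus a lookup that follows them the way Metro does. Downloading and verifying the seed tarball is left to the caller. <tt>MIRROR</tt>, the function names and the arch-width check are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of Metro): reproduce the hand-typed setup as
# functions, for a local build (seed stage3 of the same subarch, already
# downloaded into .../SUBARCH/VERSION/) and a remote build (seed from another,
# binary compatible subarch). Fetching and verifying the seed tarball is left
# to the caller. MIRROR defaults to Metro's default repository path.

MIRROR=${MIRROR:-/home/mirror/funtoo}

# arch_width ARCH_DESC: 32 or 64, so a 32-bit stage never seeds a 64-bit build.
arch_width() {
    case "$1" in
        x86-32bit) echo 32 ;;
        x86-64bit|pure64) echo 64 ;;
        *) echo unknown ;;
    esac
}

# setup_local_build BUILD ARCH_DESC SUBARCH VERSION
# Registers the stage3 placed in $MIRROR/BUILD/ARCH_DESC/SUBARCH/VERSION as the
# seed for local builds of that subarch.
setup_local_build() {
    build=$1; arch_desc=$2; subarch=$3; version=$4
    dir=$MIRROR/$build/$arch_desc/$subarch
    install -d "$dir/$version" "$MIRROR/$build/snapshots" \
               "$dir/.control/version" "$dir/.control/strategy"
    # Metro writes this itself after a successful build; for a downloaded seed
    # the version stamp has to be recorded by hand.
    echo "$version" > "$dir/.control/version/stage3"
    echo local  > "$dir/.control/strategy/build"
    echo stage3 > "$dir/.control/strategy/seed"
}

# setup_remote_build BUILD ARCH_DESC SUBARCH SEED_BUILD SEED_ARCH_DESC SEED_SUBARCH
# Points SUBARCH at another subarch's most recent stage3 for its first build.
setup_remote_build() {
    build=$1; arch_desc=$2; subarch=$3
    seed_build=$4; seed_arch=$5; seed_subarch=$6
    if [ "$(arch_width "$arch_desc")" != "$(arch_width "$seed_arch")" ]; then
        echo "refusing: a $seed_arch seed cannot build $arch_desc" >&2
        return 1
    fi
    dir=$MIRROR/$build/$arch_desc/$subarch
    install -d "$dir/.control/strategy" "$dir/.control/remote"
    echo remote > "$dir/.control/strategy/build"
    echo stage3 > "$dir/.control/strategy/seed"
    echo "$seed_build"   > "$dir/.control/remote/build"
    echo "$seed_arch"    > "$dir/.control/remote/arch_desc"
    echo "$seed_subarch" > "$dir/.control/remote/subarch"
}

# seed_for BUILD ARCH_DESC SUBARCH: follow the control files the way Metro does
# and print the directory of the stage3 that would be used as the seed.
seed_for() {
    dir=$MIRROR/$1/$2/$3
    if [ "$(cat "$dir/.control/strategy/build")" = remote ]; then
        dir=$MIRROR/$(cat "$dir/.control/remote/build")/$(cat "$dir/.control/remote/arch_desc")/$(cat "$dir/.control/remote/subarch")
    fi
    echo "$dir/$(cat "$dir/.control/version/stage3")"
}
```

Running <tt>setup_local_build funtoo-current x86-32bit pentium4 2011-12-13</tt> followed by <tt>setup_remote_build funtoo-current x86-32bit core2_32 funtoo-current x86-32bit pentium4</tt> reproduces the two Step 1 sections, and <tt>seed_for funtoo-current x86-32bit core2_32</tt> then resolves to the pentium4 2011-12-13 directory, which is exactly the stage3 Metro will pick up.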
===Chains===
====Adding chains====
The following command adds a base chain called input to the ip filter table, registered with the input hook at priority 0. It is of type filter:
<console>
###i## nft add chain ip filter input { type filter hook input priority 0 \; }
</console>
{{Note|If you're running this command from Bash you need to escape the semicolon, as shown.}}

A non-base chain is added by leaving out the curly-brace configuration entirely.

= Build your own tailored stage3 =

Metro can be easily configured to build a custom stage3 that includes additional packages. Edit the following configuration file <tt>/root/metro/etc/builds/funtoo-current/build.conf</tt>:
{{file|name=funtoo-current/build.conf|body=
[collect ../../fslayouts/funtoo/layout.conf]

[section release]

author: Daniel Robbins <drobbins@funtoo.org>
 
[section target]
 
compression: xz
 
[section portage]
 
FEATURES:
SYNC: $[snapshot/source/remote]
USE:
 
[section profile]
 
format: new
path: gentoo:funtoo/1.0/linux-gnu
arch: $[:path]/arch/$[target/arch_desc]
build: $[:path]/build/current
flavor: $[:path]/flavor/core
mix-ins:
 
[section version]
 
python: 2.7
 
[section emerge]
 
 
[section snapshot]
 
type: live
compression: xz
 
[section snapshot/source]
 
type: git
branch: funtoo.org
# branch to have checked out for tarball:
branch/tar: origin/master
name: ports-2012
remote: git://github.com/funtoo/ports-2012.git
options: pull
 
[section metro]
 
options:
options/stage: cache/package
target: gentoo
 
[section baselayout]
 
services: sshd
 
[section multi]
 
snapshot: snapshot
 
[section files]
 
motd/trailer: [
 
>>> Send suggestions, improvements, bug reports relating to...
 
>>> This release:                  $[release/author]
>>> Funtoo Linux (general):       Funtoo Linux (http://www.funtoo.org)
>>> Gentoo Linux (general):        Gentoo Linux (http://www.gentoo.org)
]
 
[collect ../../multi-targets/$[multi/mode:zap]]
}}
 
= Building Gentoo stages =
 
Currently, Gentoo stages cannot be built in Metro. We have an open bug for this -- it is simply due to the fact that we focus on ensuring Funtoo Linux builds and building Gentoo is a lower priority. Historical note: Funtoo Linux originally started as a fork of Gentoo Linux so that metro could reliably build Gentoo stages.
 
= Advanced Features =
 
Metro also includes a number of advanced features that can be used to automate builds and set up distributed build servers. These features require you to {{c|emerge sqlalchemy}}, as SQLite is used as a dependency.
 
== Repository Management ==
 
Metro includes a script in the {{c|scripts}} directory called {{c|buildrepo}}. Buildrepo serves as the heart of Metro's advanced repository management features.
 
=== Initial Setup ===
 
To use {{c|buildrepo}}, you will first need to create a {{f|.buildbot}} configuration file. Here is the file I use on my AMD Jaguar build server:


{{file|name=/root/.buildbot|lang=python|body=
builds = (
    "funtoo-current",
    "funtoo-current-hardened",
    "funtoo-stable",
)

arches = (
    "x86-64bit",
    "pure64"
)

subarches = (
    "amd64-jaguar",
    "amd64-jaguar-pure64",
)

def map_build(build, subarch, full, full_date):
    # arguments refer to last build...
    if full == True:
        buildtype = ( "freshen", )
    else:
        buildtype = ("full", )
    return buildtype
}}

====Removing chains====
The following command deletes the chain called input:
<console>
###i## nft delete chain ip filter input
</console>
{{Note|Chains can only be deleted if there are no rules in them.}}
===Rules===
====Adding rules====
The following command adds a rule to the chain called input, on the ip filter table, dropping all TCP traffic to port 80:
<console>
###i## nft add rule ip filter input tcp dport 80 drop
</console>
====De
leting rules====
To delete a rule, you first need to get its handle number. This can be done by listing the chain with the -a flag on nft:
<console>
###i## nft -a list chain ip filter input
</console>
<pre>
table ip filter {
        chain input {
                type filter hook input priority 0;
                tcp dport http drop # handle 2
        }
}
</pre>
Note that nft prints the rule in its canonical form (port 80 is shown as http). It is then possible to delete the rule with:
<console>
###i## nft delete rule ip filter input handle 2
</console>
== Management ==
=== Backup ===
You can also back up your rules. Inside a file that nft reads, commands are written without the leading <tt>nft</tt>, so the first line is <tt>flush ruleset</tt>:
<console>
###i## echo "flush ruleset" > backup.nft
###i## nft list ruleset >> backup.nft
</console>

=== Restoration ===
And load it atomically: the flush and the saved rules are applied in one transaction, so either the whole file takes effect or nothing changes.
<console>
###i## nft -f backup.nft
</console>
Don't forget to add nftables service to startup:
This file is actually a python source file that defines the tuples {{c|builds}}, {{c|arches}} and {{c|subarches}}. These variables tell {{c|buildrepo}} which builds, arches and subarches it should manage. A {{c|map_build()}} function is also defined which {{c|buildbot}} uses to determine what kind of build to perform. The arguments passed to the function are based on the last successful build. The function can read these arguments and return a string to define the type of the next build. In the above example, the {{c|map_build()}} function will cause the next build after a freshen build to be a full build, and the next build after a full build to be a freshen build, so that the build will alternate between full and freshen.
<console>
###i## rc-update add nftables default
</console>
== Init script - firewall nftables like a firewall iptables ==
<pre>
#!/sbin/runscript
#      Raphael Bastos aka coffnix        #
#      Init Script for Funtoo Linux      #
##########################################


depend() {
== Automated Builds ==
        need net
        need nftables
        }


start(){
Once the {{c|.buildbot}} file has been created, the {{c|buildrepo}} and {{c|buildbot.sh}} tools are ready to use. Here's how they work. These tools are designed to keep your repository ({{c|path/mirror}} in {{f|/root/.metro}} up-to-date by inspecting your repository and looking for stages that are out-of-date.
##################### PARTE 1 #####################
ebegin "Starting Firewall NFTables"


#######################################################################
To list the next build that will be performed, do this -- this is from my ARM build server:
### Incompatibilities ###
# You cannot use iptables and nft to perform NAT at the same time.
# So make sure that the iptable_nat module is unloaded
rmmod iptable_nat


#######################################################################
{{console|body=
# ##i##./buildrepo nextbuild
build=funtoo-current
arch_desc=arm-32bit
subarch=armv7a_hardfp
fulldate=2015-02-08
nextdate=2015-02-20
failcount=0
target=full
extras=''
}}


echo 1 > /proc/sys/net/ipv4/ip_forward
If no output is displayed, then all your builds are up-to-date.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done


#######################################################################
To actually run the next build, run {{c|buildbot.sh}}:


iptables -t nat -F
{{console|body=
# ##i##./buildbot.sh
}}


#######################################################################
If you're thinking that {{c|buildbot.sh}} would be a good candidate for a cron job, you've got the right idea!


# ipv4
=== List Builds ===
nft -f /etc/nftables/ipv4-filter


# ipv4 nat
To get a quick look at our repository, let's run the {{c|buildrepo fails}} command:
nft -f /etc/nftables/ipv4-nat


# ipv6
{{console|body=
nft -f /etc/nftables/ipv6-filter
# ##i##./buildrepo fails
  0  2015-02-18 /home/mirror/funtoo/funtoo-current/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-current/pure64/amd64-jaguar-pure64
  0  2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-current-hardened/pure64/amd64-jaguar-pure64
  0  2015-02-18 /home/mirror/funtoo/funtoo-stable/x86-64bit/amd64-jaguar
  0  2015-02-18 /home/mirror/funtoo/funtoo-stable/pure64/amd64-jaguar-pure64
}}


# Rules firewall NTFtables
On my AMD Jaguar build server, on Feb 20, 2015, this lists all the builds that {{c|buildrepo}} has been configured to manage. The first number on each line is a '''failcount''', which is the number of consecutive times that the build has failed. A zero value indicates that everything's okay. The failcount is an important feature of the advanced repository management features. Here are a number of behaviors that are implemented based on failcount:
nft -f /etc/nftables/firewall.rules


#######################################################################
* If {{c|buildbot.sh}} tries to build a stage and the build fails, the failcount is incremented.
* If the build succeeds for a particular build, the failcount is reset to zero.
* Builds with the lowest failcount are prioritized by {{buildrepo}} to build next, to steer towards builds that are more likely to complete successfully.
* Once the failcount reaches 3 for a particular build, it is removed from the build rotation.


}
=== Resetting Failcount ===


stop(){
If a build has issues, the failcount for a build will reach 3, at which point it will be pulled out of build rotation. To clear failcount, so that these builds are attempted again -- possibly fixed by new updates to the Portage tree -- use {{c|buildrepo zap}}:
ebegin "Stoping Firewall NFTables"


#######################################################################
{{console|body=
# /root/metro/scripts/buildrepo zap
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv7a_hardfp/.control/.failcount...
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv6j_hardfp/.control/.failcount...
Removing /mnt/data/funtoo/funtoo-current/arm-32bit/armv5te/.control/.failcount...
}}


#iptables -t nat -F
== Repository Maintenance ==
NFT=nft
FAMILIES="ip ip6 arp bridge"


for FAMILY in $FAMILIES; do
A couple of repository maintenance tools are provided:
  TABLES=$($NFT list tables $FAMILY | grep "^table\s" | cut -d' ' -f2)


  for TABLE in $TABLES; do
* {{c|buildrepo digestgen}} will generate hash files for the archives in your repository, and clean up stale hashes.
    CHAINS=$($NFT list table $FAMILY $TABLE | grep "^\schain\s" | cut -d' ' -f2)
* {{c|buildrepo index.xml}} will create an index.xml file at the root of your repository, listing all builds available.
* {{c|buildrepo clean}} will output a shell script that will remove old stages. No more than the three most recent stage builds for each build/arch/subarch are kept.


    for CHAIN in $CHAINS; do
== Distributed Repositories ==
      echo "Flushing chain: $FAMILY->$TABLE->$CHAIN"
      $NFT flush chain $FAMILY $TABLE $CHAIN
      $NFT delete chain $FAMILY $TABLE $CHAIN
    done


    echo "Flushing table: $FAMILY->$TABLE"
In many situation, you will have a number of build servers, and each will build a subset of your master repository, and then upload builds to the master repository. This is an area of Metro that is being actively developed. For now, automated upload functionality is not enabled, but is expected to be implemented in the relatively near future. However, it is possible to have your master repository differentiate between subarches that are built locally, and thus should be part of that system's {{c|buildbot}} build rotation, and those that are stored locally and built remotely. These builds should be cleaned when {{c|buildrepo clean}} is run, but should not enter the local build rotation. To set this up, modify {{f|/root/.buildbot}} and use the {{c|subarches}} and {{c|all_subarches}} variables:
    $NFT flush table $FAMILY $TABLE
    $NFT delete table $FAMILY $TABLE
  done
done
}


status(){
{{file|name=/root/.metro|desc=Excerpt of .metro config for master repository|body=
nft list ruleset
# subarches we are building locally:
}


# End
subarches = (
</pre>
        "pentium4",
        "athlon-xp",
        "corei7",
        "corei7-pure64",
        "generic_32",
        "i686",
        "amd64-k8",
        "amd64-k8-pure64",
        "core2_64",
        "core2_64-pure64",
        "generic_64",
        "generic_64-pure64",
)
 
# Things we need to clean, even if we may not be building:
 
all_subarches = subarches + (
        "atom_32",
        "atom_64",
        "atom_64-pure64",
        "amd64-k10",
        "amd64-k10-pure64",
        "amd64-bulldozer",
        "amd64-bulldozer-pure64",
        "amd64-steamroller",
        "amd64-steamroller-pure64",
        "amd64-piledriver",
        "amd64-piledriver-pure64",
        "amd64-jaguar",
        "amd64-jaguar-pure64",
        "intel64-haswell",
        "intel64-haswell-pure64",
        "intel64-ivybridge-pure64",
        "intel64-ivybridge",
        "armv7a_hardfp",
        "armv6j_hardfp",
        "armv5te"
)
}}


[[Category:System]]
[[Category:HOWTO]]
[[Category:First Steps]]
[[Category:Metro]]
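The handle lookup described in the section on deleting rules above is easy to get wrong by hand: the handle has to be read off the listing, and nft prints rules with service names (tcp dport http) rather than the port numbers they were added with (tcp dport 80). The following Python script is an added example, not part of the nftables package or of this page. It parses the output of nft -a list table into records, finds the handles of the rules in a given chain whose text contains a pattern, and builds the corresponding nft delete commands. The sample listing embedded in it is constructed for the example; the current_listing() helper, which runs the real nft binary and therefore needs root, is an assumption about how you would feed the parser live data.

```python
"""Find nftables rule handles in "nft -a list table" output.

Added example, not part of the nftables package or the original page.
nft identifies rules by a kernel-assigned handle that "nft -a" prints as a
trailing "# handle N" comment; this parser turns a listing into
(family, table, chain, rule, handle) records so a script can delete one
specific rule without copying numbers by hand.
"""
import re
import subprocess
from collections import namedtuple

Rule = namedtuple("Rule", "family table chain rule handle")

_TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
_CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
_HANDLE_RE = re.compile(r"^(.*?)\s*#\s*handle\s+(\d+)\s*$")


def parse_listing(text):
    """Parse the text of "nft -a list table" (or "list ruleset") into Rule records."""
    family = table = chain = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _TABLE_RE.match(line)
        if m:
            family, table = m.group(1), m.group(2)
            chain = None
            continue
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line == "}":
            # a closing brace ends the current chain, or the table if no chain is open
            if chain is not None:
                chain = None
            else:
                family = table = None
            continue
        m = _HANDLE_RE.match(line)
        if m and chain is not None:
            body = m.group(1)
            # "type filter hook input priority 0;" describes the chain, not a rule
            if not body or body.startswith("type "):
                continue
            rules.append(Rule(family, table, chain, body.rstrip(";"), int(m.group(2))))
    return rules


def find_handles(text, chain, rule_pattern, family=None, table=None):
    """Handles of the rules in `chain` whose printed text contains rule_pattern."""
    return [r.handle for r in parse_listing(text)
            if r.chain == chain and rule_pattern in r.rule
            and (family is None or r.family == family)
            and (table is None or r.table == table)]


def delete_commands(text, chain, rule_pattern, family="ip", table="filter"):
    """Build one "nft delete rule" command per matching rule."""
    return ["nft delete rule %s %s %s handle %d" % (family, table, chain, h)
            for h in find_handles(text, chain, rule_pattern, family, table)]


def current_listing(family="ip", table="filter"):
    """Fetch the live listing from nft (assumed helper; needs root and nft)."""
    return subprocess.check_output(["nft", "-a", "list", "table", family, table], text=True)


# Constructed sample in the format "nft -a list table ip filter" prints.
SAMPLE = """\
table ip filter {
        chain input {
                type filter hook input priority 0;
                ct state established,related accept # handle 4
                tcp dport http drop # handle 2
                tcp dport 22 accept # handle 7
        }
        chain output {
                type filter hook output priority 0;
                tcp dport http drop # handle 3
        }
}
"""

if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE, "input", "tcp dport http"):
        print(cmd)  # nft delete rule ip filter input handle 2
```

Match on the text nft prints (tcp dport http), not on the text you typed when adding the rule (tcp dport 80), and feed the parser a listing taken immediately before deleting, since the commands it builds are only valid for that listing.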
{{EbuildFooter}}
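The map_build() hook in {{f|/root/.buildbot}} (see Initial Setup above) only sees the last successful build, but that is enough to implement a policy richer than the strict alternation shown there. The following Python is an added example, not Metro's own code: it forces a full rebuild whenever the last full build is older than a configurable number of days, and otherwise alternates full and freshen builds. It assumes that buildbot passes full_date either as a datetime.date or as a YYYY-MM-DD string (the format buildrepo nextbuild prints for fulldate), and that a one-element tuple such as ("full",) is the expected return value, as in the page's own example; neither assumption is documented on this page.

```python
"""A map_build() policy for /root/.buildbot (added illustration, not Metro's code).

Assumptions not stated on the page: buildbot passes full_date as a "YYYY-MM-DD"
string (the format "buildrepo nextbuild" prints for fulldate) or as a
datetime.date, and a one-element tuple such as ("full",) is the expected
return value, as in the page's own example.
"""
from datetime import date, datetime

# Force a full stage1 -> stage2 -> stage3 rebuild once the last one is this old,
# so that freshen builds do not pile up indefinitely on top of an aging seed.
MAX_FRESHEN_DAYS = 14


def _to_date(value):
    """Normalise a date given as datetime.date or "YYYY-MM-DD"; None or "" -> None."""
    if value is None or value == "":
        return None
    if isinstance(value, date):
        return value
    return datetime.strptime(str(value), "%Y-%m-%d").date()


def choose_build_type(build, subarch, full, full_date, today):
    """Return the type of the next build as a one-element tuple.

    build, subarch, full and full_date describe the last successful build,
    exactly as buildbot passes them to map_build(); today is a parameter so
    the decision can be tested without consulting the wall clock.
    """
    last_full = _to_date(full_date)
    now = _to_date(today)
    if last_full is None:
        return ("full",)        # no full build recorded yet: nothing to freshen
    if (now - last_full).days >= MAX_FRESHEN_DAYS:
        return ("full",)        # seed is stale: rebuild from stage1
    if full:
        return ("freshen",)     # last build was full: alternate, as on the page
    return ("full",)


def map_build(build, subarch, full, full_date):
    """The hook buildbot calls; the signature must stay as documented."""
    return choose_build_type(build, subarch, full, full_date, date.today())
```

The policy only ever consults the last successful build, because that is all buildbot hands to the hook; the failcount rules described under List Builds still apply on top of whatever the hook returns.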
__TOC__

Revision as of 15:18, February 22, 2015
