[rb-general] [FOSDEM16] Reproducible FreeBSD and variants

Fri Feb 12 17:56:20 CET 2016

Holger Levsen wrote:
> (I believe) somehow your mail did not make it to the rb-general list, are you 
> subscribed? (leaving full quoted context for that reason…)

It is there:
http://lists.reproducible-builds.org/pipermail/rb-general/2016-February/000031.html
but, the mailing list scrubbed my GPG MIME signature, and I think when
it did that it broke the DKIM signature also :(

> I'm not sure I'll be comfortable building "anything+everything" on this box 
> then. ("rented for business uses")

And it's maybe only temporary;  if customers cancel I may no longer have
that machine available to use.

I looked at some other options, and really like the idea of using
(older) hardware I already have at home for this.  With 'free' hardware
+ the cost of electricity, it is still cheaper than server rentals or
clouds I think.  I'd need to utilize it really efficiently though.

> > I've decided to open up the Jenkins web interace now (except HTTP POST
> > because I really don't trust its security!)
> > http://jenkins.kfreebsd.eu/jenkins/
> 
> nice!

Helmut's rebootstrap jobs for kfreebsd->linux-armhf and linux-mipsel
completed yesterday for the first time (yay!).  I'll enable diffoscope
for the next run.

> > I've put Jenkins master in its own separate chroot jail.  The jobs run
> > one at a time, in another separate sid chroot jail.  Jails prevent
> > access to files or devices of the host, and I can firewall their network
> > access if I want to.
> > 
> > > I dont see us moving to DSA
> > > maintained host. patches for that (="less sudo usage…") welcome ;)
> > 
> > This is a major concern for me at the moment, as I allow Jenkins to do
> > many things on the host (outside of any jail) via sudo to set up the sid
> > chroot.  I'm experimenting with better ways to do this.
> 
> well, things should probably work nicely in a jail where jenkins thinks it can 
> do what it wants :-)
> 
> > I'd started out with sbuild, but it is incompatible with jails.  It was
> > also really slow, and that's a major concern for me with the limited
> > resources I have.  Optimizing is fun also.
> 
> I dont think I want to build reproducible Debian packages on one arch in a 
> different way than on the others. So pbuilder for now (until we maybe switch 
> to sbuild with the patch for reproducible rebuilds once we're rebuilding 
> against sid…)

pbuilder doesn't work yet on kfreebsd (patch in BTS for 4+ years but
never applied!).  I think it won't work with jails either.  I'll try to
fix it, or otherwise maybe add ZFS snapshot/clone support into sbuild.

> Also we have packages in the archive which build twice in <60s (on our amd64 
> "hw"), while the average time is 8min. 

It was quite bad on kfreebsd, taking several minutes for schroot to
unpack and install a few build-deps.  I definitely need to work on it.

> So currently we're building 60*24/8*32=5760 packages a day (/8 because average 
> build time is 8min and *32 because we have 32 amd64 builders).

Thanks for providing these numbers;  they'll be useful for me to
benchmark against.

> I suspect the numbers will look similar for armhf, but I'll leave that as an 
> excercize for the reader :)

I was curious about those too, if there are any ways to speed up the
armhf builds (and mipsel if we have hardware for that someday).  But,
one thing at a time...

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20160212/8f7b47b8/attachment.sig>