build: Make networking work inside LXC builder in gitian-building.md #7060

laanwj wants to merge 2 commits into bitcoin:master from laanwj:2015_11_gitian_building, changing 4 files (+9 −3)
  1. laanwj commented at 12:13 PM on November 19, 2015: member

    These are changes I needed to get gitian building to work with a fresh Debian 8.2 VM, which is the version we tell to use.

    • Set up NAT and forwarding, so that LXC container can access network beyond host
    • Remove explicit cgroup setup - these are mounted automatically now

    Also needed a change to gitian: https://github.com/devrandom/gitian-builder/issues/105 [skip ci]

  2. laanwj added the label Build system on Nov 19, 2015
  3. fanquake commented at 12:15 PM on November 19, 2015: member

    utACK

  4. laanwj commented at 12:25 PM on November 19, 2015: member

    It also looks like we now need ca-certificates and python as dependencies in the descriptors for LXC gitian builds. Apparently for KVM they are added to the base image, but not for LXC.

  5. laanwj commented at 12:30 PM on November 19, 2015: member

    Can you also give this a try @theuni? Want to make sure that I'm not crazy (or somehow have a subtly different environment) that I need these changes.

  6. laanwj renamed this:
    doc: Make networking work inside builder in gitian-building.md
    doc: Make networking work inside LXC builder in gitian-building.md
    on Nov 19, 2015
  7. theuni commented at 5:42 PM on November 19, 2015: member

    @laanwj I can't try until tomorrow, but I believe I've ended up doing similar things to get it somewhat working in the past. I never got it reproducibly working 100% though, so if this does the trick, that's great!

  8. laanwj commented at 8:15 AM on November 20, 2015: member

    There were three major issues in my case:

    • LXC container couldn't reach the internet (solved by setting up masquerading/forwarding, as well as the gitian change to set 'auto' gateway)
    • TLS certificates couldn't be verified (solved by adding ca-certificates package)
    • Python missing error (I think during MacOsX build, adding python package)

    We need gitian-building instructions that work. If this too doesn't solve it reproducibly, then switching the VM image to Ubuntu may be the best plan (though it's nice if Gitian works from Debian as well). I'm not actually sure that these problems don't exist with an Ubuntu VM.

  9. laanwj renamed this:
    doc: Make networking work inside LXC builder in gitian-building.md
    build: Make networking work inside LXC builder in gitian-building.md
    on Nov 20, 2015
  10. MarcoFalke commented at 12:21 PM on November 20, 2015: member

    > switching the VM image to Ubuntu

    Ideally this should work on any linux with the right hardware?

  11. laanwj commented at 9:08 AM on November 24, 2015: member

    > Ideally this should work on any linux with the right hardware?

    For gitian itself you're right.

    Though with all the possible things that may be different between setups, a single "follow these steps" plan cannot work on any linux. To make sure it is actually tested and reproducible (which even now is lacking!) I'm just targeting one distro with this guide. (same answer to questions like "why not KVM" etc - this is not meant to be a comprehensive book on all the capabilities of gitian, just one tested way to get from a VM to built executables)

  12. TheBlueMatt commented at 1:37 AM on November 26, 2015: member

    We really need to be going the opposite direction here. gitian build environments should be banned from accessing the network at all, both because they shouldn't need it and it's good hygiene to not allow it and because we really should be supporting building on airgapped machines and always denying network access is a good way to ensure we continue to do that.

  13. laanwj commented at 7:45 AM on November 26, 2015: member

    My goal was just to get the guide working as it is specified now. I agree with you long term @TheBlueMatt but right now, having a broken guide is more harmful than one that isn't perfect.

    Feel free to write it as you think is better.

    But if it isn't fixed before 0.12, I'd rather just remove it than leave it in a broken state. I mean, people follow these steps exactly and it doesn't work, can you think of anything more frustrating?

  14. MarcoFalke commented at 11:26 AM on November 26, 2015: member

    Agree with @laanwj

    > just remove it than leave it in a broken state

    Or mark it [outdated]?

  15. TheBlueMatt commented at 2:19 AM on November 27, 2015: member

    Is it no longer possible to build without network access? If so, can we just change the documentation to disallow network access instead of allow it? If not, when did we merge something with such a huge regression? Would it be easy to fix?

  16. laanwj commented at 8:35 AM on November 27, 2015: member

    > Or mark it [outdated]?

    If someone wants to resurrect it, it's in git history.

    > Is it no longer possible to build without network access?

    It is possible, to be precise it's even mentioned in the guide in a separate section: https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md#building-fully-offline

    However it requires extra steps, building with network access in the container is easier.

  17. laanwj commented at 9:24 AM on December 1, 2015: member

    @theuni Can you go through this one time to test it please? Would be nice to have this up-to-date before we start building 0.12 RCs.

  18. in doc/gitian-building.md:None in 272ebbc165 outdated
     261 | @@ -262,12 +262,12 @@ Then set up LXC and the rest with the following, which is a complex jumble of se
     262 |  # the version of lxc-start in Debian 7.4 needs to run as root, so make sure
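
    Review bot: the context comment at line 262 justifies running lxc-start as root by naming Debian 7.4, while the PR description says the guide now targets Debian 8.2. Either confirm the root requirement still holds on the targeted release and say so without a version, or drop the version from the comment so it does not go stale with each base-image change.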
    


    fanquake commented at 3:42 AM on December 3, 2015:

    Should we address the comment about Debian 7.4 also, given that we've moved to 8.2


    laanwj commented at 10:06 AM on December 3, 2015:

    Eh definitely. Removed the version here completely, leaves one less version number to update every time.

  19. theuni commented at 4:03 AM on December 3, 2015: member

    @laanwj Yep, will do in a few hours.

  20. laanwj force-pushed on Dec 3, 2015
  21. theuni commented at 4:57 AM on December 4, 2015: member

    Sadly I didn't make it to this today. I'll revisit asap after the conference.

  22. theuni commented at 5:23 AM on December 17, 2015: member

    @laanwj Just stepped through a 0.12 build for win32/linux and hit no snags. I haven't tried osx or the offline path (followed the guide from top to bottom, whoops). I'll get those going in the background next.

  23. laanwj commented at 10:48 AM on December 17, 2015: member

    From top to bottom makes a lot of sense :)

  24. laanwj closed this on Jan 18, 2016

  25. laanwj reopened this on Jan 18, 2016

  26. doc: Make networking work inside builder in gitian-building.md
    These are changes I needed to get gitian building to work with Debian
    8.2, which is the version we tell to use.
    
    - Set up NAT, so that container can access network beyond host
    - Remove explicit cgroup setup - these are mounted automatically now
    99fda26de0
  27. gitian: Need `ca-certificates` and `python` for LXC builds 3b468a0e60
  28. laanwj force-pushed on Jan 18, 2016
  29. fanquake commented at 10:02 AM on January 19, 2016: member

    ACK

  30. Michagogo commented at 10:08 AM on January 19, 2016: contributor

    Tested ACK regarding adding the python package to the OS X descriptor. That let it work for me when it failed before (building in LXC on Ubuntu Trusty). I don't know if adding it is necessary for the non-OS X builds, and I haven't tried any of the network changes. In response to @TheBlueMatt, I don't think it's actually needed. I don't actually know if my container can access the Internet, but afaik it only needs it to download the depends files, and we have a step in release-process.md that downloads the files and seeds them into the gitian cache.

  31. laanwj merged this on Jan 20, 2016
  32. laanwj closed this on Jan 20, 2016

  33. laanwj referenced this in commit 53fa09f04d on Jan 20, 2016
  34. laanwj referenced this in commit 5bb3e263e2 on Jan 20, 2016
  35. zkbot referenced this in commit 4ee9d712b5 on Oct 17, 2016
  36. DrahtBot locked this on Sep 8, 2021

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:15 UTC