Monday 21 October 2013

Re: Introducing sbuild-launchpad-chroot

That's pretty much my plan: find a way to get schroot to interface with
LXC (or just unshare the netns directly). Need something a bit more
clever than just blocking access completely though since you still want
to grab the build-depends, but passing a socket to a small proxy would
be a way, creating a veth pair would be another (and using iptables to
block non-archive traffic).

On Tue, Oct 22, 2013 at 11:33:19AM +1300, Robert Collins wrote:
> Cool. Using lxc rather than a chroot will let you cut internet off hard :)
>
> -Rob
>
> On 22 October 2013 03:31, Stéphane Graber <stgraber@ubuntu.com> wrote:
> > Hey everyone,
> >
> > With trusty now open, I uploaded a tool I've been using for a few months now.
> >
> > It's called sbuild-launchpad-chroot and pretty much does exactly what
> > the name says.
> >
> > The package contains 3 things:
> > - 1 tool to create/update/delete sbuild chroots
> > - 1 schroot hook to update the chroot at the beginning of a build
> > - 1 schroot hook to generate the right sources.list for the build
> >
> > That last hook was written by Andy Whitcroft and some of you may already
> > be using it.
> >
> > With the package installed, you can then do:
> > sudo sbuild-launchpad-chroot create -n trusty-amd64-sbuild -s trusty -a amd64
> >
> > This will define a new chroot in schroot called trusty-amd64-sbuild, set
> > some extra launchpad.* options for the series and architecture on
> > Launchpad, download the current Launchpad chroot and also set up the
> > following aliases:
> > - trusty-security-amd64-sbuild
> > - trusty-security+main-amd64-sbuild
> > - trusty-security+restricted-amd64-sbuild
> > - trusty-security+universe-amd64-sbuild
> > - trusty-security+multiverse-amd64-sbuild
> > - trusty-updates-amd64-sbuild
> > - trusty-updates+main-amd64-sbuild
> > - trusty-updates+restricted-amd64-sbuild
> > - trusty-updates+universe-amd64-sbuild
> > - trusty-updates+multiverse-amd64-sbuild
> > - trusty-proposed-amd64-sbuild
> > - trusty-proposed+main-amd64-sbuild
> > - trusty-proposed+restricted-amd64-sbuild
> > - trusty-proposed+universe-amd64-sbuild
> > - trusty-proposed+multiverse-amd64-sbuild
> >
> > Once done, you can then trigger a build with something like:
> > sbuild --dist=trusty --arch=amd64 -c trusty-proposed+restricted-amd64-sbuild <dsc>
> >
> > This will print the following:
> > I: 01launchpad-chroot: [trusty-amd64-sbuild] Processing config
> > I: 01launchpad-chroot: [trusty-amd64-sbuild] Already up to date.
> > I: 90apt-sources: setting apt pockets to 'release security updates proposed' in sources.list
> > I: 90apt-sources: setting apt components to 'main restricted' in sources.list
> >
> > Confirming that the hook has checked the chroot currently matches with
> > what Launchpad uses and telling you that the sources.list in the build
> > environment contains all the pockets (but backports) and the main and
> > restricted components.
> >
> >
> > In theory the only noticeable difference between a build environment
> > created by sbuild-launchpad-chroot and the real thing is that you'll
> > have internet connectivity from inside the chroot (but I'm working on
> > also emulating that part of the LP build environment) and that you'll be
> > running with a newer version of sbuild than what's used on the real
> > buildds.
> >
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> >
>
>
>
> --
> Robert Collins <rbtcollins@hp.com>
> Distinguished Technologist
> HP Converged Cloud

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
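
The veth-pair and iptables option mentioned in the reply at the top of this thread, sketched as an added example; it is not code from the thread or from sbuild-launchpad-chroot. The namespace and interface names, the 10.200.0.0/30 link addresses, the documentation address 192.0.2.10 standing in for an archive mirror, plain-HTTP access to the archive on port 80 and the `DRY_RUN` switch are all assumptions.

```sh
#!/bin/sh
# Added example: a build network namespace that can only reach the archive.
# Every name and address here is an assumption, not taken from the thread.
NS=${NS:-sbuild-net}                      # hypothetical namespace name
HOST_IF=veth-host; BUILD_IF=veth-build    # hypothetical veth pair names
HOST_IP=10.200.0.1; BUILD_IP=10.200.0.2   # constructed /30 link addresses
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = run them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# isolate_build_net ARCHIVE_IPV4...
isolate_build_net() {
    [ "$#" -ge 1 ] || { echo "usage: isolate_build_net ARCHIVE_IPV4..." >&2; return 2; }
    for addr in "$@"; do                  # validate before touching anything
        case $addr in
            *[!0-9.]*|"") echo "not a dotted IPv4 literal: $addr" >&2; return 2 ;;
        esac
    done
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$BUILD_IF"
    run ip link set "$BUILD_IF" netns "$NS"
    run ip addr add "$HOST_IP/30" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$BUILD_IP/30" dev "$BUILD_IF"
    run ip netns exec "$NS" ip link set "$BUILD_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$BUILD_IP" -j MASQUERADE
    # Replies to connections the build side opened are allowed back in.
    run iptables -A FORWARD -o "$HOST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for addr in "$@"; do
        run iptables -A FORWARD -i "$HOST_IF" -d "$addr" -p tcp --dport 80 -j ACCEPT
    done
    # Everything else from the build side is dropped, including traffic to the host.
    run iptables -A FORWARD -i "$HOST_IF" -j DROP
    run iptables -A INPUT -i "$HOST_IF" -j DROP
}

# 192.0.2.10 is a documentation address used as a placeholder archive mirror.
isolate_build_net 192.0.2.10
```

Because the rules are appended with `-A`, any broader ACCEPT rule already present in the host's FORWARD chain would match first, so check the existing ruleset before relying on the final DROP.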