build: Make networking work inside LXC builder in gitian-building.md #7060
Conversation
|
utACK |
|
It also looks like we now need |
|
Can you also give this a try @theuni? Want to make sure that I'm not crazy (or somehow have a subtly different environment) that I need these changes. |
|
@laanwj I can't try until tomorrow, but I believe i've ended up doing similar things to get it somewhat working in the past. I never got it reproducibly working 100% though, so if this does the trick, that's great! |
|
There were three major issues in my case:
We need gitian-building instructions that work. If this too doesn't solve it reproducibly, then switching the VM image to Ubuntu may be the best plan (though it's nice if Gitian works from Debian as well). I'm not actually sure that these problems don't exist with an Ubuntu VM. |
Ideally this should work on any linux with the right hardware? |
For gitian itself you're right. Though with all the possible things that may be different between setups, a single "follow these steps" plan cannot work on any linux. To make sure it is actually tested and reproducible (which even now is lacking!) I'm just targeting one distro with this guide. |
|
We really need to be going the opposite direction here. gitian build environments should be banned from accessing the network at all, both because they shouldn't need it and its good hygene to not allow it and because we really should be supporting building on airgapped machines and always denying network access is a good way to ensure we continue to do that. |
|
My goal was just to get the guide working as it is specified now. Feel free to write it as you think is better. But if it isn't fixed before 0.12, I'd rather just remove it than leave it in a broken state. I mean, people follow these steps exactly and it doesn't work, can you think of anything more frustrating? |
|
Agree with @laanwj
Or mark it [outdated]? |
|
Is it no longer possible to build without network access? If so, can we just change the documentation to disallow network access instead of allow it? If not, when did we merge something with such a huge regression? Would it be easy to fix? |
If someone wants to resurrect it it's in git history.
It is possible, to be precise it's even mentioned in the guide in a separate section: https://github.com/bitcoin/bitcoin/blob/master/doc/gitian-building.md#building-fully-offline However it requires extra steps, building with network access in the container is easier. |
|
@theuni Can you go through this one time to test it please? Would be nice to have this up-to-date before we start building 0.12 RCs. |
| @@ -262,12 +262,12 @@ Then set up LXC and the rest with the following, which is a complex jumble of se | |||
| # the version of lxc-start in Debian 7.4 needs to run as root, so make sure | |||
There was a problem hiding this comment.
Should we address the comment about Debian 7.4 also, given that we've moved to 8.2
There was a problem hiding this comment.
Eh definitely. Removed the version here completely, leaves one less version number to update every time.
|
@laanwj Yep, will do in a few hours. |
272ebbc to
d3e8927
Compare
|
Sadly I didn't make it to this today. I'll revisit asap after the conference. |
|
@laanwj Just stepped through a 0.12 build for win32/linux and hit no snags. I haven't tried osx or the offline path (followed the guide from top to bottom, whoops). I'll get those going in the background next. |
|
From top to bottom makes a lot of sense :) |
These are changes I needed to get gitian building to work with Debian 8.2, which is the version we tell to use. - Set up NAT, so that container can access network beyond host - Remove explicit cgroup setup - these are mounted automatically now
d3e8927 to
3b468a0
Compare
|
ACK |
|
Tested ACK regarding adding the python package to the OS X descriptor. That let it work for me when it failed before (building in LXC on Ubuntu Trusty). I don't know if adding it is necessary for the non-OS X builds, and I haven't tried any of the network changes. In response to @TheBlueMatt, I don't think it's actually needed. I don't actually know if my container can access the Internet, but afaik it only needs it to download the depends files, and we have a step in release-process.md that downloads the files and seeds them into the gitian cache. |
These are changes I needed to get gitian building to work with Debian 8.2, which is the version we tell to use. - Set up NAT, so that container can access network beyond host - Remove explicit cgroup setup - these are mounted automatically now - gitian: Need `ca-certificates` and `python` for LXC builds Github-Pull: #7060 Rebased-From: 99fda26 3b468a0
Upstream gitian updates This PR pulls in all gitian-related PRs that have been merged upstream since 0.11.2. The only ones I left out were documentation-only PRs, because we removed `doc/gitian-building.md` at some point. Here are the commits applied here, in the order shown in `git log` (ie. last to first): - bitcoin/bitcoin#7283 - fa42a67 - fa58c76 - bitcoin/bitcoin#8175 - 74c1347 - bitcoin/bitcoin#8167 - 7e7eb27 - ad38204 - b676f38 - bitcoin/bitcoin#7776 - f063863 - bitcoin/bitcoin#7424 - a81c87f ~ we already partly applied - a8ce872 - f3d3eaf ~ we already partly applied - 475813b - ~~cd27bf5~~ X we already applied - bitcoin/bitcoin#7060 - 3b468a0 ~ we removed doc/gitian-building.md - ~~99fda26~~ X we removed doc/gitian-building.md - bitcoin/bitcoin#7251 - fa09562 - bitcoin/bitcoin#6900 - ~~2cecb24~~ X we removed doc/gitian-building.md - 957c0fd - 2e31d74 - ~~0b416c6~~ X we removed QT - 9f251b7 - bitcoin/bitcoin#6854 - 579b863 ~ we already partly applied Part of #540
These are changes I needed to get gitian building to work with a fresh Debian 8.2 VM, which is the version we tell to use.
Also needed a change to gitian: devrandom/gitian-builder#105
[skip ci]