Re: HEADS-UP: dpb changes

[Marc Espie]

On Sun, May 10, 2015 at 08:16:05AM -0400, RD Thrush wrote:
 x6v64:build/packages 531cat dpb_hosts.amd64
 DEFAULT timeout=10 build_user=dpb memory=200M stuck=1000 fetch_user=dpb_fetch 
 log_user=dpb_log arch=amd64
 STARTUP=/home/rd/OpenBSD/build/packages/dpb_start
 dpb@localhost stuck=2000 memory=1G sf=1 jobs=1 arch=amd64
 x6v64:build/packages 532cat dirlist.amd64
 databases/p5-ldap
 x6v64:build/packages 533cat pkg_info-qPa.all
 databases/p5-ldap

This got changed late in the game. You have to specify
FETCH_USER
LOG_USER
UNPRIV_USER
as defines, not default stuff now.


my current hosts file contains:

STARTUP=/usr/ports/cleanup
UNPRIV_USER=dpbcheck
FETCH_USER=fetchuser
LOG_USER=espie
DIRMODE=0770
DEFAULT jobs=12 parallel=4 build_user=pbuild0 dirmode=0770 chroot=/build
localhost
openbsd-2
openbsd-3
COLOR=1
FETCH_JOBS=8

and I'm usually running dpb with 0 options.

Re: HEADS-UP: dpb changes

[RD Thrush]

On 05/01/15 16:10, Marc Espie wrote:
 I've worked hard to allow for dpb to work in a new model, most specifically
 so that chroot always works, and also to have a slightly better security 
 model.

Thanks for this large improvement.  I have struggled w/ the previous chroot 
model as I wanted to use stable boxes with idle cycles but did not want to 
compromise their working state.

 The corresponding code and documentation have been committed, but they
 probably need people to play with it a bit more to make sure all kinks
 are gone.
 
 There are some important implications with respect to ports bulk building
 security.
 
 In the new model, dpb no longer requires any kind of sudo operation, it's
 moved to a privilege separation model.
 
 - dpb should be started as root, it will drop privileges as needed.
 - the basic core of dpb runs as root, but any time it's actually looking
 at the ports tree, it will drop to a build_user (which has to be specified).
 This user does not require any root access.
 - dpb will stay root to run the STARTUP script, and also to run 
 pkg_add/pkg_delete   to handle dependencies.
 - fetch can be run as a separate user (thus, the build_user shouldn't even
 have internet access under normal rules).
 
 
 Commands in the ports tree will actually be run as
 chroot -u build_user /somedir cmd
 
 Thus, all builds are chrooted by default with / being used as a root when
 there's no chroot.
 
 Distant buils will ssh from root to root, and run the same command
 (chroot -u build_user /somedir cmd)
 on the distant host.
 
 This is somewhat necessary so that killing dpb will correctly propagate
 signals to all running jobs, which has been an issue with previous attempts
 at running chroot.
 
 That new user model  is probably going to become the ONLY operating model
 of dpb in the near future. Having options suck and is a problem for
 maintenance and security.
 
 People running bulks should transition as soon as they can. The manpage
 mentions which files belong to whom. It is highly advisable to have a
 specific build user without sudo rights and (possibly) restricted net
 access.

While I haven't been successful w/ a partial build, I was able to do a 
successful fetch for my partial build.

With the latest changes today, I thought it was time to make a report.

I've created accounts for dpb, dpb_fetch and dpb_log on the relevant boxes 
sharing the same gid.
x6v64:build/packages 522grep ^dpb /etc/passwd
dpb:*:1100:1100:dpb build user:/home/dpb:/bin/ksh
dpb_fetch:*:1101:1100:dpb fetch user:/home/dpb_fetch:/bin/ksh
dpb_log:*:1102:1100:dpb log user:/home/dpb_log:/bin/ksh
x6v64:build/packages 523grep ^dpb /etc/group
dpb:*:1100:

I use a wrapper and script the session.  Here's what I see targetting just the 
localhost:
x6v64:build/packages 524$TIME sudo ./Do_dpb-without-a8v -l -v dirlist.$(arch 
-s);exit
PACKAGE_REPOSITORY /nas3/work/OpenBSD/packages
  BULK_COOKIES_DIR /nas3/work/OpenBSD/x6v64/bulk/amd64
UPDATE_COOKIES_DIR /nas3/work/OpenBSD/x6v64/update/amd64
LOGGER_DIR /usr/obj/amd64/logs
rm -f /nas3/work/OpenBSD/x6v64/bulk/amd64/*
rm -f /nas3/work/OpenBSD/x6v64/update/amd64/*
rm -f /usr/obj/amd64/logs/term-report.log /usr/obj/amd64/logs/debug.log
OPTS=-L /usr/obj/amd64/logs -s -A amd64 -c -R -U -J 0 -X 
/home/rd/OpenBSD/build/packages/pkg_info-qPa.all -h 
/home/rd/OpenBSD/build/packages/dpb_hosts.amd64 -f 8 -D SYSLOG
/usr/bin/time sudo /usr/ports/infrastructure/bin/dpb -L /usr/obj/amd64/logs -s 
-A amd64 -c -R -U -J 0 -X /home/rd/OpenBSD/build/packages/pkg_info-qPa.all -h 
/home/rd/OpenBSD/build/packages/dpb_hosts.amd64 -f 8 -D SYSLOG -P dirlist.amd64
Too early at /usr/ports/infrastructure/lib/DPB/Logger.pm line 33.
DPB::Logger::new(DPB::Logger, DPB::State=HASH(0xc4e35c64670)) called at 
/usr/ports/infrastructure/lib/DPB/State.pm line 143
DPB::State::handle_options(DPB::State=HASH(0xc4e35c64670)) called at 
/usr/ports/infrastructure/bin/dpb line 145
0.84 real 0.45 user 0.13 sys
6.17 real 0.93 user 0.68 sys

Here's more info related to the above invocation:
x6v64:build/packages 531cat dpb_hosts.amd64
DEFAULT timeout=10 build_user=dpb memory=200M stuck=1000 fetch_user=dpb_fetch 
log_user=dpb_log arch=amd64
STARTUP=/home/rd/OpenBSD/build/packages/dpb_start
dpb@localhost stuck=2000 memory=1G sf=1 jobs=1 arch=amd64
x6v64:build/packages 532cat dirlist.amd64
databases/p5-ldap
x6v64:build/packages 533cat pkg_info-qPa.all
databases/p5-ldap

After the above, there are no file updates in the $LOGGER_DIR although 
ownership and perms seem ok:
x6v64:build/packages 535ls -ld /usr/obj/amd64/logs
drwxrwxrwx  6 rd  dpb  1024 May 10 07:22 /usr/obj/amd64/logs

I've collected the syslog debug level and don't see any clues (/usr  
/usr/local are separate partitions mounted read-only so the dpb_start script 
makes them read-only and results in the following sudo mount entries):
x6v64:build/packages 536cat /var/log/debug
May 10 07:41:19 x6v64 syslogd: start
May 

HEADS-UP: dpb changes

[Marc Espie]

I've worked hard to allow for dpb to work in a new model, most specifically
so that chroot always works, and also to have a slightly better security 
model.

The corresponding code and documentation have been committed, but they
probably need people to play with it a bit more to make sure all kinks
are gone.

There are some important implications with respect to ports bulk building
security.

In the new model, dpb no longer requires any kind of sudo operation, it's
moved to a privilege separation model.

- dpb should be started as root, it will drop privileges as needed.
- the basic core of dpb runs as root, but any time it's actually looking
at the ports tree, it will drop to a build_user (which has to be specified).
This user does not require any root access.
- dpb will stay root to run the STARTUP script, and also to run 
pkg_add/pkg_delete   to handle dependencies.
- fetch can be run as a separate user (thus, the build_user shouldn't even
have internet access under normal rules).


Commands in the ports tree will actually be run as
chroot -u build_user /somedir cmd

Thus, all builds are chrooted by default with / being used as a root when
there's no chroot.

Distant buils will ssh from root to root, and run the same command
(chroot -u build_user /somedir cmd)
on the distant host.

This is somewhat necessary so that killing dpb will correctly propagate
signals to all running jobs, which has been an issue with previous attempts
at running chroot.

That new user model  is probably going to become the ONLY operating model
of dpb in the near future. Having options suck and is a problem for
maintenance and security.

People running bulks should transition as soon as they can. The manpage
mentions which files belong to whom. It is highly advisable to have a
specific build user without sudo rights and (possibly) restricted net
access.

dpb changes

[Marc Espie]

A bit of stuff got committed. Now, build statistics get collected
under ${DISTDIR}/build-stats/${ARCH}

(as known as %f/build-stats/%a, since dpb can replace patterns inside
files now).

if you think the location is strange, I expect to, eventually, bootstrap
first run dpbs by asking one of the mirror sites to populate that file.

For now, this build-stats file is smart, using the same techniques as
per global distinfo, so that old stats will eventually vanish.

Expect things to change a bit more over the coming weeks...

One idea is that, now, you could simply zap the logs if you don't need them,
pass no option to dpb at all, and this file would ensure that eventually,
you'd get % for all builds, and also optimized builds from the previous builds.

One major point is that those stats don't have to be perfect, but just good
enough to direct dpb to build big stuff first.

dpb changes, summary

[Marc Espie]

Since my commit messages are probably a bit obscure, here's a small progress
report.

- fixed a bug that would make dpb loop if it were not happy with some
listing
- fixed a few display bugs. dpb had a problem with display containing
empty lines... not any more !
- distinguish between default and empty flavors. All error messages related
to avahi, xscreensaver... should be gone.
- ditched the P/I distinction. Some code gone, simpler stuff.
- distinguish between our errors and other random locks so that...
- in case of an error, rescan the affected directory when the lock gets
removed. YES, this does pick up revision bumps and other meta-info changes.
- create errors in case scanning doesn't grok directories. So, yes, you
can fix cvs update errors, remove the lock and it will pick it up.
- in case prepare fails, try depend anyways. Lightweight fix for the
ImageMagick build.

Not done yet:
- stop/resume control over each host
- devel/haddock,no_deps still shows up. Requires a full build to test that
I know how to kill that...

Re: dpb changes, summary

[Landry Breuil]

On Thu, Oct 28, 2010 at 01:43:57PM +0200, Marc Espie wrote:
 Since my commit messages are probably a bit obscure, here's a small progress
 report.
 
 - fixed a bug that would make dpb loop if it were not happy with some
 listing
 - fixed a few display bugs. dpb had a problem with display containing
 empty lines... not any more !
 - distinguish between default and empty flavors. All error messages related
 to avahi, xscreensaver... should be gone.
 - ditched the P/I distinction. Some code gone, simpler stuff.
 - distinguish between our errors and other random locks so that...
 - in case of an error, rescan the affected directory when the lock gets
 removed. YES, this does pick up revision bumps and other meta-info changes.

For the people using dpb, it means you can now apply diffs containing
fixes and a revision bump for a port and dpb will cope with it. So far
you had to apply diffs and manually remove the revision bump..

Landry