CI documentation

cc50e17a · Bob Mottram · 43b06d45 · cc50e17a
Commit cc50e17a authored 6 years ago by Bob Mottram
--- a/website/EN/devguide_ci.html
+++ b/website/EN/devguide_ci.html
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<title>Freedombone</title>
+<!-- 2018-10-08 Mon 12:19 -->
+<meta  http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta  name="generator" content="Org-mode" />
+<meta  name="author" content="Bob Mottram" />
+<meta  name="description" content="Freedombone developers guide"
+ />
+<meta  name="keywords" content="freedombone, developers" />
+<style type="text/css">
+ <!--/*--><![CDATA[/*><!--*/
+  .title  { text-align: center; }
+  .todo   { font-family: monospace; color: red; }
+  .done   { color: green; }
+  .tag    { background-color: #eee; font-family: monospace;
+            padding: 2px; font-size: 80%; font-weight: normal; }
+  .timestamp { color: #bebebe; }
+  .timestamp-kwd { color: #5f9ea0; }
+  .right  { margin-left: auto; margin-right: 0px;  text-align: right; }
+  .left   { margin-left: 0px;  margin-right: auto; text-align: left; }
+  .center { margin-left: auto; margin-right: auto; text-align: center; }
+  .underline { text-decoration: underline; }
+  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
+  p.verse { margin-left: 3%; }
+  pre {
+    border: 1px solid #ccc;
+    box-shadow: 3px 3px 3px #eee;
+    padding: 8pt;
+    font-family: monospace;
+    overflow: auto;
+    margin: 1.2em;
+  }
+  pre.src {
+    position: relative;
+    overflow: visible;
+    padding-top: 1.2em;
+  }
+  pre.src:before {
+    display: none;
+    position: absolute;
+    background-color: white;
+    top: -10px;
+    right: 10px;
+    padding: 3px;
+    border: 1px solid black;
+  }
+  pre.src:hover:before { display: inline;}
+  pre.src-sh:before    { content: 'sh'; }
+  pre.src-bash:before  { content: 'sh'; }
+  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
+  pre.src-R:before     { content: 'R'; }
+  pre.src-perl:before  { content: 'Perl'; }
+  pre.src-java:before  { content: 'Java'; }
+  pre.src-sql:before   { content: 'SQL'; }
+
+  table { border-collapse:collapse; }
+  caption.t-above { caption-side: top; }
+  caption.t-bottom { caption-side: bottom; }
+  td, th { vertical-align:top;  }
+  th.right  { text-align: center;  }
+  th.left   { text-align: center;   }
+  th.center { text-align: center; }
+  td.right  { text-align: right;  }
+  td.left   { text-align: left;   }
+  td.center { text-align: center; }
+  dt { font-weight: bold; }
+  .footpara:nth-child(2) { display: inline; }
+  .footpara { display: block; }
+  .footdef  { margin-bottom: 1em; }
+  .figure { padding: 1em; }
+  .figure p { text-align: center; }
+  .inlinetask {
+    padding: 10px;
+    border: 2px solid gray;
+    margin: 10px;
+    background: #ffffcc;
+  }
+  #org-div-home-and-up
+   { text-align: right; font-size: 70%; white-space: nowrap; }
+  textarea { overflow-x: auto; }
+  .linenr { font-size: smaller }
+  .code-highlighted { background-color: #ffff00; }
+  .org-info-js_info-navigation { border-style: none; }
+  #org-info-js_console-label
+    { font-size: 10px; font-weight: bold; white-space: nowrap; }
+  .org-info-js_search-highlight
+    { background-color: #ffff00; color: #000000; font-weight: bold; }
+  /*]]>*/-->
+</style>
+<link rel="stylesheet" type="text/css" href="freedombone.css" />
+<script type="text/javascript">
+/*
+@licstart  The following is the entire license notice for the
+JavaScript code in this tag.
+
+Copyright (C) 2012-2013 Free Software Foundation, Inc.
+
+The JavaScript code in this tag is free software: you can
+redistribute it and/or modify it under the terms of the GNU
+General Public License (GNU GPL) as published by the Free Software
+Foundation, either version 3 of the License, or (at your option)
+any later version.  The code is distributed WITHOUT ANY WARRANTY;
+without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.
+
+As additional permission under GNU GPL version 3 section 7, you
+may distribute non-source (e.g., minimized or compacted) forms of
+that code without the copy of the GNU GPL normally required by
+section 4, provided you include this license notice and a URL
+through which recipients can access the Corresponding Source.
+
+
+@licend  The above is the entire license notice
+for the JavaScript code in this tag.
+*/
+<!--/*--><![CDATA[/*><!--*/
+ function CodeHighlightOn(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(null != target) {
+     elem.cacheClassElem = elem.className;
+     elem.cacheClassTarget = target.className;
+     target.className = "code-highlighted";
+     elem.className   = "code-highlighted";
+   }
+ }
+ function CodeHighlightOff(elem, id)
+ {
+   var target = document.getElementById(id);
+   if(elem.cacheClassElem)
+     elem.className = elem.cacheClassElem;
+   if(elem.cacheClassTarget)
+     target.className = elem.cacheClassTarget;
+ }
+/*]]>*///-->
+</script>
+</head>
+<body>
+<div id="preamble" class="status">
+<a name="top" id="top"></a>
+</div>
+<div id="content">
+<h1 class="title">Freedombone</h1>
+
+<div class="figure">
+<p><img src="images/logo.png" alt="logo.png" width="80%" height="10%" align="center" />
+</p>
+</div>
+
+<div id="outline-container-sec-1" class="outline-2">
+<h2 id="sec-1">Developers Guide</h2>
+<div class="outline-text-2" id="text-1">
+<div class="center">
+<table border="-1" cellspacing="0" cellpadding="6" rules="groups" frame="hsides">
+
+
+<colgroup>
+<col  class="left" />
+</colgroup>
+<tbody>
+<tr>
+<td class="left"><i>Why Rock64</i></td>
+</tr>
+
+<tr>
+<td class="left"><a href="#sec-1-2">Inventory</a></td>
+</tr>
+
+<tr>
+<td class="left"><a href="#sec-1-3">Setup of image</a></td>
+</tr>
+
+<tr>
+<td class="left"><a href="#sec-1-4">Install Freedombone build tools</a></td>
+</tr>
+
+<tr>
+<td class="left"><a href="#sec-1-5">Setup the CI system</a></td>
+</tr>
+</tbody>
+</table>
+</div>
+
+<p>
+What follows are instructions for how to set up a Rock64 ARM board to do continuous builds of <a href="https://freedombone.net">Freedombone</a> images. At present this only works for ARM images, since some Debian packages are only available for x86.
+</p>
+</div>
+
+<div id="outline-container-sec-1-1" class="outline-3">
+<h3 id="sec-1-1">Why Rock64?</h3>
+<div class="outline-text-3" id="text-1-1">
+<p>
+It's cheap. It has a reasonably powerful CPU which isn't vulnerable to spectre. You can get a version of it with 4GB RAM.
+</p>
+
+<p>
+The down side is that like all 64bit ARM boards currently it has proprietary boot blobs (see <a href="https://github.com/ayufan-rock64/rkbin">Rockchip firmware</a>). There isn't really any escaping from that at present. This system won't be especially security sensitive and will usually only be available within the local network.
+</p>
+
+<p>
+Having a fairly powerful CPU means that it can build multi-gigabyte images within a reasonable amount of time, rather than taking days as it would on slower systems. And being an ARM board electrical power consumption is still low, so it's not going to put much of a ding in anyone's solarpunk energy budget.
+</p>
+</div>
+</div>
+
+<div id="outline-container-sec-1-2" class="outline-3">
+<h3 id="sec-1-2">Inventory</h3>
+<div class="outline-text-3" id="text-1-2">
+<p>
+The hardware you'll need is:
+</p>
+
+<ul class="org-ul">
+<li>Rock64 (preferably not the Pro version which is Spectre vulnerable)
+</li>
+<li>SSD
+</li>
+<li>USB3 to SATA adaptor
+</li>
+<li>5v 2-3A Mains power supply with 3.5mm barrel plug
+</li>
+<li>Cat5/6 ethernet patch cable
+</li>
+</ul>
+
+<p>
+A 64GB SSD is about the smallest you can get away with if you want to build all of the images. If you just want to build one or two images then you could go lower than that.
+</p>
+
+<p>
+In the below image there's also an Atheros wifi dongle plugged in, but you don't need that for the this system.
+</p>
+
+
+<div class="figure">
+<p><img src="images/rock64_ci.jpg" alt="rock64_ci.jpg" width="50%" align="center" />
+</p>
+</div>
+</div>
+</div>
+
+<div id="outline-container-sec-1-3" class="outline-3">
+<h3 id="sec-1-3">Setup of image</h3>
+<div class="outline-text-3" id="text-1-3">
+<p>
+Download the SPI flash utility and copy it to a microSD card, replacing /dev/sdX with the drive corresponding to the microSD.
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">wget https://github.com/ayufan-rock64/linux-u-boot/releases/download/2017.09-rockchip-ayufan-1033-gdf02018479/u-boot-flash-spi-rock64.img.xz
+unxz u-boot-flash-spi-rock64.img.xz
+sudo dd bs=1M if=u-boot-flash-spi-rock64.img of=/dev/sdX conv=fdatasync,sync,noerror
+</pre>
+</div>
+
+<p>
+Now you will need to obtain the debian stretch image for the Rock64 and copy it to the SSD. There are various ways to do this. If you have a desktop machine you can connect the SSD that way, or you can use the USB to SATA adaptor with a laptop. Replace /dev/sdX with the drive for the SSD.
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">image_version='0.7.8'
+image_build_version=1061
+wget https://github.com/ayufan-rock64/linux-build/releases/download/$image_version/stretch-minimal-rock64-$image_version-$image_build_version-arm64.img.xz
+unxz stretch-minimal-rock64-$image_version-$image_build_version-arm64.img.xz
+sudo dd bs=1M if=stretch-minimal-rock64-$image_version-$image_build_version-arm64.img of=/dev/sdX conv=fdatasync,sync,noerror
+</pre>
+</div>
+
+<p>
+Plug the microSD card into the Rock64.
+</p>
+
+<p>
+Connect the SSD via the adaptor and plug it into the USB3 socket.
+</p>
+
+<p>
+Connect the Rock64 to your internet router using the ethernet cable.
+</p>
+
+<p>
+Plug in the power lead.
+</p>
+
+<p>
+You will notice the white LED blink off and then on again for one second.
+</p>
+
+<p>
+Now the SPI has been flashed. Unplug the power and remove the microSD card.
+</p>
+
+<p>
+Reconnect the power. The board should now boot from the SSD.
+</p>
+
+<p>
+From another system - maybe your laptop - login with:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">ssh rock64@rock64
+</pre>
+</div>
+
+<p>
+username: rock64
+password: rock64
+</p>
+
+<p>
+Then change the password:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">passwd
+</pre>
+</div>
+
+<p>
+Set an ssh key to login with, which is more secure than using a password:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">mkdir ~/.ssh
+nano ~/.ssh/authorized_keys
+</pre>
+</div>
+
+<p>
+Paste in your ssh public key and save.
+</p>
+
+<p>
+Then disable password logins.
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">sudo su
+nano /etc/ssh/ssh_config
+</pre>
+</div>
+
+<p>
+Uncomment and set:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">ForwardX11 no
+PasswordAuthentication no
+</pre>
+</div>
+
+<p>
+Now update the system:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">apt-get update
+apt-get upgrade
+</pre>
+</div>
+
+<p>
+Install the basic packages you'll need. Possibly you might want vim instead of emacs, or just stick with nano.
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">apt-get install git build-essential nginx python-xmpp emacs man unattended-upgrades xz-utils apt-listchanges
+</pre>
+</div>
+
+<p>
+To avoid possible attacks where the adversary knows the default ssh host keys, regenerate them as follows:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">rm -f /etc/ssh/ssh_host_*
+dpkg-reconfigure openssh-server
+awk '$5 &gt; 2000' /etc/ssh/moduli &gt; ~/moduli
+mv ~/moduli /etc/ssh/moduli
+systemctl restart ssh
+</pre>
+</div>
+
+<p>
+Then reboot
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">reboot
+</pre>
+</div>
+</div>
+</div>
+
+<div id="outline-container-sec-1-4" class="outline-3">
+<h3 id="sec-1-4">Install Freedombone build tools</h3>
+<div class="outline-text-3" id="text-1-4">
+<p>
+Prepare your system to make freedombone images:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">cd ~/
+git clone https://code.freedombone.net/bashrc/freedombone
+cd ~/freedombone
+git checkout stretch
+sudo make install
+freedombone-image --setup debian
+</pre>
+</div>
+</div>
+</div>
+
+<div id="outline-container-sec-1-5" class="outline-3">
+<h3 id="sec-1-5">Setup the CI system</h3>
+<div class="outline-text-3" id="text-1-5">
+<p>
+If you just want to test the system with a single build then run:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">sudo freedombone-ci setuptest
+</pre>
+</div>
+
+<p>
+Otherwise to install the full build system:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">sudo freedombone-ci setup
+</pre>
+</div>
+
+<p>
+To view build results in a non-Tor browser navigate to <a href="http://rock64">http://rock64</a>. Selecting the icon on the left side of the page will go to the downloads section so that you can download images.
+</p>
+</div>
+</div>
+</div>
+</div>
+<div id="postamble" class="status">
+
+<style type="text/css">
+.back-to-top {
+    position: fixed;
+    bottom: 2em;
+    right: 0px;
+    text-decoration: none;
+    color: #000000;
+    background-color: rgba(235, 235, 235, 0.80);
+    font-size: 12px;
+    padding: 1em;
+    display: none;
+}
+
+.back-to-top:hover {
+    background-color: rgba(135, 135, 135, 0.50);
+}
+</style>
+
+<div class="back-to-top">
+<a href="#top">Back to top</a> | <a href="mailto:bob@freedombone.net">E-mail me</a>
+</div>
+</div>
+</body>
+</html>