That's pretty much my plan, find a way to get schroot to interface with LXC (or just unshare the netns directly). Need something a bit more clever than just blocking access completely though since you still want to grab the build-depends, but passing a socket to a small proxy would be a way, creating a veth pair would be another (and using iptables to block non-archive traffic).
On Tue, Oct 22, 2013 at 11:33:19AM +1300, Robert Collins wrote:
> Cool. Using lxc rather than a chroot will let you cut internet off hard :)
>
> -Rob
>
> On 22 October 2013 03:31, Stéphane Graber <stgra...@ubuntu.com> wrote:
> > Hey everyone,
> >
> > With trusty now open, I uploaded a tool I've been using for a few months
> > now.
> >
> > It's called sbuild-launchpad-chroot and pretty much does exactly what
> > the name says.
> >
> > The package contains 3 things:
> > - 1 tool to create/update/delete sbuild chroots
> > - 1 schroot hook to update the chroot at the beginning of a build
> > - 1 schroot hook to generate the right sources.list for the build
> >
> > That last hook was written by Andy Whitcroft and some of you may already
> > be using it.
> >
> > With the package installed, you can then do:
> > sudo sbuild-launchpad-chroot create -n trusty-amd64-sbuild -s trusty -a amd64
> >
> > This will define a new chroot in schroot called trusty-amd64-sbuild, set
> > some extra launchpad.* options for the series and architecture on
> > Launchpad, download the current Launchpad chroot and also set up the
> > following aliases:
> > - trusty-security-amd64-sbuild
> > - trusty-security+main-amd64-sbuild
> > - trusty-security+restricted-amd64-sbuild
> > - trusty-security+universe-amd64-sbuild
> > - trusty-security+multiverse-amd64-sbuild
> > - trusty-updates-amd64-sbuild
> > - trusty-updates+main-amd64-sbuild
> > - trusty-updates+restricted-amd64-sbuild
> > - trusty-updates+universe-amd64-sbuild
> > - trusty-updates+multiverse-amd64-sbuild
> > - trusty-proposed-amd64-sbuild
> > - trusty-proposed+main-amd64-sbuild
> > - trusty-proposed+restricted-amd64-sbuild
> > - trusty-proposed+universe-amd64-sbuild
> > - trusty-proposed+multiverse-amd64-sbuild
> >
> > Once done, you can then trigger a build with something like:
> > sbuild --dist=trusty --arch=amd64 -c trusty-proposed+restricted-amd64-sbuild <dsc>
> >
> > This will print the following:
> > I: 01launchpad-chroot: [trusty-amd64-sbuild] Processing config
> > I: 01launchpad-chroot: [trusty-amd64-sbuild] Already up to date.
> > I: 90apt-sources: setting apt pockets to 'release security updates proposed' in sources.list
> > I: 90apt-sources: setting apt components to 'main restricted' in sources.list
> >
> > Confirming that the hook has checked the chroot currently matches with
> > what Launchpad uses and telling you that the sources.list in the build
> > environment contains all the pockets (but backports) and the main and
> > restricted components.
> >
> >
> > In theory the only noticeable difference between a build environment
> > created by sbuild-launchpad-chroot and the real thing is that you'll
> > have internet connectivity from inside the chroot (but I'm working on
> > also emulating that part of the LP build environment) and that you'll be
> > running with a newer version of sbuild than what's used on the real
> > buildds.
> >
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> >
> > --
> > ubuntu-devel mailing list
> > ubuntu-devel@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
> >
> >
> >
> --
> Robert Collins <rbtcoll...@hp.com>
> Distinguished Technologist
> HP Converged Cloud

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
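The "unshare the netns, veth pair, iptables to block non-archive traffic" approach sketched at the top of the reply, as an added example that is not code from the thread or from sbuild-launchpad-chroot. The namespace and interface names, the 10.200.1.0/30 link subnet, the mirror and resolver addresses, and the wrapper name sbuild-netns.sh are all assumptions; the chroot name and sbuild options are the ones from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread or from sbuild-launchpad-chroot.
# Assumed names: namespace "sbuild-ns", veth pair "sb-host"/"sb-guest",
# link subnet 10.200.1.0/30; mirror and resolver IPs are passed as arguments.

# Emit the iptables FORWARD rules for the host end of the veth pair: the
# namespace may reach only the archive mirror over HTTP and the resolver over
# DNS; every other new flow is logged and dropped.
archive_only_rules() {
    host_if="$1"    # host-side veth interface
    mirror_ip="$2"  # archive mirror IP (resolve the hostname once, up front)
    dns_ip="$3"     # resolver the chroot is allowed to query
    printf '%s\n' \
      "iptables -A FORWARD -i $host_if -d $mirror_ip -p tcp --dport 80 -j ACCEPT" \
      "iptables -A FORWARD -i $host_if -d $dns_ip -p udp --dport 53 -j ACCEPT" \
      "iptables -A FORWARD -o $host_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $host_if -j LOG --log-prefix 'sbuild-egress-drop: '" \
      "iptables -A FORWARD -i $host_if -j DROP"
}

# Number of rules emitted, handy for a sanity check before applying them.
rule_count() { archive_only_rules "$@" | wc -l | tr -d ' '; }

# Create the namespace, wire the veth pair through NAT, apply the rules and
# run sbuild inside the namespace. Needs root.
setup_and_build() {
    mirror_ip="$1"; dns_ip="$2"; dsc="$3"; ns=sbuild-ns
    ip netns add "$ns"
    ip link add sb-host type veth peer name sb-guest
    ip link set sb-guest netns "$ns"
    ip addr add 10.200.1.1/30 dev sb-host && ip link set sb-host up
    ip netns exec "$ns" ip addr add 10.200.1.2/30 dev sb-guest
    ip netns exec "$ns" ip link set sb-guest up
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" ip route add default via 10.200.1.1
    sysctl -q -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s 10.200.1.0/30 -j MASQUERADE
    archive_only_rules sb-host "$mirror_ip" "$dns_ip" | sh -e
    # The build now only sees the mirror and resolver; anything else it
    # tries to reach shows up in the kernel log with the sbuild-egress-drop prefix.
    ip netns exec "$ns" sbuild --dist=trusty --arch=amd64 -c trusty-amd64-sbuild "$dsc"
}

# Usage: sbuild-netns.sh <mirror-ip> <resolver-ip> <package.dsc>
if [ "$#" -eq 3 ]; then
    setup_and_build "$@"
fi
```

The LOG rule before the DROP is what makes the isolation checkable: a build that fetches anything outside the archive leaves a line in the kernel log instead of silently succeeding.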