Commit b919cc33 authored by Mike Hibler's avatar Mike Hibler

Instructions for setting up a ZFS-based git repo serving jail.

Though we are not currently using the jail...
parent b865e08a
A. How to setup update the genilib-jail environment.
A. How to setup and update the genilib-jail and git-profile-jail environments.
We use a combination of iocage and our own hand-rolled script to efficiently
spawn up environments in which we can interpret geni-lib scripts. Right now
we only have to do this at Utah, but down the road, if other sites start
running their own portal, this will be needed.
We also use a persistant jail for caching "git-based profile" repos. It
doesn't need genilib stuff, just git, but we just roll it all into the same
setup (and FreeBSD package) cuz, ya know, who doesn't want git!
0. Convert your ops node to using ZFS.
Ugh.
......@@ -18,10 +22,6 @@ running their own portal, this will be needed.
iocage fetch release=10.2-RELEASE
iocage create -c release=10.2-RELEASE tag=py-cage-new
# if you want to be able to start it up with IP addr
iocage set ip4_addr='ix0|155.98.33.87' py-cage-new
iocage set host_hostname='py-cage-new.emulab.net' py-cage-new
iocage set compression=off py-cage-new
iocage set quota=10G py-cage-new
......@@ -58,6 +58,120 @@ B. Updating your iocage:
1. Fetch the appropriate release:
sudo iocage fetch release=10.2-RELEASE
iocage fetch release=10.2-RELEASE
2. to be finished...
C. Setting up the git repo cache.
Skip to step 8 if you are only exporting a ZFS to boss (no jail).
Skip step 1 if you already have iocage installed.
Skip step 2 if you already have iocages (e.g., if you have a genilib-jail).
1. Make sure the "iocage" package is installed.
We are using version 1.7.4.
pkg install iocage
echo 'iocage_enable="YES"' >> /etc/rc.conf
2. Load the appropriate release
iocage fetch release=10.2-RELEASE
3. Setup the jail.
iocage create -c release=10.2-RELEASE tag=repo
# Make it network ready
iocage set ip4_addr='xn0|128.110.100.35' repo
iocage set host_hostname='repo.apt.emulab.net' repo
# Override the UUID default for hostname
iocage set hostname='repo.apt.emulab.net' repo
# If not on a flat control network
iocage set defaultrouter=128.110.100.33 repo
# XXX for the git repo jail, you will want a resolver
iocage set resolver='nameserver 128.110.100.4;search apt.emulab.net' repo
# so we can install updates from inside
iocage set securelevel=0 repo
# make it boot at host boot time
iocage set boot=on repo
# tweak our zfs fs
iocage set compression=off repo
iocage set quota=10G repo
4. Make sure sshd starts up and you can login from boss (for our benefit)
cd /iocage/jails/<UUID>/root
mkdir -m 0700 root/.ssh
cp -p /root/.ssh/authorized_keys root/.ssh/
echo 'sshd_enable="YES"' >> etc/rc.conf
echo 'PermitRootLogin without-password' >> etc/ssh/sshd_config
5. Fire it up and apply updates
iocage start repo
sudo ssh repo # from boss
freebsd-update fetch
freebsd-update install
6. Install packages:
sudo ssh repo # from boss
cat > /etc/pkg/Emulab-devel.conf <<EOF
Emulab-devel: {
url: "https://www.emulab.net/FreeBSD/10.2-devel/packages",
mirror_type: NONE,
enabled: yes
}
EOF
pkg install ca_root_nss
pkg install -r Emulab-devel emulab-genilib
# XXX til I update the above package
pkg install -r Emulab-devel git
7. Take care of some riff-raff
sudo ssh repo # from boss
# symlinks we use
ln -sf python2.7 /usr/local/bin/python2
ln -sf python2.7 /usr/local/bin/python
# if perl is loaded
ln -sf /usr/local/bin/perl5 /usr/bin/perl
8. Create and attach a ZFS for the repos.
zfs create -o quota=50G -o mountpoint=/repos -o sharenfs=off z/git-repos
Add to ops:/etc/exports.head:
/repos boss.apt.emulab.net -maproot=root
Add to boss:/etc/fstab:
fs.apt.emulab.net:/repos /repos nfs rw,tcp,soft,-b,nosuid,late 0 0
then do:
exports_setup
mkdir /repos
mount /repos
If you have a jail, add to ops:/etc/fstab:
/repos /iocage/jails/161ff0bb-d210-11e6-8598-09c38a1965bd/root/repos nullfs rw,late 0 0
and:
mount /iocage/jails/161ff0bb-d210-11e6-8598-09c38a1965bd/root/repos
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment