Here you go ...

[pittagurneyi]

vyos-build repo

I would like to spare you some of the pain I went through:

equuleus.tar.txt
sagitta.tar.txt
current.tar.txt

Adjust the parts marked with TODO to match your system!

In theory you can apply them with git am if I recall correctly, but as I've removed some stuff from the headers, you might need to use patch instead.

vyos-strongswan repo

Clone the vyos-strongswan repo and apply this patch for the equuleus branch:

diff --git a/Jenkinsfile b/Jenkinsfile
index 46c680430..4c5eda8ec 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,6 +21,8 @@
 
 // Start package build using library function from https://github.com/c-po/vyos-build
 def buildCmd = """ 
+sudo apt-get update
+sudo apt-get install -y libcurl4-openssl-dev
 dpkg-buildpackage -b -us -uc -tc
 autoreconf -i
 ./configure --enable-python-eggs

vyos-xe-guest-utilities repo

Furthermore the vyos-xe-guest-utilities repo has no sagitta branch, create it by copying the equuleus one.

Jenkins

Jenkins Global Configuration

• Manage -> System -> Shell executable: /bin/bash
• Manage -> System -> Environment Variables:
  • BASH_ENV: /home/vyos_bld/.profile
  • ENV: /home/vyos_bld/.profile
  • APTREPO_FULLPATH_ON_WEBSERVER: /home/sentrium/web/dev.packages.vyos.net/public_html/repositories
  • ARM64_BUILD_DISABLED: true
  • DOCKER_REGISTRY_URL: https://yours-here:5000
  • ISOSTORE_FULLPATH_ON_WEBSERVER: ~/web/dev.packages.vyos.net/public_html/isos

Create the directories beforehand, otherwise it will probably fail.

Remember that docker containers don't inherit the /etc/hosts of the host system, so when DNS names are used a DNS server must have the records.

For the following special configuration is required:

• vyos-build-docker
  • Jenkinsfile: Jenkinsfile.docker
• vyos-cloud-init
  • Advanced Clone Behavior: Fetch Tags active
• vyos-1x
  • Advanced Clone Behavior: Fetch Tags active

I'm using the Git Filter by name (with wildcards) behaviour with Include set to * and Exclude to:

t*-* T*-* */* *feature* *patch* *PR* crux master

Jenkins Plugins

Jenkins Plugins I installed:

• Docker plugin
• Docker Pipeline
• AWS Credentials
• Copy Artifacts
• SSH Agent
• Pipeline Utility Steps
• Pipeline: AWS Steps (provides withAWS)
• View Job Filters

Added also, though only 3-4 of these manually selected, the rest are dependencies, don't know if required or not:

• Config File Provider
• External Monitor Job Type
• Run Condition
• Oracle Java SE Development Kit Installer
• SSH server
• Command Agent Launcher
• Infrastructure plugin for Publish Over X
• JSch dependency
• Publish Over SSH
• Loading plugin extensions

Their Package versions

Some versions of packages that they used can't be built now as the dependencies of modules that are pulled in at build time, for example when running go builds, now conflict with older software versions present in the docker build environment.

Jenkinsfile.docker and Jenkinsfile for iso building

You can use the vyos-build's Jenkinsfile.docker as "Jenkinsfile" in a multi-branch project to build the docker vyos-build image. vyos-build's Jenkinsfile builds the iso. It can also be used. Make sure you select the Smoketests. I had quite a hard time to get it to not fail. They will run a long time, i mean plan in 2h+ for an iso + smoketest run.

For me a workstation Xeon platform created nothing but problems with the threading/timing selftests that strongswan runs. Running it on an Epyc platform with all energy savings deactivated the problems were just gone.

Regarding the failures:

current smoketests

fail at TPM stage with No module named 'vyos.util', which is due to the following missing patch to fix a bug:

/usr/libexec/vyos/vyos-config-encrypt.py

-from vyos.util import ask_input
+from vyos.util.io import ask_input

As I have no wish to also clone vyos-utils or vyos-1x or wherever that was a part of, I'll just wait till it is fixed.

sagitta smoketests

Ran fine the last run.

equuleus smoketests

sometimes fail due to:

DEBUG - test_dhcp_vrf (main.BondingInterfaceTest) ... FAIL

https://vyos.dev/T6025
T6025 smoketest: bonding: test fails every once in a while

Happens sometimes, reruns typically have no issues.

Out-of-memory

If the memory of the virtual machines started for smoketests is not big enough, you'll get out-of-memory errors.

Check that the ones I set aren't too high for your system. Also, it starts multiple VMs concurrently, so ... 10G of system memory for the build VM won't be enough. I just set it to 100G, gave it 32 cores and let it run ... No idea what the minimum is. There is also the bit about CPU cores the script detects and cuts in half. That was a bit rough in my case with 32 cores, so I set a hard limit (see patches).

Results

I was able to build both equueleus and sagitta stable images with smoketests succeeding. The equuleus one I installed on a R630 server and ran the smoketest successfully via:

sudo vyos-smoketest |& tee smoketest-$(date +%F-%H%M-%S).log

Java + SSL Truststore

If you want to use SSL you might need to add your root CA to the Java truststore for all jenkins and build vms:

sudo mkdir /usr/local/share/ca-certificates/your-ca
sudo cat <<'EHLO' > /usr/local/share/ca-certificates/your-ca/your-ca.crt
...
EHLO

sudo update-ca-certificates

systemctl restart jenkins

Localstack

Should you think about using localstack as a local AWS repository, stop now. Only the pro version allows for persistent data storage, otherwise everything you upload there is gone after a reboot/restart of localstack.

That is why I switched to ssh for iso upload.

Local docker registry

Both the basic authentication directly via the docker registry nor the nginx and apache2 recipes provided by the documentation have a functioning separation between docker push and pull requests, meaning one can't be unauthenticated while the other requires it. We'll have to disable it or add docker login commands to vars/buildPackages.groove.

I just disabled it.

Jenkins built agent VM

If you use a build agent VM, use SSH to start the agent and not the java .jar thing that Jenkins tells you to. That created some problems for me, though I can't recall what it was at the moment.

Iproute2

Regarding your question about the iproute2 stuff, they have a modified package that adds macsec commands (iirc). Otherwise functionality will be broken and smoketests related to it will fail.

Uncron

Used by the Jenkinsfile ssh commands to trigger reprepro jobs:

apt install opam socat

su - <your-user>

# Yes, modify ~/.profile.
opam init
eval $(opam env --switch=default)
opam install lwt lwt_ppx logs containers
eval $(opam env)

git clone https://github.com/vyos/uncron.git
cd uncron
dune build
exit

cp /home/<your-user>/uncron/_build/install/default/bin/uncron /usr/local/sbin/

# https://github.com/vyos/uncron/blob/main/data/uncron.service
cat <<'EHLO' > /etc/systemd/system/uncron.service
[Unit]
Description=Command Queue Service
After=auditd.service systemd-user-sessions.service time-sync.target

[Service]
EnvironmentFile=/etc/uncron.conf
ExecStart=/usr/local/sbin/uncron
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
User=<ssh-apt-push-user>
Group=<ssh-apt-push-user-group>
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EHLO

touch /etc/uncron.conf

systemctl daemon-reload
systemctl enable --now uncron.service

cp /home/<your-user>/uncron/src/uncron-add /usr/local/bin/
chmod +x /usr/local/bin/uncron-add

Well, I took two solutions you used that were more elegant than mine, I hope you won't mind. Worked them in there in the last two hours while removing hardcoded DNS entries and migrating to more Jenkins environment variables. So far it seems to be working, but that part I haven't tested extensively.

[dd010101]

Nice, that's wild! I will try to look through it and see how did you solve those missing ones. I see you like more "just make it work" than I did!

[pittagurneyi]

Well, it took me quite a few days to get it all running, knowing absolutely nothing about Jenkins or how VyOS is built. So that was a steep learning curve and I just wanted to get things done, because I was running out of time.

[pittagurneyi]

Well they took some packages from the Nvidia networking operating system cumulus, so that is one thing. There is also one package repository in which they don't have the current branch, so you need to build master there, but that is okay, because they have the correct @current library set inside, so it lands correctly.

[dd010101]

Yea, same for me, I didn't know Jenkins week before. I was just using docker to build ISOs - no knowledge about the packages or build system, so a lot learning for me as well.

You did make run like everything, that's crazy! I don't even think about dealing with the "current" or docker-vyos or the vm stuff.

Also it's crazy that vyos requires so many patches to make work! Looks like they just hope they don't need to rebuild what they have I guess since 1/3 is broken...

[pittagurneyi]

Yeah, I'm quite happy it now builds itself and I just have to rebase it :)

Hm, there are some things where I'm unsure whether it is missing knowledge or if those things were left out on-purpose.

For example the go environment variables that they write to ~/.bashrc. It has a filter in there, by debian default, that prevents sourcing the file if run non-interactively, which Jenkins does. So you don't get $PATH or the other environment variables you need for building. That was a hard one to track down. And the bash working regarding that stuff is, like hard...

Go to https://blog.flowblok.id.au/2013-02/shell-startup-scripts.html and scroll to the image under Implementation, then figure out how Jenkins messes with things and how they built their docker build-vm. That is a nightmare.

EDIT: I ended up just removing that check in the docker build process in vyos-build/docker/Dockerfile and adding those two ENV and BASH_ENV environment variables to Jenkins. Also make it run with /bin/bash instead of accidentally with /bin/sh, as started that way it uses POSIX compatible startup mechanics.

[pittagurneyi]

Here is my list of Jenkins projects with the branches that I successfully built. I named the packages in vyos-build/packages as vyos-build-<pkg>:

hvinfo
hvinfo » current
hvinfo » equuleus
hvinfo » sagitta
ipaddrcheck
ipaddrcheck » current
ipaddrcheck » equuleus
ipaddrcheck » sagitta
libnss-mapuser
libnss-mapuser » current
libnss-mapuser » equuleus
libnss-mapuser » sagitta
libnss-tacplus
libnss-tacplus » current
libnss-tacplus » sagitta
libpam-radius-auth
libpam-radius-auth » current
libpam-radius-auth » equuleus
libpam-radius-auth » sagitta
libvyosconfig
libvyosconfig » current
libvyosconfig » equuleus
libvyosconfig » sagitta
live-boot
live-boot » current
live-boot » equuleus
live-boot » sagitta
mdns-repeater
mdns-repeater » equuleus
udp-broadcast-relay
udp-broadcast-relay » current
udp-broadcast-relay » equuleus
udp-broadcast-relay » sagitta
vyatta-bash
vyatta-bash » current
vyatta-bash » equuleus
vyatta-bash » sagitta
vyatta-biosdevname
vyatta-biosdevname » current
vyatta-biosdevname » equuleus
vyatta-biosdevname » sagitta
vyatta-cfg
vyatta-cfg » current
vyatta-cfg » equuleus
vyatta-cfg » sagitta
vyatta-cfg-firewall
vyatta-cfg-firewall » equuleus
vyatta-cfg-qos
vyatta-cfg-qos » equuleus
vyatta-cfg-quagga
vyatta-cfg-quagga » equuleus
vyatta-cfg-system
vyatta-cfg-system » current
vyatta-cfg-system » equuleus
vyatta-cfg-system » sagitta
vyatta-cfg-vpn
vyatta-cfg-vpn » equuleus
vyatta-cluster
vyatta-cluster » equuleus
vyatta-config-mgmt
vyatta-config-mgmt » equuleus
vyatta-conntrack
vyatta-conntrack » equuleus
vyatta-nat
vyatta-nat » equuleus
vyatta-op
vyatta-op » current
vyatta-op » equuleus
vyatta-op » sagitta
vyatta-op-firewall
vyatta-op-firewall » equuleus
vyatta-op-qos
vyatta-op-qos » equuleus
vyatta-op-quagga
vyatta-op-vpn
vyatta-op-vpn » equuleus
vyatta-wanloadbalance
vyatta-wanloadbalance » current
vyatta-wanloadbalance » equuleus
vyatta-wanloadbalance » sagitta
vyatta-zone
vyatta-zone » equuleus
vyos-1x
vyos-1x » current
vyos-1x » equuleus
vyos-1x » sagitta
vyos-build
vyos-build » current
vyos-build » equuleus
vyos-build » sagitta
vyos-build-amazon-cloudwatch-agent
vyos-build-amazon-cloudwatch-agent » current
vyos-build-amazon-cloudwatch-agent » equuleus
vyos-build-amazon-cloudwatch-agent » sagitta
vyos-build-aws-gateway-load-balancer-tunnel-handler
vyos-build-aws-gateway-load-balancer-tunnel-handler » current
vyos-build-aws-gateway-load-balancer-tunnel-handler » sagitta
vyos-build-ddclient
vyos-build-ddclient » current
vyos-build-ddclient » sagitta
vyos-build-docker
vyos-build-docker » current
vyos-build-docker » equuleus
vyos-build-docker » sagitta
vyos-build-dropbear
vyos-build-dropbear » current
vyos-build-dropbear » equuleus
vyos-build-dropbear » sagitta
vyos-build-ethtool
vyos-build-ethtool » current
vyos-build-ethtool » sagitta
vyos-build-frr
vyos-build-frr » current
vyos-build-frr » equuleus
vyos-build-frr » sagitta
vyos-build-hostap
vyos-build-hostap » current
vyos-build-hostap » equuleus
vyos-build-hostap » sagitta
vyos-build-hsflowd
vyos-build-hsflowd » current
vyos-build-hsflowd » sagitta
vyos-build-iproute2
vyos-build-iproute2 » equuleus
vyos-build-isc-dhcp
vyos-build-isc-dhcp » current
vyos-build-isc-dhcp » sagitta
vyos-build-keepalived
vyos-build-keepalived » current
vyos-build-keepalived » equuleus
vyos-build-keepalived » sagitta
vyos-build-linux-kernel
vyos-build-linux-kernel » current
vyos-build-linux-kernel » equuleus
vyos-build-linux-kernel » sagitta
vyos-build-minisign
vyos-build-minisign » equuleus
vyos-build-ndppd
vyos-build-ndppd » current
vyos-build-ndppd » sagitta
vyos-build-netfilter
vyos-build-netfilter » current
vyos-build-netfilter » equuleus
vyos-build-netfilter » sagitta
vyos-build-ocserv
vyos-build-ocserv » equuleus
vyos-build-opennhrp
vyos-build-opennhrp » current
vyos-build-opennhrp » sagitta
vyos-build-openvpn-otp
vyos-build-openvpn-otp » current
vyos-build-openvpn-otp » sagitta
vyos-build-owamp
vyos-build-owamp » current
vyos-build-owamp » sagitta
vyos-build-pam_tacplus
vyos-build-pam_tacplus » current
vyos-build-pam_tacplus » sagitta
vyos-build-pmacct
vyos-build-pmacct » current
vyos-build-pmacct » sagitta
vyos-build-pyhumps
vyos-build-pyhumps » current
vyos-build-pyhumps » sagitta
vyos-build-python3-inotify
vyos-build-python3-inotify » equuleus
vyos-build-radvd
vyos-build-radvd » current
vyos-build-radvd » sagitta
vyos-build-strongswan
vyos-build-strongswan » current
vyos-build-strongswan » sagitta
vyos-build-telegraf
vyos-build-telegraf » current
vyos-build-telegraf » equuleus
vyos-build-telegraf » sagitta
vyos-build-vpp
vyos-build-vpp » current
vyos-build-vpp » equuleus
vyos-build-vpp » sagitta
vyos-build-wide-dhcpv6
vyos-build-wide-dhcpv6 » current
vyos-build-wide-dhcpv6 » equuleus
vyos-build-wide-dhcpv6 » sagitta
vyos-cloud-init
vyos-cloud-init » current
vyos-cloud-init » equuleus
vyos-cloud-init » sagitta
vyos-http-api-tools
vyos-http-api-tools » equuleus
vyos-http-api-tools » master
vyos-http-api-tools » sagitta
vyos-nhrp
vyos-nhrp » equuleus
vyos-opennhrp
vyos-opennhrp » equuleus
vyos-strongswan
vyos-strongswan » equuleus
vyos-user-utils
vyos-user-utils » current
vyos-user-utils » equuleus
vyos-user-utils » sagitta
vyos-utils
vyos-utils » equuleus
vyos-utils » master
vyos-utils » sagitta
vyos-world
vyos-world » current
vyos-world » equuleus
vyos-world » sagitta
vyos-xe-guest-utilities
vyos-xe-guest-utilities » current
vyos-xe-guest-utilities » equuleus
vyos-xe-guest-utilities » sagitta

Make sure you create Views in Jenkins, by default only the "All" view exists, otherwise keeping track of it all is a real problem:

• Name: Failures
  • Job Filter: Subdirectories recursive
  • GitHub Branch Jobs Only
  • Job-Status: Failed, unstable, aborted
• Name: Overview
  • Job Filter: Subdirectories recursive
  • GitHub Branch Jobs Only
  • Select Jobs by regular expression: .*
• Name: Running
  • Job Filter: Subdirectories recursive
  • GitHub Branch Jobs Only
  • Select Jobs by regular expression: .*
  • Build-Status: currently building; Filter type: Exclude non-matching: remove jobs, that don't match this filter

[pittagurneyi]

Well at least we are having fun ;)

[pittagurneyi]

Nice find - I assume the bashrc solution was migrated from old script that was run interactively (or maybe this policy change with debian?).

Nah, that is normal it seems. The problem is that they wrote it to the one file that is hard to source non-interactively. Go look at that nice image in the link I provided.

[pittagurneyi]

VyOS Package Repository

See https://wiki.debian.org/DebianRepository/SetupWithReprepro.

# Used to create a local apt repository index, called via ssh from Jenkins.
apt-get install -y reprepro

sudo useradd -d /home/sentrium -s /bin/bash sentrium
sudo mkdir /home/sentrium
sudo chown sentrium:sentrium /home/sentrium
sudo -u sentrium mkdir -p /home/sentrium/web/dev.packages.vyos.net/public_html/repositories

sudo cat <<'EHLO' > /etc/ssh/sshd_config.d/9999999999user-restriction.conf
AllowUsers sentrium <your-normal-ssh-user>
EHLO

sudo systemctl restart sshd

cd
# Empty passphrase
ssh-keygen -t ed25519 -f sentrium-ssh-key
mkdir -p /home/sentrium/.ssh
cat sentrium-ssh-key.pub > /home/sentrium/.ssh/authorized_keys
chmod 600 /home/sentrium/.ssh/authorized_keys
chown sentrium:sentrium -R /home/sentrium/.ssh


# You need to login as the user directly via SSH, otherwise the TTY
# doesn't belong to the user sentrium and the gpg gen-key command fails
# with no permissions when requesting the password.
ssh sentrium@<vyos-build-host>
# Generate OpenPGP keys for signing packages.
gpg --full-gen-key

# Copy the [E] encryption subkey fingerprint (last one in the list)
# and place it below at "SignWith:".
gpg --list-secret-key --with-subkey-fingerprint

# Grab here for file "vyos-build-pkgs.key.chroot" (need it for the source modification):
gpg --armor --export-options export-minimal --export <key-id>
exit


# Continuing normally
su - sentrium

sigkey="place in here from above ..."
for repo in sagitta crux equuleus current
do
    repopath=~/web/dev.packages.vyos.net/public_html/repositories/"$repo"
    mkdir -p "$repopath"/conf
    cat <<EHLO > "$repopath"/conf/distributions
Origin: <vyos-pkghost-domainname>
Label: <vyos-pkghost-domainname>
Codename: $repo
Architectures: source i386 amd64
Components: main
Description: Apt repository for VyOS $repo
SignWith: $sigkey
EHLO

done

Jenkins -> Manage -> Credentials -> Global -> Add Credentials:

• Type: SSH Username and private key
• ID: SSH-dev.packages.vyos.net
• Username: sentrium
• Private Key: Content of sentrium-ssh-key

Jenkins -> Manage -> Configure -> Global Properties -> Environment Variables -> Add:

(depending on whether you are using DNS or not)

• DEV_PACKAGES_VYOS_NET_HOST: sentrium@<vyos-pkghost-domainname>
• DEV_PACKAGES_VYOS_NET_HOST: sentrium@<ip>

Add nginx site:

cat <<'EHLO' > /etc/nginx/sites-available/pkgs
server {
    listen 80;
    server_name <vyos-pkghost-domainname>;

    # Define the root directory for your static files
    root /home/sentrium/web/dev.packages.vyos.net/public_html;

    # Configure access to static files
    location / {
        autoindex on;
        try_files $uri $uri/ =404;
    }

    location ~ /(.*)/conf {
        deny all;
    }

    location ~ /(.*)/db {
        deny all;
    }

    # Additional configuration options can be added here

    # Define access log and error log locations
    access_log /var/log/nginx/pkgs.access.log;
    error_log /var/log/nginx/pkgs.error.log;

    # Add any other server-specific configurations here

}
EHLO

cd /etc/nginx/sites-enabled && ln -s ../sites-available/pkgs


# Uncomment the following line:
vim /etc/nginx/nginx.conf

server_names_hash_bucket_size 64;


systemctl restart nginx

@dd010101: See above for vyos-build-pkgs.key.chroot which is one of the TODO's.

[pittagurneyi]

@dd010101 may i ask "what" was just deleted? i'd like to know for context ...

[pittagurneyi]

Before I forget, don't think about building by git tags via Jenkins or another way. That leads to problems because the built packages will be put into a repository named according to the git tag, i.e. you get the repository 1.3.7, while most of your packages are in equuleus. That leads to lots of problems. Just see that you build it all when they stop making changes in the LTS repositories. Best chance we have of getting a nice image that is as close to the original as possible.

[pittagurneyi]

Just a note, debian removed the backports for the buster debian version, even from their archive server, somewhere end of April iirc. As a result I had to build some more dependencies sometimes for the equuleus branch, as they weren't any longer available.

[dd010101]

I found this as well with vyos-xe-guest-utilities where they built sagitta package from current branch but their script will try to put it in current... So this is my solution - https://github.com/dd010101/vyos-jenkins?tab=readme-ov-file#uncron :D

There is no way to get replicate of their release since the versions of vyos are basically timestamp of the build. One would need to build the ISO in the time when they do otherwise you have version that is ahead by the time you get to built it from the time they built it. As there is no global tag that would say 1.3.7 has these versions of these repositories, the build gets whats available at that time... So there is not point to make build to match the build of vyos, it's simply random...

[pittagurneyi]

I mean sure, that is one way to do it :)

As I'm using uncron because of concurrency problems otherwise, because my Jenkins build VM is set to 8 concurrent tasks, that wasn't an option. But of course there are other ways. I'll just hope the number of necessary workarounds will be reduced with time ...

Doesn't this mean you can't build current as it is a hardcoded symlink to sagitta ... ? ;)

[dd010101]

Just a note, debian removed the backports for the buster debian version, even from their archive server, somewhere end of April iirc. As a result I had to build some more dependencies sometimes for the equuleus branch, as they weren't any longer available.

I didn't find any problems when building equuleus tho... Like the ISO build works fine with debian apt.

I mean sure, that is one way to do it :)

Well you can use the power of telepathy to sync your start of build with theirs and yes then you wound get 1:1 copy. but otherwise you don't know what versions they use since there are no tags, just commits.

Doesn't this mean you can't build current as it is a hardcoded symlink to sagitta ... ? ;)

Oh well... I didn't plan to support current since you can build current anyway the official way. So it's only the stable branches.

[pittagurneyi]

@veduco

diff -rupN source/debian/autoreconf.before libtacplus-map/debian/autoreconf.before

Regarding the result, the files that were added are from the vyos git repo, correct?

Is it possible that they are from the previous version that was initially commited and potentially go unused, because we use the debian folder to build the package?

[veduco]

@veduco

diff -rupN source/debian/autoreconf.before libtacplus-map/debian/autoreconf.before

Regarding the result, the files that were added are from the vyos git repo, correct?

Is it possible that they are from the previous version that was initially commited and potentially go unused, because we use the debian folder to build the package?

I'm afraid I don't know how to answer this one.
The source directory is the tarball, the libtacplus-map is vyos' repo clone.

Maybe this helps?

[20:19:35 root@828b4c5b1e28 libtacplus-map {0}]# md5sum *
335a96a3b51c8fd0c35f4c43f6bfce6e  AUTHORS
12c43605244c0558c35bc26fdc28f06f  auto.sh
2b55e3d90434f47baf35606b268a705e  ChangeLog
f745023ee955f1052c0e66505ea50691  configure.ac
7d9203ccba9820476f62cda4e545bfc5  COPYING
md5sum: debian: Is a directory
454ad07273e629aef0c4a81e3a2f4364  dumpmap.c
f882149a85f326c4f69897062728ff81  Makefile.am
19d07f816ef83c662a27f71f3f3efc78  map_tacplus_user.c
c852697739735ede8026a065b11dcf3e  map_tacplus_user.h
07baf39672827d3de1565792c1d7f3c1  NEWS
8a9ba257aab874e97c804d49a2b889b0  README
3ecd89cc5919da1e3c94d44f92c7a7d3  tacplus.sudo
[20:19:40 root@828b4c5b1e28 libtacplus-map {1}]# md5sum debian/*
c7814e5eae994f8db76af697e0d21ffa  debian/autoreconf.before
16758f682f122699d4064dc0c2234a69  debian/changelog
7c5aba41f53293b712fd86d08ed5b36e  debian/compat
009c7a0018eee729754754c548952fcf  debian/control
4268d00f328f97bacb29504235bccfaf  debian/copyright
0d061179c013ea9f91e4a74d2ce980dd  debian/libtacplus-map1.debhelper.log
ec7168691aed17edc21f72afdc89c00a  debian/libtacplus-map1.install
bd6fa09db9b1941d30d74f29947dbcac  debian/libtacplus-map1.postinst
ddeef4eb2c80bc7fc8ed7b5c5f548edd  debian/libtacplus-map1.symbols
0d061179c013ea9f91e4a74d2ce980dd  debian/libtacplus-map-dev.debhelper.log
c87b2ee84b2d689adb095c5422434c8e  debian/libtacplus-map-dev.install
1bb79a512d98d7bf882948134ad90227  debian/README.source
8a899b6bc74d50f0d53645d36c53e968  debian/rules
md5sum: debian/source: Is a directory
[20:19:48 root@828b4c5b1e28 libtacplus-map {1}]# md5sum debian/source/*
2542b79651fab56d0ebfff75a0fdf7be  debian/source/format

and from upstream tarball:

[20:21:03 root@828b4c5b1e28 temp {0}]# cd source/
[20:21:05 root@828b4c5b1e28 source {0}]# md5sum *
335a96a3b51c8fd0c35f4c43f6bfce6e  AUTHORS
12c43605244c0558c35bc26fdc28f06f  auto.sh
2b55e3d90434f47baf35606b268a705e  ChangeLog
md5sum: config: Is a directory
f745023ee955f1052c0e66505ea50691  configure.ac
7d9203ccba9820476f62cda4e545bfc5  COPYING
md5sum: debian: Is a directory
454ad07273e629aef0c4a81e3a2f4364  dumpmap.c
f882149a85f326c4f69897062728ff81  Makefile.am
19d07f816ef83c662a27f71f3f3efc78  map_tacplus_user.c
c852697739735ede8026a065b11dcf3e  map_tacplus_user.h
07baf39672827d3de1565792c1d7f3c1  NEWS
8a9ba257aab874e97c804d49a2b889b0  README
3ecd89cc5919da1e3c94d44f92c7a7d3  tacplus.sudo
[20:21:06 root@828b4c5b1e28 source {1}]# md5sum config/*
22aa295bf5320aec7fba6756ff11058a  config/lt~obsolete.m4
064af1799febaa676203302bbf359180  config/ltoptions.m4
fa2891f9060865871cbbaa1c6e2d96f4  config/ltsugar.m4
d936fd6b2025c9b5322f826117d7f30c  config/ltversion.m4
[20:21:14 root@828b4c5b1e28 source {0}]# md5sum debian/*
16758f682f122699d4064dc0c2234a69  debian/changelog
7c5aba41f53293b712fd86d08ed5b36e  debian/compat
009c7a0018eee729754754c548952fcf  debian/control
4268d00f328f97bacb29504235bccfaf  debian/copyright
ec7168691aed17edc21f72afdc89c00a  debian/libtacplus-map1.install
bd6fa09db9b1941d30d74f29947dbcac  debian/libtacplus-map1.postinst
ddeef4eb2c80bc7fc8ed7b5c5f548edd  debian/libtacplus-map1.symbols
c87b2ee84b2d689adb095c5422434c8e  debian/libtacplus-map-dev.install
1bb79a512d98d7bf882948134ad90227  debian/README.source
8a899b6bc74d50f0d53645d36c53e968  debian/rules
md5sum: debian/source: Is a directory
[20:21:17 root@828b4c5b1e28 source {1}]# md5sum debian/source/*
2542b79651fab56d0ebfff75a0fdf7be  debian/source/format

seems that the diff is just that debian/autoreconf.before exists in the vyos repo.
Checksums on the files match.

Ah, and this is likely simply an artifact of me using my script to check it out which hits the build process.

Yep, confirmed.
So, the only actual difference between libtacplus-map tarball and vyos' repo is the presence of the config directory in the tarball.

[pittagurneyi]

If I compare it and remove .git and .gitignore from the vyos git repo and config/ from the source directory, then I get this:

$ diff -rupN source/ libtacplus-map

So except for the options directory, they appear to be identical as well?

EDIT: In consequence my Jenkinsfile and build therefore could be identical and "fine", correct?

[veduco]

I don't see an options directory related to libtacplus-map in vyos' repo, nor the tarball.

I was able to confirm that it was my script entering the build process that added that file.
A naked git clone has no diff except the config dir being present in the tarball.

Yes, your Jenkins script is effectively right.
It would just seem to be better practice to use vyos' repo as we do with the other packages.

But let's be honest: the package is deprecated. There's a near 0 chance that it changes, but non-0.

[pittagurneyi]

@veduco Thanks for pointing the repos out and helping compare them!

But let's be honest: the package is deprecated. There's a near 0 chance that it changes, but non-0.

I mean I'm not totally opposed, but at the same time they haven't changed those packages in a while (added by Cumulus Linux as deb package to their repo at May 18 2022; added to vyos sagitta repo with date 2023-09-25 18:36:21). There are lots of newer versions available from Cumulus Linux iirc.

EDIT: Also, what is to be done about the vyos git repos without proper branches? Manually checkout a specific commit and then manually update it every once in a while? Because we can't yet be sure that newer versions added there are actually for sagitta ...

EDIT2: So perhaps just wait a bit and let them - hopefully - clean it up then change it. Acceptable?

[dd010101]

Manually checkout a specific commit and then manually update it every once in a while?

Doesn't matter - if you rewrite master to sagitta or commit to sagitta after a while, basically the same thing. Because if they make changes then they would want to fix the branch issue and then you have correct branch to switch to.

It's good practice not to rely on totally unpinned sources, thus I did use commits for now: https://github.com/dd010101/vyos-missing/blob/sagitta/packages/libnss-tacplus/build.sh

[pittagurneyi]

Sure, until they have sorted the branch issues, then I propose we just follow the branch, like we do for all other vyos packages ... Less work for us. I don't think they introduce as many breaking changes (or "wrong" versions in this case) as happens with their main repos.

[dd010101]

@veduco
You seem to follow vyos development for longer than us since you have knowledge even before the change happened and overall knowledge of vyos development. You are contributor or you are following for fun? You are assembling your own repository from individual packages instead of using Jenkins automation?

[veduco]

I'm just an enthusiast that was irritated to not be able to update a piece of software at the heart of my network.
I have a github action that is able to build any one of or all of the packages in various granularities to seed a repo, and then build an iso if desired. It also requires no maintenance/forking of their repositories for me.

As interesting and meaningful as the smoketests may be, I'm not set to run those as in the 2+ years of building images, I never have, and with 1.4 approaching actual GA and moving to LTS, I'd expect the number of changes to drop as well as the time between meaningful changes in builds to increase. It's a risk I'm willing to accept given the HA environment I have.

I just didn't want to learn Jenkins at the time and having it scripted allows me quick access to do stuff on the side.
Shoot, for me, moving to Jenkins would only amplify the frustrations of dealing with changes somewhere, such as the FRR patch implementation upstream that broke VyOS' patches downstream, or the procps missing issue (vyos-build@59242a4bf2), or any one of the other issues that turned out to not be my fault, trying to track that down, all while having no confidence in the build system. You guys are trailblazers for sure.

edit: actually, thinking.. how do you guys handle custom build flavors?

[dd010101]

I see so the build action does fix the potentional issues before build where we're forced to fork? I guess you wouldn't even have many of the issues since they were related to reprepro and other not build related steps.

You would still need to have some maintenance in terms of the build actions isn't that right? Since the Jenkinsfiles contain small but some part of the build. The build commands may change as well as pinned commits. This was mine motivation to learn Jenkins since I didn't have idea of the scope, how complicated the Jenkinsfiles were but now I see most of them are simple.

I don't think anything would stop you from running smoketests, you just don't see the motivation to do so? I have good experience with the stability of vyos builds without smoketests as well but I do wait fair bit before I jump on next stable just because the router is the last thing I want to debug. You are using redundant routers with different vyos versions as your HA?

I'm sure going without Jenkins has its own benefits in terms that you can do what you want not what vyos team uses so it's completly valid way if you know how to build packages and obviously you don't have issue with that. I see Jenkins as good ready made solution that will handle everything for you once you have it going. If you can manage (or want or enjoy) to make your own system then perhaps Jenkins would only stay in your way.

I didn't use those new build flavors yet. I'm injecting debian live hooks into vyos-build to modify the image as I see fit before building ISO, this was the only way with crux and equuleus and it works with sagitta as well so I didn't see the need to investigate the toml flavors.

[pittagurneyi]

Depending on the amount of modifications you are doing and the, perhaps somewhat limited, times packages change for a LTS release, your Github Actions sound like a nice solution.

I'm not really worried about Jenkins though.

• It's installed using the official docker image, meaning they handle all of their database/config migrations automatically inside when you upgrade the container. So normally there should be nothing we need to do, with some rare exceptions perhaps.
• I only need to touch package definitions, i.e. the Jenkinsfile url/source location in Jenkins, when vyos changes the path of the packages, but then I guess so do you.
• I have a very limited set of patches that modify the vyos library functions and their main vyos-build Jenkinsfile and Jenkinsfile.docker, so keeping that rebased is not a problem. The files aren't complicated at all once you get an idea of how they work.

When my server is on I'm doing other tasks on it as well, which take longer than 2-3 hours, so running a few iso builds and smoketests all by pressing three start buttons in Jenkins isn't an issue at all.

Most of the package definitions, i.e. the Jenkinsfile with the build instructions inside, I never needed to touch, meaning I have no work to do when they update them. For them all the necessary modifications are in one library function/file in vyos-build.

All in all I see far less maintenance overhead as if I were to use any other method than their CI solution, which they maintain.

If I want to do modifications, I can just create a branch like sagitta-mod1 in my repo and make whatever changes I like to the build scripts including adding packages, etc. It will then only require the same rebase from the vyos repo as the main branches do. The last few I did in the last week were no problem at all. Git rebase also automatically detected when they removed the patches for frr, so my commits that did the same were just skipped while rebasing, nothing manual required at all.

Shoot, for me, moving to Jenkins would only amplify the frustrations of dealing with changes somewhere, such as the FRR patch implementation upstream that broke VyOS' patches downstream, or the procps missing issue (vyos-build@59242a4bf2), or any one of the other issues that turned out to not be my fault, trying to track that down, all while having no confidence in the build system. You guys are trailblazers for sure.

Well, we aren't really modifying the build process, because we only interfere with the code that stores the files/images and everything else remains untouched. That means we are using the exact same build process as VyOS is - of course at the moment theirs is quite broken so we had to fix it. Therefore we know for sure that if something is wrong, it isn't our fault - unless of course one of the missing packages we added gives us problems, but I believe the chances aren't that great.

So if the smoketest fails, which just runs automatically as part of the process of building the iso, I know to just try again later. No problem for me.

Or, as Jenkins stores the build artifacts, you can just look at the history of builds for your branch and pick the iso image of a certain build and download it from Jenkins. So if the smoketest fails and the iso is not uploaded via ssh (in my case) to the snapshot directory I created for it, then it is not lost, I just have to manually retrieve it. For all the ones in my snapshot folder I know that the smoketest succeeded.

Just wanted to explain my thought process behind my decision.

[pittagurneyi]

We could even add a Jenkins parameter for the iso build process to add modifications or packages. The packages one is easy. From the Jenkinsfile in vyos-build you see that it has pipeline parameters configured, which you can set when building, i.e. you have a web form you can fill in for these values/checkboxes:

    parameters {
        string(name: 'BUILD_BY', defaultValue: '[email protected]', description: 'Builder identifier (e.g. [email protected])')
        string(name: 'BUILD_VERSION', defaultValue: env.BASE_VERSION + 'ISO8601-TIMESTAMP', description: 'Version number (release builds only)')
        booleanParam(name: 'BUILD_PUBLISH', defaultValue: false, description: 'Publish this build to downloads.vyos.io and AWS S3')
        booleanParam(name: 'BUILD_SMOKETESTS', defaultValue: true, description: 'Include Smoketests in ISO image')
        booleanParam(name: 'BUILD_SNAPSHOT', defaultValue: false, description: 'Upload image to AWS S3 snapshot bucket')
    }

The documentation for it is here https://www.jenkins.io/doc/book/pipeline/syntax/:

The parameters directive provides a list of parameters that a user should provide when triggering the Pipeline. The values for these user-specified parameters are made available to Pipeline steps via the params object, refer to the Parameters, Declarative Pipeline for its specific usage.

There is quite a bit more, I just don't want to paste it all here.

From their example, we have the following choices of parameter type:

    parameters {
        string(name: 'PERSON', defaultValue: 'Mr Jenkins', description: 'Who should I say hello to?')
        text(name: 'BIOGRAPHY', defaultValue: '', description: 'Enter some information about the person')
        booleanParam(name: 'TOGGLE', defaultValue: true, description: 'Toggle this value')
        choice(name: 'CHOICE', choices: ['One', 'Two', 'Three'], description: 'Pick something')
        password(name: 'PASSWORD', defaultValue: 'SECRET', description: 'Enter a password')
    }

They are then used in the build process (Jenkinsfile from vyos-build again):

                    def CUSTOM_PACKAGES = ''
                    if (params.BUILD_SMOKETESTS)
                        CUSTOM_PACKAGES = '--custom-package vyos-1x-smoketest'

Now we have multiple options, use a string or text field, and make the user add packages with comma/newline/space separation, then split and trim it and add it in a loop to the CUSTOM_PACKAGES.

Done.

Then you can flexibly add packages via Jenkins as well.

Of course we could also add more stuff here, like additional package sources, etc. we'd of course then have to do a bit more modification of the build process, but it wouldn't be very hard to do.

Like one text field for apt repo sources.list entries. Another one for priorities, if you want to build using your modified images from that other repo (that is how that works, right? I don't use apt-based systems that often). Then adding a build suffix in the filename, so you know what you've built.

And all the while Jenkins does all the heavy lifting for you.

[dd010101]

I use the debian live hooks (the data/live-build-config/hooks directories) to customize instead of --custom-package because that gives you access to everything at every stage of the live-build. For example I want extra kernel module that I need to build for the vyos kernel (and it's not available from apt), that's not possible just with --custom-package (unless you make your own package for everything) thus I write shell script and put it into data/live-build-config/hooks/live and then my script runs inside the chroot when image is being built and I can build the module as you would do it normally on running system.

I have script that watches for releases by vyos team (like they release 1.3.7), then it pull latest vyos-build for given branch, builds vyos-build docker image (applies some patches depending how vyos-build is broken, in past it was for example broken gem dependency for ruby), injects my shell script to data/live-build-config/hooks and builds ISO. The ISO builder then executes my shell scripts in different stages of the build process to do whatever I want.

The hooks are very easy, very flexible and very powerful - that's what the vyos-build uses to do everything - you can include some additional file, you can change some files, configure some things, you can install packages from whatever repository, you can build inside the chroot, basically you can anything and everything. This is why I don't even need the toml flavors, the live-build hooks are the most powerful tool to modify the imagine.

Could you do this via Jenkins? You could but why would I?

This is nice example to see how different people see different ways to be the best depending on where they did start.

I started with my own ISO build thus I don't see the point why I would use Jenkins for that since I already have something that works as best it could, I'm using it for many years since the crux release, I know it has very low maintenance and infinite flexibility. Thus I see Jenkins as good fit for the packages part but not for the ISO or smoketest part - I can do that on my own just as well.

Veduco started with everything so he doesn't have reason to use Jenskins at all.

Perhaps you want to use Jenkins for everything because that's what did you started with.

At the end you basically execute some script at some point and how you do it and how the script looks like doesn't really matter. Thus I see my half-Jenkins, yours full-Jenkins or Veduco's no-Jenkins as the same thing, just different people have different starting experiences and taste. I see how Jenkins saves you work but I also see how Jenkins imposes restrictions and some learning curve to overcome but for sure it's easier to learn than to learn what I did need to know to build my own solution and that's why I would recommend Jenkins for someone who starts from beginning and doesn't have experience with this sort of stuff but if you already have solution - should you migrate to Jenkins? No, you would just be changing things for the sake of changing them and that's pointless, you would exchange some advantage for another disadvantage.

[pittagurneyi]

... Like I said in my comment before last, I just create a different branch in vyos-build if I want to modify more. Obviously parametrizing Jenkinsfile only works for more general tasks. But you can create new branches in your vyos-build that Jenkins detects and you can start the iso build via Jenkins for that branch you modified via a simple click as well. You can even create tags and build them, whatever you want.

If you now want to run make iso or what it was called or press a button in Jenkins is up to you.

I only wanted to point out, that it helps automate stuff.

Were I to work on multiple branches in my vyos-build, just had one variant finished, pushed to github/gitlab, go to Jenkins, click discover repository, click build your-branch. While it does that you can do other work in other branches and building and publishing the iso to the correct location is all handled by Jenkins. Depending on the amount of workers your build server is configured with you can let it create multiple variations concurrently. Otherwise you'd have the build process open in a shell somewhere.

All our approaches are entirely valid and I didn't express my ideas for customization as a way to discourage you to use yours. That is precisely why I added the line at the end

Just wanted to explain my thought process behind my decision.

EDIT: @dd010101: In general, please always assume that me expressing my opinion is in no way a criticism of your way of working. I never mean to offend you and you seem to like taking things personally.

[dd010101]

You explained your thoughts and so did I, so you don't take the things I say as against you. I would agree that what you saying about Jenkins is perfectly fine way to go about it. I wanted explain what I see as the best way to create customized ISO and to add some balance to the Jenkins discussion.