Mechanism for triggering template build

[marmarek]

Right now template build require direct access to build machine. This is bad for various reasons, including:

• lack of transparency
• inability to delegate it

We've using a better mechanism for individual packages for some time. It consists of:

• a script that build and upload to current-testing a package that got new signed version tag
• a script that process signed comment on github to migrate package from current-testing to current (Transparent mechanism for migrating packages from current-testing to current #2573)

This works well for normal packages, lets do something similar for templates.
The problem here is there is no natural place for template version tag - template consists of more than just linux-template-builder - in many cases we need to build new template after just updating individual packages (which doesn't involve any change in linux-template-builder).

I propose using something similar to #2573 for triggering the build too. The work flow would be:

• template maintainer open new issue (in updates-status repository? or here?) with inline-signed command to build the template
• appropriate script verify the signature and proceed to build the template (using make build-template-in-dispvm)
• when build succeed, result is reported to https://github.com/QubesOS/updates-status/issues repository and template is uploaded to online repository
• build failure would be also reported, in https://github.com/QubesOS/build-issues/issues

Open questions:

1. How build trigger command should look like (what we need there)? My current idea:

    build-template QUBES_VERSION TEMPLATE TIMESTAMP
   

   For example: build-template r4.0 fc28+minimal 201805171636

2. Do we need templates-itl-testing and templates-community-testing repositories and upload templates there first? And the use similar workflow to migrate them later to final repositories?

3. Replay protection - in the example above I've added TIMESTAMP (which will be used as %release part of template version) exactly for this reason. The script would verify if it isn't too far in the past. Any better idea?

4. Template package version is pretty meaningless right now (it's template builder version (but not builder plugin - containing most actual building scripts) + timestamp). Maybe we could use this occasion to change this too? For example specify template version manually too? Or build it based on qubes version (3.2.x for templates for Qubes 3.2 etc)?

This all would for example allow @adrelanos to trigger new Whonix template build or @fepitre for Fedora and CentOS, or @ptitdoc for Archlinux, or @unman for Debian.

cc @andrewdavidwong

[andrewdavidwong]

Do we need templates-itl-testing and templates-community-testing repositories and upload templates there first? And the use similar workflow to migrate them later to final repositories?

This would probably be a good idea.

[adrelanos]

qubes-template-whonix-gw-14 4.0.1-201807210556 even though QubesOS/updates-status#609 says it has been uploaded, is not actually available in templates-community-testing.

qubes-template-whonix-gw-14 4.0.1-201807190624 is being downloaded.

Upload failure not detected?

Out of disk space?

https://yum.qubes-os.org/r4.0/templates-community-testing/rpm/ has:

• qubes-template-whonix-gw-14-4.0.1-2018 07130946.noarch.rpm
• qubes-template-whonix-gw-14-4.0.1-2018 07171801.noarch.rpm
• qubes-template-whonix-ws-14-4.0.1-2018 07131452.noarch.rpm
• qubes-template-whonix-ws-14-4.0.1-2018 07171801.noarch.rpm

By the way, all older templates can all be purged to save disk space.

[marmarek]

qubes-template-whonix-gw-14 4.0.1-201807210556 even though QubesOS/updates-status#609 says it has been uploaded, is not actually available in templates-community-testing.

It is, for 3.2 (not 4.0), here: https://yum.qubes-os.org/r3.2/templates-community-testing/rpm/

[adrelanos]

QubesOS/updates-status#572 (comment)

Upload core-agent-linux ec251da5d8e6ed5544e91d92695a41f4d86d43d5 r4.0 current repo

There's was no notification Package for fc28 was built (build log) and uploaded to current repository. Expected?

I guess such a notification if upload actually happened could save a some time in future in case it fails for some reason.

[marmarek]

There's was no notification Package for fc28 was built (build log) and uploaded to current repository. Expected?

Sort of. This is because it wasn't uploaded. Because there was already newer package: QubesOS/updates-status#593

[ptitdoc]

Hello,

Sorry, I did not tested yet but the key D85EE12F967851CCF433515A2043E7ACC1833B9C is good for me for building templates.

[ptitdoc]

Hello,

I'm only starting to test this. I'm not sure where I should create specific archlinux configuration. Should I put it there:
https://github.com/QubesOS/qubes-builder/tree/master/release-configs
or there:
https://github.com/QubesOS/qubes-template-configs/tree/master/R4.0/templates-community

[marmarek]

The latter.

[marmarek]

@unman what key do you want to use for signing build requests? I have two of them:

• C6E2533D976E4B29A82B79CB0C6D15D5E0A9816E
• 4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF

You tried the second one already, but I want explicit confirmation.

[unman]

@marmarek The second is my signing key for Qubes:
4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF

Confirmed here

[marmarek]

Ok, I read this as "use 4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF for build commands access list"

[unman]

Yes, sorry. You've understood my somewhat gnomic comment aright.
Please use key 4B1F400DF25651B53C4141B38B3F30F9C8C0C2EF for access list.

[marmarek]

Done.

[adrelanos]

Using...

REPO_PROXY="" make DISTS_VM="whonix-gateway-16 whonix-workstation-16" template-github

Builds templates for Qubes R4.0.

What's the command for Qubes R4.1?

[adrelanos]

Comment out from builder.conf : RELEASE = 4.0 and

RELEASE=4.1 REPO_PROXY="" make DISTS_VM="whonix-gateway-16 whonix-workstation-16" template-github

[marmarek]

This is all done for quite some time already.