# Contractor -- build software (more) securely

The Contractor lets you build software with less worry that it will
do something bad. This is an ugly proof of concept prototype and
certainly not ready for real use.

This will probably only work on Debian 10 (buster) and later. To use,
you need to have libvirt, virt-install, and vmdb2, and several
gigabytes of disk space, RAM, and CPUs, and a fair bit of bandwidth.
Possibly other things.

## Use pre-built images

Warning: the uncompressed files are big. You need at least a few tens
of gigabytes of free disk space. If you build your own images, you can
do with less disk space.

* Clone this source repository:  

  `git clone https://gitlab.com/larswirzenius/contractor.git`  
  `cd contractor`

* Download manager and worker VM images and uncompress them:  

  `curl https://files.liw.fi/contractor/vm.img.xz > vm.img.xz`  
  `curl https://files.liw.fi/contractor/worker.img.xz > worker.img.xz`  
  `unxz -v *.img.xz`

* Change the manager to accept your own SSH public key (change the key
  filename as needed):  

  `sudo sh -x ./set-authorized-key vm.img ~/.ssh/id*.pub`

* Create a workspace disk image:  

  `truncate -s 50G workspace.img`  
  `sudo mkfs -t ext4 workspace.img`

* Create manager VM:  

  `./vm-libvirt.sh contractor vm.img workspace.img`

  This step requires libvirt and virt-install to be installed.


## Build everything yourself

[vmdb2]: https://vmdb2.liw.fi/

This step gives you exactly the images you want, but requires having
the [vmdb2][] tool installed.

* Edit the Ansible playbook to set `user_pub` to your SSH public key, and
  any other things you want to change, such as the size of the image:  

  `editor vm.yml`

* Create two VM images (this can take a while):  

  `sudo ./vm.sh`

* Create the outer, manager VM:  

  `./vm-libvirt.sh`


## Try the Contractor

The following assumes you have a running Contractor.

* Find out what the IP address of the VM is:  

  `less /var/lib/libvirt/dnsmasq/virbr0.status`

* Check that the manager VM is accessible (change IP to yours):  

  `./contractor -m 192.168.122.63 manager-status`

* Clone the test repo:  

  `git clone git://git.liw.fi/heippa /tmp/heippa`

* Build (change IP to yours; this will take a while to run):  

  `./contractor -v -m 192.168.122.63 -v build heippa.yaml`

  Add a `--log contractor.log` option to have a log file. It sometimes
  helps for debugging. The output from the build commands goes to the
  stdout and stderr of contractor, not the log file.

* Hopefully all went well. You can examine the workspace of the build
  at `/tmp/heippa-workspace` .

Read contractor.md for more information; formatted versions:

* [HTML](https://files.liw.fi/temp/contractor.html)
* [PDF](https://files.liw.fi/temp/contractor.pdf)

If you think this project is worthwhile, and would like to help,
please get in touch!

---
title: README for Contractor
author: Lars Wirzenius (liw@liw.fi)
...