Debian Chroot

From Crypto++ Wiki

Debian provides a rich testing environment by way of Ports and QEMU/Chroot environments. The ports are lightweight VMs, and they include X32, IBM S/390, ARM Hard Floats (ARMHF) (used by BeagleBoards), ARM EABI (ARMEL) (used by Android), PowerPC, MIPS and MIPSEL (used for SGI and DEC workstations). This page will provide recipes for installing them for testing purposes.

There are two distinct components used for this testing. First is the host system, and it can run Debian 8/Jessie Stable, Testing or Unstable distributions. The second component is the guest, and it must run Debian 8/Jessie Unstable distribution. If you fail to use Unstable for a guest, then you will receive errors similar to Failed getting release file http://ftp.ports.debian.org/debian-ports/dists/jessie/Release.

There is a downside to using ports and chroots. The guest binary images are native to the guest instruction set architecture (not the host ISA). The programs are interpreted so things run up to 10x slower than a native host program. If possible, you should consider using real hardware to make the testing proceed faster.

Debian 8

The host or base system is a Debian 8 x86_64 machine and can use Debian Stable, Testing or Unstable. The host can run on real hardware, or it can run in a VM like KVM, VirtualBox or VMware. The processor should provide SLAT or hardware assisted virtualization (AMD-V or Intel VT-x).

The QEMU and Chroot guests must use Debian Unstable, and not Stable or Testing. If you fail to use Unstable, then you will receive errors similar to Failed getting release file http://ftp.ports.debian.org/debian-ports/dists/jessie/Release. If you encounter this error, then /etc/apt/sources.list needs to be modified to use Unstable.

After you install the Debian host system, be sure to run the following on the host to avoid a constant stream of warnings in guests because LC_ALL is not set:

debian-host# apt-get install locales
debian-host# dpkg-reconfigure locales
(complete the process)

Debootstrap

Debootstrap is installed on the host and used to ease the management of installing the QEMU/Chroot environment. There are five packages needed to provide a QEMU guest.

debian-host# apt-get install qemu qemu-user-static binfmt-support debootstrap debian-ports-archive-keyring

After binfmt is installed, you can list the environments available with the following. All QEMU related commands are executed as root, so be sure to perform a su - or sudo su -.

debian-host$ su -
Enter password: ...

# update-binfmts --display | grep interpreter
 interpreter = /usr/bin/qemu-aarch64-static
 interpreter = /usr/bin/qemu-microblaze-static
 interpreter = /usr/bin/qemu-arm-static
 interpreter = /usr/bin/qemu-m68k-static
 interpreter = /usr/bin/qemu-ppc64abi32-static
 interpreter = /usr/bin/qemu-ppc64le-static
 interpreter = /usr/bin/qemu-sparc-static
 interpreter = /usr/bin/qemu-sparc64-static
 interpreter = /usr/bin/qemu-sh4-static
 interpreter = /usr/bin/qemu-mips64el-static
 interpreter = /usr/bin/qemu-sh4eb-static
 interpreter = /usr/bin/qemu-sparc32plus-static
 interpreter = /usr/bin/qemu-ppc64-static
 interpreter = /usr/bin/qemu-mipsel-static
 interpreter = /usr/bin/qemu-ppc-static
 interpreter = /usr/bin/qemu-alpha-static
 interpreter = /usr/bin/qemu-cris-static
 interpreter = /usr/bin/qemu-mips-static
 interpreter = /usr/bin/qemu-mips64-static
 interpreter = /usr/bin/qemu-s390x-static
 interpreter = /usr/bin/qemu-armeb-static

QEMU/Chroot Guest

The recipes to create a chroot are provided below. There are lots of them, so they are collected at the end of the document. Simply pick a recipe, and copy/paste it into the host command line.

The chroots are simply filesystem branches stored in root's home directory:

debian-host# cd
debian-host# pwd
/root

# ls -l
drwxr-xr-x 20 root root      4096 Sep 10 06:43 debian-armel
drwxr-xr-x 20 root root      4096 Oct  5 14:27 debian-armhf
drwxr-xr-x 21 root root      4096 Aug 30 18:32 debian-s390x
drwxr-xr-x 21 root root      4096 Oct  9 16:12 debian-unstable
drwxr-xr-x 21 root root      4096 Aug 20 15:21 debian-x32

Entering a Guest

After the lightweight VM is created, you enter the guest with chroot debian-{arch}. Remember to elevate:

debian-host$ sudo su -
Password: ...

debian-host# chroot debian-s390x
debian-guest#
(You are now in the lightweight VM)

Once in the QEMU/Chroot guest, the next step is to enable Ports keyring:

debian-guest# apt-get install debian-ports-archive-keyring

All guests must use Unstable (and not Stable nor Testing). Modify /etc/apt/sources.list as required. You should replace jessie or stable with sid or unstable. After the replacement, be sure to perform apt-get update && apt-get dist-upgrade in the guest:

debian-guest# cat /etc/apt/sources.list
deb http://ftp.ports.debian.org/debian-ports unstable main

If you need to modify sources.list and you don't have your editor of choice, try:

debian-guest# echo "deb http://ftp.debian.org/debian unstable main" > /etc/apt/sources.list

Once the Keyring is installed and Unstable is enabled, perform the necessary upgrades. Upgrades in the guest are similar to the host based system, but you will have to fetch them manually on occasion.

debian-guest# apt-get update
...
debian-guest# apt-get dist-upgrade
...
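The suite switch described above can also be scripted. The following is an added example, not part of the original wiki page: it rewrites only the suite field of each entry and then reports any entry that is still not on Unstable. The sample sources.list is constructed, and the function names are hypothetical.

```shell
# Constructed sample: a guest sources.list before the edit.
sample_sources() {
    cat <<'EOF'
# guest created from a jessie recipe
deb http://ftp.ports.debian.org/debian-ports jessie main
deb [arch=armhf] http://ftp.debian.org/debian stable main contrib
deb-src http://ftp.debian.org/debian unstable main
EOF
}

# awk helper shared by both functions: index of the suite field on a deb line.
# The suite follows the URI, which follows an optional "[ options ]" block.
SUITE_AWK='
function suite_field(   u) {
    u = 2
    if ($2 ~ /^\[/) { while (u <= NF && $u !~ /\]$/) u++; u++ }
    return u + 1
}
'

# to_unstable FILE: print FILE with jessie/stable suites changed to unstable.
# Only the suite field is rewritten; URIs, options and comments are kept.
to_unstable() {
    awk "$SUITE_AWK"'
        /^[ \t]*deb(-src)?[ \t]/ {
            s = suite_field()
            if (s <= NF && ($s == "jessie" || $s == "stable")) $s = "unstable"
        }
        { print }' "$1"
}

# not_unstable FILE: print active entries whose suite is not unstable or sid.
# Exit status 0 means every entry already points at Unstable.
not_unstable() {
    awk "$SUITE_AWK"'
        /^[ \t]*deb(-src)?[ \t]/ {
            s = suite_field()
            if ($s != "unstable" && $s != "sid") { print; bad = 1 }
        }
        END { exit bad }' "$1"
}
```

Inside a guest, `to_unstable /etc/apt/sources.list > /tmp/sources.list.new` followed by `not_unstable /tmp/sources.list.new` lets you review the result before replacing the file.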

Filesystems

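You can also mount the host's /proc, /sys and /dev filesystems in the guest with the following. The target paths are relative, so run the commands on the host from the top of the guest's directory tree. Also see mount dev, proc, sys in a chroot environment? on Super User.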

mount -t proc proc proc/
mount --rbind /sys sys/ 
mount --rbind /dev dev/ 

You can also add an entry to mount.defaults (the Chroot equivalent to /etc/fstab).
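Because --rbind places the host's live /dev and /sys inside the guest tree, a recursive delete or archive of a guest directory would reach them while they are mounted. The following added example (not from the original wiki page) lists what is still mounted under a guest, deepest first, so it can be unmounted before the tree is touched. The mount table and the /root/debian-armhf paths are constructed, and the function names are hypothetical.

```shell
# Constructed sample of /proc/mounts on a host with one guest mounted using
# the commands above (the tree under /root/debian-armhf is hypothetical).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec 0 0
udev /dev devtmpfs rw,nosuid 0 0
devpts /dev/pts devpts rw,nosuid,noexec 0 0
proc /root/debian-armhf/proc proc rw,relatime 0 0
sysfs /root/debian-armhf/sys sysfs rw,relatime 0 0
udev /root/debian-armhf/dev devtmpfs rw,nosuid 0 0
devpts /root/debian-armhf/dev/pts devpts rw,nosuid,noexec 0 0
/dev/sda1 /root/debian-armhf-old ext4 rw 0 0
EOF
}

# chroot_mounts ROOT [MOUNTS]: list mount points at or below ROOT, deepest
# first, which is the order umount needs. MOUNTS defaults to /proc/mounts.
chroot_mounts() {
    root=${1%/}
    awk -v root="$root" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)      # /proc/mounts writes a space as \040
            # Match ROOT itself or ROOT/..., never a sibling such as ROOT-old.
            if (mp == root || index(mp, root "/") == 1) print mp
        }' "${2:-/proc/mounts}" | LC_ALL=C sort -r
}

# safe_to_remove ROOT [MOUNTS]: succeed only when nothing is mounted under ROOT.
safe_to_remove() {
    [ -z "$(chroot_mounts "$1" "${2:-/proc/mounts}")" ]
}
```

On a live host, `chroot_mounts /root/debian-armhf` prints the paths to pass to umount, one per line, and `safe_to_remove /root/debian-armhf` can gate any cleanup script.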

Guest Software

Issue the following commands to fetch common development tools. You have to do it for each guest testing environment.

# apt-get install locales build-essential gcc g++ gdb make subversion git wget curl zip unzip

GDB may or may not work in a guest. If you find a GDB bug related to a platform, then please be sure to file a bug report with GDB so the Sourceware folks fix it. Also file a bug report at Debian, and reference the upstream bug. The Debian report is required so the Debian folks know they have a break that needs fixing.

Emacs users will have to install Emacs in each chroot. emacs-nox is a good choice because the windowing gear is not available. At over 100 MB it's still bloated, but it's smaller than it could be. Alternately, you can build a small footprint Emacs by following Minimal emacs24 installation on Super User.

Recipes

The following are copy and paste recipes to create the guest test environments. They should be executed on the host after elevating with su - or su - root. After executing a recipe, chroot into the guest environment and install the necessary software as detailed above.

The recipes below use the {debian-archive-keyring.gpg,http://ftp.debian.org/debian} or {debian-ports-archive-keyring.gpg,http://ftp.ports.debian.org/debian-ports} pair. The keyring and release file location come in pairs.
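debootstrap verifies the mirror's Release file against the keyring named on the command line, so a keyring that does not belong to the mirror ends in a signature failure. The following added example (not from the original wiki page) checks a recipe against the two pairs listed above before it is run. The function name and the sample recipe are constructed for illustration.

```shell
# Constructed sample: an m68k recipe that mixes the main-archive keyring with
# the ports mirror.
SAMPLE_MISMATCH='qemu-debootstrap --arch=m68k --keyring /usr/share/keyrings/debian-archive-keyring.gpg --variant=buildd unstable debian-m68k http://ftp.ports.debian.org/debian-ports'

# check_recipe "COMMAND LINE": print "ok" and return 0 when the keyring and
# the mirror URL form one of the two pairs, otherwise print why and return 1.
check_recipe() {
    keyring="" mirror="" prev=""
    # Split the recipe on whitespace on purpose; the recipes on this page have
    # no quoted arguments. A stray "\" line continuation is simply ignored.
    for word in $1; do
        case "$prev" in --keyring) keyring=$word ;; esac
        case "$word" in
            --keyring=*) keyring=${word#--keyring=} ;;
            http://*|https://*) mirror=${word%/} ;;
        esac
        prev=$word
    done
    [ -n "$keyring" ] || { echo "no --keyring given"; return 1; }
    [ -n "$mirror" ]  || { echo "no mirror URL given"; return 1; }
    case "$(basename "$keyring")" in
        debian-archive-keyring.gpg)
            want=http://ftp.debian.org/debian ;;
        debian-ports-archive-keyring.gpg)
            want=http://ftp.ports.debian.org/debian-ports ;;
        *)
            echo "unrecognised keyring: $keyring"; return 1 ;;
    esac
    if [ "$mirror" = "$want" ]; then
        echo "ok"
    else
        echo "$(basename "$keyring") pairs with $want, not $mirror"
        return 1
    fi
}
```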

All guests must use Unstable (and not Stable nor Testing). Modify /etc/apt/sources.list as required. You should replace jessie or stable with sid or unstable. After the replacement, be sure to perform apt-get update && apt-get dist-upgrade in the guest.

X32 is an interesting platform that is a mix of X64 machine with X86 assembly language and X64 registers. To use X32, you must boot your kernel with the command line option syscall.x32=y. Debian 8 kernels provide support for the option out-of-the-box, and you can add it to GRUB_CMDLINE_LINUX_DEFAULT or GRUB_CMDLINE_LINUX (see /etc/default/grub).

ARM64

qemu-debootstrap --arch=arm64 --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-arm64 http://ftp.debian.org/debian

ARMHF

qemu-debootstrap --arch=armhf --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-armhf http://ftp.debian.org/debian

ARMEL

ARMEL is a Debian port, but it does not use the ports URL.

qemu-debootstrap --arch=armel --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-armel http://ftp.debian.org/debian

M68K

m68k is in progress so it uses the ports URL. If you receive an error Release signed by unknown key (key id B4C86482705A2CE1), then see Unknown key B4C86482705A2CE1 below.

qemu-debootstrap --arch=m68k --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-m68k http://ftp.ports.debian.org/debian-ports

MIPS

MIPS is a Debian port, but it does not use the ports URL.

qemu-debootstrap --arch=mips --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-mips http://ftp.debian.org/debian

MIPSEL

MIPSEL is a Debian port, but it does not use the ports URL.

qemu-debootstrap --arch=mipsel --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-mipsel http://ftp.debian.org/debian

S/390x

qemu-debootstrap --arch=s390x --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-s390x http://ftp.debian.org/debian

Sparc64

Sparc64 is in progress so it uses the ports URL. If you receive an error Release signed by unknown key (key id B4C86482705A2CE1), then see Unknown key B4C86482705A2CE1 below.

qemu-debootstrap --arch=sparc64 --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-sparc64 http://ftp.ports.debian.org/debian-ports

X32

Be sure to boot your kernel with the command line option syscall.x32=y. Note this recipe uses debootstrap, and not qemu-debootstrap.

debootstrap --arch=x32 --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster unstable debian-x32 http://ftp.ports.debian.org/debian-ports

Unstable

New releases of Crypto++ enter the Debian system via Unstable. Also see Debian Unstable | Life Cycle on Debian's wiki.

qemu-debootstrap --arch=amd64 --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster sid debian-unstable http://ftp.debian.org/debian

Testing

Once Crypto++ satisfies the requirements of Debian's Unstable branch, it is moved to Debian Testing. Also see Debian Testing | How Testing Works on Debian's wiki.

qemu-debootstrap --arch=amd64 --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
  --variant=buildd --exclude=debfoster testing debian-testing http://ftp.debian.org/debian

Unknown key B4C86482705A2CE1

Debian's package system has a chronic problem of missing signing keys, and an inability to update the system once installed (if it installs in the first place). You will experience the goodness with errors like Release signed by unknown key (key id B4C86482705A2CE1) and failures in Apt. If you find yourself fighting the Debian package system, you should (1) know you are not alone, and (2) visit bug reports like 826043 and 842307.

According to the 826043 bug, you are supposed to be able to fix it with one of the following. We know for certain the suggestions do not work under Debian Hurd (i386). We don't expect it to work in other places either, like Sparc64.

apt-get install --reinstall debian-archive-keyring

Or

apt-get install --reinstall debian-ports-archive-keyring

Or

dpkg --force-depends -P debian-archive-keyring
dpkg -i /var/cache/apt/archives/debian-archive-keyring*

Or

cd /
apt-get update

Or

cd ~
apt-get update

Running Apt with --no-check-gpg and --allow-unauthenticated does not work either.

Acknowledgements

Many thanks to László Böszörményi, Adam Borowski and Michael Tokarev of the Debian project. They were very helpful with installation and configuration of the QEMU/Chroot environments.