Rebuilderd

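From ArchWiki

Rebuilderd is an independent verification system for binary packages. It allows verifying pre-compiled packages by repeating the build step in an identical environment and then verifying that the package is identical. Currently, only Arch Linux packages can be verified.

Note: rebuilderd is still experimental, and a large number of builds are not yet reproducible. A failed build does not necessarily mean that the package is malicious.

If you run or are considering running a rebuilder, feel free to join the #archlinux-reproducible IRC channel.

Installation

Install the rebuilderd package.

Configuration

Single machine

On a single machine, you only need to enable rebuilderd.service and a worker service: rebuilderd-worker@workername.service.

Afterwards, you can verify that rebuilderd is running correctly with a single worker by running: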

# rebuildctl status

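If you get an error saying the authentication cookie could not be found, you may need to add yourself to the rebuilderd user group.

Continue to the next section to sync the packages our worker can rebuild.

Multi-node rebuilder

To run a multi-node rebuilder network, we need at least two servers:

rebuilderd daemon
This daemon needs very few resources (a CX11 instance is sufficient). It keeps track of all packages, coordinates the workers and serves the results to clients. This daemon should be set up with HTTPS.
rebuilderd worker
This server runs the actual builds. It should have at least 16 GiB of RAM, and closer to 32 GiB if you want to build all packages.

Workers need to authenticate to the daemon with a signup secret (worker.signup_secret). This secret can be generated with pwgen -1s 32.

You can also generate a second secret to use rebuildctl remotely (auth.cookie). This is optional; you can also run rebuildctl on the server after adding yourself to the rebuilderd group.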

/etc/rebuilderd.conf
## Configuration for http daemon
[http]
## The address to bind to. This is 127.0.0.1:8484 by default.
bind_addr = "0.0.0.0:8484"
## If you use a reverse proxy, use this header instead of the actual connecting ip.
## Make sure the reverse proxy has filters in place to prevent spoofing issues.
#real_ip_header = "X-Real-IP"
## Set a default endpoint for rebuildctl. This is especially useful for the sync timer.
#endpoint = "http://127.0.0.1:8484"

## A random cookie for administration is generated at startup and written to /var/lib/rebuilderd/auth-cookie
## You can set this to a fixed value here. Use `pwgen -1s 32` to generate one.
## rebuildctl is searching for this cookie in ~/.config/rebuilderd.conf, /etc/rebuilderd.conf and
## /var/lib/rebuilderd/auth-cookie in that order.
#[auth]
#cookie = "INSECURE"

## The auth cookie above is only used for the default endpoint.
## You can use different endpoints with `rebuildctl -H https://rebuilder.example.com status`,
## In that case you need to configure a section below if you want to attach a cookie.
#[endpoints."https://rebuilder.example.com"]
#cookie = "INSECURE"

## IMPORTANT: in production, make sure either `authorized_workers` or `signup_secret` is configured.
[worker]
## If we have a fixed set of workers we can allow-list the keys here.
#authorized_workers = ["key1", "key2"]
## If we want to spawn new workers dynamically we can configure a sign up secret below.
## Use `pwgen -1s 32` to generate one.
signup_secret = "INSECURE"

#[schedule]
## Configure the delay to automatically retry failed rebuilds in hours. The
## default is 24h, this base is multiplied with the number of rebuilds, so the
## first retry would happen after 24h, the second retry would happen 48h after the
## first retry and the third retry would happen 72h after the second retry. There
## is no upper limit of retries, if you can't afford frequent retries it's
## recommended to set this to a high value like 168 (1 week) or higher.
## Successful rebuilds are not retried.
#retry_delay_base = 24

Start/enable rebuilderd.service.

Next, we head to our worker machines to set them up. Install rebuilderd there as well and edit /etc/rebuilderd-worker.conf.

/etc/rebuilderd-worker.conf
## The rebuilderd to connect to
endpoint = "https://rebuilder.example.com" # or http://rebuilder.example.com:8484
## The server would either allowlist our key or require a signup secret
signup_secret = "INSECURE-CHANGE-ME"

[build]
#timeout = 86400 # 24 hours
## Set a maximum build log limit in bytes (default: none).
## When reaching this limit the log is truncated but the rebuilder backend is *not* terminated.
max_bytes = 10485760 # 10 MiB
## By default build output is forwarded to stdout/stderr.
## This can be disabled by setting this to true.
#silent = true

[diffoscope]
## Generate and attach diffs with diffoscope when rebuilding
enabled = true
## Pass additional arguments to diffoscope. Use wisely, some options might not work well.
#args = ["--max-container-depth", "2", "--fuzzy-threshold", "0"]
## Set a timeout in seconds after which diffoscope is terminated (default: 3600)
#timeout = 600 # 10 minutes
## Set a maximum diffoscope output limit in bytes (default: none).
## When reaching this limit, diffoscope is terminated and the output is truncated.
max_bytes = 41943040 # 40 MiB

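We can start the worker unit multiple times for concurrent rebuilds (if the machine has enough resources). We will begin by starting just one worker (and naming it 0) by starting/enabling rebuilderd-worker@0.service.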
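The sample configs above carry placeholder secrets (INSECURE, INSECURE-CHANGE-ME) that must be replaced before the daemon is reachable by workers. The following is an added example, not part of rebuilderd or of the original page: shell functions with hypothetical names that flag those placeholders in both files. It assumes a 32-character minimum (what pwgen -1s 32 produces) and treats plain HTTP to a non-local daemon as a finding.

```shell
# Added example, not part of rebuilderd; all function names are hypothetical.
# conf_get FILE SECTION KEY: print the raw value of an uncommented `key = value`
# line in [SECTION] ("" = top level). Handles this simple TOML subset only.
conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == want && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k); if (k != key) next
            v = substr($0, i + 1); sub(/[ \t]+#.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_secret FILE SECTION KEY: return 1 and print a finding if the key is set to a
# sample placeholder or to fewer than 32 characters (assumed minimum). Unset keys pass.
check_secret() {
    s=$(conf_get "$1" "$2" "$3" | tr -d '"')
    case "$s" in
        "") return 0 ;;
        INSECURE*|*CHANGE-ME*) ;;
        *) [ "${#s}" -ge 32 ] && return 0 ;;
    esac
    echo "${2:+$2.}$3: placeholder or shorter than 32 characters"
    return 1
}

# audit_daemon FILE: checks for /etc/rebuilderd.conf; returns 1 on any finding.
audit_daemon() {
    rc=0
    set_by=$(conf_get "$1" worker signup_secret)$(conf_get "$1" worker authorized_workers)
    [ -n "$set_by" ] || { echo "worker: neither authorized_workers nor signup_secret is set"; rc=1; }
    check_secret "$1" worker signup_secret || rc=1; check_secret "$1" auth cookie || rc=1
    return $rc
}

# audit_worker FILE: checks for /etc/rebuilderd-worker.conf; returns 1 on any finding.
audit_worker() {
    rc=0
    case "$(conf_get "$1" "" endpoint | tr -d '"')" in
        http://127.0.0.1*|http://localhost*) ;;
        http://*) echo "endpoint: plain HTTP to a remote daemon"; rc=1 ;;
    esac
    check_secret "$1" "" signup_secret || rc=1
    return $rc
}

# Demo on a constructed file that mirrors the placeholder in the sample rebuilderd.conf.
demo=$(mktemp); printf '[worker]\nsignup_secret = "INSECURE"\n' > "$demo"
audit_daemon "$demo" || echo "fix the findings above before enabling rebuilderd.service"; rm -f "$demo"
```

On a real host, run audit_daemon /etc/rebuilderd.conf on the daemon and audit_worker /etc/rebuilderd-worker.conf on each worker before enabling the units.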

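Syncing packages to rebuild

By default, a rebuilder setup does nothing unless you explicitly configure where to sync packages from. Sync profiles are configured in /etc/rebuilderd-sync.conf. Profile names should be unique. You can use the maintainer option to configure a profile to build only the packages of specific maintainers. By default, packages of all maintainers are imported.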

## rebuild all of core
[profile."archlinux-core"]
distro = "archlinux"
suite = "core"
architecture = "x86_64"
source = "https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch"

## rebuild extra packages of specific maintainers, or whitelist packages by name.
## If no filter is set, all packages are imported, if both filters are set the package only
## has to match one of them to be included.
#[profile."archlinux-extra"]
#distro = "archlinux"
#suite = "extra"
#architecture = "x86_64"
#source = "https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch"
#maintainers = ["somebody"]
#pkgs = ["some-pkg", "python-*"]
#excludes = ["tensorflow*"]

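Afterwards, you can enable rebuilderd-sync@archlinux-core.timer to sync the profile automatically.

Ansible playbook

An Ansible playbook with a rebuilderd role can be found in Arch Linux's infrastructure repository. Use it as inspiration, since the Ansible repository depends heavily on how the Arch Linux infrastructure is set up.

Tips and tricks

Requeue failed builds

Since rebuilderd 0.5.0, failed builds are retried automatically with a gradually increasing delay. You can retry packages immediately with the following command: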

# rebuildctl pkgs requeue --suite core --status BAD

In older versions, you had to use this command to add all failed builds to the queue again:

# rebuildctl pkgs ls --distro archlinux --suite core --status BAD --json | jq -r '.[].name' | xargs -L1 rebuildctl queue push archlinux core

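Removing a suite after syncing

Currently, rebuildctl cannot remove an entire suite once it has been synced. However, this can be achieved by setting a filter that matches no packages before removing the sync profile. For example, adding the following maintainer filter effectively removes the core suite from rebuilderd.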

[profile."archlinux-core"]
distro = "archlinux"
suite = "core"
architecture = "x86_64"
source = "https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch"
maintainers = ["nonexistent"]

Package rebuilders

Rebuilders using Rebuilderd.

| URL | Contact | Notes |
|---|---|---|
| https://reproducible.archlinux.org/ | jelle | |
| https://wolfpit.net/rebuild/ | wahrwolf | |
| https://r-b.engineering.nyu.edu/ | NYU Secure Systems Lab | |
| https://rebuilder.pitastrudl.me/ | pitastrudl | Contact on IRC Libera or by e-mail at pitastrudl@chaos.social |
| https://reproducible.crypto-lab.ch/ | Applied Cyber Security Research Lab (HSLU) | Contact iyanmv in #archlinux-reproducible |