setup-tails.md

File metadata and controls

175 lines (130 loc) · 4.29 KB

# Setting up a tails worker

Most of this is taken from the Building a Tails image instructions. This has been tested on Debian bullseye. The instructions assume they are executed by a regular user who is allowed to sudo to root without a password (otherwise the tails build wouldn't be non-interactive).

If you're running this in a VM you need to make sure you have nested virtualization set up, because the tails build itself also creates VMs.

Install required packages for tails:

```sh
sudo apt install \
    curl \
    sudo \
    dpkg-dev \
    psmisc \
    git \
    gpg \
    gpg-agent \
    rake \
    libvirt-daemon-system \
    dnsmasq-base \
    ebtables \
    faketime \
    pigz \
    qemu-system-x86 \
    qemu-utils \
    vagrant \
    vagrant-libvirt \
    vmdb2
```

## Installing

If rebuilderd isn't packaged for your operating system, you need to install rust and compile rebuilderd from source:

```sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
sudo apt install liblzma-dev pkg-config libzstd-dev libsqlite3-dev gcc
git clone https://github.com/kpcyrd/rebuilderd
cd rebuilderd
make
sudo make install
```

Note: the permissions on `contrib/confs/rebuilderd.conf` need to be set more strictly if you're planning to add secrets to this file. By default the file doesn't contain any sensitive information.

## Starting the daemon and worker

### With systemd

Start the daemon and a worker:

```sh
sudo systemctl enable --now rebuilderd rebuilderd-worker@0
```

To manage rebuilderd you need access to `/var/lib/rebuilderd/`. For now, check that everything is working correctly by running:

```sh
sudo rebuildctl status
```

This should show one worker that's currently idle.

You can add yourself to the rebuilderd group so you don't need to run rebuildctl with sudo:

```sh
sudo adduser "$(whoami)" rebuilderd
```

You need to re-login for this to work. Check it worked correctly like this:

```sh
id
rebuildctl status
```

If the output of `id` doesn't list the rebuilderd group then `rebuildctl status` is going to fail too.

### Manually

You can skip this section if you've set up rebuilderd to run with systemd.

Open a new terminal to run the rebuilderd daemon in the background. Be aware that rebuilderd creates data in the working directory:

```sh
mkdir ~/rebuilderd-data
cd ~/rebuilderd-data
rebuilderd -c /etc/rebuilderd.conf -v
```

Open another terminal and start a worker. You have to add yourself to the right groups first:

```sh
for group in kvm libvirt libvirt-qemu ; do
   sudo adduser "$(whoami)" "$group"
done
```

You need to re-login afterwards. Verify you're in the right groups:

```sh
id
```
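A preflight script that checks the prerequisites this page spells out before the worker is started: membership in the kvm, libvirt, libvirt-qemu and rebuilderd groups, nested virtualization, and password-less sudo. It is an added example, not rebuilderd project code; it assumes the kernel exposes nested virtualization as `/sys/module/kvm_intel/parameters/nested` (or `kvm_amd`), and each check takes its input as an argument so it can be exercised against constructed values.

```sh
#!/bin/sh
# Preflight checks for a rebuilderd Tails worker host (added example, not rebuilderd
# project code). Checks take their input as arguments so they can be tested offline.
# has_group NAME "GROUP LIST": succeed if the space-separated list contains NAME.
has_group() {
    for cand in $2; do
        [ "$cand" = "$1" ] && return 0
    done
    return 1
}

# missing_groups "GROUP LIST" REQUIRED...: print the required groups absent from the list.
missing_groups() {
    list="$1"; shift; missing=""
    for req in "$@"; do
        has_group "$req" "$list" || missing="$missing $req"
    done
    echo "${missing# }"
}

# nested_virt_ok VALUE: VALUE is the content of /sys/module/kvm_*/parameters/nested;
# the kernel reports Y (1 on older kernels) when nested virtualization is enabled.
nested_virt_ok() {
    case "$1" in Y|y|1) return 0 ;; *) return 1 ;; esac
}

# nested_virt_param: print the nested parameter path for the loaded KVM module.
nested_virt_param() {
    for mod in kvm_intel kvm_amd; do
        path="/sys/module/$mod/parameters/nested"
        [ -r "$path" ] && { echo "$path"; return 0; }
    done
    return 1
}

# preflight: run every check against this host; report what is missing, return 1 on failure.
preflight() {
    rc=0
    absent="$(missing_groups "$(id -Gn)" kvm libvirt libvirt-qemu rebuilderd)"
    [ -z "$absent" ] || { echo "not in groups (re-login after adduser): $absent"; rc=1; }
    if nested="$(nested_virt_param)"; then
        nested_virt_ok "$(cat "$nested")" || { echo "nested virtualization off: $nested"; rc=1; }
    else
        echo "no kvm_intel/kvm_amd module loaded"; rc=1
    fi
    # sudo -n never prompts: it fails where the non-interactive Tails build would block.
    sudo -n true 2>/dev/null || { echo "sudo asks for a password"; rc=1; }
    return $rc
}
```

Run `preflight` only after re-login: the group check reads `id -Gn` from the current session, so a stale session reports the same failure `rebuildctl status` would.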

Then run the worker. Be aware that the worker creates data in the working directory:

```sh
mkdir ~/rebuilderd-worker
cd ~/rebuilderd-worker
rebuilderd-worker connect http://127.0.0.1:8484
```

## Starting the rebuild

Import the current tails version into rebuilderd:

```sh
rebuildctl pkgs sync-profile --sync-config /etc/rebuilderd-sync.conf tails
```

Verify it worked. This should show two images in "unknown" state:

```sh
rebuildctl pkgs ls --distro tails
```

You can monitor the build queue like this; it's going to indicate when the job has started:

```sh
CLICOLOR_FORCE=1 watch -c rebuildctl queue ls --head
```

It's going to take a few moments for the worker to pick up the job. You can speed this up by restarting the worker.

If you're using systemd you can monitor the build log with journalctl:

```sh
sudo journalctl -fu rebuilderd-worker@0
```

You might need to troubleshoot the first few attempts, there's a "Known issues and workarounds" section in the Tails build instructions.

If something went wrong it's going to retry occasionally after a while. You can cause an immediate requeue like this:

```sh
rebuildctl pkgs requeue --reset --distro tails
```

If you're stuck there's an IRC channel at ircs://irc.oftc.net:6697/#reproducible-builds. You're also welcome to tell us about your instance if you got it to work!

Systemd units to do this automatically can be found in `contrib/systemd/`. Instructions on how to configure everything are currently only available in the Arch Linux wiki.