Upstream is still missing packages for now:
sudo debootstrap --arch=loong64 --variant=buildd --verbose --include=fakeroot,build-essential --components=main --keyring=/etc/apt/trusted.gpg.d/debian-ports-archive-2023.gpg --resolve-deps --extra-suites=unreleased unstable /home/buildd/build http://ftp.ports.debian.org/debian-ports
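Note the debootstrap usage here: `--extra-suites=unreleased` can be used, but for a DIY setup this part needs some hacking.
First, take a look at this wiki: https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84
You can follow the wiki; here we work backwards from it to understand the process, and I add my own real case to illustrate.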
Teacher S made an encrypted message for me named msg.asc; its content should be the signed key that Teacher S gave me.
cat msg.asc
-----BEGIN PGP MESSAGE-----
...
...
This is the encrypted message. Now the important part: we need to use the `--decrypt` option to decrypt it:
vimer@dev:~/tmp$ gpg --decrypt msg.asc
gpg: encrypted with 4096-bit RSA key, ID 66681FECEFF9AC75, created 2022-04-09
"Bo YU <[email protected]>"
...
Hi,
please find attached the user id
Bo YU <[email protected]>
of your key 954E6A70100598A2 signed by me.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.
Note that I did not upload your key to any keyservers. If you want this
new signature to be available to others, please upload it yourself.
With GnuPG this can be done using
gpg --keyserver hkp://pool.sks-keyservers.net --send-key 954E6A70100598A2
...
------------=_1689674421-10093-0
Content-Type: application/pgp-keys;
name="0x954E6A70100598A2.1.signed-by-0xxxxxxxx.asc"
Content-Disposition: attachment;
filename="0x954E6A70100598A2.1.signed-by-0xxxxxx.asc"
Content-Transfer-Encoding: 7bit
Content-Description: PGP Key 0x954E6A70100598A2, uid Bo YU <[email protected]>
(1), signed by 0xxxxxxxxxxx
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
Note that the content of this PUBLIC KEY BLOCK is the most important part. What I did was copy it out, save it to an xx.asc file, and then import it.
vimer@dev:~/tmp$ gpg --import sun.asc
gpg: key 954E6A70100598A2: 1 signature not checked due to a missing key
gpg: key 954E6A70100598A2: "Bo YU <[email protected]>" 1 new signature
gpg: Total number processed: 1
gpg: new signatures: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
vimer@dev:~/tmp$ gpg --keyserver keyserver.ubuntu.com --send-keys 100598A2
gpg: sending key 954E6A70100598A2 to hkp://keyserver.ubuntu.com
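The copy-and-import step above can be scripted; the following is an added example, not part of the original post. It assumes GnuPG 2.2.8 or later for `--show-keys`, and the function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): extract the armored key block
# from the decrypted mail instead of copying it out by hand.

# Print the PUBLIC KEY BLOCK lines found on stdin. CRs are removed first:
# MIME parts often use CRLF, and a trailing CR would stop the BEGIN/END
# lines from matching.
extract_key_blocks() {
    tr -d '\r' | awk '
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { inside = 1 }
        inside { print }
        /^-----END PGP PUBLIC KEY BLOCK-----$/   { inside = 0 }
    '
}

# Number of blocks that have both a BEGIN and an END line; 0 means the
# block was truncated and must not be imported.
count_complete_blocks() {
    awk '
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { started = 1 }
        /^-----END PGP PUBLIC KEY BLOCK-----$/   { if (started) n++; started = 0 }
        END { print n + 0 }
    '
}

# Decrypt, extract, show what the block contains, then import it.
# Usage: import_signed_uid msg.asc signed.asc   (file names are placeholders)
import_signed_uid() {
    gpg --decrypt "$1" | extract_key_blocks > "$2"
    if [ "$(count_complete_blocks < "$2")" -lt 1 ]; then
        echo "no complete key block in $1" >&2
        return 1
    fi
    gpg --show-keys "$2"    # GnuPG 2.2.8+: lists key ID and uid without importing
    gpg --import "$2"
}

# Constructed sample shaped like the decrypted mail above, with CRLF line ends.
sample=$(printf '%s\r\n' \
    'Content-Type: application/pgp-keys;' \
    'Content-Transfer-Encoding: 7bit' \
    '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
    '' \
    'bm90IGEgcmVhbCBrZXk=' \
    '-----END PGP PUBLIC KEY BLOCK-----' \
    '------------=_constructed-boundary--')

printf '%s\n' "$sample" | extract_key_blocks
```

The key ID and uid printed by `gpg --show-keys` should be your own before the import goes ahead.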
Update:
change private domain
sudo mmdebstrap --arch=riscv64 --include=fakeroot,build-essential,ca-certificates,apt-transport-https sid sid-riscv64-revyos-sbuild.tar.xz "deb [trusted=yes] ** revyos-addons main" "deb [trusted=yes] **/revyos-base sid main contrib non-free"
```bash
mkdir -p tmp/rv64-chroot
cd tmp/rv64-chroot/
sudo tar -xvf ../../sid-riscv64-revyos-sbuild.tar.xz
sudo chroot .
```
3. make image
```bash
# Adjust as needed
sudo virt-make-fs --partition=gpt --type=ext4 --size=6G tmp/rv64-chroot/ rootfs.img
qemu-system-riscv64 -nographic -machine virt -m 1.9G \
-bios /usr/lib/riscv64-linux-gnu/opensbi/generic/fw_jump.elf \
-kernel /usr/lib/u-boot/qemu-riscv64_smode/uboot.elf \
-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-device,rng=rng0 \
-append "console=ttyS0 rw root=/dev/vda1" \
-device virtio-blk-device,drive=hd0 -drive file=rootfs.img,format=raw,id=hd0 \
-device virtio-net-device,netdev=usernet -netdev user,id=usernet,hostfwd=tcp::22222-:22
```
user: root, password: riscv64
To help with fixing some debci bugs later, I am putting some of the maintainer's advice here, to come back to and reread.
---
17:16 < vimer> I know what it's like. Because I also want to know which packages can trigger system's crash.:)
17:19 < vimer> how to implement the code for monitoring purposes? I mean, I can try it but I maybe need some help
17:21 -KGB-2:#debci- autopkgtest pipeline Simon McVittie 555974 * [26 minutes and 48 seconds] failed (quicktests: success; tests-sid:
failed; tests-stable: success; test-docker: success; test-lxc: success; test-podman: success; test-schroot: success;
test-unshare: success)
17:21 < elbrus> vimer: to be honest, I don't know exactly; we use munin and the main node in our infrastructure connects to the workers to
retrieve the data (if I'm correct). The munin code on the main node would need to know how to connect via the proxy somehow
17:22 < elbrus> terceiro: your new test for the global timeout seems flaky; it has failed already three times since you merged the code
17:22 < vimer> elbrus: fair enough. thanks.
17:22 < elbrus> you know where our deploy code lives, right?
17:23 < elbrus> salsa.debian.org/ci-team/debian-ci-config/
17:23 < elbrus> https://salsa.debian.org/ci-team/debian-ci-config/
17:23 < elbrus> I *think* all munin stuff is here: https://salsa.debian.org/ci-team/debian-ci-config/-/tree/master/cookbooks/munin
17:25 < elbrus> *Probably* this needs more intelligence:
https://salsa.debian.org/ci-team/debian-ci-config/-/blob/master/cookbooks/munin/templates/hosts.conf.erb
17:25 < elbrus> to be fair, we currently also can't monitor armhf and armel
17:25 < elbrus> because they are on IP6 and our main node only has IP4
17:26 < elbrus> also there we could proxy, because they are VM's on an host that has IP4
17:29 < vimer> ok, I'll take a closer look at the code you gave me. thanks again
---
Two repos need to be built: 1 amd64 (containing fakeroot), 3 all. amd64: the approach is to first create the amd64 repo, then create a snapshot, and finally merge the snapshots.
repo amd64:
```bash
# 1
aptly repo create -architectures amd64 -comment 'for riscv32 sbuild-creatchroot' -component main -distribution sid amd64-tmp
Local repo [amd64-tmp]: for riscv32 sbuild-creatchroot successfully added. You can run ‘aptly repo add amd64-tmp …’ to add packages to repository.
# 2
aptly repo add amd64-tmp tmp/fakeroot_1.31-1.2_amd64.deb
# 3. Create a snapshot from the repo:
aptly snapshot create yubos-reboostrap-0605-amd64 from repo amd64-tmp
Snapshot yubos-reboostrap-0605-amd64 successfully created.
## You can run 'aptly publish snapshot yubos-reboostrap-0605-amd64' to publish snapshot as Debian repository.
# 4.
aptly snapshot merge yubos-reboostrap-new-20230606 yubos-reboostrap-new-20230605 yubos-reboostrap-0605-amd64
## A new snapshot must be created
# 5.
aptly publish snapshot -distribution="sid" yubos-reboostrap-new-20230606 yubos-reboostrap/20230606
// yubos-reboostrap-new-20230606 must be an already existing snapshot, i.e. the one created by the command in the previous step.
## all snapshot
## aptly publish snapshot --architectures="all" -distribution="sid" yubos-base-all yubos-reboostrap/base-all //
# 6.
ln -s /home/a/.aptly/public/yubos-reboostrap/20230606/ /srv/ftp.debian.org/root/yubos-rebootstrap-test
```
1. aptly repo create -architectures all -comment 'all for riscv32 sbuild-creatchroot' -component main -distribution sid all-tmp
```
Local repo [all-tmp]: all for riscv32 sbuild-creatchroot successfully added.
You can run 'aptly repo add all-tmp ...' to add packages to repository.
```
2. add all packages to all-tmp
3. aptly snapshot create yubos-base-all from repo all-tmp
4. aptly snapshot merge yubos-reboostrap-rv32-all-0608 yubos-reboostrap-new-20230605 yubos-base-all
5. aptly publish snapshot -distribution="sid" yubos-reboostrap-rv32-all-0608 yubos-reboostrap/20230608
6. ln -s /home/a/.aptly/public/yubos-reboostrap/20230608/ /srv/ftp.debian.org/root/yubos-rebootstrap-test
Below are some traces from that time, kept here in case they are needed some day:
1.
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=riscv32 \
--include=debian-ports-archive-keyring,ca-certificates,apt \
--make-sbuild-tarball=/srv/sid-riscv32-sbuild.tgz \
sid /tmp/chroots/sid-riscv32-sbuild/ \
http://vimer.f3322.net:63017/yubos-rebootstrap-repo/
// yubos-repo can be substituted here
2.
sudo sbuild-shell sid-riscv32-sbuild
echo "deb [trusted=yes] http://vimer.f3322.net:63017/yubos-rebootstrap-repo/ sid main" > /etc/apt/sources.list
# append, so that the first entry is not overwritten
echo "deb [trusted=yes] http://vimer.f3322.net:63017/yubos-base-all/ sid main" >> /etc/apt/sources.list
// First create amd64
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=amd64 \
--include=debian-ports-archive-keyring,ca-certificates \
--make-sbuild-tarball=/srv/sid-amd64-sbuild.tgz \
sid /tmp/chroots/sid-amd64-sbuild/ \
https://mirror.iscas.ac.cn/debian/
// Replace the rootfs
sudo mmdebstrap --arch=amd64 --variant=buildd \
--include=fakeroot,build-essential,ca-certificates,apt-transport-https,eatmydata \
sid sid-amd64-yubos-sbuild.tar.xz \
"deb [trusted=yes] http://home.revy.cn:36013/yubos-base/ sid main " \
"deb [trusted=yes] http://vimer.f3322.net:63017/yubos-base-all/ sid main"
//
sudo mv sid-amd64-yubos-sbuild.tar.xz /srv
//
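The `[trusted=yes]` option used in the commands above tells apt to treat a source as trusted even if it does not pass authentication checks, while the `aptly publish` output further down shows that aptly signs `Release`, so a published repo can instead be consumed with `signed-by`. The following added example (not part of the original notes) classifies source entries by how they are authenticated; the function name and the keyring path are illustrative.

```shell
#!/bin/sh
# Added example (not from the original notes): how is each apt source authenticated?

# Reads one-line-style source entries on stdin and prints "<status> <uri>":
#   UNVERIFIED  [trusted=yes]: used even if authentication of the Release file fails
#   PINNED      [signed-by=...]: Release must be signed by a key from that keyring
#   KEYRING     no such option: Release is checked against apt's trusted keys
classify_sources() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }    # comments, blanks
        {
            opts = ""; i = 2
            if ($2 ~ /^\[/) {                      # options may span several fields
                for (; i <= NF; i++) {
                    opts = opts " " $i
                    if ($i ~ /\]$/) break
                }
                i++
            }
            gsub(/\[/, " ", opts); gsub(/\]/, " ", opts)
            status = "KEYRING"
            if (opts ~ / signed-by=/)    status = "PINNED"
            if (opts ~ / trusted=yes /)  status = "UNVERIFIED"
            print status, $i
        }'
}

# Constructed input: repository URLs as they appear on this page;
# the option combinations and the signed-by keyring path are placeholders.
sample_sources='deb [trusted=yes] http://vimer.f3322.net:63017/yubos-base-all/ sid main
deb [arch=amd64 trusted=yes] http://home.revy.cn:36013/yubos-base/ sid main
# deb [trusted=yes] http://vimer.f3322.net:63017/yubos-rebootstrap-repo/ sid main
deb [signed-by=/usr/share/keyrings/example-archive.gpg] http://your-server/sail-for-debian/20240303/ sid main
deb http://ftp.ports.debian.org/debian-ports unstable main'

printf '%s\n' "$sample_sources" | classify_sources
```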
backup:
```bash
# aptly issue:
a@debian:~$ aptly snapshot drop yubos-reboostrap-new-20230606
Snapshot `yubos-reboostrap-new-20230606` is published currently:
* ./sid [amd64, riscv32] publishes {main: [yubos-reboostrap-new-20230606]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-reboostrap-0605-amd64'}
ERROR: unable to drop: snapshot is published
# In this case the only option is to drop `sid`
a@debian:~$ aptly publish drop sid
Removing /home/a/.aptly/public/dists...
Removing /home/a/.aptly/public/pool...
# If that is the case, it can be removed like this:
a@debian:~$ aptly publish list
Published repositories:
Published repository has been removed successfully.
```
Using aptly
https://www.cnblogs.com/cookie1026/p/17039327.html
...
sudo sbuild-createchroot --debootstrap=mmdebstrap --arch=riscv32 --include=debian-ports-archive-keyring,ca-certificates,apt --make-sbuild-tarball=/srv/sid-riscv32-sbuild.tgz sid /tmp/chroots/sid-riscv32-sbuild/ http://vimer.f3322.net:63017/yubos-rebootstrap-exp
mkdir /tmp/chroots/sid-riscv32-sbuild/
...
a@debian:~$ aptly publish drop sid yubos-reboostrap/20230614
Removing /home/a/.aptly/public/yubos-reboostrap/20230614/dists...
Removing /home/a/.aptly/public/yubos-reboostrap/20230614/pool...
Published repository has been removed successfully.
a@debian:~$ aptly snapshot list
List of snapshots:
* [yubo-base-part-all-exp]: Snapshot from local repo [all-tmp]: all for riscv32 sbuild-creatchroot
* [yubos-base-all]: Snapshot from local repo [all-tmp]: all for riscv32 sbuild-creatchroot
* [yubos-base-full-all]: Snapshot from mirror [debian-all]: https://mirror.iscas.ac.cn/debian/ sid
* [yubos-reboostrap-0608-amd64]: Snapshot from local repo [amd64-tmp]: amd64 for riscv32 sbuild-creatchroot
* [yubos-reboostrap-20230604]: Snapshot from mirror [yubos-reboostrap]: http://127.0.0.1:8000/ rebootstrap
* [yubos-reboostrap-exp-20230614]: Merged from sources: 'yubo-base-part-all-exp', 'yubos-reboostrap-rv32-0614-exp'
* [yubos-reboostrap-new-20230605]: Snapshot from local repo [yubos-rebootstrap]
* [yubos-reboostrap-rv32-0614-exp]: Snapshot from local repo [yubos-rebootstrap]
* [yubos-reboostrap-rv32-all-0608]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-base-all'
* [yubos-rebootstrap-rv32-all-amd64]: Merged from sources: 'yubos-reboostrap-rv32-all-0608', 'yubos-reboostrap-0608-amd64'
To get more information about snapshot, run `aptly snapshot show <name>`.
a@debian:~$ aptly snapshot drop yubos-reboostrap-exp-20230614
Snapshot `yubos-reboostrap-exp-20230614` has been dropped.
a@debian:~$ aptly snapshot drop yubos-reboostrap-rv32-0614-exp
Snapshot `yubos-reboostrap-rv32-0614-exp` has been dropped.
Some common aptly operations:
a@debian:~/packages/sail$ aptly repo list
List of local repos:
* [all-tmp]: all for riscv32 sbuild-creatchroot (packages: 16)
* [amd64-tmp]: amd64 for riscv32 sbuild-creatchroot (packages: 2)
* [riscv64-tmp-all]: for Debian sid ROS2 on riscv64 all packages (packages: 87)
* [riscv64-tmp]: for Debian sid ROS2 on riscv64 (packages: 1022)
* [sail-tmp]: sail for debian (packages: 36)
* [yubos-rebootstrap] (packages: 618)
a@debian:~/packages/sail$ aptly repo show sail-tmp
Name: sail-tmp
Comment: sail for debian
Default Distribution: sid
Default Component: main
Number of packages: 36
Remove a package
a@debian:~/packages/sail$ aptly repo remove sail-tmp libsail-ocaml-dev
Loading packages...
[-] libsail-ocaml-dev_0.17.1-1_amd64 removed
Add a package
aptly repo add sail-tmp package-name
aptly publishes things based on snapshots:
a@debian:~/packages/sail$ aptly snapshot create sail-for-debian-amd64-0228 from repo sail-tmp
Snapshot sail-for-debian-amd64-0228 successfully created.
You can run 'aptly publish snapshot sail-for-debian-amd64-0228' to publish snapshot as Debian repository.
The idea is to update packages in the repo and publish through a snapshot. Then let's look at which snapshots have already been published:
Publish the repo
a@debian:~/packages/sail$ aptly publish snapshot -distribution="sid" sail-for-debian-amd64-0303 sail-for-debian/20240303
Loading packages...
Generating metadata files and linking package files...
Finalizing metadata files...
Signing file 'Release' with gpg, please enter your passphrase when prompted:
Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
Snapshot sail-for-debian-amd64-0303 has been successfully published.
Please setup your webserver to serve directory '/home/a/.aptly/public' with autoindexing.
Now you can add following line to apt sources:
deb http://your-server/sail-for-debian/20240303/ sid main
Don't forget to add your GPG key to apt with apt-key.
You can also use `aptly serve` to publish your repositories over HTTP quickly.
a@debian:~/packages/sail$ aptly publish list
Published repositories:
* revyos-11-06/11-06/sid [riscv64] publishes {main: [revyos-ros2]: Merged from sources: 'revyos-ros2-11-6', 'revyos-ros2-11-6-all'}
* sail-for-debian/20240227/sid [amd64] publishes {main: [sail-for-debian-amd64-0227]: Snapshot from local repo [sail-tmp]: sail for debian}
* yubos-reboostrap/20230604/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-20230604]: Snapshot from mirror [yubos-reboostrap]: http://127.0.0.1:8000/ rebootstrap}
* yubos-reboostrap/20230605/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-new-20230605]: Snapshot from local repo [yubos-rebootstrap]}
* yubos-reboostrap/20230608/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-rv32-all-0608]: Merged from sources: 'yubos-reboostrap-new-20230605', 'yubos-base-all'}
* yubos-reboostrap/2023060801/sid [amd64, riscv32] publishes {main: [yubos-rebootstrap-rv32-all-amd64]: Merged from sources: 'yubos-reboostrap-rv32-all-0608', 'yubos-reboostrap-0608-amd64'}
* yubos-reboostrap/20230617/sid [amd64, riscv32] publishes {main: [yubos-reboostrap-exp-20230617]: Merged from sources: 'yubo-base-part-all-exp', 'yubos-reboostrap-rv32-0617-exp'}
* yubos-reboostrap/base-full-all/sid (origin: Debian) [all] publishes {main: [yubos-base-full-all]: Snapshot from mirror [debian-all]: https://mirror.iscas.ac.cn/debian/ sid}
Then `ln` the published directory to the server.
[Reposted; the source is given at the end]
sudo systemctl status fail2ban
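Two default configuration files are created: /etc/fail2ban/jail.d/defaults-debian.conf and /etc/fail2ban/jail.conf.
We do not recommend modifying these files directly, because they may be overwritten when Fail2ban is updated.
Fail2ban reads the configuration files in the following order, and each .local file overrides the settings from the .conf file: `/etc/fail2ban/jail.conf`, `/etc/fail2ban/jail.d/*.conf`, `/etc/fail2ban/jail.local`, `/etc/fail2ban/jail.d/*.local`.
The easiest way to configure Fail2ban is to copy jail.conf to jail.local and then modify the .local file. You can also build a .local configuration file from scratch.
The values of the bantime, findtime and maxretry options define the ban time and the ban conditions. bantime is how long a ban lasts. findtime is the time window in which the failures are counted before a ban is set.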
https://www.myfreax.com/install-configure-fail2ban-on-debian-10/
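To see the read order described above in action, the following added example (not from the reposted article) resolves which file a jail setting finally comes from. It is a simplified model with no `%(...)s` interpolation or multi-line values; the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added example: which file does a fail2ban jail setting really come from?
# Simplified: no %(...)s interpolation and no multi-line values.

# Files in the order fail2ban reads them; a later file overrides an earlier one.
jail_files() {
    for f in "$1/jail.conf" "$1"/jail.d/*.conf "$1/jail.local" "$1"/jail.d/*.local; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Last assignment of key $3 in section [$2] under directory $1: "value<TAB>file".
last_value() {
    jail_files "$1" | while IFS= read -r f; do
        awk -v s="$2" -v k="$3" -v f="$f" '
            /^[ \t#;]/ || !NF { next }       # comments, blanks, continuation lines
            /^\[/ { sec = $0; gsub(/^\[|\].*$/, "", sec); next }
            sec == s && (i = index($0, "=")) {
                name = substr($0, 1, i - 1); val = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == k) print val "\t" f
            }' "$f"
    done | tail -n 1
}

# A value set in the jail's own section wins; otherwise fall back to [DEFAULT].
effective_setting() {
    v=$(last_value "$1" "$2" "$3")
    [ -n "$v" ] || v=$(last_value "$1" DEFAULT "$3")
    printf '%s\n' "$v"
}

# Constructed sample tree (values are made up for the demonstration).
demo=$(mktemp -d)
mkdir "$demo/jail.d"
printf '[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n[sshd]\nport = ssh\n' > "$demo/jail.conf"
printf '[sshd]\nenabled = true\n' > "$demo/jail.d/defaults-debian.conf"
printf '[DEFAULT]\nbantime = 1h\n[sshd]\nmaxretry = 3\n' > "$demo/jail.local"

for key in enabled bantime findtime maxretry; do
    printf '%-9s %s\n' "$key" "$(effective_setting "$demo" sshd "$key")"
done
```

On a real host, pass `/etc/fail2ban` as the first argument to check that an edit in jail.local is the value that takes effect.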
One useful command is:
sudo fail2ban-client status sshd
There is a file dedicated to controlling sshd; I forgot where I found the reference.