2 files changed, 453 insertions, 10 deletions

diff --git a/continuous_integration.mdwn b/continuous_integration.mdwn
index c9ab9bd..9d9162f 100644
--- a/continuous_integration.mdwn
+++ b/continuous_integration.mdwn
@@ -3,21 +3,39 @@
 [[!meta date="2016-02-06T11:38:14Z"]]
 
 
-[[!toc]] The CI system is a jenkins
-instance on <http://ci.netsurf-browser.org/>
+[[!toc]] 
 
-The old discussion on [[Autobuilder requirements|continuous_integration/autobuilder_requirements]] —
-lists requirements for the new autobuilder.
+The CI system is a jenkins instance accessed at <http://ci.netsurf-browser.org/>
 
 ## Master
 
 The master instance is a VPS provided by Mythic beasts.
 
-A VPN between it and all the build slaves provides a network where no
-machines are publicly accessible. This is in addition to the ssh based
-tunnels used to copy data between CI nodes.
+A VPN between the master node and all the build slaves provides a
+network where no machines are publicly accessible.
 
-The Jenkins install on the master server is a snapshot release version
+The network uses OpenVPN to create a LAN which other systems
+connect. The [[virtual host server|virtual_host_server]] instances are
+all bridged to the LAN on a single openVPN link. All the physical
+nodes for Mac OS X, armhf etc. are bridged via Vincents router through
+a single openvpn link. The scaleway and other nodes connect with
+separate openvpn connections.
+
+The master node also runs a dnsmasq instance which provides name
+service and DHCP for the CI LAN. The dnsmasq config file has static
+mappings for the CI slaves DHCP responses using 192.168.211.100 for CI
+worker 0 and so on up the range to 192.168.211.130 for worker 30
+
+All virtual machines use locally administered MAC adresses in the
+0E:xx:xx:xx:x:xx prefix range.
+
+  - 0e:00:00:00:01:xx used for phoenix VM host
+  - 0e:00:00:00:02:xx used for arrch64vmhost VM host
+  - 0e:00:00:00:03:xx used for scaleway VM host
+
+In addition ssh based tunnels are used to copy data between CI nodes.
+
+The Jenkins install on the master server is a snapshot release version.
 
 ## Slave
 
@@ -25,9 +43,11 @@ The majority of the build slaves are provided by our own
 [[virtual host server|virtual_host_server]] excepting operating
 systems which cannot be virtualised (principally MAC OS X).
 
-### [[Continuous Integration Debian Jessie Setup|continuous_integration/debian_jessie_setup]]
+### [[Continuous Integration Debian 9 (Stretch) Setup|continuous_integration/debian_stretch_setup]]
+
+### [[Continuous Integration Debian 8 (Jessie) Setup|continuous_integration/debian_jessie_setup]] - Obsolete
 
-### [[Continuous Integration Debian Wheezy Setup|continuous_integration/debian_wheezy_setup]]
+### [[Continuous Integration Debian 7 (Wheezy) Setup|continuous_integration/debian_wheezy_setup]] - Obsolete
 
 ### [[Continuous Integration OpenBSD Setup|continuous_integration/openbsd_setup]]
 
@@ -38,3 +58,7 @@ systems which cannot be virtualised (principally MAC OS X).
 ### [[Continuous Integration Mac OS X Snow Leopard Setup|continuous_integration/mac_os_x_snow_leopard_setup]]
 
 ### [[Continuous Integration Mac OS X Yosemite Setup|continuous_integration/mac_os_x_yosemite_setup]]
+
+## Historical
+
+The old discussion on [[Autobuilder requirements|continuous_integration/autobuilder_requirements]] lists requirements for the new autobuilder.
diff --git a/continuous_integration/debian_stretch_setup.mdwn b/continuous_integration/debian_stretch_setup.mdwn
new file mode 100644
index 0000000..12a91cf
--- /dev/null
+++ b/continuous_integration/debian_stretch_setup.mdwn
@@ -0,0 +1,419 @@
+[[!meta title="Continuous Integration Debian Stretch Setup"]]
+[[!meta author="Kyllikki"]]
+[[!meta date="2017-05-28T12:46:14Z"]]
+
+
+[[!toc]]
+
+Debian 9 (Stretch) OS install
+------------------------------
+
+### amd64 VDS install from media
+
+[[Virtual server setup|virtual_host_server]]
+
+Install minimal system from netinst CD (attached when VDS is created on
+phoenix) Config options:
+
+-   In the "role" selection select "ssh server" and "system utilities" only.
+-   The whole disc default partitioning is fine
+-   The base user the install insists on creating should be the netsurf user.
+-   Boot loader in MBR
+
+Once installed:
+
+-   install sudo package and add netsurf user to sudo group
+-   edit /etc/default/grub
+
+`GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"`
+
+`# update-grub2`
+
+### arm64 VDS install
+
+[[ARM64 virtual server setup|virtual_host_server_arm64]]
+
+Once installed:
+
+-   create netsurf user
+-   install sudo package and add netsurf user to sudo group
+-   edit /etc/inittab comment pty 3 through 6 and uncomment serial T0
+-   enable backports
+
+`echo "deb `[`http://http.debian.net/debian`](http://http.debian.net/debian)` stretch-backports main" > /etc/apt/sources.list.d/backports.list`  
+`apt-get update`
+
+-   install updated kernel
+
+`apt-get install linux-image-4.3.0-0.bpo.1-arm64`
+
+### Banana Pi
+
+This system is a dual core ARMv7 allwinner using the armhf ABI
+
+Used the install SD media from
+[[http://www.igorpecovnik.com/2014/09/07/banana-pi-debian-sd-image/ Igor Pecovnik|http///www.igorpecovnik.com/2014/09/07/banana-pi-debian-sd-image/_igor_pecovnik]]
+
+-   unzip and write raw file to full size SD card.
+
+Once installed:
+
+-   first login as root:1234 which will need to be immediately changed
+-   use the nand-sata-install script and moved the install to sata disc.
+    The drive needs to be a clean drive with a recognised partition
+    table (DOS or GPT) and a single partition where the OS will be
+    installed.
+-   edit /etc/init.d/armhwinfo to remove the toilet dynamic MOTD banner
+-   (re)move /etc/bash.bashrc.custom as it issues a lot of unnecessary
+    commands
+-   adduser netsurf
+-   change /etc/apt/sources.list to point at a local mirror
+-   apt-get update
+-   apt-get upgrade
+-   install sudo package and add netsurf user to sudo group
+
+### Raspberry Pi 2
+
+This system is a quad core ARMv7 Broadcom using the armhf ABI
+
+Used install media from [[http://sjoerd.luon.net/posts/2015/02/debian-stretch-on-rpi2/ Sjored|http///sjoerd.luon.net/posts/2015/02/debian-stretch-on-rpi2/_sjored]]
+
+-   unpack onto micro SD card with bmap-tools
+
+`On any debian-based linux type "sudo apt-get install bmap-tools" and install it.`  
+`Then type "sudo bmaptool copy --nobmap 'yourlocation/stretch-rpi2.img' /dev/sdx" (Change yourlocation to the location of the .img file and sdx for the letter where the SD is mounted, if you don't know it type "sudo fdisk -l" and look for it).`
+
+Once installed:
+
+-   first login as root:debian which will need to be immediately changed
+-   Prevent package FLASH-KERNEL UPDATING FROM OFFICIAL REPO WITH APT
+    PINNING
+
+`'touch /etc/apt/preferences.d/flash-kernel' create a new file`  
+`'vi /etc/apt/preferences.d/flash-kernel' edit it an add the following lines to it:`  
+`Package: flash-kernel`  
+`Pin: origin repositories.collabora.co.uk`  
+`Pin-Priority: 1000`  
+`'apt-cache policy flash-kernel' check if the package is pinned`
+
+-   change /etc/apt/sources.list to point at a local mirror
+-   apt-get update
+-   apt-get upgrade
+-   adduser netsurf
+-   install sudo package and add netsurf user to sudo group
+
+### Orange Pi PC
+
+This system is a quad core ARMv7 allwinner H3 using the armhf ABI
+
+Used "mini" install media from
+[[http://www.orangepi.org/orangepibbsen/forum.php?mod=viewthread&tid=342 loboris|http///www.orangepi.org/orangepibbsen/forum.php?mod=viewthread&tid=342_loboris]]
+
+-   unpack image and write to micro SD card and configure as per loboris
+    instructions, careful installation steps are not immediately obvious
+
+Once installed:
+
+-   first login as orangepi:orangepi which will need to be immediately
+    changed
+
+`* superuser available via sudo -i`
+
+-   change /etc/apt/sources.list to point at a local mirror
+-   apt-get update
+-   apt-get upgrade
+-   alter orangepi user to netsurf by editing
+
+`/etc/group (dont forget to replace orangepi on the sudo group)`  
+`/etc/passwd`  
+`/etc/shadow`  
+`mv /home/orangepi /home/netsurf`
+
+Packaged CI worker install
+--------------------------
+
+Do a base OS install
+
+The recommended hostname for CI workers is "nsciworker17" this allows us
+to clearly identify CI worker nodes. Note historically we have used
+"cislave1" which has been objected to by several users. See
+[[changing hostname|https://wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+On master jenkins use "manage nodes" to create new node. Ensure "remote
+fs root" is set to /var/lib/jenkins add variable JENKINS\_HOME set to
+/var/lib/jenkins
+
+Note: replace arm64 with architecture name as required (armhf etc.)
+
+As superuser:
+
+-   create jenkins user
+
+`adduser --system --group --home /var/lib/jenkins/ --disabled-login jenkins`
+
+-   Add CI server repo to slave apt sources
+
+`echo "deb `[`http://ci.netsurf-browser.org/debian/`](http://ci.netsurf-browser.org/debian/)` stretch/amd64/" >> /etc/apt/sources.list.d/netsurf-browser.list`
+
+-   update repos
+
+`apt-get update`
+
+-   install ns-ci-worker package. accept the large package list and the
+    unsigned package install for gcovr and ns-ci-slave
+
+`apt-get install ns-ci-worker`
+
+-   edit /etc/default/ns-ci-worker to set the correct url and secret parameters
+-   ensure /opt is setup correctly to allow toolchains to be built on the node 
+
+`mkdir -p /opt/netsurf`  
+`chown jenkins:jenkins /opt/netsurf`
+
+-   become jenkins user
+
+`su -s/bin/bash - jenkins`
+
+-   create ssh keypair (accept defaults - no password)
+
+`ssh-keygen -t rsa -C "netsurf@nsciworker17.netsurf-browser.org"`
+
+-   copy .ssh/id\_rsa.pub from worker to jenkins master node and append
+    to /home/netsurf/.ssh/authorized\_keys
+
+`scp /home/jenkins/.ssh/id_rsa.pub netsurf@ci.netsurf-browser.org:nsciworker17_id_rsa.pub`
+
+-   exit jenkins user shell
+-   start CI worker daemon
+
+`/etc/init.d/ns-ci-worker start`
+
+
+Pbuilder setup
+--------------
+
+This allows a worker to build Debian packages. The worker should be
+installed as a normal CI worker node and then:
+
+as superuser on node:
+
+-   apt-get install pbuilder
+-   addgroup pbuilder
+-   addgroup jenkins pbuilder
+-   create /etc/sudoers.d/pbuilder
+
+`jenkins         ALL = NOPASSWD:/usr/sbin/pbuilder`
+
+-   visudo and alter Defaults
+
+`Defaults        env_reset,env_keep="DIST ARCH"`
+
+-   replace /etc/pbuilderrc
+
+`# this is your configuration file for pbuilder.`  
+`# the file in /usr/share/pbuilder/pbuilderrc is the default template.`  
+`# /etc/pbuilderrc is the one meant for overwriting defaults in`  
+`# the default template`  
+`#`  
+`# read pbuilderrc.5 document for notes on specific options.`  
+`# List of Debian suites.`  
+`DEBIAN_SUITES=("sid", "stretch", "stretch", "wheezy", "squeeze")`  
+``  
+`# List of Ubuntu suites.`  
+`UBUNTU_SUITES=("vivid" "utopic" "trusty" "saucy" "raring" "quantal" "precise" "oneiric" "natty" "lucid" "hardy")`  
+``  
+`# Mirrors to use. Update these to your preferred mirror.`  
+`DEBIAN_MIRROR="ftp.uk.debian.org"`  
+`UBUNTU_MIRROR="mirrors.kernel.org"`  
+``  
+`# set a default distribution if none is used.`  
+`: ${DIST:="$(lsb_release --short --codename)"}`  
+``  
+`# set the architecture to the host architecture if none set.`  
+`: ${ARCH:="$(dpkg --print-architecture)"}`  
+``  
+`NAME="$DIST"`  
+`if [ -n "${ARCH}" ]; then`  
+`    NAME="$NAME-$ARCH"`  
+`    DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")`  
+`fi`  
+`BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"`  
+`DISTRIBUTION="$DIST"`  
+`BUILDRESULT="/var/cache/pbuilder/$NAME/result/"`  
+`APTCACHE="/var/cache/pbuilder/$NAME/aptcache/"`  
+`BUILDPLACE="/var/cache/pbuilder/build/"`  
+``  
+`if $(echo ${DEBIAN_SUITES[@]} | grep -q $DIST); then`  
+`    # Debian configuration`  
+`    MIRRORSITE="http://$DEBIAN_MIRROR/debian/"`  
+`    COMPONENTS="main contrib non-free"`  
+`    if $(echo "$STABLE_CODENAME stable" | grep -q $DIST); then`  
+`        OTHERMIRROR="$OTHERMIRROR | deb $MIRRORSITE $STABLE_BACKPORTS_SUITE $COMPONENTS"`  
+`    fi`  
+`elif $(echo ${UBUNTU_SUITES[@]} | grep -q $DIST); then`  
+`    # Ubuntu configuration`  
+`    MIRRORSITE="http://$UBUNTU_MIRROR/ubuntu/"`  
+`    COMPONENTS="main restricted universe multiverse"`  
+`else`  
+`    echo "Unknown distribution: $DIST"`  
+`    exit 1`  
+`fi`
+
+The architecture is assumed to be the native one from
+
+`dpkg --print-architecture`
+
+This can be set by passing ARCH to pbuilder (useful for i386 maybe?)
+
+for each distribution this node will build for:
+
+-   create pbuilder result directory and set ownership permissions
+
+`mkdir -p /var/cache/pbuilder/stretch-armhf/result`  
+`chown root:pbuilder /var/cache/pbuilder/stretch-armhf/result`  
+`chmod g+w /var/cache/pbuilder/stretch-armhf/result`
+
+-   become jenkins user
+
+`su -s/bin/bash - jenkins`
+
+-   create pbuilder base for distribution
+
+`sudo DIST=stretch pbuilder create`
+
+-   if desired additional packages and config can be made to the base
+    with
+
+`sudo DIST=stretch pbuilder login --save-after-login`
+
+distcc worker node
+------------------
+
+Do a basic OS install but \*not\* a CI worker setup.
+
+A recommended hostname for distcc worker is something like "cicpu0" this
+allows us to use systems as processing node for other purposes than just
+distcc in future. See debians
+[[https://wiki.debian.org/HowTo/ChangeHostname changing hostname|https///wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+The Netsurf repository has necessary updated packages in it and can be
+accessed by doing the following:
+
+-   Add CI server repo to worker apt sources
+
+`echo "deb `[`http://ci.netsurf-browser.org/builds/debian/`](http://ci.netsurf-browser.org/builds/debian/)` stretch/amd64/" >> /etc/apt/sources.list`
+
+-   update repos
+
+`apt-get update`
+
+-   use apt to install these packages:
+
+`build-essential`  
+`gcc`  
+`clang`  
+`distcc`
+
+-   edit /etc/default/distcc
+
+`STARTDISTCC="true"`  
+`ALLOWEDNETS="192.168.211.0/24"`  
+`LISTEN="0.0.0.0"`  
+`JOBS="8"`
+
+-   start the service
+
+`service distcc start`
+
+-   ensure the client has hosts set to use the new worker
+
+Manual CI worker install
+------------------------
+
+Caution these instructions may not be up to date.
+
+### required packages
+
+The Netsurf repository has necessary updated packages in it and can be
+accessed by doing the following:
+
+-   Add CI server repo to slave apt sources
+
+`echo "deb `[`http://ci.netsurf-browser.org/builds/debian/`](http://ci.netsurf-browser.org/builds/debian/)` stretch/amd64/" >> /etc/apt/sources.list`
+
+-   update repos
+
+`apt-get update`
+
+use apt to install these packages:
+
+`openjdk-7-jre-headless `  
+`screen `  
+`build-essential`  
+`ccache`  
+`clang`  
+`git`  
+`pkg-config`  
+`check`  
+`doxygen`  
+`libjson0-dev (from our repo - needs bugfixes `[`http://ci.netsurf-browser.org/builds/debian/`](http://ci.netsurf-browser.org/builds/debian/)`)`  
+`libexpat1-dev`  
+`libxml-perl`  
+`libxml-xpath-perl`  
+`lcov`  
+`gcovr (from our repo)`  
+`gperf`  
+`flex`  
+`bison`  
+`libpng-dev`  
+`libjpeg-dev`  
+`libmozjs185-dev`  
+`libglib2.0-dev`  
+`libcurl4-openssl-dev`  
+`liblcms1-dev`  
+`libxml2-dev`  
+`librsvg2-dev`  
+`libmng-dev`  
+`libgtk2.0-dev`  
+`libmozjs-dev`
+
+### config
+
+-   on master jenkins use "manage nodes" to create new node. Ensure
+    "remote fs root" is set to /home/netsurf/jenkins
+-   create netsurf user
+-   as netsurf user:
+    -   wget <http://ci.netsurf-browser.org/jenkins/jnlpJars/slave.jar>
+    -   run screen
+    -   create jenkins-slave.sh
+
+`#!/bin/bash`  
+  
+`java -Djava.awt.headless=true -jar slave.jar -jnlpUrl `[`http://ci.netsurf-browser.org/jenkins/computer/chimera/slave-agent.jnlp`](http://ci.netsurf-browser.org/jenkins/computer/chimera/slave-agent.jnlp)` -secret 0123456789abcdef01234567890abcdef`
+
+-   -   run jenkins-slave.sh
+    -   create new screen tab
+    -   create ssh keypair (accept defaults - no password)
+
+`ssh-keygen -t rsa -C "netsurf@cislave0.netsurf-browser.org"`
+
+-   -   copy .ssh/id\_rsa.pub from slave to jenkins master node and
+        append to /home/netsurf/.ssh/authorized\_keys
+
+`scp ci.netsurf-browser.org:.ssh/id_rsa.pub .id_rsa.pub`  
+`cat id_rsa.pub >> .ssh/authorized_keys`
+
+-   -   copy .ssh/id\_rsa.pub from master node to slave and append to
+        /home/netsurf/.ssh/authorized\_keys
+    -   create reverse-ssh.sh (change tunnel port number!)
+
+`#!/bin/sh`  
+  
+`ssh -R 22224:localhost:22 netsurf@ci.netsurf-browser.org 'bash -c "while true; do echo .; sleep 60; done"'`
+
+-   -   run reverse-ssh.sh
+    -   on the master create a shell script to use the ssh tunnel
+        connection, thus firewalls etc are moot as long as the slave can
+        connect to the master
+
+`ssh netsurf@localhost -p 22223`