Could someone provide a helping hand for building a template with the qubes-builder v1 or v2?
This is my writeup of what I have tried so far:
### start a dispVM based on fedora-40-xfce
# get qubes-builderv2
git clone https://github.com/QubesOS/qubes-builderv2/
cd qubes-builderv2
less README.md
# install dependencies
sudo dnf install gnupg git createrepo rpm-build make wget rpmdevtools python3-sh dialog rpm-sign dpkg-dev debootstrap python3-pyyaml devscripts perl-Digest-MD5 perl-Digest-SHA
sudo dnf install $(cat dependencies-fedora.txt)
sudo dnf install qubes-gpg-split
# add an extra layer of complexity
sudo usermod -aG docker user
sudo systemctl start docker
sudo su user
tools/generate-container-image.sh docker fedora-39-x86_64
# instead of using the docker container you can set the executor to local
ln -s example-configs/archlinux.yml builder.yml
nano builder.yml
# get the sources
./qb template fetch
# do not succeed
ls -al artifacts/
If I do a
./qb template fetch prep build
the python-scripts break while trying to find the non-existent sources to prepare. Obviously.
Likely I’m missing just a small detail here. I also tried to build the alpine-template with builder v1 and didn’t succeed, either. So I might open a different thread for that.
Thanks for your suggestions. As there are no example-configs for debian/fedora in the qubes-builderv2 repository I tried archlinux.yml and kali.yml. Kali’s yml should be similar to a config for debian. However, both setups fail to fetch their sources.
I git cloned qubes-infrastructure-mirrors in the parent directory, read its README.md, ran the install procedures, went back to qubes-builderv2 and did a
git submodule update --init
before giving
./qb template fetch
another try. Without success. ./artifacts/sources stays empty.
# use the local executor for now
cp example-configs/qubes-os-r4.2.yml ./
cp example-configs/archlinux.yml ./
sed -i 's/type: docker/type: local/g' *.yml
sed -i 's/type: qubes/type: local/g' *.yml
# fetch prerequisites
./qb --builder-conf qubes-os-r4.2.yml -c builder-rpm -c builder-debian -c qubes-release package fetch
# fetch archlinux
./qb --builder-conf archlinux.yml -c builder-archlinux package fetch
Fetching the suggested prerequisites works. Fetching builder-archlinux gives me an error about marmarek’s public key missing. Which is in my keyring and has trust level 5.
[qb] Running stage 'fetch'
[qb.fetch.meta-packages.fetch] Using executor local:/tmp/139204932805472b59669f9/builder to run '['bash', '-c', 'cd /tmp/139204932805472b59669f9/builder&&/tmp/139204932805472b59669f9/builder/plugins/fetch/scripts/get-and-verify-source.py https://github.com/qubesos/qubes-meta-packages.git /tmp/139204932805472b59669f9/builder/meta-packages /tmp/139204932805472b59669f9/builder/keyring /tmp/139204932805472b59669f9/builder/plugins/fetch/keys --git-branch main --minimum-distinct-maintainers 1']'.
[qb.fetch.meta-packages.fetch] --> Verifying tags...
[qb.fetch.meta-packages.fetch] ERROR: CalledProcessError(1, ['git', '-c', 'gpg.program=/usr/bin/gpg-sq', '-c', 'gpg.minTrustLevel=fully', 'verify-tag', '--raw', '--', 'e668e776cc837a7e02a1a3dd6728559cc510ffcf']); stderr: [GNUPG:] NEWSIG
[qb.fetch.meta-packages.fetch] [GNUPG:] ERRSIG 063938BA42CFA724 1 8 00 1716690838 9 0064428F455451B3EBE78A7F063938BA42CFA724
[qb.fetch.meta-packages.fetch] [GNUPG:] NO_PUBKEY 063938BA42CFA724
[qb.fetch.meta-packages.fetch]
[qb.fetch.meta-packages.fetch] ---> Invalid tag e668e776cc837a7e02a1a3dd6728559cc510ffcf.
[qb.fetch.meta-packages.fetch] Not enough distinct tag signatures. Found 0, mandatory minimum is 1.
[qb] An error occurred: Failed to run
gpg-sq is available in my disposable qube. However, either the pubkey or gpg-sq seem to be missing in the build environment.
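To read a failure like the one above without scanning the raw output, the following added example (not part of the original posts and not qubes-builderv2 code) parses the GnuPG status lines in a `qb` fetch log and reports, per component, which signing-key fingerprints the tag verification could not find. The function name `missing_signers` and the abridged sample log are assumptions made for illustration; it expects `ERRSIG` to precede `NO_PUBKEY`, as in the log above.

```python
import re
from collections import defaultdict

# Constructed sample: abridged copy of the failing lines from the qb log above.
SAMPLE_LOG = """\
[qb.fetch.meta-packages.fetch] --> Verifying tags...
[qb.fetch.meta-packages.fetch] ERROR: CalledProcessError(1, ['git', 'verify-tag', '--raw']); stderr: [GNUPG:] NEWSIG
[qb.fetch.meta-packages.fetch] [GNUPG:] ERRSIG 063938BA42CFA724 1 8 00 1716690838 9 0064428F455451B3EBE78A7F063938BA42CFA724
[qb.fetch.meta-packages.fetch] [GNUPG:] NO_PUBKEY 063938BA42CFA724
[qb.fetch.meta-packages.fetch] ---> Invalid tag e668e776cc837a7e02a1a3dd6728559cc510ffcf.
[qb.fetch.meta-packages.fetch] Not enough distinct tag signatures. Found 0, mandatory minimum is 1.
"""

PREFIX = re.compile(r"^\[qb\.fetch\.(?P<component>[^\]]+)\.fetch\]\s?(?P<rest>.*)$")
# GnuPG status line: ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr>
ERRSIG = re.compile(r"\[GNUPG:\] ERRSIG (\w+) \d+ \d+ \w+ \d+ (\d+)(?: (\w+))?")
NO_PUBKEY = re.compile(r"\[GNUPG:\] NO_PUBKEY (\w+)")
SHORTFALL = re.compile(r"Found (\d+), mandatory minimum is (\d+)")
RC_MISSING_PUBKEY = "9"  # ERRSIG reason code for "missing public key"


def missing_signers(log_text):
    """Map component -> fingerprints (or key IDs) of signers gpg could not find."""
    report = defaultdict(lambda: {"missing": set(), "found": None, "required": None})
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        entry, rest = report[m["component"]], m["rest"]
        if (e := ERRSIG.search(rest)) and e[2] == RC_MISSING_PUBKEY:
            entry["missing"].add(e[3] or e[1])  # prefer the full fingerprint
        elif n := NO_PUBKEY.search(rest):
            # Keep the long key ID only if no full fingerprint already covers it.
            if not any(f.endswith(n[1]) for f in entry["missing"]):
                entry["missing"].add(n[1])
        if s := SHORTFALL.search(rest):
            entry["found"], entry["required"] = int(s[1]), int(s[2])
    return {c: e for c, e in report.items() if e["missing"]}


if __name__ == "__main__":
    for component, info in missing_signers(SAMPLE_LOG).items():
        print(component, sorted(info["missing"]), info["found"], info["required"])
```

A reported fingerprint should be compared against the maintainer's published key before it is trusted for verification.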
# use the docker executor for now
cp example-configs/archlinux.yml ./
sed -i 's/type: qubes/type: docker/g' *.yml
# add maintainer's public key to archlinux.yml
sed -i '5i\ maintainers:\n # marmarek\n - '"'"'0064428F455451B3EBE78A7F063938BA42CFA724'"'"'' archlinux.yml
After adding marmarek’s public key fingerprint to archlinux.yml the build process runs through quite far.
And then the script errors out because it is missing qubes-vm-dependencies.
One of the reasons why I like to use Arch is its simple and transparent architecture.
I like and use a lot ArchLinux, no need to convince me. But in the qubes-builder context, Debian and Fedora are massively used, so I (simply) think their build processes are much more stable.
As soon as I find enough time I will get this working. At least I have identified the next missing lines in the archlinux.yml. If those are the last missing pieces I’m confident to get the build process through.
When I get it running I will publish a complete writeup in the community guide section.
AlpineLinux is very intriguing also. To build that template might be less or might be more challenging. We’ll see.
[qb] An error occurred: archlinux: Failed to prepare template.
[qb]
Traceback (most recent call last):
  File "/home/user/qubes-builderv2/qubesbuilder/plugins/template/__init__.py", line 612, in run
    executor.run(
  File "/home/user/qubes-builderv2/qubesbuilder/executors/container.py", line 238, in run
    raise ExecutorError(msg)
qubesbuilder.executors.ExecutorError: Failed to run 'sudo mkdir -p -- /builder /builder/build /builder/plugins /builder/distfiles&&sudo chown -R -- user:user /builder&&make -C /builder/plugins/template prepare build-rootimg' (status=2).
The above exception was the direct cause of the following exception:
qubes-vm-dependencies, qubes-vm-recommended and qubes-vm-repo are not present in ./artifacts/sources/ and are mentioned in neither example-configs nor tests.
Yes, yes, very cool. I haven’t used the qubes-builder v1 for quite some time, but remember having similar problems. Before proceeding I would like to determine if the configs are missing stuff (like marmarek’s public key) or I am missing preparation steps.