On Fri, May 15, 2015 at 09:11:47AM -0400, RD Thrush wrote:
> > - you should set up a build user on every host that wants to build things.
> > That build user does NOT need sudo rights. It does NOT need network access.
>
> The build_user needs more than default limits (I saw "unable to fork" in the
> build logs). I use a class (w/ probably overly generous limits) for this
> user, ie:
> dpb:\
>     :datasize-cur=7600M:\
>     :datasize-max=infinity:\
>     :stacksize-max=64M:\
>     :stacksize-cur=16M:\
>     :maxproc-max=1024:\
>     :maxproc-cur=512:\
>     :openfiles-max=2048:\
>     :openfiles-cur=1088:\
>     :ignorenologin:\
>     :requirehome@:\
>     :tc=default:

I'm not at all sure changing rights will change class as well...
It's probably best if the defaults for root are accurate :(

I have a second possibility, which is to set up the build users as chrooted
directly, so that they will end up in the right directory. Of course, we
still need root->root ssh, but the build users could be slightly "simpler".

I have no solution for local host... would be cool if we had a kind of
mechanism to handle login caps in perl, or as a system utility...

> > dpb itself creates some shared directories. It does so as root and changes
> > ownership accordingly. In case of NFS setups where root does not have all
> > access, set DROPPRIV=1 in your hosts file.
>
> I didn't see this in dpb(1) so haven't been using it. I believe root has
> full access to the shared NFS resource, ie.:
> x6v64:build/packages 86>sudo su -l root
> x6v64:/root 11#mount | grep nas3/work
> nas3:/work on /nas3/work type nfs (nodev, nosuid, v3, udp, timeo=100,
> retrans=101)
> x6v64:/root 12#ls -l /nas3/work/OpenBSD/packages/amd64

Yeah, it's not documented, as well as DIRMODE, because I'm not 100% sure
I don't want to make this per-user.

In any case, I'm aware of some cluster setups where some directories are
obtained thru NFS client on the master dpb host, and where it would be
better to not maproot to distant root...

That's the exact situation this is supposed to address...
