Freedombone


Continuous Integration system


What follows are instructions for how to set up a Rock64 ARM board to do continuous builds of Freedombone images. At present this only works for ARM images, since some Debian packages are only available for x86.

Why Rock64?

It's cheap. It has a reasonably powerful CPU which isn't vulnerable to Spectre. You can get a version of it with 4GB RAM.

The downside is that, like all 64-bit ARM boards currently, it has proprietary boot blobs (see Rockchip firmware). There isn't really any escaping from that at present. This system won't be especially security sensitive since it won't contain any personal data and will usually only be available within the local network.

Having a fairly powerful CPU means that it can build multi-gigabyte images within a reasonable amount of time, rather than taking days as it would on slower systems. And being an ARM board electrical power consumption is still low, so it's not going to put much of a ding in anyone's solarpunk energy budget.

Inventory

The hardware you'll need is:

  • Rock64 (preferably not the Pro version which is Spectre vulnerable)
  • SSD
  • USB3 to SATA adaptor
  • 5V 2-3A mains power supply with 3.5mm barrel plug
  • Cat5/6 ethernet patch cable

A 64GB SSD is about the smallest you can get away with if you want to build all of the images. If you just want to build one or two images then you could go lower than that.

In the image below there's also an Atheros wifi dongle plugged in, but you don't need that for this system.

rock64_ssd.jpg

Setup of image

Download the SPI flash utility and copy it to a microSD card, replacing /dev/sdX with the drive corresponding to the microSD.

wget https://github.com/ayufan-rock64/linux-u-boot/releases/download/2017.09-rockchip-ayufan-1033-gdf02018479/u-boot-flash-spi-rock64.img.xz
unxz u-boot-flash-spi-rock64.img.xz
sudo dd bs=1M if=u-boot-flash-spi-rock64.img of=/dev/sdX conv=fdatasync,sync,noerror

Now you will need to obtain the Debian stretch image for the Rock64 and copy it to the SSD. There are various ways to do this. If you have a desktop machine you can connect the SSD that way, or you can use the USB to SATA adaptor with a laptop. Replace /dev/sdX with the drive for the SSD.

image_version='0.7.11'
image_build_version=1075
wget https://github.com/ayufan-rock64/linux-build/releases/download/$image_version/stretch-minimal-rock64-$image_version-$image_build_version-arm64.img.xz
unxz stretch-minimal-rock64-$image_version-$image_build_version-arm64.img.xz
sudo dd bs=1M if=stretch-minimal-rock64-$image_version-$image_build_version-arm64.img of=/dev/sdX conv=fdatasync,sync,noerror

Plug the microSD card into the Rock64.

Connect the SSD via the adaptor and plug it into the USB3 socket.

Connect the Rock64 to your internet router using the ethernet cable.

Plug in the power lead.

You will notice the white LED blink off and then on again for one second.

Now the SPI has been flashed. Unplug the power and remove the microSD card.

Reconnect the power. The board should now boot from the SSD.

From another system, maybe your laptop, log in with:

ssh rock64@rock64

or if that doesn't work try:

ssh rock64@rock64.local

username: rock64 password: rock64

Then change the password:

passwd

Set an ssh key to log in with, which is more secure than using a password:

mkdir ~/.ssh
nano ~/.ssh/authorized_keys

Paste in your ssh public key and save.

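Then disable password logins. This is a server-side setting, so it goes in the sshd configuration (sshd_config) rather than the client configuration (ssh_config).

sudo su
nano /etc/ssh/sshd_config

Uncomment and set:

X11Forwarding no
PasswordAuthentication no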

Now update the system:

apt-get update
apt-get upgrade

Install the basic packages you'll need. Possibly you might want vim instead of emacs, or just stick with nano.

apt-get install git build-essential nginx python-xmpp emacs man unattended-upgrades xz-utils apt-listchanges

To avoid possible attacks where the adversary knows the default ssh host keys, regenerate them as follows:

rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
systemctl restart ssh
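
The SSH hardening steps above can be checked afterwards. The following shell script is an added example, not part of Freedombone; its function names (sshd_setting, weak_moduli, audit_ssh) and sample files are constructed for illustration. It reads the server-side settings from an sshd configuration and counts moduli of 2000 bits or less.

```shell
#!/bin/sh
# Added example: audit the SSH hardening steps. Names and data are constructed.

# Print the effective global value of an sshd keyword from a config on stdin.
# sshd keeps the first value it sees for a keyword; keywords ignore case.
# $1 = keyword, $2 = OpenSSH default used when the keyword is absent.
sshd_setting() {
    awk -v key="$1" -v dflt="$2" '
        BEGIN { key = tolower(key); val = dflt }
        /^[ \t]*#/ { next }                     # comment line
        { sub(/=/, " ") }                       # allow Keyword=value
        NF == 0 { next }
        tolower($1) == "match" { exit }         # only global settings
        tolower($1) == key { val = tolower($2); exit }
        END { print val }'
}

# Count moduli whose size field (column 5) is 2000 or less.
weak_moduli() {
    awk '!/^[ \t]*#/ && NF >= 7 && $5 <= 2000 { n++ } END { print n + 0 }' "$1"
}

# Return 0 only if password logins and X11 forwarding are off and no small
# moduli remain. $1 = sshd config file, $2 = moduli file.
audit_ssh() {
    rc=0
    [ "$(sshd_setting PasswordAuthentication yes < "$1")" = no ] ||
        { echo "FAIL: password logins enabled"; rc=1; }
    [ "$(sshd_setting X11Forwarding no < "$1")" = no ] ||
        { echo "FAIL: X11 forwarding enabled"; rc=1; }
    [ "$(weak_moduli "$2")" -eq 0 ] ||
        { echo "FAIL: moduli of 2000 bits or less present"; rc=1; }
    return "$rc"
}

# Constructed sample files (not from a real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#PasswordAuthentication yes\nX11Forwarding yes\n' > "$tmp/sshd_before"
printf 'PasswordAuthentication no\nX11Forwarding no\n' > "$tmp/sshd_after"
cat > "$tmp/moduli_before" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180101000000 2 6 100 1535 5 F1C2A3
20180101000001 2 6 100 2047 2 E9B3C4
20180101000002 2 6 100 4095 2 D4A5B6
EOF
awk '$5 > 2000' "$tmp/moduli_before" > "$tmp/moduli_after"   # the page's filter

audit_ssh "$tmp/sshd_before" "$tmp/moduli_before" || echo "before: not hardened"
audit_ssh "$tmp/sshd_after" "$tmp/moduli_after" && echo "after: hardened"
```

On the board itself, the output of sudo sshd -T (the configuration sshd actually resolved) can be piped into sshd_setting in place of a file.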

Set your time zone:

dpkg-reconfigure tzdata

Then reboot

reboot

Install Freedombone build tools

Log back in with:

ssh rock64@rock64

or

ssh rock64@rock64.local

Prepare your system to make Freedombone images:

cd ~/
git clone https://code.freedombone.net/bashrc/freedombone
cd ~/freedombone
git checkout stretch
sudo make install
freedombone-image --setup debian

Set up the CI system

If you just want to test the system with a single build then run:

sudo freedombone-ci setuptest

Otherwise to install the full build system:

sudo freedombone-ci setup

To view build results in a non-Tor browser navigate to http://rock64 or http://rock64.local. Selecting the icon on the left side of the page will go to the downloads section so that you can download images.

If you later need to remove the CI system:

sudo freedombone-ci remove