FreeBSD Network Setup: How To Set Up Buildbot on FreeBSD
Published: 2019-05-11

The author selected the to receive a donation as part of the program.

Introduction

Buildbot is a job scheduling system commonly used for the purpose of continuous integration (CI). CI is a software development practice that typically comprises automatically building and testing your software on a regular basis and for every change. While it’s commonly used as a CI platform, Buildbot can also be used for any automated task that runs on a computer. Buildbot’s task execution configuration includes four components:

  • Change sources: these detect changes – such as those in a Git repository – and notify schedulers about them

  • Schedulers: schedulers trigger builders according to incoming changes

  • Builders: these contain the actual build steps, such as compilation of a software project

  • Reporters: reporters use the build results to send failure emails or other notifications

Buildbot functions through at least one Buildbot master which runs and checks all build configuration and other settings, and distributes the actual builds to its workers. Additionally, the master offers a browser-based user interface subcomponent which, if enabled, is used to trigger or view builds and check status reports and other settings. There are also one or more Buildbot workers which connect to the master and receive commands, namely to run builds.

In this guide, you will use FreeBSD jails to install and run each Buildbot component in a separate, isolated environment. You’ll then serve Buildbot using the Nginx web server and access its web interface using a web browser on your local machine. After completing this guide, you will have a working setup with a sample project build, ready to extend for your own CI or other use cases.

Prerequisites

Before you begin this guide, you will need:

  • A server running FreeBSD 11.2, although newer and older supported versions of FreeBSD should work as well. If you’re new to working with FreeBSD, you may find it helpful to customize this server by following our guide on .

  • Nginx installed on your server. Read how to set this up by following our guide on .

If you want to host the Buildbot web interface using secure HTTPS, you’ll also need the following:

  • A registered domain name that you own and control. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).

  • A DNS A Record that points your domain to the public IP address of your server. This is required because of how Let’s Encrypt validates that you own the domain it’s issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. You can follow for details on how to add this. Throughout this tutorial, we will use example.com as an example domain name.

  • An SSL/TLS certificate for your domain. Follow to set this up.

Step 1 – Setting up Jails for the Buildbot Master and Worker

Because Buildbot allows external contributors to run code on your system, it’s recommended that you isolate its various components to prevent arbitrary or malicious code from taking up your server’s resources. In this tutorial, you will do this using FreeBSD jails.

Similar to LXC, Docker, and other container mechanisms, FreeBSD jails offer lightweight isolation from the host system. Processes running inside a jail can only access the resources to which the jail was already granted access; otherwise, they behave like any other FreeBSD environment. Jails share the same kernel but typically run on a filesystem that has a copy of the FreeBSD base system, which may be any version of FreeBSD compatible with the host kernel. For most workloads, performance differences between running a task on the host versus in a jail are not noticeable.

Several external software packages exist to help with the creation and management of FreeBSD jails. Since none of them are the de facto standard, we will use the operating system’s built-in .

First, we want to create a separate network interface for the system’s jails. In jails, the kernel rewrites network connections to the first IPv4/IPv6 address assigned to the jail. For example, if the first assigned IP address is public and a service in the jail listens on 127.0.0.1:1234, port 1234 will be publicly accessible. The is to have a separate network interface for jails. We will follow this recommendation of cloning the primary loopback interface (lo0) into a separate interface (lo1). We’ll use the network 10.0.0.0/24, but any other non-overlapping network will work as well.

Begin by configuring a cloned interface to be created on boot. This sysrc command writes a rule to the /etc/rc.conf file but doesn’t create the interface itself:

  • sudo sysrc cloned_interfaces+=lo1

Next, create the network interface with the following command:

  • sudo service netif cloneup

You can check the interface state and IP with:

  • ifconfig lo1

Output
lo1: flags=8008 metric 0 mtu 16384
    options=600003
    nd6 options=21
    groups: lo

The output shows that the interface exists, but has no IP addresses listed and attached to it yet. Its flag LOOPBACK means that this interface is only available locally and does not represent an actual hardware device.

Next, open up a new configuration file for the master jail using your preferred editor. Here, we will use ee:

  • sudo ee /etc/jail.buildbot-master.conf

Then add the following content to the file, which will configure a master jail named buildbot-master:

/etc/jail.buildbot-master.conf
buildbot-master {
    host.hostname = buildbot-master.localdomain;
    ip4.addr = "lo1|10.0.0.2/24";
    path = "/usr/jails/buildbot-master";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs; # need /dev/*random for Python
    persist;
}

This code assigns a fixed hostname and IP address on the jail network interface, 10.0.0.2, and specifies the root filesystem, /usr/jails/buildbot-master. The exec.start and exec.stop values used here declare that the jail’s start and stop services will behave like boot processes and use the startup and shutdown scripts found in the /etc/ directory. The persist option lets the jail keep running even if all of its processes are finished.

To learn more about possible master jail settings, check out the manpage.

After adding this content, save and exit the editor. If you’re using ee, do this by pressing CTRL+C, typing exit, and pressing ENTER.

The configuration file for the master jail is separate from the global jail configuration file, /etc/jail.conf. Because of this, you will need to add the name of the master jail to the list of known jails:

  • sudo sysrc "jail_list+=buildbot-master"

Then enable any jails listed in jail_list to start automatically on boot:

  • sudo sysrc jail_enable=YES

If you already have jails on your system configured with the /etc/jail.conf global file but you haven’t used jail_list before, enabling this setting will mean that only the jails in jail_list will auto-start and you may want to add your existing jails to the list.

Note: If you use the ZFS filesystem, it’s recommended that you create a separate dataset for the jail’s files in order to easily back up, clone, or destroy it later. The following commands assume your zpool to have the standard name zroot. If you aren’t sure of the name of your zpool, you can find it with the following command:

  • zpool list

First, create the parent dataset for all jails:

  • sudo zfs create zroot/usr/jails

Next, create the master jail’s dataset:

  • sudo zfs create zroot/usr/jails/buildbot-master

Next, we will create the master jail’s root directory and extract the FreeBSD system.

Ensure the jail’s root filesystem directory exists. If you ran the ZFS commands in the previous note, then this has already been done and you can skip this command:

  • sudo mkdir -p /usr/jails/buildbot-master

Then download a FreeBSD 11.2 base system archive. We first install root certificates to trust the download server:

  • sudo pkg install ca_root_nss

This command will prompt you to approve installation of the ca_root_nss package. Do so by pressing y and then ENTER.

Next, download the archive:

  • fetch -o /tmp/base.txz "https://download.freebsd.org/ftp/releases/amd64/11.2-RELEASE/base.txz"

Extract the contents of this file as the jail’s root filesystem:

  • sudo tar -x -f /tmp/base.txz -C /usr/jails/buildbot-master

This guide describes the process of installing exactly one worker – also contained in a jail – and you will configure it in the same way as you did the master, reusing the base system that you just downloaded. Open up another new configuration file for the worker jail using the ee command:

  • sudo ee /etc/jail.buildbot-worker0.conf

Add the following content to this file:

/etc/jail.buildbot-worker0.conf
buildbot-worker0 {
    host.hostname = buildbot-worker0.localdomain;
    ip4.addr = "lo1|10.0.0.3/24";
    path = "/usr/jails/buildbot-worker0";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs; # need /dev/*random for Python
    persist;
}

Looking at these lines, notice how the worker jail has a different hostname, IP, and root filesystem directory from the master. Save and close this file.
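
The following check is an added example, not part of the original tutorial: it audits jail.conf-style text for the first-address behaviour described earlier in this step, flagging any jail whose first ip4.addr is publicly routable or is not bound to the jail interface. The function name, the verdict labels and the demo-public jail are assumptions made for illustration, and the parser assumes one parameter per line, as in the two files above.

```sh
#!/bin/sh
# Added example: audit jail.conf-style text for the "first address" pitfall.
# Usage: audit_jail_addrs [jail_interface] < config
# Prints "<jail> <interface> <first address> <verdict>" per jail and
# returns non-zero if any jail is flagged.

audit_jail_addrs() {
    awk -v want_if="${1:-lo1}" '
    # RFC 1918 and loopback ranges count as not publicly routable.
    function is_private(ip,    o) {
        if (split(ip, o, ".") != 4) return 0
        return (o[1] == 10 || o[1] == 127 ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                (o[1] == 192 && o[2] == 168))
    }
    function report(verdict) {
        print jail, iface, addr, verdict
        if (verdict != "OK") bad = 1
    }
    { sub(/#.*/, "") }                          # drop "#" comments
    /^[ \t]*[A-Za-z0-9_.-]+[ \t]*[{]/ {         # "name {" opens a jail block
        jail = $0
        sub(/^[ \t]*/, "", jail); sub(/[ \t]*[{].*/, "", jail)
        seen = 0
    }
    # Only the first ip4.addr entry matters: loopback traffic inside the
    # jail is rewritten to that address.
    jail != "" && !seen && match($0, /ip4[.]addr[ \t]*[+]?=[ \t]*"?[^";,]+/) {
        val = substr($0, RSTART, RLENGTH)
        sub(/^ip4[.]addr[ \t]*[+]?=[ \t]*"?/, "", val)
        gsub(/[ \t]/, "", val)
        iface = "-"; addr = val
        if ((bar = index(val, "|")) > 0) {
            iface = substr(val, 1, bar - 1); addr = substr(val, bar + 1)
        }
        sub(/\/.*/, "", addr)                   # strip "/prefixlen"
        seen = 1
        if (!is_private(addr)) { report("PUBLIC-FIRST-ADDR") }
        else if (iface != want_if) { report("NOT-ON-JAIL-IF") }
        else { report("OK") }
    }
    jail != "" && /[}]/ {                       # end of the jail block
        if (!seen) { iface = "-"; addr = "-"; report("NO-IP4-ADDR") }
        jail = ""
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the two jails from this guide plus one deliberately
# misconfigured jail (demo-public; 203.0.113.10 is a documentation address).
sample_jail_conf() {
    cat <<'EOF'
buildbot-master {
    host.hostname = buildbot-master.localdomain;
    ip4.addr = "lo1|10.0.0.2/24";
    path = "/usr/jails/buildbot-master";
    mount.devfs; # need /dev/*random for Python
    persist;
}
buildbot-worker0 {
    ip4.addr = "lo1|10.0.0.3/24";
    path = "/usr/jails/buildbot-worker0";
}
demo-public {
    ip4.addr = "vtnet0|203.0.113.10/32";
    ip4.addr += "lo1|10.0.0.4/24";
    path = "/usr/jails/demo-public";
}
EOF
}

sample_jail_conf | audit_jail_addrs lo1 || echo "review the flagged jails"
```

On a host, pipe the real jail configuration files into the function instead of the sample.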

Again, because we are using a separate jail configuration file instead of the global /etc/jail.conf, add the name to the list of known jails:

  • sudo sysrc "jail_list+=buildbot-worker0"

Note: As with the master jail, if you use the ZFS filesystem it’s recommended that you create a separate dataset for the worker jail’s files. Again, the following command creates the worker jail’s dataset and assumes your zpool to have the standard name zroot:

  • sudo zfs create zroot/usr/jails/buildbot-worker0

Extract the already-downloaded FreeBSD 11.2 base system as you did for the master:

  • sudo mkdir /usr/jails/buildbot-worker0

  • sudo tar -x -f /tmp/base.txz -C /usr/jails/buildbot-worker0

At this point, both jails are configured and contain a FreeBSD base system with no extra packages installed. Let’s start the jails:

  • sudo service jail start

Check whether the startup was successful by listing all the running jails on the system with the following command:

  • jls

This will return an output similar to the following that shows the jails currently running on your server:

Output
JID  IP Address  Hostname                      Path
1    10.0.0.2    buildbot-master.localdomain   /usr/jails/buildbot-master
2    10.0.0.3    buildbot-worker0.localdomain  /usr/jails/buildbot-worker0

This confirms that the jails are running as expected. At this point, however, they have no access to the internet, which means you won’t be able to install the Buildbot packages within them. Continue reading to resolve this.

Step 2 – Setting up Internet Access for the Jails

Although the master and worker jails are running, both of them are closed off from the internet. Opening them up to the internet is necessary, as they must be able to install packages as well as communicate with one another.

To resolve this, copy the host’s DNS resolver configuration to both of the jails:

  • sudo cp /etc/resolv.conf /usr/jails/buildbot-master/etc/resolv.conf

  • sudo cp /etc/resolv.conf /usr/jails/buildbot-worker0/etc/resolv.conf

Next, route the outgoing internet traffic from the jail. To do this, use IPFW – FreeBSD’s built-in firewall – to set up NAT (network address translation) networking rules. When you complete this step, traffic going out of the jail network will be translated to the public IP address of your host.

If you followed the from the prerequisites, you will already have the firewall configured to allow access to your web server. In that case, some of the below steps will be redundant but there’s no harm in running through them again.

Warning: Performing erroneous changes to your firewall configuration can render the remote host inaccessible over SSH, so it’s important to ensure that you have an alternative method you can use to log into the machine. For example, if you’re using a server obtained from DigitalOcean, you can access it through the feature.

To enable access through this feature, set a root password with the following command:

  • sudo passwd

Alternatively, you can set a password for your current user by typing:

  • passwd

Include the predefined workstation firewall rules in your rc.conf file with the following command. The workstation rules protect the server but still allow basic services through, such as pinging the host or Dynamic Host Configuration Protocol:

  • sudo sysrc firewall_type="workstation"

Next, allow access to the web server ports from the outside world. The following command allows traffic over port 22, for SSH; port 80, allowing Buildbot to be served over HTTP; and port 443, allowing Buildbot to be served over HTTPS. If you’ve secured your server with Let’s Encrypt, then all three of these ports are necessary, but if you haven’t and don’t plan to do so, then you can exclude port 443:

  • sudo sysrc firewall_myservices="22/tcp 80/tcp 443/tcp"

Allow access from any IP address to the ports specified in the firewall_myservices directive:

  • sudo sysrc firewall_allowservices="any"

Configure the firewall to start at boot:

  • sudo sysrc firewall_enable=YES

Then start the firewall with basic rules. The following nohup command avoids interruption of the firewall start, and also redirects both stderr and stdout to a temporary log file. This is important so as not to leave firewall rules in an inconsistent state, which can potentially leave your remote host inaccessible over SSH:

  • sudo nohup service ipfw start >/tmp/ipfw.log 2>&1

If you’re using either the csh or tcsh shells, this redirect will cause the message Ambiguous output redirect. to appear in your output. If you’re using either of these shells, run the following instead to start ipfw:

  • sudo nohup service ipfw start >&/tmp/ipfw.log

At this point, the firewall service will start and begin protecting the host from connections to unsecured ports.

Note: If something went wrong or you used a different firewall type, the firewall may not yet know the state of your SSH connection, causing your connection to the server to stall. You can find out by typing something into the shell. During a stalled connection, the characters won’t be printed on the remote side. If this is the case, you can either wait until SSH notices the timeout, or drop out of the hanging terminal by pressing these keys one after another: ENTER, ~, .

After your SSH connection is closed, reconnect to your server from your local machine:

  • ssh freebsd@your_server_ip

If the SSH connection can’t be reestablished, you will need to connect to it using an alternative method. If, for example, you’re using a DigitalOcean Droplet, you could use its feature to log in as your root user with the password you set previously.

Once you’ve regained access, deactivate the firewall:

  • sudo service ipfw stop

With the firewall stopped, you’ll be free to debug the problem.

Next, you need to determine the network interface of the host which connects to the internet. Find this by running:

  • ifconfig

This command may output a couple of different interfaces. The one used by the host to connect to the internet is the one that includes your server’s public IP address. To illustrate, the following example output shows that vtnet0 is the network interface used by the host:

Output
vtnet0: flags=8843 metric 0 mtu 1500
    options=6c07bb
    ether 9a:3e:fa:2a:5f:56
    hwaddr 9a:3e:fa:2a:5f:56
    inet6 fe80::983e:faff:fe2a:5f56%vtnet0 prefixlen 64 scopeid 0x1
    inet public_server_ip netmask 0xffffffc0 broadcast broadcast_ip
    inet 10.10.0.23 netmask 0xffff0000 broadcast 10.10.255.255
    nd6 options=21
    media: Ethernet 10Gbase-T
    status: active
lo0: flags=8049 metric 0 mtu 16384
    options=600003
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21
    groups: lo
lo1: flags=8049 metric 0 mtu 16384
    options=600003
    inet 10.0.0.2 netmask 0xffffff00
    inet 10.0.0.3 netmask 0xffffff00
    inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
    nd6 options=21
    groups: lo

Make a note of this interface, then configure its name globally:

  • sudo sysrc firewall_nat_interface=vtnet0

Open up the new firewall configuration script file:

  • sudo ee /usr/local/etc/ipfw.rules

Then add the following content to the file, defining the firewall rules for IPFW:

/usr/local/etc/ipfw.rules
#!/bin/sh
set -e

# Add basic rules as defined by firewall_type, firewall_myservices, etc.
. /etc/rc.firewall

# External network interface
ext_if="$firewall_nat_interface"

# The interface we chose for communication between jails
jail_if="lo1"

for interface in "$ext_if" "$jail_if"; do
    if [ -z "$interface" ]; then
        >&2 echo "Missing network interface"
        exit 1
    fi
    if ! ifconfig "$interface" >/dev/null 2>&1; then
        >&2 echo "No such network interface: $interface"
        exit 1
    fi
done

ipfw nat 123 config if $ext_if
ipfw add 1 allow all from any to any via $jail_if
ipfw add 2 nat 123 ip4 from any to any in via $ext_if

ipfw add 501 skipto 20000 udp from any to any 53 out via $ext_if keep-state
ipfw add 502 skipto 20000 udp from any to any 67 out via $ext_if keep-state
ipfw add 503 skipto 20000 tcp from any to any out via $ext_if setup keep-state
ipfw add 504 skipto 20000 icmp from any to any out via $ext_if keep-state

ipfw add 19999 deny all from any to any
ipfw add 20000 nat 123 ip4 from any to any out via $ext_if
ipfw add 20001 allow ip from any to any

Here’s what each part of the script does:

  • . /etc/rc.firewall includes the system’s predefined IPFW rules script, which adds basic rules according to your configuration of the firewall_* variables in /etc/rc.conf.

  • The next block checks whether all configured interfaces exist. This is for your safety and quits the script early if there’s a misconfiguration.

    • ipfw nat 123 config if $ext_if creates an in-kernel NAT facility with the ID “123” to translate traffic using the public-facing network interface.

    • ipfw add 1 allow all from any to any via $jail_if allows all traffic between the jails. Note that if an allow rule matches, rule processing stops and the packet is allowed to pass.

    • ipfw add 2 nat 123 ip4 from any to any in via $ext_if translates all incoming IPv4 packets on the external interface. This is needed as a counterpart to the translation of outgoing packets, as described in the explanation of ipfw add 20000....

    • ipfw add 501 skipto 20000 udp from any to any 53 out via $ext_if keep-state and the following skipto rules define which outbound traffic to allow and to consider for network address translation. If there is a match, processing continues by jumping to rule 20000, which performs NAT. The rule number 501 intentionally comes after the default loopback rules which deny traffic from local-only networks (127.0.0.0/8 and ::1), such as 00300 deny ip from 127.0.0.0/8 to any. Run sudo ipfw list to see the currently active firewall rules (but mind that we did not apply the above changes yet).

    • Except for the skipto rules, there is an intentional gap between rules 2 and 19999 where the /etc/rc.firewall script inserts certain basic rules. If none of the above skipto rules match, the basic rules will take care of allowing different types of traffic including loopback, incoming ICMP ping messages, and the ports specified by firewall_myservices.

    • ipfw add 19999 deny all from any to any comes after all the basic rules and ensures the end of non-NAT rule processing, essentially disallowing all traffic that was not matched by a previous allow rule.

    • ipfw add 20000 nat 123 ip4 from any to any out via $ext_if translates the address of all outbound IPv4 packets leaving on the external interface. You only need IPv4 here because, in this tutorial, jails are assigned IPv4 addresses exclusively.

    • ipfw add 20001 allow ip from any to any is only required if you have turned off one-pass mode for nat rules, in which case processing will continue after going through the rule 20000, requiring you to explicitly allow those packets through with a separate rule. For the default one-pass mode, the firewall will stop processing at the nat rule and therefore ignore rule 20001.

    The directives starting with ipfw add the actual firewall configuration and rules. Each rule – added in the lines starting with ipfw add – has a number. The firewall uses these numbers to evaluate the rules in sequential order.

Save the file and exit the editor.

Since we want to amend the predefined, basic firewall rules with the rules defined in the ipfw.rules script, we must point to this script in the rc.conf file. The following command will configure the script to execute whenever the firewall starts:

  • sudo sysrc firewall_script="/usr/local/etc/ipfw.rules"

This setup uses the in-kernel NAT support of IPFW, so you must tell the system to load the respective kernel module at boot. Additionally, load the module immediately without requiring a reboot:

  • sudo sysrc -f /boot/loader.conf ipfw_nat_load=YES

  • sudo kldload ipfw_nat

Restart the firewall to put the extended firewall rules script in effect:

  • sudo nohup service ipfw restart >/tmp/ipfw.log 2>&1

Again, if you’re using the csh shell or one of its derivatives (like tcsh), run sudo nohup service ipfw restart >&/tmp/ipfw.log instead of the previous command to restart the firewall.

Check that the firewall rules have been loaded correctly:

  • cat /tmp/ipfw.log

This lists the firewall rules, followed by a success message:

Output
Flushed all rules.
00100 allow ip from any to any via lo0
[...]
65500 deny ip from any to any
Firewall rules loaded.

You can also view installed firewall rules at any time using:

  • sudo ipfw list

Output
00001 allow ip from any to any via lo1
00002 nat 123 ip from any to any in via em0
[...]
65535 deny ip from any to any
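
The check below is an added example, not part of the original tutorial: it reads ipfw list output and verifies the ordering that the rules script in this step depends on (jail allow rule before any deny, skipto targets that are outbound nat rules, skipto rules after the loopback deny rules, and a deny-all rule closing the gap before the nat target). The function name, the messages and the sample listing are assumptions; the listing is constructed from the rules in this guide and abbreviated, so real output will contain more rules.

```sh
#!/bin/sh
# Added example: check "ipfw list" output against the rule ordering used here.
# Usage: ipfw list | check_nat_ruleset EXT_IF JAIL_IF
# Prints "OK" or one "FAIL: ..." line per broken invariant; returns 0 or 1.

check_nat_ruleset() {
    awk -v ext="$1" -v jif="$2" '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[0-9]+ / {
        n = $1 + 0
        body = $0; sub(/^[0-9]+ +/, "", body)
        if ($2 == "deny" && !first_deny) first_deny = n
        if (body == "deny ip from any to any") deny_all[n] = 1
        if (body == "deny ip from 127.0.0.0/8 to any") lo_deny = n
        if (body == ("allow ip from any to any via " jif) && !jail_rule) jail_rule = n
        if ($2 == "nat" && index(body, " in via " ext)) nat_in = 1
        if ($2 == "nat" && index(body, " out via " ext)) nat_out[n] = 1
        if ($2 == "skipto") {
            k++; skip_no[k] = n; skip_to[k] = $3 + 0
            if (n > last_skip) last_skip = n
            if (!min_target || skip_to[k] < min_target) min_target = skip_to[k]
        }
    }
    END {
        # First match wins, so the jail allow rule must precede every deny.
        if (!jail_rule) {
            fail("no allow-all rule via " jif)
        } else if (first_deny && jail_rule > first_deny) {
            fail("rule " jail_rule " via " jif " comes after deny rule " first_deny)
        }
        # Replies to translated connections need the inbound counterpart.
        if (!nat_in) { fail("no inbound nat rule on " ext) }
        for (i = 1; i <= k; i++) {
            if (!(skip_to[i] in nat_out)) {
                fail("rule " skip_no[i] " skips to " skip_to[i] ", not an outbound nat rule on " ext)
            }
            if (lo_deny && skip_no[i] < lo_deny) {
                fail("rule " skip_no[i] " precedes loopback deny rule " lo_deny)
            }
        }
        # Without a deny-all before the nat target, traffic that matched no
        # earlier rule would fall through to the nat and allow rules.
        guarded = 0
        for (d in deny_all) {
            if (d + 0 > last_skip && d + 0 < min_target) guarded = 1
        }
        if (k && !guarded) {
            fail("no deny-all rule between " last_skip " and " min_target)
        }
        if (!bad) print "OK"
        exit (bad ? 1 : 0)
    }'
}

# Constructed, abbreviated listing based on the rules added in this guide.
sample_ipfw_list() {
    cat <<'EOF'
00001 allow ip from any to any via lo1
00002 nat 123 ip from any to any in via vtnet0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00501 skipto 20000 udp from any to any dst-port 53 out via vtnet0 keep-state
00502 skipto 20000 udp from any to any dst-port 67 out via vtnet0 keep-state
00503 skipto 20000 tcp from any to any out via vtnet0 setup keep-state
00504 skipto 20000 icmp from any to any out via vtnet0 keep-state
19999 deny ip from any to any
20000 nat 123 ip from any to any out via vtnet0
20001 allow ip from any to any
65535 deny ip from any to any
EOF
}

sample_ipfw_list | check_nat_ruleset vtnet0 lo1
```

On the server, replace the sample with the live listing: sudo ipfw list piped into check_nat_ruleset with your external and jail interface names.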

With all firewall rules in place, your jails are now able to access the internet. You can check by trying to download a web page from within a jail:

  • sudo jexec buildbot-master fetch -q -o- http://example.com/

Output   
Example Domain[...]

With that, you’ve successfully prepared both jails to run like a regular operating system, set up internet access for each jail, and started both of them. The next two steps in this tutorial will walk you through installing both the master and worker components and then running them as services.

Step 3 – Installing and Running the Buildbot Master

Buildbot’s components are split into several packages. You only need to install the py36-buildbot package to run the master component, but in this guide we will also go over how to install the web interface package, py36-buildbot-www.

Since we are using jails to segment the various components, start by opening a root shell in the master jail:

  • sudo jexec buildbot-master csh

Please note that, in this guide, shell command blocks are marked with a different color if they must be executed within a jail shell. Additionally, the command prompt will reflect which of the jail’s user profiles (either root or the unprivileged buildbot-master user) the commands must be run under.

Install the packages:

  • pkg install py36-buildbot py36-buildbot-www

If you haven’t yet installed or used the pkg package manager in this jail, it will prompt you to confirm that you allow it to bootstrap itself. To do this, press y and then ENTER. Then, approve installation of the Buildbot packages by again entering y.


Next, create a regular, unprivileged user to run the master service. The following command will assign a random password to this user, but you do not need to remember it since the root user of the host (outside the jail) can change it or become any user within the jail without a password:

  • pw useradd -n buildbot-master -m -w random

Following this, create the master directory where you will store the configuration:

  • mkdir /var/buildbot-master

And give ownership to the service user:

  • chown buildbot-master:buildbot-master /var/buildbot-master

From this point on, all master-related setup and changes should be executed as the unprivileged user, as this will help to keep ownership and permissions consistent.


Switch over to the unprivileged user:

  • su -l buildbot-master

Then use the built-in buildbot utility to create a directory and configuration structure in the specified directory:

  • buildbot-3.6 create-master /var/buildbot-master

Unlike other CI software like Jenkins, Buildbot’s behavior is defined directly in its configuration file, which is interpreted with Python. This allows for streamlined versioning of your configuration, while the use of a scripting language allows for the freedom to write custom build configurations and extend existing Buildbot functionalities.


The Buildbot package comes with a sample master configuration file which you can use as a template for your own configuration. Copy over the sample configuration and name it master.cfg:

  • cp /var/buildbot-master/master.cfg.sample /var/buildbot-master/master.cfg

Then open the base configuration file with your preferred text editor. Here, we’ll use ee:

  • ee /var/buildbot-master/master.cfg

The configuration file contains a password required for workers to connect to the master. Replace the default pass with a secure password of your choosing. Also, our worker’s name will be worker0, so also replace example-worker with worker0 in both the WORKERS and BUILDERS sections.


When finished, the parts of the file you need to edit will look like this:

/var/buildbot-master/master.cfg
####### WORKERS
# ...
c['workers'] = [worker.Worker("worker0", "your_secure_password")]
# ...
####### BUILDERS
# ...
c['builders'] = []
c['builders'].append(
    util.BuilderConfig(name="runtests",
      workernames=["worker0"],
      factory=factory))
# ...

Save and close this file, then run the exit command to switch back to the root user within the jail:

  • exit

Because the sample configuration watches the Git repository git://github.com/buildbot/hello-world.git as its change source, you also need to install Git:

  • pkg install git-lite

With that, you’ve created the master directory structure and configuration, but the service isn’t running yet. To run Buildbot manually, one could run the command buildbot start from the master directory, /var/buildbot-master. However, this does not take care of boot-time startup or other system-wide configuration. Instead, we will use rc scripts, FreeBSD’s standard method for running services. Specifically, we’ll do so using the service utility.


For the purposes of this tutorial, we want to enable the service to run at every boot. In the case of jails, this means the start event of the jail. Use the following command to define the location of the master directory:

  • sysrc buildbot_basedir=/var/buildbot-master

Then specify that the service should run under the buildbot-master user:

  • sysrc buildbot_user=buildbot-master

Next, enable the service to run at jail startup:

  • sysrc buildbot_enable=YES

At the time of writing, the py36-buildbot package has a bug which prevents the service from starting (see ). Until this is fixed, you will need to manually patch the start script by running the following command from your buildbot-master jail:

  • sed -i '' 's|command="/usr/local/bin/buildbot"|command="/usr/local/bin/buildbot-3.6"|' /usr/local/etc/rc.d/buildbot

Then, start the service:

  • service buildbot start

The service should start with no errors. You can verify success by viewing the contents of the log file:

  • tail /var/buildbot-master/twistd.log
Output   
2018-06-08 15:14:52+0000 [-] Starting BuildMaster -- buildbot.version: 0.9.11
2018-06-08 15:14:52+0000 [-] Loading configuration from '/var/buildbot-master/master.cfg'
[...]
2018-06-08 15:14:52+0000 [-] BuildMaster is running

To return to the host shell, run exit from the jail shell:

  • exit

You have successfully configured and started the Buildbot master service. The second component, the worker, is required to actually run builds. You will install one worker in the next section inside a second jail and then configure its connection to the master service.


Step 4 – Installing and Running the Buildbot Worker

Although the Buildbot master is running, no builds can occur since you need at least one worker running. This step is similar to the previous one in that we will set up a separate jail first and then install the service. This time, however, the Buildbot worker component will connect to the master to listen for commands and report results back.


The instructions in this step are almost identical to the master setup, except that the worker component is part of another package and the only configuration changes you’ll make involve adding details about connecting it to the master and some display information about the worker itself.


Ensure you are in the host shell, not inside a jail. Then open a root shell in the worker jail:

  • sudo jexec buildbot-worker0 csh

Remember that, in this guide, command blocks are marked with a different color if they must be executed within a jail shell and the command prompts will reflect which user profile the commands should be run under.


Install the Buildbot worker package with the following command:

  • pkg install py36-buildbot-worker

As this command runs, it will prompt you to confirm whether you want to bootstrap the pkg package management utility. Do so by entering y. It will also ask you to confirm that you approve the installation of the packages, so enter y again when prompted.


Next, create a regular, unprivileged user to run the worker service:

  • pw useradd -n buildbot-worker -m -w random

Then create the worker directory. This is the location where the worker’s configuration, display information, and build directories will be stored:

  • mkdir /var/buildbot-worker

Give ownership to the service user:

  • chown buildbot-worker:buildbot-worker /var/buildbot-worker

From this point on, all worker-related setup and changes should be executed as the unprivileged user. To that end, switch over to the buildbot-worker user:

  • su -l buildbot-worker

Use the built-in buildbot-worker utility to create a directory and configuration structure in the /var/buildbot-worker directory. Specify the master jail’s IP address (10.0.0.2, which we chose in the previous step) so the worker can connect to it, and replace pass with the password you defined in the master configuration file:

  • buildbot-worker-3.6 create-worker /var/buildbot-worker 10.0.0.2 worker0 'pass'

To finish the setup, fill in a few details about the system administrator and the worker’s purpose:

  • echo 'Your Name <your.email.address@example.com>' >/var/buildbot-worker/info/admin

  • echo 'Description of this worker' >/var/buildbot-worker/info/host

Following this, run the exit command to switch back to the root user within the jail:

  • exit

Because the sample configuration clones the Git repository git://github.com/buildbot/hello-world.git to build the sample project, you also need to install Git within this jail. Note how the Buildbot master also required Git because change sources run on the master. Additionally, the builder uses a test runner called trial which is part of the py27-twisted package, so install this along with git-lite:

  • pkg install git-lite py27-twisted

The built-in mechanism for running a worker is buildbot-worker start, which should be run from the worker directory, /var/buildbot-worker. However, this does not take care of boot-time startup and does not ensure that it will run under the correct user. As you did with the master, leverage the packaged rc script by using the service utility to manage the service.

Use the following commands to define the worker directory as well as the user and group under which the service should run:

  • sysrc buildbot_worker_basedir=/var/buildbot-worker
  • sysrc buildbot_worker_uid=buildbot-worker
  • sysrc buildbot_worker_gid=buildbot-worker

Next, enable the service to run at jail startup:

  • sysrc buildbot_worker_enable=YES

At the time of writing, the py36-buildbot-worker package has a bug which prevents the service from starting (see ). Until this is fixed, you will need to manually patch the start script by running the following command from your buildbot-worker0 jail:

  • sed -i '' 's|command="/usr/local/bin/twistd"|command="/usr/local/bin/twistd-3.6"|' /usr/local/etc/rc.d/buildbot-worker

Finally, start the worker component:

  • service buildbot-worker start

The service should start with no errors. You can verify that it was successful by viewing the most recent entries to the log file:

  • tail /var/buildbot-worker/twistd.log

If the service started successfully, a message like Connected to 10.0.0.2:9989; worker is ready will appear in the log file. If you forgot to specify a new password earlier in this step, the service will fail to connect to the master. In this case, edit the file /var/buildbot-worker/buildbot.tac and then run service buildbot-worker restart to rectify this issue.


Once the service starts correctly, drop out to the host shell by running the exit command from the jail shell:

  • exit

With that, the second jail has been configured and you have all the basic components needed for operating Buildbot. To be readily usable for your users, it’s recommended that you also set up the web-based user interface. Doing so will allow you to control Buildbot and see build results with greater convenience.


Step 5 – Setting Up the Buildbot Web Interface

Buildbot features a web-based user interface that shows build overviews and results, and allows you to trigger builds manually if a “force” scheduler is configured, as is the case in the sample configuration.


Your master configuration already sets up the www component to serve HTTP over port 8010. In a production setting, you would not serve unencrypted HTTP or open up the non-standard port 8010 to the outside, as this would open your system up to security vulnerabilities. Also, the web interface can be served from any URL path, which means that it does not need to be the only application on your domain. For example, you could serve build outputs or logs to your users. Hence, we will serve the UI to users with a separate web server – Nginx – in order to support HTTPS, protect internal ports, and gain the ability to serve other content alongside the Buildbot web interface.


Open up the Nginx configuration file for editing:

  • sudo ee /usr/local/etc/nginx/nginx.conf

Add the following highlighted location blocks within the file’s existing server block:

/usr/local/etc/nginx/nginx.conf
. . .
http {
    . . .
    server {
        . . .
        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }

        location /buildbot/ {
            proxy_pass http://10.0.0.2:8010/;
        }
        location /buildbot/sse/ {
            # proxy buffering will prevent sse to work
            proxy_buffering off;
            proxy_pass http://10.0.0.2:8010/sse/;
        }
        # required for websocket
        location /buildbot/ws {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass http://10.0.0.2:8010/ws;
            # raise the proxy timeout for the websocket
            proxy_read_timeout 6000s;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        . . .
    }
}

This configuration forwards all requests below the URL path /buildbot/ to the web interface and enables WebSocket support, which is used by the interface to receive updates that it will display such as the log output of a running build.
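A check of exactly those requirements, as an added example (not from the original tutorial or the Nginx project): it verifies that each of the three Buildbot locations proxies to the master jail and carries the directives that SSE and WebSocket traffic depend on. The sample configuration is constructed with two lines deliberately left out, and the function names are hypothetical.

```python
import re

# Constructed input: the tutorial's Buildbot location blocks with
# "proxy_buffering off" and the WebSocket Upgrade header left out.
SAMPLE_CONF = '''
server {
    location / {
        root /usr/local/www/nginx;
    }
    location /buildbot/ {
        proxy_pass http://10.0.0.2:8010/;
    }
    location /buildbot/sse/ {
        proxy_pass http://10.0.0.2:8010/sse/;
    }
    # required for websocket
    location /buildbot/ws {
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_pass http://10.0.0.2:8010/ws;
    }
}
'''

# Directives each proxied path needs, taken from the tutorial's configuration.
REQUIRED = {
    "/buildbot/": [],
    "/buildbot/sse/": ["proxy_buffering off"],
    "/buildbot/ws": [
        "proxy_http_version 1.1",
        "proxy_set_header Upgrade $http_upgrade",
        'proxy_set_header Connection "upgrade"',
    ],
}


def location_blocks(conf):
    """Map each 'location PATH { ... }' to its whitespace-normalised directives."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments
    blocks = {}
    for match in re.finditer(r"\blocation\s+(?:=\s*)?(\S+)\s*\{", text):
        depth, pos = 1, match.end()
        while pos < len(text) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        body = text[match.end():pos - 1]
        blocks[match.group(1)] = [
            " ".join(part.split()) for part in body.split(";") if part.strip()
        ]
    return blocks


def lint_buildbot_proxy(conf, upstream="http://10.0.0.2:8010"):
    """Return (path, problem) pairs; an empty list means every check passed."""
    findings = []
    blocks = location_blocks(conf)
    for path, needed in REQUIRED.items():
        directives = blocks.get(path)
        if directives is None:
            findings.append((path, "missing location block"))
            continue
        # proxy_pass must point at the master jail (assumed address from the tutorial)
        targets = [d.split()[1] for d in directives if d.startswith("proxy_pass ")]
        if not any(t.startswith(upstream) for t in targets):
            findings.append((path, "proxy_pass does not target " + upstream))
        findings.extend((path, "missing: " + d) for d in needed if d not in directives)
    return findings


if __name__ == "__main__":
    for path, problem in lint_buildbot_proxy(SAMPLE_CONF):
        print(path, "->", problem)
```

nginx -t validates syntax only, so a configuration with the buffering or Upgrade line missing would still pass it; this check covers the Buildbot-specific directives.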


Save and close the Nginx configuration file. Then, reload the Nginx service:

  • sudo service nginx reload

Open up your preferred web browser on your local machine and access the Buildbot web interface by going to the following URL:


https://example.com/buildbot/

Alternatively, if you did not set up a domain name for your server, you’ll instead need to enter your server’s public IP address, http://your_server_ip/buildbot/.


When you arrive at the interface, you will see an overview similar to the following:


The main page may show a warning that the Buildbot URL is misconfigured. This occurs if the hostname provided in the nginx.conf file does not match what’s listed in the master Buildbot configuration. Since build result emails contain links to the Buildbot web interface by default, the master must know the correct URL where it can be reached.

Note that, in our example configurations, we have not set up this email service. If you’re interested in configuring this, see Buildbot’s for more information:

With that said, to resolve the warning and send emails that contain the correct content, edit the Buildbot master configuration to point to your domain.

  • sudo ee /usr/jails/buildbot-master/var/buildbot-master/master.cfg

Find the line that begins with c['buildbotURL'] and replace the default option with your domain name, followed by /buildbot/:

/var/buildbot-master/master.cfg
####### PROJECT IDENTITY
# ...
c['buildbotURL'] = 'https://example.com/buildbot/'
# ...

Save and close the file. Then, to apply the new configuration, reload the buildbot service:

  • sudo jexec buildbot-master service buildbot reload

Refresh the Buildbot web interface in your browser, and the warning will disappear.
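The master.cfg edits made so far (the worker credentials and builder worker names from Step 3, and buildbotURL above) can be checked without starting the master. This is an added example, not part of the original tutorial or of Buildbot: it parses the file with Python's ast module instead of executing it. The sample text is constructed, and the 16-character minimum and the finding codes are assumptions.

```python
import ast

# Constructed sample (not the packaged file): the parts of master.cfg the
# tutorial edits, left with the default password, a stale worker name in the
# builder, and a plain-HTTP URL.
SAMPLE_CFG = '''
c = BuildmasterConfig = {}
c['workers'] = [worker.Worker("worker0", "pass")]
c['builders'] = []
c['builders'].append(
    util.BuilderConfig(name="runtests",
      workernames=["example-worker"],
      factory=factory))
c['buildbotURL'] = 'http://localhost:8010/'
'''

# Values that show the password was never changed: the sample default and the
# tutorial's placeholder text.
PLACEHOLDER_PASSWORDS = {"pass", "your_secure_password"}
MIN_PASSWORD_LEN = 16  # assumption: a local policy choice, not a Buildbot rule


def _literal(node):
    """Return the string held by a literal node, or None for anything else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(call):
    """'worker.Worker(...)' -> 'Worker'; 'Worker(...)' -> 'Worker'."""
    func = call.func
    return getattr(func, "attr", None) or getattr(func, "id", None)


def _subscript_key(target):
    """Return 'x' for an assignment target of the form c['x'], else None."""
    if not isinstance(target, ast.Subscript):
        return None
    key = target.slice
    if not isinstance(key, ast.Constant):
        key = getattr(key, "value", None)  # Python < 3.9 wraps the key in ast.Index
    return _literal(key)


def audit_master_cfg(source):
    """Parse master.cfg text (it is never executed) and return a sorted list
    of (code, detail) findings."""
    findings = set()
    defined_workers = set()
    builder_refs = []  # (builder name, referenced worker name)

    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) == "Worker":
            args = node.args
            name = _literal(args[0]) if args else None
            password = _literal(args[1]) if len(args) > 1 else None
            if name is not None:
                defined_workers.add(name)
            if password in PLACEHOLDER_PASSWORDS:
                findings.add(("placeholder-password", name or "?"))
            elif password is not None and len(password) < MIN_PASSWORD_LEN:
                findings.add(("short-password", name or "?"))
        elif isinstance(node, ast.Call) and _call_name(node) == "BuilderConfig":
            kw = {k.arg: k.value for k in node.keywords}
            builder = _literal(kw.get("name"))
            for elt in getattr(kw.get("workernames"), "elts", []):
                if _literal(elt) is not None:
                    builder_refs.append((builder, _literal(elt)))
        elif isinstance(node, ast.Assign):
            url = _literal(node.value)
            for target in node.targets:
                if _subscript_key(target) == "buildbotURL" and url is not None:
                    if not url.startswith("https://"):
                        findings.add(("plain-http-url", url))

    # A builder that names a worker the master never defined has nothing to run on.
    for builder, wname in builder_refs:
        if wname not in defined_workers:
            findings.add(("unknown-worker", f"{builder} -> {wname}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_master_cfg(SAMPLE_CFG):
        print(f"{code}: {detail}")
```

To audit the real file from the host, pass the contents of /usr/jails/buildbot-master/var/buildbot-master/master.cfg to audit_master_cfg.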


Continuous Integration servers often serve other purposes besides CI. For example, a CI server might serve build outputs for FreeBSD packages or logs over HTTPS. It’s therefore recommended that you reserve the URL path /buildbot/ for the web interface. This allows you to host more applications under different paths. For the moment, we will create a simple home page that redirects to the web interface. You can add more links once you implement more use cases for the web server.

Run the following command to open an index file in your web root – replacing example.com with your own domain – to create an automatic redirect to the Buildbot web interface:

  • sudo ee /usr/local/www/example.com/html/index.html

Note: If you did not follow the and create a new web root for your Nginx configuration, you will instead need to create an index file under the default Nginx web root by running sudo ee /usr/local/www/nginx/index.html.

Replace any existing file content with the following lines:

/usr/local/www/nginx/index.html
buildbot

Save and close this file, then enter your domain name or IP address in the URL bar of your browser. It should automatically redirect you to the Buildbot interface.

You’ve finished the installation of all the Buildbot components, including its web-based control and viewing interface. With all of this in place, let’s run an actual build as specified in the sample configuration which we have set up for the master.

The builder has a “force” scheduler configured by default, which allows you to trigger your first build. In the web interface, click Builds > Builders > runtests > force > Start Build and see how the build runs. If you see any errors, check the server’s internet connection and whether all the dependent packages were installed as described previously.

You can find the artifacts from this build (and others) by looking at the contents of the build directory:

  • ls /usr/jails/buildbot-worker0/var/buildbot-worker/runtests
Output   
build

You have successfully configured a permanently running and versatile CI system and can now begin implementing your own builds.


Conclusion

By completing this tutorial, you practiced creating FreeBSD jails and learned some of the basics of the Buildbot automation framework, resulting in a ready-to-use installation. To learn more about Buildbot and its configuration, we encourage you to read through the .

From here, you’re free to implement your own Continuous Integration and automation practices. In order to have a secure, stable and performant setup for production use, you may want to take these optional configuration steps:

  • Use HTTPS only (as explained in this tutorial)

  • In the tutorial, you used a separate, host-internal network lo1 for your jails. In this guide, we used ipfw for NAT purposes, but other firewalls have this feature as well. Check out the FreeBSD documentation about . Unless your use case requires otherwise, it is recommended to keep the jail network inaccessible from the outside through the use of NAT or other mechanisms.

  • Buildbot’s web interface does not require a login or check user permissions by default. To implement these, you will have to enable .



Reposted from: http://uphgb.baihongyu.com/
