Jump to content


From Wikitech

This page contains information on Debian packages (.deb) related to Toolforge.

Debian Packages

Some Toolforge components (e.g. Toolforge CLIs) are deployed using Debian Packages. Each component is packaged separately, the .deb file is uploaded to the a Debian repository running in tools-services-* and from there it is finally installed on the Toolforge bastions.

This is a list of the Debian packages installed on the bastions as of April 2024 (please note this list may change in the future):

Note: When the tools-webservice package is updated, all docker images need to be rebuilt.

Bumping the version

Before building a new version of a package, you need to bump the package version.

Note: before bumping the version, make sure all the changes to the code (bugfixes, new features, etc.) are merged to the main branch. Avoid mixing a version bump and code changes in the same commit.

Using bump_version

Does the component provide a script for it? Check if there's a file utils/bump_version.sh. If there is one, it will take care of everything:

  • updating the debian/changelog file
  • updating the version in setup.py or in other files (depending on the component)
  • creating a new git tag

If the script completes successfully, review the changes with git show and if they look good create a merge request.

If the script fails on macOS with "gbp:error: /src is not a git repository", it's probably because of https://github.com/docker/for-mac/issues/6243, and can be fixed by using osxfs instead of VirtioFS in the Docker for Mac settings


If the bump_version script is not present or is not working correctly, you can bump the version manually:

  • To update the debian/changelog file, you can use: gbp dch --git-author --id-length=7 --since=... . This reads the git log to generate changelog entries.
    • Not on a Debian host? You can run gbp inside Docker:
      docker run -it --rm \
        -v "$(pwd):/mnt" -v "$HOME/.gitconfig:/etc/skel/.gitconfig:ro" \
        -e UID=$(id -u) -e GID=$(id -g) \
        opxhub/gbp:buster \
        bash -c 'gbp dch --git-author --id-length=7'
    • The Docker trick can also be included in a bash init script as a function for your shell so you only need to run gbp and then the rest of the command exactly like on a Debian host
      function gbp() {
        docker run -it --rm -v "$(pwd):/mnt" \
          -v "$HOME/.gitconfig:/etc/skel/.gitconfig:ro" -e UID="$(id -u)" \
          -e GID="$(id -g)" opxhub/gbp:buster bash -c "gbp $*"
  • Update the version in setup.py and in other files where is present (depending on the component)
  • Create a new tag with the format debian/version. Optionally you can create an annotated tag (git tag -a tagname) and add a short annotation, e.g. the output of git shortlog {previoustag}..HEAD

Creating a release in GitLab

After the version bump is merged in GitLab, push the git tag with git push origin {tagname} and create a new release in GitLab by clicking on "Releases", then on "New release".

Note: Before pushing the tag, make sure the local git tag is pointing to the commit in the origin/main branch (sometimes GitLab rebases your commit when the merge request is merged)

Building the package

Most packages have a CI pipeline that will build the .deb file automatically. Click on the pipeline and look for a job named "package:deb". The .deb file can be downloaded clicking on "Download artifacts".

GitLab pipeline showing the package:deb job
The .deb file can be downloaded clicking on "Download artifacts"

If the component does not have a CI pipeline, check if it includes a file utils/build_deb.sh. Otherwise, you can use the wmcs-package-build script (more details below).

Uploading a package

If you built a package or have a package already built that you want to upload, you can scp it to tools-services-* VM, and from there add it to the repository you want it in:

$ scp pack-0.27.0-2.deb tools-services-05.tools.eqiad1.wikimedia.cloud:/tmp
$ ssh tools-services-05.tools.eqiad1.wikimedia.cloud
# check which repositories you want to add the package to
root@tools-services-05:~# aptly repo list
# Add the package to the repo you want
root@tools-services-05:~# aptly repo add buster-toolsbeta /tmp/pack-0.27.0-2.deb
# Publish the package on each of the repos where you added it
root@tools-services-05:~# aptly publish update --skip-signing bullseye-toolsbeta

You should always install a package in the toolsbeta project first and test it works correctly, before installing it in the tools project.

For that, build the package and upload it to the -toolsbeta variants of the aptly repos, e.g. bullseye-toolsbeta.

Once testing is done and you are confident with a given package version, you can copy the packages to the -tools repos:

root@tools-services-05:~# aptly repo copy buster-toolsbeta buster-tools toolforge-webservice_0.XX_all && aptly publish --skip-signing update buster-tools
root@tools-services-05:~# aptly repo copy bullseye-toolsbeta bullseye-tools toolforge-webservice_0.XX_all && aptly publish --skip-signing update bullseye-tools

Installing a package

Packages will not be upgraded automatically by Puppet. You need to manually run apt update && apt install {package_name}.

You can use Cumin to push the change out everywhere:

$ ssh cloudcumin1001.eqiad.wmnet
$ sudo cumin "O{project:tools name:.*-bastion.*}" "apt-get update"
$ sudo cumin "O{project:tools name:.*-bastion.*}" 'DEBIAN_FRONTEND=noninteractive apt-get install -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" toolforge-webservice'


This script used to be the main method to build Toolforge packages, but it is being phased out as we are gradually automating the package builds using CI pipelines.

This is a custom script to automate most of the build & publish steps of the process. You can locate this script in the operations/puppet repo: modules/toolforge/files/wmcs-package-build.py.

The steps are done in order:

  • git stage: create a random directory in the package build server, git clone the source repository and checkout a given branch.
  • sbuild stage: run sbuild to build the debian package.
  • copy stage: copy the resulting .deb packages from the package build server into the aptly server at a random directory.
  • aptly stage: add the .deb packages to a given repo and publish it.
  • backup stage: run rsync from the aptly tree to NFS (optional).
  • cleanup stage: delete random directories created by the script.
user@laptop:~$ modules/toolforge/files/wmcs-package-build.py --help
usage: wmcs-package-build.py [-h] --git-repo GIT_REPO [--git-branch GIT_BRANCH]
                             [--build-dist BUILD_DIST] [--build-host BUILD_HOST] [-a APTLY_DIST]
                             [--aptly-host APTLY_HOST] [-b] [-d]

Utility to build and upload a .deb package to aptly

optional arguments:
  -h, --help            show this help message and exit
  --git-repo GIT_REPO   git repository URL with the source pkg. This script will do a fresh git clone
                        of that repo. Typical value is something like:
  --git-branch GIT_BRANCH
                        git branch to use to build the package from. Defaults to "master"
  --build-dist BUILD_DIST
                        target distribution when building the package with sbuild. Defaults to
  --build-host BUILD_HOST
                        package build host. Typically a VM in CloudVPS with
                        role::wmcs::toolforge::package_builder. Defaults to "tools-package-
  -a APTLY_DIST, --aptly-dist APTLY_DIST
                        target distribution in aptly. The resulting deb package will be uploaded to
                        this distribution and then the repository will be published. Can be specified
                        multiple times for multiple target distributions. If this argument is not
                        provided, no aptly operations will be done. Example: -a stretch-tools -a
  --aptly-host APTLY_HOST
                        aptly server host. Typically a VM in CloudVPS with
                        role::wmcs::toolforge::services. Defaults to "tools-sge-
  -b, --no-backup       If this option is present, this script won't backup aptly data over NFS
  -d, --dry-run         Dry run: only show what this script would do, but don't do it for real

This script is supposed to run from your laptop, and it will start SSH connections to the different servers involved in building and publishing a deb package.

The --help output should have enough information to know what every option does.

You are encouraged to use the --dry-run first to know what the script would do (the actual SSH commands).

Obsolete methods

This information is here only for reference. Use one of the methods listed above instead.


The sbuild tool is a simple and powerful tool to build debian packages.

Our packaging building hosts have sbuild ready to use. The first time you try to use sbuild you should add yourself to the sbuild unix group:

user@tools-package-builder-02:~$ sudo sbuild-adduser $LOGNAME
user@tools-package-builder-02:~$ newgrp sbuild

There should be environments to build packages for the most common distros: jessie, stretch, buster.

You can switch between them easily:

user@tools-package-builder-02:mypackage/$ sbuild -d jessie
user@tools-package-builder-02:mypackage/$ sbuild -d stretch
user@tools-package-builder-02:mypackage/$ sbuild -d buster

Sometimes the build-deps required to clean the source tree are not installed outside the chroot. To workardound this, use the --no-clean-source switch when calling sbuild. Adding extra repos and packages is super easy, check the --extra-repository option in the sbuild manpage.

Additional upstream documentation: https://wiki.debian.org/sbuild

Yuvi's method (debuild)

Bd808's method (pdebuild)

See also