We re-use the Vagrant-based build system we have created for developers.

This system generates the needed Vagrant basebox before each build unless it is already available locally. By default such generated baseboxes are cached on each ISO builder forever, which is a waste of disk space: in practice only the most recent baseboxes are used. So we take advantage of the garbage collection mechanisms provided by the Tails Rakefile:

• We use the rake basebox:clean_old task to delete obsolete baseboxes older than some time. Given we switch to a new basebox at least for every major Tails release, we've set this expiration time to 4 months.

• We also use the rake clean_up_libvirt_volumes task to remove baseboxes from the libvirt volumes partition. This way we ensure we only host one copy of a given basebox in the .vagrant.d directory of the Jenkins user $HOME.

The cleanup_build_job_leftovers script ensures a failed basebox generation process does not break the following builds due to leftovers. However, now that we have moved from vmdebootstrap to vmdb2, which seems way better at cleaning up after itself, we might need less clean up, or maybe none at all.

For security reasons we use nested virtualization: Vagrant starts the desired ISO build environment in a virtual machine, all this inside a Jenkins "slave" virtual machine.

On lizard we set the Tails extproxy build option and point http_proxy to our existing shared apt-cacher-ng.