bootstrap: hello world!

opnsense-bootstrap(8) is a tool that can completely reinstall a running system in place for a thorough factory reset or to restore consistency of all the OPNsense files. It can also wipe the configuration directory, but won't do that by default. It will automatically pick up the latest available version and build a chain of trust by using current package fingerprints -> CA root certificates -> HTTPS -> OPNsense package fingerprints. What it will also do is turn a stock FreeBSD 10.1-RELEASE into an OPNsense installation, given that UFS was used to install the root file system. This is as close as we get for debating "distribution as a package" in FreeBSD at the moment. Ultimately, no more kernel patches would simplify the procedure. Package manager support for base and kernel will make this even more simple. FreeBSD 11 is what we are aiming for for these reasons. And we'll definitely stick around. But, wait, there's more... What it will likely do at some point in the future is moving an installation from FreeBSD/OPNsense to HardenedBSD/OPNsense or back. The HardenedBSD team is doing great work and we don't see a reason why anyone should be locked out of an eco system just for choosing a different tool. Above all, we value choice. If this tool is a candidate for the FreeBSD ports collection is a different question to be asked. For now I don't think the timing and the scope of only transforming 10.1-RELEASE fits. But as we work on this and test more, we can gradually lift the restrictions. "These go to eleven." :) Cheers, Franco
opnsense · Nov 20, 2015 · e3f63ec · e3f63ec
1 parent a00afc9
commit e3f63ec
Show file tree

Hide file tree

Showing 3 changed files with 202 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
-SCRIPTS=opnsense-update.sh
-MAN=	opnsense-update.8
+SCRIPTS=opnsense-update.sh opnsense-bootstrap.sh
+MAN=	opnsense-update.8 opnsense-bootstrap.8
 
 PREFIX?=${LOCALBASE}
 BINDIR=	${PREFIX}/sbin

diff --git a/opnsense-bootstrap.8 b/opnsense-bootstrap.8
@@ -0,0 +1,76 @@
+.\"
+.\" Copyright (c) 2015 Franco Fichtner <franco@opnsense.org>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd November 20, 2015
+.Dt OPNSENSE-BOOTSTRAP 8
+.Os
+.Sh NAME
+.Nm opnsense-bootstrap
+.Nd OPNsense bootstrap utility
+.Sh SYNOPSIS
+.Nm
+.Op Fl fy
+.Op Fl n Ar flavour
+.Nm
+.Op Fl v
+.Sh DESCRIPTION
+The
+.Nm
+utility offers a way to reset a compatible system to the latest
+available version of OPNsense.
+It can be used to repair a broken system or transform a matching
+.Fx
+installation.
+Compatibility with
+.Fx
+is subject to change and
+.Ud .
+.Pp
+The options are as follows:
+.Bl -tag -width ".Fl n Ar flavour" -offset indent
+.It Fl f
+Do a full factory reset, removing all previous OPNsense configuration
+files.
+.It Fl n Ar flavour
+Change the package repository to
+.Ar flavour .
+Possible values are
+.Sq LibreSSL
+and
+.Sq OpenSSL .
+The default is
+.Sq OpenSSL .
+.It Fl v
+Print the current version string.
+.It Fl y
+This option omits the confirmation prompt.
+.El
+.Sh EXIT STATUS
+.Ex -std
+.Sh SEE ALSO
+.Xr opnsense-update 8
+.Sh AUTHORS
+.An Franco Fichtner Aq Mt franco@opnsense.org
diff --git a/opnsense-bootstrap.sh b/opnsense-bootstrap.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+
+# Copyright (c) 2015 Franco Fichtner <franco@opnsense.org>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+set -e
+
+WORKDIR="/tmp/opnsense-bootstrap"
+FLAVOUR="OpenSSL"
+ARCH=$(uname -m)
+VERSION="15.7"
+
+DO_FACTORY=
+DO_YES=
+
+while getopts fn:vy OPT; do
+	case ${OPT} in
+	f)
+		DO_FACTORY="-f"
+		;;
+	n)
+		if [ "${OPTARG}" == "LibreSSL" ]; then
+			FLAVOUR=${OPTARG}
+		fi
+		;;
+	v)
+		echo ${VERSION}-${ARCH}
+		exit 0
+		;;
+	y)
+		DO_YES="-y"
+		;;
+	*)
+		echo "Usage: opnsense-bootstrap [-fvy] [-n flavour]" >&2
+		exit 1
+		;;
+	esac
+done
+
+if [ "$(id -u)" != "0" ]; then
+	echo "Must be root."
+	exit 1
+fi
+
+if [ "$(uname -s)" != "FreeBSD" ]; then
+	echo "Must be FreeBSD."
+	exit 1
+fi
+
+if [ "$(uname -r | colrm 13)" != "10.1-RELEASE" ]; then
+	echo "Must be 10.1."
+	exit 1
+fi
+
+if [ "$(uname -m)" != "i386" -a "$(uname -m)" != "amd64" ]; then
+	echo "Must be i386 or amd64"
+	exit 1
+fi
+
+echo "This utility will attempt to turn this installation into the latest"
+echo "OPNsense ${VERSION} release.  All packages will be deleted, the base"
+echo "system and kernel will be replaced, and if all went well the system"
+echo "will automatically reboot."
+
+if [ -z "${DO_YES}" ]; then
+	echo
+	echo -n "Proceed with this action? [y/N]: "
+
+	read YN
+	case ${YN} in
+	[yY])
+		;;
+	*)
+		exit 0
+		;;
+	esac
+fi
+
+echo
+
+export ASSUME_ALWAYS_YES=yes
+
+pkg bootstrap
+pkg install ca_root_nss
+
+mkdir -p ${WORKDIR}/${$}
+cd ${WORKDIR}/${$}
+fetch https://github.com/opnsense/core/archive/stable/${VERSION}.zip
+unzip ${VERSION}.zip
+cd core-stable-${VERSION}
+
+pkg delete -fa
+rm -rf /usr/local/etc/pkg
+if [ -n "${DO_FACTORY}" ]; then
+	rm -rf /conf/*
+fi
+
+make bootstrap DESTDIR= FLAVOUR=${FLAVOUR}
+pkg bootstrap
+pkg install opnsense
+opnsense-update -bkf
+reboot