
customized chroot builds

sysfu edited this page Feb 15, 2016 · 129 revisions

This guide takes the user step by step through building and customizing an OpenBSD installation inside a chroot on a more capable build host, and then building a flashrd image from it.

Why would I want to do this?

It can be hard or impossible to compile and build custom software on resource constrained embedded systems. This method allows you to do all the heavy lifting on a more powerful system, after which you can deploy an image with all the system and userland software updates already integrated.

Create and update the base chroot system

  • install a current release of OpenBSD if you don't already have access to one. The build system must match the architecture of the target system (use an OpenBSD i386 build system if the target platform is i386), and its release must match the install sets and source tag used below (5.8 in this guide).

  • patch the system with M:Tier's openup, which applies the binary patches for the installed release. This fetches and runs a script from a third party over HTTPS, so the build host is trusting M:Tier from this point on:
    sudo ftp -o /usr/local/sbin/openup https://stable.mtier.org/openup; sudo chmod +x /usr/local/sbin/openup; sudo openup

  • edit fstab to allow chrooting into a separate OpenBSD system tree located on the /home partition
    sudo vi /etc/fstab

  • remove the "nodev" option from the /home partition mount line. With nodev in effect, the device nodes that MAKEDEV creates under ~/chrbsd/dev (tty, null and so on) can be created but cannot be opened from inside the chroot.

  • save /etc/fstab and then remount the '/home' filesystem
    sudo mount -u -o dev /home

  • or simply reboot

  • Install git and clone the flashrd software
    cd ~; sudo pkg_add git; git clone https://github.com/yellowman/flashrd.git

  • install the OpenBSD system sources, checking out the tag that matches the installed release. (This takes a while, so pick the fastest mirror available and find something else to do while it runs)
    cd /usr; sudo cvs -d anoncvs@anoncvs1.usa.openbsd.org:/cvs -q get -rOPENBSD_5_8 src

  • create two folders; one for the OpenBSD chroot system and one for the extracted flashrd image files, then change into the 'chrbsd' dir before downloading install sets
    mkdir ~/{chrbsd,imgfiles}; cd ~/chrbsd

Download, verify and extract the install sets

  • Now set some variables with the download URL and filenames to make life easier. The mirror is plain HTTP, so nothing on the transport authenticates the sets; the signify check further down is what establishes their integrity
    export MIR=http://mirrors.sonic.net/openbsd/5.8/i386 SETS='base58.tgz man58.tgz comp58.tgz xbase58.tgz' SIG='SHA256 SHA256.sig'

  • Use these variables in a 'for loop' to automate the download process
    for i in $SETS; do ftp $MIR/$i; done; for i in $SIG; do ftp $MIR/$i; done

  • Check the integrity of the downloaded install sets by first verifying the signature on the SHA256 checklist with the release key shipped in base. Do not go further unless signify reports "Signature Verified"; an unverified checklist proves nothing
    signify -V -p /etc/signify/openbsd-58-base.pub -m SHA256

  • Then verify the SHA256 checksum of each install set tarball against the verified checklist; every line of output should end in OK
    sha256 -C SHA256 $SETS

  • once both checks have passed (the rm below runs regardless of their outcome), extract the set tarballs as root, preserving ownership, permissions and attributes, then remove the tarballs and signature files
    for i in $SETS; do sudo pax -rvzf $i -p e; done; rm *.tgz SHA256*

  • Unpack the /etc files from the etc.tgz that the base set installs under /usr/share/sysmerge/, again as root so ownership is preserved:
    cd ~/chrbsd; sudo pax -rvzf ~/chrbsd/usr/share/sysmerge/etc.tgz -p e
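
The three verification steps above are separate commands, and the rm that follows them runs whether or not they passed. The helper below, an added example that is not part of the flashrd wiki or the flashrd project, makes the sequence fail closed: it parses the OpenBSD SHA256 checklist format ("SHA256 (base58.tgz) = <hex>"), compares every listed set against its actual digest, and only extracts when the signify check and all checksums succeed. It assumes the sets, SHA256 and SHA256.sig sit in the current directory and the release key is at the path given; sha256 -q is used on OpenBSD and sha256sum elsewhere so the checksum part can be exercised on any host.

```shell
#!/bin/sh
# Added example, not from the flashrd wiki: fail-closed verification of OpenBSD
# install sets. Nothing is extracted unless the signify check AND every checksum pass.

# digest_of FILE: hex SHA-256 of FILE, using sha256(1) on OpenBSD or sha256sum elsewhere.
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# expected_digest LISTFILE NAME: the digest recorded for NAME in an OpenBSD
# checklist line of the form:  SHA256 (base58.tgz) = <hex>
expected_digest() {
    awk -v name="$2" '$1 == "SHA256" && $2 == ("(" name ")") { print $4; exit }' "$1"
}

# check_sets LISTFILE SET...: returns 0 only if every SET is listed and matches.
# A set that is absent from the checklist counts as a failure, so a truncated or
# swapped SHA256 file cannot let an unverified tarball through.
check_sets() {
    list=$1; shift
    rc=0
    for f in "$@"; do
        want=$(expected_digest "$list" "$f")
        if [ -z "$want" ]; then
            echo "MISSING $f (not in $list)"; rc=1
        elif [ ! -f "$f" ]; then
            echo "ABSENT  $f"; rc=1
        elif [ "$(digest_of "$f")" = "$want" ]; then
            echo "OK      $f"
        else
            echo "FAIL    $f"; rc=1
        fi
    done
    return $rc
}

# verify_and_extract KEY LISTFILE DESTDIR SET...: signify first (the signature
# file defaults to LISTFILE.sig), then checksums, then extract with pax -p e into
# DESTDIR. Run as root so ownership is preserved. Leaves the tarballs in place.
verify_and_extract() {
    key=$1; list=$2; dest=$3; shift 3
    signify -V -p "$key" -m "$list" || { echo "signature check failed, stopping" >&2; return 1; }
    check_sets "$list" "$@" || { echo "checksum mismatch, not extracting" >&2; return 1; }
    here=$(pwd)
    for f in "$@"; do
        (cd "$dest" && pax -rzf "$here/$f" -p e) || return 1
    done
}

# Usage on the build host, from ~/chrbsd as root (the wiki's layout):
#   verify_and_extract /etc/signify/openbsd-58-base.pub SHA256 . base58.tgz man58.tgz comp58.tgz xbase58.tgz
```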

  • prepare extracted system install set folder for chroot by creating devices
    cd ~/chrbsd/dev; sudo ./MAKEDEV std

  • copy openup to chroot system
    sudo cp /usr/local/sbin/openup ~/chrbsd/usr/local/sbin/

  • copy pkg.conf to chroot system
    sudo cp /etc/pkg.conf ~/chrbsd/etc/

  • enter the chroot system
    sudo chroot ~/chrbsd /bin/ksh

  • fix name resolution: the chroot has no /etc/resolv.conf yet, so write one pointing at a resolver you trust (the address below is the one the rest of this guide uses)
    echo "nameserver 213.73.91.35" > /etc/resolv.conf

  • patch chroot system with latest updates using openup
    openup

  • remove the openup binpatch files from /var to conserve space
    rm -rf /var/db/binpatch/*

  • install desired software from packages (add or remove packages to this command as needed)
    pkg_add dnstop drill pftop toprump rsync iperf dnscrypt-proxy

  • Manually add any users and groups needed to run services, with the uid/gid the package expects. dnscrypt-proxy example:
    groupadd -g 688 _dnscrypt-proxy
    useradd -c 'dnscrypt-proxy user' -d /var/empty -g 688 -s /sbin/nologin -u 688 _dnscrypt-proxy

build and install custom software from source

  • Create a working 'src' directory and change into it
    mkdir /usr/local/src; cd /usr/local/src

LibreSSL

  • set variables for the download mirror and filenames
    export mirror=http://mirrors.sonic.net/openbsd/LibreSSL files='libressl-2.3.2.tar.gz SHA256 SHA256.sig libressl.pub'

  • run for loop to download files
    for i in $files; do ftp $mirror/$i; done

  • verify libressl.pub key string matches the one published on github https://github.com/libressl-portable/portable/blob/master/libressl.pub

  • verify SHA256 checklist signature
    signify -V -p libressl.pub -m SHA256

  • verify the checksum for tarball
    sha256 -C SHA256 libressl-2.3.2.tar.gz

  • Extract and build the software
    pax -rvzf libressl-2.3.2.tar.gz; cd libressl-2.3.2; ./configure; make check; make install

  • remove the source files and set aside the base openssl(1) binary. This only swaps the command-line tool: base programs linked against /usr/lib/libcrypto and libssl keep using the base libraries (which openup patches), while the LibreSSL under /usr/local is used by what you build against it below
    rm -rf /usr/local/src/*; mv /usr/bin/openssl /usr/bin/openssl2.2.2

  • create symlink for new binary
    ln -sf /usr/local/bin/openssl /usr/bin/openssl

OpenVPN

  • create /etc/hostname.tun0 so netstart creates the tun0 interface at boot
    touch /etc/hostname.tun0
  • install the lzo2 dependency, then download the source and build with flags so configure picks up the library under /usr/local. Unlike the install sets, this tarball is fetched over HTTPS with no signature check, so its integrity rests on the TLS connection alone; OpenVPN publishes detached signatures if you want to verify the tarball on another machine first
    pkg_add -iv lzo2; ftp -o - https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.tar.gz | pax -rvz
    cd openvpn-2.3.10; env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --sysconfdir=/etc; make; make install

OpenSMTPD

  • download source tarball, SHA256 checksum, and opensmtpd.pub signify key
    cd /usr/local/src; ftp https://www.opensmtpd.org/archives/opensmtpd-5.7.3p2.tar.gz
    ftp https://www.opensmtpd.org/archives/opensmtpd-5.7.3p2.sum.sig
    ftp -o /etc/signify/opensmtpd.pub https://www.opensmtpd.org/archives/opensmtpd.pub
  • Verify opensmtpd.pub key string matches twitter post https://twitter.com/OpenSMTPD/status/613257722574839808
  • Verify the embedded signature on opensmtpd-5.7.3p2.sum.sig and extract the signed message (-e); this writes the verified checklist to a new 'opensmtpd-5.7.3p2.sum' file
    signify -V -e -p /etc/signify/opensmtpd.pub -m opensmtpd-5.7.3p2.sum
  • Use that file to verify sha256 checksum of the opensmtpd-5.7.3p2.tar.gz tarball
    sha256 -C opensmtpd-5.7.3p2.sum opensmtpd-5.7.3p2.tar.gz
  • extract and build
    pax -rvzf opensmtpd-5.7.3p2.tar.gz; cd opensmtpd-5.7.3p2/smtpd; env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" make; make install

Tor

  • download (over HTTPS, with no signature check; Tor also publishes detached signatures), extract and build against the LibreSSL installed in /usr/local. --disable-gcc-hardening skips Tor's optional hardening compiler flags; the base compiler's default stack protector still applies
    cd /usr/local/src; ftp -o - https://www.torproject.org/dist/tor-0.2.7.6.tar.gz | pax -rvz
    cd tor-0.2.7.6; ./configure --sysconfdir=/etc --with-openssl-dir=/usr/local --disable-gcc-hardening --disable-asciidoc; make check; make install

Proxychains-ng

  • install build tools
    pkg_add git gmake
  • clone and build
    git clone -b openbsd https://github.com/rofl0r/proxychains-ng.git; cd proxychains-ng/
    ./configure --prefix=/usr/local --sysconfdir=/etc; gmake && gmake install

Cleanup

  • remove build tools
    pkg_delete git gmake
  • remove source files
    cd /root; rm -rf /usr/local/src/*
    exit

build a flashrd image from the customized OpenBSD chroot system

  • run flashrd against the chroot tree; it writes flashimg.i386-<date> into the current directory
    cd ~/flashrd; sudo ./flashrd ~/chrbsd

  • customize the flashrd image with things like com0 port, dns server, hostname, etc
    sudo cfgflashrd -i flashimg.i386-<date> -c 38400 -o onetime.tgz -t US/Pacific \
    -dns 213.73.91.35 -ntp us.pool.ntp.org -hostname flashrd.local ~/chrbsd/

New installations: writing the image direct to a CF card

  • insert a flash storage card, then use dmesg to find its device name and sector count (sd(4) prints a line like "sd3: ... sectors"; make sure you pick the card and not one of the build host's disks)
    dmesg | grep sectors
  • Note the number of sectors for the flash device and use that value to grow the image to fill the card
    cd ~/flashrd; sudo growimg -l <flash-device-sectors> flashimg.i386-<date>
  • You'll see some output like this:
    Grow completed. New 1923MB image is located at /tmp/growimg.cAelkm
  • Optionally copy or move the re-sized image file out of /tmp for longer term storage and safekeeping
    sudo mv /tmp/growimg.cAelkm ~/openbsd-5.8-flashrd-2GB.img
  • write the re-sized image directly to the flash device (if you moved it in the previous step, point if= at the new path). /dev/rsd3c might not be the correct device on your system, and dd will overwrite whatever disk you name without asking, so confirm the device with dmesg | grep sd first
    sudo dd if=/tmp/growimg.cAelkm of=/dev/rsd3c bs=1M
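
The dd step is the one place in this guide where a typo destroys the build host's disk, and growimg needs the card's sector count rather than its size in megabytes. The helper below, an added example that is not part of the flashrd wiki or the flashrd tools, reads the sector count and sector size for a named sd(4) device from dmesg output, checks that the grown image fits, and only then issues the dd. The dmesg line format ("sd3: 1923MB, 512 bytes/sector, 3938304 sectors") is OpenBSD's; the device name, image path and the optional file argument used to parse a saved dmesg offline are the example's own.

```shell
#!/bin/sh
# Added example, not from the flashrd wiki: refuse to dd an image onto a device
# that dmesg does not know about or that is too small for it.

# _dmesg [FILE]: the kernel message buffer, or FILE when given (lets the parser
# run against a saved dmesg for testing or for a card on another machine).
_dmesg() {
    if [ -n "${1:-}" ]; then cat "$1"; else dmesg; fi
}

# sectors_for DEV [FILE]: sector count sd(4) reported for DEV, e.g. "sd3".
# The last attachment wins if the card was plugged in more than once.
sectors_for() {
    _dmesg "${2:-}" | awk -v dev="$1:" \
        '$1 == dev && $NF == "sectors" { n = $(NF-1) } END { if (n) print n }'
}

# bytes_per_sector_for DEV [FILE]: sector size from the same line (512 or 4096).
bytes_per_sector_for() {
    _dmesg "${2:-}" | awk -v dev="$1:" \
        '$1 == dev && $4 == "bytes/sector," { b = $3 } END { if (b) print b }'
}

# image_fits IMAGE SECTORS [BYTES_PER_SECTOR]: 0 if IMAGE is no larger than the device.
image_fits() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le $(( $2 * ${3:-512} )) ]
}

# flash_image IMAGE DEV: run the checks, then write to the raw "c" partition
# (the whole disk) as the wiki does. Must run as root on the build host.
flash_image() {
    img=$1; dev=$2
    sectors=$(sectors_for "$dev")
    bps=$(bytes_per_sector_for "$dev")
    if [ -z "$sectors" ]; then
        echo "$dev: not present in dmesg, refusing to write" >&2; return 1
    fi
    if ! image_fits "$img" "$sectors" "${bps:-512}"; then
        echo "$img is larger than $dev ($sectors sectors), refusing to write" >&2; return 1
    fi
    echo "writing $img to /dev/r${dev}c ($sectors sectors of ${bps:-512} bytes)"
    dd if="$img" of="/dev/r${dev}c" bs=1M
}

# Usage on the build host:  flash_image ~/openbsd-5.8-flashrd-2GB.img sd3
```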

Upgrade installations: extracting bsd, openbsd.vnd, var.tar, and copying to /flash dir

  • extract bsd, openbsd.vnd, and var.tar files from the flashrd image and move them to 'imgfiles' dir
    sudo vnconfig vnd0 ~/flashrd/flashimg.i386-<date>
    sudo mount /dev/vnd0a /mnt; cp /mnt/bsd /mnt/openbsd.vnd /mnt/var.tar ~/imgfiles
    sudo umount /mnt; sudo vnconfig -u vnd0

  • move the files from ~/imgfiles on the build system to /flash/new dir on an existing flashrd system using scp
    scp ~/imgfiles/* user@flashrd.tld:/flash/new/

  • SSH into the existing flashrd system and create a list of files to back up which must survive the upgrade reboot:
    echo "/etc/hostname.* /etc/myname /etc/ssh /etc/passwd /etc/master.passwd /etc/pwd.db /etc/spwd.db /etc/pf.conf /etc/resolv.conf /etc/rc.conf.local /etc/group /etc/mail /var/unbound /var/nsd /etc/rc.flashrd.sub /etc/dhcpd.conf /etc/sysctl.conf /etc/ntpd.conf /etc/bgpd.conf /etc/rc.d/dnscrypt_proxy /etc/dhclient.conf" > /root/onetime-filelist

  • Use the pax utility to archive them in /flash/onetime.tgz
    pax -wz -s ',^/,,' -f /flash/onetime.tgz `cat /root/onetime-filelist`
  • Pax switches explained: -w (write) -z (gzip) -s ',^/,,' (strips the leading slash so the archive unpacks relative to /) -f (.tgz archive filename)
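
The onetime-filelist above includes paths that may not exist on a given box (/etc/bgpd.conf or /var/nsd when those services are not used); pax reports each missing path and carries on, so it is worth checking what actually went into the archive before rebooting. The helper below is an added example, not part of the flashrd wiki or the flashrd tools: it expands the list, warns about missing paths, writes the archive with the same -s ',^/,,' rewrite the wiki uses, and lists the members so the result can be inspected. It falls back to tar -C / on hosts without pax (an assumption made so it can also run on a non-OpenBSD machine); the list and archive paths in the usage line are the wiki's, everything else is the example's own.

```shell
#!/bin/sh
# Added example, not from the flashrd wiki: build the onetime.tgz that flashrd
# unpacks over / on first boot, skipping paths that do not exist on this box and
# listing the result so it can be checked before the reboot.

# existing_paths LISTFILE: print each path from LISTFILE that exists, expanding
# globs such as /etc/hostname.*; warn on stderr about the rest.
existing_paths() {
    for p in $(cat "$1"); do     # unquoted on purpose: split on whitespace, expand globs
        if [ -e "$p" ]; then
            echo "$p"
        else
            echo "warning: $p not present, skipping" >&2
        fi
    done
}

# make_onetime LISTFILE ARCHIVE: gzipped archive with the leading / stripped
# (the wiki's -s ',^/,,') so it unpacks relative to /. Uses pax as the wiki does;
# falls back to tar -C / on hosts without pax. Fails if nothing would be archived.
make_onetime() {
    paths=$(existing_paths "$1")
    if [ -z "$paths" ]; then
        echo "nothing to archive, not writing $2" >&2; return 1
    fi
    if command -v pax >/dev/null 2>&1; then
        echo "$paths" | pax -wz -s ',^/,,' -f "$2"
    else
        echo "$paths" | sed 's,^/,,' | tar -czf "$2" -C / -T -
    fi
}

# archive_members ARCHIVE: member names, one per line, for a post-build check.
archive_members() {
    if command -v pax >/dev/null 2>&1; then
        pax -zf "$1"
    else
        tar -tzf "$1"
    fi
}

# Usage on the flashrd box, with the wiki's paths:
#   make_onetime /root/onetime-filelist /flash/onetime.tgz && archive_members /flash/onetime.tgz
```

Members are listed without the leading slash, which is exactly how flashrd expects onetime.tgz to be laid out; if a path you need is missing from the listing, fix the list and rebuild before moving the new bsd and openbsd.vnd into place.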

  • move the existing bsd, openbsd.vnd and var.tar files to /flash/old
    mv /flash/{bsd,openbsd.vnd,var.tar} /flash/old/

  • move the updated system files from /flash/new to /flash as per the flashrd FAQ (http://www.nmedia.net/flashrd/flashrd-faq.html) and reboot
    mv /flash/new/* /flash/; reboot

First boot

  • login and sync the system time. rdate needs -n to use NTP; without it it speaks the RFC 868 time protocol on port 37, which pool.ntp.org hosts do not serve
    rdate -nv us.pool.ntp.org

  • set gateway
    vi /etc/mygate

  • update pkg.conf
    vi /etc/pkg.conf