pfSense compile requirements for 3rd party software
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
Is my next step to run this?
./build.sh none
I kicked that off (and sorted out all the missing packages it needed) and would prefer to know if that isn't the right command before I let it run too long to find out otherwise.
I run this command to build the package tree:
./build.sh --update-pkg-repo -a amd64.amd64
That will build all the packages for AMD64/Intel architectures. You can just execute the shell script with no arguments to see all the available options like this:
./build.sh
I just rebuilt the jail in my RELEASE builder since I had to update it to the latest FreeBSD 12.3 with the recent 2.6.0 pfSense release, and it took about as long as yours. Much longer than I remembered from the past.
-
Thanks again, it appears to be running.
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
Thanks again, it appears to be running.
Some of the packages will take a long time to build, particularly the Rust language one. Just be patient. On my builder VM, Rust takes over 4 hours by itself. And it needs lots of RAM (more than 8 GB). What I did was create a very large extra swap partition for it to use during that build. Makes it take longer, but my ESXi host only has 32 GB of RAM to share among my active VMs.
If Rust fails to build, it will probably be due to resource limits. If that happens, simply kick off the same build again (use the same command) and the process will pick up where it left off. It is smart enough not to rebuild everything from scratch every time.
So if you see any package fail during the process, just let it keep going until the job stops. Then you can run it again to rebuild any failures. Like I said, most times the failures are due to resource exhaustion in my minimal builder VM.
-
That's good to know, I only gave the VM 8 gig, so I will expect the failures. So first build is a multiday event by the sound of it? ;)
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
That's good to know, I only gave the VM 8 gig, so I will expect the failures. So first build is a multiday event by the sound of it? ;)
Possibly, or at least a very long first day. After that, assuming you don't change any of the other ports' source code, each time you kick off a build it will only build your
miniupnpd
package (if you change theMakefile
version) and a couple of small pfSense packages that are rebuilt on each run (these have timestamp info for the current build). -
I've narrowed the build down to just 4 errors now, almost there.
[00:00:31] [01] [00:00:03] Finished databases/sqlite3@default | sqlite3-3.35.5_1,1: Failed: fetch [00:03:15] [01] [00:02:44] Finished databases/mysql57-client | mysql57-client-5.7.34: Failed: fetch [00:37:23] [01] [00:00:03] Finished net-mgmt/zabbix52-agent | zabbix52-agent-5.2.6: Failed: fetch [00:38:53] [01] [00:01:30] Finished security/stunnel | stunnel-5.59,1: Failed: fetch
The logs are showing 404 errors on the downloads. Seems like these aren't being hosted anymore. Any suggestions on what to do abut this?
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
I've narrowed the build down to just 4 errors now, almost there.
[00:00:31] [01] [00:00:03] Finished databases/sqlite3@default | sqlite3-3.35.5_1,1: Failed: fetch [00:03:15] [01] [00:02:44] Finished databases/mysql57-client | mysql57-client-5.7.34: Failed: fetch [00:37:23] [01] [00:00:03] Finished net-mgmt/zabbix52-agent | zabbix52-agent-5.2.6: Failed: fetch [00:38:53] [01] [00:01:30] Finished security/stunnel | stunnel-5.59,1: Failed: fetch
The logs are showing 404 errors on the downloads. Seems like these aren't being hosted anymore. Any suggestions on what to do abut this?
In your specific use case, I don't think these failures matter. So just ignore them. So long as none of the impacted ports are dependencies of
miniupnpd
, then their failure to build won't matter. I think you were interested in building justminiupnpd
.Now at some point you will want to update your builder to 2.6.0 (RELENG_2_6_0 is the official branch name). But if the firewall you are testing on is at 2.5.2, then you want to keep your builder on the same version. The failures are likely the result of the older Ports tree which was based on FreeBSD-12.2.
FYI -- my RELEASE builder is just now finishing up the final packages for RELENG_2_6_0.
-
Where are the resulting packages being placed? I've scoured the whole hard drive, and cannot find them. They must not have a .pkg extension.
I think I can fix the other errors by placing the files it needs in /portdistfiles. The logs indicate it checks there after giving up on a direct download, but its good to know that doesn't matter.
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
Where are the resulting packages being placed? I've scoured the whole hard drive, and cannot find them. They must not have a .pkg extension.
The packages are put in
/usr/local/poudriere/data/packages/{release}
. So navigate to that directory and then in it will be symlinks. The symlink that contains the package files is named/All
. -
@bmeeks said in pfSense compile requirements for 3rd party software:
files is named /All.
Thanks! I have a binary I can test now. :)
-
My favorite tool for connecting to my builders, browsing around there, and transferring files back and forth to my Windows PC is WinSCP.
-
My build worked, all those pesky ioctl errors are gone!
So now I am trying to change the source code, but not quite fully understanding this environment.
I figured I'd have to switch to this directory:
/usr/local/poudriere/ports/pfSense_v2_5_2/net/miniupnpd
In there I can run "make extract", edit my code in the work folder, and then run the "make makepatch". Seems to work as desired.
I edited the version in the Makefile in that same directory, and when I ran the full build from the main build dir as before, it cleaned out the old miniupnpd I built earlier, but failed to build the new one. It fails because the first thing it tries to do is download the dist file with the new version, which doesn't exist.
What's the trick here?
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
My build worked, all those pesky ioctl errors are gone!
So now I am trying to change the source code, but not quite fully understanding this environment.
I figured I'd have to switch to this directory:
/usr/local/poudriere/ports/pfSense_v2_5_2/net/miniupnpd
In there I can run "make extract", edit my code in the work folder, and then run the "make makepatch". Seems to work as desired.
I edited the version in the Makefile in that same directory, and when I ran the full build from the main build dir as before, it cleaned out the old miniupnpd I built earlier, but failed to build the new one. It fails because the first thing it tries to do is download the dist file with the new version, which doesn't exist.
What's the trick here?
Yea, I would not do the extraction in the build directory. That is a magic ZFS file system. I would instead use the native ports path of
/usr/ports/net/miniupnpd
. Do all of your work there, and then produce the patch diff file. Copy that single diff file to the/files
subdirectory of the port on the builder.When changing the
Makefile
version, don't change the major or minor version. Instead, use the PORTREVISION tag. Here is an example from an old Suricata GUI package:PORTNAME= pfSense-pkg-suricata PORTVERSION= 6.0.3 PORTREVISION= 4
If there is no PORTREVISION tag in your file, add it and start at 1 and increment by 1 for each build. That will produce a package file with an underscore on the end of the port name followed by the port revision. So this example
Makefile
produced a package named pfSense-pkg-suricata-6.0.3_4. -
@bmeeks
Thanks again so very much for all the help.
I think I am finally there. That last bit was the final hurdle. The build is fully clean of errors, and the app runs cleanly at runtime.I can see my own debug messages, and miniupnpd is working as well as it does with the package that ships with 2.5.2.
That was a process, but worth it. Thanks again to @jimp as well for helping out with the patching commands.
My progress on actually getting miniupnpd to work behind a double NAT will be over here:
https://forum.netgate.com/topic/169773/miniupnp-full-cone-double-natincorrectly-adding-rules/8?_=1644582288930
I'll make one additional post here soon, to capture the whole process, step by step. Just need to write/clean it up.
Cheers!
-
@bmeeks
What do you folks use for an IDE to make browsing through C code easier than grepping? Or perhaps, do you use an IDE? -
@encrypt1d said in pfSense compile requirements for 3rd party software:
@bmeeks
What do you folks use for an IDE to make browsing through C code easier than grepping? Or perhaps, do you use an IDE?I personally have never been too fond of IDEs. I did once work for a short time in one of the Microsoft tools when I was doing Windows-related development where I worked.
I started programming at the literal 1s and 0s of raw machine language, then graduated to assembly. Not much in the way of IDE for that . I later moved on to C, C++, C#, a touch of Java, and then some PL/SQL while working with- and administering- some Oracle databases.
These days I do only PHP for the GUI code in the Snort and Suricata packages, and then C for making customizations in the underlying binaries.
-
@encrypt1d said in pfSense compile requirements for 3rd party software:
What do you folks use for an IDE to make browsing through C code easier than grepping? Or perhaps, do you use an IDE?
I use UltraEdit on Linux and Windows for most things. Not really as a full IDE, mostly as a code editor with lots of nice features. On systems where I don't have a license for that I use Kate, Notepad++, or TextMate.
-
Thanks.
Really just looking for something that speeds up GUI browsing on FreeBSD, not a full IDE. Tracing function calls is much easier that way.
I was a developer for the first 10 years of my career, and miss those tools (C on VXWorks with a proprietary IDE, then moved on to C++/Visual Studio, Java/Eclipse etc). They were multimillion line code repos, so grep just didn't cut it. I googled around bit, but it gets religious fast. -
One other thing I forgot to mention about the incremental building during development/troubleshooting is that I found it easier to do my initial work totally within the
/usr/ports/*
tree and leave the Poudriere tree alone at first. This way I can run a quickmake
in the/usr/ports/*
directory to check for stupid C syntax errors or other coding oversights I may generate with my changes. You get immediate feedback of errors there via the console.When you run the
./build.sh
script to fire off the build within the package builder, any compilation errors are buried in a corresponding log file down in the/usr/local/poudriere/
tree. You can find the log, but it's a bit of effort.So I do my initial compile in the regular
/usr/ports/
tree to make sure my code compiles successfully. Then, if it does, I will copy my patch diff over to the Poudriere tree and kick off the package builder so I get a package I can copy over to pfSense and actually execute. -
As promised, below is a full summary of everything I needed to do to get pfSense FreeBSD port builds working in an unofficial non-Netgate environment.
Why? My motivation was simple, and that was to develop a code fix to an issue within a package that pfSense uses, and has been broken since 2.4.5 for some configurations.
Note - only Netgate may produce official builds with the pfSense product ID. These steps are for debugging and exploratory purposes only.
Steps:
- Build a VM and install FreeBSD
- Install package dependencies
- Clone the git repos
- Edit the build.conf
- Edit the builder_common.sh
- Run the build setup
- Prepare the Poudriere environment
- Build ports
- Change code and build new package versions
Step 1) Build a VM
-
Use your favorite virtualization software to create a FreeBSD compatible VM with as many cores and as much RAM as you can throw at it. I used 4 CPUs, and 24 GB (eventually). My initial VM had 8GB which was insufficient.
-
Download the FreeBSD ISO corresponding to your pfSense revision, in this case 2.5.2 is build on FreeBSD 12.2 STABLE.
-
Boot the VM with the FreeBSD ISO you downloaded, and be sure to use ZFS for the filesystem! I selected to include the Ports Tree and the System Source Tree in my install. You cannot create a jail on a non-ZFS filesystem.
Step 2) Install package dependencies
You will need these packages to get started.
Running as root:pkg install git pkg install poudriere pkg install rsync pkg install screen pkg install nginx
Step 3) Clone the git repos
Make a build folder, such as /build, change to it, and then start cloning.mkdir /build cd /build cd /build;git clone https://github.com/pfsense/pfsense.git cd /build/pfsense;git checkout RELENG_2_5_2 cd /build;git clone https://github.com/pfsense/FreeBSD-ports.git cd /build/FreeBSD-ports;git checkout RELENG_2_5_2
You now have the following folders:
/build/pfsense /build/FreeBSD-ports
4) Edit the build.conf
In the folder /build/pfsense:cp build.conf.sample build.conf
Then edit the build.conf file and ensure you use the following options set:
export PRODUCT_NAME="pfSense" export BUILD_AUTHORIZED_BY_NETGATE=yes export FREEBSD_REPO_BASE=https://github.com/pfsense/FreeBSD-src.git export FREEBSD_BRANCH="RELENG_2_5_2" export PKG_REPO_SERVER_DEVEL="pkg+https://beta.pfsense.org/packages" export PKG_REPO_SERVER_RELEASE="pkg+https://pkg.pfsense.org" export PKG_REPO_SERVER_STAGING="pkg+https://pkg.pfsense.org" export SKIP_FINAL_RSYNC=YES
5) Edit the builder_common.sh script
This file is in:/build/pfsense/tools/builder_common.sh
You want to make 2 changes, the first is to comment out the following:
# if [ "${PRODUCT_NAME}" = "pfSense" -a -n "${GNID_REPO_BASE}" ]; then # echo ">>> Obtaining gnid sources..." # ${BUILDER_SCRIPTS}/git_checkout.sh \ # -r ${GNID_REPO_BASE} \ # -d ${GNID_SRC_DIR} \ # -b ${GNID_BRANCH} # fi
Next comment out this line:
#pkg install ${PRODUCT_NAME}-builder
6) Run the build setup
cd /build/pfsense ./build.sh --setup
If anything fails, you'll have to determine the reason. Assuming the previous instructions have been followed everything should be fine.
7) Prepare the Poudriere environment
Now the really long command. This creates the Poudriere jail environment for building the ports. This took 11 hours on a core i7-11800H with an NVME SSD. Unfortunately it does not update the screen with any progress info.cd /build/pfsense ./build.sh --setup-poudriere
8) Build ports
We're now ready to try building the port tree, which failed on the first go due to missing package dependencies for me.cd /build/pfsense ./build.sh --update-pkg-repo -a amd64.amd64
I was missing these packages, you might be missing others:
sysutils/vmdktool emulators/qemu-user-static archivers/gtar textproc/xmlstarlet
They were not available in my repo for a simple "pkg install" command, so I compiled and installed them from the ports tree we cloned earlier:
cd /build/FreeBSD-ports/sysutils/vmdktool/;make package pkg install /build/FreeBSD-ports/sysutils/vmdktool/work/pkg/vmdktool-1.4.pkg cd /build/FreeBSD-ports/emulators/qemu-user-static/;make package pkg install /build/FreeBSD-ports/emulators/qemu-user-static/work/pkg/qemu-user-static-3.1.0_12.pkg cd /build/FreeBSD-ports/archivers/gtar; make package pkg install /build/FreeBSD-ports/archivers/gtar/work/pkg/gtar-1.34.pkg cd /build/FreeBSD-ports/textproc/xmlstarlet; make package pkg install /build/FreeBSD-ports/textproc/xmlstarlet/work/pkg/xmlstarlet-1.6.1.pkg
After that, the build ran but a number failed due to missing dist files it wasn't able to fetch. You can see exactly what it is trying to fetch from the repos in the build logs (one for each package) it points you to in the output. Mine was missing the following files:
sqlite-src-3350500.zip zabbix-5.2.6.tar.gz mysql-boost-5.7.34.tar.gz stunnel-5.59.tar.gz
I found them on the internet and placed them in:
/usr/ports/distfiles
After this, the build moved on. Then the "rust" package failed to build due to resource exhaustion (remember my original machine only had 8 GB RAM). I upped the VM RAM to 24 GB and then it passed. If you have less memory, keep trying - theoretically it should eventually finish.
Now the build ran to completion. It does fail on the signature step, but that's expected since we don't have the environment to sign the build (nor should we!).
9) Change code and build new package versions
Changing the code is a bit tricky, and one needs to be cautious on how it all works.
a) Extract the source
b) Copy it elsewhere and make your change
c) Copy it back
d) Make your patch
e) Copy your patch to the jail
f) Update your port revision to trigger a compile
g) Test your code on a pfSense non-production firewalla) Extract the Source
We will assume our package name is "foo"cd /build/FreeBSD-ports/foo make clean make extract
This places the source code in (the x's are a version number)
/build/FreeBSD-ports/foo/work/foo-x.x/
b) Copy your code elsewhere
Find the source files you want to change and make 2 copies of each to somewhere outside of this folder (the "work" folder gets deleted each time you run "make clean" so you want to keep your changes safe and sound somewhere else).cp source1.c /tmp/source1.c cp source1.c /tmp/source1.c.orig cp source1.c /tmp/source1.h cp source1.c /tmp/source1.h.orig
The .orig files are needed for patching later (do not change them), and the .c/.h files are where you make your changes. This step is only done once for each new file you change.
c) After editing, copy these files back
cp /tmp/source1.c /build/FreeBSD-ports/foo/work/foo-x.x/ cp /tmp/source1.c.orig /build/FreeBSD-ports/foo/work/foo-x.x/ cp /tmp/source1.h /build/FreeBSD-ports/foo/work/foo-x.x/ cp /tmp/source1.h.orig /build/FreeBSD-ports/foo/work/foo-x.x/
d) Make the patch (or just do test compiles)
cd /build/FreeBSD-ports/foo/ make makepatch #Creates the diff file OR make package #test compile
The makepatch command creates patch (diff) files (with names like patch-source1.c) in
/build/FreeBSD-ports/foo/files/
e) Copy the patches to the jail
Now in order to have the port build see the patch, copy them here. Your folder may be named differently depending on your release./usr/local/poudriere/ports/pfSense_v2_5_2/net/miniupnpd/files/
f) Edit the Makefile
Edit the Makefile for your port, for example:vi /usr/local/poudriere/ports/pfSense_v2_5_2/foo/Makefile
Change the port revision, and increase it by 1, for example:
PORTREVISION=2
g) Build your patched port
Run your build again, it should now create a new package for your patched codecd /build/pfsense ./build.sh --update-pkg-repo -a amd64.amd64
If all went well, your package is in (or a similar folder):
/usr/local/poudriere/data/packages/pfSense_v2_5_2_amd64-pfSense_v2_5_2/All/
Copy it to your test firewall (best not to test in production right?)
From an ssh shell on the firewall, you can replace the package with:pkg add -f foo.x.x.txz
If you need to revert to the original package from the distro:
pkg delete -f foo pkg install foo
A note on building iterations of your package:
I found it was best to script the synchronization of the files I was changing, and the copying of the patch files, so I can start with a known baseline for every pass. The idea is this:make clean
make extract
copy my changed and .orig files over the freshly extracted code
remove old patch files from poudriere jail folder and the working port folder
make makepatch
copy new patch files to poudriere jail folder
Uprev the Port revision
BuildAnd that's it. Thanks again to @bmeeks and @jimp for helping me with this.