GUIDE: Creating a chroot (to make drivers/packages etc.) on a working system
-
I was trying to upgrade the igb driver and needed an environment to compile the driver in on FreeBSD. So on my existing pfSense box, I just made a chroot and built the driver in there.
Here's how it was done.
mkdir -p /mnt/data/freebsd
mkdir /freebsd
mount_nullfs /mnt/data/freebsd /freebsd
mkdir /freebsd/chroot
cd /freebsd
/usr/local/bin/rsync -av ftp-archive.freebsd.org::FreeBSD-Archive/old-releases/amd64/8.1-RELEASE/base/ 8.1-RELEASE_amd64_base
cat 8.1-RELEASE_amd64_base/base.?? | tar --unlink -xpzvf - -C chroot
cp /etc/resolv.conf chroot/etc/
cp /etc/localtime chroot/etc/
mount -t devfs devfs chroot/dev/
chroot chroot/ freebsd-update fetch install
Now the chroot is made and populated, enter the chroot
chroot /freebsd/chroot/ tcsh
Then install the source tree, as per http://www.cyberciti.biz/faq/freebsd-install-kernel-source-code/
(install src > base and sys, be sure to set the configure>options kernel name to not include -p6 at the end)
Use ftp://ftp-archive.freebsd.org///mirror/FreeBSD-Archive/old-releases/amd64/ as the FTP location when it asks
sysinstall
Then do what you want from there. Here's how I compiled the igb driver,
mkdir -p /usr/src/igb
cd /usr/src/igb
setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/
pkg_add -r wget
/usr/local/bin/wget http://downloadmirror.intel.com/15815/eng/igb-2.2.3.tar.gz
tar xvf igb-2.2.3.tar.gz
cd igb-2.2.3/src
make
make install
Then I exited the chroot and copied the driver into place,
exit
cp chroot/usr/src/igb/igb-2.2.3/src/if_igb.ko /boot/kernel
kldload /boot/kernel/if_igb.ko
echo 'if_igb_load="YES"' >> /boot/loader.conf.local
I hope that helps anyone else looking to do the same.
-
And it's all a colossally bad idea to do on the firewall. We don't include compiler tools for a reason: it's a security risk that isn't mitigated in any way by a chroot.
Setting up a VM is free and easy these days; just grab VirtualBox or similar and install from an ISO in there, then compile and copy to the firewall.
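
The reply above recommends compiling in a VM and copying the result to the firewall. As an added example that is not part of the thread, the following sketch checks that the module arriving on the firewall is the one that was built, by comparing its SHA-256 against a digest recorded on the build VM. The function names and the /tmp staging path are assumptions.

```shell
#!/bin/sh
# Added example: verify a kernel module built on a separate VM before
# placing it on the firewall. Function names here are hypothetical.
#
# On the build VM:   sha256 -q if_igb.ko      (record the digest)
# On the firewall:   install_verified_module /tmp/if_igb.ko <digest> /boot/kernel \
#                        && kldload /boot/kernel/if_igb.ko

# Print the SHA-256 of a file as lowercase hex, using whichever tool exists.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"            # FreeBSD base system tool
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# install_verified_module MODULE EXPECTED_SHA256 DEST_DIR
# Returns 0 after copying, 1 on digest mismatch, 2 on bad input.
# Nothing is written to DEST_DIR unless the digest matches.
install_verified_module() {
    module=$1 expected=$2 dest=$3
    [ -f "$module" ] || { echo "missing: $module" >&2; return 2; }
    # The expected digest must be exactly 64 hex characters.
    case $expected in
        *[!0-9a-fA-F]*) echo "bad digest format" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$module") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $module: got $actual" >&2
        return 1
    fi
    # Copy under a temporary name, then rename, so a partially written
    # file never sits at the path the loader reads.
    name=$(basename "$module")
    tmp="$dest/.$name.$$"
    cp "$module" "$tmp" && chmod 0555 "$tmp" && mv "$tmp" "$dest/$name"
}
```

Carry the digest to the firewall over a different channel than the module itself (for example, read it off the VM console), otherwise a tampered transfer can replace both.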
-
-
It's been discussed many times here on the forum, list, etc. It's a security risk, and also unnecessary bloat. If you need more detail than that, search around on here and it'll turn up.