GUIDE: Creating a chroot (to make drivers/packages etc.) on a working system



  • I was trying to upgrade the igb driver and needed an environment to compile the driver in on FreeBSD. So on my existing pfsense box, I just made a chroot and built the driver in there.

    Here's how it was done.

    
    # Scratch directory for the chroot, null-mounted at /freebsd
    mkdir -p /mnt/data/freebsd
    mkdir /freebsd
    mount_nullfs /mnt/data/freebsd /freebsd
    mkdir /freebsd/chroot
    cd /freebsd
    # Fetch the 8.1-RELEASE amd64 base distribution from the FreeBSD archive mirror
    /usr/local/bin/rsync -av ftp-archive.freebsd.org::FreeBSD-Archive/old-releases/amd64/8.1-RELEASE/base/ 8.1-RELEASE_amd64_base
    # Reassemble the split base.?? pieces and unpack them into the chroot
    cat 8.1-RELEASE_amd64_base/base.?? | tar --unlink -xpzvf - -C chroot
    # Give the chroot DNS, the host time zone and a /dev, then bring it to the latest 8.1 patch level
    cp /etc/resolv.conf chroot/etc/
    cp /etc/localtime chroot/etc/
    mount -t devfs devfs chroot/dev/
    chroot chroot/ freebsd-update fetch install
    
    

    Now the chroot is made and populated, enter the chroot

    
    chroot /freebsd/chroot/ tcsh
    
    

    Then install the source tree, as per http://www.cyberciti.biz/faq/freebsd-install-kernel-source-code/

    (install src > base and sys, be sure to set the configure>options kernel name to not include -p6 at the end)

    Use ftp://ftp-archive.freebsd.org///mirror/FreeBSD-Archive/old-releases/amd64/ as the FTP location when it asks

    
    sysinstall
    
    

    Then do what you want from there. Here's how I compiled the igb driver:

    
    mkdir -p /usr/src/igb
    cd /usr/src/igb
    # Point pkg_add at the archived 8.1-RELEASE package repo (tcsh syntax, since the chroot shell is tcsh)
    setenv PACKAGESITE http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/
    pkg_add -r wget
    # Fetch and unpack Intel's igb 2.2.3 driver source, then build and install it inside the chroot
    /usr/local/bin/wget http://downloadmirror.intel.com/15815/eng/igb-2.2.3.tar.gz
    tar xvf igb-2.2.3.tar.gz
    cd igb-2.2.3/src
    make
    make install
    
    

    Then I exited the chroot and copied the driver into place:

    
    exit
    # Back on the host in /freebsd: copy the built module into /boot/kernel, load it now and on every boot
    cp chroot/usr/src/igb/igb-2.2.3/src/if_igb.ko /boot/kernel
    kldload /boot/kernel/if_igb.ko
    echo 'if_igb_load="YES"' >> /boot/loader.conf.local
    
    

    I hope that helps anyone else looking to do the same.


  • Rebel Alliance Developer Netgate

    And it's all a colossally bad idea to do on the firewall. We don't include compiler tools for a reason, it's a security risk that isn't mitigated in any way by a chroot.

    Setting up a VM is free and easy these days, just grab virtualbox or similar and install from an iso in there, then compile and copy to the firewall.
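An added example, written from the defender's side and not part of either post: a POSIX sh function that audits a pfSense/FreeBSD root for the leftovers of the procedure above (compilers, a stale chroot tree, modules copied into /boot/kernel after the kernel was installed, and module autoloads added to /boot/loader.conf.local). The root-prefix argument, the list of tool paths and the output wording are assumptions made for this example.

```shell
# Added example (not from either poster): audit a pfSense/FreeBSD root for
# leftovers of the chroot-build procedure in this thread. $1 is the root to
# inspect (default /), so it can be pointed at a copied tree or a test dir.
# Prints one line per finding; the return value is the number of findings.
audit_firewall_root() {
    root="${1:-/}"; root="${root%/}"   # "" for /, so "$root/usr/bin" stays absolute
    findings=0

    # 1. Build toolchain: pfSense deliberately ships without compilers.
    for tool in usr/bin/cc usr/bin/gcc usr/bin/clang usr/bin/make \
                usr/bin/ld usr/local/bin/gcc; do
        if [ -x "$root/$tool" ]; then
            echo "build tool present: /$tool"
            findings=$((findings + 1))
        fi
    done

    # 2. A chroot with a source tree left behind (the thread uses /freebsd/chroot).
    if [ -d "$root/freebsd/chroot/usr/src" ]; then
        echo "chroot with source tree present: /freebsd/chroot"
        findings=$((findings + 1))
    fi

    # 3. Kernel modules newer than the kernel itself, i.e. copied into
    #    /boot/kernel after the install (the thread copies if_igb.ko there).
    kernel="$root/boot/kernel/kernel"
    if [ -f "$kernel" ]; then
        mods=$(find "$root/boot/kernel" -name '*.ko' -newer "$kernel")
        if [ -n "$mods" ]; then
            printf '%s\n' "$mods" | sed "s|^$root|module newer than kernel: |"
            findings=$((findings + $(printf '%s\n' "$mods" | grep -c .)))
        fi
    fi

    # 4. Extra module autoloads in loader.conf.local (the thread adds if_igb_load).
    conf="$root/boot/loader.conf.local"
    pat='^[[:space:]]*[A-Za-z0-9_]+_load[[:space:]]*=[[:space:]]*"?yes"?'
    if [ -f "$conf" ]; then
        loads=$(grep -Ei "$pat" "$conf") || true
        if [ -n "$loads" ]; then
            printf '%s\n' "$loads" | sed 's/^/module autoload in loader.conf.local: /'
            findings=$((findings + $(printf '%s\n' "$loads" | grep -c .)))
        fi
    fi

    return "$findings"
}
```

Run it as `audit_firewall_root /` on the firewall; a non-zero exit status means something the stock image does not ship was found.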



  • @jimp:

    And it's all a colossally bad idea to do on the firewall.

    Care to elaborate why?


  • Rebel Alliance Developer Netgate

    It's been discussed many times here on the forum, list, etc. It's a security risk, and also unnecessary bloat. If you need more detail than that, search around on here and it'll turn up.


Locked