GUIDE: Creating a chroot (to make drivers/packages etc.) on a working system

  • I was trying to upgrade the igb driver and needed an environment to compile the driver in on FreeBSD. So on my existing pfsense box, I just made a chroot and built the driver in there.

    Here's how it was done.

    mkdir -p /mnt/data/freebsd
    mkdir /freebsd
    mount_nullfs /mnt/data/freebsd /freebsd
    mkdir /freebsd/chroot
    cd /freebsd
    /usr/local/bin/rsync -av 8.1-RELEASE_amd64_base
    cat 8.1-RELEASE_amd64_base/base.?? | tar --unlink -xpzvf - -C chroot
    cp /etc/resolv.conf chroot/etc/
    cp /etc/localtime chroot/etc/
    mount -t devfs devfs chroot/dev/
    chroot chroot/ freebsd-update fetch install

    Now the chroot is made and populated, enter the chroot

    chroot /freebsd/chroot/ tcsh

    Then install the source tree, as per

    (install src > base and sys, be sure to set the configure>options kernel name to not include -p6 at the end)

    Use as the FTP location when it asks


    Then do what you want from there. Here's how I compiled the igb driver,

    mkdir -p /usr/src/igb
    cd /usr/src/igb
    setenv PACKAGESITE
    pkg_add -r wget
    tar xvf igb-2.2.3.tar.gz
    cd igb-2.2.3/src
    make install

    Then I exited the chroot and copied the driver into place,

    cp chroot/usr/src/igb/igb-2.2.3/src/if_igb.ko /boot/kernel
    kldload /boot/kernel/if_igb.ko
    echo 'if_igb_load="YES"' >> /boot/loader.conf.local

    I hope that helps anyone else looking to do the same.

  • Rebel Alliance Developer Netgate

    And it's all a colossally bad idea to do on the firewall. We don't include compiler tools for a reason, it's a security risk that isn't mitigated in any way by a chroot.

    Setting up a VM is free and easy these days, just grab virtualbox or similar and install from an iso in there, then compile and copy to the firewall.

  • @jimp:

    And it's all a colossally bad idea to do on the firewall.

    Care to elaborate why?

  • Rebel Alliance Developer Netgate

    It's been discussed many times here on the forum, list, etc. It's a security risk, and also unnecessary bloat. If you need more detail than that, search around on here and it'll turn up.
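
Added example, not part of any post in this thread and not pfSense project code: a shell audit for the point raised in the replies about compiler tools on the firewall. It lists toolchain binaries found under one or more root directories, so the live system and any chroot such as /freebsd/chroot can be checked together. The function name, the tool list and the directory list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: report build-toolchain binaries present under given roots.
# BUILD_TOOLS and BIN_DIRS are illustrative assumptions, not a pfSense standard.
# Usage (as root on the firewall): find_build_tools / /freebsd/chroot

BUILD_TOOLS="cc gcc clang c++ g++ cpp make gmake ld as"
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# find_build_tools ROOT...
# Prints one path per line for every executable toolchain binary found.
# Returns 0 when nothing was found (clean), 1 when at least one tool exists.
find_build_tools() {
    found=0
    for root in "$@"; do
        for dir in $BIN_DIRS; do
            for tool in $BUILD_TOOLS; do
                # Strip a trailing slash so "/" and "/freebsd/chroot/" both work.
                path="${root%/}/$dir/$tool"
                # -f follows symlinks, so "cc -> clang" style links are reported.
                if [ -f "$path" ] && [ -x "$path" ]; then
                    printf '%s\n' "$path"
                    found=1
                fi
            done
        done
    done
    return "$found"
}
```

A non-zero return makes the function usable from a periodic job that alerts when a compiler or linker appears on the firewall or inside a leftover chroot.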

