customized chroot builds

Seth edited this page May 7, 2015 · 93 revisions

This guide takes the user step by step through the process of building and customizing an OpenBSD installation inside of a chroot, and then building a flash-rd image from it.

Create and update the base chroot system

  • install a current release of OpenBSD if you don't already have access to one

  • patch the system
    sudo ftp -o /usr/local/sbin/openup https://stable.mtier.org/openup; sudo chmod +x /usr/local/sbin/openup; sudo openup

  • edit fstab so that a separate OpenBSD system tree located on the /home partition can be used as a chroot
    sudo vi /etc/fstab

  • remove the "nodev" option from the /home partition mount line. This allows the chroot /dev/tty device to be created.

  • save /etc/fstab and then remount the '/home' filesystem
    sudo mount -u -o dev /home

  • or simply reboot

  • Install git and clone the flashrd software
    cd ~; sudo pkg_add git; git clone https://github.com/yellowman/flashrd.git

  • install the OpenBSD system sources. (This takes a while, so pick the fastest mirror available and find something else to do while it runs)
    cd /usr; sudo cvs -d [email protected]:/cvs -q get -rOPENBSD_5_7 src

  • create two folders; one for the OpenBSD chroot system and one for the extracted flashrd image files, then change into the 'chrbsd' dir before downloading install sets
    mkdir ~/{chrbsd,imgfiles}; cd ~/chrbsd

Download, verify and extract the install sets

  • Critical /etc files like passwd and group appear to be missing from the 5.7 install sets. As a workaround, get them from the etc56.tgz set, then remove the sendmail config junk no longer used from /etc/mail
    ftp -o - http://mirrors.sonic.net/openbsd/5.6/i386/etc56.tgz | sudo pax -rvz -p e; sudo rm ~/chrbsd/etc/mail/*

  • Now set some variables with the download URL and filenames to make life easier
    export MIR=http://mirrors.sonic.net/openbsd/5.7/i386 SETS='base57.tgz man57.tgz comp57.tgz xbase57.tgz' SIG='SHA256 SHA256.sig'

  • Use these variables in a 'for loop' to automate the download process
    for i in $SETS; do ftp $MIR/$i; done; for i in $SIG; do ftp $MIR/$i; done

  • Check file integrity of downloaded install sets by first verifying the SHA256 checklist signature
    signify -V -p /etc/signify/openbsd-57-base.pub -m SHA256

  • Then verify the SHA256 checksum for each install set tarball
    sha256 -C SHA256 $SETS

  • extract set tarballs preserving permissions and attributes, then remove tarballs and signature files
    for i in $SETS; do sudo pax -rvzf $i -p e; done; rm *.tgz SHA256*
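The download, signify and checksum steps above run as separate one-liners joined with `;`, so a failed signature or checksum does not stop the extraction that follows. The script below is an added example (not part of the flashrd project) that chains the same steps fail-closed: nothing is extracted into the chroot unless the SHA256 list verifies against the signify key and every set matches it. It assumes the mirror URL, key path and set names from the page, and a working directory that already is the chroot root.

```sh
#!/bin/sh
# Added example (not flashrd's own code): verify OpenBSD install sets
# fail-closed before extracting them into the chroot. Assumes the
# current directory holds the sets plus the SHA256 and SHA256.sig files.

# Print the SHA-256 of a file with whatever tool is present
# (sha256sum on Linux, sha256 on OpenBSD, openssl elsewhere).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v sha256 >/dev/null 2>&1; then
    sha256 -q "$1"
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# verify_sets CHECKLIST SET... : every named set must have a line
# "SHA256 (name) = hex" in CHECKLIST and must match it; returns 1 on
# the first missing entry or mismatch (same format sha256 -C reads).
verify_sets() {
  list=$1; shift
  for set in "$@"; do
    want=$(sed -n "s/^SHA256 ($set) = //p" "$list")
    [ -n "$want" ] || { echo "no entry for $set in $list" >&2; return 1; }
    have=$(sha256_of "$set")
    [ "$have" = "$want" ] || { echo "checksum mismatch: $set" >&2; return 1; }
  done
}

# fetch_verify_extract MIRROR PUBKEY SET... : mirror, signify key and
# set names follow the page (e.g. /etc/signify/openbsd-57-base.pub).
# The signature check runs before any checksum is trusted, and nothing
# is extracted unless both checks pass.
fetch_verify_extract() {
  mir=$1; pub=$2; shift 2
  for f in "$@" SHA256 SHA256.sig; do ftp -o "$f" "$mir/$f" || return 1; done
  signify -V -p "$pub" -m SHA256 || return 1
  verify_sets SHA256 "$@" || return 1
  for set in "$@"; do pax -rzf "$set" -p e || return 1; done
}
```

Run it as root from ~/chrbsd, for example `fetch_verify_extract "$MIR" /etc/signify/openbsd-57-base.pub $SETS` with the variables set as on the page.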

  • prepare extracted system install set folder for chroot by creating devices
    cd ~/chrbsd/dev; sudo ./MAKEDEV std

  • copy openup to chroot system
    sudo cp /usr/local/sbin/openup ~/chrbsd/usr/local/sbin/

  • copy pkg.conf to chroot system
    sudo cp /etc/pkg.conf ~/chrbsd/etc/

  • enter the chroot system
    sudo chroot ~/chrbsd /bin/ksh

  • fix name resolution
    echo "nameserver 213.73.91.35" > /etc/resolv.conf

  • patch chroot system with latest updates using openup
    openup

  • remove the openup binpatch files from /var to conserve space
    rm -rf /var/db/binpatch/*

  • install desired software from packages
    pkg_add dnstop drill pftop toprump rsync iperf dnscrypt-proxy # polipo tor whatevs

  • Manually add any users and groups needed to run services. dnscrypt-proxy example:
    groupadd -g 688 _dnscrypt-proxy
    useradd -c 'dnscrypt-proxy user' -d /var/empty -g 688 -s /sbin/nologin -u 688 _dnscrypt-proxy

build and install custom software from source

  • Create a working 'src' directory and change into it
    mkdir /usr/local/src; cd /usr/local/src

OpenVPN

  • create tun adapter
    touch /etc/hostname.tun0
  • install dependency, download source and build with flags to pick up the lzo2 library
    pkg_add -iv lzo2; ftp -o - https://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz | pax -rvz
    cd openvpn-2.3.6; env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --sysconfdir=/etc; make; make install

OpenSMTPD

  • download source and SHA256 checksum
    cd /usr/local/src; ftp https://www.opensmtpd.org/archives/opensmtpd-5.4.5.tar.gz
    ftp https://www.opensmtpd.org/archives/opensmtpd-5.4.5.sum
  • Verify sha256 checksum
    sha256 -C opensmtpd-5.4.5.sum opensmtpd-5.4.5.tar.gz
  • build
    pax -rvzf opensmtpd-5.4.5.tar.gz; cd opensmtpd-5.4.5/smtpd; make; make install

Tor

  • extract and build
    cd /usr/local/src; ftp -o - https://www.torproject.org/dist/tor-0.2.5.12.tar.gz | pax -rvz
    cd tor-0.2.5.12; ./configure --disable-asciidoc --sysconfdir=/etc; make check; make install

Proxychains-ng

  • install build tools
    pkg_add git gmake
  • clone and build
    git clone -b openbsd https://github.com/rofl0r/proxychains-ng.git; cd proxychains-ng/
    ./configure --prefix=/usr/local --sysconfdir=/etc; gmake && gmake install

Cleanup

  • remove build tools
    pkg_delete git gmake
  • remove source files
    cd /root; rm -rf /usr/local/src/*
    exit

build a flashrd image from the customized OpenBSD chroot system

cd ~/flashrd; sudo ./flashrd ~/chrbsd

  • customize the flashrd image with things like com0 port, dns server, hostname, etc
    sudo cfgflashrd -i flashimg.i386-date -c 38400 -o onetime.tgz -t US/Pacific \
    -dns 213.73.91.35 -ntp us.pool.ntp.org -hostname flashrd.local ~/chrbsd/

New installations: writing the image direct to a CF card

  • insert a flash storage card and then run the following command to determine the media sector count
    dmesg | grep sectors
  • Note the number of sectors for the flash device and use that value in this command
    cd ~/flashrd; sudo growimg -l <flash-device-sectors> flashimg.i386-<date>
  • You'll see some output like this:
    Grow completed. New 1923MB image is located at /tmp/growimg.cAelkm
  • Optionally copy or move the re-sized image file out of /tmp for longer term storage and safekeeping
    sudo mv /tmp/growimg.cAelkm ~/openbsd-5.7-flashrd-2GB.img
  • write the re-sized image directly to the flash device (if you moved the image out of /tmp in the previous step, use its new path). /dev/rsd3c might not be the correct device on your system; dd overwrites whatever it is pointed at, so use dmesg | grep sd to confirm the correct device first
    sudo dd if=/tmp/growimg.cAelkm of=/dev/rsd3c bs=1M
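The growimg and dd steps above depend on reading the right sector count and device name out of dmesg by eye. The script below is an added example (not part of the flashrd project) that pulls the sector count for a named device from dmesg text, checks that the grown image actually fits on it, and refuses to run dd against a device that has mounted partitions. The dmesg lines are constructed sample input; `write_flash` is a hypothetical wrapper around the page's dd command.

```sh
#!/bin/sh
# Added example (not flashrd's own code): pick the sector count for
# growimg from dmesg and refuse to dd an image that is larger than the
# target device. The dmesg text below is constructed sample input.

SAMPLE_DMESG='sd0 at scsibus0 targ 0 lun 0: <ATA, WDC WD5000AAKX, 15.0> SCSI3 0/direct fixed
sd0: 476940MB, 512 bytes/sector, 976773168 sectors
sd3 at scsibus3 targ 1 lun 0: <Generic, USB CF Reader, 1.00> SCSI2 0/direct removable
sd3: 1907MB, 512 bytes/sector, 3907008 sectors'

# device_sectors DEV : print the sector count dmesg reports for DEV
# (e.g. sd3); reads dmesg text from stdin. Fails if DEV is not found.
device_sectors() {
  sed -n "s/^$1: .* \([0-9][0-9]*\) sectors\$/\1/p" | tail -n 1 | grep .
}

# image_fits IMAGE_BYTES SECTORS [SECTOR_BYTES] : succeed only when the
# grown image fits on the device; CF cards here use 512-byte sectors.
image_fits() {
  bytes=$1; sectors=$2; ssz=${3:-512}
  [ "$bytes" -le $((sectors * ssz)) ]
}

# write_flash DEV IMAGE : the dd step from the page, gated on the size
# check and on DEV not being mounted anywhere (so a typo like sd0 for
# sd3 does not overwrite the build host's disk).
write_flash() {
  dev=$1; img=$2
  sectors=$(dmesg | device_sectors "$dev") || { echo "no $dev in dmesg" >&2; return 1; }
  if mount | grep -q "^/dev/$dev"; then
    echo "$dev has mounted partitions, refusing" >&2; return 1
  fi
  size=$(wc -c < "$img")
  image_fits "$size" "$sectors" || { echo "$img does not fit on $dev" >&2; return 1; }
  dd if="$img" of="/dev/r${dev}c" bs=1M
}
```

On the build host you would run `sudo sh -c '. ./thisfile; write_flash sd3 /tmp/growimg.cAelkm'` with the device and image path from your own dmesg and growimg output.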

Upgrade installations: extracting bsd | openbsd.vnd | var.tar and copying to /flash dir

  • extract bsd | openbsd.vnd | var.tar files from the flashrd image and move them to 'imgfiles' dir
    sudo vnconfig vnd0 ~/flashrd/flashimg.i386-<date>
    sudo mount /dev/vnd0a /mnt; cp /mnt/bsd /mnt/openbsd.vnd /mnt/var.tar ~/imgfiles
    sudo umount /mnt; sudo vnconfig -u vnd0

  • move the files from ~/imgfiles on the build system to /flash/new dir on an existing flashrd system using scp
    scp ~/imgfiles/* [email protected]:/flash/new/

  • SSH into the existing flashrd system and create a list of files to back up which must survive the upgrade reboot:
    echo "/etc/hostname.* /etc/myname /etc/ssh /etc/passwd /etc/master.passwd /etc/pwd.db /etc/spwd.db /etc/pf.conf /etc/resolv.conf /etc/rc.conf.local /etc/group /etc/mail /var/unbound /var/nsd /etc/rc.flashrd.sub /etc/dhcpd.conf /etc/sysctl.conf /etc/ntpd.conf /etc/bgpd.conf /etc/rc.d/dnscrypt_proxy /etc/dhclient.conf" > /root/onetime-filelist

  • Use the pax utility to archive them in /flash/onetime.tgz
    pax -wz -s ',^/,,' -f /flash/onetime.tgz `cat /root/onetime-filelist`

  • Pax switches explained: -w (write) -z (gzip) -s ',^/,,' (strips leading slash) -f (.tgz archive filename)

  • move existing bsd | openbsd.vnd | var.tar files to /flash/old
    mv /flash/{bsd,openbsd.vnd,var.tar} /flash/old/

  • move the updated system files from /flash/new to /flash as per the flashrd FAQ (http://www.nmedia.net/flashrd/flashrd-faq.html) and reboot
    mv /flash/new/* /flash/; reboot

First boot

  • login and sync the system time
    rdate -v us.pool.ntp.org

  • set gateway
    vi /etc/mygate

  • update pkg.conf
    vi /etc/pkg.conf