HOWTO create a new linux_base port

FreeBSD is in need of a new linux_base port. It has been on my TODO list for a long time, but I have not found the time to create one. I still do not have the time to work on a new one, but by the time you read this, I have managed to find the time to write a HOWTO which describes what needs to be done to create a new linux_base port.

I will not describe how to create a new linux_base port from scratch; I will just describe how you can copy the last one and update it to something newer, based upon the existing infrastructure for RPM packages.

Specific questions which come up while porting a new Linux release should be asked on freebsd-emulation@FreeBSD.org; there are more people who can answer questions there than here in my blog. I will add useful information to this HOWTO if necessary.

In the easy case, most of the work is searching for the right RPMs and their dependencies to use, and creating the plist.

Why do we need a new linux_base port?

The current linux_base port is based upon Fedora 10, which has been end of life since December 2009. Even Fedora 13 is already end of life. Fedora 16 is supposed to be released this year. From a support point of view, Fedora 15 or maybe even Fedora 16 would be a good target for the next linux_base port. Other alternatives would be to use an extended lifetime release of another RPM based distribution, for example CentOS 6 (which seems to be based upon Fedora 12 with backports from Fedora 13 and 14). Using a Linux release which is said to be supported for at least 10 years sounds nice from a FreeBSD point of view (only minor changes to the Linux ports in such a case, instead of creating a completely new linux_base every N+2 releases as with Fedora), but it also means additional work if you want to create the first linux_base port for it.

The mysteries you have to conquer if you want to create a new linux_base port

What we do not know is whether Fedora 15/16, CentOS 6, or any other Linux release will work in a supported FreeBSD release. There are two ways to find this out.

The first one is to take an existing Linux system, chroot into it (either via NFS or after making a copy into a directory of a FreeBSD system), and run a lot of programs (acroread, skype, shells, scripts, …). The LTP testsuite is not that useful here, as it mostly tests kernel features, but we do not know which kernel features are mandatory for a given userland of a Linux release.

The second way of testing whether a given Linux release works on FreeBSD is to actually create a new linux_base port for it and test it without chrooting.

The first way is faster if you are only interested in testing whether something works. The second way provides an easy-to-set-up testbed for FreeBSD kernel developers to fix the Linuxulator so that it works with the new linux_base port. Both ways have their merits, but it is up to the person doing the work to decide which way to go.

The meat: HOWTO create a new linux_base port

First off, you need a system (or a jail) without any linux_base port installed. After that you can create a new linux_base port (= lbN) by just making a copy of the latest one (= lbO). In lbN you need to add lbO to CONFLICTS, and in all other existing linux_base ports you need to add lbN to CONFLICTS.

Change PORTNAME and PORTVERSION, reset PORTREVISION in lbN, and set LINUX_DIST_VER to the new Linux release version in the lbN Makefile (this variable is used in PORTSDIR/Mk/bsd.linux-rpm.mk and PORTSDIR/Mk/bsd.linux-apps.mk).

If you do not stay with Fedora, there is some more work to do before you can have a look at choosing RPMs for installation. You need to have a look at PORTSDIR/Mk/bsd.linux-rpm.mk and add some cases for the new LINUX_DIST you want to use. Do not forget to set LINUX_DIST in the lbN Makefile to the name of the distribution you use. You also need to augment the LINUX_DIST_VER check in PORTSDIR/Mk/bsd.linux-rpm.mk with some LINUX_DIST conditionals. If you are lucky, the directory structure for downloads is similar to the Fedora structure, and there is not a lot to do here.

When this is done, you can have a look at the BIN_DISTFILES variable in the lbN Makefile. Try to find similar RPMs for the new Linux release you want to port. Some may not be available, and it may also be the case that different ones are needed instead. I suggest first working with the ones which are available (make makesum, test install and create the plist). After that you need to find out what the replacement RPMs for the non-existing ones are.

You are on your own here. Search around the net, and/or have a look at the dependencies in the RPMs of lbO to determine whether something was added as a dependency of something else or not (if not, forget about it for the moment). When you have managed to find replacement RPMs, you can have a look at the dependencies of the RPMs in lbN. Do not blindly add all dependencies; not all are needed in FreeBSD (the linux_base ports are not supposed to create an environment which you can chroot into, they are supposed to augment the FreeBSD system so that Linux programs in ports can run as if they were FreeBSD native programs). What you need in the linux_base ports are libraries, config and data files which do not exist in FreeBSD or have a different syntax than in FreeBSD (those config or data files which are just in a different place can be symlinked), and basic shell commands (which commands are needed or not… well… good question; in the past we made decisions about what to include based upon problem reports from users).

Now for the things which are not available and were not added as a dependency. Those are things which are either used during install, or were useful to have in the past. Find out what they were replaced by and have a look at whether this replacement can easily be used instead. If it can be used, add it. If not, well… bad luck; we (the FreeBSD community) will see how to handle this somehow.

If you think that you have all you need in BIN_DISTFILES, please update SRC_DISTFILES accordingly and regenerate distinfo via make -DPACKAGE_BUILDING makesum, so that it also contains the checksums of the sources (for legal reasons we need them on our mirrors).

The next step is to have a look at REMOVE_DIRS, REMOVE_FILES and ADD_DIRS to see whether something needs to be modified. Most of the entries are there to fall back to the corresponding FreeBSD directories/files, or because they are not needed at all (REMOVE_*). Do not remove directories from ADD_DIRS; they are created there to fix some edge conditions (I do not remember exactly why we had to add them, and I do not take the time at the moment to search the CVS history).

If you are lucky, this is all (make sure the plist is correct). If you are not lucky and you need to make some modifications to files, have a look at the do-build target in the Makefile; this is the place where some changes are done to create a nice user experience.
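The mechanical part of the steps above (copy lbO to lbN, fix the version variables, register CONFLICTS in both directions) is easy to get wrong by hand, especially the CONFLICTS entries in every other linux_base port. The following script is an added example, not code from the FreeBSD ports tree: it performs exactly those edits on a constructed sample ports tree. Selecting the RPMs, the makesum runs and the plist still need a human. It assumes the ports live in $PORTSDIR/emulators, that the port directory name is the package name prefix used in CONFLICTS patterns, and that CONFLICTS is set on a single line (real Makefiles may use backslash continuations, which it does not handle).

```shell
#!/bin/sh
# Added example, not part of the FreeBSD ports tree. Clones linux_base port lbO
# into lbN and does the Makefile edits described in the HOWTO.

# Print the value of a make variable from a Makefile (first assignment wins).
make_var() {
    awk -v var="$2" '$0 ~ ("^" var "[ \t]*[?:+]?=") { sub("^[^=]*=[ \t]*", ""); print; exit }' "$1"
}

# Replace "VAR=..." with "VAR=<tab>value" (portable: no sed -i).
set_make_var() {
    awk -v var="$2" -v val="$3" '
        $0 ~ ("^" var "[ \t]*[?:+]?=") { print var "=\t" val; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Drop "VAR=..." entirely; a new port starts without a PORTREVISION line.
del_make_var() {
    awk -v var="$2" '$0 ~ ("^" var "[ \t]*[?:+]?=") { next } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append a package pattern to CONFLICTS, creating the line if it is missing.
add_conflict() {
    if grep -Eq '^CONFLICTS[[:space:]]*[?:+]?=' "$1"; then
        awk -v pat="$2" '/^CONFLICTS[ \t]*[?:+]?=/ { print $0 " " pat; next } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'CONFLICTS=\t%s\n' "$2" >> "$1"
    fi
}

# clone_linux_base PORTSDIR lbO lbN PORTNAME PORTVERSION LINUX_DIST_VER
clone_linux_base() {
    emu="$1/emulators"; lbo=$2; lbn=$3
    if [ ! -f "$emu/$lbo/Makefile" ]; then echo "no such port: $lbo" >&2; return 1; fi
    if [ -e "$emu/$lbn" ]; then echo "$lbn already exists" >&2; return 1; fi
    cp -R "$emu/$lbo" "$emu/$lbn"
    mf="$emu/$lbn/Makefile"
    set_make_var "$mf" PORTNAME "$4"
    set_make_var "$mf" PORTVERSION "$5"
    del_make_var "$mf" PORTREVISION
    set_make_var "$mf" LINUX_DIST_VER "$6"
    add_conflict "$mf" "$lbo-*"                  # lbN conflicts with lbO ...
    for other in "$emu"/linux_base-*; do         # ... and every other linux_base with lbN
        [ -f "$other/Makefile" ] || continue
        [ "$other" != "$emu/$lbn" ] || continue
        add_conflict "$other/Makefile" "$lbn-*"
    done
    return 0
}

# Constructed sample tree standing in for ${PORTSDIR}; the values and the
# distfile name are placeholders, not the real port contents.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/emulators/linux_base-f10" "$t/emulators/linux_base-fc6"
    cat > "$t/emulators/linux_base-f10/Makefile" <<'EOF'
PORTNAME=      linux_base-f10
PORTVERSION=   10
PORTREVISION=  3
CATEGORIES=    emulators linux
LINUX_DIST_VER=        10
CONFLICTS=     linux_base-fc6-*
BIN_DISTFILES= example-1.0-1.fc10${EXTRACT_SUFX}
EOF
    cat > "$t/emulators/linux_base-fc6/Makefile" <<'EOF'
PORTNAME=      linux_base-fc6
PORTVERSION=   6
LINUX_DIST_VER=        6
CONFLICTS=     linux_base-f10-*
EOF
    echo "$t"
}

# Demo on the constructed tree; on a real system pass your ${PORTSDIR} instead.
demo=$(make_demo_tree)
clone_linux_base "$demo" linux_base-f10 linux_base-f15 linux_base-f15 15 15
echo "== $demo/emulators/linux_base-f15/Makefile"
cat "$demo/emulators/linux_base-f15/Makefile"
echo "== CONFLICTS in the old ports"
grep '^CONFLICTS' "$demo"/emulators/linux_base-f10/Makefile "$demo"/emulators/linux_base-fc6/Makefile
rm -rf "$demo"
```

After running it against a real tree, continue with the manual steps: review BIN_DISTFILES and SRC_DISTFILES, run makesum, build, and check the plist.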

If you arrive here while creating a new linux_base port, lean back and feel a bit proud. You have managed to create a new linux_base port. It is not very well tested at this moment, and it is far from everything which needs to be done to have the complete Linux infrastructure for a given Linux release, but the most important part is done. Please notify freebsd-emulation@FreeBSD.org and call for testers.

What is missing?

The full Linuxulator infrastructure for the FreeBSD Ports Collection has some more ports around a linux_base port. Most of the infrastructure for this is handled in Mk/bsd.linux-apps.mk.

UPDATE: I got some time to write how to update the Linux-infrastructure ports.

Rants about JASS (Solaris Security Toolkit)

Recently I switched to a new client where the Solaris Security Toolkit (JASS) is extensively used. I am now in the process of updating some things, among them JET and JASS. As part of this work I am reevaluating the local JASS modifications. Previously a custom JASS package was used, but in case JASS is updated by Oracle at some point in time (and an update is really needed, see below), this would need some amount of work to find out the differences and to forward-port them to the new version. If everything is well documented, this should not be hard to do, but the person doing the work also needs to find the up-to-date docs.

To make this easier I decided to change this. I now install the official JASS package via JET together with the latest patch for it, and then let JET copy our modifications over the installed package. Instead of modifying existing drivers, I created our own drivers with a reference to the driver which served as a base.

While doing this I encountered several shortcomings of JASS on Solaris 10.

There are several FS based checks which do not make sense for the filesystems of zones in a global zone (at least not the way I use JASS, so maybe a configurable way of changing the behavior would serve everyone). If zones are installed in /zones, you do not need to check for files without valid UIDs (you will surely find a lot of them, as the users are defined inside the zones and not in the global zone) or similar things (not even for world-writable files, as the zones are installed in a root-access-only subtree, and inside the zones there may be other security constraints configured inside JASS; read: it is the responsibility of JASS inside the zone to do this). An easy solution would be to exclude those filesystems which contain zones (and as we only have one subtree, I just hardcoded this in several scripts).
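As an added example (not JASS code), here is the zone-subtree exclusion from that paragraph written as a find -prune function instead of a hardcoded path in each script. It assumes all zones live below one directory (the post uses /zones) and that your find(1) understands -path and -nouser (GNU and BSD find do; check the Solaris one you have). The sample filesystem it runs on is constructed in the script.

```shell
#!/bin/sh
# Added example, not JASS code: run the global-zone file checks but stop at the
# zone roots, whose contents are the job of the JASS run inside each zone.

# world_writable_outside_zones ROOT ZONEROOT
# World-writable regular files below ROOT; -prune keeps find out of ZONEROOT.
world_writable_outside_zones() {
    find "$1" -path "$2" -prune -o -type f -perm -0002 -print
}

# unowned_outside_zones ROOT ZONEROOT
# Files whose UID has no passwd entry in the global zone, again skipping the
# zones (where every file would otherwise show up). Needs root to be useful.
unowned_outside_zones() {
    find "$1" -path "$2" -prune -o -nouser -print
}

# Constructed sample filesystem: one stray world-writable file in the global
# zone and one inside a zone root, which must not be reported.
make_demo_fs() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/zones/web1/root/etc"
    touch "$t/etc/ok.conf" "$t/etc/bad.conf" "$t/zones/web1/root/etc/inside.conf"
    chmod 644 "$t/etc/ok.conf"
    chmod 666 "$t/etc/bad.conf" "$t/zones/web1/root/etc/inside.conf"
    echo "$t"
}

demo=$(make_demo_fs)
echo "world-writable files outside the zone subtree:"
world_writable_outside_zones "$demo" "$demo/zones"      # prints only .../etc/bad.conf
rm -rf "$demo"
```

On a real global zone the call is world_writable_outside_zones / /zones; pass ZONEROOT without a trailing slash, since -path compares the whole string.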

I also miss the possibility (maybe I overlooked a simple way) for the ssh check to limit PermitRootLogin to specific hosts. JASS only checks for yes or no, but cannot limit it to specific hosts (e.g. via a Match Address or Match Host block). Often you do not need to permit root logins (RBAC/sudo/…), but sometimes it is the only way to handle a particular edge case (or to speed up an action dramatically), and in such cases you do not want to allow root logins more than necessary.
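The check that is missing can be written in a few lines of awk. The script below is an added example, not JASS code: instead of grepping sshd_config for a single PermitRootLogin yes/no, it reports the effective value per scope, so that a Match Address exception for one host is visible as such and anything broader stands out. It assumes OpenSSH sshd_config rules (keywords are case-insensitive, the first occurrence of a keyword in a scope wins, and lines after a Match line belong to that block until the next one); the configuration it parses is a constructed sample.

```shell
#!/bin/sh
# Added example, not JASS code: report PermitRootLogin per scope (global and
# each Match block) from an sshd_config file.

# permit_root_login_by_scope FILE -> one line per scope: "<scope>: <value>"
permit_root_login_by_scope() {
    awk '
        BEGIN { scope = "global"; order[++n] = scope; known[scope] = 1 }
        /^[ \t]*#/ { next }                       # comment
        NF == 0    { next }                       # blank line
        {
            gsub(/[ \t]*=[ \t]*/, " ")            # allow the "Keyword=value" form
            key = tolower($1)
            if (key == "match") {                 # start of a new scope
                scope = $2
                for (i = 3; i <= NF; i++) scope = scope " " $i
                if (!(scope in known)) { known[scope] = 1; order[++n] = scope }
                next
            }
            if (key == "permitrootlogin" && !(scope in val))
                val[scope] = tolower($2)          # first occurrence wins
        }
        END {
            gv = ("global" in val) ? val["global"] : "unset (sshd default)"
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s in val)            print s ": " val[s]
                else if (s == "global")  print s ": " gv
                else                     print s ": " gv " (inherited)"
            }
        }' "$1"
}

# Scopes where root login is anything but "no": the lines an auditor must justify.
root_login_allowed_scopes() {
    permit_root_login_by_scope "$1" | grep -Ev ': no( |$)' || true
}

# Constructed sample sshd_config: root login off globally, key-only root login
# from one address, plus an unrelated Match block that inherits the global value.
make_demo_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
PermitRootLogin no
PasswordAuthentication no

Match Address 10.0.0.5
    PermitRootLogin without-password

Match User backup
    ForceCommand /usr/local/bin/run-backup
EOF
    echo "$f"
}

demo=$(make_demo_sshd_config)
permit_root_login_by_scope "$demo"   # global: no / Address 10.0.0.5: without-password / User backup: no (inherited)
echo "-- needs justification:"
root_login_allowed_scopes "$demo"    # Address 10.0.0.5: without-password
rm -f "$demo"
```

A JASS-style yes/no grep would report this file as "no" and miss the exception; the per-scope report shows exactly which hosts may still log in as root, which is what you want to compare against the list of edge cases that actually need it.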

Not much free time…

I am working for a new client now, where I have more things to take care of. This reduces a bit the possibility to write some interesting things here.

There are some things I would like to document here: some more experiences with Android and custom certificates, some things about Solaris, and other stuff. Unfortunately the day has only 24 hours.