On Feb 14, 2012, at 8:44 AM, John Burrell wrote:
Has anyone written a script or scripts which automate the lfs build using
MSB's package user system?
I have a build-system for LFS.
It builds the whole thing, chapters 5, 6, 7, 8, and--ha--9.
It does not, however, use the MSB package system. But, I'm very interested in
the install-as-package-user system, it would be awesome if someone wanted to
hack that on. Having said that, has anyone verified that it doesn't create
security risks that might be outweighed by installation as root? I've read the
paper; I understand it helps alleviate issues with installs; I'd also like to
know from the people who've tried it if there any vulnerabilities created.
I've used a hacked version of the package user system for some time now and I
like it a lot. It's very easy to control what gets installed and to catch
Makefiles which trample all over your system. Just take a look at cups to see
what I mean.
I've got a project on github you can play with. It doesn't require any user
interaction beyond an initial script that asks for certain answers before the
build starts.
I've built lfs a few times and I'm not doing it again manually, so can anyone
help me? If not I'll write it myself, but I don't want to reinvent the wheel.
You're welcome to look at my stuff. I'd be happy to look at patches, if you
want to put MSB on top of it. Shouldn't be too hard with my setup:
https://github.com/qrux/xlapp
You'll want to note that I make assumptions about your host system:
* It uses Grub Legacy.
* /boot is a separate partition from the current root or /mnt/lfs.
* /mnt/lfs is a separate partition.
* You want a vanilla LFS install, which does not create a ramdisk.
* Your glibc is fairly current (supports $n$ password hashing).
Also, my build system is geared toward a user who ultimately wants to install
Xen on the bare-metal, and then run the machine as a virtualized cluster.
That's what all the additional stuff is, most of which you can completely
ignore if you just want an LFS build.
It has two build modes; it can run a quick build, where it doesn't run most
of the time-consuming regression checks in chapter 6. And a full build,
where it does run those same tests. It has a nice feature where you can open
another window (on host system), and run a script called 'scan' which tells you
which packages have been built and how much total time has been taken. The
original window--the one you build in--doesn't generate any output, (to reduce
CPU usage, particularly if you're SSH'ed in to the host, as I am), but instead
writes to a log file. In fact, scan just scans that log file every once in a
while for an update.
My system goes on to install a few packages beyond vanilla LFS:
* bc
* openssl
* wget
* CA-certs
* tcp_wrappers
* sysstat
* openssh
These packages are just enough to allow you to SSH in (bc is needed by openssl,
and wget is needed by CA-certs--which is needed by ssl/ssh, tcp-wrappers is
usable by openssh--and had nice scripts to ameliorate brute-force attacks).
Strictly speaking, sysstat isn't a necessary part of this sequence, and may be
refactored out in the future.
In addition, the opening configuration script asks for an SSH key to install,
so you can SSH in as root. I realize this is outside of vanilla LFS (indeed, I
installed these packages from the BLFS instructions). But, I will probably
never remove these from my core install (aside from probably sysstat).
It also installs these packages:
* which
* ntp
* cpio
* hdparm
* net-tools
* bonnie++
* xlapp-watchdog
I may refactor these out, since I'm sure some people won't want them. The last
one is my own...It reverts /boot/grub/menu.lst to boot the host system in the
event that no one shuts off the watchdog within 30 seconds (the interval is
easily changed). For me, running this build in a dim colo setting means that
sometimes a boot script gets borked. It's nice to have a way to reboot the
system.
TL;DR - Feel free to hack on it. It's 99.9% shell-scripting, so nothing funky
like Python, Java, etc. I'd be quite interested to see if MSB can be grafted
on, at which point, if it doesn't create vulnerabilities, I'd like to merge
that in. It's still a work-in-progress for me, and I'd quite like someone else
to take a look!
HTH,
Q
--
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
