
Compact installation of FreeBSD 10 for a certification authority

Once there was a need, within the existing infrastructure of a certification authority, for a subordinate CA for 'off-site' use: issuing temporary technological certificates during various trips. It had to be mobile and, within reason, protected. The option of a bootable USB flash drive with some *nix + openssl was accepted, with a typical usage scenario of: reboot the computer at hand, insert the flash drive, boot from it, work, pull out the flash drive, reboot the computer. The secret keys of the CA, its configuration files and the key files for two-factor authentication can be moved to separate media.

I began selecting a *nix distribution. The requirements were as follows:


As a result, two distributions reached the final: Alpine Linux and OpenBSD. Everything would have been fine, and there would have been no point in writing this article, had the requirements for the operating system not been clarified (EXTREMELY clarified): full support for Russian text in Unicode in the system console was required, on both input and output.

Well, here we go. Both finalists dropped out of the competition: Alpine Linux because of its compact C library, and OpenBSD ... well, it has other strengths. However, this requirement allowed a different look at the available distributions, and FreeBSD unexpectedly turned out to be the favourite. The vt console driver (formerly known as newcons) supports Unicode out of the box, Russian fonts are bundled, and the criteria above are, taken together, met quite fully. As a bonus, offline binary updates of the system on the flash drive become possible.

I began studying the possibility of a compact installation by standard means. The ready-made kits, tinybsd, nanobsd and picobsd, gave the impression of "old, ancient, positively antediluvian". Just the calculations of sectors, heads and cylinders for different types of flash drives in picobsd ... Straight out of the days of MFM, RLL and ST-506 ...

The creations of individual enthusiasts, the various miniBSD, easyBSD and mfsBSD, looked more interesting, but in the end it was decided to play the good Dr. Frankenstein anyway.

In this example, we will make a bootable USB flash drive with:




I emphasize: this is a demo example, it includes everything that is possible. In real life the possibilities listed above are, of course, applied selectively. It makes little sense to mount one partition in memory and the other live from the same flash drive. And yes, it will not look much like "kernel + systemd + shell + openssl", but the goal was not to fit everything onto a floppy disk. Those days are gone. And even with fdformat.com and 800.com it would not fit ... Therefore, in addition to the programs without which the system cannot do, programs that may be useful (for working with text, disks and archives) were kept. In addition, to keep the stated possibility of updating the system, it must not be mangled too heavily (for example by collapsing everything into one crunchgen binary and embedding it in the kernel), otherwise freebsd-update will not recognize it.

Looking ahead: the size of the system in the maximum configuration (two kernels + two images) will be 48 MB, and in the minimum (one kernel + one image) 7⅓ MB, without installed packages.

The ability to select the kernel at boot turned out to be very convenient for debugging: if something does not work, booting alternately with the different kernels (and likewise with the different system images) identifies which part of the build the problem is in, the kernel or the world.

So, let's begin.

Our flash drive will be based on FreeBSD 10.1-RELEASE. You can of course use -STABLE, but then freebsd-update will not work for binary updates. In the course of the work we will compile the world and the kernel, install them into a separate directory, configure the system, delete unnecessary files, and then make an .iso and an .img. Nothing complicated.

Create a working environment. This can be done on real hardware, but it is easier in a virtual machine. Download FreeBSD-10.1-RELEASE-i386, install it, and when selecting system components enable installation of the source code. The ports tree and games are not needed. Boot and log in as root.

Preparation


Everything will be done as root.

For convenience, we will set several environment variables; they will be used further in the text. The root user has csh as the default shell, so in /root/.login we add:
$ echo "setenv BASE /root/caBSD" >> /root/.login
$ echo "setenv WORKDIR /root/caBSD/_work" >> /root/.login

Yes, our creation will be called caBSD.

Update the system to the latest patch level:
$ freebsd-update fetch
$ freebsd-update install
$ reboot

The kernel, the world and the sources have been updated. Reboot.

Create the directory /root/caBSD and the working subdirectories in it:
$ mkdir -p ${BASE}/{conf,tools,pkg.local}
$ mkdir -p ${WORKDIR}/{vanilla,custom,mnt}

/root/caBSD/_work/ is the main working directory, ${WORKDIR}. Subdirectories in it:
vanilla/ - here we assemble the root of the future system (installworld, installkernel)
mnt/ - temporary mount point
custom/ - the .iso/.img images will be created from the contents of this directory

Compile the world and the kernel


Create a configuration file for our kernel. At the debugging stage we use a configuration based on GENERIC, consisting of just a few lines:
tools/CABSD-DEV
#
# tools/CABSD-DEV
include GENERIC
ident CABSD-DEV
# do not build modules
makeoptions NO_MODULES=1
# disable syscons (sc); vt becomes the console driver
nodevice sc
nodevice vga
# what we need in addition to GENERIC
options TMPFS # Efficient memory filesystem
options GEOM_ELI # Disk encryption.
device crypto # core crypto support
options NO_SWAPPING # Disable swapping of stack pages


Here we take the GENERIC kernel, disable syscons (vt becomes the console driver by default) and enable the three extra options we need; that is enough to test booting the system.

Then, when everything works, you can use the minimal kernel. For it we take the GENERIC kernel file and delete everything unnecessary (periodically compiling and checking whether the .iso still boots), leaving what is necessary and what is not understood. The configuration file of our working kernel ended up looking like this:
tools/CABSD
#
# tools/CABSD
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident CABSD
makeoptions NO_MODULES=1 # Don't compile modules
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options FFS # Berkeley Fast Filesystem
#options SOFTUPDATES # Enable FFS soft updates support
#options UFS_ACL # Support for access control lists
options MD_ROOT # MD is a potential root device
options ROOTDEVNAME=\"ufs:/dev/md0\" # The root device and filesystem type can be compiled in
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options TMPFS # Efficient memory filesystem
#options NULLFS # NULL filesystem
#options PROCFS # Process filesystem (requires PSEUDOFS)
#options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options GEOM_ELI # Disk encryption.
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
#options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
#options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options PROCDESC # Support for process descriptors
#options INCLUDE_CONFIG_FILE # Include this file in kernel
options NO_SWAPPING # Disable swapping of stack pages
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
device cpufreq # CPU frequency control
# Bus support.
device acpi
device pci
#device eisa
# Floppy drives
#device fdc
# USB support https://www.freebsd.org/doc/en/books/handbook/usb-disks.html
device scbus # SCSI bus (required for ATA/SCSI)
device da # Direct Access (disks)
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device umass # Disks/Mass storage - Requires scbus and da
device cd # CD
device ukbd # Keyboard
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_STATIC_ID # Static device numbering
#device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
#device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
# needed by kbdcontrol (keymap, keyrate)
device kbdmux # keyboard multiplexer
# vt is the new video console driver
device vt
device vt_vga
options TERMINAL_NORM_ATTR=(FG_GREEN|BG_BLACK)
options MAXCONS=4 # number of virtual consoles
# Number of initial kernel page table pages used for early bootstrap.
# This number should include enough pages to map the kernel, any
# modules or other data loaded with the kernel by the loader, and data
# structures allocated before the VM system is initialized such as the
# vm_page_t array. Each page table page maps 4MB (2MB with PAE).
#options NKPT=31
device crypto # core crypto support
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
#device padlock_rng # VIA Padlock RNG
device rdrand_rng # Intel Bull Mountain RNG
#device ether # Ethernet support
device md # Memory "disks"
# EOF


Create a configuration file for compiling the world. We read man src.conf, write all the WITHOUT_ options into a file and study it thoughtfully. It becomes clear that not one but two configuration files will be needed: one for buildworld, and a second, additional one for installworld.
tools/worldbuild.conf
#
# tools/worldbuild.conf
#
WITHOUT_ACCT=
WITHOUT_ACPI=
WITHOUT_AMD=
WITHOUT_APM=
WITHOUT_ARM_EABI=
WITHOUT_ASSERT_DEBUG=
WITHOUT_AT=
WITHOUT_ATM=
WITHOUT_AUDIT=
WITHOUT_AUTHPF=
# set at install time only, see tools/worldinstall.conf
# WITHOUT_BINUTILS=
WITHOUT_BLUETOOTH=
WITHOUT_BMAKE=
WITHOUT_BSD_CPIO=
WITHOUT_BSNMP=
WITHOUT_CALENDAR=
WITHOUT_CAPSICUM=
WITHOUT_CDDL=
WITHOUT_CLANG=
WITHOUT_CLANG_EXTRAS=
WITHOUT_CLANG_FULL=
WITHOUT_CPP=
# needed: libcrypt is used by geli and openssl
# WITHOUT_CRYPT=
WITHOUT_CTM=
WITHOUT_CXX=
WITHOUT_DICT=
WITHOUT_EXAMPLES=
WITHOUT_FDT=
WITHOUT_FLOPPY=
WITHOUT_FMTREE=
# needed: the loader uses it
# WITHOUT_FORTH=
# needed: we want to update with freebsd-update
# WITHOUT_FREEBSD_UPDATE=
WITHOUT_GAMES=
WITHOUT_GCC=
WITHOUT_GCOV=
WITHOUT_GDB=
WITHOUT_GNU=
WITHOUT_GNUCXX=
WITHOUT_GNU_SUPPORT=
WITHOUT_GPIB=
WITHOUT_GPIO=
WITHOUT_GROFF=
WITHOUT_GSSAPI=
WITHOUT_HTML=
WITHOUT_HYPERV=
WITHOUT_ICONV=
WITHOUT_INET=
WITHOUT_INET_SUPPORT=
WITHOUT_INET6=
WITHOUT_INET6_SUPPORT=
WITHOUT_INFO=
# set at install time only, see tools/worldinstall.conf
# WITHOUT_INSTALLLIB=
WITHOUT_IPFILTER=
WITHOUT_IPFW=
WITHOUT_IPX=
WITHOUT_IPX_SUPPORT=
WITHOUT_JAIL=
WITHOUT_KDUMP=
WITHOUT_KERBEROS=
WITHOUT_KERBEROS_SUPPORT=
WITHOUT_KERNEL_SYMBOLS=
WITHOUT_LDNS=
WITHOUT_LDNS_UTILS=
# needed
# WITHOUT_LEGACY_CONSOLE=
# only relevant on amd64, we are on i386
# WITHOUT_LIB32=
WITHOUT_LIBCPLUSPLUS=
# needed for the UTF-8 locale
# WITHOUT_LOCALES=
WITHOUT_LOCATE=
WITHOUT_LPR=
WITHOUT_LS_COLORS=
WITHOUT_MAIL=
WITHOUT_MAILWRAPPER=
WITHOUT_MAKE=
WITHOUT_MAN=
WITHOUT_MAN_UTILS=
# libncursesw is needed by /usr/bin/vi and jupp
# WITHOUT_NCURSESW=
WITHOUT_NDIS=
WITHOUT_NETCAT=
WITHOUT_NETGRAPH=
WITHOUT_NETGRAPH_SUPPORT=
WITHOUT_NIS=
WITHOUT_NLS=
WITHOUT_NLS_CATALOGS=
WITHOUT_NMTREE=
WITHOUT_NS_CACHING=
WITHOUT_NTP=
WITHOUT_OPENSSH=
# needed: openssl is the whole point of the exercise
# WITHOUT_OPENSSL=
WITHOUT_PAM_SUPPORT=
WITHOUT_PC_SYSINSTALL=
WITHOUT_PF=
WITHOUT_PKGBOOTSTRAP=
WITHOUT_PMC=
WITHOUT_PORTSNAP=
WITHOUT_PPP=
WITHOUT_PROFILE=
WITHOUT_QUOTAS=
WITHOUT_RCMDS=
WITHOUT_RCS=
# /rescue is not needed
WITHOUT_RESCUE=
WITHOUT_ROUTED=
WITHOUT_SENDMAIL=
WITHOUT_SHAREDOCS=
WITHOUT_SOURCELESS=
WITHOUT_SOURCELESS_UCODE=
WITHOUT_SOURCELESS_HOST=
WITHOUT_SSP=
WITHOUT_SVNLITE=
# syscons is not needed, we use newcons - vt(4)
WITHOUT_SYSCONS=
WITHOUT_SYSINSTALL=
# needed: tcsh is the operator's shell
# WITHOUT_TCSH=
WITHOUT_TELNET=
WITHOUT_TESTS=
WITHOUT_TEXTPROC=
# set at install time only, see tools/worldinstall.conf
# WITHOUT_TOOLCHAIN=
WITHOUT_UNBOUND=
WITHOUT_USB=
WITHOUT_UTMPX=
# needed: vt is our console driver
# WITHOUT_VT=
WITHOUT_WIRELESS=
WITHOUT_WIRELESS_SUPPORT=
WITHOUT_WPA_SUPPLICANT_EAPOL=
WITHOUT_ZFS=
# needed: the timezone data
# WITHOUT_ZONEINFO=



tools/worldinstall.conf
#
# tools/worldinstall.conf
#
# Set to not install binutils (as, c++-filt, gconv, ld, nm, objcopy, objdump, readelf, size and strip)
WITHOUT_BINUTILS=
# Set this if you do not want to install optional libraries. For example when creating a nanobsd(8) image.
WITHOUT_INSTALLLIB=
# Set to not install programs used for program development, compilers, debuggers etc. The option does not work for build targets.
# When set, it also enforces the following options:
# WITHOUT_BINUTILS, WITHOUT_CLANG, WITHOUT_CLANG_EXTRAS, WITHOUT_CLANG_FULL, WITHOUT_GCC, WITHOUT_GDB
WITHOUT_TOOLCHAIN=


With these options, we disable compilation of both clang and gcc.
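As an added example (not the article's own tooling), the following POSIX sh script checks that the split between tools/worldbuild.conf and tools/worldinstall.conf came out as intended: it lists the WITHOUT_ options each file actually sets, reports the ones deliberately left commented out ("# WITHOUT_X="), and, after installworld, verifies that a DESTDIR no longer contains programs those options remove. The option-to-path table, the sample conf files and the sample DESTDIR are constructed assumptions for this demo, not taken from src.conf(5).

```shell
#!/bin/sh
# Added example: audit the WITHOUT_* split and the resulting DESTDIR.
# Sample files and the option-to-path table below are assumptions.
export LC_ALL=C

# Active WITHOUT_* names in an src.conf-style file (comments stripped), sorted.
active_without_opts() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$1" \
        | grep -E '^WITHOUT_[A-Z0-9_]+=' | cut -d= -f1 | sort -u
}

# WITHOUT_* names that appear only as commented-out lines ("# WITHOUT_X=").
kept_enabled_opts() {
    grep -E '^[[:space:]]*#[[:space:]]*WITHOUT_[A-Z0-9_]+=' "$1" \
        | sed 's/.*\(WITHOUT_[A-Z0-9_]*\)=.*/\1/' | sort -u
}

# Options the install-time file ($2) adds on top of the build-time file ($1).
install_only_opts() {
    b=$(mktemp); i=$(mktemp)
    active_without_opts "$1" > "$b"
    active_without_opts "$2" > "$i"
    comm -13 "$b" "$i"
    rm -f "$b" "$i"
}

# Paths (relative to DESTDIR) that must be absent when an option is set.
# Assumed mapping for this example, not a table from src.conf(5).
paths_removed_by() {
    case "$1" in
        WITHOUT_OPENSSH)   echo "usr/sbin/sshd usr/bin/ssh" ;;
        WITHOUT_SENDMAIL)  echo "usr/sbin/sendmail" ;;
        WITHOUT_TELNET)    echo "usr/bin/telnet" ;;
        WITHOUT_TOOLCHAIN) echo "usr/bin/cc usr/bin/ld" ;;
        WITHOUT_MAN)       echo "usr/share/man" ;;
        WITHOUT_RESCUE)    echo "rescue" ;;
        *) ;;
    esac
}

# Check DESTDIR $1 against the options active in conf files $2...;
# print each leftover and return their count (0 = clean).
verify_destdir() {
    dest=$1; shift
    leftovers=0
    for opt in $(for f in "$@"; do active_without_opts "$f"; done | sort -u); do
        for p in $(paths_removed_by "$opt"); do
            if [ -e "$dest/$p" ]; then
                echo "LEFTOVER: $p still present although $opt is set"
                leftovers=$((leftovers + 1))
            fi
        done
    done
    return "$leftovers"
}

# Constructed sample inputs in the shape of the article's two conf files.
BUILD_CONF=$(mktemp); INSTALL_CONF=$(mktemp); DEST=$(mktemp -d)
trap 'rm -rf "$BUILD_CONF" "$INSTALL_CONF" "$DEST"' EXIT
cat > "$BUILD_CONF" <<'EOF'
# constructed build-time sample
WITHOUT_OPENSSH=
WITHOUT_SENDMAIL=
WITHOUT_MAN=
WITHOUT_RESCUE=   # /rescue is not needed
# libncursesw is needed by vi and jupp
# WITHOUT_NCURSESW=
# set only at install time
# WITHOUT_TOOLCHAIN=
EOF
cat > "$INSTALL_CONF" <<'EOF'
WITHOUT_BINUTILS=
WITHOUT_INSTALLLIB=
WITHOUT_TOOLCHAIN=
EOF
# Constructed DESTDIR: sshd and cc were left behind, sendmail is gone.
mkdir -p "$DEST/usr/bin" "$DEST/usr/sbin" "$DEST/bin"
touch "$DEST/usr/bin/cc" "$DEST/usr/sbin/sshd" "$DEST/bin/sh"

echo "build-time:   $(active_without_opts "$BUILD_CONF" | tr '\n' ' ')"
echo "kept enabled: $(kept_enabled_opts "$BUILD_CONF" | tr '\n' ' ')"
echo "install-only: $(install_only_opts "$BUILD_CONF" "$INSTALL_CONF" | tr '\n' ' ')"
verify_destdir "$DEST" "$BUILD_CONF" "$INSTALL_CONF" || echo "$? leftover(s) in DESTDIR"
```

Against the real build, point verify_destdir at ${WORKDIR}/vanilla with ${BASE}/tools/worldbuild.conf and ${BASE}/tools/worldinstall.conf; a non-zero return means something the conf files were supposed to remove is still in the image.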

Let's start the compilation. In the first step we cheat a little: when compiling the world, a lot of time is spent compiling the compiler, but we already have a ready one in the base system, and it was just updated. We will use it. Set the variables:

$ setenv CC `whereis -bq clang`
$ setenv CPP `whereis -bq clang-cpp`
$ setenv CXX `whereis -bq clang++`

Create a symbolic link to the CABSD kernel configuration file in the appropriate directory (in this example we skip the debugging step with CABSD-DEV and immediately make the final version of the kernel):

 $ ln -sf ${BASE}/tools/CABSD /usr/src/sys/i386/conf 

Compile. Additional options such as '-j N' are optional.

$ cd /usr/src
# rm -rf /usr/obj
# build the world
$ make buildworld USER=IT HOSTNAME=hq.example.net SRCCONF=${BASE}/tools/worldbuild.conf __MAKE_CONF=/dev/null
# build the kernel
$ make buildkernel USER=IT HOSTNAME=hq.example.net SRCCONF=${BASE}/tools/worldbuild.conf __MAKE_CONF=/dev/null KERNCONF=CABSD
$ cd ${BASE}

The USER and HOSTNAME parameters are cosmetic: you can specify something of your own, so that in the new system uname -a and other places show the proud "IT@hq.example.net" rather than "root@localhost".

Now install the system into the working directory. Note that between the compilation and installation stages you should neither update the system with freebsd-update nor change the options in the worldbuild.conf file.

$ cd /usr/src
# note: the install-time options are passed through __MAKE_CONF
$ make installworld DESTDIR=${WORKDIR}/vanilla SRCCONF=${BASE}/tools/worldbuild.conf __MAKE_CONF=${BASE}/tools/worldinstall.conf
# populate etc
$ make distribution DESTDIR=${WORKDIR}/vanilla SRCCONF=${BASE}/tools/worldbuild.conf __MAKE_CONF=${BASE}/tools/worldinstall.conf
# install the kernel
$ make installkernel DESTDIR=${WORKDIR}/vanilla SRCCONF=${BASE}/tools/worldbuild.conf __MAKE_CONF=${BASE}/tools/worldinstall.conf KERNCONF=CABSD
# the second kernel, GENERIC, is taken from the host's /boot/kernel
# and parked under tmp/ for now
$ mkdir -p ${WORKDIR}/vanilla/tmp/boot/kernel
$ cp -p /boot/kernel/{kernel,*.ko} ${WORKDIR}/vanilla/tmp/boot/kernel/
$ chflags -R noschg ${WORKDIR}/vanilla
$ cd ${BASE}

If you do not set the WITHOUT_RESCUE= option when compiling the world, the files in bin, sbin, usr/bin and usr/sbin can be replaced with their counterparts from rescue, although the benefit of this is not obvious. The whole system sits on one partition which is mounted in memory at boot, so scenarios with an unmounted usr are practically excluded, and the only point of the replacement would be to shrink the system by deleting libraries that become unnecessary because the programs using them were replaced by the statically linked rescue. However, the savings have to be measured, and in our example we will not compile rescue.

If you do replace them, you can use this script (borrowed from mfsBSD):
tools/_linkrescue.sh
#!/bin/csh
#
# tools/_linkrescue.sh
cd ${WORKDIR}/vanilla
echo "Before:"
du -hc bin sbin usr/bin usr/sbin rescue
# replace every binary that has a rescue counterpart with a hard link to it
foreach FILE (`ls rescue`)
    if ( -f bin/${FILE} ) then
        ln -f rescue/${FILE} bin/${FILE}
    else if ( -f sbin/${FILE} ) then
        ln -f rescue/${FILE} sbin/${FILE}
    else if ( -f usr/bin/${FILE} ) then
        ln -f rescue/${FILE} usr/bin/${FILE}
    else if ( -f usr/sbin/${FILE} ) then
        ln -f rescue/${FILE} usr/sbin/${FILE}
    endif
end
echo "After:"
du -hc bin sbin usr/bin usr/sbin rescue
cd ${BASE}


Install packages


For the convenience of our CA's operators we will install a file manager. The popular mc is 158 MB, mc-light is 6 MB, deco is 217 MB with all dependencies. Installing from ports, one could probably shave the size a little with compilation options, but among the packages there was a compact console file manager, clex, at 0.3 MB, and that is what we will install.

The second point is an editor with Unicode support. Formally, by the letter of the assignment, support was already there: Russian text can be typed at the csh command line in the console (echo hi) and displayed (cat /usr/bin/help), but I wanted more comfortable work with texts, to edit an arbitrary file, keep notes, who knows. The stock /usr/bin/ee shows Russian text from a Unicode file as "-PM-7M-PM-?M"; /usr/bin/vi shows everything correctly (although it requires the libncursesw library, so the WITHOUT_NCURSESW= option in tools/worldbuild.conf has to be turned off); /rescue/vi shows "\xd0\xb7\xd0\xb0".

Among the packages there were several small editors with Unicode support, in particular: puff, which displays the text as "write ~ Au to about ~ @ az" (a mangled rendering of a short Russian phrase); le, good in every respect but requiring the C++ library; and jupp, which shows everything correctly and, like vi, requires libncursesw. jupp is a reworked version of the joe editor, but where the original joe from packages pulls in 49 MB of dependencies, jupp is the size of vi.

All the problems with ed, ee and puff concern only the display of Russian letters; when you type "blind", everything is saved correctly.

In the end, the choice between the stock vi and jupp from packages was shifted onto the shoulders of the prospective users, who voted for jupp: they liked the syntax highlighting and the relative friendliness of the editor.

Install misc/clex and editors/jupp. Custom packages can be placed in the ${BASE}/pkg.local/ directory; they will be added during installation.

# bootstrap pkg on the build host if it is not there yet
$ pkg -N || env ASSUME_ALWAYS_YES=YES pkg bootstrap
# keep a separate package database under ${WORKDIR} so the host's is not touched
$ mkdir -p ${WORKDIR}/pkg.db
$ setenv PKG_DBDIR ${WORKDIR}/pkg.db
# update the repository catalogue
$ pkg-static update
# fetch into ${WORKDIR}/vanilla so the files are visible inside the chroot
$ mkdir -p ${WORKDIR}/vanilla/tmp/pkg.files/All
# fetch the packages together with their dependencies
$ pkg-static fetch --output ${WORKDIR}/vanilla/tmp/pkg.files --dependencies --yes misc/clex editors/jupp
$ unsetenv PKG_DBDIR
# add our own packages (${BASE}/pkg.local), if any
$ install -m 0644 ${BASE}/pkg.local/* ${WORKDIR}/vanilla/tmp/pkg.files/All
# start with a clean package database in the target
$ rm -f ${WORKDIR}/vanilla/var/db/pkg/local.sqlite
# install into the chroot
$ cd ${WORKDIR}/vanilla
$ find tmp/pkg.files/All/* -type f -exec pkg-static -c ${WORKDIR}/vanilla add {} \;
$ cd ${BASE}

Configure the system


In the chroot environment, create the user 'ca'. To let it mount devices, add it to the operator group. We use csh as the shell; the WITHOUT_TCSH option in tools/worldbuild.conf is not enabled.

$ chroot ${WORKDIR}/vanilla pw useradd ca -c "Certification authority operator" -m -G operator -s /bin/csh
# remember the UID and GID (normally 1001:1001, but ...)
$ chroot ${WORKDIR}/vanilla id -u ca > ${WORKDIR}/ca.uid
$ chroot ${WORKDIR}/vanilla id -g ca > ${WORKDIR}/ca.gid
# UTF-8 locale
$ echo "setenv MM_CHARSET UTF-8" >> ${WORKDIR}/vanilla/home/ca/.login
$ echo "setenv LANG en_US.UTF-8" >> ${WORKDIR}/vanilla/home/ca/.login
# add /ca to the path (the CA scripts live on the /ca partition)
$ echo "set path = (/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin /ca)" >> ${WORKDIR}/vanilla/home/ca/.cshrc
# vi is not included, set EDITOR
$ echo "setenv EDITOR jupp" >> ${WORKDIR}/vanilla/home/ca/.cshrc
# CA settings
$ echo "setenv OPENSSL_CONF /ca/conf/ca.conf" >> ${WORKDIR}/vanilla/home/ca/.login
$ echo "setenv CA_OID 1.3.6.1.4.1.nnnnn" >> ${WORKDIR}/vanilla/home/ca/.login

We also have the conf/ca.sh script, which we will run in the chroot environment as user 'ca' to perform some actions in the user's home directory with its permissions.

conf/ca.sh
#!/bin/sh -ex
##
# conf/ca.sh
##
cd ~
# we are running as user 'ca' in its home directory
# 1. clex configuration
mkdir -p ~/.config/clex
# the heredoc delimiter is quoted so that $f and $2 are written literally
# instead of being expanded (to nothing) by the shell
cat << 'EOF' > ~/.config/clex/config
#
# CLEX configuration file
#
CMD_F3=more -- $f
CMD_F4=jupp -- $f
CMD_F5=cp -ir -- $f $2
CMD_F6=mv -i -- $f $2
CMD_F7=mkdir --
CMD_F8=rm -- $f
EOF
# 2. vi settings (vi is not installed)
#cat << EOF > ~/.nexrc
#set verbose showmode
#set nomesg
#EOF
# 3. create .logout here so that it is owned by 'ca'
touch .logout


This script must be run before cleaning the system, while ${WORKDIR}/vanilla still contains su.

# install conf/ca.sh as r-xr-xr-x into ${WORKDIR}/vanilla/home/ca
$ install -m 0555 -o root -g wheel conf/ca.sh ${WORKDIR}/vanilla/home/ca/
# run it
$ chroot ${WORKDIR}/vanilla su - ca -c /home/ca/ca.sh
# remove it
$ rm -f ${WORKDIR}/vanilla/home/ca/ca.sh

We create the configuration files. All of them are in the ${BASE}/conf directory, from where we will install them into the right places.
conf/fstab
##
# conf/fstab
##
/dev/md0 / ufs rw 0 0
# 50 MB for /tmp
tmpfs /tmp tmpfs rw,mode=1777,size=50m,noexec 0 0
# mounted on demand (noauto)
/dev/gpt/ca /ca ufs rw,noauto,noatime 0 0
/dev/gpt/keys.eli /ca.keys ufs ro,noauto,noatime 0 0
/dev/gpt/exchange /ca.certs msdosfs rw,longnames,-u=ca,-g=ca,-m=0640,-M=0750,noauto,noatime 0 0


The root partition is mounted from mfs, and /tmp from tmpfs. You can also choose not to mount /tmp separately and leave it in the root partition, but then, when creating the flash drive, you need to reserve more free space for it inside the system image. During a system update, freebsd-update uses /tmp to extract files; the largest of them in our configuration is the GENERIC kernel, about 17 MB, so this partition should not be made too small.

The /dev/gpt/ca partition is intended for the scripts and configuration files of our CA; /dev/gpt/keys.eli is the /dev/gpt/keys partition, encrypted with geli, holding the private keys; /dev/gpt/exchange is a FAT partition for exchange with external systems. We mount it with support for long names but without character set conversion: a deliberate decision was made to use only ASCII characters in file names on this partition. Therefore we compile both the system and the kernel without iconv support.

We do not mount these partitions automatically at startup (the noauto parameter), because on some problems (for example, three times an incorrectly entered geli password, which leaves no keys.eli partition to mount) we would be thrown into single-user mode. The operator would suffer shock and moral injury. Therefore these partitions will be mounted from the session of user 'ca', for which we added it to the operator group at creation time, and with the devfs and sysctl settings (below) we grant the necessary permissions.

Note that in fstab the partition with the CA keys is mounted read-only, so remember to remount it for writing before creating keys (mount -u -o rw /dev/gpt/keys.eli).

# mount the CA partitions at login
$ echo "mount /dev/gpt/ca" >> ${WORKDIR}/vanilla/home/ca/.login
$ echo "mount /dev/gpt/keys.eli" >> ${WORKDIR}/vanilla/home/ca/.login
$ echo "mount /dev/gpt/exchange" >> ${WORKDIR}/vanilla/home/ca/.login
# and unmount them at logout
$ echo "umount /dev/gpt/ca" >> ${WORKDIR}/vanilla/home/ca/.logout
$ echo "umount /dev/gpt/keys.eli" >> ${WORKDIR}/vanilla/home/ca/.logout
$ echo "umount /dev/gpt/exchange" >> ${WORKDIR}/vanilla/home/ca/.logout

Note that while the .login and .cshrc files already existed in the home directory of user 'ca', and we could append to them without fear of damaging their owner or permissions, the .logout file was not created when the user was added. Therefore, if we do not want its owner to be root:ca, it has to be created as user ca, at least by means of the conf/ca.sh script.

Now we give our user ca the ability to mount third-party flash drives and the partitions of our own flash drive (with the CA settings, keys and the exchange partition).

conf/devfs.rules
##
# conf/devfs.rules
##
[localrules=5]
# partitions of our flash drive, addressed by GPT label under /dev/gpt/
add path 'gpt/*' group operator mode 0660
# third-party flash drives
add path 'da*' group operator mode 0660


The flash drive will be partitioned with GPT, and its partitions will be addressed by labels of the form /dev/gpt/label.

conf/sysctl.conf
##
# conf/sysctl.conf
##
# allow regular users to mount file systems
vfs.usermount=1


Set the variable in sysctl.conf.

conf/ttys
##
# conf/ttys
##
#
# $FreeBSD: releng/10.1/etc/etc.i386/ttys 267236 2014-06-08 17:50:07Z nwhitehorn $
# @(#)ttys 5.1 (Berkeley) 4/17/89
#
console none unknown off secure
# autologin of user 'ca'
ttyv0 "/usr/libexec/getty CA" xterm on secure
# login for 'root'
ttyv1 "/usr/libexec/getty Pc" xterm on secure


At startup we launch two terminals on the system console (both with terminal type xterm). The first one autologins the user 'ca' (see the description of gettytab below), the second one is for 'root', a normal login with a password prompt.

conf/gettytab
##
# conf/gettytab
##
# $FreeBSD: releng/10.1/etc/gettytab 241708 2012-10-18 22:20:02Z peterj $
# from: @(#)gettytab 5.14 (Berkeley) 3/27/91
#
default:\
	:cb:ce:ck:lc:fd#1000:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:\
	:if=/etc/issue:

P|Pc|Pc console:\
	:ht:np:sp#9600:

# autologin entry for user 'ca'
CA:\
	:al=ca:tc=Pc:


In the settings we leave only a few entries: default, Pc (for user 'root'), and a new entry CA, in which we write the autologin of user 'ca'; the rest is inherited from Pc and default.

Next, create an issue file in which we remind the operator to check the time set on the computer we booted from. Internet access is excluded by design, so if necessary we set the clock manually. Fortunately, for this CA an accuracy of plus or minus a minute is not critical at all.

conf/issue
 ====^^^=^^=^^=^^=^^== ==   == 


We take the file etc/defaults/rc.conf, copy it to our conf/ and start disabling everything unnecessary.

conf/rc.conf
##
# conf/rc.conf
##
#
# $FreeBSD: releng/10.1/etc/defaults/rc.conf 273188 2014-10-16 22:00:24Z hrs $
##############################################################
### Important initial Boot-time options ####################
##############################################################
rc_debug="NO" # Set to YES to enable debugging output from rc.d
rc_info="YES" # Enables display of informational messages at boot.
devd_enable="NO" # Run devd, to trigger programs on device tree changes.
devd_flags="" # Additional flags for devd(8).
gptboot_enable="YES" # GPT boot success/failure reporting.
# GELI disk encryption configuration.
geli_devices="gpt/keys" # List of devices to automatically attach in addition to
                        # GELI devices listed in /etc/fstab.
geli_tries="" # Number of times to attempt attaching geli device.
              # If empty, kern.geom.eli.tries will be used.
geli_default_flags="" # Default flags for geli(8).
geli_autodetach="YES" # Automatically detach on last close.
                      # Providers are marked as such when all file systems are
                      # mounted.
# Example use.
#geli_devices="da1 mirror/home"
#geli_da1_flags="-p -k /etc/geli/da1.keys"
#geli_da1_autodetach="NO"
#geli_mirror_home_flags="-k /etc/geli/home.keys"
fsck_y_enable="NO" # Set to YES to do fsck -y if the initial preen fails.
fsck_y_flags="" # Additional flags for fsck -y
# not needed here, so "NO"
background_fsck="NO" # Attempt to run fsck in the background where possible.
##############################################################
### Network configuration sub-section ######################
##############################################################
### Basic network and firewall/security options: ###
hostname="root2sub1" # Set this!
hostid_enable="NO" # Set host UUID.
#network_interfaces="lo0" # List of network interfaces (or "auto").
#ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
network_interfaces="" # List of network interfaces (or "auto").
### Network daemon (miscellaneous) ###
hostapd_enable="NO" # Run hostap daemon.
syslogd_enable="NO" # Run syslog daemon (or NO).
### IPv6 options: ###
ip6addrctl_enable="NO" # Set to YES to enable default address selection
ipv6_network_interfaces="none" # List of IPv6 network interfaces
                               # (or "auto" or "none").
##############################################################
### Mail Transfer Agent (MTA) options ######################
##############################################################
# Settings for /etc/rc.sendmail and /etc/rc.d/sendmail:
sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
##############################################################
### Miscellaneous administrative options ###################
##############################################################
# devfs rules so that user 'ca' can mount media
devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules" # Files containing
                                                            # devfs(8) rules.
devfs_system_ruleset="localrules" # The name (NOT number) of a ruleset to apply to /dev
devfs_set_rulesets="" # A list of /mount/dev=ruleset_name settings to
                      # apply (must be mounted already, ie fstab(5))
devfs_load_rulesets="YES" # Enable to always load the default rulesets
cron_enable="NO" # Run the periodic job daemon.
crashinfo_enable="NO" # Automatically generate crash dump summary.
kern_securelevel_enable="NO" # kernel security level (see security(7))
kern_securelevel="-1" # range: -1..3 ; `-1' is the most insecure
                      # Note that setting securelevel to 0 will result
                      # in the system booting with securelevel set to 1, as
                      # init(8) will raise the level when rc(8) completes.
update_motd="NO" # update version info in /etc/motd (or NO)
entropy_file="NO" # Set to NO to disable caching entropy through reboots.
                  # /var/db/entropy-file is preferred if / is not avail.
dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
newsyslog_enable="NO" # Run newsyslog at startup.
mixer_enable="NO" # Run the sound mixer.
##############################################################
### System console options #################################
##############################################################
#keyboard="" # keyboard device to use (default /dev/kbd0).
keymap="ru.win" # keymap in /usr/share/{syscons,vt}/keymaps/* (or NO).
keyrate="fast" # keyboard rate to: slow, normal, fast (or NO).
#keybell="NO" # See kbdcontrol(1) for options. Use "off" to disable.
#keychange="NO" # function keys default values (or NO).
#cursor="NO" # cursor type {normal|blink|destructive} (or NO).
#scrnmap="NO" # screen map in /usr/share/syscons/scrnmaps/* (or NO).
#font8x14="NO" # font 8x14 from /usr/share/{syscons,vt}/fonts/* (or NO).
#font8x8="NO" # font 8x8 from /usr/share/{syscons,vt}/fonts/* (or NO).
blanktime="NO" # blank time (in seconds) or "NO" to turn it off.
moused_nondefault_enable="NO" # Treat non-default mice as enabled unless
                              # specifically overriden in rc.conf(5).
# if we have our own Russian font, it goes here
#font8x16="xxx.fnt"


The section with the geli_ parameters will be needed later. Set the hostname. Specify the devfs parameters so that our local rules for mounting flash drives are picked up. Keep in mind that freebsd-update does not work when kern.securelevel > 0. Finally, in the System console options section we configure the switch to Russian and the keyboard properties. We do not specify a Russian font file here: if we have our own, we will add it later; if we do not, we leave the system default.
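As an added check (not from the article), here is a POSIX sh audit of conf/fstab and conf/rc.conf for the properties the text above relies on: the key partition at /ca.keys is mounted read-only and only on demand (noauto), /tmp is noexec, the localrules devfs ruleset is selected, and the kernel securelevel is left where freebsd-update still works. The sample file contents and the specific checks are my own; against the real files, run audit_config on ${BASE}/conf/fstab and ${BASE}/conf/rc.conf before the image is built.

```shell
#!/bin/sh
# Added example: offline audit of fstab and rc.conf for the CA flash drive.
# The sample files below are constructed in the shape of the article's files.
export LC_ALL=C

# Print the mount options of the fstab entry for mount point $2 in file $1.
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# Succeed when the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print the value of rc.conf variable $2 in file $1 (last assignment wins).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Audit fstab ($1) and rc.conf ($2): print each finding, return their count.
audit_config() {
    findings=0
    keys=$(fstab_opts "$1" /ca.keys)
    has_opt "$keys" ro     || { echo "FINDING: /ca.keys is not mounted read-only"; findings=$((findings + 1)); }
    has_opt "$keys" noauto || { echo "FINDING: /ca.keys would be mounted at boot"; findings=$((findings + 1)); }
    tmp=$(fstab_opts "$1" /tmp)
    has_opt "$tmp" noexec  || { echo "FINDING: /tmp allows execution"; findings=$((findings + 1)); }
    [ "$(rc_value "$2" devfs_system_ruleset)" = localrules ] \
        || { echo "FINDING: devfs ruleset 'localrules' is not applied"; findings=$((findings + 1)); }
    sl=$(rc_value "$2" kern_securelevel)
    if [ "$(rc_value "$2" kern_securelevel_enable)" = YES ] && [ "${sl:-0}" -gt 0 ]; then
        echo "FINDING: kern_securelevel=$sl blocks freebsd-update"
        findings=$((findings + 1))
    fi
    return "$findings"
}

GOOD_FSTAB=$(mktemp); BAD_FSTAB=$(mktemp); GOOD_RC=$(mktemp); BAD_RC=$(mktemp)
trap 'rm -f "$GOOD_FSTAB" "$BAD_FSTAB" "$GOOD_RC" "$BAD_RC"' EXIT

# Constructed fstab matching the article's layout.
cat > "$GOOD_FSTAB" <<'EOF'
/dev/md0 / ufs rw 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m,noexec 0 0
/dev/gpt/ca /ca ufs rw,noauto,noatime 0 0
/dev/gpt/keys.eli /ca.keys ufs ro,noauto,noatime 0 0
EOF
# Constructed fstab with the key partition writable and auto-mounted, /tmp executable.
cat > "$BAD_FSTAB" <<'EOF'
/dev/md0 / ufs rw 0 0
tmpfs /tmp tmpfs rw,mode=1777,size=50m 0 0
/dev/gpt/keys.eli /ca.keys ufs rw,noatime 0 0
EOF
# Constructed rc.conf fragments (comments after values are allowed).
cat > "$GOOD_RC" <<'EOF'
devfs_system_ruleset="localrules" # The name (NOT number) of a ruleset to apply to /dev
kern_securelevel_enable="NO"
kern_securelevel="-1"
EOF
cat > "$BAD_RC" <<'EOF'
devfs_system_ruleset=""
kern_securelevel_enable="YES"
kern_securelevel="2"
EOF

audit_config "$GOOD_FSTAB" "$GOOD_RC" && echo "sample config: OK"
audit_config "$BAD_FSTAB" "$BAD_RC" || echo "sample bad config: $? finding(s)"
```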

conf/hosts
##
# conf/hosts
##
127.0.0.1 localhost


Let it be.

conf/termcap
#
# conf/termcap
#
# @(#)termcap.src 8.2 (Berkeley) 11/17/93
# $FreeBSD: releng/10.1/share/termcap/termcap.src 267734 2014-06-22 16:48:21Z gavin $
xterm|X11 terminal emulator:\
	:tc=xterm-new:
# To add a termcap entry under FreeBSD for a new terminal type, insert
# the entry in the appropriate location in /etc/termcap then issue this
# command:
#
# cap_mkdb /etc/termcap
#
xterm-clear:\
	:te=\E[?1049l:ti=\E[?1049h:\
	:tc=xterm-new:
xterm-new|modern xterm:\
	:@7=\EOF:@8=\EOM:F1=\E[23~:F2=\E[24~:K2=\EOE:Km=\E[M:\
	:k1=\EOP:k2=\EOQ:k3=\EOR:k4=\EOS:k5=\E[15~:k6=\E[17~:\
	:k7=\E[18~:k8=\E[19~:k9=\E[20~:k;=\E[21~:kI=\E[2~:\
	:kN=\E[6~:kP=\E[5~:kd=\EOB:kh=\EOH:kl=\EOD:kr=\EOC:ku=\EOA:\
	:tc=xterm-basic:
#
# This chunk is used for building the VT220/Sun/PC keyboard variants.
xterm-basic|modern xterm common:\
	:am:bs:km:mi:ms:ut:xn:AX:\
	:Co#8:co#80:kn#12:li#24:pa#64:\
	:AB=\E[4%dm:AF=\E[3%dm:AL=\E[%dL:DC=\E[%dP:DL=\E[%dM:\
	:DO=\E[%dB:LE=\E[%dD:RI=\E[%dC:UP=\E[%dA:ae=\E(B:al=\E[L:\
	:as=\E(0:bl=^G:cd=\E[J:ce=\E[K:cl=\E[H\E[2J:\
	:cm=\E[%i%d;%dH:cs=\E[%i%d;%dr:ct=\E[3g:dc=\E[P:dl=\E[M:\
	:ei=\E[4l:ho=\E[H:im=\E[4h:is=\E[!p\E[?3;4l\E[4l\E>:\
	:kD=\E[3~:kb=^H:ke=\E[?1l\E>:ks=\E[?1h\E=:kB=\E[Z:le=^H:md=\E[1m:\
	:me=\E[m:ml=\El:mr=\E[7m:mu=\Em:nd=\E[C:op=\E[39;49m:\
	:rc=\E8:rs=\E[!p\E[?3;4l\E[4l\E>:sc=\E7:se=\E[27m:sf=^J:\
	:so=\E[7m:sr=\EM:st=\EH:\
	:ue=\E[24m:up=\E[A:us=\E[4m:ve=\E[?12l\E[?25h:vi=\E[?25l:vs=\E[?12;25h:
#
# END OF TERMCAP
# ------------------------


Let's make a trimmed version of the termcap file, leaving only xterm * terminals there - this will significantly reduce the size of termcap.db.

conf/freebsd-update.conf
##
# conf/freebsd-update.conf
##
# $FreeBSD: releng/10.1/etc/freebsd-update.conf 258121 2013-11-14 09:14:33Z glebius $

# Trusted keyprint.
KeyPrint 800651ef4b4c71c27e60786d7b487188970f4b4169cc055784e21eb71d410cc5

# Server or server pool from which to fetch updates.
ServerName update.FreeBSD.org

# Components of the base system which should be kept updated.
Components world kernel

# Directory in which to store downloaded updates and temporary
# files used by FreeBSD Update.
WorkDir /mnt

# When installing a new kernel perform a backup of the old one first
# so it is possible to boot the old kernel in case of problems.
BackupKernel no


In our case, the USB flash drive with the updates will be mounted at /mnt. When updating the kernel, we do not keep the old one.

Driven by philanthropy to potential system operators who are not at all professional FreeBSD users, we will create several more files:

conf/motd
'help' - Ctrl+Shift


And two files, help and manpath, which we will later place in usr/bin.

conf/help
#!/bin/sh
##
# conf/help
##
cat << EOF
Working with the second system image, mfs2:
$ mount /dev/gpt/system /mnt
$ mdconfig -a -t vnode -f /mnt/mfs2 -u 1
$ mount /dev/md1 /media
... work in /media ...
$ umount /media
$ mdconfig -d -u 1
$ umount /mnt

Mounting an MS DOS flash drive
(as root)
$ mount_msdosfs -u ca -g ca -m 0640 -M 0750 -l /dev/da1s1 /mnt
(as user)
$ mount_msdosfs -m 0640 -M 0750 -l /dev/da1s1 ~/mnt

Converting DOS line endings (CR/LF) to Unix:
$ tr -d '\r' < in.txt > out.txt

Setting the date (as root)
$ date

Creating a memory disk
$ mount -t tmpfs -o size=100m tmpfs ~/mnt
EOF


Since the man pages will not be included, we will do a little help.

conf/manpath
#!/bin/sh
##
# conf/manpath
##
# The world is built with WITHOUT_MAN=, so there is no manpath; this stub
# keeps whereis from failing when it calls manpath anyway.
echo ""


The second file, manpath, is a stub that works around incorrect behaviour of the whereis utility: even when asked to search only for binaries ('-b'), it still tries to call manpath, which is not in our system because the world was compiled with WITHOUT_MAN=, and fails.

So, install our files from conf/ into ${WORKDIR}/vanilla and continue configuring:

# etc
$ install -m 0644 -o root -g wheel conf/{devfs.rules,freebsd-update.conf,fstab,gettytab} ${WORKDIR}/vanilla/etc/
$ install -m 0644 -o root -g wheel conf/{hosts,issue,motd,rc.conf,sysctl.conf,ttys} ${WORKDIR}/vanilla/etc/
# usr/bin
$ install -m 0555 -o root -g wheel conf/{help,manpath} ${WORKDIR}/vanilla/usr/bin/
# usr/share/misc
$ install -m 0644 -o root -g wheel conf/termcap ${WORKDIR}/vanilla/usr/share/misc/
# Time zone.
$ tzsetup -s -C ${WORKDIR}/vanilla Asia/Yekaterinburg
# Empty file. Its presence indicates that the machine's CMOS clock is set to local time.
$ touch ${WORKDIR}/vanilla/etc/wall_cmos_clock
# Set root's password (pw -h 0 reads it from stdin)
$ pw -V ${WORKDIR}/vanilla/etc usermod root -h 0

The Russian console font: keyrus, from habrahabr.ru/post/137544, as keyrus.bdf.

$ vtfontcvt tools/keyrus.bdf keyrus.fnt
$ install -m 0444 -o root -g wheel keyrus.fnt ${WORKDIR}/vanilla/usr/share/vt/fonts/
$ echo 'font8x16="keyrus.fnt"' >> ${WORKDIR}/vanilla/etc/rc.conf


. , , , . handbook, . , — loader' , . ${WORKDIR}/vanilla , ${WORKDIR}/custom.

# custom/boot/ will hold the loader, its configuration and the kernels:
# boot/kernel/ - GENERIC kernel with modules, boot/kernel.cabsd/ - our caBSD kernel
$ mkdir -p ${WORKDIR}/custom/boot/{defaults,kernel,kernel.cabsd}
# caBSD kernel (from our build)
$ cp -p ${WORKDIR}/vanilla/boot/kernel/kernel ${WORKDIR}/custom/boot/kernel.cabsd/
# GENERIC kernel (from the stock build staged in vanilla/tmp)
$ cp -p ${WORKDIR}/vanilla/tmp/boot/kernel/kernel ${WORKDIR}/custom/boot/kernel/

. . : mff, mmf, ffmm
  1. caBSD kernel with the first system image
  2. GENERIC kernel with modules and the first system image
  3. GENERIC kernel with modules and the second system image

The first option will be the default configuration, and we assume that usually the user will work in it.

We will have three configuration files for the loader: loader.conf for the first configuration, and loader_gen1.conf and loader_gen2.conf for the GENERIC kernel with the first and second image respectively, differing only in the image file name. So,

conf/loader.conf
##
# conf/loader.conf
##
# Seconds before autoboot
autoboot_delay="5"
# Load a memory disk image as the root file system
mfs_load="YES"
mfs_type="md_image"
# The mfs1 image (gzip-compressed on disk; the loader opens the .gz transparently)
mfs_name="/mfs1"
# The kernel is loaded from /boot/${kernel}/${bootfile}
kernel="kernel.cabsd"       # /boot sub-directory containing kernel and modules
#bootfile="kernel"          # Kernel name (possibly absolute path)
#kernel_options=""          # Flags to be passed to the kernel
# newcons:
# https://www.freebsd.org/cgi/man.cgi?query=vt(4)
# The caBSD kernel has only vt; GENERIC has both sc and vt, and kern.vty=vt
# selects vt there, which gives the UTF-8 console.
kern.vty=vt
# Enable halt keyboard combination.
kern.vt.kbd_halt=1
# Enable power off key combination.
kern.vt.kbd_poweroff=1
# Enable reboot key combination, usually Ctrl+Alt+Del.
kern.vt.kbd_reboot=1
# Enable debug request key combination, usually Ctrl+Alt+Esc.
kern.vt.kbd_debug=0
# Enable panic key combination.
kern.vt.kbd_panic=0


In loader.conf, we specify the parameters for the first boot option: the caBSD kernel and the mfs1 image (we will create it a little later). Keep in mind that with our menu, the parameters set in this file are inherited by the configuration files of the second and third options. That is, if something odd is written in loader.conf, such as kernel_options="-s" (boot into single-user mode), all three options will boot that way. Therefore the doubtful variables set in loader.conf are overwritten (reset) in loader_gen*.conf.

conf/loader_gen1.conf
##
# conf/loader_gen1.conf
##
#
# Second boot option: GENERIC kernel with the mfs1 image.
# Values inherited from loader.conf are reset where they do not apply.
mfs_name="/mfs1"
tmpfs_load="YES"
#geom_eli_load="YES"
exec=".( Loading GENERIC kernel and mfs1 root image ) cr"
kernel="kernel"             # /boot sub-directory containing kernel and modules
bootfile="kernel"           # Kernel name (possibly absolute path)
kernel_options=""           # Flags to be passed to the kernel



conf/loader_gen2.conf
##
# conf/loader_gen2.conf
##
#
# Third boot option: GENERIC kernel with the mfs2 image.
# Values inherited from loader.conf are reset where they do not apply.
mfs_name="/mfs2"
tmpfs_load="YES"
#geom_eli_load="YES"
exec=".( Loading GENERIC kernel and mfs2 root image ) cr"
kernel="kernel"             # /boot sub-directory containing kernel and modules
bootfile="kernel"           # Kernel name (possibly absolute path)
kernel_options=""           # Flags to be passed to the kernel


On to the boot menu. A superficial look at the vanilla/boot/*.4th configuration files, with their Forth constructs, caused sadness and discouragement: why all these inverted constructions, why could it not be written simply and clearly, for example:

PROC START ();
ON MODULE HEAD;
DRAW (“RAMKA1”);
CONCLUSION: "Welcome to caBSD";
...
OFF MODULE HEAD;
;

Eeeh ...

Fortunately, good people (may they be rewarded in their next reincarnations) put simple examples into /usr/share/examples/bootforth; we slightly changed them to get the following loader.rc and menuconf.4th:

conf/loader.rc
\
\ conf/loader.rc
\
\ Example of the file which is automatically loaded by /boot/loader on startup.
\ $FreeBSD: releng/10.1/share/examples/bootforth/loader.rc 87636 2001-12-11 00:49:34Z jhb $

include /boot/loader.4th

s" /boot/screen.4th" O_RDONLY fopen dup fload fclose
s" /boot/frames.4th" O_RDONLY fopen dup fload fclose
s" /boot/menuconf.4th" O_RDONLY fopen dup fload fclose

initialize drop
cr
main_menu



conf/menuconf.4th
\
\ conf/menuconf.4th
\
\ Simple greeting screen, presenting basic options.
\ XXX This is far too trivial - I don't have time now to think about something more fancy... :-/
\ $FreeBSD: releng/10.1/share/examples/bootforth/menuconf.4th 65480 2000-09-05 16:30:09Z dcs $

: title
    f_single
    \ box arguments: w h x y
    60 11 10 4 box
    30 4 at-xy ." Welcome to caBSD "
    me
;

: menu
    2 fg
    15 7 at-xy ." 1. Start caBSD kernel and first root image (auto)"
    15 8 at-xy ." 2. Start GENERIC kernel and first root image"
    15 9 at-xy ." 3. Start GENERIC kernel and second root image"
    15 10 at-xy ." 4. Reboot"
    me
;

: tkey ( d -- flag | char )
    seconds +
    begin 1 while
        dup seconds u< if drop -1 exit then
        key? if drop key exit then
    repeat
;

: prompt
    14 fg
    15 13 at-xy ." Enter your option (1,2,3,4): "
    10 tkey
    dup 32 = if drop key then
    dup 0< if
        \ timeout: take option 1 by default
        drop 49
    then
    dup emit
    me
;

: help_text
    10 17 at-xy ." * Choose 1 to proceed with standard bootstrapping."
    10 18 at-xy ." * Choose 2 or 3 to run special configuration file."
    10 19 at-xy ." * Choose 4 in order to warm boot your machine."
    10 21 at-xy ." * Anyway you have few seconds to interrupt boot,"
    10 22 at-xy ." change parameters and type 'boot' to continue"
;

: (reboot) 0 reboot ;

: main_menu
    begin 1 while
        clear
        f_double 79 23 1 1 box
        title
        menu
        help_text
        prompt
        cr cr cr
        dup 49 = if
            drop 1 25 at-xy cr ." Proceeding with standard boot. Please wait..." cr
            0 boot-conf exit
        then
        dup 50 = if
            drop 1 25 at-xy cr ." Loading /boot/loader_gen1.conf. Please wait..." cr
            s" /boot/loader_gen1.conf" read-conf 0 boot-conf exit
        then
        dup 51 = if
            drop 1 25 at-xy cr ." Loading /boot/loader_gen2.conf. Please wait..." cr
            s" /boot/loader_gen2.conf" read-conf 0 boot-conf exit
        then
        dup 52 = if
            drop 1 25 at-xy cr
            ['] (reboot) catch abort" Error rebooting"
        then
        15 12 at-xy ." Key " emit ." is not a valid option!"
        15 13 at-xy ." Press any key to continue..."
        key drop
    repeat
;


As a result, we have drawn such a boot menu:



Continue the installation, taking what we need from ${WORKDIR}/vanilla/boot:

# the loader, the .rc files and the .4th files (beastie.4th and brand.4th are not needed)
$ cp -p ${WORKDIR}/vanilla/boot/{loader,loader.help,*.rc,*.4th} ${WORKDIR}/custom/boot
$ cp -p ${WORKDIR}/vanilla/boot/defaults/loader.conf ${WORKDIR}/custom/boot/defaults
$ rm -f ${WORKDIR}/custom/boot/{beastie.4th,brand.4th}
# our loader*.conf, loader.rc and menuconf.4th from conf/ into boot
$ install -m 0644 -o root -g wheel conf/{loader,loader_gen1,loader_gen2}.conf ${WORKDIR}/custom/boot/
$ install -m 0644 -o root -g wheel conf/{loader.rc,menuconf.4th} ${WORKDIR}/custom/boot/
# boot code for GPT and for the CD, used later
$ cp -p ${WORKDIR}/vanilla/boot/{pmbr,gptboot,cdboot} ${WORKDIR}

. caBSD «makeoptions NO_MODULES=1», . GENERIC . , . , geom_eli.ko, boot/loader_gen1.conf 'geom_eli_load=«YES»', , . . mfs- , mfs1:/etc/rc.d/geli, . — /boot/kernel mfs1:/.

, :

  1. , ${WORKDIR}/custom/boot/kernel, init, rc- — ${WORKDIR}/vanilla/boot/modules (. 'module_path="/boot/modules"' boot/defaults/loader.conf)
  2. (). - rc- ( etc/rc.d/geli) (iso/img) /boot/kernel/ mfs1:/boot/modules


# Modules for the GENERIC options come from the stock build; tmpfs.ko is needed
# for the tmpfs mounts in the mfs system
$ cp -p ${WORKDIR}/vanilla/tmp/boot/kernel/tmpfs.ko ${WORKDIR}/custom/boot/kernel
$ strip ${WORKDIR}/custom/boot/kernel/tmpfs.ko
# /boot as laid out by installkernel is not needed inside the image
$ rm -rf ${WORKDIR}/vanilla/boot
# the image keeps only a modules directory
$ mkdir -p ${WORKDIR}/vanilla/boot/modules
# geom_eli.ko and its dependency crypto.ko go into the image
$ cp -p ${WORKDIR}/vanilla/tmp/boot/kernel/{geom_eli,crypto}.ko ${WORKDIR}/vanilla/boot/modules
$ strip ${WORKDIR}/vanilla/boot/modules/{geom_eli,crypto}.ko
# the staged stock /boot is no longer needed
$ rm -rf ${WORKDIR}/vanilla/tmp/boot
# strip the kernels
$ ls -l ${WORKDIR}/custom/boot/{kernel,kernel.cabsd}/kernel
$ strip ${WORKDIR}/custom/boot/{kernel,kernel.cabsd}/kernel
$ strip --remove-section=.note --remove-section=.comment ${WORKDIR}/custom/boot/{kernel,kernel.cabsd}/kernel
# compress the caBSD kernel; the GENERIC kernel is left as is, since
# freebsd-update compares and patches it in place
$ gzip -9 -f ${WORKDIR}/custom/boot/kernel.cabsd/kernel
# kgzip -o ${WORKDIR}/custom/boot/kernel.cabsd/kernel ${WORKDIR}/custom/boot/kernel.cabsd/kernel
# gzip -9 -f ${WORKDIR}/custom/boot/kernel/kernel
$ ls -l ${WORKDIR}/custom/boot/{kernel,kernel.cabsd}/kernel*

. gzip kgzip. , - .

caBSD : — 3.9 , — 1.8 , kgzip , ~9 gzip.

GENERIC : — 17 , gzip — 7.5 , kgzip — 6.8 . . . , 19: 8.2: 6.8 . , . GENERIC - . , - strip .


Despite the noticeable minimization of our system through the options used when compiling the world, there are still many places where we can lay our hands. We will do the following:
  1. List in the files tools/files2delete_* the files and directories to be deleted.
  2. List in the file tools/files2keep the exceptions to item 1: the files that must be kept.
  3. Archive the files from item 2.
  4. Delete the files and directories from item 1.
  5. Restore the kept files from the archive.

The obvious advantages of such a multi-way combination:



tools/files2keep
#
# tools/files2keep
#
etc/rc.d/DAEMON
etc/rc.d/FILESYSTEMS
etc/rc.d/LOGIN
etc/rc.d/NETWORKING
etc/rc.d/SERVERS
etc/rc.d/adjkerntz
etc/rc.d/devfs
etc/rc.d/dmesg
etc/rc.d/geli
etc/rc.d/geli2
etc/rc.d/gptboot
etc/rc.d/hostname
etc/rc.d/initrandom
etc/rc.d/ldconfig
etc/rc.d/mountcritlocal
etc/rc.d/postrandom
etc/rc.d/random
etc/rc.d/root
etc/rc.d/securelevel
etc/rc.d/syscons
etc/rc.d/sysctl
etc/pam.d/login
#etc/pam.d/other
etc/pam.d/passwd
etc/pam.d/system
usr/libexec/getty
usr/share/locale/en_US.UTF-8
usr/share/locale/ru_RU.UTF-8
#usr/share/misc/init.ee
usr/share/misc/termcap
usr/share/vt/keymaps/ru.kbd
usr/share/vt/keymaps/ru.shift.kbd
usr/share/vt/keymaps/ru.win.kbd
usr/share/zoneinfo/Asia/Yekaterinburg
usr/share/zoneinfo/Europe/Moscow
usr/share/zoneinfo/UTC
usr/local/etc/joe/syntax/conf.jsf
usr/local/etc/joe/syntax/csh.jsf
usr/local/etc/joe/syntax/diff.jsf
usr/local/etc/joe/syntax/sh.jsf



Now we make the lists of files and directories to delete. Blank lines, and lines whose first character is '#', are ignored.

tools/files2delete_bin
#
# tools/files2delete_bin
#
bin/chio
bin/domainname
bin/ed
bin/pax
sbin/bsdlabel
sbin/camcontrol
sbin/ccdconfig
sbin/comcontrol
sbin/ddb
sbin/dhclient
sbin/dhclient-script
sbin/dump
sbin/dumpon
sbin/etherswitchcfg
sbin/fdisk
sbin/fsirand
sbin/gbde
sbin/ggatec
sbin/ggated
sbin/ggatel
sbin/gvinum
sbin/hastctl
sbin/hastd
sbin/ifconfig
sbin/iscontrol
sbin/kldconfig
sbin/kldunload
sbin/mksnap_ffs
sbin/mount_fusefs
sbin/mount_nfs
sbin/nfsiod
sbin/nos-tun
sbin/nvmecontrol
sbin/ping
sbin/resolvconf
sbin/restore
sbin/route
sbin/savecore
sbin/sconfig
sbin/setkey
sbin/spppcontrol
sbin/swapctl
usr/bin/asa
usr/bin/banner
usr/bin/brandelf
usr/bin/chat
usr/bin/chfn
usr/bin/chkey
usr/bin/colldef
usr/bin/cpasswd
usr/bin/cpuset
usr/bin/crontab
usr/bin/csup
usr/bin/ctlstat
usr/bin/dialog
usr/bin/dtc
usr/bin/ee
usr/bin/elf2aout
usr/bin/elfdump
usr/bin/fetch
usr/bin/file
usr/bin/finger
usr/bin/ftp
usr/bin/gcore
usr/bin/gencat
usr/bin/ipcrm
usr/bin/ipcs
usr/bin/iscsictl
usr/bin/keylogin
usr/bin/keylogout
usr/bin/ktrace
usr/bin/ktrdump
usr/bin/lam
usr/bin/lastcomm
usr/bin/leave
usr/bin/lockf
usr/bin/look
usr/bin/lorder
usr/bin/m4
usr/bin/mandoc
usr/bin/mesg
usr/bin/mkdep
usr/bin/mkfifo
usr/bin/mklocale
usr/bin/mt
usr/bin/netstat
usr/bin/newgrp
usr/bin/nfsstat
usr/bin/pagesize
usr/bin/passwd
usr/bin/pr
usr/bin/protect
usr/bin/rctl
usr/bin/revoke
usr/bin/rpcinfo
usr/bin/rs
usr/bin/rup
usr/bin/rusers
usr/bin/rwall
usr/bin/send-pr
usr/bin/showmount
usr/bin/smbutil
usr/bin/sockstat
usr/bin/stdbuf
usr/bin/su
usr/bin/tabs
usr/bin/talk
usr/bin/tcopy
usr/bin/tee
usr/bin/tftp
usr/bin/tip
usr/bin/tsort
usr/bin/units
usr/bin/unvis
usr/bin/vis
usr/bin/vmstat
usr/bin/wall
usr/bin/what
usr/bin/whois
usr/bin/write
usr/sbin/adduser
usr/sbin/arp
usr/sbin/asf
usr/sbin/automountd
usr/sbin/binmiscctl
usr/sbin/boot0cfg
usr/sbin/bootparamd
usr/sbin/bootpef
usr/sbin/bootptest
usr/sbin/bsdconfig
usr/sbin/bsdinstall
usr/sbin/callbootd
usr/sbin/cdcontrol
usr/sbin/chroot
usr/sbin/ckdist
usr/sbin/clear_locks
usr/sbin/cpucontrol
usr/sbin/crashinfo
usr/sbin/cron
usr/sbin/ctladm
usr/sbin/ctld
usr/sbin/dconschat
usr/sbin/digictl
usr/sbin/dumpcis
usr/sbin/etcupdate
usr/sbin/fifolog_create
usr/sbin/fifolog_reader
usr/sbin/fifolog_writer
usr/sbin/fwcontrol
usr/sbin/getfmac
usr/sbin/getpmac
usr/sbin/i2c
usr/sbin/ifmcstat
usr/sbin/inetd
usr/sbin/iscsid
usr/sbin/keyserv
usr/sbin/kgmon
usr/sbin/kgzip
usr/sbin/lptcontrol
usr/sbin/memcontrol
usr/sbin/mergemaster
usr/sbin/mfiutil
usr/sbin/mixer
usr/sbin/mlxcontrol
usr/sbin/mount_smbfs
usr/sbin/mountd
usr/sbin/moused
usr/sbin/mptable
usr/sbin/mptutil
usr/sbin/mtest
usr/sbin/newsyslog
usr/sbin/nfscbd
usr/sbin/nfsd
usr/sbin/nfsdumpstate
usr/sbin/nfsrevoke
usr/sbin/nfsuserd
usr/sbin/nmtree
usr/sbin/nologin
usr/sbin/pciconf
usr/sbin/periodic
usr/sbin/powerd
usr/sbin/procctl
usr/sbin/quot
usr/sbin/rarpd
usr/sbin/rmt
usr/sbin/rmuser
usr/sbin/rpc.lockd
usr/sbin/rpc.statd
usr/sbin/rpc.umntall
usr/sbin/rpcbind
usr/sbin/rtprio
usr/sbin/services_mkdb
usr/sbin/setfib
usr/sbin/setfmac
usr/sbin/setpmac
usr/sbin/sicontrol
usr/sbin/smbmsg
usr/sbin/snapinfo
usr/sbin/spkrtest
usr/sbin/spray
usr/sbin/syslogd
usr/sbin/sysrc
usr/sbin/tcpdchk
usr/sbin/tcpdmatch
usr/sbin/tcpdrop
usr/sbin/tcpdump
usr/sbin/timed
usr/sbin/timedc
usr/sbin/traceroute
usr/sbin/trpt
usr/sbin/ugidfw
usr/sbin/vipw
usr/sbin/wake
usr/sbin/watch
usr/sbin/watchdog
usr/sbin/zdump
usr/sbin/zic
usr/sbin/zzz
# vi
usr/bin/vi


Cleaning bin, sbin, usr/bin and usr/sbin. When a file is deleted, hard links to it are found and deleted automatically.

tools/files2delete_etc
#
# tools/files2delete_etc
#
etc/X11
etc/auto_master
etc/autofs
etc/bluetooth
etc/crontab
etc/ddb.conf
etc/defaults/bluetooth.device.conf
etc/defaults/periodic.conf
etc/devd
etc/devd.conf
etc/dhclient.conf
etc/disktab
etc/dumpdates
etc/ftpusers
etc/gss
etc/hosts
etc/hosts.allow
etc/hosts.equiv
etc/inetd.conf
etc/libalias.conf
etc/mac.conf
etc/mail
etc/mtree
etc/netconfig
etc/netstart
etc/networks
etc/newsyslog.conf
etc/newsyslog.conf.d
etc/nsmb.conf
etc/ntp
etc/pam.d
#etc/pam.d/passwd
etc/pccard_ether
etc/periodic
etc/phones
etc/pkg
etc/ppp
etc/rc.bsdextended
etc/rc.d
etc/rc.firewall
etc/rc.initdiskless
etc/rc.resume
etc/rc.sendmail
etc/rc.suspend
etc/remote
etc/rpc
etc/security
etc/skel
etc/ssh
etc/ssl
etc/syslog.conf
etc/termcap.small
etc/zfs


Cleaning etc. Note that the whole of etc/rc.d is deleted; the start-up rc-scripts we need are restored from the archive created beforehand.

tools/files2delete_lib
#
# tools/files2delete_lib
#
lib/libalias.so.7
lib/libalias_cuseeme.so
lib/libalias_dummy.so
lib/libalias_ftp.so
lib/libalias_irc.so
lib/libalias_nbt.so
lib/libalias_pptp.so
lib/libalias_skinny.so
lib/libalias_smedia.so
lib/libbegemot.so.4
lib/libcam.so.6
lib/libgcc_s.so.1
lib/libipsec.so.4
lib/libpcap.so.8
lib/libreadline.so.8
lib/libthr.so.3
lib/libulog.so.0
libexec/resolvconf
# OpenSSL IBM 4758 CCA hardware engine support
usr/lib/engines/lib4758cca.so
# OpenSSL AEP hardware engine support
usr/lib/engines/libaep.so
# OpenSSL Atalla hardware engine support
usr/lib/engines/libatalla.so
# OpenSSL CHIL hardware engine support
usr/lib/engines/libchil.so
# OpenSSL CryptoSwift hardware engine support
usr/lib/engines/libcswift.so
# OpenSSL Nuron hardware engine support
usr/lib/engines/libnuron.so
# OpenSSL SureWare hardware engine support
usr/lib/engines/libsureware.so
# OpenSSL UBSEC hardware engine support
usr/lib/engines/libubsec.so
usr/lib/private
usr/lib/libBlocksRuntime.so.0
usr/lib/libalias.so
usr/lib/libauditd.so.5
usr/lib/libbegemot.so
usr/lib/libbsm.so.3
usr/lib/libcam.so
usr/lib/libcurses.so
usr/lib/libcursesw.so
usr/lib/libdwarf.so.3
usr/lib/libexecinfo.so.1
usr/lib/libfetch.so.6
usr/lib/libform.so.5
usr/lib/libformw.so.5
usr/lib/libgcc_s.so
usr/lib/libgomp.so.1
usr/lib/libhistory.so.8
usr/lib/libipsec.so
usr/lib/libmagic.so.4
usr/lib/libmemstat.so.3
usr/lib/libmenu.so.5
usr/lib/libmenuw.so.5
usr/lib/libpanel.so.5
usr/lib/libpanelw.so.5
usr/lib/libpcap.so
usr/lib/libproc.so.2
usr/lib/libpthread.so
usr/lib/libradius.so.4
usr/lib/libreadline.so
usr/lib/librt.so.1
usr/lib/librtld_db.so.2
usr/lib/libsmb.so.4
usr/lib/libstdbuf.so.1
usr/lib/libstdthreads.so.0
usr/lib/libtacplus.so.5
usr/lib/libtermcap.so
usr/lib/libtermcapw.so
usr/lib/libtermlib.so
usr/lib/libtermlibw.so
usr/lib/libthr.so
usr/lib/libthread_db.so.3
usr/lib/libtinfo.so
usr/lib/libtinfow.so
usr/lib/libugidfw.so.4
usr/lib/libutempter.so
usr/lib/libvgl.so.6
usr/lib/libwrap.so.6
usr/lib32
usr/libdata
usr/libexec


Libraries. This is the file that needs the most care. The PAM modules from usr/lib are in a separate file.

tools/files2delete_local
#
# tools/files2delete_local
#
usr/local/libdata
usr/local/man
usr/local/share
usr/local/etc/joe/charmaps
usr/local/etc/joe/syntax


If packages were installed, usr/local can be cleaned as well.

tools/files2delete_pam
#
# tools/files2delete_pam
#
usr/lib/pam_chroot.so
usr/lib/pam_deny.so
usr/lib/pam_echo.so
usr/lib/pam_exec.so
usr/lib/pam_ftpusers.so
usr/lib/pam_group.so
usr/lib/pam_guest.so
#usr/lib/pam_lastlog.so
#usr/lib/pam_login_access.so
#usr/lib/pam_nologin.so
#usr/lib/pam_opie.so
#usr/lib/pam_opieaccess.so
usr/lib/pam_passwdqc.so
usr/lib/pam_permit.so
usr/lib/pam_radius.so
usr/lib/pam_rhosts.so
usr/lib/pam_rootok.so
#usr/lib/pam_securetty.so
#usr/lib/pam_self.so
usr/lib/pam_tacplus.so
#usr/lib/pam_unix.so


PAM modules.

tools/files2delete_var
#
# tools/files2delete_var
#
var/account
var/at
var/audit
var/authpf
var/crash
var/cron
var/db/hyperv
var/db/ipf
var/db/pkg
var/db/ports
var/db/portsnap
var/games
var/heimdal
var/mail
var/msgs
var/run/ppp
var/run/wpa_supplicant
var/rwho
var/spool
var/unbound
var/yp


One can read man hier and clean the var hierarchy of unnecessary empty directories. For beauty.

tools/files2delete_other
#
# tools/files2delete_other
#
usr/games
usr/include
usr/share/bsdconfig
usr/share/dtrace
usr/share/examples
usr/share/info
# keys?
usr/share/keys
usr/share/locale
usr/share/man
usr/share/mdocml
usr/share/misc
usr/share/nls
usr/share/openssl
usr/share/skel
usr/share/tabset
usr/share/vi
usr/share/vt/keymaps
usr/share/zoneinfo


We clean everything else, mostly usr/share.

It should be noted:

Getting started.

# remove a stale archive, if any
$ rm -f keepfiles.tar
# archive the files listed in tools/files2keep
$ tar --create --file keepfiles.tar --directory ${WORKDIR}/vanilla --dereference --files-from tools/files2keep
# Delete. Each list is fed entry by entry through xargs, skipping comments and blank lines.
# For binaries, find -samefile also removes every hard link to the entry:
$ cat tools/files2delete_bin | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla -samefile ${WORKDIR}/vanilla/% -exec rm -rf {} \;
# The remaining lists contain directories as well, so no -samefile here
$ cat tools/files2delete_etc | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
$ cat tools/files2delete_local | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
$ cat tools/files2delete_other | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
$ cat tools/files2delete_pam | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
$ cat tools/files2delete_lib | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
$ cat tools/files2delete_var | egrep -v '(^#|^\s*$)' | xargs -I % -t -L 1 find ${WORKDIR}/vanilla/% -exec rm -rf {} \;
# restore the kept files
$ tar --extract --file keepfiles.tar --verbose --directory ${WORKDIR}/vanilla
$ rm -f keepfiles.tar
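The five-step archive, delete, restore combination above, and the xargs/find pipeline that implements it, as one reusable POSIX sh function. This is an added example, not the article's script; prune_tree and list_entries are hypothetical names, the list format is the article's (blank lines and lines starting with '#' are ignored), and the function goes slightly beyond the page by treating symlink entries explicitly.

```shell
#!/bin/sh
# Added example (not code from the article): the archive/delete/restore
# combination as a function.  Regular files are removed together with
# every hard link to the same inode under ROOT (the -samefile trick from
# the files2delete_bin pipeline); directories and symlinks are removed as
# given.  Names are hypothetical.

# Print the entries of a list file, skipping comments and blank lines.
# '|| :' keeps an all-comment list from failing the pipeline under set -e.
list_entries() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1" || :
}

# prune_tree ROOT KEEPLIST DELETELIST...
prune_tree() {
    root=$1; keep=$2; shift 2
    archive=$(mktemp "${TMPDIR:-/tmp}/keepfiles.XXXXXX") || return 1
    keeplist=$(mktemp "${TMPDIR:-/tmp}/keeplist.XXXXXX") || return 1

    # Steps 1-3: archive the files to keep, relative to ROOT.
    # -h follows symlinks so the archive carries real contents, not links.
    list_entries "$keep" > "$keeplist"
    tar -chf "$archive" -C "$root" -T "$keeplist" || return 1

    # Step 4: delete everything listed, hard links included.
    for list in "$@"; do
        list_entries "$list" | while IFS= read -r entry; do
            target="$root/$entry"
            if [ -h "$target" ]; then
                rm -f "$target"
            elif [ -f "$target" ]; then
                find "$root" -samefile "$target" -exec rm -f {} +
            elif [ -e "$target" ]; then
                rm -rf "$target"
            fi
        done
    done

    # Step 5: put the archived files back (their directories are recreated).
    tar -xf "$archive" -C "$root" || return 1
    rm -f "$archive" "$keeplist"
}
```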


rc- etc/rc.d, . , 'etc/rc.d' , -, files2delete_other. . , :

$ find / -type f -amin -15 > /ca.certs/files-keep
$ find / -type f -not -amin -15 > /ca.certs/files-delete

So lists with “cold” files and “hot” files used in the boot process, whose atime has changed in the last fifteen minutes, were obtained. If we hadn’t cleaned up the rc-scripts beforehand, then the list of “hot” files would have included many clearly unnecessary ones - such as ifconfig and the like.

Once again, a file search was performed after updating the system with the help of freebsd-update - this made it possible to identify the necessary programs for its work, sometimes unobvious, such as join, tr, touch.

The deletion lists were formed from the list of "cold" files:

Based on the results of cleaning the system, a flash drive was made on which every file from bin, sbin, usr/bin and usr/sbin was run, to catch gross errors. It turned out that poweroff tries to call wall to warn users; clear wants tput (a necessary command, so tput had to be returned to the system); and the crutch for whereis we had provided for earlier. Of course, printing "usage:" does not exercise every library a program may need, but it did let us state that "everything starts". Well, practice is the criterion of truth.

Create an image of the system


Final cleaning of ${WORKDIR}/vanilla

# Remove empty directories under /usr.
$ find ${WORKDIR}/vanilla/usr -type d -empty -delete
# Remove dangling symlinks (with -L, -type l matches only broken links)
$ chroot ${WORKDIR}/vanilla find -L / -type l -exec rm -f {} \;
# leftovers of the package installation
$ rm -rf ${WORKDIR}/vanilla/tmp/pkg.files
# the pkg database used during the build
$ rm -rf ${WORKDIR}/pkg.db
# and its copy inside the image
$ rm -f ${WORKDIR}/vanilla/var/db/pkg/local.sqlite
# rebuild the termcap db
$ chroot ${WORKDIR}/vanilla cap_mkdb /usr/share/misc/termcap
# 'nologin' was deleted with files2delete_bin; recreate it as a hard link to 'false'
$ ln -f ${WORKDIR}/vanilla/usr/bin/false ${WORKDIR}/vanilla/usr/sbin/nologin
# mount points for the CA partitions
$ mkdir -p -m 0700 ${WORKDIR}/vanilla/{ca,ca.keys,ca.certs}
# mount point for the user's flash drives
$ mkdir -p -m 0700 ${WORKDIR}/vanilla/home/ca/mnt
# ownership
$ chroot ${WORKDIR}/vanilla chown ca:ca /ca /ca.keys /ca.certs /home/ca/mnt
# The mfs images. The second image gets more free space, since it is the one
# updated by freebsd-update. makefs options used:
# -b free-blocks - Ensure that a minimum of 'free-blocks' free blocks (512 bytes) exist in the image
# -f free-files - Ensure that a minimum of 'free-files' free files (inodes) exist in the image
# -o fs-options - Set file system specific options
# -t fs-type - Create an 'fs-type' file system image
# First image: 1 MB free, enough for the usual work
$ makefs -b 1m -f 100 -o label=sysimg1 -t ffs ${WORKDIR}/custom/mfs1 ${WORKDIR}/vanilla
# compress it; the loader opens the .gz transparently
$ gzip -9 -f ${WORKDIR}/custom/mfs1
# Second image: 10 MB free, room for freebsd-update to work in
$ makefs -b 10m -f 100 -o label=sysimg2 -t ffs ${WORKDIR}/custom/mfs2 ${WORKDIR}/vanilla

Create a CD


The practical benefit of burning to CD-ROM is dubious (flash drives are more practical), but this image is very convenient for testing the previous steps of designing our system, especially booting. We make an iso image, feed it to the same qemu, try to boot, and see how it goes.
$ makefs -t cd9660 -o bootimage=i386\;${WORKDIR}/cdboot,label=caBSD,no-emul-boot,rockridge caBSD-10.1-i386.iso ${WORKDIR}/custom
# check
$ ls -l caBSD-10.1-i386.iso

Create a USB flash drive


Here we come to the final stage - creating an img image for writing to a USB flash drive.

We will have the following structure:
  1. The partition for exchange with external systems, for writing .csr and taking out .crt; type ms-basic-data, size 1 MB. It goes first so that Windows sees it without extra gestures (checked on 7; not checked on XP and below)
  2. The GPT boot partition, freebsd-boot, 64 KB
  3. The main partition with /boot, the kernels and the mfs images, freebsd-ufs, about the size of the contents of ${WORKDIR}/custom
  4. The CA working partition, freebsd-ufs, 1 MB
  5. The keys partition, freebsd-ufs, 1 MB, encrypted with geli


# remove the old image and partition table dump
$ rm -f caBSD-10.1-i386.img caBSD-10.1-i386.txt
# uid/gid of the 'ca' user, saved earlier, because the host's id for 'ca'
# (if any) has nothing to do with the one inside the image
$ set CA_UID=`cat ${WORKDIR}/ca.uid`
$ set CA_GID=`cat ${WORKDIR}/ca.gid`
# size of ${WORKDIR}/custom in MB
$ set SYSSIZE=`du -sm ${WORKDIR}/custom | cut -f 1`
# a little extra for UFS metadata
$ set SYSSIZE=`expr ${SYSSIZE} + 3`
# Room for updates: the GENERIC kernel is about 17 MB and freebsd-update needs
# space to install it (with "BackupKernel yes" in freebsd-update.conf the old
# /boot/kernel would be kept as well). 30 MB is enough.
$ set SYSSIZE=`expr ${SYSSIZE} + 30`
# the whole image: system + exchange + ca + keys
$ set IMGSIZE=`expr ${SYSSIZE} + 1 + 1 + 1`
# empty img file
$ dd if=/dev/zero of=caBSD-10.1-i386.img count=${IMGSIZE} bs=1m
# attach it as an md device
$ set MDDEVICE=`mdconfig -a -t vnode -f caBSD-10.1-i386.img`

md , img , — «ls /dev/md*» «mdconfig -d -u N», 'N' md . , ${MDDEVICE}



# partitioning, see man gpart
$ gpart create -s GPT ${MDDEVICE}
# Embed GPT bootstrap code into a protective MBR:
$ gpart bootcode -b ${WORKDIR}/pmbr ${MDDEVICE}
# Create a dedicated freebsd-boot partition that can boot FreeBSD from a freebsd-ufs partition,
# and install bootstrap code into it. We use 88 blocks (44 kB) so the next partition will be
# aligned on a 64 kB boundary. The boot partition itself is aligned on a 4 kB boundary
# (4k alignment suits SSDs and modern flash drives).
$ gpart add -b 40 -s 1m -t ms-basic-data -l exchange ${MDDEVICE}
$ gpart add -a 4k -s 64k -t freebsd-boot -l boot ${MDDEVICE}
$ gpart add -a 4k -s ${SYSSIZE}m -t freebsd-ufs -l system ${MDDEVICE}
$ gpart add -a 4k -s 1m -t freebsd-ufs -l ca ${MDDEVICE}
$ gpart add -a 4k -t freebsd-ufs -l keys ${MDDEVICE}
# the last partition takes what is left, about 1 MB
$ gpart show ${MDDEVICE}
# save the partition table
$ gpart backup ${MDDEVICE} > caBSD-10.1-i386.txt
$ unset SYSSIZE IMGSIZE


# exchange partition
# "-F 32" would force FAT32; on 1 MB newfs_msdos picks FAT12 by itself
$ newfs_msdos -L exchange /dev/gpt/exchange
# boot code into the freebsd-boot partition, index 2 -> "-i 2"
$ gpart bootcode -p ${WORKDIR}/gptboot -i 2 ${MDDEVICE}
# system partition
# -O - filesystem type;
# -n - disable snapshot. Background fsck must be OFF in rc.conf
# -o - optimization;
# -m - free-space. The percentage of space reserved from normal users;
# -U (soft updates) is not used; -t (TRIM) would make sense on an SSD
$ newfs -O2 -n -o space -m 0 -L system /dev/gpt/system
# ca partition
$ newfs -O2 -n -o space -m 0 -L ca /dev/gpt/ca
# keys partition, protected with geli (user key + company key).
# geli init options:
# -a Enable data integrity verification (authentication) using the given algorithm
# -B File name to use for metadata backup
# -s Change decrypted provider's sector size.
# Authentication (-a, an HMAC per sector) is not enabled here.
$ geli init -B caBSD-10.1-i386.gelibak -s 4096 /dev/gpt/keys
# keep the metadata backup next to the partition table dump, base64-encoded
$ cat caBSD-10.1-i386.gelibak | b64encode caBSD-10.1-i386.gelibak >> caBSD-10.1-i386.txt
# '-r' - Attach read-only provider. Not used now; for read-only use at boot
# set geli_default_flags="-r" in rc.conf and 'ro' in fstab
$ geli attach /dev/gpt/keys
# The provider can be prefilled with random data
# (dd if=/dev/random of=/dev/gpt/keys.eli bs=4096), using the sector size (4k)
# given to geli init
$ newfs -O2 -n -o space -m 0 -L gelikeys /dev/gpt/keys.eli
# on the finished system df -h shows:
Filesystem          Size  Used  Avail Capacity  Mounted on
/dev/md0             14M   13M   690K      95%  /
devfs               1.0K  1.0K     0B     100%  /dev
tmpfs                50M  4.0K    50M       0%  /tmp
/dev/gpt/ca         828K  240K   588K      29%  /ca
/dev/gpt/keys.eli   720K  4.0K   716K       1%  /ca.keys
/dev/gpt/exchange   999K  6.5K   992K       1%  /ca.certs


# [keys] mount the decrypted provider and prepare it
$ mount /dev/gpt/keys.eli ${WORKDIR}/mnt
# marker file: "the file system was created"
$ touch ${WORKDIR}/mnt/.created-keys.eli
# owned by 'ca'
$ chown -R ${CA_UID}:${CA_GID} ${WORKDIR}/mnt
# detach
$ umount ${WORKDIR}/mnt
$ geli detach /dev/gpt/keys.eli
# [exchange] the FAT partition
# -m maximum file permissions for files
# -M maximum file permissions for directories
$ mount_msdosfs -u ${CA_UID} -g ${CA_GID} -m 0640 -M 0750 -l /dev/gpt/exchange ${WORKDIR}/mnt
# Unlike the UFS partitions, ownership and permissions here are set at mount
# time, i.e. in fstab. Marker file again
$ touch ${WORKDIR}/mnt/.created-exchange
$ umount ${WORKDIR}/mnt
# [ca] the CA working files, prepared beforehand as tools/ca.tar.gz
$ mount /dev/gpt/ca ${WORKDIR}/mnt
$ tar --extract --gunzip --no-same-permissions --file tools/ca.tar.gz --directory ${WORKDIR}/mnt
# files rw-r-----
$ chmod -R u=rw,g=r,o= ${WORKDIR}/mnt/*
# the conf directory rwxr-x---
$ chmod u=rwx,g=rx,o= ${WORKDIR}/mnt/conf
# scripts rwxr-x---
$ chmod u=rwx,g=rx,o= ${WORKDIR}/mnt/*.sh
$ touch ${WORKDIR}/mnt/.created-ca
$ chown -R ${CA_UID}:${CA_GID} ${WORKDIR}/mnt
$ umount ${WORKDIR}/mnt
# [system] the loader, kernels and images
$ mount /dev/gpt/system ${WORKDIR}/mnt
# copy everything
$ cp -av ${WORKDIR}/custom/. ${WORKDIR}/mnt/
$ umount ${WORKDIR}/mnt
# release the md device
$ mdconfig -d -u ${MDDEVICE}
$ unset MDDEVICE CA_UID CA_GID
# result
$ ls -l caBSD-10.1-i386.img


FreeBSD . , , .

${WORKDIR}. , , — DVD — , , , , . , ${WORKDIR} .


— freebsd-update kern.bootfile, . — GENERIC .

$ cd ${BASE}
# the GENERIC kernel must be uncompressed for freebsd-update to compare it
# gunzip ${WORKDIR}/custom/boot/kernel/kernel.gz
# custom holds /boot with the GENERIC kernel, so it is the base for the kernel update
# -b basedir - Operate on a system mounted at basedir
# -d workdir - Store working files in workdir
# -f conffile - Read configuration options from conffile
$ freebsd-update fetch -b ${WORKDIR}/custom -d ${WORKDIR}/mnt -f ${WORKDIR}/vanilla/etc/freebsd-update.conf
# and vanilla is the base for the world
$ freebsd-update fetch -b ${WORKDIR}/vanilla -d ${WORKDIR}/mnt -f ${WORKDIR}/vanilla/etc/freebsd-update.conf

(?), FreeBSD 10.1 , . — . , - , , .

, , ${WORKDIR}/mnt. files , , -install. SHA256 "${WORKDIR}/custom" "${WORKDIR}/vanilla". , '-b' /mnt . , , . :

$ cd ${WORKDIR}/mnt
# on the target the system partition will be mounted at /media/sys
$ ln -s `echo ${WORKDIR}/custom | sha256 -q`-install ${WORKDIR}/mnt/`echo /media/sys | sha256 -q`-install
# and the second mfs image at /media/mfs
$ ln -s `echo ${WORKDIR}/vanilla | sha256 -q`-install ${WORKDIR}/mnt/`echo /media/mfs | sha256 -q`-install
# pack it up
$ tar -cvf ${BASE}/update.tar .
$ cd ${BASE}

. , FAT.

caBSD, — GENERIC mfs2 . root.

# /mnt is the WorkDir from /etc/freebsd-update.conf, so the partitions and the
# flash drive are mounted under /media
$ mkdir /media/{sys,mfs,flash}
# the system partition
$ mount /dev/gpt/system /media/sys
# /media/sys holds /boot with the GENERIC kernel.
# The second root image goes on /dev/md1 (md0 is our running /)
$ mdconfig -a -t vnode -f /media/sys/mfs2 -u 1
$ mount /dev/md1 /media/mfs
# the flash drive with the updates at /media/flash
$ mount_msdosfs -l /dev/da1s1 /media/flash
# check the archive size to choose the tmpfs size
$ du -h /media/flash/update.tar
# tmpfs as the work directory
$ mount -t tmpfs -o size=100m tmpfs /mnt
# unpack into /mnt
$ tar -xvf /media/flash/update.tar -C /mnt
# if the kernel was compressed
# gunzip /media/sys/boot/kernel/kernel.gz
# freebsd-update takes the kernel path from kern.bootfile
$ sysctl kern.bootfile="/media/sys/boot/kernel/kernel"
# update the kernel
$ freebsd-update install -b /media/sys -d /mnt
# compress again if it was compressed before
# gzip -9 /media/sys/boot/kernel/kernel
# update the second root image
$ freebsd-update install -b /media/mfs -d /mnt
# clean up
$ umount /media/flash
$ umount /mnt
$ umount /media/mfs
$ mdconfig -d -u 1
$ umount /media/sys
$ rmdir /media/{sys,mfs,flash}
$ reboot
# after rebooting into the updated configuration, check
$ freebsd-version
10.1-RELEASE-p12
$ openssl version
OpenSSL 1.0.1l-freebsd 15 Jan 2015


That's all.

— , openssl req ..., openssl ca ..., . pki-tutorial, .

Related Links:

Russian Unicode console: wiki.freebsd.org/Newcons, unix1.jinr.ru/~lavr/vt/vtcons.html
keyrus font — habrahabr.ru/post/137544
OpenSSL PKI Tutorial — pki-tutorial.readthedocs.org
mfsBSD, mfsbsd.vx.sk
EasyBSD, www.fbsd-dev.org
FreeWDE, rop.gonggri.jp/?p=269

UPD:

— cabsd.abrca.net/cabsd-1.0.zip

Source: https://habr.com/ru/post/262151/


All Articles