Hi,
I am trying to build OPNsense 24.7 for a Nanopi R5S and I need another aarch64 box for it (tried on amd64, always had trouble). So the fewer packages I have to build, the better.
So I did this:
root@R4S_imagem:/usr/tools/config/24.7 # cat ports.conf | grep "^#"
#ORIGIN IGNORE
#emulators/virtualbox-ose-additions-nox11 arm,aarch64
#net-mgmt/zabbix5-agent arm
#net-mgmt/zabbix5-proxy arm
#net-mgmt/zabbix6-agent arm
#net-mgmt/zabbix6-proxy arm
#net-mgmt/zabbix64-agent arm
#net-mgmt/zabbix64-proxy arm
#net-mgmt/zabbix7-agent arm
#net-mgmt/zabbix7-proxy arm
#net/asterisk18 arm
#net/bird2 arm
#net/frr8 arm
#net/haproxy28 arm
#net/ntopng arm
#net/siproxd arm
#opnsense/py-haproxy-cli arm
#security/clamav arm
#security/suricata arm
#security/tor arm
#sysutils/apcupsd arm
#sysutils/munin-node arm
#sysutils/nut arm,aarch64
#www/sarg arm
the plugins.conf is also edited:
root@R4S_imagem:/usr/tools/config/24.7 # cat plugins.conf | grep "^#"
#ORIGIN IGNORE
#net-mgmt/zabbix-agent@zabbix5 arm
#net-mgmt/zabbix-agent@zabbix6 arm
#net-mgmt/zabbix-agent@zabbix64 arm
#net-mgmt/zabbix-agent@zabbix7 arm
#net-mgmt/zabbix-proxy@zabbix5 arm
#net-mgmt/zabbix-proxy@zabbix6 arm
#net-mgmt/zabbix-proxy@zabbix64 arm
#net-mgmt/zabbix-proxy@zabbix7 arm
#net/frr arm
#net/haproxy arm
#net/ntopng arm
#net/realtek-re
#net/siproxd arm
#security/clamav arm
#security/tor arm
#sysutils/apcupsd arm
#sysutils/apuled arm
#sysutils/munin-node arm
#sysutils/nut arm,aarch64
#sysutils/virtualbox arm,aarch64
#sysutils/vmware arm
#sysutils/xen arm,aarch64
#www/web-proxy-sso arm
but I keep seeing this kind of error:
nstalling zip-3.0_2...
Extracting zip-3.0_2: 100%
Installing py311-duckdb-1.0.0...
`-- Installing py311-pandas-2.0.3_2,1...
| `-- Installing py311-numpy-1.25.0_7,1...
| `-- Extracting py311-numpy-1.25.0_7,1: 100%
| `-- Installing py311-numexpr-2.10.1...
| `-- Extracting py311-numexpr-2.10.1: 100%
| `-- Installing py311-bottleneck-1.3.8_1...
| `-- Extracting py311-bottleneck-1.3.8_1: 100%
| `-- Installing py311-tzdata-2024.1...
| `-- Extracting py311-tzdata-2024.1: 100%
| `-- Installing py311-pytz-2024.1,1...
| `-- Extracting py311-pytz-2024.1,1: 100%
| `-- Installing py311-python-dateutil-2.9.0...
| | `-- Installing py311-six-1.16.0_1...
| | `-- Extracting py311-six-1.16.0_1: 100%
| `-- Extracting py311-python-dateutil-2.9.0: 100%
`-- Extracting py311-pandas-2.0.3_2,1: 100%
Extracting py311-duckdb-1.0.0: 100%
=====
Message from py311-pandas-2.0.3_2,1:
--
Install math/py-statsmodels to enable parts of pandas.stats.
Install devel/py-xarray to enable the to_xarray() function.
Installing py311-numpy-1.25.0_7,1...
the most recent version of py311-numpy-1.25.0_7,1 is already installed
Installing py311-pandas-2.0.3_2,1...
the most recent version of py311-pandas-2.0.3_2,1 is already installed
Could not find package: suricata
*** Error code 1
Stop.
make: stopped in /usr/tools/
Can I not build all ports there so it can be faster? How can I do it? :)
Thanks,
none
Without tainting the final image, not really. One of the big offenders is Rust which is implied by Suricata, which is required by the core package.
You could strip all plugins and its dependencies but it's a manual effort.
Cheers,
Franco
If you're okay with not building everything from source, you could prefetch the packages set from my aarch64 repo:
# make prefetch-packages SETTINGS=24.7 VERSION=24.7.r2 MIRRORS=https://opnsense-update.walker.earth
Cheers
Maurice
Hi Maurice,
thanks for the help :)
I can use it now, thanks :)
But as my goal is to build an image for the Nanopi R5S, I plan on having it all here. Furthermore, can you point me to where I can learn how to set up this kind of repository? I have more than one OPNsense on arm64 here, and I build things from time to time.
Thanks :)
none
I'm not aware of a step-by-step tutorial.
Set up a web server. Copy the base, kernel, packages and aux sets from your build system to /FreeBSD:14:aarch64/24.7/sets/. That's all you need for prefetching sets when building images.
If you also want to use the server for installing updates and plugins on running OPNsense aarch64 systems: Extract the packages set to 24.7/MINT/24.7[.x]/latest/. Create a symlink 24.7/latest/ which links to the latest 24.7/MINT/24.7[.x]/latest/ directory.
Cheers
Maurice
Quote from: Maurice on July 30, 2024, 02:40:46 AM
If you also want to use the server for installing updates and plugins on running OPNsense aarch64 systems: Extract the packages set to 24.7/MINT/24.7[.x]/latest/. Create a symlink 24.7/latest/ which links to the latest 24.7/MINT/24.7[.x]/latest/ directory.
This is done for staging and control purposes (like using opnsense-revert). Under normal conditions you can get away with using 24.7/latest/ as a directory to unpack the packages set to. That's how we do it for snapshots anyway and what FreeBSD pkg intended.
Cheers,
Franco
Hello and thanks to you both, Maurice and franco. I kinda created a directory that replicates the files I saw on Maurice's server. That is done, but my OPNsense won't use it; it complains about:
pkg: No signature found
and in the end I get the message:
The repository has no fingerprint.
That got me blocked :(
I am now searching the web about how to create the .sig files for the sets and the fingerprint for the server.
I found this thread here: https://forum.opnsense.org/index.php?topic=37702.0, but so far I am yet to solve this:
root@rpi5:/usr/tools # make fingerprint
>>> Executing build step fingerprint on 24.7
root@rpi5:/usr/tools #
The thread suggests it would echo on stdout some code to redirect. Here there is no code :(
Thanks for all the help.
none
You need to create a key pair before building the sets:
cd /usr/tools/
openssl genrsa -out config/24.7/repo.key 4096
openssl rsa -pubout -in config/24.7/repo.key -out config/24.7/repo.pub
make fingerprint
Save the fingerprint to a file. On the machines which are supposed to use the repository for installing updates and plugins, place this file in /usr/local/etc/pkg/fingerprints/OPNsense/trusted.
You can optionally inject the fingerprint file into the OPNsense package during the build process (see my last comment in the thread you linked to). This is useful if your images are used on many systems because you then don't have to manually copy the fingerprint to each machine.
Cheers
Maurice
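A way to check that the fingerprint file placed on a client still corresponds to the repository key, as an added example that is not part of the original posts or of the OPNsense tools. It assumes pkg's fingerprint file format (a function: "sha256" line and a fingerprint: line holding the SHA-256 of the public key file); the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): build and check a pkg fingerprint file.
# Assumption: the fingerprint is the SHA-256 of the public key file's bytes.

# SHA-256 of a file using whichever tool exists (FreeBSD, GNU, or openssl).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# First value of "key: value" in a file, with quotes and blanks removed.
fp_field() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"[:space:]'
}

# Print a fingerprint file body for a public key (hypothetical helper).
make_fingerprint() {
    printf 'function: "sha256"\nfingerprint: "%s"\n' "$(sha256_of "$1")"
}

# 0 = trusted file matches the key, 1 = mismatch, 2 = unreadable input.
fingerprint_matches() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then return 2; fi
    want=$(sha256_of "$2")
    [ -n "$want" ] || return 2
    [ "$(fp_field function "$1")" = "sha256" ] || return 1
    [ "$(fp_field fingerprint "$1")" = "$want" ] || return 1
    return 0
}

# Usage: sh fpcheck.sh <trusted-fingerprint-file> <repo.pub>
if [ "$#" -eq 2 ]; then
    if fingerprint_matches "$1" "$2"; then echo "match"; else echo "MISMATCH"; fi
fi
```

Run it on a client against a copy of config/24.7/repo.pub after regenerating the key pair; a mismatch means the trusted file has to be redistributed.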
Hint: you only need fingerprints if you want to feed your builds secure updates. You can also avoid fingerprints and adjust the pkg repo config accordingly.
Cheers,
Franco
Thanks Maurice. Do I need to recompile it all so it is signed? If it all needs to be recompiled, I will for now use the way franco said, and on the next build I will add the fingerprint :)
Thanks to you both, again ;)
none
No need to recompile:
https://github.com/opnsense/tools?tab=readme-ov-file#using-signatures-to-verify-integrity
Hi guys,
thanks for the help here. It worked just fine, I can build images and update them with no need for a full reinstall :)
I created some simple and not best written scripts to automate this process as a guide for any newcomers.
It's available here: https://github.com/matheusber/opnsense
Thanks again for the help.
Franco, what is the process to add new devices?
Thanks again :)
none
PS: if changing the thread subject would help people find this repo building, it's fine by me ;)
> Franco, what is the process to add new devices?
Just raise a new PR with the device file and we'll check it. It depends on what trickery the device requires and what we can actually accommodate for.
Cheers,
Franco
Quote from: franco on July 30, 2024, 05:26:50 PM
Hint: you only need fingerprints if you want to feed your builds secure updates. You can also avoid fingerprints and adjust the pkg repo config accordingly.
Cheers,
Franco
I wanted to add how I effectively disabled the fingerprint check, since I for one was not able to follow Franco's suggestion immediately.
1. Add URL to content of e.g. sets-24.7.3-aarch64/packages-24.7.3-aarch64.tar as custom mirror under https://opnsense.example.com/ui/core/firmware#settings
2. Log in to the shell of your OPNsense instance as root user
3. vi /usr/local/etc/pkg/repos/OPNsense.conf
4. signature_type: "fingerprints" → signature_type: "none"
5. Mind that the OPNsense.conf file would be overwritten any time you change it under https://opnsense.example.com/ui/core/firmware#settings
I can well imagine this is not the cleanest way to disable signature verification.
Using the great info everyone collected in this thread to set up fingerprints properly for my builds soon. Thanks for taking the time to share it, everyone!
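Because the repository file is rewritten by the firmware settings page and can be hand-edited as in the steps above, it helps to audit which repositories still verify signatures. The script below is an added example, not part of the original post or of OPNsense; its function names are hypothetical, and it assumes the usual pkg values for signature_type (none, fingerprints, pubkey) and one "key: value" pair per line.

```sh
#!/bin/sh
# Added example (not from the thread): flag pkg repositories that do not
# verify signatures. Assumes one "key: value" pair per line in each file.

# First value of a key in a repo file, without quotes, commas or blanks.
conf_value() {   # usage: conf_value <key> <file>
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" |
        head -n 1 | tr -d '",[:space:]'
}

# Classify one repo file as verified, UNVERIFIED or disabled.
repo_status() {
    enabled=$(conf_value enabled "$1" | tr 'A-Z' 'a-z')
    sig=$(conf_value signature_type "$1" | tr 'A-Z' 'a-z')
    case "$enabled" in
        no|false|off) echo "disabled"; return 0 ;;
    esac
    case "$sig" in
        fingerprints|pubkey) echo "verified" ;;
        *) echo "UNVERIFIED" ;;   # "none", or no signature_type at all
    esac
}

# Report every *.conf in a directory; return 1 if any repo is unverified.
audit_repos() {
    rc=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        st=$(repo_status "$f")
        printf '%s\t%s\turl=%s\n' "$st" "$f" "$(conf_value url "$f")"
        if [ "$st" = "UNVERIFIED" ]; then rc=1; fi
    done
    return "$rc"
}

# Default to the directory named in the post; pass another one to override.
audit_repos "${1:-/usr/local/etc/pkg/repos}"
```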
Quote from: none on August 06, 2024, 01:11:04 AM
Hi guys,
thanks for the help here. It worked just fine, I can build images and update them with no need for a full reinstall :)
I created some simple and not best written scripts to automate this process as a guide for any newcomers.
It's available here: https://github.com/matheusber/opnsense
Thanks again for the help.
Franco, what is the process to add new devices?
Thanks again :)
none
PS: if changing the thread subject would help people find this repo building, it's fine by me ;)
Hello friend!
I have a NanoPi R5S and am trying to build OPNsense. I followed the construction files that you made available on GitHub and managed to reach the final step and generate the OPNsense IMG, but when writing it to the SD card with win32diskimage it does not initialize on the NanoPi R5S. Are there any steps I missed? Could you provide a working image for the NanoPi R5S that you managed to build?
I'm starting to study OPNsense Tools on github to understand how the build works.
Hi tax, sorry for the delay here. Which R5S conf did you use? There are two: R5S.conf and R5S_SD.conf. The first just makes an image for the R5S that is able to run it using both re NICs (I use the realtek-kmod198 port), and should be flashed to USB media.
If you use R5S_SD.conf, that creates an image for SD card media. I got it to work but had the unhappy news that not all SD cards are good for it. I myself got one Sandisk 32GB that won't boot OPNsense ever, just boot code loops; same image on a Kingston and a Lexar, both 32GB, it all works great. I guess my Sandisk may not be from Sandisk :(
If your issue is with using R5S_SD.conf, then tell me here and I can try to help you.
The issue I'm working on now is that sometimes /boot/loader.conf.local vanishes, and we get to lose both Realtek 2.5Gbps NICs.
none