Will manually built/installed packages on OPNsense break with OPNsense updates?

Started by ownerer, October 21, 2020, 09:44:47 AM

Hi,

for a number of reasons that are not important here, I want to run some VMs in Bhyve on my OPNsense box (homelab).

Since setting this up needs to happen outside OPNsense default features, building the libraries from the ports tree etc, my question here becomes: what happens when an OPNsense update is installed? Is there a chance that the Bhyve setup will break somehow, and if so, how likely is that to happen and are there ways to minimize those chances or perhaps avoid that scenario entirely (other than just not doing this kind of thing on an OPNsense box obviously)?

I suppose this question could be generalized to any scenario where one needs/wants to run additional packages that need to be manually built and installed from the ports tree.

PS: I'm aware of the controversy around adding a virtualization layer to a firewall OS, adding tons of libraries, code, and as a consequence potential attack vectors etc
To anyone feeling the need to raise these concerns, I say: duly noted, I appreciate it and I do understand, but this is not the point of this topic  :)


Short answer: yes. Long answer:

FreeBSD has long held the belief that "ports and packages" do not mix and that you should either use binary packages or completely build your software from ports and deal with updates manually. In terms of OPNsense that is not easily possible so in order to make sure your stuff still works:

When installing from the ports tree, lock your own packages from the GUI or using pkg-lock to avoid upgrade surprises. If OPNsense updates will not finish for this reason later on, unlock the custom packages and rebuild them cleanly against the latest ports tree and then lock them again.


Cheers,
Franco
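
The lock, unlock, rebuild and relock cycle from the reply above, as an added shell example that is not part of the thread or of OPNsense itself. The port origin `category/example-port` is a placeholder, the function names are hypothetical, and the ports tree is assumed to live in `/usr/ports`.

```shell
#!/bin/sh
# Added example: lock / unlock / rebuild / relock cycle for hand-built ports.
# CUSTOM_PORTS holds port origins; the default is a placeholder, not a real port.
CUSTOM_PORTS="${CUSTOM_PORTS:-category/example-port}"
PORTSDIR="${PORTSDIR:-/usr/ports}"   # assumed location of the ports tree

# Lock every custom package so an update does not replace or remove it.
lock_custom() {
    for o in $CUSTOM_PORTS; do
        pkg lock -y "$o" || return 1
    done
}

# Unlock them again, e.g. when an update will not finish because of the locks.
unlock_custom() {
    for o in $CUSTOM_PORTS; do
        pkg unlock -y "$o" || return 1
    done
}

# Clean rebuild; building before deinstall keeps the old package if the build fails.
rebuild_custom() {
    for o in $CUSTOM_PORTS; do
        make -C "$PORTSDIR/$o" clean &&
            make -C "$PORTSDIR/$o" build deinstall reinstall clean || return 1
    done
}

# Succeeds only if every custom package reports locked (pkg query %k prints 1).
all_locked() {
    for o in $CUSTOM_PORTS; do
        [ "$(pkg query '%k' "$o")" = 1 ] || { echo "not locked: $o" >&2; return 1; }
    done
}

# Full cycle after an update; a failed rebuild relocks the old packages (exit 2).
refresh_custom() {
    unlock_custom || return 1
    if ! rebuild_custom; then
        lock_custom
        return 2
    fi
    lock_custom && all_locked
}

case "${1:-}" in
    lock)    lock_custom && all_locked ;;
    refresh) refresh_custom ;;
esac
```
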

Hmm, interesting!

I was unaware of the package locking functionality!
I'm not at all well versed in things BSD btw, I'll just mention that too. I'm just tinkering here  :P

So to be clear, in case of Bhyve for example, I would build it from the ports tree and then I should be able to find it in the package list in the OPNsense GUI and lock it there?

I assume this does the same as using pkg-lock, as described in the manual?

Just making sure I understand correctly :)

Well, bhyve is already installed in the OS (like Hyper-V is installed in Windows).

If you run VMs that is entirely up to you. In this case you can run FreeBSD VMs in there and you have no ports/packages issues whatsoever.


Cheers,
Franco