
2017-12-26 build Vyos 1.2 from source

This document describes one mechanism to build a bootable Vyos iso from the Vyos github source code repository. This procedure adds some debian packages (iptraf, google-authenticator, and haveged) that are not in the official Vyos builds. It rebuilds all the Vyos code from source so it does not depend on any pre-built binaries from vyos.net.

Start with a Centos 6 workstation with the virtualization package and tools. Really, anything that can do KVM virtualization should work.

Download debian-8.9.0-amd64-netinst.iso (sha256sum is fd11d34f8abf1663a33cc10a9ed998160866ef94072d442159bcfa1438be70d4) from https://cdimage.debian.org/cdimage/archive/8.9.0/amd64/iso-cd/debian-8.9.0-amd64-netinst.iso. Use that in virt-manager to create a VM.

type linux, version wheezy or later
2G memory, 20G disk
advanced, type KVM, arch x86_64
graphic install
install std system utilities, and ssh server

On your workstation:

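# define build machine
# $target is the ssh destination of the build VM (XXX is a placeholder for
# its hostname/IP); $targetdir is where the *.git.patch files are dropped and
# where phase2 looks for them (../updates relative to the vyos-build clone).
target=root@XXX
targetdir=/home/carl/vyos/updates
# the build script lives in /tmp on the VM; keep the name in one place so the
# copy and the two ssh invocations can never disagree
script=build.8.vyos

# copy ssh key
ssh-copy-id -i "$target"

# copy the script to your build machine
scp "$script" "$target:/tmp"

# run phase 1 to finish debian setup
ssh "$target" "cd /home/carl/vyos; bash /tmp/$script phase1"

# you could save the vm disk at this point

# copy patches
ssh "$target" mkdir -p "$targetdir"
for p in *.git.patch; do
    [ -e "$p" ] || continue   # no patches at all: the glob stays literal
    i=$(basename "$p" .git.patch)
    logger "copy patch for package $i"   # workstation syslog, not the script's logger()
    scp -pq "$p" "$target:$targetdir/"
done
ssh "$target" ls -al "$targetdir"

# run phase 2 to build iso from source
ssh "$target" "cd /home/carl/vyos; bash /tmp/$script phase2" >build.log

# fetch the iso
# the glob is expanded on the build VM, so $f may hold several names if more
# than one iso is present
f=$(ssh "$target" "echo /home/carl/vyos/vyos-build/build/vyos-*.iso")
b=$(basename "$f")
scp "$target:$f" .
mv build.log "$b.build.log"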

build.8.vyos 2017-12-26

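#######################################
# Print a timestamped progress marker, preceded by a blank separator line.
# Shadows /usr/bin/logger on purpose: inside this script "logger" means
# stdout, so the markers land in the captured build log.
# Arguments: $1 - message text
# Outputs:   " " on one line, then "*** <date> <message>" on the next
#######################################
function logger() {
    local d
    d=$(date)
    printf ' \n'
    printf '*** %s %s\n' "$d" "$1"
}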

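#######################################
# Phase 1: turn a fresh Debian 8 netinst VM into a vyos build host.
# Imports the vyos maintainers key into apt, installs every build dependency
# collected over previous build attempts, and enables jessie-backports.
# Globals:   none read; key/bp are function-local
# Arguments: none
# Outputs:   progress lines via logger(), apt output on stdout/stderr
# Returns:   1 when /tmp is unusable or the maintainers key could not be
#            fetched and verified; otherwise the status of the last apt call.
#            There is no set -e, so an individual apt-get failure does not
#            stop the phase — read the log.
#######################################
function phase1 {
    # starting with debian-8.9.0-amd64-netinst.iso md5sum=45cb6f0f1123d265d82614b9d4093c76
    # starting with debian-8.9.0-i386-netinst.iso  md5sum=55ef45f51cdfd424d4fa2b3c911d6f08
    # gui install
    # languages = english
    # setup strong root and user passwords
    # set your timezone
    # software selection = ONLY ssh server and standard utilities
    # install grub on /dev/vda
    # reboot - disconnect cdrom, boot from vda
    # login as root
    # fn=/etc/ssh/sshd_config
    # sed -i -r -e 's/^(#|)PermitRootLogin.*$/PermitRootLogin yes/g' $fn
    # systemctl enable ssh.service
    # systemctl restart ssh.service

    # on host machine:
    #    h=host$n
    #    ssh-keygen -R $h
    #    ssh-copy-id -i root@$h
    #    ssh root@$h

    cd /tmp || return 1
    logger "import vyos keys"
    # full fingerprint, not a short id: the keyserver transport (HKP) is not
    # authenticated, so the fingerprint is the only thing pinning this key
    local key=0x0694A9230F5139BF834BA458FD220285A0FE6D7E
    gpg --keyserver pgp.mit.edu --recv-keys "$key" || return 1
    # confirm the fingerprint really is in the keyring before handing the
    # export to apt; an empty or wrong export would otherwise be added silently
    if ! gpg --with-colons --fingerprint "$key" | grep -q ":${key#0x}:"; then
        echo "vyos maintainers key $key not found in keyring" >&2
        return 1
    fi
    gpg --armor --export "$key" >./vyos.maintainers.key
    apt-key add ./vyos.maintainers.key

    logger "these dependencies were discovered building lithum on debian 6"
    logger "we assume they have not changed much for debian 8"

    logger "install build dependencies"
    apt-get -y install git autoconf automake dpkg-dev syslinux genisoimage devscripts

    logger "install undocumented dependencies found by submod-clean"
    apt-get -y install autogen bison cdbs flex gawk gcc-multilib \
        hardening-wrapper indent iptables-dev libapt-pkg-dev libatm1-dev \
        libattr1-dev libboost-filesystem-dev libcap-dev \
        libc-ares-dev libcurl4-openssl-dev \
        libdaemon-dev libdb-dev libdevmapper-dev libedit-dev \
        libexpat1-dev libfreetype6-dev libglib2.0-dev libgmp3-dev libkrb5-dev \
        libldap2-dev libncurses5-dev libnetfilter-conntrack-dev \
        libnfnetlink-dev libpam0g-dev libpcap0.8-dev libpci-dev \
        libperl-dev libpgm-dev libpopt-dev libreadline-dev libsensors4-dev \
        libsnmp-dev libssl-dev libtool libusb-dev \
        libwrap0-dev libxml2-dev libzmq-dev lynx pkg-config python-all-dev \
        python-setuptools quilt ruby uuid-dev xfonts-unifont zlib1g-dev

    logger "install undocumented dependencies found by build attempts"
    logger "keep the local version of the kernel config file"
    apt-get -y install kernel-package dkms doxygen libcunit1-dev libdumbnet-dev \
        libfuse-dev libgtk2.0-dev libgtkmm-3.0-dev libicu-dev libnotify-dev \
        libx11-dev libxinerama-dev libxss-dev libxtst-dev dh-autoreconf \
        xmlto mscgen graphviz python-pygments xmlstarlet asciidoc source-highlight

    logger "install undocumented dependencies found by lithium build attempts"
    apt-get -y install libcluster-glue-dev cluster-glue-dev libbz2-dev swig \
        libgnutls28-dev libopenhpi-dev libopenipmi-dev liblzo2-dev \
        libpkcs11-helper1-dev libsqlite3-dev \
        libsysfs-dev libpcsclite-dev

    logger "install documented dependencies for vyos 1.2 builds"
    apt-get -y install live-build pbuilder python3-pystache

    logger "install undocumented dependencies found by previous build attempts"
    apt-get -y install squashfs-tools module-init-tools dh-systemd subversion \
        acl adduser dmsetup insserv libaudit-common libaudit1 \
        libbz2-1.0 libcap2 libcap2-bin libcryptsetup4 libdb5.3 libdebconfclient0 \
        libdevmapper1.02.1 libgcrypt20 libgpg-error0 libkmod2 libncursesw5 \
        libprocps3 libsemanage-common libsemanage1 libslang2 libsystemd0 \
        libudev1 libustr-1.0-1 procps systemd systemd-sysv udev \
        debian-archive-keyring gnupg gpgv libapt-pkg4.12 libreadline6 libstdc++6 \
        libusb-0.1-4 readline-common \
        python3-setuptools python3-lxml

    logger "add backports"
    # append only once, so re-running phase1 does not stack duplicate entries
    local bp="deb http://ftp.debian.org/debian jessie-backports main"
    grep -qxF -- "$bp" /etc/apt/sources.list || echo "$bp" >>/etc/apt/sources.list
    apt-get update

    logger "add dependencies for building system packages modified for vyos"
    apt-get -y install gnat gprbuild
    apt-get -y install libpcap-dev libpq-dev libmysqlclient-dev libgeoip-dev librabbitmq-dev libjansson-dev librdkafka-dev libnetfilter-log-dev
    apt-get -y install libgtkmm-2.4-dev libprocps-dev libmspack-dev libxerces-c-dev libxml-security-c-dev
    apt-get -y install libmysqld-dev
    apt-get -y install libmnl-dev libnetfilter-cthelper0-dev libnetfilter-cttimeout-dev libnetfilter-queue-dev
    apt-get -y install default-libmysqlclient-dev
    apt-get -y install libnl-3-dev libnl-genl-3-dev
    apt-get -y install libfcgi-dev clearsilver-dev libgcrypt20-dev network-manager-dev libnm-glib-vpn-dev libnm-util-dev gperf

    # deliberately interactive (no -y): review the pending upgrades before accepting
    logger "look for pending upgrades"
    apt-get upgrade
}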

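#######################################
# Report which binary packages the dpkg-buildpackage / make-kpkg run that just
# finished in the current directory produced.  Parses the
# "dpkg-deb: building package" lines of vyos.build.log and checks that each
# named .deb exists one directory up, where dpkg-buildpackage writes it.
# Arguments: $1 - source package name, used only in the messages
# Outputs:   one "built binary"/"failed to build binary" line per .deb, or a
#            single "failed to build binary from source" line when the log
#            names no .deb at all
#######################################
_report_built_binaries() {
    local src=$1 pp pb
    # field 6 of the log line is presumably of the form '../name.deb'. — the
    # cut/rev dance strips the leading "'../" and the trailing "'."
    pp=$(grep 'dpkg-deb: building package' vyos.build.log | awk '{print $6}' | cut -c5- | rev | cut -c3- | rev)
    for pb in $pp; do
        if [ -f "../$pb" ]; then
            echo "built binary $pb from source $src"
        else
            echo "failed to build binary $pb from source $src"
        fi
    done
    [ -z "$pp" ] && echo "failed to build binary from source $src"
    return 0
}

#######################################
# Phase 2: clone vyos-build, add the package submodules, apply the local
# *.git.patch files from ../updates, rebuild every package from source and
# build the iso.  Runs from the directory the caller cd'd into.
# Globals:   branch (read; set by the dispatcher at the bottom of this file)
#            arch, flavor, p, fn, i, b, pp (written)
# Arguments: none
# Outputs:   progress lines via logger(), every build log echoed to stdout
# Returns:   1 when the vyos-build checkout is unusable, otherwise the status
#            of the last command.  There is no set -e: individual package
#            failures are reported and the run continues.
#######################################
function phase2 {
    arch=$(dpkg --print-architecture)
    flavor=amd64-vyos
    [[ "$arch" == "i386" ]] && flavor=586-vyos

    # deliberately interactive (no -y): review pending upgrades before accepting
    logger "look for pending upgrades for arch $arch"
    apt-get upgrade

    logger "setup git clone, building flavor $flavor from branch $branch"
    git clone https://github.com/vyos/vyos-build.git
    # every later step (including rm -rf packages/...) assumes we are inside
    # the clone, so bail out rather than run them in the wrong directory
    cd vyos-build || return 1
    git checkout "$branch"

    p=vyos-build
    if [ -f "../updates/$p.git.patch" ]; then
        logger "patch package $p"
        git apply "../updates/$p.git.patch"
    fi

    logger "add some utilities to the final iso"
    fn=data/live-build-config/package-lists/vyos-utils.list.chroot
    echo "iptraf" >>"$fn"

    logger "add missing submodules"
    local s
    for s in conntrack-tools ddclient eventwatchd hvinfo igmpproxy live-boot \
             net-snmp pmacct radvd vyatta-biosdevname vyatta-iproute \
             vyatta-quagga vyos-keepalived vyos-open-vm-tools vyos-opennhrp \
             vyos-replace vyos-strongswan; do
        git submodule add "https://github.com/vyos/$s" "packages/$s"
    done
    ./configure

    logger "fetch source from vyos"
    git submodule init
    git submodule update
    for i in packages/*; do
        if [ -e "$i/.git" ]; then
            p=$(basename "$i")
            logger "select branch $branch for package $p"
            pushd "$i" || continue
            # not every package has a $branch branch: fall back to master
            git checkout "$branch" || git checkout master
            if [ -f "../../../updates/$p.git.patch" ]; then
                logger "patch package $p"
                git apply "../../../updates/$p.git.patch"
            fi
            popd
        fi
    done

    logger "show active branches"
    for i in packages/*; do
        if [ -e "$i/.git" ]; then
            (cd "$i" || exit 1; b=$(git branch | grep '^\*'); echo "$i" "$b")
        fi
    done

    # https://wiki.vyos.net/wiki/Rebuild_VyOS_kernel_Step#VyOS_1.2.x
    # NOTE(review): the defconfig target is x86_64 regardless of $arch —
    # confirm that is intended for i386 builds
    (
        logger "vyos-kernel missing debian/control file"
        cd packages/vyos-kernel || exit 1
        make x86_64_vyos_defconfig
    )

    logger "kill off packages that would be built, but not part of the iso"
    for i in vyatta-cron; do
        [ -d "packages/$i" ] && rm -rf -- "packages/$i" && echo "remove package $i"
    done

    # net-snmp is built and installed before everything else, replacing the
    # distro libsnmp-dev that the remaining packages would otherwise link against
    logger "rebuild some packages needed to build the rest"
    apt-get -y remove libsnmp-dev
    for i in packages/net-snmp; do
        p=$(basename "$i")
        if [ -e "$i/.git" ]; then
            pushd "$i" || continue
            b=$(git branch | cut -c3-)
            logger "building source package $p on branch $b"
            dpkg-buildpackage -us -uc -b >vyos.build.log 2>&1
            cat vyos.build.log
            _report_built_binaries "$p"
            popd
        fi
    done

    logger "kill off the debug packages"
    echo packages/*-dbg_*.deb
    rm -f packages/*-dbg_*.deb

    logger "install some rebuilt packages"
    dpkg -i packages/*snmp*.deb

    logger "rebuild all packages from source"
    for i in packages/*; do
        p=$(basename "$i")
        if [ -e "$i/.git" ]; then
            pushd "$i" || continue
            b=$(git branch | cut -c3-)
            logger "building source package $p on branch $b"
            if [ "$p" == "vyos-kernel" ]; then
                # make-kpkg reads from stdin (presumably kernel config prompts);
                # feed it a few hundred empty lines so every question takes its
                # default.  A private temp file instead of a fixed /tmp name.
                local emp
                emp=$(mktemp)
                yes '' | head -n 201 >"$emp"
                LOCALVERSION="" make-kpkg --rootcmd fakeroot --initrd --append_to_version "-$flavor" --revision=4.4.95-1+vyos1+current1 kernel_image >vyos.build.log <"$emp" 2>&1
                rm -f -- "$emp"
            else
                dpkg-buildpackage -us -uc -b >vyos.build.log 2>&1
            fi
            cat vyos.build.log
            _report_built_binaries "$p"
            popd
        fi
    done

    logger "kill off the debug packages"
    echo packages/*-dbg_*.deb
    rm -f packages/*-dbg_*.deb

    logger "build the new iso"
    ./configure
    make iso >iso.build.log 2>&1
    cat iso.build.log

    # anything with vyos/vyatta in its name that went into the chroot without a
    # locally built .deb was fetched prebuilt — exactly what this build is
    # trying to avoid, so list it
    logger "find vyos packages that were not built from source"
    pushd build || return 1
    fn=chroot.packages.install
    grep -E 'vyos|vyatta' "$fn" | while read -r p _v; do
        pp=${p%%:*}          # keep only the part before the first ':' (presumably the :arch qualifier)
        compgen -G "../packages/${pp}_*.deb" >/dev/null || echo "need source for $pp"
    done
    popd
    # the Get: lines show what live-build downloaded from packages.vyos.net
    grep '^Get.*packages.vyos.net' iso.build.log | grep -E -v 'InRelease| Packages '

    logger "done, iso in $(pwd)/build"
    ls -al build/*iso
}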


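# Dispatcher: "bash build.8.vyos phase1|phase2".  Only the two known phases
# are accepted, so a stray argument can no longer be executed as a command.
# Each phase's combined stdout/stderr is also kept in /tmp/<phase>.log.txt;
# that fixed path is fine on this single-user build VM but should be a
# private directory on a shared host.
case "${1:-}" in
    phase1|phase2)
        branch=current   # vyos-build branch every phase2 checkout uses
        "$1" 2>&1 | tee "/tmp/$1.log.txt"
        ;;
    *)
        printf 'usage: %s phase1|phase2\n' "${0##*/}" >&2
        exit 2
        ;;
esac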

vyatta-cfg-firewall.git.patch 2017-12-26

From e21c1c13426c9ccc03c20a224500156cc4cb51d4 Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Tue, 26 Dec 2017 11:04:38 -0800
Subject: [PATCH 1/1] Revert "Revert "Added support for local PBR to gen-interface-policy-templates.pl""

This reverts commit c48f11fa1b0d6a7b196f9750ef82625dea1aba58.
This adds local PBR again.
---
 gen-interface-policy-templates.pl |   20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl
index a86c5d6..afea8cf 100755
--- a/gen-interface-policy-templates.pl
+++ b/gen-interface-policy-templates.pl
@@ -107,12 +107,16 @@ sub gen_firewall_template {
 #
 my %table_help_hash = (
     "route"      => "IPv4 policy route",
+    "local-route" => "IPv4 policy route of local traffic",
     "ipv6-route" => "IPv6 policy route",
+    "ipv6-local-route" => "IPv6 policy route of local traffic",
 );
 
 my %config_association_hash = (
     "route"      => "\"policy route\"",
+    "local-route" => "\"policy local-route\"",
     "ipv6-route" => "\"policy ipv6-route\"",
+    "ipv6-local-route" => "\"policy ipv6-local-route\"",
 );
 
 # Generate the template file at the leaf of the per-interface firewall tree.
@@ -120,10 +124,10 @@ my %config_association_hash = (
 # ruleset on an interface for a particular ruleset type and direction.
 #
 sub gen_template {
-    my ( $if_tree, $table, $if_name ) = @_;
+    my ( $if_tree, $direction, $table, $if_name ) = @_;
 
     if ($debug) {
-        print "debug: table=$table\n";
+        print "debug: table=$table direction=$direction\n";
     }
 
     my $template_dir =
@@ -147,16 +151,16 @@ allowed: local -a params
 	echo -n "\${params[@]}"
 create: ifname=$if_name
 	sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
-		update \$ifname in \$VAR(@) $config_association_hash{$table}
+		update \$ifname $direction \$VAR(@) $config_association_hash{$table}
 
 update:	ifname=$if_name
 	sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
-		update \$ifname in \$VAR(@) $config_association_hash{$table}
+		update \$ifname $direction \$VAR(@) $config_association_hash{$table}
 
 
 delete:	ifname=$if_name
 	sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
-		delete \$ifname in \$VAR(@) $config_association_hash{$table}
+		delete \$ifname $direction \$VAR(@) $config_association_hash{$table}
 EOF
 
     close $tp
@@ -173,8 +177,10 @@ foreach my $if_tree ( keys %interface_hash ) {
     }
 
     gen_firewall_template($if_tree);
-    gen_template( $if_tree, "route", $if_name );
-    gen_template( $if_tree, "ipv6-route", $if_name );
+    gen_template( $if_tree, "in", "route", $if_name );
+    gen_template( $if_tree, "out", "local-route", $if_name );
+    gen_template( $if_tree, "in", "ipv6-route", $if_name );
+    gen_template( $if_tree, "out", "ipv6-local-route", $if_name );
 }
 
 print "Done.\n";
-- 
1.7.1

vyatta-cfg-qos.git.patch 2017-11-29

commit 3d6ff01715671c645c6d9ffa372aa9d521c71e72
Author: Carl Byington <carl@five-ten-sg.com>
Date:   Tue Nov 21 15:52:09 2017 -0800

    convert string to int before bitwise and operation

diff --git a/lib/Vyatta/Qos/Match.pm b/lib/Vyatta/Qos/Match.pm
index c8078b6..f08c317 100644
--- a/lib/Vyatta/Qos/Match.pm
+++ b/lib/Vyatta/Qos/Match.pm
@@ -184,9 +184,9 @@ sub filter {
             # IPv6 : match u16 0x0000 ~MAXLEN at 4
             if ($$p{maxlen}) {
                 if ( $proto eq 'ip' ) {
-                    printf " match u16 0x0000 %#.4x at 2", (hex('0xFFFF') & ~($$p{maxlen}));
+                    printf " match u16 0x0000 %#.4x at 2", 0xffff & ~int($$p{maxlen});
                 } elsif ( $proto eq 'ipv6' ) {
-                    printf " match u16 0x0000 %#.4x at 4", (hex('0xFFFF') & ~($$p{maxlen}));
+                    printf " match u16 0x0000 %#.4x at 4", 0xffff & ~int($$p{maxlen});
                 }
             }
             # TCP Flags :
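Review bot: `int($$p{maxlen})` fixes the string/bitwise problem but makes bad input silent: a non-numeric maxlen becomes 0 and yields a mask of 0xffff, and a value above 65535 is truncated by the `& 0xffff` without any error, in both the ip and ipv6 branches. A range check before the printf, `die "maxlen must be 0..65535" unless $$p{maxlen} =~ /^\d+$/ && $$p{maxlen} <= 65535;`, keeps the generated tc filter from encoding something other than what the config said. The enclosing sub filter continues outside this hunk, so the check may fit better where maxlen is first read.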
From 47b894073e6fccbc257dbec8bf01e093d0ee264d Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Wed, 29 Nov 2017 13:03:40 -0800
Subject: [PATCH 1/1] tc filter syntax changed

---
 lib/Vyatta/Qos/TrafficLimiter.pm |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Vyatta/Qos/TrafficLimiter.pm b/lib/Vyatta/Qos/TrafficLimiter.pm
index c98727e..7a7d2c8 100644
--- a/lib/Vyatta/Qos/TrafficLimiter.pm
+++ b/lib/Vyatta/Qos/TrafficLimiter.pm
@@ -82,8 +82,8 @@ sub commands {
 
     foreach my $class (@$classes) {
 	my $id = $class->{id};
-	my $police = " police rate " . $class->{rate}
-		   . " action drop burst " . $class->{burst};
+	my $police = " action police rate " . $class->{rate}
+		   . " conform-exceed drop burst " . $class->{burst};
 
 	if ($id == 0) {
 	    $id = $maxid + 1;
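Review bot: The new `" action police rate "` / `" conform-exceed drop "` string changes the generated tc syntax with no comment saying why, so the next reader has only the commit subject to go on. A comment above the `my $police` line such as `# newer tc expects the police action as "action police ... conform-exceed drop"; the old "police ... action drop" form is rejected — adjust if the build moves to a different iproute2` records the dependency; which iproute2 version introduced the change is not visible here, so leave that hedged. The surrounding sub commands continues outside the hunk.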
-- 
1.7.1

vyatta-op.git.patch 2017-11-21

commit 5957a4b3442092381c44a05226435a5d5f6dd63c
Author: Carl Byington <carl@five-ten-sg.com>
Date:   Tue Nov 21 07:34:11 2017 -0800

    fix changelog date format

diff --git a/debian/changelog b/debian/changelog
index 8faac25..8d8625e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,7 +4,7 @@ vyatta-op (0.14.0+vyos2+current3) unstable; urgency=medium
     information is removed.
   * Added 'show tech-support private' which contains non redacted output
 
- -- Christian Poessinger <christian@poessinger.com>  Sun Oct 29 15:36:45 2017 +0100
+ -- Christian Poessinger <christian@poessinger.com>  Sun, 29 Oct 2017 15:36:45 +0100
 
 vyatta-op (0.14.0+vyos2+current2) unstable; urgency=medium
 

vyos-build.git.patch 2017-12-04

From d940990081d429c027c60609565ebf9e50e062c3 Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Wed, 29 Nov 2017 10:45:09 -0800
Subject: [PATCH 1/1] add google-authenticator to the iso

---
 .../hooks/99-google_authenticator.chroot           |    7 +++++++
 .../package-lists/vyos-utils.list.chroot           |    1 +
 2 files changed, 8 insertions(+), 0 deletions(-)
 create mode 100644 data/live-build-config/hooks/99-google_authenticator.chroot

diff --git a/data/live-build-config/hooks/99-google_authenticator.chroot b/data/live-build-config/hooks/99-google_authenticator.chroot
new file mode 100644
index 0000000..7f0b9a0
--- /dev/null
+++ b/data/live-build-config/hooks/99-google_authenticator.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo I: setup google authenticator
+
+sed -i -e '1iauth       required     pam_google_authenticator.so nullok' /etc/pam.d/sshd
+sed -i -e 's/^ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
+
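Review bot: The hook enables two-factor SSH but `nullok` on the pam_google_authenticator line means any account that has not run google-authenticator yet silently skips the OTP step, and nothing in the file says so; a comment on that line, `# nullok: accounts without ~/.google_authenticator skip the OTP step until they enroll`, makes the trade-off visible to whoever builds the next iso. The sshd_config sed is also silent when the directive is absent or commented out, leaving PAM changed but challenge-response still off; `grep -q '^ChallengeResponseAuthentication yes' /etc/ssh/sshd_config || { echo 'E: ChallengeResponseAuthentication not enabled' >&2; exit 1; }` after the sed would make the build fail instead. Running the hook twice would insert the pam line twice, so a `grep -q pam_google_authenticator /etc/pam.d/sshd ||` guard on the first sed is worth adding as well.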
diff --git a/data/live-build-config/package-lists/vyos-utils.list.chroot b/data/live-build-config/package-lists/vyos-utils.list.chroot
index 98d6a75..8eab280 100644
--- a/data/live-build-config/package-lists/vyos-utils.list.chroot
+++ b/data/live-build-config/package-lists/vyos-utils.list.chroot
@@ -13,3 +13,4 @@ nano
 vim-tiny
 screen
 minicom
+libpam-google-authenticator
-- 
1.7.1

From 3d08cae7441e1b020ea821ec13ab30814a886677 Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Wed, 29 Nov 2017 16:19:22 -0800
Subject: [PATCH 1/1] fix permissions on chroot script

---
 0 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 data/live-build-config/hooks/99-google_authenticator.chroot

diff --git a/data/live-build-config/hooks/99-google_authenticator.chroot b/data/live-build-config/hooks/99-google_authenticator.chroot
old mode 100644
new mode 100755
-- 
1.7.1

From cc69b09921474f2053cc76030e87c9e1b773ba19 Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Fri, 1 Dec 2017 10:48:05 -0800
Subject: [PATCH 1/1] google authenticator might need qrencode to avoid leaking the generated key to google.com/chart

---
 .../package-lists/vyos-utils.list.chroot           |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/data/live-build-config/package-lists/vyos-utils.list.chroot b/data/live-build-config/package-lists/vyos-utils.list.chroot
index 8eab280..661089e 100644
--- a/data/live-build-config/package-lists/vyos-utils.list.chroot
+++ b/data/live-build-config/package-lists/vyos-utils.list.chroot
@@ -14,3 +14,4 @@ vim-tiny
 screen
 minicom
 libpam-google-authenticator
+qrencode
-- 
1.7.1

From 6a7273395c18ee989c7fa8c6746a51e0ce677297 Mon Sep 17 00:00:00 2001
From: Carl Byington <carl@five-ten-sg.com>
Date: Mon, 4 Dec 2017 14:42:50 -0800
Subject: [PATCH 1/1] add haveged so daemons have a reliable entropy source

---
 .../package-lists/vyos-utils.list.chroot           |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/data/live-build-config/package-lists/vyos-utils.list.chroot b/data/live-build-config/package-lists/vyos-utils.list.chroot
index 661089e..bbd585c 100644
--- a/data/live-build-config/package-lists/vyos-utils.list.chroot
+++ b/data/live-build-config/package-lists/vyos-utils.list.chroot
@@ -15,3 +15,4 @@ screen
 minicom
 libpam-google-authenticator
 qrencode
+haveged
-- 
1.7.1