[lfs-support] automated lfs package-user

Qrux qrux.qed at gmail.com
Wed Feb 15 14:01:03 PST 2012

On Feb 14, 2012, at 8:44 AM, John Burrell wrote:

> Has anyone written a script or scripts which automate the lfs build using MSB's package user system?

I have a build-system for LFS.

It builds the "whole" thing, chapters 5, 6, 7, 8, and--ha--9.

It does not, however, use the MSB package system.  But I'm very interested in the install-as-package-user system; it would be awesome if someone wanted to hack that on.  Having said that, has anyone verified that it doesn't create security risks that might be outweighed by installation as root?  I've read the paper; I understand it helps alleviate issues with installs; I'd also like to know from the people who've tried it if there are any vulnerabilities created.

> I've used a hacked version of the package user system for some time now and I like it a lot. It's very easy to control what gets installed and to catch Makefiles which trample all over your system. Just take a look at cups to see what I mean.

I've got a project on github you can play with.  It doesn't require any user interaction beyond an initial script that asks for certain answers before the build starts.

> I've built lfs a few times and I'm not doing it again manually, so can anyone help me?  If not I'll write it myself, but I don't want to reinvent the wheel.

You're welcome to look at my stuff.  I'd be happy to look at patches, if you want to put MSB on top of it.  Shouldn't be too hard with my setup:


You'll want to note that I make assumptions about your host system:

	* It uses Grub Legacy.

	* /boot is a separate partition from the current root or /mnt/lfs.

	* /mnt/lfs is a separate partition.

	* You want a "vanilla" LFS install, which does not create a ramdisk.

	* Your glibc is fairly current (supports $n$ password hashing).

Also, my build system is geared toward a user who ultimately wants to install Xen on the bare-metal, and then run the machine as a virtualized cluster.  That's what all the additional "stuff" is, most of which you can completely ignore if you just want an LFS build.

It has two build "modes": it can run a "quick build", where it doesn't run most of the time-consuming regression checks in chapter 6, and a "full build", where it does run those same tests.  It has a nice feature where you can open another window (on the host system) and run a script called 'scan' which tells you which packages have been built and how much total time has been taken.  The original window--the one you build in--doesn't generate any output (to reduce CPU usage, particularly if you're SSH'ed in to the host, as I am), but instead writes to a log file.  In fact, scan just scans that log file every once in a while for an update.

My system goes on to install a few packages beyond vanilla LFS:

	* bc
	* openssl
	* wget
	* CA-certs
	* tcp_wrappers
	* sysstat
	* openssh

These packages are just enough to allow you to SSH in (bc is needed by openssl, and wget is needed by CA-certs--which is needed by ssl/ssh; tcp_wrappers is usable by openssh--and has nice scripts to ameliorate brute-force attacks).  Strictly speaking, sysstat isn't a necessary part of this sequence, and may be refactored out in the future.

In addition, the opening configuration script asks for an SSH key to install, so you can SSH in as root.  I realize this is outside of vanilla LFS (indeed, I installed these packages from the BLFS instructions).  But, I will probably never remove these from my core install (aside from probably sysstat).

It also installs these packages:

	* which
	* ntp
	* cpio
	* hdparm
	* net-tools
	* bonnie++
	* xlapp-watchdog

I may refactor these out, since I'm sure some people won't want them.  The last one is my own.  It reverts /boot/grub/menu.lst to boot the host system in the event that no one shuts off the watchdog within 30 seconds (the interval is easily changed).  For me, running this build in a dim colo setting means that sometimes a boot script gets borked.  It's nice to have a way to reboot the system.

TL;DR - Feel free to hack on it.  It's 99.9% shell-scripting, so nothing funky like Python, Java, etc.  I'd be quite interested to see if MSB can be grafted on, at which point, if it doesn't create vulnerabilities, I'd like to merge that in.  It's still a work-in-progress for me, and I'd quite like someone else to take a look!
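The 'scan' progress reader described in the message above, as an added example for readers of this thread; this is not Qrux's script, and the log format it parses (one "<epoch> START <pkg>" line when a package build begins and one "<epoch> DONE <pkg>" line when it finishes) is an assumption, as is the sample log, which is constructed here and not taken from a real build.

```shell
#!/bin/sh
# Added example: a minimal "scan"-style progress reader for a build log.
# Assumed log format (not Qrux's): the build script appends one line per
# event, "<epoch-seconds> START <pkg>" and "<epoch-seconds> DONE <pkg>".
# The build window stays silent and only appends to the log; this reader
# is what you run in a second window to see how far along it is.

# scan_log <logfile>: one line per finished package with its duration,
# the packages still in progress, and a summary line.
scan_log() {
    awk '
        $2 == "START" { start[$3] = $1 }
        $2 == "DONE" && ($3 in start) {
            d = $1 - start[$3]; total += d; n++
            printf "%-16s %6d s\n", $3, d
            delete start[$3]
        }
        END {
            for (p in start) printf "%-16s (in progress)\n", p
            printf "%d packages built, %d s total\n", n, total
        }' "$1"
}

# total_build_seconds <logfile>: just the summed duration of finished
# packages, so a caller (or a test) can check it as a single number.
total_build_seconds() {
    awk '$2 == "START" { s[$3] = $1 }
         $2 == "DONE" && ($3 in s) { t += $1 - s[$3]; delete s[$3] }
         END { print t + 0 }' "$1"
}

# Constructed sample log (not from a real build): two finished packages
# and one still building.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
1329000000 START binutils-pass1
1329000420 DONE binutils-pass1
1329000421 START gcc-pass1
1329001500 DONE gcc-pass1
1329001501 START linux-headers
EOF

scan_log "$LOG"
```

Run it in a loop (`while sleep 60; do clear; scan_log /path/to/build.log; done`) for the periodic-refresh behaviour the message describes; the reader only ever opens the log read-only, so it cannot disturb the build.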
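The boot-menu watchdog idea from the message above, as an added example; this is not the xlapp-watchdog package, and the function name, arguments and the cancel-flag mechanism are assumptions. The point it demonstrates is the fail-safe default: a new boot entry is kept only if someone actively confirms it within the timeout, otherwise the known-good menu is restored, and the restore is done with a temp file plus rename so a crash mid-write cannot leave a truncated menu.lst.

```shell
#!/bin/sh
# Added example: a boot-config watchdog in the spirit of the one described
# above. Not Qrux's xlapp-watchdog; names, paths and timing are assumptions.
#
# grub_watchdog <config> <known-good-copy> <cancel-flag> <timeout-seconds>
#   Polls once a second for <cancel-flag>. If it appears, the operator has
#   confirmed the new boot works: remove the flag and keep <config> (return 0).
#   If the timeout passes first, write <known-good-copy> back over <config>
#   atomically and return 1, so the next reboot comes up on the host system.
grub_watchdog() {
    cfg=$1; good=$2; flag=$3; timeout=$4
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$flag" ]; then
            rm -f "$flag"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # Nobody confirmed in time: fail safe back to the known-good menu.
    # Stage the copy in the same directory and mv it into place; rename
    # within one filesystem is atomic, so a power cut here leaves either
    # the old file or the complete new one, never a half-written menu.
    tmp=$(mktemp "$(dirname "$cfg")/.menu.lst.XXXXXX")
    cp "$good" "$tmp" && mv "$tmp" "$cfg"
    return 1
}

# Self-contained demonstration on constructed files in a temp directory
# (stand-ins for /boot/grub/menu.lst and a saved copy of the host's menu).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'default 0\ntitle host\n' >"$DEMO/menu.lst.good"

# Scenario: the new LFS entry is written, but no one touches the cancel
# flag within 1 second, so the watchdog reverts to the host entry.
printf 'default 0\ntitle lfs\n' >"$DEMO/menu.lst"
if grub_watchdog "$DEMO/menu.lst" "$DEMO/menu.lst.good" "$DEMO/cancel" 1; then
    echo "confirmed: kept new menu"
else
    echo "timed out: reverted to $(sed -n 's/^title //p' "$DEMO/menu.lst")"
fi
```

In real use you would start this from a boot script with the real timeout (the message mentions 30 seconds), SSH in, and create the cancel flag once you can see the new system is up; if the SSH daemon never comes up, the watchdog does the reverting for you.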

