@utrenkner
Last active February 17, 2022 13:30
#!/bin/sh
pkg install -y poudriere ccache git-lite
mkdir -p /var/cache/ccache
# point ccache at the shared cache directory
echo "cache_dir = /var/cache/ccache" >> /usr/local/etc/ccache.conf
# edit poudriere.conf: reuse that cache and build on the zroot pool
echo "CCACHE_DIR=/var/cache/ccache" >> /usr/local/etc/poudriere.conf
echo "ZPOOL=zroot" >> /usr/local/etc/poudriere.conf
# add your poudriere.conf options below
echo "CHECK_CHANGED_OPTIONS=verbose" >> /usr/local/etc/poudriere.conf
echo "CHECK_CHANGED_DEPS=yes" >> /usr/local/etc/poudriere.conf
echo "NOLINUX=yes" >> /usr/local/etc/poudriere.conf
# create poudriere datasets, mountpoints and jail
zfs create -p zroot/poudriere/base/jails/11-STABLE
zfs set mountpoint=/poudriere zroot/poudriere
cd /poudriere/base/jails/11-STABLE
# base.txz is fetched over HTTPS but nothing below checks it against a published
# hash or signature; verify it before extracting if this host builds packages
# that other machines will install
fetch -o /tmp/base.txz https://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/hardenedbsd-11-stable-LAST/base.txz
tar xf /tmp/base.txz
poudriere jail -c -j 11-STABLE -m null -M /poudriere/base/jails/11-STABLE
# HardenedBSD's base reports its own version string, which poudriere and the ports
# framework do not expect. Record 11.2-RELEASE as the jail version and export UNAME_*
# into every make, configure and script environment so that uname(1) calls inside
# the build (which honour the UNAME_* variables) report FreeBSD 11.2-RELEASE.
mkdir -p /usr/local/etc/poudriere.d/jails/11-STABLE
echo "11.2-RELEASE" > /usr/local/etc/poudriere.d/jails/11-STABLE/version
echo 'UNAME_ENV+= UNAME_s=FreeBSD' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo 'UNAME_ENV+= UNAME_r=11.2-RELEASE' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo 'UNAME_ENV+= UNAME_v="${UNAME_s} ${UNAME_r}"' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo '.MAKEFLAGS: ${UNAME_ENV}' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo 'MAKE_ENV+= ${UNAME_ENV}' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo 'CONFIGURE_ENV+= ${UNAME_ENV}' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
echo 'SCRIPTS_ENV+= ${UNAME_ENV}' >> /usr/local/etc/poudriere.d/11-STABLE-current-make.conf
# Get HBSD ports tree and import it into poudriere
git clone https://github.com/HardenedBSD/hardenedbsd-ports.git /usr/ports
mkdir -p /usr/ports/distfiles
poudriere ports -c -p current -m null -M /usr/ports
# Relax HardenedBSD hardening for package builds, matching what @lattera runs on the
# official build server. status=1 means opt-in (0 disabled, 2 opt-out, 3 force), so
# ASLR, PAGEEXEC, MPROTECT and the map32bit restriction stay available but are off
# unless a binary opts in. These weaken the whole host, so keep this machine dedicated
# to building; they land in /etc/sysctl.conf and take effect after the reboot below.
echo 'hardening.pax.aslr.status=1' >> /etc/sysctl.conf
echo 'hardening.pax.pageexec.status=1' >> /etc/sysctl.conf
echo 'hardening.pax.mprotect.status=1' >> /etc/sysctl.conf
echo 'hardening.procfs_harden=0' >> /etc/sysctl.conf
echo 'hardening.pax.disallow_map32bit.status=1' >> /etc/sysctl.conf
echo 'security.bsd.hardlink_check_gid=0' >> /etc/sysctl.conf
echo 'security.bsd.hardlink_check_uid=0' >> /etc/sysctl.conf
echo 'debug.debugger_on_panic=0' >> /etc/sysctl.conf
# Reboot to finish
shutdown -r now
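The two hand-written parts of the script above, the per-jail poudriere override files and the PaX sysctl relaxation, are easy to get subtly wrong (a missing directory, as the author's own comments note, or a status of 0 instead of 1). The helpers below are an added example, not part of utrenkner's gist or of poudriere: write_jail_overrides generates the version file and the jail-portstree make.conf fragment under a directory you pass in (use /usr/local/etc/poudriere.d on a real host; the tests use a scratch directory), and audit_pax_sysctl reads a sysctl.conf and reports what each hardening.pax.*.status value means, failing if any feature is fully disabled. The function names and the parameterised paths are this example's own; the status meanings are HardenedBSD's.

```shell
#!/bin/sh
# Added example, not code from the original gist. Paths are parameters so the
# functions can be exercised in a scratch directory; on a real host pass
# /usr/local/etc/poudriere.d and /etc/sysctl.conf.

# Meaning of HardenedBSD's hardening.pax.<feature>.status values.
pax_status_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "opt-in" ;;
        2) echo "opt-out" ;;
        3) echo "force" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# write_jail_overrides POUDRIERE_D JAIL PORTSTREE RELEASE
# Creates <POUDRIERE_D>/jails/<JAIL>/version holding RELEASE and
# <POUDRIERE_D>/<JAIL>-<PORTSTREE>-make.conf, which exports UNAME_s/UNAME_r/UNAME_v
# into the make, configure and script environments of every port build so that
# uname(1) inside the jail reports "FreeBSD RELEASE".
write_jail_overrides() {
    pd=$1; jail=$2; tree=$3; rel=$4
    mkdir -p "$pd/jails/$jail" || return 1
    printf '%s\n' "$rel" > "$pd/jails/$jail/version"
    mc="$pd/$jail-$tree-make.conf"
    {
        printf 'UNAME_ENV+= UNAME_s=FreeBSD\n'
        printf 'UNAME_ENV+= UNAME_r=%s\n' "$rel"
        printf 'UNAME_ENV+= UNAME_v="${UNAME_s} ${UNAME_r}"\n'
        printf '.MAKEFLAGS: ${UNAME_ENV}\n'
        printf 'MAKE_ENV+= ${UNAME_ENV}\n'
        printf 'CONFIGURE_ENV+= ${UNAME_ENV}\n'
        printf 'SCRIPTS_ENV+= ${UNAME_ENV}\n'
    } > "$mc"
}

# audit_pax_sysctl FILE
# Prints each hardening.pax.*.status line in FILE with its meaning. Returns 1 if
# any feature is fully disabled (0) or has an unknown value; opt-in (1) is the
# most the build script above relaxes.
audit_pax_sysctl() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            hardening.pax.*.status=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        name=$(pax_status_name "$val") || rc=1
        echo "$key -> $val ($name)"
        [ "$val" = "0" ] && rc=1
    done < "$1"
    return $rc
}

# Demo run in a scratch directory with a constructed sysctl.conf (one entry
# deliberately set to 0 so the audit reports a problem).
demo() {
    tmp=$(mktemp -d)
    write_jail_overrides "$tmp/poudriere.d" 11-STABLE current 11.2-RELEASE
    cat "$tmp/poudriere.d/11-STABLE-current-make.conf"
    printf 'hardening.pax.aslr.status=1\nhardening.pax.mprotect.status=0\n' > "$tmp/sysctl.conf"
    audit_pax_sysctl "$tmp/sysctl.conf" || echo "at least one PaX feature is fully disabled"
    rm -rf "$tmp"
}

demo
```

On a real host, run audit_pax_sysctl against /etc/sysctl.conf after the script has appended its lines; the live values can be confirmed after the reboot with `sysctl hardening.pax`.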
@utrenkner

First draft of script to set up poudriere on a HardenedBSD server

@utrenkner

utrenkner commented Oct 3, 2018

There was a mistake in line 19 (a stray fetch). Fixed in Revision 2.

@utrenkner

Version file in line 26 was not written because the directory did not exist yet. Added line 25 to create the path.
