Markus Wernig wrote:
> Dear list
> I have a couple of 4.1 firewalls that I would like to upgrade to 4.2.
> Before taking them online again I'd like to deploy the openssl patch
> from ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/002_openssl.patch
I feel your pain. Others have dissed on you for not having compile tools
on your hosts and assume you're doing it for security reasons. I don't
know your reason, but I only have compile tools on my build system. I
create binary patches (see script below) and distribute across the
network. Who the hell wants 20 (# of servers in my network) builds
cranking on all your machines in the network? What a nightmare. What if
they all fail? Worse yet, what if one fails? Someone is going to say,
"script/automate it." Screw that. Now you need to figure out how to make
the sources available to all the hosts, initiate the build, make sure
the build didn't fail, etc.
Another reason I don't have compile tools on some of my servers is
because they won't fit. Many of my dedicated systems use 256MB flash drives.
The third reason to keep crap off your servers, including compiler
tools, is that potentially that extra stuff could be exploitable. If it
is, then you have to patch it too. Just extra work.
> Being perimeter firewalls, those systems don't have compile tools
> installed. I would thus need to pre-compile libssl on a 4.2 buildhost
> and deploy it onto the firewalls. I've been looking through the
> documentation but did not find a "good" way to do this, because
> openssl is not a package, but part of the base system.
OpenBSD makes it very easy to create binary patches. I wrote a script
below that automates most of the process. I have been using this script
for a while and it works pretty well. The good thing about this is that
it only creates a binary patch of executables and files that were
affected by the source patch. This also has the benefit of touching only
a small portion of the installed system, which can be helpful when you
are monitoring for trojan horses.
The alternative, which someone else mentioned, is to just make a release.
This is straightforward and officially supported. See release(8).
> Is there any way other than tar - scp - untar after compiling libssl?
> thx for any pointers
> /markus
I will apologize in advance for the screwed spacing/tabbing.
#!/bin/sh
#
# Builds kernel and userland from the /usr/src tree. The script sets up the
# build environment then kicks the user to a shell to manually patch the
# source. When in userland build mode, the user is also asked to build and
# install using the instructions specified in the official OpenBSD patch. After
# the user exits the work shell, this script will build the kernel or create a
# binary userland patch depending on the operation mode.
#
# BUGS
# Does not build or make binary patches for the X system.
#
usage()
{
	cat <<- EOF
	usage: $APP {-k | -u} [-h] [-p patch-name]
	  -k : kernel build mode; makes GENERIC & GENERIC.MP kernels
	  -u : userland build mode; makes binary patches
	  -p : embedded in the newly built kernel/patch filenames
	  -h : help
	EOF
	exit $1
}

APP=${0##*/}
REL=`uname -r`
ARCH=`uname -m`
Mode=0
PatchName=
KernCfgs='GENERIC GENERIC.MP'

while getopts p:kuh i
do	case $i in
	k)	Mode=1 ;;
	u)	Mode=2 ;;
	p)	PatchName=-$OPTARG ;;
	h)	usage 0 ;;
	*)	echo "$APP: cmdline parse error."
		usage 1 ;;
	esac
done
[ $Mode -ne 0 ] || usage 1

# Scratch space, removed on exit. The userland tree is populated by
# "sudo make install", so fall back to sudo if the plain rm fails.
TDIR=`mktemp -d /var/tmp/${APP}.XXXXXXX` || exit 1
trap 'rm -rf $TDIR 2>/dev/null || sudo rm -rf $TDIR' EXIT

if [ $Mode -eq 1 ]
then	KDIR=`mktemp -d /var/tmp/kernels-XXXXXXX` || exit 1
	cat <<- EOF
	=== Kernel Build Rules ===
	- Patch the kernel source.
	- Type "exit" when complete.
	- The kernels ($KernCfgs) will automatically build.

	=== Command Sequence Hint ===
	$ cd /usr/src
	$ ftp -Vo - ftp://ftp.openbsd.org/pub/OpenBSD/patches/$REL/$ARCH/<patch> | patch -p0
	$ exit
	EOF
	$SHELL
	# Build each kernel configuration in its own compile directory.
	for k in $KernCfgs
	do	mkdir $TDIR/$k
		cd $TDIR/$k
		cp /sys/arch/$ARCH/conf/$k .
		config -s /sys -b . $k
		make clean && make depend && make || exit 1
		mv bsd $KDIR/bsd.$k$PatchName
		rm -rf $TDIR/$k &
	done
	cat <<- EOF
	The kernels have been built and can be found in "$KDIR".
	Install your kernel safely:
	  # ln -f /bsd /bsd.old
	  # cp $KDIR/<new-kernel> /bsd.tmp
	  # mv /bsd.tmp /bsd
	EOF
else	# Userland: install into a private DESTDIR and snapshot the empty
	# directory skeleton with mtree, so that whatever is present afterwards
	# is exactly the set of files the patch touched.
	export BSDOBJDIR=$TDIR/obj _DESTDIR=$TDIR/dest
	readonly BSDOBJDIR _DESTDIR
	mkdir $BSDOBJDIR $_DESTDIR
	cd /usr/src/etc
	sudo env DESTDIR=$_DESTDIR make distrib-dirs >/dev/null
	cd $_DESTDIR
	sudo mtree -c -k type > ../dest.mtree
	cat <<- EOF
	=== Userland Build Rules ===
	- Manually patch and rebuild the affected sources according to
	  the patch instructions.
	- Set "DESTDIR=\$_DESTDIR" on the command line for ALL make
	  install targets!
	- Type "exit" when complete.

	=== Command Sequence Hint ===
	$ cd /usr/src
	$ ftp -Vo - ftp://ftp.openbsd.org/pub/OpenBSD/patches/$REL/$ARCH/<patch> | patch -p0
	$ cd <thing that needs building>
	$ make obj && make cleandir && make depend && make && sudo make DESTDIR=\$_DESTDIR install
	$ exit
	EOF
	$SHELL
	cd $_DESTDIR
	# Compare against the snapshot; every "extra:" entry is a newly
	# installed file and goes into the binary patch tarball.
	sudo mtree -f ../dest.mtree > ../tmp.mtree
	[ -s ../tmp.mtree ] || { echo "Nothing installed in \$_DESTDIR."; exit 1; }
	PATCH=`mktemp /var/tmp/patch$PatchName.tgz-XXXXXXX` || exit 1
	echo -n "\nCreating binary patch '$PATCH'..."
	sudo mtree -f ../dest.mtree | grep '^extra:' | cut -d' ' -f2 |
	    tar czf $PATCH -I - && echo OK || echo FAILED
fi
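As an added example that is not part of the original post, here is the deploy side of the same process: a script for the firewall that verifies the patch tarball's SHA-256 against a value assumed to be published by the build host, saves the installed files it is about to overwrite into a rollback tarball, and then extracts the patch. It assumes the tarball's paths are relative to / (as the build script above produces them) and that either sha256(1) or sha256sum(1) is available; the demo function, its libssl/libcrypto file names and its checksum are constructed.

```shell
#!/bin/sh
# Deploy-side counterpart to the build script (added example, not part of the
# original post). Applies a binary patch tarball produced on the build host to
# a root directory, after checking its published SHA-256 and saving copies of
# every installed file it will overwrite, so the patch can be backed out.

# Checksum with whichever tool the host has: sha256(1) on OpenBSD,
# sha256sum(1) on most Linux systems.
sha256_of() {
	if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
	else sha256sum "$1" | cut -d' ' -f1; fi
}

# apply_binpatch PATCH.tgz EXPECTED_SHA256 [ROOT]  (ROOT defaults to /)
apply_binpatch() {
	patch=$1; want=$2; root=${3:-/}
	got=$(sha256_of "$patch")
	if [ "$got" != "$want" ]; then
		echo "$patch: checksum mismatch (got $got)" >&2; return 1
	fi
	# Paths inside the tarball are relative to /, as the build script made them.
	existing=$(tar tzf "$patch" | while IFS= read -r f; do
		if [ -f "$root/$f" ]; then printf '%s\n' "$f"; fi
	done)
	mkdir -p "$root/var/backups"
	rollback="$root/var/backups/$(basename "$patch" .tgz).rollback.tgz"
	if [ -n "$existing" ]; then
		# Save the current copies before they are replaced (xargs is POSIX,
		# unlike tar's -I/-T list options, which differ between implementations).
		printf '%s\n' "$existing" | (cd "$root" && xargs tar czf "$rollback")
	fi
	(cd "$root" && tar xzpf "$patch") || return 1
	echo "applied $patch; replaced files saved in $rollback"
}

# Constructed demo: a fake patch that replaces one library and adds another,
# applied to a throwaway root instead of /. Prints the root it used.
demo() {
	work=$(mktemp -d /tmp/binpatch-demo.XXXXXXXX) || return 1
	mkdir -p "$work/stage/usr/lib" "$work/root/usr/lib"
	echo "patched libssl" > "$work/stage/usr/lib/libssl.so.FAKE"
	echo "new libcrypto"  > "$work/stage/usr/lib/libcrypto.so.FAKE"
	echo "old libssl"     > "$work/root/usr/lib/libssl.so.FAKE"
	(cd "$work/stage" && tar czf ../patch-openssl.tgz usr/lib)
	apply_binpatch "$work/patch-openssl.tgz" \
	    "$(sha256_of "$work/patch-openssl.tgz")" "$work/root" >/dev/null || return 1
	echo "$work/root"
}
```

On a real firewall, run apply_binpatch as root with ROOT omitted; the rollback tarball under /var/backups can be extracted over / to undo the patch.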