Commit Graph

7717 Commits

Author SHA1 Message Date
Colin Percival
4a93691064 Make EC2 instances use Amazon's NTP service for time synchronization.
Since Amazon provides NTP servers within their network, this should
be far superior to using the default NTP pools; and since the service
is provided by Amazon there's very little risk in enabling it by
default.  (If someone is able to compromise Amazon's NTP servers and
exploit them to attack EC2 instances, they would almost certainly be
able to compromise EC2 instances even without ntpd running...)

MFC after:	1 week
Relnotes:	EC2 instances now keep their clocks synchronized using
		the Amazon Time Sync Service (aka. NTP).
2017-12-05 09:22:14 +00:00
Colin Percival
4ba35bc4db Resurrect r321659: Turn off ChallengeResponseAuthentication for EC2 AMIs.
EC2 instances are normally launched with an SSH public key specified,
which is then used for logging in (by default, as 'ec2-user').  Having
ChallengeResponseAuthentication enabled (as FreeBSD's default sshd_config
does) has no functional effect in a new EC2 instance, since you can't log
in using a password until a password has been set -- but having this
enabled results in alerts from automated scanning tools which can detect
that sshd advertises support for keyboard-interactive logins (since they
can't detect that accounts have no password set).

EC2 users who want to use passwords to log in to their instances will need
to set 'ChallengeResponseAuthentication yes' in FreeBSD 12.0 and later.

Discussed with:	gjb, gtetlow, emaste, des
Requested by:	Amazon
X-MFC:		No
Relnotes:	ChallengeResponseAuthentication is turned off by default in
		Amazon EC2 AMIs.
2017-12-05 09:08:48 +00:00
Glen Barber
30ba43e1a6 Fix port build flags passed to make(1) after r326315, where
it was missed for embedded image builds.

MFC after:	3 days
MFC with:	r326315
Sponsored by:	The FreeBSD Foundation
2017-11-30 20:53:57 +00:00
Glen Barber
c205468e00 Fix an indentation nit.
Sponsored by:	The FreeBSD Foundation
2017-11-30 20:52:01 +00:00
Glen Barber
cd9ef49f4f Correct a comment after r326330.
MFC after:	3 days
MFC with:	r326330
Sponsored by:	The FreeBSD Foundation
2017-11-28 18:08:14 +00:00
Glen Barber
20772e472f Add a comment to release/release.conf.sample documenting
EMBEDDEDPORTS. [1]

Remove and update stale documentation from release(7) while here.

PR:		206344 [1]
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-11-28 18:02:58 +00:00
Glen Barber
27879b9a70 Set DISTDIR and WRKDIRPREFIX when building ports within the
chroot(8) to avoid mtime changes within the ports checkout,
which can cause checksum differences.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-11-28 16:00:27 +00:00
Glen Barber
3103eac6a0 Remove /etc/resolv.conf from virtual machine images, which is
copied from the build host.  It is renamed to /etc/resolv.conf.bak
on boot, so never used anyway.

Noticed by:	peter
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-11-21 18:02:18 +00:00
Glen Barber
2833897f35 Use chroot(8) when invoking realpath(1) when setting BOOTFILES,
otherwise realpath(1) exits due to a nonexistent directory.

Sponsored by:	The FreeBSD Foundation
2017-11-20 15:03:03 +00:00
Brad Davis
6be8e27be0 Add missing call to services_mkdb to build the services.db
Approved by:	gjb
2017-11-19 02:16:11 +00:00
Pedro F. Giffuni
df57947f08 spdx: initial adoption of licensing ID tags.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
open source licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.

Initially, only tag files that use BSD 4-Clause "Original" license.

RelNotes:	yes
Differential Revision:	https://reviews.freebsd.org/D13133
2017-11-18 14:26:50 +00:00
Glen Barber
f295b9db79 Add general configuration files used by release/release.sh for
big-iron installation images.

MFC after:	3 days
MFC with:	r325948, r325949, r325950, r325951
Sponsored by:	The FreeBSD Foundation
2017-11-17 18:00:52 +00:00
Glen Barber
41edb6080c Fix indentation.
Sponsored by:	The FreeBSD Foundation
2017-11-17 17:40:53 +00:00
Glen Barber
bcccd559e2 Sort variables for consistency.
Sponsored by:	The FreeBSD Foundation
2017-11-17 17:36:45 +00:00
Glen Barber
d025cec625 Sort variables in arm64 SoC configurations.
Remove an unneeded UBLDR_LOADADDR from RPI3.conf.

Sponsored by:	The FreeBSD Foundation
2017-11-17 17:34:52 +00:00
Glen Barber
14dc747a10 Remove stray SRCBRANCH included by mistake.
Sponsored by:	The FreeBSD Foundation
2017-11-17 17:33:06 +00:00
Glen Barber
d294a5246f Only copy /etc/resolv.conf to ${CHROOTDIR} if /etc/resolv.conf does
not already exist within ${CHROOTDIR}.  This allows re-using a build
chroot with CHROOTBUILD_SKIP set to a non-empty value and CHROOTDIR
set to '/' in release.conf.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-11-15 19:14:44 +00:00
Emmanuel Vadot
cac201b866 release: Update u-boot and firmware file for RPI2 target
The u-boot port for RPI-2 was updated to use u-boot-master, this causes
an update in u-boot version to v2017.09 and changing the filename.
The various firmware files for the RPI* are now in a common ports
sysutils/rpi-firmware as they are shared on all the RPI versions.

Update the release files to copy the right files from the right location.

Reviewed by:	gjb
MFC after:	3 days
2017-11-15 19:04:23 +00:00
Emmanuel Vadot
e69ce19b6a release: Update u-boot and firmware file for RPI-B target
The u-boot port for RPI-B was updated to use u-boot-master, this causes
an update in u-boot version to v2017.09 and changing the filename.
The various firmware files for the RPI* are now in a common ports
sysutils/rpi-firmware as they are shared on all the RPI versions.

Update the release files to copy the right files from the right location.

Reviewed by:	gjb
MFC after:	3 days
2017-11-15 19:03:06 +00:00
Warner Losh
ca987d4641 Move sys/boot to stand. Fix all references to new location
Sponsored by:	Netflix
2017-11-14 23:02:19 +00:00
Glen Barber
760c3a19e2 Correct the path to the md(4)-backed UFS filesystem for pine64
images.

Boot-tested by:	lidl
Sponsored by:	The FreeBSD Foundation
2017-11-14 14:31:02 +00:00
Glen Barber
d412b1d7bc Update the GUMSTIX image build to use arm/arm TARGET/TARGET_ARCH.
Update the TARGET/TARGET_ARCH matching in release/release.sh and
release/Makefile.mirrors for simplification.

Discussed with:	mmel
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-11-13 19:31:51 +00:00
Glen Barber
bb0c3a6b03 Specify WITH_UNIFIED_OBJDIR in chroot_arm_build_release() to
ensure the output image is created in the correct .OBJDIR.

Sponsored by:	The FreeBSD Foundation
2017-11-06 17:59:04 +00:00
Bryan Drewery
f7ef435bb6 Rework r325076: Just use the pre-existing OBJDIR.
Like was done in usr.sbin/mergemaster in r249906, we can just use
the already-built OBJDIR for install(1).

Sponsored by:	Dell EMC Isilon
2017-11-05 22:29:34 +00:00
Emmanuel Vadot
1883caa7cc release/arm: Do not install ubldr
ubldr is the non-pie version of ubldr.bin, do not install two
copies of the same binary. This will allow us to remove ubldr
in the future.
All the u-boot ports know how to load ubldr.bin

Reviewed by:	gjb (earlier version)
2017-11-03 23:02:57 +00:00
Glen Barber
91fcd6f57c Fix an error in the PINE64.conf, where the ubldr is not needed
and the u-boot needs to be written to the partition with dd(1).

Reported by:	manu
Sponsored by:	The FreeBSD Foundation
2017-11-03 19:32:10 +00:00
Glen Barber
5399c35fcc Add a configuration file for building pine64 SoC images.
Parts obtained from:	crochet
Sponsored by:	The FreeBSD Foundation
2017-11-03 19:08:59 +00:00
Glen Barber
0dd40b17a8 Include TARGET and TARGET_ARCH in chroot_arm_build_release()
make(1) invocations following the OBJDIR restructuring to
ensure the output arm SoC image is in the correct directory.

Sponsored by:	The FreeBSD Foundation
2017-11-03 18:54:25 +00:00
Bryan Drewery
dfa099890c Add option UNIFIED_OBJDIR, on by default, which moves the default build OBJDIR.
This changes the build OBJDIR from the older style of /usr/obj/<srcdir> for
native builds, and /usr/obj/<target>.<target_arch>/<srcdir> for cross builds to
a new simpler format of /usr/obj/<srcdir>/<target>.<target_arch>.  This
new format is used regardless of cross or native build.  It allows
easier management of multiple source tree object directories.

The UNIFIED_OBJDIR option will be removed and its feature made permanent
for the 12.0 release.

Relnotes:	yes (don't note UNIFIED_OBJDIR option since it will be removed)
Prior work:	D3711 D874
Reviewed by:	gjb, sjg
Discussed at:	https://lists.freebsd.org/pipermail/freebsd-arch/2016-May/017805.html
Discussed with:	emaste
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12840
2017-11-01 21:22:05 +00:00
Colin Percival
9d98ae7d5f Add the amazon-ssm-agent package to EC2 AMI builds. This makes it
immediately available on instances which are running without internet
access (or which can't rely on firstboot_pkgs to install it for some
other reason).

Note that this agent is not enabled by default; to enable it, add
amazon_ssm_agent_enable="YES" to /etc/rc.conf, e.g., by placing the lines
	>>/etc/rc.conf
	amazon_ssm_agent_enable="YES"
into the EC2 user-data.  In addition to being enabled, the agent requires
keys to be provided via IAM Roles; users are encouraged to be very careful
in using this functionality due to the inherent vulnerability in the idea
of providing credentials via a service accessible to any process which can
open an HTTP connection.

Requested by:	Amazon
No objection from:	re@
Relnotes:	FreeBSD/EC2 AMIs now include the Amazon EC2 Systems Manager
		(SSM) Agent.
2017-11-01 00:33:54 +00:00
Bryan Drewery
54a03abb68 Run mm-mtree with whatever -j value the build is using.
Reviewed by:	gjb
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D12807
2017-10-31 00:03:29 +00:00
Glen Barber
2170fff8a5 Set a default hostname for virtual machine images.
A recent bug in security/sudo causes segmentation faults when
the system is not configured with a hostname, which causes issues
with some virtual machine setups, notably Vagrant.  Set the default
hostname to the output of 'uname -o'.

Submitted by:	Nicholas Fiorentini
Sponsored by:	The FreeBSD Foundation
2017-10-30 13:54:54 +00:00
Eitan Adler
a2aef24aa3 Update several more URLs
- Primarily http -> https
- Primarily FreeBSD project URLs
2017-10-29 08:17:03 +00:00
Bryan Drewery
30385347cf Rework r254951 to not reach into private OBJDIR areas.
The original change was dealing with the build wanting to run a newer
install(1) that was not yet installed.  The solution to look into the private
legacy directory of the existing build conflicts with 2 upcoming features: a
changed OBJDIR format, and splitting the host tools into arch-dependent and
arch-independent directories.  Rather than hardcoding and changing the paths in
this script, just let kernel-toolchain do the work, while disabling much of the
meat.  With -j15 this finishes in 25 seconds for me and 117 seconds with -j1.
All that is really needed is bootstrap-tools, but the system is not currently
written in a way that all previous dependent steps will have run.  The previous
steps, such as _worldtmp, are being reworked and renamed and so cannot be
relied upon to be right.

Sponsored by:	Dell EMC Isilon
2017-10-29 01:21:09 +00:00
Glen Barber
33bfd7db54 Increase the arm/armv6 and arm/armv7 images from 2.5GB to 3GB,
since the RPI2 (at least) does not fit in 2.5GB.

While here, add a missing BOARDNAME to RPI2.conf.

Sponsored by:	The FreeBSD Foundation
2017-10-13 15:16:57 +00:00
Glen Barber
977401bd3b Add arm/armv7 checks to env_check().
Sponsored by:	The FreeBSD Foundation
2017-10-12 20:31:10 +00:00
Glen Barber
62d028dcac Switch BEAGLEBONE, CUBIEBOARD, and PANDABOARD to use the GENERIC
kernel configuration.

Submitted by:		andrew
Differential Revision:	https://reviews.freebsd.org/D12484
Sponsored by:	The FreeBSD Foundation
2017-10-09 17:12:02 +00:00
Glen Barber
2116f70705 Catch up with r324340, switching relevant arm SoCs from armv6
to armv7.

Sponsored by:	The FreeBSD Foundation
2017-10-06 17:30:18 +00:00
Warner Losh
0b972ac92e Support armv7 builds for userland
Make armv7 as a new MACHINE_ARCH.

Copy all the places we do armv6 and add armv7 as basically an
alias. clang appears to generate code for armv7 by default. armv7 hard
float isn't supported by the in-tree gcc, so it hasn't been
updated to have a new default.

Support armv7 as a new valid MACHINE_ARCH (and by extension
TARGET_ARCH).

Add armv7 to the universe build.

Differential Revision: https://reviews.freebsd.org/D12010
2017-10-05 23:01:33 +00:00
Glen Barber
b1bad39103 Remove release-related documentation from the base repository,
moved to the doc repository (see revisions r51045:r51061).

Sponsored by:	The FreeBSD Foundation
2017-10-05 20:54:31 +00:00
Glen Barber
7ea06b02c3 Fix the 'reldoc' target, following doc commit r51047.
Sponsored by:	The FreeBSD Foundation
2017-10-05 19:00:22 +00:00
Glen Barber
54a13912f6 Bump armv6 SoC images to 2.25GB. RPI-B is full, so increase all
image sizes for consistency.

Submitted by:	manu
Sponsored by:	The FreeBSD Foundation
2017-10-02 15:56:45 +00:00
Glen Barber
3f04d8c304 Revert r323812 from release/tools/arm.subr, which has broken the
build on arm/armv6 images.

Pointyhat:	gjb (myself)
MFC after:	immediate
MFC note:	releng/10.4 has broken because of this
Sponsored by:	The FreeBSD Foundation
2017-09-22 14:34:27 +00:00
Glen Barber
c52962c68e Bootstrap etcupdate(8) and mergemaster(8) databases when creating
virtual machine images and embedded images, similar to what is
done when extracting base.txz to the target root filesystem in
a new installation.

Noticed by:	marius
Tested with:	head@r323729
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
2017-09-20 15:49:12 +00:00
Glen Barber
36e7acd92d Increase arm{,64} SoC image sizes to prevent "filesystem full" build
failures.

Sponsored by:	The FreeBSD Foundation
2017-09-13 14:30:30 +00:00
Ed Maste
355534688c make-memstick.sh: use UFSv2
There's not much practical difference as far as install media is
concerned but newfs creates UFSv2 by default and it is sensible to use
the contemporary UFS version.

I also intend to change makefs to create UFSv2 by default (to match
newfs) so we'll want make-memstick.sh to be explicit, rather than
relying on the host tool's default.

Reviewed by:	andrew, gjb, jhibbits
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D12231
2017-09-11 14:41:57 +00:00
Ed Maste
f20be204d6 revert unintentional changes from r323436
2017-09-11 14:35:43 +00:00
Ed Maste
e9346a94d1 boot1: remove BOOT1_MAXSIZE default value
This Makefile relies on Makefile.fat providing the correct value for
BOOT1_MAXSIZE and BOOT1_OFFSET. Since BOOT1_OFFSET had no default value
here the build would already fail if Makefile.fat did not provide
correct values.

Sponsored by:	The FreeBSD Foundation
2017-09-11 14:33:04 +00:00
Ed Maste
708c2585e3 make-memstick.sh: use 'set -e' to abort if any step fails
Also remove the now-redundant error handling that was only for makefs.

This change applies arm64's r308171 to the other make-memstick.sh
versions.

Reviewed by:	gjb
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D12195
2017-09-05 12:57:45 +00:00
Ed Maste
93cf995aef mkisoimages.sh: remove obsolete x$var convention
Ancient shells had trouble with empty variables but this has not been
relevant for FreeBSD for a very long time (decades?).
2017-09-04 22:37:28 +00:00