Open jeremiah opened 3 years ago
Hi @jeremiah!
As we now depend on the iovisor/gobpf golang package, the build process has changed a little bit. There are a few steps that you have to do before creating the package:
$ git clone ..
$ cd opensnitch
$ make protocol
$ cd daemon; go mod vendor; cd ..
$ dpkg-buildpackage
Don't forget that you need some dependencies before packaging it: https://github.com/evilsocket/opensnitch/wiki/Compilation
I don't know if this will affect you, but until now I've been building the packages on Debian Sid. However, since I don't know what version of golang (1.15/1.16/1.17), the binaries now depend on GLIBC_2.32 pthread_sigmask. This forces the libc6 version to be 2.32, which is not available in many systems.
Using golang 1.15.9-6 from Debian Bullseye generates binaries compatible with libc6 >= 2.14.
$ wget https://github.com/evilsocket/opensnitch/archive/refs/tags/v1.4.0.tar.gz
$ tar zxf v1.4.0.tar.gz
$ cp /tmp/opensnitch-arm64.o opensnitch-1.4.0/ebpf-prog/opensnitch.o
$ cd opensnitch-1.4.0
$ make protocol
$ cd daemon/
$ go mod vendor
$ cd ../..
$ tar zcf opensnitch_1.4.0.orig.tar.gz opensnitch-1.4.0/
$ cd opensnitch-1.4.0/
$ dpkg-buildpackage
Note that the opensnitch.o is precompiled. I've attached the modules compiled for 4 architectures with these sums:
6c1db0ca14c2f7548b9378a855c8362658fa35dc opensnitch-arm64.o
5ece05a7f4fad65d3261b7b8c753974e3b569657 opensnitch-arm.o
4f440848aa043632ae5ad91efca34573bf8667ac opensnitch-i386.o
5c585469bd305b79f7adbb18741f1fed9520901d opensnitch-x86_64.o
If you want to compile them see here to know how: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog
opensnitch-arm64.o.gz opensnitch-armhf.o.gz opensnitch-i386.o.gz opensnitch-x86-64.o.gz
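An added example, not part of the thread and not OpenSnitch project code: a shell check that compares a precompiled object against the SHA-1 sums posted above before it is copied into ebpf-prog/. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# SHA-1 sums exactly as posted in the thread for the four precompiled modules.
PUBLISHED_SUMS='6c1db0ca14c2f7548b9378a855c8362658fa35dc opensnitch-arm64.o
5ece05a7f4fad65d3261b7b8c753974e3b569657 opensnitch-arm.o
4f440848aa043632ae5ad91efca34573bf8667ac opensnitch-i386.o
5c585469bd305b79f7adbb18741f1fed9520901d opensnitch-x86_64.o'

# verify_ebpf_object FILE [SUMS]  (hypothetical helper, not an OpenSnitch tool)
# Exit status: 0 = sum matches, 1 = mismatch, 2 = file unreadable,
#              3 = the file's basename has no entry in SUMS.
verify_ebpf_object() {
    file=$1
    sums=${2:-$PUBLISHED_SUMS}
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    name=$(basename "$file")
    # Look the expected sum up by exact file name, never by position.
    expected=$(printf '%s\n' "$sums" | awk -v n="$name" '$2 == n { print $1; exit }')
    [ -n "$expected" ] || { echo "no published sum for $name" >&2; return 3; }
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "OK $name"
}

# install_ebpf_object FILE DEST [SUMS]: copy only after the sum has matched,
# so an unverified object never lands in the source tree that gets packaged.
install_ebpf_object() {
    verify_ebpf_object "$1" "${3:-$PUBLISHED_SUMS}" || return $?
    cp "$1" "$2"
}

# Stand-alone use: sh verify.sh /tmp/opensnitch-arm64.o [more files...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        verify_ebpf_object "$f" || exit $?
    done
fi
```

The attachments are named opensnitch-armhf.o.gz and opensnitch-x86-64.o.gz while the sum list uses opensnitch-arm.o and opensnitch-x86_64.o, so an uncompressed file has to carry the name from the sum list or the lookup returns 3.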
> $ wget https://github.com/evilsocket/opensnitch/archive/refs/tags/v1.4.0.tar.gz
> $ tar zxf v1.4.0.tar.gz
> $ cp /tmp/opensnitch-arm64.o opensnitch-1.4.0/ebpf-prog/opensnitch.o
In this step above ^^ you're referring to the .o files you list below, right? Is there a way to compile the .o files on my machine? This is one of the requirements for having packages in our repos - they need to build locally as well as reproducibly via reprotest.
> $ cd opensnitch-1.4.0
> $ make protocol
Is it possible to include this stage in the debian/rules file?
> $ cd daemon/
> $ go mod vendor
> $ cd ../..
> $ tar zcf opensnitch_1.4.0.orig.tar.gz opensnitch-1.4.0/
> $ cd opensnitch-1.4.0/
> $ dpkg-buildpackage
> Note that the opensnitch.o is precompiled. I've attached the modules compiled for 4 architectures with these sums:
> 6c1db0ca14c2f7548b9378a855c8362658fa35dc opensnitch-arm64.o
> 5ece05a7f4fad65d3261b7b8c753974e3b569657 opensnitch-arm.o
> 4f440848aa043632ae5ad91efca34573bf8667ac opensnitch-i386.o
> 5c585469bd305b79f7adbb18741f1fed9520901d opensnitch-x86_64.o
> If you want to compile them see here to know how: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog
> [opensnitch-arm64.o.gz](https://github.com/evilsocket/opensnitch/files/7137460/opensnitch-arm64.o.gz) [opensnitch-armhf.o.gz](https://github.com/evilsocket/opensnitch/files/7137461/opensnitch-armhf.o.gz) [opensnitch-i386.o.gz](https://github.com/evilsocket/opensnitch/files/7137462/opensnitch-i386.o.gz) [opensnitch-x86-64.o.gz](https://github.com/evilsocket/opensnitch/files/7137463/opensnitch-x86-64.o.gz)
Thanks, this is useful.
> Is it possible to include this stage in the debian/rules file?
added!
> In this step above ^^ you're referring to the .o files you list below, right? Is there a way to compile the .o files on my machine? This is one of the requirements for having packages in our repos - they need to build locally as well as reproducibly via reprotest.
Oops, I think I didn't answer this: yes, here's how: https://github.com/evilsocket/opensnitch/tree/master/ebpf_prog
@jeremiah let me know if I can help you with anything else. Also, if you finally package it for PureOS, drop a comment here if you don't mind. I'd love to know about it and help out with any problem that may appear!
Hi @gustavo-iniguez-goya! Thanks very much for your help. Purism is very interested in having OpenSnitch in PureOS and I'll continue to work on this, but right now we're blocked on the libc issue as well as not having the Go libraries already in Debian. I've communicated this to folks internally, who ask me regularly about OpenSnitch. FWIW Purism will blog about OpenSnitch and talk about how great it is if we can package it. I'll come back to you with my progress next week, still a bit overloaded here.
Hello! My name is Jeremiah and I'm the Director of PureOS. We're packaging opensnitch for PureOS and have run into some small issues described below.
Issue: missing dependencies prevent build
Reproduce: run
dpkg-buildpackage
I expected the opensnitch package to build.
Using PureOS Byzantium