pkgsrc on Linux – Quickstart Guide

Do you want to try out pkgsrc on Linux? Here’s a quickstart guide (tested on Ubuntu 14.04). Of course, always refer to the pkgsrc guide for accurate information.

Get pkgsrc

Install prerequisities.

user@host [~] $ sudo apt-get install build-essential libncurses-dev

Create directory structure in your home directory.

user@host [~] $ mkdir ~/opt

user@host [~] $ cd ~/opt

You have two options for getting pkgsrc: (1) the official ways: by downloading a tar file and extracting it, or by using CVS; (2) by using git. The first way, by using a tar file, is this:

Download pkgsrc and extract.

user@host [~/opt] $ curl -O

user@host [~/opt] $ tar xvzf pkgsrc.tar.gz

The second way, to use git, is also easy. Jörg Sonnenberger has created a GitHub repo that automatically syncs with pkgsrc source.

user@host [~/opt] $ git clone

I think I would prefer using git.

Install and Setup pkgsrc

Install pkgsrc.

user@host [~/opt] $ cd ~/opt/pkgsrc/bootstrap/

user@host [~/opt/pkgsrc/bootstrap] $ export SH=/bin/bash

user@host [~/opt/pkgsrc/bootstrap] $ ./bootstrap --unprivileged

Post install steps.

user@host [~/opt/pkgsrc/bootstrap] $ cat >> ~/pkg/etc/security.local << EOF
    if [ -x $HOME/pkg/sbin/pkg_admin ]; then
            $HOME/pkg/sbin/pkg_admin audit

user@host [~/opt/pkgsrc/bootstrap] $ echo "export PATH=\$PATH:\$HOME/pkg/bin:\$HOME/pkg/sbin" >> ~/.bashrc

user@host [~/opt/pkgsrc/bootstrap] $ source ~/.bashrc

user@host [~/opt/pkgsrc/bootstrap] $ pkg_admin -K ~/pkg/var/db/pkg fetch-pkg-vulnerabilities

user@host [~/opt/pkgsrc/bootstrap] $ echo 'alias pkgupvuln="\$HOME/pkg/sbin/pkg_admin -K ~/pkg/var/db/pkg fetch-pkg-vulnerabilities >/dev/null 2>&1"' >> ~/.bash_aliases

If you used git to get pkgsrc then move on to the next section.

If you did not use git to get pkgsrc then this is the best way going forward. Install CVS and update pkgsrc.

user@host [~/opt/pkgsrc/bootstrap] $ cd ~/opt/pkgsrc/devel/scmcvs/

user@host [~/opt/pkgsrc/devel/scmcvs] $ echo "export CVSEDITOR=vim" >> ~/.bashrc

user@host [~/opt/pkgsrc/devel/scmcvs] $ echo "export CVS_RSH=ssh" >> ~/.bashrc

user@host [~/opt/pkgsrc/devel/scmcvs] $ source ~/.bashrc

user@host [~/opt/pkgsrc/devel/scmcvs] $ bmake install clean clean-depends

user@host [~/opt/pkgsrc/devel/scmcvs] $ cd ~/opt/pkgsrc

user@host [~/opt/pkgsrc] $ cvs up -dP

user@host [~/opt/pkgsrc] $ cd ~/opt/pkgsrc/devel/scmcvs/

user@host [~/opt/pkgsrc/devel/scmcvs] $ bmake update

user@host [~/opt/pkgsrc/devel/scmcvs] $ bmake clean clean-depends

Install Package

Let’s install golang.

user@host [~/opt/pkgsrc] $ cd ~/opt/pkgsrc/lang/go

user@host [~/opt/pkgsrc/lang/go] $ bmake install clean clean-depends

Update Package

Follow these steps when you want to update a package, say golang.

user@host [~] $ pkg_admin -K ~/pkg/var/db/pkg fetch-pkg-vulnerabilities

user@host [~] $ cd ~/opt/pkgsrc

If you used git:
user@host [~/opt/pkgsrc] $ git pull

If you didn’t use git: user@host [~/opt/pkgsrc] $ cvs up -dP

user@host [~/opt/pkgsrc] $ cd ~/opt/pkgsrc/lang/go

user@host [~/opt/pkgsrc/lang/go] $ bmake update

user@host [~/opt/pkgsrc/lang/go] $ bmake clean clean-depends

Delete Package

You can uninstall a package and all its dependencies that are not needed by any other package.

user@host [~] $ pkg_delete -R go

Blending Linux with BSD

The past 24 hours have been a revelation: there’s no need to be entrenched in one camp of free software. There’s a much wider world outside of any one camp. For example, if you think Ubuntu is Linux, think again. If you think Linux is the bastion of free software, think harder. Free software is all around us and it’s only us who choose not to see it.

I’ve been re-introduced (with a new perspective) to MacPorts. It’s a fascinating and remarkable way to install and use free software on your Mac OS X. I had tried it some years ago but it was just too slow on a spinning hard drive. On my MacBook Air it runs much better (some slowness still because of the nature of compiling source). But the world of possibility it opens is fantastic.

Today I re-remembered pkgsrc from NetBSD and looked into it a bit more. It, too, provides fantastic opportunity to blend (Net)BSD with your favorite Linux distro or even Mac OS X. Go ahead and read pkgsrc: my favorite non-root package manager on linux” and see how simple it can make someone’s life. This article seeded this notion of blending Linux with BSD to benefit any user.

Take this theoretical possibility. There’s a user who wants a Linux-based desktop/notebook OS with great hardware support, wide application availability, cheap-ish or free of cost, great community support, in-depth documentation, etc. Some distros that come to mind immediately include your favorite distro as well. Now let’s say this user chose Ubuntu 14.04 LTS. It is promised to be version-stable with support for 5 years. The user can stick with it for 5 years or can migrate to 16.06 in two years. But for the foreseeable future the user is stuck on the same version of some software unless the distro is upgraded as a whole or by using third-party packages. Although PPAs are available for a variety of software, including updated versions of programming languages like Python, they can be hit and miss in terms of packaging quality and support. An upstream developer cannot be expected to be well-versed in the nuances of Ubuntu packaging. So the overall experience may not be ideal.

A possible workaround is to use something like pkgsrc to obtain and use updated software on a distro meant to provide stability above all else. This distro could be CentOS or Debian or whatever. Turn the concept of a Linux distro on its head to be a more FreeBSD-like “core v apps” architecture. Continue to use your Linux distro and all its great features and packages. And when you need to move beyond its supplied packages to something newer or different use something like pksrc.

May your blending be fruitful.

I can do it better

We have all experienced this moment when we thought we could do something better than someone else. I want us all to think twice whenever we have this thought. You may be able to do things better but you should always ask yourself if you really can.

I have been thinking about this for a while now. Arch Linux is a prime example of users who think they know better than those building other distributions. Arch allows them to be lean and customized unlike, say, Ubuntu. They are right but consider this: you and I spend how many hours working on Linux? And how many of them are spent thinking about the nitty gritty of the OS? Pretty low compared to the high-level stuff we are mostly involved with. For example, I’m more concerned about getting my application developed and deployed into production and less about what flags were used to compile Apache httpd. For users in this situation it’s better to let others take care of stuff they’re not interested in.

The software you are running was developed by someone else. If we let that developer focus on one application so that all we had to do was run it, why not do the same for our OS? There comes a point in our careers when we cannot do everything in a vertical stack. We have to give up control over more things so we can focus on the things that matter to us.

pfSense is another great example. Sure I could run a minimal Fedora to serve as my firewall and VPN server. I’d have to dig in and learn how to do it and it wouldn’t be too difficult. But my knowledge of security best practices would not compare favorably to the developers of pfSense. It’s not because they are smarter but because they spend more hours working on a firewall than I do. Thus I trust them to do a better job.

I’m not saying Arch users or those who build their firewalls from scratch should move on to something else. I am saying that you should focus on the things you really want to do and trust others in the free(dom) software community to fill the remaining gaps. Thus when openSUSE makes a decision and you think “I could do it better”, re-think. You could do it better but would it serve you or the community if you did?

100% Linux is Impractical

I was reading a post on the Ubuntu sub-reddit on how a user has converted 100% to Ubuntu. This might be possible but can be fairly impractical. Allow me to explain.

I use Linux almost every day at home and work. I also use Windows every day at work. At home I use Mac OS X on a MacBook. My immediate family is all iOS and extended family is mostly iOS with some Android and BlackBerry OS thrown in. I also have a Nexus 7 tablet. I own an Apple TV and a Roku.

Mine may be a typical American household these days (for a geeky household). No one device or OS is able to solve every use case. This not only the world we live in but the world of our near future. Consumers have lots of choice but they don’t really use that choice. Phones are mostly either iOS or Android. Computers are mostly either Mac OS X or Windows. Servers are mostly either Linux or Windows. Tablets are mostly either iOS or Android. So even with the widest choice available most consumers have picked a couple of winners for each device and the rest use the remaining choices.

I haven’t made up my mind whether this is a good thing or not. On one hand you have the ability for consumers to help each other because they use the same device and OS. On the other hand consumers are creating de facto monopolies with their wallets by rejecting other viable options. So you have these large corporations clambering for supremacy in one facet of technology and relinquishing control in others. Eventually we’ll be left with some devices ruled by sub-par manufacturers or without manufacturers altogether. But I digress.

To expect Linux to rule all devices is a bit naive. It already has a large market share in many device segments and this share increases every day. But it cannot be expected to replace the latest iPhone. The reason is simple: market forces pull technology and consumers in all directions all at once. In addition, consumers are not all alike. I enjoy using Linux, my wife is not a big fan of technology, and kids care about Netflix, Angry Birds, and Temple Run.

Let’s assume Linux could be king for me, my wife, and kids. Who will produce this Linux? Already in the server and desktop market we have major distributions pulling Linux in different directions. This causes headaches for application developers and hardware manufacturers: which distribution should they support? No two major distribution producers can agree on all the things at the same time, from package management to release/support life cycles. How can we expect a single direction for Linux?

Even if Apple, Microsoft, Google, BlackBerry, and others decided to drop everything they are doing now and back Linux, they all have different visions of products and how they want to create them. There’s no uniting factor compelling enough for the thousands of developers to disregard their goals. Each one of those developers has their own vision. It’s hard enough to get them on the same page in a corporation, let alone in the free software world.

Linux can be king of all; it’s possible. But it’s just not practical. Being optimistic is good and working to make Linux king of all domains is great. But we also need to realize that sometimes our ideals might get in the way of making the lives of people better with technology. That should be our goal while we try to get there in our own ways.

Use Private Certificate Authority to Sign Certificate Signing Request on Linux

I’ll assume that you created a private CA using my tutorial. I also make the following assumptions before proceeding with the tutorial.

  • OpenSSL has been installed
  • CA private key is in /home/cg/myca/private/
  • CA root certificate is in /home/cg/myca/certs/
  • CA’s config file, caconfig.cnf, is in /home/cg/myca/conf/
  • serial is in /home/cg/myca/
  • index.txt is in /home/cg/myca/

Copy CSR

You should copy/download the CSR to /home/cg/myca/csr/ directory.

Sign CSR

Then run the following command to sign it.

openssl x509 -days 3650 -CA certs/ -CAkey private/ -req -in csr/csr.server1.pem -outform PEM -out certs/crt.server1.pem -CAserial serial

You’ll be asked to provide the passphrase for the CA root certificate key. The final file, crt.server1.pem, is to be sent to the person who initiated the CSR. This is the final certificate they’ll use.

Generate Certificate Signing Request on Linux

You create a CSR and have it signed by a CA before you can use a certificate. This tutorial is a continuation from my tutorial on creating a CA. However, you do not need to create a CA to generate a CSR.

Install Prerequisites

I wrote this tutorial using Fedora 18. The only prerequisite I needed was OpenSSL.

su -c 'yum install openssl'

Create Directory Structure

mkdir /home/cg/mycert

cd /home/cg/mycert/

mkdir private conf csr

We will run all commands by default in the /home/cg/mycert directory, unless stated otherwise.

Config File

vim /home/cg/mycert/conf/serverconfig.cnf

This file would serve as the config file if you wish to use it. An example file is below.

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/mycert/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default =

[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA

[ crl_ext ]

Generate CSR

You can use the config file (serverconfig.cnf) we created in the previous step to answer a lot of the questions asked during certificate generation. Just run the following command and answer the questions. Most questions will have the default values provided in serverconfig.cnf.

openssl req -new -config conf/serverconfig.cnf -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

If you want to provide your own custom values you may run the following command instead.

openssl req -new -newkey rsa:4096 -keyform PEM -keyout private/key.csr.server1.pem -outform PEM -out csr/csr.server1.pem -nodes

You will be asked relevant questions. Following is an example output of the process.

Generating a 4096 bit RSA private key
writing new private key to 'private/key.csr.server1.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [New York]:
Locality Name (city, district) [New York]:
Organization Name (company) [Code Ghar]:
Organizational Unit Name (department, division) [IT]:
Common Name (hostname, FQDN, IP, or your name) [CGIT]:
Email Address []

Two files, key.csr.server1.pem and csr.server1.pem, will be created in $dir/private and $dir/csr directories respectively. Keep these files in a safe location and back them up.

You will submit csr.server1.pem to the CA who will sign it. The CA will sign the file and return the resulting file to you. That will be the certificate you will finally use.


Get every new post delivered to your Inbox.

Join 31 other followers